| author | Stefan Esser | 2014-06-09 10:37:10 +0200 |
|---|---|---|
| committer | Stefan Esser | 2014-06-09 10:37:10 +0200 |
| commit | fb0f51e922b597a46d1065437f716c3179e5506c (patch) | |
| tree | 5958576a1aa087c7bfbdf76c6ef632d261905bb6 | |
| parent | 83bf21540d308a740c8835c4c3a104a5d2f761c5 (diff) | |
Added various improvements to rand()/mt_rand() protection
| -rw-r--r-- | Changelog | 5 | ||||
| -rw-r--r-- | execute.c | 23 | ||||
| -rw-r--r-- | php_suhosin.h | 3 | ||||
| -rw-r--r-- | suhosin.c | 14 |
4 files changed, 40 insertions, 5 deletions
| @@ -3,6 +3,11 @@ | |||
| 3 | - Added better handling of non existing/non executable shell scripts | 3 | - Added better handling of non existing/non executable shell scripts |
| 4 | - Added protection against XSS/SQL/Other Injections through User-Agent HTTP header | 4 | - Added protection against XSS/SQL/Other Injections through User-Agent HTTP header |
| 5 | - Fix variable logging statistics outputting on every include - ticket: #37 | 5 | - Fix variable logging statistics outputting on every include - ticket: #37 |
| 6 | - Added more entropy from /dev/urandom to internal random seeding (64 bit => 256 bit) | ||
| 7 | - Added non initialized stack variables to random seeding | ||
| 8 | - Added php_win32_get_random_bytes for windows compatibility in random seeding | ||
| 9 | - Added suhosin.rand.seedingkey for INI supplied additional entropy string (idea DavisNT) | ||
| 10 | - Added suhosin.rand.reseed_every_request to allow reseeding on every request (idea DavisNT) | ||
| 6 | - Added LICENSE file to make distributions happy | 11 | - Added LICENSE file to make distributions happy |
| 7 | 12 | ||
| 8 | 2014-02-24 - 0.9.35 | 13 | 2014-02-24 - 0.9.35 |
| @@ -38,6 +38,13 @@ | |||
| 38 | 38 | ||
| 39 | #include "sha256.h" | 39 | #include "sha256.h" |
| 40 | 40 | ||
| 41 | #ifdef PHP_WIN32 | ||
| 42 | # include "win32/winutil.h" | ||
| 43 | # include "win32/time.h" | ||
| 44 | #else | ||
| 45 | # include <sys/time.h> | ||
| 46 | #endif | ||
| 47 | |||
| 41 | #if PHP_VERSION_ID >= 50500 | 48 | #if PHP_VERSION_ID >= 50500 |
| 42 | static void (*old_execute_ex)(zend_execute_data *execute_data TSRMLS_DC); | 49 | static void (*old_execute_ex)(zend_execute_data *execute_data TSRMLS_DC); |
| 43 | static void suhosin_execute_ex(zend_execute_data *execute_data TSRMLS_DC); | 50 | static void suhosin_execute_ex(zend_execute_data *execute_data TSRMLS_DC); |
| @@ -1325,8 +1332,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D) | |||
| 1325 | 1332 | ||
| 1326 | /* {{{ suhosin_gen_entropy | 1333 | /* {{{ suhosin_gen_entropy |
| 1327 | */ | 1334 | */ |
| 1328 | static void suhosin_gen_entropy(php_uint32 *seedbuf TSRMLS_DC) | 1335 | static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC) |
| 1329 | { | 1336 | { |
| 1337 | php_uint32 seedbuf[20]; | ||
| 1330 | /* On a modern OS code, stack and heap base are randomized */ | 1338 | /* On a modern OS code, stack and heap base are randomized */ |
| 1331 | unsigned long code_value = (unsigned long)suhosin_gen_entropy; | 1339 | unsigned long code_value = (unsigned long)suhosin_gen_entropy; |
| 1332 | unsigned long stack_value = (unsigned long)&code_value; | 1340 | unsigned long stack_value = (unsigned long)&code_value; |
| @@ -1353,14 +1361,21 @@ static void suhosin_gen_entropy(php_uint32 *seedbuf TSRMLS_DC) | |||
| 1353 | fd = VCWD_OPEN("/dev/urandom", O_RDONLY); | 1361 | fd = VCWD_OPEN("/dev/urandom", O_RDONLY); |
| 1354 | if (fd >= 0) { | 1362 | if (fd >= 0) { |
| 1355 | /* ignore error case - if urandom doesn't give us any/enough random bytes */ | 1363 | /* ignore error case - if urandom doesn't give us any/enough random bytes */ |
| 1356 | read(fd, &seedbuf[6], 2 * sizeof(php_uint32)); | 1364 | read(fd, &seedbuf[6], 8 * sizeof(php_uint32)); |
| 1357 | close(fd); | 1365 | close(fd); |
| 1358 | } | 1366 | } |
| 1367 | #else | ||
| 1368 | /* we have to live with the possibility that this call fails */ | ||
| 1369 | php_win32_get_random_bytes(rbuf, 8 * sizeof(php_uint32)); | ||
| 1359 | #endif | 1370 | #endif |
| 1360 | 1371 | ||
| 1361 | suhosin_SHA256Init(&context); | 1372 | suhosin_SHA256Init(&context); |
| 1362 | suhosin_SHA256Update(&context, (void *) seedbuf, sizeof(php_uint32) * 8); | 1373 | /* to our friends from Debian: yes this will add unitialized stack values to the entropy DO NOT REMOVE */ |
| 1363 | suhosin_SHA256Final((void *)seedbuf, &context); | 1374 | suhosin_SHA256Update(&context, (void *) seedbuf, sizeof(seedbuf)); |
| 1375 | if (SUHOSIN_G(seedingkey) != NULL && *SUHOSIN_G(seedingkey) != 0) { | ||
| 1376 | suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey))); | ||
| 1377 | } | ||
| 1378 | suhosin_SHA256Final((void *)entropybuf, &context); | ||
| 1364 | } | 1379 | } |
| 1365 | /* }}} */ | 1380 | /* }}} */ |
| 1366 | 1381 | ||
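--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -239,6 +239,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
 php_uint32 *mt_next;
 int mt_left;
 
+char *seedingkey;
+zend_bool reseed_every_request;
+
 zend_bool r_is_seeded;
 zend_bool mt_is_seeded;
 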
| @@ -1015,10 +1015,11 @@ PHP_INI_BEGIN() | |||
| 1015 | ZEND_INI_ENTRY("suhosin.cookie.cryptlist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdate_cookie_cryptlist) | 1015 | ZEND_INI_ENTRY("suhosin.cookie.cryptlist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdate_cookie_cryptlist) |
| 1016 | ZEND_INI_ENTRY("suhosin.cookie.plainlist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdate_cookie_plainlist) | 1016 | ZEND_INI_ENTRY("suhosin.cookie.plainlist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdate_cookie_plainlist) |
| 1017 | 1017 | ||
| 1018 | |||
| 1019 | STD_ZEND_INI_BOOLEAN("suhosin.server.encode", "1", ZEND_INI_SYSTEM, OnUpdateBool, server_encode,zend_suhosin_globals, suhosin_globals) | 1018 | STD_ZEND_INI_BOOLEAN("suhosin.server.encode", "1", ZEND_INI_SYSTEM, OnUpdateBool, server_encode,zend_suhosin_globals, suhosin_globals) |
| 1020 | STD_ZEND_INI_BOOLEAN("suhosin.server.strip", "1", ZEND_INI_SYSTEM, OnUpdateBool, server_strip,zend_suhosin_globals, suhosin_globals) | 1019 | STD_ZEND_INI_BOOLEAN("suhosin.server.strip", "1", ZEND_INI_SYSTEM, OnUpdateBool, server_strip,zend_suhosin_globals, suhosin_globals) |
| 1021 | 1020 | ||
| 1021 | STD_PHP_INI_ENTRY("suhosin.rand.seedingkey", "", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateString, seedingkey, zend_suhosin_globals, suhosin_globals) | ||
| 1022 | STD_ZEND_INI_BOOLEAN("suhosin.rand.reseed_every_request", "0", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, reseed_every_request, zend_suhosin_globals, suhosin_globals) | ||
| 1022 | STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals) | 1023 | STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals) |
| 1023 | STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals, suhosin_globals) | 1024 | STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals, suhosin_globals) |
| 1024 | 1025 | ||
| @@ -1239,6 +1240,11 @@ PHP_RSHUTDOWN_FUNCTION(suhosin) | |||
| 1239 | 1240 | ||
| 1240 | SUHOSIN_G(abort_request) = 0; | 1241 | SUHOSIN_G(abort_request) = 0; |
| 1241 | 1242 | ||
| 1243 | if (SUHOSIN_G(reseed_every_request)) { | ||
| 1244 | SUHOSIN_G(r_is_seeded) = 0; | ||
| 1245 | SUHOSIN_G(mt_is_seeded) = 0; | ||
| 1246 | } | ||
| 1247 | |||
| 1242 | if (SUHOSIN_G(decrypted_cookie)) { | 1248 | if (SUHOSIN_G(decrypted_cookie)) { |
| 1243 | efree(SUHOSIN_G(decrypted_cookie)); | 1249 | efree(SUHOSIN_G(decrypted_cookie)); |
| 1244 | SUHOSIN_G(decrypted_cookie)=NULL; | 1250 | SUHOSIN_G(decrypted_cookie)=NULL; |
| @@ -1301,6 +1307,9 @@ PHP_MINFO_FUNCTION(suhosin) | |||
| 1301 | if (zend_hash_find(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey"), (void **) &i)==SUCCESS) { | 1307 | if (zend_hash_find(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey"), (void **) &i)==SUCCESS) { |
| 1302 | i->displayer = suhosin_ini_displayer; | 1308 | i->displayer = suhosin_ini_displayer; |
| 1303 | } | 1309 | } |
| 1310 | if (zend_hash_find(EG(ini_directives), "suhosin.rand.seedingkey", sizeof("suhosin.rand.seedingkey"), (void **) &i)==SUCCESS) { | ||
| 1311 | i->displayer = suhosin_ini_displayer; | ||
| 1312 | } | ||
| 1304 | } | 1313 | } |
| 1305 | 1314 | ||
| 1306 | DISPLAY_INI_ENTRIES(); | 1315 | DISPLAY_INI_ENTRIES(); |
| @@ -1314,6 +1323,9 @@ PHP_MINFO_FUNCTION(suhosin) | |||
| 1314 | if (zend_hash_find(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey"), (void **) &i)==SUCCESS) { | 1323 | if (zend_hash_find(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey"), (void **) &i)==SUCCESS) { |
| 1315 | i->displayer = NULL; | 1324 | i->displayer = NULL; |
| 1316 | } | 1325 | } |
| 1326 | if (zend_hash_find(EG(ini_directives), "suhosin.rand.seedingkey", sizeof("suhosin.rand.seedingkey"), (void **) &i)==SUCCESS) { | ||
| 1327 | i->displayer = NULL; | ||
| 1328 | } | ||
| 1317 | } | 1329 | } |
| 1318 | 1330 | ||
| 1319 | } | 1331 | } |
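Review bot: The new `suhosin.rand.seedingkey` INI entry on line 1021 holds a secret, and the two displayer hooks added to PHP_MINFO only mask it in phpinfo() output; as far as I can tell nothing stops userland `ini_get('suhosin.rand.seedingkey')` from returning the raw key, the same limitation the existing session.cryptkey handling has. That is worth stating next to the entry so operators do not assume the key is unreadable from scripts, e.g. `/* secret: hidden from phpinfo() via suhosin_ini_displayer, but still readable through ini_get() */`. The RSHUTDOWN hunk only clears `r_is_seeded`/`mt_is_seeded`, which relies on the next generator call noticing the flag and regenerating entropy; that generator code is outside this view, so I have not confirmed the path.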
