added secure configuration loader (#28)secureconfig

1 files changed, 135 insertions, 0 deletions

diff --git a/secureconfig.c b/secureconfig.c
new file mode 100644
index 0000000..075baf0
--- /dev/null
+++ b/secureconfig.c
@@ -0,0 +1,135 @@
+/*
+  +----------------------------------------------------------------------+
+  | Suhosin Version 1                                                    |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2006-2007 The Hardened-PHP Project                     |
+  | Copyright (c) 2007-2010 SektionEins GmbH                             |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 3.01 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available through the world-wide-web at the following url:           |
+  | http://www.php.net/license/3_01.txt                                  |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Author: Juergen Pabel <jpabel@akkaya.de>                             |
+  +----------------------------------------------------------------------+
+*/
+
+#ifdef SUHOSIN_EXPERIMENTAL
+#include <stdio.h>
+#include "php.h"
+#include "php_suhosin.h"
+#include "sha256.h"
+
+static char cryptkey[32];
+
+/* {{{ proto string secureconfig_encrypt(string plaintext)
+   Encrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_encrypt)
+{
+        char *plaintext, *ciphertext;
+        int plaintext_len, ciphertext_len;
+        int i;
+        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &plaintext, &plaintext_len) == FAILURE) {
+                return;
+        }
+        ciphertext = suhosin_encrypt_string(plaintext, plaintext_len, "", 0, cryptkey TSRMLS_CC);
+        if(ciphertext == NULL) {
+                return;
+        }
+        ciphertext_len = strlen(ciphertext);
+        /* undo suhosin_encrypt_string()'s base64 alphabet transformation */
+        for (i=0; i<ciphertext_len; i++) {
+                switch (ciphertext[i]) {
+                        case '-': ciphertext[i]='/'; break;
+                        case '.': ciphertext[i]='='; break;
+                        case '_': ciphertext[i]='+'; break;
+                }
+        }
+        RETURN_STRINGL((char *)ciphertext, ciphertext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ proto string secureconfig_decrypt(string ciphertext)
+   Decrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_decrypt)
+{
+        char *plaintext, *ciphertext;
+        int plaintext_len, ciphertext_len;
+        int i;
+        
+        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &ciphertext, &ciphertext_len) == FAILURE) {
+                return;
+        }
+
+        /* redo suhosin_encrypt_string()'s base64 alphabet transformation */
+        for (i=0; i<ciphertext_len; i++) {
+                switch (ciphertext[i]) {
+                        case '/': ciphertext[i]='-'; break;
+                        case '=': ciphertext[i]='.'; break;
+                        case '+': ciphertext[i]='_'; break;
+                }
+        }
+        plaintext = suhosin_decrypt_string(ciphertext, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
+        if(plaintext == NULL || plaintext_len <= 0) {
+                return;
+        }
+        RETURN_STRINGL((char *)plaintext, plaintext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ suhosin_secureconfig_functions[]
+ */
+static function_entry suhosin_secureconfig_functions[] = {
+        PHP_NAMED_FE(secureconfig_encrypt, PHP_FN(suhosin_secureconfig_encrypt), NULL)
+        PHP_NAMED_FE(secureconfig_decrypt, PHP_FN(suhosin_secureconfig_decrypt), NULL)
+        {NULL, NULL, NULL}
+};
+/* }}} */
+
+
+void suhosin_hook_secureconfig(TSRMLS_D)
+{
+        char* key;
+        suhosin_SHA256_CTX ctx;
+
+        // TSRMLS_FETCH();
+        
+        /* check if we already have secureconfig support */
+        if (zend_hash_exists(CG(function_table), "secureconfig_encrypt", sizeof("secureconfig_encrypt"))) {
+                return;         
+        }
+
+        key = SUHOSIN_G(secureconfig_cryptkey);
+        if (key != NULL) {
+                suhosin_SHA256Init(&ctx);
+                suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
+                suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
+        } else {
+                memset(cryptkey, 0x55 /*fallback key with alternating bits*/, 32);
+        }
+
+        /* add the secureconfig functions */
+#ifndef ZEND_ENGINE_2
+        zend_register_functions(suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#else
+        zend_register_functions(NULL, suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#endif
+}
+
+#endif /* SUHOSIN_EXPERIMENTAL */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */