6 files changed, 79 insertions, 8 deletions
diff --git a/src/sp_config.h b/src/sp_config.h
index 86513f9..3a7a79c 100644
--- a/src/sp_config.h
+++ b/src/sp_config.h
@@ -58,6 +58,7 @@ typedef struct { bool enable; } sp_config_disable_xxe;
 typedef struct {
  enum samesite_type {strict=1, lax=2} samesite;
  bool encrypt;
+        bool simulation;
 } sp_cookie;
 typedef struct {
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index 2d294ee..32363b8 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -111,6 +111,7 @@ int parse_cookie(char *line) {
  sp_config_functions sp_config_funcs_cookie_encryption[] = {
      {parse_str, SP_TOKEN_NAME, &name},
      {parse_str, SP_TOKEN_SAMESITE, &samesite},
+      {parse_empty, SP_TOKEN_SIMULATION, &cookie->simulation},
      {parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},
      {0}};
diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c
index c749040..04c864f 100644
--- a/src/sp_cookie_encryption.c
+++ b/src/sp_cookie_encryption.c
@@ -63,9 +63,17 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args,
  if (ZSTR_LEN(debase64) <
      crypto_secretbox_NONCEBYTES + crypto_secretbox_ZEROBYTES) {
-    sp_log_msg("cookie_encryption", SP_LOG_DROP,
+    if (true == cookie->simulation) {
-        "Buffer underflow tentative detected in cookie encryption handling.");
+      sp_log_msg("cookie_encryption", SP_LOG_SIMULATION,
-    return ZEND_HASH_APPLY_REMOVE;
+          "Buffer underflow tentative detected in cookie encryption handling "
+                                        "for %s. Using the cookie 'as it' instead of decrypting it.",
+                                        ZSTR_VAL(hash_key->key)); 
+      return ZEND_HASH_APPLY_KEEP;
+    } else {
+      sp_log_msg("cookie_encryption", SP_LOG_DROP,
+          "Buffer underflow tentative detected in cookie encryption handling.");
+      return ZEND_HASH_APPLY_REMOVE;
+    }
  }
  generate_key(key);
@@ -78,11 +86,18 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args,
      ZSTR_LEN(debase64) - crypto_secretbox_NONCEBYTES,
      (unsigned char *)ZSTR_VAL(debase64), key);
-  if (ret == -1) {
+  if (-1 == ret) {
-    sp_log_msg("cookie_encryption", SP_LOG_DROP,
+    if (true == cookie->simulation) {
-      "Something went wrong with the decryption of %s.",
+      sp_log_msg("cookie_encryption", SP_LOG_SIMULATION,
-               ZSTR_VAL(hash_key->key));
+        "Something went wrong with the decryption of %s. Using the cookie "
-    return ZEND_HASH_APPLY_REMOVE;
+        "'as it' instead of decrypting it", ZSTR_VAL(hash_key->key));
+      return ZEND_HASH_APPLY_KEEP;
+    } else {
+      sp_log_msg("cookie_encryption", SP_LOG_DROP,
+        "Something went wrong with the decryption of %s.",
+        ZSTR_VAL(hash_key->key));
+      return ZEND_HASH_APPLY_REMOVE;
+    }
  }
  ZVAL_STRINGL(pDest, (char *)(decrypted + crypto_secretbox_ZEROBYTES),
diff --git a/src/tests/config/config_encrypted_cookies_simulation.ini b/src/tests/config/config_encrypted_cookies_simulation.ini
new file mode 100644
index 0000000..32e24a1
--- /dev/null
+++ b/src/tests/config/config_encrypted_cookies_simulation.ini
@@ -0,0 +1,3 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.cookie.name("super_cookie").encrypt().simulation();
+sp.auto_cookie_secure.enable();
diff --git a/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt b/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt
new file mode 100644
index 0000000..e5b6bfc
--- /dev/null
+++ b/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Cookie encryption - invalid decryption in simulation mode with a short cookie
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies_simulation.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=AAA;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(3) "AAA"
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt b/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt
new file mode 100644
index 0000000..0bd1dc8
--- /dev/null
+++ b/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Cookie encryption - invalid decryption in simulation mode
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies_simulation.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=Wk9NR1RISVNJU05PVEVOQ1JZUFRFREFUQUxMV0hBVFRIRUhFTExJU0hIRUxMQVJFWU9VRE9JTkdaT01Hb2htYXliZXRoaXNpc2Fub2xkc2Vzc2lvbmNvb2tpZQo=;awfulcookie=awfulcookievalue;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+echo "1337\n";
+var_dump($_COOKIE); ?>
+--EXPECT--
+1337
+array(2) {
+  ["super_cookie"]=>
+  string(124) "Wk9NR1RISVNJU05PVEVOQ1JZUFRFREFUQUxMV0hBVFRIRUhFTExJU0hIRUxMQVJFWU9VRE9JTkdaT01Hb2htYXliZXRoaXNpc2Fub2xkc2Vzc2lvbmNvb2tpZQo="
+  ["awfulcookie"]=>
+  string(16) "awfulcookievalue"
+}

diff --git a/src/sp_config.h b/src/sp_config.h index 86513f9..3a7a79c 100644 --- a/src/sp_config.h +++ b/src/sp_config.h
@@ -58,6 +58,7 @@ typedef struct { bool enable; } sp_config_disable_xxe;
58	typedef struct {	58	typedef struct {
59	enum samesite_type {strict=1, lax=2} samesite;	59	enum samesite_type {strict=1, lax=2} samesite;
60	bool encrypt;	60	bool encrypt;
		61	bool simulation;
61	} sp_cookie;	62	} sp_cookie;
62		63
63	typedef struct {	64	typedef struct {


diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index 2d294ee..32363b8 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -111,6 +111,7 @@ int parse_cookie(char *line) {
111	sp_config_functions sp_config_funcs_cookie_encryption[] = {	111	sp_config_functions sp_config_funcs_cookie_encryption[] = {
112	{parse_str, SP_TOKEN_NAME, &name},	112	{parse_str, SP_TOKEN_NAME, &name},
113	{parse_str, SP_TOKEN_SAMESITE, &samesite},	113	{parse_str, SP_TOKEN_SAMESITE, &samesite},
		114	{parse_empty, SP_TOKEN_SIMULATION, &cookie->simulation},
114	{parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},	115	{parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},
115	{0}};	116	{0}};
116		117


diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c index c749040..04c864f 100644 --- a/src/sp_cookie_encryption.c +++ b/src/sp_cookie_encryption.c
@@ -63,9 +63,17 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args,
63		63
64	if (ZSTR_LEN(debase64) <	64	if (ZSTR_LEN(debase64) <
65	crypto_secretbox_NONCEBYTES + crypto_secretbox_ZEROBYTES) {	65	crypto_secretbox_NONCEBYTES + crypto_secretbox_ZEROBYTES) {
66	sp_log_msg("cookie_encryption", SP_LOG_DROP,	66	if (true == cookie->simulation) {
67	"Buffer underflow tentative detected in cookie encryption handling.");	67	sp_log_msg("cookie_encryption", SP_LOG_SIMULATION,
68	return ZEND_HASH_APPLY_REMOVE;	68	"Buffer underflow tentative detected in cookie encryption handling "
		69	"for %s. Using the cookie 'as it' instead of decrypting it.",
		70	ZSTR_VAL(hash_key->key));
		71	return ZEND_HASH_APPLY_KEEP;
		72	} else {
		73	sp_log_msg("cookie_encryption", SP_LOG_DROP,
		74	"Buffer underflow tentative detected in cookie encryption handling.");
		75	return ZEND_HASH_APPLY_REMOVE;
		76	}
69	}	77	}
70		78
71	generate_key(key);	79	generate_key(key);
@@ -78,11 +86,18 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args,
78	ZSTR_LEN(debase64) - crypto_secretbox_NONCEBYTES,	86	ZSTR_LEN(debase64) - crypto_secretbox_NONCEBYTES,
79	(unsigned char *)ZSTR_VAL(debase64), key);	87	(unsigned char *)ZSTR_VAL(debase64), key);
80		88
81	if (ret == -1) {	89	if (-1 == ret) {
82	sp_log_msg("cookie_encryption", SP_LOG_DROP,	90	if (true == cookie->simulation) {
83	"Something went wrong with the decryption of %s.",	91	sp_log_msg("cookie_encryption", SP_LOG_SIMULATION,
84	ZSTR_VAL(hash_key->key));	92	"Something went wrong with the decryption of %s. Using the cookie "
85	return ZEND_HASH_APPLY_REMOVE;	93	"'as it' instead of decrypting it", ZSTR_VAL(hash_key->key));
		94	return ZEND_HASH_APPLY_KEEP;
		95	} else {
		96	sp_log_msg("cookie_encryption", SP_LOG_DROP,
		97	"Something went wrong with the decryption of %s.",
		98	ZSTR_VAL(hash_key->key));
		99	return ZEND_HASH_APPLY_REMOVE;
		100	}
86	}	101	}
87		102
88	ZVAL_STRINGL(pDest, (char *)(decrypted + crypto_secretbox_ZEROBYTES),	103	ZVAL_STRINGL(pDest, (char *)(decrypted + crypto_secretbox_ZEROBYTES),


diff --git a/src/tests/config/config_encrypted_cookies_simulation.ini b/src/tests/config/config_encrypted_cookies_simulation.ini new file mode 100644 index 0000000..32e24a1 --- /dev/null +++ b/src/tests/config/config_encrypted_cookies_simulation.ini
@@ -0,0 +1,3 @@
		1	sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
		2	sp.cookie.name("super_cookie").encrypt().simulation();
		3	sp.auto_cookie_secure.enable();


diff --git a/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt b/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt new file mode 100644 index 0000000..e5b6bfc --- /dev/null +++ b/src/tests/encrypt_cookies_invalid_decryption_short_cookie.phpt
@@ -0,0 +1,24 @@
		1	--TEST--
		2	Cookie encryption - invalid decryption in simulation mode with a short cookie
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_encrypted_cookies_simulation.ini
		7	display_errors=1
		8	display_startup_errors=1
		9	error_reporting=E_ALL
		10	--COOKIE--
		11	super_cookie=AAA;awful_cookie=awful_cookie_value;
		12	--ENV--
		13	return <<<EOF
		14	REMOTE_ADDR=127.0.0.1
		15	EOF;
		16	--FILE--
		17	<?php var_dump($_COOKIE); ?>
		18	--EXPECT--
		19	array(2) {
		20	["super_cookie"]=>
		21	string(3) "AAA"
		22	["awful_cookie"]=>
		23	string(18) "awful_cookie_value"
		24	}


diff --git a/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt b/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt new file mode 100644 index 0000000..0bd1dc8 --- /dev/null +++ b/src/tests/encrypt_cookies_invalid_decryption_simulation.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	Cookie encryption - invalid decryption in simulation mode
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_encrypted_cookies_simulation.ini
		7	display_errors=1
		8	display_startup_errors=1
		9	error_reporting=E_ALL
		10	--COOKIE--
		11	super_cookie=Wk9NR1RISVNJU05PVEVOQ1JZUFRFREFUQUxMV0hBVFRIRUhFTExJU0hIRUxMQVJFWU9VRE9JTkdaT01Hb2htYXliZXRoaXNpc2Fub2xkc2Vzc2lvbmNvb2tpZQo=;awfulcookie=awfulcookievalue;
		12	--ENV--
		13	return <<<EOF
		14	REMOTE_ADDR=127.0.0.1
		15	EOF;
		16	--FILE--
		17	<?php
		18	echo "1337\n";
		19	var_dump($_COOKIE); ?>
		20	--EXPECT--
		21	1337
		22	array(2) {
		23	["super_cookie"]=>
		24	string(124) "Wk9NR1RISVNJU05PVEVOQ1JZUFRFREFUQUxMV0hBVFRIRUhFTExJU0hIRUxMQVJFWU9VRE9JTkdaT01Hb2htYXliZXRoaXNpc2Fub2xkc2Vzc2lvbmNvb2tpZQo="
		25	["awfulcookie"]=>
		26	string(16) "awfulcookievalue"
		27	}