From 89e859d09248de6b1b9b9cdd652cb72c9f7ff098 Mon Sep 17 00:00:00 2001 From: xXx-caillou-xXx Date: Wed, 29 Aug 2018 18:09:51 +0200 Subject: Change how we're validating certificates --- src/config.m4 | 1 - src/php_snuffleupagus.h | 1 - src/snuffleupagus.c | 6 ---- src/sp_config.c | 1 - src/sp_config.h | 8 ------ src/sp_config_keywords.c | 5 ---- src/sp_config_keywords.h | 1 - src/sp_curl_verify_certificates.c | 33 ---------------------- src/sp_curl_verify_certificates.h | 15 ---------- .../config/disabled_function_curl_verify_certs.ini | 19 ++++++++++++- ...isabled_function_ensure_client_valid_certs.phpt | 18 ++++++++++++ ...nsure_client_valid_certs_curl_multi_setopt.phpt | 19 +++++++++++++ ...nsure_client_valid_certs_curl_setopt_array.phpt | 21 ++++++++++++++ ...isabled_function_ensure_server_valid_certs.phpt | 18 ++++++++++++ ...nsure_server_valid_certs_curl_multi_setopt.phpt | 19 +++++++++++++ ...nsure_server_valid_certs_curl_setopt_array.phpt | 21 ++++++++++++++ src/tests/ensure_client_valid_certs.phpt | 18 ------------ src/tests/ensure_server_valid_certs.phpt | 18 ------------ 18 files changed, 134 insertions(+), 108 deletions(-) delete mode 100644 src/sp_curl_verify_certificates.c delete mode 100644 src/sp_curl_verify_certificates.h create mode 100644 src/tests/disabled_function_ensure_client_valid_certs.phpt create mode 100644 src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt create mode 100644 src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt create mode 100644 src/tests/disabled_function_ensure_server_valid_certs.phpt create mode 100644 src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt create mode 100644 src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt delete mode 100644 src/tests/ensure_client_valid_certs.phpt delete mode 100644 src/tests/ensure_server_valid_certs.phpt (limited to 'src') 
diff --git a/src/config.m4 b/src/config.m4 index dc88661..52b6d04 100644 --- a/src/config.m4 +++ b/src/config.m4 @@ -7,7 +7,6 @@ sources="$sources sp_disabled_functions.c sp_execute.c sp_upload_validation.c" sources="$sources sp_cookie_encryption.c sp_network_utils.c tweetnacl.c" sources="$sources sp_config_keywords.c sp_var_parser.c sp_var_value.c sp_tree.c" sources="$sources sp_pcre_compat.c sp_crypt.c sp_session.c sp_sloppy.c sp_wrapper.c" -sources="$sources sp_curl_verify_certificates.c" PHP_ARG_ENABLE(snuffleupagus, whether to enable snuffleupagus support, [ --enable-snuffleupagus Enable snuffleupagus support]) diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 9dc045c..41d9b77 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h @@ -32,7 +32,6 @@ #include "sp_config.h" #include "sp_config_utils.h" #include "sp_config_keywords.h" -#include "sp_curl_verify_certificates.h" #include "sp_cookie_encryption.h" #include "sp_disable_xxe.h" #include "sp_disabled_functions.h" diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c index ca23bac..5ef8323 100644 --- a/src/snuffleupagus.c +++ b/src/snuffleupagus.c @@ -96,7 +96,6 @@ PHP_GINIT_FUNCTION(snuffleupagus) { SP_INIT(snuffleupagus_globals->config.config_session); SP_INIT(snuffleupagus_globals->config.config_eval); SP_INIT(snuffleupagus_globals->config.config_wrapper); - SP_INIT(snuffleupagus_globals->config.config_curl_verify_certificates); snuffleupagus_globals->config.config_disabled_functions_reg ->disabled_functions = NULL; 
@@ -144,7 +143,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) { pefree(SNUFFLEUPAGUS_G(config.config_random), 1); pefree(SNUFFLEUPAGUS_G(config.config_readonly_exec), 1); pefree(SNUFFLEUPAGUS_G(config.config_global_strict), 1); - pefree(SNUFFLEUPAGUS_G(config.config_curl_verify_certificates), 1); pefree(SNUFFLEUPAGUS_G(config.config_auto_cookie_secure), 1); pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1); pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1); @@ -274,10 +272,6 @@ static PHP_INI_MH(OnUpdateConfiguration) { hook_session(); } - if (SNUFFLEUPAGUS_G(config).config_curl_verify_certificates->enable) { - hook_curl_verify_certificates(); - } - if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) { if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) { zend_extension_entry.startup = NULL; diff --git a/src/sp_config.c b/src/sp_config.c index bc703a6..2480362 100644 --- a/src/sp_config.c +++ b/src/sp_config.c @@ -24,7 +24,6 @@ sp_config_tokens const sp_func[] = { {.func = parse_session, .token = SP_TOKEN_SESSION_ENCRYPTION}, {.func = parse_sloppy_comparison, .token = SP_TOKEN_SLOPPY_COMPARISON}, {.func = parse_wrapper_whitelist, .token = SP_TOKEN_ALLOW_WRAPPERS}, - {.func = parse_curl_verify_certificates, .token = SP_TOKEN_CURL_VERIFY_CERTIFICATES}, {NULL, NULL}}; /* Top level keyword parsing */ diff --git a/src/sp_config.h b/src/sp_config.h index 4d85cf2..9d58359 100644 --- a/src/sp_config.h +++ b/src/sp_config.h @@ -53,10 +53,6 @@ typedef struct { bool enable; } sp_config_global_strict; -typedef struct { - bool enable; -} sp_config_curl_verify_certificates; - typedef struct { bool enable; } sp_config_random; @@ -166,7 +162,6 @@ typedef struct { typedef struct { sp_config_random *config_random; - sp_config_curl_verify_certificates *config_curl_verify_certificates; sp_config_sloppy *config_sloppy; sp_config_unserialize *config_unserialize; sp_config_readonly_exec *config_readonly_exec; 
@@ -269,9 +264,6 @@ typedef struct { // upload_validator #define SP_TOKEN_UPLOAD_SCRIPT ".script(" -// cURL certificate verify -# define SP_TOKEN_CURL_VERIFY_CERTIFICATES ".curl_verify_certificates" - #define SP_TOKEN_LIST ".list(" int sp_parse_config(const char *); diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index ee4d130..93077c6 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -94,11 +94,6 @@ int parse_global_strict(char *line) { line, &(SNUFFLEUPAGUS_G(config).config_global_strict->enable), NULL); } -int parse_curl_verify_certificates(char *line) { - return parse_enable( - line, &(SNUFFLEUPAGUS_G(config).config_curl_verify_certificates->enable), NULL); -} - int parse_unserialize(char *line) { bool enable = false, disable = false; sp_config_unserialize *unserialize = diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h index f7a4ca4..ab58456 100644 --- a/src/sp_config_keywords.h +++ b/src/sp_config_keywords.h @@ -17,6 +17,5 @@ int parse_eval_whitelist(char *line); int parse_session(char *line); int parse_sloppy_comparison(char *line); int parse_wrapper_whitelist(char *line); -int parse_curl_verify_certificates(char *line); #endif // __SP_CONFIG_KEYWORDS_H diff --git a/src/sp_curl_verify_certificates.c b/src/sp_curl_verify_certificates.c deleted file mode 100644 index 057ee29..0000000 --- a/src/sp_curl_verify_certificates.c +++ /dev/null 
@@ -1,33 +0,0 @@
-#include "php_snuffleupagus.h"
-#include "sp_config.h"
-
-ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
-
-PHP_FUNCTION(sp_curl_setopt) {
- void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
- zend_string *protocol_name = NULL;
- zval *zid, *zvalue;
- zend_long options;
-
- ZEND_PARSE_PARAMETERS_START(3, 3)
- Z_PARAM_RESOURCE(zid)
- Z_PARAM_LONG(options)
- Z_PARAM_ZVAL(zvalue)
- ZEND_PARSE_PARAMETERS_END();
-
- if (options & CURLOPT_SSL_VERIFYPEER && zval_get_long(zvalue) != 1) {
- sp_log_err("verify_vertificates", "Please don't deactivate server certificate validation");
- } else if (options & CURLOPT_SSL_VERIFYHOST && zval_get_long(zvalue) != 2) {
- sp_log_err("verify_vertificates", "Please don't deactivate client certificate validation");
- }
-
- orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
-}
-
-int hook_curl_verify_certificates() {
- TSRMLS_FETCH();
-
- HOOK_FUNCTION("curl_setopt", sp_internal_functions_hook, PHP_FN(sp_curl_setopt));
-
- return SUCCESS;
-}
diff --git a/src/sp_curl_verify_certificates.h b/src/sp_curl_verify_certificates.h
deleted file mode 100644
index f4f680e..0000000
--- a/src/sp_curl_verify_certificates.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef SP_CURL_VERIFY_CERTIFICATES_H
-#define SP_CURL_VERIFY_CERTIFICATES_H
-#include "php_snuffleupagus.h"
-
-#ifndef CURLOPT_SSL_VERIFYPEER
-#define CURLOPT_SSL_VERIFYPEER 64
-#endif
-
-#ifndef CURLOPT_SSL_VERIFYHOST
-#define CURLOPT_SSL_VERIFYHOST 81
-#endif
-
-int hook_curl_verify_certificates();
-
-#endif
diff --git a/src/tests/config/disabled_function_curl_verify_certs.ini b/src/tests/config/disabled_function_curl_verify_certs.ini
index 64d54a7..133e024 100644
--- a/src/tests/config/disabled_function_curl_verify_certs.ini
+++ b/src/tests/config/disabled_function_curl_verify_certs.ini
@@ -1 +1,18 @@
-sp.curl_verify_certificates.enable();
+# `81` being SSL_VERIFYHOST, and `64` SSL_VERIFYPEER
+
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYHOST]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYPEER]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_multi_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_multi_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_multi_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_multi_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
diff --git a/src/tests/disabled_function_ensure_client_valid_certs.phpt b/src/tests/disabled_function_ensure_client_valid_certs.phpt
new file mode 100644
index 0000000..374ee42
--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs.phpt
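Review bot: The `curl_setopt_array` rules are a denylist on the literal value `0`, while the `curl_setopt` rules above them are an allowlist (`1` and `2` pass, anything else on option 81/64 is dropped), so the two call paths do not enforce the same policy. Depending on how the rule engine stringifies arguments, `CURLOPT_SSL_VERIFYPEER => false` or `CURLOPT_SSL_VERIFYHOST => 1` in an options array would likely not match `.value("0")` and the call would go through. The `.value("1").allow()` rules also let `CURLOPT_SSL_VERIFYHOST` be set to 1, which the removed hook rejected (`!= 2`) and which older libcurl versions treat as a weaker check than 2. I would at least record the limit in the file, e.g. `# NOTE: curl_setopt_array is only blocked for the literal value 0; false/null and VERIFYHOST=1 are not covered`, and add tests for those inputs.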
@@ -0,0 +1,18 @@ +--TEST-- +Disable functions - Ensure that client certificates validation can't be disabled +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs.php on line %d diff --git a/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt b/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt new file mode 100644 index 0000000..fd4d176 --- /dev/null +++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt @@ -0,0 +1,19 @@ +--TEST-- +Disable functions - Ensure that client certificates validation can't be disabled via `curl_multi_setopt` +--EXTENSIONS-- +curl +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.php on line %d diff --git a/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt b/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt new file mode 100644 index 0000000..ce6a585 --- /dev/null +++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt 
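Review bot: The `--TEST--` title says client certificate validation, but the message in `--EXPECTF--` is the rule for `CURLOPT_SSL_VERIFYPEER`, which governs whether the client verifies the server's certificate chain; no client certificate is involved. The sibling `ensure_server_*` tests map to `CURLOPT_SSL_VERIFYHOST`, the hostname match on that same server certificate, so the client/server split in the file names and titles is misleading, and it recurs in the `curl_multi_setopt` and `curl_setopt_array` variants. I would title this one `Disable functions - Ensure that peer certificate verification (CURLOPT_SSL_VERIFYPEER) can't be disabled` and the others `... hostname verification (CURLOPT_SSL_VERIFYHOST) ...`. The `--FILE--` body is not visible in this view, so this rests on the title and expected output only.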
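Review bot: Option 64 is `CURLOPT_SSL_VERIFYPEER`, an easy-handle option, whereas `curl_multi_setopt` takes `CURLMOPT_*` options, so as far as I can tell this test shows the rule firing on a number rather than blocking a real way to turn verification off. The same applies to the `ensure_server_valid_certs_curl_multi_setopt` test with option 81. If the intent is only to exercise rule matching on a third function, the title should say so, e.g. `Disable functions - rule matching on curl_multi_setopt option numbers`; otherwise the `curl_multi_setopt` rules and tests suggest coverage that the multi interface does not need, and could later collide with a legitimate multi option that shares the number.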
@@ -0,0 +1,21 @@ +--TEST-- +Disable functions - Ensure that client certificates validation can't be disabled via `curl_setopt_array` +--EXTENSIONS-- +curl +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + 0); +curl_setopt_array($ch, $options); +echo "1337"; +?> +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.php on line 5 diff --git a/src/tests/disabled_function_ensure_server_valid_certs.phpt b/src/tests/disabled_function_ensure_server_valid_certs.phpt new file mode 100644 index 0000000..01a4406 --- /dev/null +++ b/src/tests/disabled_function_ensure_server_valid_certs.phpt @@ -0,0 +1,18 @@ +--TEST-- +Disable functions - Ensure that server certificates validation can't be disabled +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs.php on line %d diff --git a/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt b/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt new file mode 100644 index 0000000..add2a18 --- /dev/null +++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt 
@@ -0,0 +1,19 @@ +--TEST-- +Disable functions - Ensure that server certificates validation can't be disabled via `curl_multi_setopt` +--EXTENSIONS-- +curl +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.php on line %d diff --git a/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt b/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt new file mode 100644 index 0000000..3345797 --- /dev/null +++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt @@ -0,0 +1,21 @@ +--TEST-- +Disable functions - Ensure that server certificates validation can't be disabled via `curl_setopt_array` +--EXTENSIONS-- +curl +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini +--FILE-- + 0); +curl_setopt_array($ch, $options); +echo "1337"; +?> +--EXPECTF-- +Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.php on line 5 diff --git a/src/tests/ensure_client_valid_certs.phpt b/src/tests/ensure_client_valid_certs.phpt deleted file mode 100644 index 64c523c..0000000 --- a/src/tests/ensure_client_valid_certs.phpt +++ /dev/null 
@@ -1,18 +0,0 @@ ---TEST-- -Disable functions - Ensure that client certificates validation can't be disabled ---SKIPIF-- - ---INI-- -sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini ---FILE-- - ---EXPECTF-- -Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_client_valid_certs.php on line %d diff --git a/src/tests/ensure_server_valid_certs.phpt b/src/tests/ensure_server_valid_certs.phpt deleted file mode 100644 index 7eaf1a4..0000000 --- a/src/tests/ensure_server_valid_certs.phpt +++ /dev/null @@ -1,18 +0,0 @@ ---TEST-- -Disable functions - Ensure that server certificates validation can't be disabled ---SKIPIF-- - ---INI-- -sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini ---FILE-- - ---EXPECTF-- -Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_server_valid_certs.php on line 3 -- cgit v1.3