From c447df6ce8964b2863a50f0f8027d9b234b7507f Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 19 Nov 2021 14:57:01 +0100
Subject: replaced call_user_func with C level call

---
 src/sp_php_compat.c  |  4 +++
 src/sp_php_compat.h  | 36 ++++++++++++++++++++++-
 src/sp_unserialize.c | 81 +++++++++++++++++++++++++++++++++-------------------
 3 files changed, 90 insertions(+), 31 deletions(-)

(limited to 'src')

diff --git a/src/sp_php_compat.c b/src/sp_php_compat.c
index cd7c3e7..a0693c3 100644
--- a/src/sp_php_compat.c
+++ b/src/sp_php_compat.c
@@ -1,5 +1,9 @@
 #include "php_snuffleupagus.h"
 
+/* code in this file is licensed under its original license
+   The PHP License, version 3.01 (https://www.php.net/license/3_01.txt)
+   which is also included with these sources in the file `PHP_LICENSE` */
+
 #if PHP_VERSION_ID < 80000
 
 // copied from PHP 8.0.9 sources
diff --git a/src/sp_php_compat.h b/src/sp_php_compat.h
index 09d9a1f..d1102a8 100644
--- a/src/sp_php_compat.h
+++ b/src/sp_php_compat.h
@@ -1,3 +1,7 @@
+/* code in this file is licensed under its original license
+The PHP License, version 3.01 (https://www.php.net/license/3_01.txt)
+which is also included with these sources in the file `PHP_LICENSE` */
+
 #if PHP_VERSION_ID < 80000
 
 // copied from PHP 8.0.9 sources
@@ -93,4 +97,34 @@ static zend_always_inline void zend_string_efree(zend_string *s)
 		__ht->nNumUsed = _idx; \
 	} while (0)
 
-#endif
\ No newline at end of file
+#endif
+
+// copied from PHP 8.0.11 sources, ext/hash/hash.c
+
+static inline void php_hash_string_xor_char(unsigned char *out, const unsigned char *in, const unsigned char xor_with, const size_t length) {
+	size_t i;
+	for (i=0; i < length; i++) {
+		out[i] = in[i] ^ xor_with;
+	}
+}
+
+static inline void php_hash_hmac_prep_key(unsigned char *K, const php_hash_ops *ops, void *context, const unsigned char *key, const size_t key_len) {
+	memset(K, 0, ops->block_size);
+	if (key_len > ops->block_size) {
+		/* Reduce the key first */
+		ops->hash_init(context);
+		ops->hash_update(context, key, key_len);
+		ops->hash_final(K, context);
+	} else {
+		memcpy(K, key, key_len);
+	}
+	/* XOR the key with 0x36 to get the ipad) */
+	php_hash_string_xor_char(K, K, 0x36, ops->block_size);
+}
+
+static inline void php_hash_hmac_round(unsigned char *final, const php_hash_ops *ops, void *context, const unsigned char *key, const unsigned char *data, const zend_long data_size) {
+	ops->hash_init(context);
+	ops->hash_update(context, key, ops->block_size);
+	ops->hash_update(context, data, data_size);
+	ops->hash_final(final, context);
+}
diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c
index 5ede015..4a9f565 100644
--- a/src/sp_unserialize.c
+++ b/src/sp_unserialize.c
@@ -1,5 +1,40 @@
 #include "php_snuffleupagus.h"
 
+// condensed version of PHP's php_hash_do_hash_hmac() in ext/hash/hash.c
+static zend_string *sp_do_hash_hmac_sha256(char *data, size_t data_len, char *key, size_t key_len)
+{
+  zend_string *algo = zend_string_init(ZEND_STRL("sha256"), 0);
+  const php_hash_ops *ops = php_hash_fetch_ops(algo);
+  zend_string_release_ex(algo, 0);
+
+  if (!ops || !ops->is_crypto) {
+    sp_log_err("unsupported hash algorithm for hmac: %s", ZSTR_VAL(algo));
+    return NULL;
+  }
+
+  void *context = php_hash_alloc_context(ops);
+
+  unsigned char *K = emalloc(ops->block_size);
+  zend_string *digest = zend_string_alloc(ops->digest_size, 0);
+
+  php_hash_hmac_prep_key(K, ops, context, (unsigned char *) key, key_len);
+  php_hash_hmac_round((unsigned char *) ZSTR_VAL(digest), ops, context, K, (unsigned char *) data, data_len);
+  php_hash_string_xor_char(K, K, 0x6A, ops->block_size);
+  php_hash_hmac_round((unsigned char *) ZSTR_VAL(digest), ops, context, K, (unsigned char *) ZSTR_VAL(digest), ops->digest_size);
+
+  /* Zero the key */
+  ZEND_SECURE_ZERO(K, ops->block_size);
+  efree(K);
+  efree(context);
+
+  zend_string *hex_digest = zend_string_safe_alloc(ops->digest_size, 2, 0, 0);
+
+  php_hash_bin2hex(ZSTR_VAL(hex_digest), (unsigned char *) ZSTR_VAL(digest), ops->digest_size);
+  ZSTR_VAL(hex_digest)[2 * ops->digest_size] = 0;
+  zend_string_release_ex(digest, 0);
+  return hex_digest;
+}
+
 PHP_FUNCTION(sp_serialize) {
   zif_handler orig_handler;
 
@@ -10,19 +45,13 @@ PHP_FUNCTION(sp_serialize) {
   }
 
   /* Compute the HMAC of the textual representation of the serialized data*/
-  zval func_name;
-  zval hmac;
-  zval params[3] = {0};
-
-  ZVAL_STRING(&func_name, "hash_hmac");
-  ZVAL_STRING(&params[0], "sha256");
-  params[1] = *return_value;
-  ZVAL_STRING(
-      &params[2],
-      ZSTR_VAL(SPCFG(encryption_key)));
-  call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
-
-  size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
+  zend_string *hmac = sp_do_hash_hmac_sha256(Z_STRVAL_P(return_value), Z_STRLEN_P(return_value), ZSTR_VAL(SPCFG(encryption_key)), ZSTR_LEN(SPCFG(encryption_key)));
+
+  if (!hmac) {
+    zend_bailout();
+  }
+
+  size_t len = Z_STRLEN_P(return_value) + ZSTR_LEN(hmac);
   if (len < Z_STRLEN_P(return_value)) {
     // LCOV_EXCL_START
     sp_log_err("overflow_error",
@@ -32,8 +61,9 @@ PHP_FUNCTION(sp_serialize) {
   }
 
   /* Append the computed HMAC to the serialized data. */
-  return_value->value.str = zend_string_concat2(Z_STRVAL_P(return_value), Z_STRLEN_P(return_value), Z_STRVAL(hmac), Z_STRLEN(hmac));
-  return;
+  zend_string *orig_ret_str = return_value->value.str;
+  RETVAL_NEW_STR(zend_string_concat2(Z_STRVAL_P(return_value), Z_STRLEN_P(return_value), ZSTR_VAL(hmac), ZSTR_LEN(hmac)));
+  zend_string_free(orig_ret_str);
 }
 
 PHP_FUNCTION(sp_unserialize) {
@@ -42,7 +72,6 @@ PHP_FUNCTION(sp_unserialize) {
   char *buf = NULL;
   char *serialized_str = NULL;
   char *hmac = NULL;
-  zval expected_hmac;
   size_t buf_len = 0;
   zval *opts = NULL;
 
@@ -62,22 +91,14 @@ PHP_FUNCTION(sp_unserialize) {
   serialized_str = ecalloc(buf_len - 64 + 1, 1);
   memcpy(serialized_str, buf, buf_len - 64);
 
-  zval func_name;
-  ZVAL_STRING(&func_name, "hash_hmac");
-
-  zval params[3] = {0};
-  ZVAL_STRING(&params[0], "sha256");
-  ZVAL_STRING(&params[1], serialized_str);
-  ZVAL_STRING(
-      &params[2],
-      ZSTR_VAL(SPCFG(encryption_key)));
-  call_user_function(CG(function_table), NULL, &func_name, &expected_hmac, 3,
-                     params);
+  zend_string *expected_hmac = sp_do_hash_hmac_sha256(serialized_str, strlen(serialized_str), ZSTR_VAL(SPCFG(encryption_key)), ZSTR_LEN(SPCFG(encryption_key)));
 
   unsigned int status = 0;
-  for (uint8_t i = 0; i < 64; i++) {
-    status |= (hmac[i] ^ (Z_STRVAL(expected_hmac))[i]);
-  }
+  if (expected_hmac) {
+    for (uint8_t i = 0; i < 64; i++) {
+      status |= (hmac[i] ^ (ZSTR_VAL(expected_hmac))[i]);
+    }
+  } else { status = 1; }
 
   if (0 == status) {
     if ((orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")))) {
-- 
cgit v1.3