1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
#include "php_snuffleupagus.h"
PHP_FUNCTION(sp_serialize) {
zif_handler orig_handler;
/* Call the original `serialize` function. */
orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("serialize"));
if (orig_handler) {
orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
}
/* Compute the HMAC of the textual representation of the serialized data*/
zval func_name;
zval hmac;
zval params[3] = {0};
ZVAL_STRING(&func_name, "hash_hmac");
ZVAL_STRING(¶ms[0], "sha256");
params[1] = *return_value;
ZVAL_STRING(
¶ms[2],
ZSTR_VAL(SPCFG(encryption_key)));
call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
if (len < Z_STRLEN_P(return_value)) {
// LCOV_EXCL_START
sp_log_err("overflow_error",
"Overflow tentative detected in sp_serialize.");
zend_bailout();
// LCOV_EXCL_STOP
}
/* Append the computed HMAC to the serialized data. */
return_value->value.str = zend_string_concat2(Z_STRVAL_P(return_value), Z_STRLEN_P(return_value), Z_STRVAL(hmac), Z_STRLEN(hmac));
return;
}
PHP_FUNCTION(sp_unserialize) {
zif_handler orig_handler;
char *buf = NULL;
char *serialized_str = NULL;
char *hmac = NULL;
zval expected_hmac;
size_t buf_len = 0;
zval *opts = NULL;
const sp_config_unserialize *config_unserialize = &(SPCFG(unserialize));
if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a", &buf, &buf_len, &opts) ==
FAILURE) {
RETURN_FALSE;
}
/* 64 is the length of HMAC-256 */
if (buf_len < 64) {
sp_log_drop("unserialize", "The serialized object is too small.");
}
hmac = buf + buf_len - 64;
serialized_str = ecalloc(buf_len - 64 + 1, 1);
memcpy(serialized_str, buf, buf_len - 64);
zval func_name;
ZVAL_STRING(&func_name, "hash_hmac");
zval params[3] = {0};
ZVAL_STRING(¶ms[0], "sha256");
ZVAL_STRING(¶ms[1], serialized_str);
ZVAL_STRING(
¶ms[2],
ZSTR_VAL(SPCFG(encryption_key)));
call_user_function(CG(function_table), NULL, &func_name, &expected_hmac, 3,
params);
unsigned int status = 0;
for (uint8_t i = 0; i < 64; i++) {
status |= (hmac[i] ^ (Z_STRVAL(expected_hmac))[i]);
}
if (0 == status) {
if ((orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")))) {
orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
}
} else {
if (config_unserialize->dump) {
sp_log_request(config_unserialize->dump,
config_unserialize->textual_representation);
}
if (true == config_unserialize->simulation) {
sp_log_simulation("unserialize", "Invalid HMAC for %s", serialized_str);
if ((orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")))) {
orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
}
} else {
sp_log_drop("unserialize", "Invalid HMAC for %s", serialized_str);
}
}
efree(serialized_str);
return;
}
int hook_serialize(void) {
TSRMLS_FETCH();
HOOK_FUNCTION("serialize", sp_internal_functions_hook, PHP_FN(sp_serialize));
HOOK_FUNCTION("unserialize", sp_internal_functions_hook,
PHP_FN(sp_unserialize));
return SUCCESS;
}
|
