added secure configuration loader (#28)
bef committed Mar 1, 2016
1 parent 7060d15 commit c180da6
Showing 6 changed files with 148 additions and 3 deletions.
1 change: 1 addition & 0 deletions Changelog
Expand Up @@ -3,6 +3,7 @@
- removed dead code
- better debian integration
- fixed perdir checks
- added Juergen Pabel's secure configuration loader to experimental features

2015-05-21 - 0.9.38
- removed code compatibility for PHP <5.4 (lots of code + ifdefs)
2 changes: 1 addition & 1 deletion config.m4
Expand Up @@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin, whether to enable suhosin support,
[ --enable-suhosin Enable suhosin support])

if test "$PHP_SUHOSIN" != "no"; then
PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c, $ext_shared)
PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c, $ext_shared)
fi

PHP_ARG_ENABLE(suhosin-experimental, whether to enable experimental suhosin features,
2 changes: 1 addition & 1 deletion config.w32
Expand Up @@ -4,7 +4,7 @@
ARG_ENABLE("suhosin", "whether to enable suhosin support", "yes");

if (PHP_SUHOSIN == "yes") {
EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c");
EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c");
ARG_ENABLE("suhosin-experimental", "Enable experimental suhosin features", "no");

if (PHP_SUHOSIN_EXPERIMENTAL != "no") {
4 changes: 4 additions & 0 deletions php_suhosin.h
Expand Up @@ -320,6 +320,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
zend_bool sql_perdir;
zend_bool misc_perdir;

// misc
char* secureconfig_cryptkey;

ZEND_END_MODULE_GLOBALS(suhosin)

#ifdef ZTS
Expand Down Expand Up @@ -400,6 +403,7 @@ int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TS
void suhosin_bailout(TSRMLS_D);
size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
void suhosin_hook_secureconfig(TSRMLS_D);


#endif /* PHP_SUHOSIN_H */
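Review bot: The `// misc` comment above the new `char* secureconfig_cryptkey;` member says nothing about what the field holds or who consumes it, while the surrounding members are grouped by purpose; replace it with `/* raw suhosin.secureconfig.cryptkey INI string; hashed into the static key by suhosin_hook_secureconfig() (experimental) */`. The prototype `void suhosin_hook_secureconfig(TSRMLS_D);` is declared unconditionally although its definition only exists under SUHOSIN_EXPERIMENTAL; that is harmless as long as every caller stays guarded, but a one-line comment saying so next to the prototype would prevent an unguarded call from a future hook list.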
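--- /dev/null
+++ b/secureconfig.c
@@ -0,0 +1,135 @@
+/*
++----------------------------------------------------------------------+
+| Suhosin Version 1 |
++----------------------------------------------------------------------+
+| Copyright (c) 2006-2007 The Hardened-PHP Project |
+| Copyright (c) 2007-2010 SektionEins GmbH |
++----------------------------------------------------------------------+
+| This source file is subject to version 3.01 of the PHP license, |
+| that is bundled with this package in the file LICENSE, and is |
+| available through the world-wide-web at the following url: |
+| http://www.php.net/license/3_01.txt |
+| If you did not receive a copy of the PHP license and are unable to |
+| obtain it through the world-wide-web, please send a note to |
+| license@php.net so we can mail you a copy immediately. |
++----------------------------------------------------------------------+
+| Author: Juergen Pabel <jpabel@akkaya.de> |
++----------------------------------------------------------------------+
+*/
+
+#ifdef SUHOSIN_EXPERIMENTAL
+#include <stdio.h>
+#include "php.h"
+#include "php_suhosin.h"
+#include "sha256.h"
+
+static char cryptkey[32];
+
+/* {{{ proto string secureconfig_encrypt(string plaintext)
+Encrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_encrypt)
+{
+char *plaintext, *ciphertext;
+int plaintext_len, ciphertext_len;
+int i;
+if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &plaintext, &plaintext_len) == FAILURE) {
+return;
+}
+ciphertext = suhosin_encrypt_string(plaintext, plaintext_len, "", 0, cryptkey TSRMLS_CC);
+if(ciphertext == NULL) {
+return;
+}
+ciphertext_len = strlen(ciphertext);
+/* undo suhosin_encrypt_string()'s base64 alphabet transformation */
+for (i=0; i<ciphertext_len; i++) {
+switch (ciphertext[i]) {
+case '-': ciphertext[i]='/'; break;
+case '.': ciphertext[i]='='; break;
+case '_': ciphertext[i]='+'; break;
+}
+}
+RETURN_STRINGL((char *)ciphertext, ciphertext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ proto string secureconfig_decrypt(string ciphertext)
+Decrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_decrypt)
+{
+char *plaintext, *ciphertext;
+int plaintext_len, ciphertext_len;
+int i;
+
+if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &ciphertext, &ciphertext_len) == FAILURE) {
+return;
+}
+
+/* redo suhosin_encrypt_string()'s base64 alphabet transformation */
+for (i=0; i<ciphertext_len; i++) {
+switch (ciphertext[i]) {
+case '/': ciphertext[i]='-'; break;
+case '=': ciphertext[i]='.'; break;
+case '+': ciphertext[i]='_'; break;
+}
+}
+plaintext = suhosin_decrypt_string(ciphertext, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
+if(plaintext == NULL || plaintext_len <= 0) {
+return;
+}
+RETURN_STRINGL((char *)plaintext, plaintext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ suhosin_secureconfig_functions[]
+*/
+static function_entry suhosin_secureconfig_functions[] = {
+PHP_NAMED_FE(secureconfig_encrypt, PHP_FN(suhosin_secureconfig_encrypt), NULL)
+PHP_NAMED_FE(secureconfig_decrypt, PHP_FN(suhosin_secureconfig_decrypt), NULL)
+{NULL, NULL, NULL}
+};
+/* }}} */
+
+
+void suhosin_hook_secureconfig(TSRMLS_D)
+{
+char* key;
+suhosin_SHA256_CTX ctx;
+
+// TSRMLS_FETCH();
+
+/* check if we already have secureconfig support */
+if (zend_hash_exists(CG(function_table), "secureconfig_encrypt", sizeof("secureconfig_encrypt"))) {
+return;
+}
+
+key = SUHOSIN_G(secureconfig_cryptkey);
+if (key != NULL) {
+suhosin_SHA256Init(&ctx);
+suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
+suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
+} else {
+memset(cryptkey, 0x55 /*fallback key with alternating bits*/, 32);
+}
+
+/* add the secureconfig functions */
+#ifndef ZEND_ENGINE_2
+zend_register_functions(suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#else
+zend_register_functions(NULL, suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#endif
+}
+
+#endif /* SUHOSIN_EXPERIMENTAL */
+
+/*
+* Local variables:
+* tab-width: 4
+* c-basic-offset: 4
+* End:
+* vim600: sw=4 ts=4 fdm=marker
+* vim<600: sw=4 ts=4
+*/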
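Review bot: secureconfig_decrypt() rewrites the caller's string in place — the `case '/':` loop writes into the `ciphertext` buffer that zend_parse_parameters() returned, which points into the argument zval — so a PHP variable (or an interned literal) passed to the function comes back altered; transform a private copy instead, as in the fence below. The key selection in suhosin_hook_secureconfig() also needs attention: the INI entry added in suhosin.c defaults to `""`, so `key != NULL` is true even when nothing was configured and `cryptkey` becomes SHA-256 of the empty string, while the `else` branch installs a fixed 0x55 pattern; both are publicly known keys, so the test should be `if (key == NULL || *key == '\0')` and that branch should skip registering the functions (or emit a startup warning) rather than provide a key that offers no confidentiality. A single unsalted SHA-256 of the configured passphrase is also easy to brute-force when the setting is short, so a salted, iterated derivation would suit a passphrase-style value better. If suhosin_encrypt_string()/suhosin_decrypt_string() return heap-allocated buffers (not visible in this hunk), `RETURN_STRINGL(..., 1)` copies them and the originals are never released; freeing them after the copy, or passing `0` as the dup flag, would close that leak.
```c
static PHP_FUNCTION(suhosin_secureconfig_decrypt)
{
    char *plaintext, *ciphertext, *buf;
    int plaintext_len, ciphertext_len;
    int i;

    /* … unchanged: zend_parse_parameters() … */

    /* transform a private copy: the parameter points into the caller's zval */
    buf = estrndup(ciphertext, ciphertext_len);
    for (i = 0; i < ciphertext_len; i++) {
        switch (buf[i]) {
            case '/': buf[i] = '-'; break;
            case '=': buf[i] = '.'; break;
            case '+': buf[i] = '_'; break;
        }
    }
    plaintext = suhosin_decrypt_string(buf, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
    efree(buf);
    /* … unchanged: NULL/length check and RETURN_STRINGL() … */
```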
7 changes: 6 additions & 1 deletion suhosin.c
Expand Up @@ -907,6 +907,8 @@ PHP_INI_BEGIN()
STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals)
STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals, suhosin_globals)

STD_PHP_INI_ENTRY("suhosin.secureconfig.cryptkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, secureconfig_cryptkey, zend_suhosin_globals, suhosin_globals)

PHP_INI_END()
/* }}} */

Expand Down Expand Up @@ -1051,7 +1053,10 @@ PHP_MINIT_FUNCTION(suhosin)
suhosin_hook_memory_limit(TSRMLS_C);
suhosin_hook_sha256(TSRMLS_C);
suhosin_hook_ex_imp(TSRMLS_C);

#ifdef SUHOSIN_EXPERIMENTAL
suhosin_hook_secureconfig(TSRMLS_C);
#endif

#if PHP_VERSION_ID < 50500
/* register the logo for phpinfo */
php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo));
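Review bot: The new INI entry `STD_PHP_INI_ENTRY("suhosin.secureconfig.cryptkey", ...)` is registered with `PHP_INI_SYSTEM|PHP_INI_PERDIR`, but the key is hashed into the static buffer exactly once, when the second hunk calls `suhosin_hook_secureconfig(TSRMLS_C)` from PHP_MINIT_FUNCTION(suhosin); a per-directory or per-vhost value therefore never reaches the key actually used, which is misleading for an operator who sets it in an .htaccess or vhost block. Either restrict the entry to `PHP_INI_SYSTEM` or derive the key at request time from the current global. Restricting it also keeps the secret out of directory-level configuration files that are commonly readable by the application itself. The enclosing PHP_MINIT_FUNCTION body starts and ends outside this hunk.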
