From c180da6de0851521cae98a1b385e03a120d5cf61 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de>
Date: Tue, 1 Mar 2016 14:55:46 +0100
Subject: [PATCH] added secure configuration loader (#28)

---
 Changelog      |   1 +
 config.m4      |   2 +-
 config.w32     |   2 +-
 php_suhosin.h  |   4 ++
 secureconfig.c | 135 +++++++++++++++++++++++++++++++++++++++++++++++++
 suhosin.c      |   7 ++-
 6 files changed, 148 insertions(+), 3 deletions(-)
 create mode 100644 secureconfig.c

diff --git a/Changelog b/Changelog
index fbf5709..8c7edae 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@
     - removed dead code
     - better debian integration
     - fixed perdir checks
+    - added Juergen Pabel's secure configuration loader to experimental features
 
 2015-05-21 - 0.9.38
     - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
diff --git a/config.m4 b/config.m4
index c908de9..7a3843e 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin, whether to enable suhosin support,
 [  --enable-suhosin        Enable suhosin support])
 
 if test "$PHP_SUHOSIN" != "no"; then
-  PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c, $ext_shared)
+  PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c, $ext_shared)
 fi
 
 PHP_ARG_ENABLE(suhosin-experimental, whether to enable experimental suhosin features,
diff --git a/config.w32 b/config.w32
index ecfe832..1b63bdf 100644
--- a/config.w32
+++ b/config.w32
@@ -4,7 +4,7 @@
 ARG_ENABLE("suhosin", "whether to enable suhosin support", "yes");
 
 if (PHP_SUHOSIN == "yes") {
-	EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c");
+	EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c");
 	ARG_ENABLE("suhosin-experimental", "Enable experimental suhosin features", "no");
 
 	if (PHP_SUHOSIN_EXPERIMENTAL != "no") {
diff --git a/php_suhosin.h b/php_suhosin.h
index 824ce21..3fa4160 100644
--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -320,6 +320,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
 	zend_bool sql_perdir;
 	zend_bool misc_perdir;
 
+	// misc
+	char*	secureconfig_cryptkey;
+
 ZEND_END_MODULE_GLOBALS(suhosin)
 
 #ifdef ZTS
@@ -400,6 +403,7 @@ int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TS
 void suhosin_bailout(TSRMLS_D);
 size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
 size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
+void suhosin_hook_secureconfig(TSRMLS_D);
 
 
 #endif	/* PHP_SUHOSIN_H */
diff --git a/secureconfig.c b/secureconfig.c
new file mode 100644
index 0000000..075baf0
--- /dev/null
+++ b/secureconfig.c
@@ -0,0 +1,135 @@
+/*
+  +----------------------------------------------------------------------+
+  | Suhosin Version 1                                                    |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2006-2007 The Hardened-PHP Project                     |
+  | Copyright (c) 2007-2010 SektionEins GmbH                             |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 3.01 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available through the world-wide-web at the following url:           |
+  | http://www.php.net/license/3_01.txt                                  |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Author: Juergen Pabel <jpabel@akkaya.de>                             |
+  +----------------------------------------------------------------------+
+*/
+
+#ifdef SUHOSIN_EXPERIMENTAL
+#include <stdio.h>
+#include "php.h"
+#include "php_suhosin.h"
+#include "sha256.h"
+
+static char cryptkey[32];
+
+/* {{{ proto string secureconfig_encrypt(string plaintext)
+   Encrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_encrypt)
+{
+	char *plaintext, *ciphertext;
+	int plaintext_len, ciphertext_len;
+	int i;
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &plaintext, &plaintext_len) == FAILURE) {
+		return;
+	}
+	ciphertext = suhosin_encrypt_string(plaintext, plaintext_len, "", 0, cryptkey TSRMLS_CC);
+	if(ciphertext == NULL) {
+		return;
+	}
+	ciphertext_len = strlen(ciphertext);
+	/* undo suhosin_encrypt_string()'s base64 alphabet transformation */
+	for (i=0; i<ciphertext_len; i++) {
+		switch (ciphertext[i]) {
+			case '-': ciphertext[i]='/'; break;
+			case '.': ciphertext[i]='='; break;
+			case '_': ciphertext[i]='+'; break;
+		}
+	}
+	RETURN_STRINGL((char *)ciphertext, ciphertext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ proto string secureconfig_decrypt(string ciphertext)
+   Decrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_decrypt)
+{
+	char *plaintext, *ciphertext;
+	int plaintext_len, ciphertext_len;
+	int i;
+	
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &ciphertext, &ciphertext_len) == FAILURE) {
+		return;
+	}
+
+	/* redo suhosin_encrypt_string()'s base64 alphabet transformation */
+	for (i=0; i<ciphertext_len; i++) {
+		switch (ciphertext[i]) {
+			case '/': ciphertext[i]='-'; break;
+			case '=': ciphertext[i]='.'; break;
+			case '+': ciphertext[i]='_'; break;
+		}
+	}
+	plaintext = suhosin_decrypt_string(ciphertext, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
+	if(plaintext == NULL || plaintext_len <= 0) {
+		return;
+	}
+	RETURN_STRINGL((char *)plaintext, plaintext_len, 1);
+}
+
+/* }}} */
+
+
+/* {{{ suhosin_secureconfig_functions[]
+ */
+static function_entry suhosin_secureconfig_functions[] = {
+	PHP_NAMED_FE(secureconfig_encrypt, PHP_FN(suhosin_secureconfig_encrypt), NULL)
+	PHP_NAMED_FE(secureconfig_decrypt, PHP_FN(suhosin_secureconfig_decrypt), NULL)
+	{NULL, NULL, NULL}
+};
+/* }}} */
+
+
+void suhosin_hook_secureconfig(TSRMLS_D)
+{
+	char* key;
+	suhosin_SHA256_CTX ctx;
+
+	// TSRMLS_FETCH();
+	
+	/* check if we already have secureconfig support */
+	if (zend_hash_exists(CG(function_table), "secureconfig_encrypt", sizeof("secureconfig_encrypt"))) {
+		return;		
+	}
+
+	key = SUHOSIN_G(secureconfig_cryptkey);
+	if (key != NULL) {
+		suhosin_SHA256Init(&ctx);
+		suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
+		suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
+	} else {
+		memset(cryptkey, 0x55 /*fallback key with alternating bits*/, 32);
+	}
+
+	/* add the secureconfig functions */
+#ifndef ZEND_ENGINE_2
+	zend_register_functions(suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#else
+	zend_register_functions(NULL, suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#endif
+}
+
+#endif /* SUHOSIN_EXPERIMENTAL */
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff --git a/suhosin.c b/suhosin.c
index dede702..93dfd08 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -907,6 +907,8 @@ PHP_INI_BEGIN()
 	STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals,	suhosin_globals)
 	STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals,	suhosin_globals)
 
+	STD_PHP_INI_ENTRY("suhosin.secureconfig.cryptkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, secureconfig_cryptkey, zend_suhosin_globals, suhosin_globals)
+
 PHP_INI_END()
 /* }}} */
 
@@ -1051,7 +1053,10 @@ PHP_MINIT_FUNCTION(suhosin)
 	suhosin_hook_memory_limit(TSRMLS_C);
 	suhosin_hook_sha256(TSRMLS_C);
 	suhosin_hook_ex_imp(TSRMLS_C);
-
+#ifdef SUHOSIN_EXPERIMENTAL
+	suhosin_hook_secureconfig(TSRMLS_C);
+#endif
+	
 #if PHP_VERSION_ID < 50500
 	/* register the logo for phpinfo */
 	php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo));