Adds password to the encryption

others/Makefile.am

@@ -25,6 +25,7 @@ libmbedtls_la_SOURCES = \
 	mbedtls/md5.c \
 	mbedtls/aes.c \
 	mbedtls/aesni.c \
+	mbedtls/sha512.c \
 	mbedtls/platform_util.c \
 	mbedtls/sha1.c
 

src/parser/location.hh

@@ -1,322 +0,0 @@
-// A Bison parser, made by GNU Bison 3.2.
-
-// Locations for Bison parsers in C++
-
-// Copyright (C) 2002-2015, 2018 Free Software Foundation, Inc.
-
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-
-// You should have received a copy of the GNU General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-// As a special exception, you may create a larger work that contains
-// part or all of the Bison parser skeleton and distribute that work
-// under terms of your choice, so long as that work isn't itself a
-// parser generator using the skeleton or a modified version thereof
-// as a parser skeleton.  Alternatively, if you modify or redistribute
-// the parser skeleton itself, you may (at your option) remove this
-// special exception, which will cause the skeleton and the resulting
-// Bison output files to be licensed under the GNU General Public
-// License without this special exception.
-
-// This special exception was added by the Free Software Foundation in
-// version 2.2 of Bison.
-
-/**
- ** \file location.hh
- ** Define the yy::location class.
- */
-
-#ifndef YY_YY_LOCATION_HH_INCLUDED
-# define YY_YY_LOCATION_HH_INCLUDED
-
-# include <algorithm> // std::max
-# include <iostream>
-# include <string>
-
-# ifndef YY_NULLPTR
-#  if defined __cplusplus
-#   if 201103L <= __cplusplus
-#    define YY_NULLPTR nullptr
-#   else
-#    define YY_NULLPTR 0
-#   endif
-#  else
-#   define YY_NULLPTR ((void*)0)
-#  endif
-# endif
-
-
-namespace yy {
-#line 60 "location.hh" // location.cc:339
-  /// Abstract a position.
-  class position
-  {
-  public:
-    /// Construct a position.
-    explicit position (std::string* f = YY_NULLPTR,
-                       unsigned l = 1u,
-                       unsigned c = 1u)
-      : filename (f)
-      , line (l)
-      , column (c)
-    {}
-
-
-    /// Initialization.
-    void initialize (std::string* fn = YY_NULLPTR,
-                     unsigned l = 1u,
-                     unsigned c = 1u)
-    {
-      filename = fn;
-      line = l;
-      column = c;
-    }
-
-    /** \name Line and Column related manipulators
-     ** \{ */
-    /// (line related) Advance to the COUNT next lines.
-    void lines (int count = 1)
-    {
-      if (count)
-        {
-          column = 1u;
-          line = add_ (line, count, 1);
-        }
-    }
-
-    /// (column related) Advance to the COUNT next columns.
-    void columns (int count = 1)
-    {
-      column = add_ (column, count, 1);
-    }
-    /** \} */
-
-    /// File name to which this position refers.
-    std::string* filename;
-    /// Current line number.
-    unsigned line;
-    /// Current column number.
-    unsigned column;
-
-  private:
-    /// Compute max (min, lhs+rhs).
-    static unsigned add_ (unsigned lhs, int rhs, int min)
-    {
-      return static_cast<unsigned> (std::max (min,
-                                              static_cast<int> (lhs) + rhs));
-    }
-  };
-
-  /// Add \a width columns, in place.
-  inline position&
-  operator+= (position& res, int width)
-  {
-    res.columns (width);
-    return res;
-  }
-
-  /// Add \a width columns.
-  inline position
-  operator+ (position res, int width)
-  {
-    return res += width;
-  }
-
-  /// Subtract \a width columns, in place.
-  inline position&
-  operator-= (position& res, int width)
-  {
-    return res += -width;
-  }
-
-  /// Subtract \a width columns.
-  inline position
-  operator- (position res, int width)
-  {
-    return res -= width;
-  }
-
-  /// Compare two position objects.
-  inline bool
-  operator== (const position& pos1, const position& pos2)
-  {
-    return (pos1.line == pos2.line
-            && pos1.column == pos2.column
-            && (pos1.filename == pos2.filename
-                || (pos1.filename && pos2.filename
-                    && *pos1.filename == *pos2.filename)));
-  }
-
-  /// Compare two position objects.
-  inline bool
-  operator!= (const position& pos1, const position& pos2)
-  {
-    return !(pos1 == pos2);
-  }
-
-  /** \brief Intercept output stream redirection.
-   ** \param ostr the destination output stream
-   ** \param pos a reference to the position to redirect
-   */
-  template <typename YYChar>
-  std::basic_ostream<YYChar>&
-  operator<< (std::basic_ostream<YYChar>& ostr, const position& pos)
-  {
-    if (pos.filename)
-      ostr << *pos.filename << ':';
-    return ostr << pos.line << '.' << pos.column;
-  }
-
-  /// Abstract a location.
-  class location
-  {
-  public:
-
-    /// Construct a location from \a b to \a e.
-    location (const position& b, const position& e)
-      : begin (b)
-      , end (e)
-    {}
-
-    /// Construct a 0-width location in \a p.
-    explicit location (const position& p = position ())
-      : begin (p)
-      , end (p)
-    {}
-
-    /// Construct a 0-width location in \a f, \a l, \a c.
-    explicit location (std::string* f,
-                       unsigned l = 1u,
-                       unsigned c = 1u)
-      : begin (f, l, c)
-      , end (f, l, c)
-    {}
-
-
-    /// Initialization.
-    void initialize (std::string* f = YY_NULLPTR,
-                     unsigned l = 1u,
-                     unsigned c = 1u)
-    {
-      begin.initialize (f, l, c);
-      end = begin;
-    }
-
-    /** \name Line and Column related manipulators
-     ** \{ */
-  public:
-    /// Reset initial location to final location.
-    void step ()
-    {
-      begin = end;
-    }
-
-    /// Extend the current location to the COUNT next columns.
-    void columns (int count = 1)
-    {
-      end += count;
-    }
-
-    /// Extend the current location to the COUNT next lines.
-    void lines (int count = 1)
-    {
-      end.lines (count);
-    }
-    /** \} */
-
-
-  public:
-    /// Beginning of the located region.
-    position begin;
-    /// End of the located region.
-    position end;
-  };
-
-  /// Join two locations, in place.
-  inline location& operator+= (location& res, const location& end)
-  {
-    res.end = end.end;
-    return res;
-  }
-
-  /// Join two locations.
-  inline location operator+ (location res, const location& end)
-  {
-    return res += end;
-  }
-
-  /// Add \a width columns to the end position, in place.
-  inline location& operator+= (location& res, int width)
-  {
-    res.columns (width);
-    return res;
-  }
-
-  /// Add \a width columns to the end position.
-  inline location operator+ (location res, int width)
-  {
-    return res += width;
-  }
-
-  /// Subtract \a width columns to the end position, in place.
-  inline location& operator-= (location& res, int width)
-  {
-    return res += -width;
-  }
-
-  /// Subtract \a width columns to the end position.
-  inline location operator- (location res, int width)
-  {
-    return res -= width;
-  }
-
-  /// Compare two location objects.
-  inline bool
-  operator== (const location& loc1, const location& loc2)
-  {
-    return loc1.begin == loc2.begin && loc1.end == loc2.end;
-  }
-
-  /// Compare two location objects.
-  inline bool
-  operator!= (const location& loc1, const location& loc2)
-  {
-    return !(loc1 == loc2);
-  }
-
-  /** \brief Intercept output stream redirection.
-   ** \param ostr the destination output stream
-   ** \param loc a reference to the location to redirect
-   **
-   ** Avoid duplicate information.
-   */
-  template <typename YYChar>
-  std::basic_ostream<YYChar>&
-  operator<< (std::basic_ostream<YYChar>& ostr, const location& loc)
-  {
-    unsigned end_col = 0 < loc.end.column ? loc.end.column - 1 : 0;
-    ostr << loc.begin;
-    if (loc.end.filename
-        && (!loc.begin.filename
-            || *loc.begin.filename != *loc.end.filename))
-      ostr << '-' << loc.end.filename << ':' << loc.end.line << '.' << end_col;
-    else if (loc.begin.line < loc.end.line)
-      ostr << '-' << loc.end.line << '.' << end_col;
-    else if (loc.begin.column < end_col)
-      ostr << '-' << end_col;
-    return ostr;
-  }
-
-
-} // yy
-#line 322 "location.hh" // location.cc:339
-#endif // !YY_YY_LOCATION_HH_INCLUDED

src/parser/position.hh

@@ -1,11 +0,0 @@
-// A Bison parser, made by GNU Bison 3.2.
-
-// Starting with Bison 3.2, this file is useless: the structure it
-// used to define is now defined in "location.hh".
-//
-// To get rid of this file:
-// 1. add 'require "3.2"' (or newer) to your grammar file
-// 2. remove references to this file from your build system
-// 3. if you used to include it, include "location.hh" instead.
-
-#include "location.hh"

src/parser/seclang-scanner.ll

@@ -9,6 +9,7 @@
 #include "src/utils/https_client.h"
 #include "src/utils/string.h"
 #include "others/mbedtls/aes.h"
+#include "others/mbedtls/sha512.h"
 
 using modsecurity::Parser::Driver;
 using modsecurity::Utils::HttpsClient;
@@ -1287,42 +1288,85 @@ EQUALS_MINUS                            (?i:=\-)
     free(f);
 }
 
-{CONFIG_SEC_BINARY_RULES}[ ]+[^\n\r ]+ {
-// https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc
-    mbedtls_aes_context aes;
+{CONFIG_SEC_BINARY_RULES}[ ]+[^\n\r ]+[ ]+[^\n\r ]+ {
+    std::stringstream z;
     std::vector<std::string> conf = modsecurity::utils::string::split(yytext, ' ');
-    if (conf.size() < 2) {
-        driver.error (*driver.loc.back(), "", "SecRemoteRules demands a key and a URI");
+
+    std::cout << " --> " << yytext << std::endl;
+    for (std::string a : conf) {
+        std::cout << a << std::endl;
+    }
+
+    if (conf.size() < 3) {
+        driver.error (*driver.loc.back(), "", "SecBinaryRules demands a key and a File");
+        throw p::syntax_error(*driver.loc.back(), "");
+    }
+    std::string file(conf[2]);
+    std::ifstream infile(file);
+
+    if (!infile) {
+        driver.error (*driver.loc.back(), "", "SecBinaryRules demands a target file. " + file +  " does not seems to be valid.");
         throw p::syntax_error(*driver.loc.back(), "");
     }
 
-    std::ifstream t(conf[1]);
-    std::string str;
-        std::cout << conf[1] << std::endl;
+    infile.seekg(0, infile.end);
+    size_t inlen = infile.tellg();
+    infile.seekg(0, infile.beg);
+    mbedtls_aes_context ctx;
+    unsigned char iv[16] = { 0x11, 0x22, 0xed, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
+    unsigned char key[16] =  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+    size_t inblock_size = 16;
+    unsigned char input[inblock_size];
+    unsigned char output[inblock_size];
+    unsigned char hash_output[64];
+    mbedtls_sha512_context ct;
+    mbedtls_sha512_init( &ct );
+    mbedtls_sha512_starts( &ct, 0 );
+    mbedtls_aes_init( &ctx );
 
+    for (int i = 0; i < 16 && i < conf[1].size(); i++) {
+        key[i] = conf[1].at(i);
+    }
 
-    t.seekg(0, std::ios::end);
-    str.reserve(t.tellg());
-    t.seekg(0, std::ios::beg);
+    mbedtls_aes_setkey_dec(&ctx, key, 128);
 
-    str.assign((std::istreambuf_iterator<char>(t)),
-        std::istreambuf_iterator<char>());
+    for (int i = 0; inlen - i > 64 + inblock_size; i = i+inblock_size) {
+        infile.read((char*)input, inblock_size);
+        mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, inblock_size, iv, input, output);
+        mbedtls_sha512_update( &ct, output, inblock_size );
+        z.write((char*)output, inblock_size);
+    }
 
-    std::cout << str << std::endl;
+    infile.read((char*)input, inblock_size);
+    mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, inblock_size, iv, input, output);
+    mbedtls_sha512_update( &ct, output, inblock_size );
 
-    driver.ref.push_back(conf[1]);
+    int i = inblock_size - 1;
+    for (; i >= 0; i--) {
+        if (output[i] != 0x01) {
+            break;
+        }
+    }
+
+    z.write((char*)output, i+1);
+    mbedtls_sha512_finish( &ct, hash_output );
+    unsigned char given_hash[64];
+    infile.read((char*)given_hash, 64);
+
+    driver.ref.push_back(file);
     driver.loc.push_back(new yy::location());
     YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
     yypush_buffer_state(temp);
 
-    unsigned char key[32] = { 0 };
-    unsigned char iv[16] = { 0 };
-    unsigned char *output = (unsigned char *)malloc(str.size() + 1);
-    mbedtls_aes_setkey_enc( &aes, key, 256 );
-    mbedtls_aes_crypt_cbc( &aes, MBEDTLS_AES_DECRYPT, 24, iv, (unsigned char *) str.c_str(), output );
-
-    yy_scan_string(str.c_str());
+    for (size_t i = 0; i < 64; ++i) {
+        if (given_hash[i] != hash_output[i]) {
+            driver.error (*driver.loc.back(), "", "Binary file is corrupted or password is wrong.");
+            throw p::syntax_error(*driver.loc.back(), "");
+            break;
+        }
+    }
 
+    yy_scan_string(z.str().c_str());
 }
 
 {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ {

src/parser/stack.hh

@@ -1,8 +0,0 @@
-// A Bison parser, made by GNU Bison 3.2.
-
-// Starting with Bison 3.2, this file is useless: the structure it
-// used to define is now defined with the parser itself.
-//
-// To get rid of this file:
-// 1. add 'require "3.2"' (or newer) to your grammar file
-// 2. remove references to this file from your build system.

test/benchmark/basic_rules.conf

@@ -1,5 +1,2 @@
 
-Include "../../modsecurity.conf-recommended"
-
-Include "owasp-v3/crs-setup.conf.example"
-Include "owasp-v3/rules/*.conf"
+SecBinaryRules test /tmp/test.rules.bin