github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-17 14:46:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds password to the encryption

Browse Source
This commit is contained in:
Felipe Zimmerle 2018-07-04 00:19:06 -03:00 committed by John Doe
parent 5fe0a8de31
commit fe82df2c6e
9 changed files with 68 additions and 23367 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
others/Makefile.am
View File

@ -25,6 +25,7 @@ libmbedtls_la_SOURCES = \
mbedtls/md5.c \ mbedtls/md5.c \
mbedtls/aes.c \ mbedtls/aes.c \
mbedtls/aesni.c \ mbedtls/aesni.c \
mbedtls/sha512.c \
mbedtls/platform_util.c \ mbedtls/platform_util.c \
mbedtls/sha1.c mbedtls/sha1.c

322
src/parser/location.hh
View File

@ -1,322 +0,0 @@
// A Bison parser, made by GNU Bison 3.2.
// Locations for Bison parsers in C++
// Copyright (C) 2002-2015, 2018 Free Software Foundation, Inc.
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// As a special exception, you may create a larger work that contains
// part or all of the Bison parser skeleton and distribute that work
// under terms of your choice, so long as that work isn't itself a
// parser generator using the skeleton or a modified version thereof
// as a parser skeleton. Alternatively, if you modify or redistribute
// the parser skeleton itself, you may (at your option) remove this
// special exception, which will cause the skeleton and the resulting
// Bison output files to be licensed under the GNU General Public
// License without this special exception.
// This special exception was added by the Free Software Foundation in
// version 2.2 of Bison.
/**
** \file location.hh
** Define the yy::location class.
*/
#ifndef YY_YY_LOCATION_HH_INCLUDED
# define YY_YY_LOCATION_HH_INCLUDED
# include <algorithm> // std::max
# include <iostream>
# include <string>
# ifndef YY_NULLPTR
# if defined __cplusplus
# if 201103L <= __cplusplus
# define YY_NULLPTR nullptr
# else
# define YY_NULLPTR 0
# endif
# else
# define YY_NULLPTR ((void*)0)
# endif
# endif
namespace yy {
#line 60 "location.hh" // location.cc:339
/// Abstract a position.
class position
{
public:
/// Construct a position.
explicit position (std::string* f = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
: filename (f)
, line (l)
, column (c)
{}
/// Initialization.
void initialize (std::string* fn = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
{
filename = fn;
line = l;
column = c;
}
/** \name Line and Column related manipulators
** \{ */
/// (line related) Advance to the COUNT next lines.
void lines (int count = 1)
{
if (count)
{
column = 1u;
line = add_ (line, count, 1);
}
}
/// (column related) Advance to the COUNT next columns.
void columns (int count = 1)
{
column = add_ (column, count, 1);
}
/** \} */
/// File name to which this position refers.
std::string* filename;
/// Current line number.
unsigned line;
/// Current column number.
unsigned column;
private:
/// Compute max (min, lhs+rhs).
static unsigned add_ (unsigned lhs, int rhs, int min)
{
return static_cast<unsigned> (std::max (min,
static_cast<int> (lhs) + rhs));
}
};
/// Add \a width columns, in place.
inline position&
operator+= (position& res, int width)
{
res.columns (width);
return res;
}
/// Add \a width columns.
inline position
operator+ (position res, int width)
{
return res += width;
}
/// Subtract \a width columns, in place.
inline position&
operator-= (position& res, int width)
{
return res += -width;
}
/// Subtract \a width columns.
inline position
operator- (position res, int width)
{
return res -= width;
}
/// Compare two position objects.
inline bool
operator== (const position& pos1, const position& pos2)
{
return (pos1.line == pos2.line
&& pos1.column == pos2.column
&& (pos1.filename == pos2.filename
|| (pos1.filename && pos2.filename
&& *pos1.filename == *pos2.filename)));
}
/// Compare two position objects.
inline bool
operator!= (const position& pos1, const position& pos2)
{
return !(pos1 == pos2);
}
/** \brief Intercept output stream redirection.
** \param ostr the destination output stream
** \param pos a reference to the position to redirect
*/
template <typename YYChar>
std::basic_ostream<YYChar>&
operator<< (std::basic_ostream<YYChar>& ostr, const position& pos)
{
if (pos.filename)
ostr << *pos.filename << ':';
return ostr << pos.line << '.' << pos.column;
}
/// Abstract a location.
class location
{
public:
/// Construct a location from \a b to \a e.
location (const position& b, const position& e)
: begin (b)
, end (e)
{}
/// Construct a 0-width location in \a p.
explicit location (const position& p = position ())
: begin (p)
, end (p)
{}
/// Construct a 0-width location in \a f, \a l, \a c.
explicit location (std::string* f,
unsigned l = 1u,
unsigned c = 1u)
: begin (f, l, c)
, end (f, l, c)
{}
/// Initialization.
void initialize (std::string* f = YY_NULLPTR,
unsigned l = 1u,
unsigned c = 1u)
{
begin.initialize (f, l, c);
end = begin;
}
/** \name Line and Column related manipulators
** \{ */
public:
/// Reset initial location to final location.
void step ()
{
begin = end;
}
/// Extend the current location to the COUNT next columns.
void columns (int count = 1)
{
end += count;
}
/// Extend the current location to the COUNT next lines.
void lines (int count = 1)
{
end.lines (count);
}
/** \} */
public:
/// Beginning of the located region.
position begin;
/// End of the located region.
position end;
};
/// Join two locations, in place.
inline location& operator+= (location& res, const location& end)
{
res.end = end.end;
return res;
}
/// Join two locations.
inline location operator+ (location res, const location& end)
{
return res += end;
}
/// Add \a width columns to the end position, in place.
inline location& operator+= (location& res, int width)
{
res.columns (width);
return res;
}
/// Add \a width columns to the end position.
inline location operator+ (location res, int width)
{
return res += width;
}
/// Subtract \a width columns to the end position, in place.
inline location& operator-= (location& res, int width)
{
return res += -width;
}
/// Subtract \a width columns to the end position.
inline location operator- (location res, int width)
{
return res -= width;
}
/// Compare two location objects.
inline bool
operator== (const location& loc1, const location& loc2)
{
return loc1.begin == loc2.begin && loc1.end == loc2.end;
}
/// Compare two location objects.
inline bool
operator!= (const location& loc1, const location& loc2)
{
return !(loc1 == loc2);
}
/** \brief Intercept output stream redirection.
** \param ostr the destination output stream
** \param loc a reference to the location to redirect
**
** Avoid duplicate information.
*/
template <typename YYChar>
std::basic_ostream<YYChar>&
operator<< (std::basic_ostream<YYChar>& ostr, const location& loc)
{
unsigned end_col = 0 < loc.end.column ? loc.end.column - 1 : 0;
ostr << loc.begin;
if (loc.end.filename
&& (!loc.begin.filename
|| *loc.begin.filename != *loc.end.filename))
ostr << '-' << loc.end.filename << ':' << loc.end.line << '.' << end_col;
else if (loc.begin.line < loc.end.line)
ostr << '-' << loc.end.line << '.' << end_col;
else if (loc.begin.column < end_col)
ostr << '-' << end_col;
return ostr;
}
} // yy
#line 322 "location.hh" // location.cc:339
#endif // !YY_YY_LOCATION_HH_INCLUDED

11
src/parser/position.hh
View File

@ -1,11 +0,0 @@
// A Bison parser, made by GNU Bison 3.2.
// Starting with Bison 3.2, this file is useless: the structure it
// used to define is now defined in "location.hh".
//
// To get rid of this file:
// 1. add 'require "3.2"' (or newer) to your grammar file
// 2. remove references to this file from your build system
// 3. if you used to include it, include "location.hh" instead.
#include "location.hh"

6855
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

6448
src/parser/seclang-parser.hh
View File

File diff suppressed because it is too large Load Diff

9697
src/parser/seclang-scanner.cc
View File

File diff suppressed because it is too large Load Diff

88
src/parser/seclang-scanner.ll
View File

@ -9,6 +9,7 @@
#include "src/utils/https_client.h" #include "src/utils/https_client.h"
#include "src/utils/string.h" #include "src/utils/string.h"
#include "others/mbedtls/aes.h" #include "others/mbedtls/aes.h"
#include "others/mbedtls/sha512.h"
using modsecurity::Parser::Driver; using modsecurity::Parser::Driver;
using modsecurity::Utils::HttpsClient; using modsecurity::Utils::HttpsClient;
@ -1287,42 +1288,85 @@ EQUALS_MINUS (?i:=\-)
free(f); free(f);
} }
{CONFIG_SEC_BINARY_RULES}[ ]+[^\n\r ]+ { {CONFIG_SEC_BINARY_RULES}[ ]+[^\n\r ]+[ ]+[^\n\r ]+ {
// https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc std::stringstream z;
mbedtls_aes_context aes;
std::vector<std::string> conf = modsecurity::utils::string::split(yytext, ' '); std::vector<std::string> conf = modsecurity::utils::string::split(yytext, ' ');
if (conf.size() < 2) {
driver.error (*driver.loc.back(), "", "SecRemoteRules demands a key and a URI"); std::cout << " --> " << yytext << std::endl;
for (std::string a : conf) {
std::cout << a << std::endl;
}
if (conf.size() < 3) {
driver.error (*driver.loc.back(), "", "SecBinaryRules demands a key and a File");
throw p::syntax_error(*driver.loc.back(), "");
}
std::string file(conf[2]);
std::ifstream infile(file);
if (!infile) {
driver.error (*driver.loc.back(), "", "SecBinaryRules demands a target file. " + file + " does not seems to be valid.");
throw p::syntax_error(*driver.loc.back(), ""); throw p::syntax_error(*driver.loc.back(), "");
} }
std::ifstream t(conf[1]); infile.seekg(0, infile.end);
std::string str; size_t inlen = infile.tellg();
std::cout << conf[1] << std::endl; infile.seekg(0, infile.beg);
mbedtls_aes_context ctx;
unsigned char iv[16] = { 0x11, 0x22, 0xed, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
unsigned char key[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
size_t inblock_size = 16;
unsigned char input[inblock_size];
unsigned char output[inblock_size];
unsigned char hash_output[64];
mbedtls_sha512_context ct;
mbedtls_sha512_init( &ct );
mbedtls_sha512_starts( &ct, 0 );
mbedtls_aes_init( &ctx );
for (int i = 0; i < 16 && i < conf[1].size(); i++) {
key[i] = conf[1].at(i);
}
t.seekg(0, std::ios::end); mbedtls_aes_setkey_dec(&ctx, key, 128);
str.reserve(t.tellg());
t.seekg(0, std::ios::beg);
str.assign((std::istreambuf_iterator<char>(t)), for (int i = 0; inlen - i > 64 + inblock_size; i = i+inblock_size) {
std::istreambuf_iterator<char>()); infile.read((char*)input, inblock_size);
mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, inblock_size, iv, input, output);
mbedtls_sha512_update( &ct, output, inblock_size );
z.write((char*)output, inblock_size);
}
std::cout << str << std::endl; infile.read((char*)input, inblock_size);
mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, inblock_size, iv, input, output);
mbedtls_sha512_update( &ct, output, inblock_size );
driver.ref.push_back(conf[1]); int i = inblock_size - 1;
for (; i >= 0; i--) {
if (output[i] != 0x01) {
break;
}
}
z.write((char*)output, i+1);
mbedtls_sha512_finish( &ct, hash_output );
unsigned char given_hash[64];
infile.read((char*)given_hash, 64);
driver.ref.push_back(file);
driver.loc.push_back(new yy::location()); driver.loc.push_back(new yy::location());
YY_BUFFER_STATE temp = YY_CURRENT_BUFFER; YY_BUFFER_STATE temp = YY_CURRENT_BUFFER;
yypush_buffer_state(temp); yypush_buffer_state(temp);
unsigned char key[32] = { 0 }; for (size_t i = 0; i < 64; ++i) {
unsigned char iv[16] = { 0 }; if (given_hash[i] != hash_output[i]) {
unsigned char *output = (unsigned char *)malloc(str.size() + 1); driver.error (*driver.loc.back(), "", "Binary file is corrupted or password is wrong.");
mbedtls_aes_setkey_enc( &aes, key, 256 ); throw p::syntax_error(*driver.loc.back(), "");
mbedtls_aes_crypt_cbc( &aes, MBEDTLS_AES_DECRYPT, 24, iv, (unsigned char *) str.c_str(), output ); break;
}
yy_scan_string(str.c_str()); }
yy_scan_string(z.str().c_str());
} }
{CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ { {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ {

8
src/parser/stack.hh
View File

@ -1,8 +0,0 @@
// A Bison parser, made by GNU Bison 3.2.
// Starting with Bison 3.2, this file is useless: the structure it
// used to define is now defined with the parser itself.
//
// To get rid of this file:
// 1. add 'require "3.2"' (or newer) to your grammar file
// 2. remove references to this file from your build system.

5
test/benchmark/basic_rules.conf
View File

@ -1,5 +1,2 @@
Include "../../modsecurity.conf-recommended" SecBinaryRules test /tmp/test.rules.bin
Include "owasp-v3/crs-setup.conf.example"
Include "owasp-v3/rules/*.conf"