From 8368db06eebfdbbbd910472c836c87f958fa96e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Thu, 27 Jan 2022 12:34:31 +0100 Subject: [PATCH 01/12] Mark parameter in ext/standard as sensitive No changes to the stubs required, password_hash and password_verify were added to the initial version of the stub support. --- ext/standard/basic_functions.stub.php | 2 +- ext/standard/basic_functions_arginfo.h | 2 +- .../password_hash_sensitive_parameter.phpt | 24 +++++++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 ext/standard/tests/password/password_hash_sensitive_parameter.phpt diff --git a/ext/standard/basic_functions.stub.php b/ext/standard/basic_functions.stub.php index cbdda2bde3c25..3ecd69a1de173 100755 --- a/ext/standard/basic_functions.stub.php +++ b/ext/standard/basic_functions.stub.php @@ -1636,8 +1636,8 @@ function unpack(string $format, string $string, int $offset = 0): array|false {} function password_get_info(string $hash): array {} /** - * @refcount 1 * @sensitive-param $password + * @refcount 1 */ function password_hash(string $password, string|int|null $algo, array $options = []): string {} diff --git a/ext/standard/basic_functions_arginfo.h b/ext/standard/basic_functions_arginfo.h index f72d95e08c245..1be00c3277a78 100644 --- a/ext/standard/basic_functions_arginfo.h +++ b/ext/standard/basic_functions_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: f35440fd9902dd0201fbaa9005bc51c5aecadf2c */ + * Stub hash: 3ce386bb8ab215ad532826e053b8487fd3fd5582 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_set_time_limit, 0, 1, _IS_BOOL, 0) ZEND_ARG_TYPE_INFO(0, seconds, IS_LONG, 0) diff --git a/ext/standard/tests/password/password_hash_sensitive_parameter.phpt b/ext/standard/tests/password/password_hash_sensitive_parameter.phpt new file mode 100644 index 0000000000000..9b2b364e65a79 --- /dev/null +++ b/ext/standard/tests/password/password_hash_sensitive_parameter.phpt @@ -0,0 +1,24 @@ +--TEST-- +Test that the password parameter is marked sensitive. +--FILE-- + +--EXPECTF-- +ArgumentCountError: password_hash() expects at least 2 arguments, 1 given in %spassword_hash_sensitive_parameter.php:3 +Stack trace: +#0 %spassword_hash_sensitive_parameter.php(3): password_hash(Object(SensitiveParameterValue)) +#1 {main} +ValueError: password_hash(): Argument #2 ($algo) must be a valid password hashing algorithm in%spassword_hash_sensitive_parameter.php:8 +Stack trace: +#0 %spassword_hash_sensitive_parameter.php(8): password_hash(Object(SensitiveParameterValue), 'Invalid') +#1 {main} From ff60f19e9c1db8af9abf70b6bb5118e8e6aea650 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Thu, 27 Jan 2022 12:34:13 +0100 Subject: [PATCH 02/12] Mark parameter in ext/pdo as sensitive --- ext/pdo/pdo.c | 2 +- ext/pdo/pdo_dbh.c | 5 ++++- ext/pdo/pdo_dbh.stub.php | 1 + ext/pdo/pdo_dbh_arginfo.h | 7 ++++++- ext/pdo/php_pdo_int.h | 2 +- ext/pdo/tests/sensitive_parameter.phpt | 17 +++++++++++++++++ 6 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 ext/pdo/tests/sensitive_parameter.phpt diff --git a/ext/pdo/pdo.c b/ext/pdo/pdo.c index f11b983a9a82f..e8738db9f85ad 100644 --- a/ext/pdo/pdo.c +++ b/ext/pdo/pdo.c @@ -252,7 +252,7 @@ PHP_MINIT_FUNCTION(pdo) pdo_exception_ce = register_class_PDOException(spl_ce_RuntimeException); - pdo_dbh_init(); + pdo_dbh_init(module_number); pdo_stmt_init(); return SUCCESS; diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c index 692f187a04df8..6cb767aa712cd 100644 --- a/ext/pdo/pdo_dbh.c +++ b/ext/pdo/pdo_dbh.c @@ -28,6 +28,7 @@ #include "php_pdo.h" #include "php_pdo_driver.h" #include "php_pdo_int.h" +#include "zend_attributes.h" #include "zend_exceptions.h" #include "zend_object_handlers.h" #include "zend_hash.h" @@ -1325,7 +1326,7 @@ static HashTable *dbh_get_gc(zend_object *object, zval **gc_data, int *gc_count) static zend_object_handlers pdo_dbh_object_handlers; static void pdo_dbh_free_storage(zend_object *std); -void pdo_dbh_init(void) +void pdo_dbh_init(int module_number) { pdo_dbh_ce = register_class_PDO(); pdo_dbh_ce->create_object = pdo_dbh_new; @@ -1423,6 +1424,8 @@ void pdo_dbh_init(void) REGISTER_PDO_CLASS_CONST_LONG("CURSOR_FWDONLY", (zend_long)PDO_CURSOR_FWDONLY); REGISTER_PDO_CLASS_CONST_LONG("CURSOR_SCROLL", (zend_long)PDO_CURSOR_SCROLL); + + register_pdo_dbh_symbols(module_number, pdo_dbh_ce); } static void dbh_free(pdo_dbh_t *dbh, bool free_persistent) diff --git a/ext/pdo/pdo_dbh.stub.php b/ext/pdo/pdo_dbh.stub.php index 7ff52c9696a07..571925dbb6e57 100644 --- a/ext/pdo/pdo_dbh.stub.php +++ b/ext/pdo/pdo_dbh.stub.php @@ -5,6 +5,7 @@ /** @not-serializable */ class PDO { + /** @sensitive-param $password */ public function __construct(string $dsn, ?string $username = null, ?string $password = null, ?array $options = null) {} /** @tentative-return-type */ diff --git a/ext/pdo/pdo_dbh_arginfo.h b/ext/pdo/pdo_dbh_arginfo.h index 11d6fac08b577..ce1bbd6b08f25 100644 --- a/ext/pdo/pdo_dbh_arginfo.h +++ b/ext/pdo/pdo_dbh_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 7d10dbdfd55eb4a4dc779cbf4fa000cdf4fb3539 */ + * Stub hash: 5d26f6875ff2704506a9f94b171adbe13aa40483 */ ZEND_BEGIN_ARG_INFO_EX(arginfo_class_PDO___construct, 0, 0, 1) ZEND_ARG_TYPE_INFO(0, dsn, IS_STRING, 0) @@ -95,6 +95,11 @@ static const zend_function_entry class_PDO_methods[] = { ZEND_FE_END }; +static void register_pdo_dbh_symbols(int module_number, zend_class_entry *class_entry_PDO) +{ + zend_mark_function_parameter_as_sensitive(&class_entry_PDO->function_table, "__construct", 2); +} + static zend_class_entry *register_class_PDO(void) { zend_class_entry ce, *class_entry; diff --git a/ext/pdo/php_pdo_int.h b/ext/pdo/php_pdo_int.h index c3d2fe00a1d70..aa83c6603b5aa 100644 --- a/ext/pdo/php_pdo_int.h +++ b/ext/pdo/php_pdo_int.h @@ -25,7 +25,7 @@ extern HashTable pdo_driver_hash; extern zend_class_entry *pdo_exception_ce; int php_pdo_list_entry(void); -void pdo_dbh_init(void); +void pdo_dbh_init(int module_number); void pdo_stmt_init(void); extern zend_object *pdo_dbh_new(zend_class_entry *ce); diff --git a/ext/pdo/tests/sensitive_parameter.phpt b/ext/pdo/tests/sensitive_parameter.phpt new file mode 100644 index 0000000000000..b9cf01baedfc2 --- /dev/null +++ b/ext/pdo/tests/sensitive_parameter.phpt @@ -0,0 +1,17 @@ +--TEST-- +Test that sensitive parameters are marked sensitive. +--EXTENSIONS-- +pdo +--FILE-- + +--EXPECTF-- +PDOException: PDO::__construct(): Argument #1 ($dsn) must be a valid data source name in %s:%d +Stack trace: +#0 %s(%d): PDO->__construct('dsn', 'username', Object(SensitiveParameterValue)) +#1 {main} From 377c79c99c9b042b2351cc1c122d4abc7e5f0bf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:24:43 +0200 Subject: [PATCH 03/12] Mark parameter in ext/hash as sensitive --- ext/hash/hash.c | 3 ++- ext/hash/hash.stub.php | 29 ++++++++++++++++++++----- ext/hash/hash_arginfo.h | 10 ++++++++- ext/hash/tests/sensitive_parameter.phpt | 24 ++++++++++++++++++++ 4 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 ext/hash/tests/sensitive_parameter.phpt diff --git a/ext/hash/hash.c b/ext/hash/hash.c index 9cd52a2fde553..c8b93313d594c 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -26,8 +26,9 @@ #include "ext/standard/php_var.h" #include "ext/spl/spl_exceptions.h" -#include "zend_interfaces.h" +#include "zend_attributes.h" #include "zend_exceptions.h" +#include "zend_interfaces.h" #include "zend_smart_str.h" #include "hash_arginfo.h" diff --git a/ext/hash/hash.stub.php b/ext/hash/hash.stub.php index b18c08be3c1fb..a305983ac9580 100644 --- a/ext/hash/hash.stub.php +++ b/ext/hash/hash.stub.php @@ -14,13 +14,22 @@ function hash(string $algo, string $data, bool $binary = false, array $options = /** @refcount 1 */ function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {} -/** @refcount 1 */ +/** + * @sensitive-param $key + * @refcount 1 + */ function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {} -/** @refcount 1 */ +/** + * @sensitive-param $key + * @refcount 1 + */ function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {} -/** @refcount 1 */ +/** + * @sensitive-param $key + * @refcount 1 + */ function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {} function hash_update(HashContext $context, string $data): bool {} @@ -49,12 +58,22 @@ function hash_algos(): array {} */ function hash_hmac_algos(): array {} -/** @refcount 1 */ +/** + * @sensitive-param $password + * @refcount 1 + */ function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {} +/** + * @sensitive-param $known_string + * @sensitive-param $user_string + */ function hash_equals(string $known_string, string $user_string): bool {} -/** @refcount 1 */ +/** + * @sensitive-param $key + * @refcount 1 + */ function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {} #ifdef PHP_MHASH_BC diff --git a/ext/hash/hash_arginfo.h b/ext/hash/hash_arginfo.h index 80642f96b4efd..e010d7a66251e 100644 --- a/ext/hash/hash_arginfo.h +++ b/ext/hash/hash_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 2c21ea2ab2a1f461c6a59b7c98160dac5d00b339 */ + * Stub hash: fb95b61917a29769f4be4f5d7b5d589a39ae0c4e */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_hash, 0, 2, IS_STRING, 0) ZEND_ARG_TYPE_INFO(0, algo, IS_STRING, 0) @@ -213,6 +213,14 @@ static const zend_function_entry class_HashContext_methods[] = { static void register_hash_symbols(int module_number) { REGISTER_LONG_CONSTANT("HASH_HMAC", PHP_HASH_HMAC, CONST_CS | CONST_PERSISTENT); + + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac_file", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_init", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_pbkdf2", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hkdf", 1); } static zend_class_entry *register_class_HashContext(void) diff --git a/ext/hash/tests/sensitive_parameter.phpt b/ext/hash/tests/sensitive_parameter.phpt new file mode 100644 index 0000000000000..1a5154d11b16a --- /dev/null +++ b/ext/hash/tests/sensitive_parameter.phpt @@ -0,0 +1,24 @@ +--TEST-- +Test that sensitive parameters are marked sensitive. +--FILE-- + +--EXPECTF-- +TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given in %s:%d +Stack trace: +#0 %s(%d): hash_equals(Object(SensitiveParameterValue), Object(SensitiveParameterValue)) +#1 {main} +ValueError: hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm in %s:%d +Stack trace: +#0 %s(%d): hash_hmac('foo', 'bar', Object(SensitiveParameterValue)) +#1 {main} From ac76758aed36910c3672e8a4f4aca0476376ac17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:28:38 +0200 Subject: [PATCH 04/12] Mark parameter in ext/ftp as sensitive --- ext/ftp/ftp.stub.php | 1 + ext/ftp/ftp_arginfo.h | 4 +++- ext/ftp/php_ftp.c | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ext/ftp/ftp.stub.php b/ext/ftp/ftp.stub.php index 70fdd2511909c..eed2e6a2ce073 100644 --- a/ext/ftp/ftp.stub.php +++ b/ext/ftp/ftp.stub.php @@ -75,6 +75,7 @@ function ftp_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\C function ftp_ssl_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\Connection|false {} #endif + /** @sensitive-param $password */ function ftp_login(FTP\Connection $ftp, string $username, string $password): bool {} function ftp_pwd(FTP\Connection $ftp): string|false {} function ftp_cdup(FTP\Connection $ftp): bool {} diff --git a/ext/ftp/ftp_arginfo.h b/ext/ftp/ftp_arginfo.h index 42ebb40475a9d..01c6c94781406 100644 --- a/ext/ftp/ftp_arginfo.h +++ b/ext/ftp/ftp_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: bd80737c67a0c10119f97988e41a08870b1f1af9 */ + * Stub hash: f3728c451a9cd130e9ffdf48389e2f68b4f82423 */ ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_ftp_connect, 0, 1, FTP\\Connection, MAY_BE_FALSE) ZEND_ARG_TYPE_INFO(0, hostname, IS_STRING, 0) @@ -293,6 +293,8 @@ static void register_ftp_symbols(int module_number) REGISTER_LONG_CONSTANT("FTP_FAILED", PHP_FTP_FAILED, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FTP_FINISHED", PHP_FTP_FINISHED, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FTP_MOREDATA", PHP_FTP_MOREDATA, CONST_CS | CONST_PERSISTENT); + + zend_mark_function_parameter_as_sensitive(CG(function_table), "ftp_login", 2); } static zend_class_entry *register_class_FTP_Connection(void) diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c index d8e29444249c1..75d106bc48a69 100644 --- a/ext/ftp/php_ftp.c +++ b/ext/ftp/php_ftp.c @@ -29,6 +29,7 @@ #include "ext/standard/info.h" #include "ext/standard/file.h" +#include "Zend/zend_attributes.h" #include "Zend/zend_exceptions.h" #include "php_ftp.h" From 0b61bd6083ffd82c5528d8083d00531dffe80b23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:30:23 +0200 Subject: [PATCH 05/12] Mark parameter in ext/imap as sensitive --- ext/imap/php_imap.c | 1 + ext/imap/php_imap.stub.php | 1 + ext/imap/php_imap_arginfo.h | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index ce615b08aabee..d0eda05a85c7f 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -34,6 +34,7 @@ #include "php.h" #include "php_ini.h" #include "php_streams.h" +#include "Zend/zend_attributes.h" #include "Zend/zend_exceptions.h" #include "ext/standard/php_string.h" #include "ext/standard/info.h" diff --git a/ext/imap/php_imap.stub.php b/ext/imap/php_imap.stub.php index e13c2b28198e6..5caa94d4433a2 100644 --- a/ext/imap/php_imap.stub.php +++ b/ext/imap/php_imap.stub.php @@ -405,6 +405,7 @@ */ const IMAP_GC_TEXTS = UNKNOWN; + /** @sensitive-param $password */ function imap_open(string $mailbox, string $user, string $password, int $flags = 0, int $retries = 0, array $options = []): IMAP\Connection|false {} function imap_reopen(IMAP\Connection $imap, string $mailbox, int $flags = 0, int $retries = 0): bool {} diff --git a/ext/imap/php_imap_arginfo.h b/ext/imap/php_imap_arginfo.h index 72100be406f12..9836c5aa672b2 100644 --- a/ext/imap/php_imap_arginfo.h +++ b/ext/imap/php_imap_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 1665cea82b6d10538afcaf8c8e339ddb215855b9 */ + * Stub hash: 0f1acb4f23b4c82e58aac65af39ce29029e203e5 */ ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_imap_open, 0, 3, IMAP\\Connection, MAY_BE_FALSE) ZEND_ARG_TYPE_INFO(0, mailbox, IS_STRING, 0) @@ -594,6 +594,8 @@ static void register_php_imap_symbols(int module_number) REGISTER_LONG_CONSTANT("IMAP_GC_ELT", GC_ELT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("IMAP_GC_ENV", GC_ENV, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("IMAP_GC_TEXTS", GC_TEXTS, CONST_CS | CONST_PERSISTENT); + + zend_mark_function_parameter_as_sensitive(CG(function_table), "imap_open", 2); } static zend_class_entry *register_class_IMAP_Connection(void) From 082dcd8ce9816faf5de72f88880d83e027a64c2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:34:03 +0200 Subject: [PATCH 06/12] Mark parameter in ext/ldap as sensitive --- ext/ldap/ldap.c | 1 + ext/ldap/ldap.stub.php | 14 ++++++++++++++ ext/ldap/ldap_arginfo.h | 15 ++++++++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index 1b40c7e433213..b8fb4274215ff 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -28,6 +28,7 @@ #include "php.h" #include "php_ini.h" +#include "Zend/zend_attributes.h" #include diff --git a/ext/ldap/ldap.stub.php b/ext/ldap/ldap.stub.php index ef2bc39e97422..056bab35fb5f6 100644 --- a/ext/ldap/ldap.stub.php +++ b/ext/ldap/ldap.stub.php @@ -610,6 +610,9 @@ #endif #ifdef HAVE_ORALDAP + /** + * @sensitive-param $password + */ function ldap_connect(?string $uri = null, int $port = 389, string $wallet = UNKNOWN, string $password = UNKNOWN, int $auth_mode = GSLC_SSL_NO_AUTH): LDAP\Connection|false {} #else function ldap_connect(?string $uri = null, int $port = 389): LDAP\Connection|false {} @@ -620,11 +623,20 @@ function ldap_unbind(LDAP\Connection $ldap): bool {} /** @alias ldap_unbind */ function ldap_close(LDAP\Connection $ldap): bool {} + /** + * @sensitive-param $password + */ function ldap_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null): bool {} + /** + * @sensitive-param $password + */ function ldap_bind_ext(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?array $controls = null): LDAP\Result|false {} #ifdef HAVE_LDAP_SASL + /** + * @sensitive-param $password + */ function ldap_sasl_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {} #endif @@ -779,6 +791,8 @@ function ldap_exop(LDAP\Connection $ldap, string $request_oid, ?string $request_ #ifdef HAVE_LDAP_PASSWD /** * @param array $controls + * @sensitive-param $old_password + * @sensitive-param $new_password */ function ldap_exop_passwd(LDAP\Connection $ldap, string $user = "", string $old_password = "", string $new_password = "", &$controls = null): string|bool {} #endif diff --git a/ext/ldap/ldap_arginfo.h b/ext/ldap/ldap_arginfo.h index 965d79a0fa559..96cc5fde32dbc 100644 --- a/ext/ldap/ldap_arginfo.h +++ b/ext/ldap/ldap_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 6a3bdee5c77294d583d385a03b01713edb0923d8 */ + * Stub hash: 67b3287b7dfa9beec9d9981214de8099f8224fe2 */ #if defined(HAVE_ORALDAP) ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_ldap_connect, 0, 0, LDAP\\Connection, MAY_BE_FALSE) @@ -829,6 +829,19 @@ static void register_ldap_symbols(int module_number) #if defined(LDAP_CONTROL_VLVREQUEST) REGISTER_STRING_CONSTANT("LDAP_CONTROL_VLVRESPONSE", LDAP_CONTROL_VLVRESPONSE, CONST_CS | CONST_PERSISTENT); #endif + +#if defined(HAVE_ORALDAP) + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_connect", 3); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_bind", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_bind_ext", 2); +#if defined(HAVE_LDAP_SASL) + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_sasl_bind", 2); +#endif +#if defined(HAVE_LDAP_PASSWD) + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_exop_passwd", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "ldap_exop_passwd", 3); +#endif } static zend_class_entry *register_class_LDAP_Connection(void) From eaeccb47b8e585f6d4ff136cee316cd6f48190bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:41:59 +0200 Subject: [PATCH 07/12] Mark parameter in ext/mysqli as sensitive --- ext/mysqli/mysqli.c | 1 + ext/mysqli/mysqli.stub.php | 10 +++++++++- ext/mysqli/mysqli_arginfo.h | 8 +++++++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c index 997860679d06f..23129651aeee1 100644 --- a/ext/mysqli/mysqli.c +++ b/ext/mysqli/mysqli.c @@ -29,6 +29,7 @@ #include "php_mysqli.h" #include "php_mysqli_structs.h" #include "mysqli_priv.h" +#include "zend_attributes.h" #include "zend_exceptions.h" #include "ext/spl/spl_exceptions.h" #include "zend_interfaces.h" diff --git a/ext/mysqli/mysqli.stub.php b/ext/mysqli/mysqli.stub.php index db0e3f0f8d8a3..fe86c8478f223 100644 --- a/ext/mysqli/mysqli.stub.php +++ b/ext/mysqli/mysqli.stub.php @@ -149,6 +149,7 @@ public function autocommit(bool $enable): bool {} public function begin_transaction(int $flags = 0, ?string $name = null): bool {} /** + * @sensitive-param $password * @tentative-return-type * @alias mysqli_change_user */ @@ -174,6 +175,7 @@ public function close() {} // TODO make return type void public function commit(int $flags = 0, ?string $name = null): bool {} /** + * @sensitive-param $password * @tentative-return-type * @alias mysqli_connect * @no-verify @@ -287,6 +289,7 @@ public function prepare(string $query): mysqli_stmt|false {} public function query(string $query, int $result_mode = MYSQLI_STORE_RESULT): mysqli_result|bool {} /** + * @sensitive-param $password * @tentative-return-type * @alias mysqli_real_connect */ @@ -740,6 +743,7 @@ function mysqli_autocommit(mysqli $mysql, bool $enable): bool {} function mysqli_begin_transaction(mysqli $mysql, int $flags = 0, ?string $name = null): bool {} +/** @sensitive-param $password */ function mysqli_change_user(mysqli $mysql, string $username, string $password, ?string $database): bool {} /** @refcount 1 */ @@ -750,7 +754,10 @@ function mysqli_close(mysqli $mysql): bool {} // TODO make return type void function mysqli_commit(mysqli $mysql, int $flags = 0, ?string $name = null): bool {} -/** @refcount 1 */ +/** + * @refcount 1 + * @sensitive-param $password + */ function mysqli_connect( ?string $hostname = null, ?string $username = null, @@ -925,6 +932,7 @@ function mysqli_report(int $flags): bool {} /** @refcount 1 */ function mysqli_query(mysqli $mysql, string $query, int $result_mode = MYSQLI_STORE_RESULT): mysqli_result|bool {} +/** @sensitive-param $password */ function mysqli_real_connect( mysqli $mysql, ?string $hostname = null, diff --git a/ext/mysqli/mysqli_arginfo.h b/ext/mysqli/mysqli_arginfo.h index 2542754fcbfa1..9f6f22197c404 100644 --- a/ext/mysqli/mysqli_arginfo.h +++ b/ext/mysqli/mysqli_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 794efd97f6eac5e755bed2eb6219173a1ee45321 */ + * Stub hash: db2ec0349b8b40e9352569e08cb4a3bd253f0255 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_mysqli_affected_rows, 0, 1, MAY_BE_LONG|MAY_BE_STRING) ZEND_ARG_OBJ_INFO(0, mysql, mysqli, 0) @@ -1027,7 +1027,13 @@ static const zend_function_entry class_mysqli_sql_exception_methods[] = { static void register_mysqli_symbols(int module_number, zend_class_entry *class_entry_mysqli) { + zend_mark_function_parameter_as_sensitive(CG(function_table), "mysqli_change_user", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "mysqli_connect", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "mysqli_real_connect", 3); zend_mark_function_parameter_as_sensitive(&class_entry_mysqli->function_table, "__construct", 2); + zend_mark_function_parameter_as_sensitive(&class_entry_mysqli->function_table, "change_user", 1); + zend_mark_function_parameter_as_sensitive(&class_entry_mysqli->function_table, "connect", 2); + zend_mark_function_parameter_as_sensitive(&class_entry_mysqli->function_table, "real_connect", 2); } static zend_class_entry *register_class_mysqli_driver(void) From 4c85201c4c099178726c9e54e17b0f0f1e815bc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:47:46 +0200 Subject: [PATCH 08/12] Mark parameter in ext/oci8 as sensitive --- ext/oci8/oci8.c | 3 +++ ext/oci8/oci8.stub.php | 14 ++++++++++++-- ext/oci8/oci8_arginfo.h | 12 +++++++++++- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c index f75a3a89187c7..9b5a41832c6cc 100644 --- a/ext/oci8/oci8.c +++ b/ext/oci8/oci8.c @@ -31,6 +31,7 @@ #include "php.h" #include "ext/standard/info.h" #include "php_ini.h" +#include "zend_attributes.h" #include "zend_smart_str.h" #ifdef HAVE_OCI8 @@ -385,6 +386,8 @@ PHP_MINIT_FUNCTION(oci) REGISTER_LONG_CONSTANT("OCI_FO_RETRY", OCI_FO_RETRY, CONST_CS | CONST_PERSISTENT); + register_oci8_symbols(module_number); + return SUCCESS; } diff --git a/ext/oci8/oci8.stub.php b/ext/oci8/oci8.stub.php index efedc3eb9063c..1cdb076988e9f 100644 --- a/ext/oci8/oci8.stub.php +++ b/ext/oci8/oci8.stub.php @@ -294,10 +294,14 @@ function oci_close($connection): ?bool {} */ function ocilogoff($connection): ?bool {} -/** @return resource|false */ +/** + * @sensitive-param $password + * @return resource|false + */ function oci_new_connect(string $username, string $password, ?string $connection_string = null, string $encoding = "", int $session_mode = OCI_DEFAULT) {} /** + * @sensitive-param $password * @return resource|false * @alias oci_new_connect * @deprecated @@ -305,21 +309,27 @@ function oci_new_connect(string $username, string $password, ?string $connection function ocinlogon(string $username, string $password, ?string $connection_string = null, string $encoding = "", int $session_mode = OCI_DEFAULT) {} /** + * @sensitive-param $password * @return resource|false */ function oci_connect(string $username, string $password, ?string $connection_string = null, string $encoding = "", int $session_mode = OCI_DEFAULT) {} /** + * @sensitive-param $password * @return resource|false * @alias oci_connect * @deprecated */ function ocilogon(string $username, string $password, ?string $connection_string = null, string $encoding = "", int $session_mode = OCI_DEFAULT) {} -/** @return resource|false */ +/** + * @sensitive-param $password + * @return resource|false + */ function oci_pconnect(string $username, string $password, ?string $connection_string = null, string $encoding = "", int $session_mode = OCI_DEFAULT) {} /** + * @sensitive-param $password * @return resource|false * @alias oci_pconnect * @deprecated diff --git a/ext/oci8/oci8_arginfo.h b/ext/oci8/oci8_arginfo.h index b6916e49c37c5..78bf7cf3756fd 100644 --- a/ext/oci8/oci8_arginfo.h +++ b/ext/oci8/oci8_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 9db587b5d431b9dfe7178fd843ae8907db737a04 */ + * Stub hash: db170b61403c53d4d420d0095031944f3d036508 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_oci_define_by_name, 0, 3, _IS_BOOL, 0) ZEND_ARG_INFO(0, statement) @@ -799,6 +799,16 @@ static const zend_function_entry class_OCICollection_methods[] = { ZEND_FE_END }; +static void register_oci8_symbols(int module_number) +{ + zend_mark_function_parameter_as_sensitive(CG(function_table), "oci_new_connect", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "ocinlogon", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "oci_connect", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "ocilogon", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "oci_pconnect", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "ociplogon", 1); +} + static zend_class_entry *register_class_OCILob(void) { zend_class_entry ce, *class_entry; From 3007bde5aa6a2fa8ff6dc72eb18e890b6fbb10f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 14:49:36 +0200 Subject: [PATCH 09/12] Mark parameter in ext/odbc as sensitive --- ext/odbc/odbc.stub.php | 10 ++++++++-- ext/odbc/odbc_arginfo.h | 8 +++++++- ext/odbc/php_odbc.c | 3 +++ 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/ext/odbc/odbc.stub.php b/ext/odbc/odbc.stub.php index 077a4c0ff5dcc..5aafe587f3a31 100644 --- a/ext/odbc/odbc.stub.php +++ b/ext/odbc/odbc.stub.php @@ -69,10 +69,16 @@ function odbc_result_all($statement, string $format = ""): int|false {} /** @param resource $statement */ function odbc_free_result($statement): bool {} -/** @return resource|false */ +/** + * @sensitive-param $password + * @return resource|false + */ function odbc_connect(string $dsn, string $user, string $password, int $cursor_option = SQL_CUR_USE_DRIVER) {} -/** @return resource|false */ +/** + * @sensitive-param $password + * @return resource|false + */ function odbc_pconnect(string $dsn, string $user, string $password, int $cursor_option = SQL_CUR_USE_DRIVER) {} /** @param resource $odbc */ diff --git a/ext/odbc/odbc_arginfo.h b/ext/odbc/odbc_arginfo.h index 0786eb5231a28..d1d85debba5b6 100644 --- a/ext/odbc/odbc_arginfo.h +++ b/ext/odbc/odbc_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 298e48377c2d18c532d91a9ed97886b49a64c096 */ + * Stub hash: 66b702c6f84c0ae63c8aa53c8a667324a71651a0 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_odbc_close_all, 0, 0, IS_VOID, 0) ZEND_END_ARG_INFO() @@ -391,3 +391,9 @@ static const zend_function_entry ext_functions[] = { ZEND_FE(odbc_connection_string_quote, arginfo_odbc_connection_string_quote) ZEND_FE_END }; + +static void register_odbc_symbols(int module_number) +{ + zend_mark_function_parameter_as_sensitive(CG(function_table), "odbc_connect", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "odbc_pconnect", 2); +} diff --git a/ext/odbc/php_odbc.c b/ext/odbc/php_odbc.c index b829ff2ae51f2..8833de7783795 100644 --- a/ext/odbc/php_odbc.c +++ b/ext/odbc/php_odbc.c @@ -24,6 +24,7 @@ #include "php.h" #include "php_globals.h" +#include "zend_attributes.h" #include "ext/standard/info.h" #include "ext/standard/php_string.h" @@ -483,6 +484,8 @@ PHP_MINIT_FUNCTION(odbc) putenv("DB2NOEXITLIST=TRUE"); #endif + register_odbc_symbols(module_number); + return SUCCESS; } /* }}} */ From dcadf4b8f176b7cb7db75711b9e95ceb91a83266 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 15:04:18 +0200 Subject: [PATCH 10/12] Mark parameter in ext/openssl as sensitive --- ext/openssl/openssl.c | 3 ++ ext/openssl/openssl.stub.php | 85 ++++++++++++++++++++++++++++++----- ext/openssl/openssl_arginfo.h | 45 ++++++++++++++++++- 3 files changed, 121 insertions(+), 12 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 80425a95d9d7e..dd9a891ed8f51 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -27,6 +27,7 @@ #include "php.h" #include "php_ini.h" #include "php_openssl.h" +#include "zend_attributes.h" #include "zend_exceptions.h" /* PHP Includes */ @@ -1392,6 +1393,8 @@ PHP_MINIT_FUNCTION(openssl) REGISTER_INI_ENTRIES(); + register_openssl_symbols(module_number); + return SUCCESS; } /* }}} */ diff --git a/ext/openssl/openssl.stub.php b/ext/openssl/openssl.stub.php index 316df87893b08..4a4f2674a46b9 100644 --- a/ext/openssl/openssl.stub.php +++ b/ext/openssl/openssl.stub.php @@ -33,7 +33,10 @@ function openssl_x509_export(OpenSSLCertificate|string $certificate, &$output, b function openssl_x509_fingerprint(OpenSSLCertificate|string $certificate, string $digest_algo = "sha1", bool $binary = false): string|false {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + */ function openssl_x509_check_private_key(OpenSSLCertificate|string $certificate, $private_key): bool {} /** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key */ @@ -52,16 +55,25 @@ function openssl_x509_read(OpenSSLCertificate|string $certificate): OpenSSLCerti /** @deprecated */ function openssl_x509_free(OpenSSLCertificate $certificate): void {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + * @sensitive-param $passphrase + */ function openssl_pkcs12_export_to_file(OpenSSLCertificate|string $certificate, string $output_filename, $private_key, string $passphrase, array $options = []): bool {} /** * @param string $output * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + * @sensitive-param $passphrase */ function openssl_pkcs12_export(OpenSSLCertificate|string $certificate, &$output, $private_key, string $passphrase, array $options = []): bool {} -/** @param array $certificates */ +/** + * @param array $certificates + * @sensitive-param $passphrase + */ function openssl_pkcs12_read(string $pkcs12, &$certificates, string $passphrase): bool {} function openssl_csr_export_to_file(OpenSSLCertificateSigningRequest|string $csr, string $output_filename, bool $no_text = true): bool {} @@ -69,10 +81,16 @@ function openssl_csr_export_to_file(OpenSSLCertificateSigningRequest|string $csr /** @param string $output */ function openssl_csr_export(OpenSSLCertificateSigningRequest|string $csr, &$output, bool $no_text = true): bool {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + */ function openssl_csr_sign(OpenSSLCertificateSigningRequest|string $csr, OpenSSLCertificate|string|null $ca_certificate, $private_key, int $days, ?array $options = null, int $serial = 0): OpenSSLCertificate|false {} -/** @param OpenSSLAsymmetricKey $private_key */ +/** + * @param OpenSSLAsymmetricKey $private_key + * @sensitive-param $private_key + */ function openssl_csr_new(array $distinguished_names, &$private_key, ?array $options = null, ?array $extra_attributes = null): OpenSSLCertificateSigningRequest|false {} /** @@ -85,12 +103,18 @@ function openssl_csr_get_public_key(OpenSSLCertificateSigningRequest|string $csr function openssl_pkey_new(?array $options = null): OpenSSLAsymmetricKey|false {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key + * @sensitive-param $key + * @sensitive-param $passphrase + */ function openssl_pkey_export_to_file($key, string $output_filename, ?string $passphrase = null, ?array $options = null): bool {} /** * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key * @param string $output + * @sensitive-param $key + * @sensitive-param $passphrase */ function openssl_pkey_export($key, &$output, ?string $passphrase = null, ?array $options = null): bool {} @@ -103,7 +127,9 @@ function openssl_pkey_get_public($public_key): OpenSSLAsymmetricKey|false {} */ function openssl_get_publickey($public_key): OpenSSLAsymmetricKey|false {} -/** @deprecated */ +/** + * @deprecated + */ function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {} /** @@ -112,11 +138,17 @@ function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {} */ function openssl_free_key(OpenSSLAsymmetricKey $key): void {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + * @sensitive-param $passphrase + */ function openssl_pkey_get_private($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {} /** * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + * @sensitive-param $passphrase * @alias openssl_pkey_get_private */ function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {} @@ -127,6 +159,7 @@ function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenS */ function openssl_pkey_get_details(OpenSSLAsymmetricKey $key): array|false {} +/** @sensitive-param $password */ function openssl_pbkdf2(string $password, string $salt, int $key_length, int $iterations, string $digest_algo = "sha1"): string|false {} function openssl_pkcs7_verify(string $input_filename, int $flags, ?string $signers_certificates_filename = null, array $ca_info = [], ?string $untrusted_certificates_filename = null, ?string $content = null, ?string $output_filename = null): bool|int {} @@ -134,12 +167,17 @@ function openssl_pkcs7_verify(string $input_filename, int $flags, ?string $signe /** @param OpenSSLCertificate|array|string $certificate */ function openssl_pkcs7_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + */ function openssl_pkcs7_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = PKCS7_DETACHED, ?string $untrusted_certificates_filename = null): bool {} /** * @param OpenSSLCertificate|string $certificate * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key + * @sensitive-param $certificate + * @sensitive-param $private_key */ function openssl_pkcs7_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null): bool {} @@ -151,12 +189,17 @@ function openssl_cms_verify(string $input_filename, int $flags = 0, ?string $cer /** @param OpenSSLCertificate|array|string $certificate */ function openssl_cms_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {} -/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */ +/** + * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key + */ function openssl_cms_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, ?string $untrusted_certificates_filename = null): bool {} /** * @param OpenSSLCertificate|string $certificate * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key + * @sensitive-param $certificate + * @sensitive-param $private_key */ function openssl_cms_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null, int $encoding = OPENSSL_ENCODING_SMIME): bool {} @@ -166,24 +209,30 @@ function openssl_cms_read(string $input_filename, &$certificates): bool {} /** * @param string $encrypted_data * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $data + * @sensitive-param $private_key */ function openssl_private_encrypt(string $data, &$encrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {} /** * @param string $decrypted_data * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $decrypted_data + * @sensitive-param $private_key */ function openssl_private_decrypt(string $data, &$decrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {} /** * @param string $encrypted_data * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key + * @sensitive-param $data */ function openssl_public_encrypt(string $data, &$encrypted_data, $public_key, int $padding = OPENSSL_PKCS1_PADDING): bool {} /** * @param string $decrypted_data * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key + * @sensitive-param $decrypted_data */ function openssl_public_decrypt(string $data, &$decrypted_data, $public_key, int $padding = OPENSSL_PKCS1_PADDING): bool {} @@ -192,6 +241,7 @@ function openssl_error_string(): string|false {} /** * @param string $signature * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key */ function openssl_sign(string $data, &$signature, $private_key, string|int $algorithm = OPENSSL_ALGO_SHA1): bool {} @@ -202,12 +252,15 @@ function openssl_verify(string $data, string $signature, $public_key, string|int * @param string $sealed_data * @param array $encrypted_keys * @param string $iv + * @sensitive-param $data */ function openssl_seal(string $data, &$sealed_data, &$encrypted_keys, array $public_key, string $cipher_algo, &$iv = null): int|false {} /** * @param string $output * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $output + * @sensitive-param $private_key */ function openssl_open(string $data, &$output, string $encrypted_key, $private_key, string $cipher_algo, ?string $iv = null): bool {} @@ -233,24 +286,34 @@ function openssl_get_curve_names(): array|false {} function openssl_digest(string $data, string $digest_algo, bool $binary = false): string|false {} -/** @param string $tag */ +/** + * @param string $tag + * @sensitive-param $data + * @sensitive-param $passphrase + */ function openssl_encrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", &$tag = null, string $aad = "", int $tag_length = 16): string|false {} +/** + * @sensitive-param $passphrase + */ function openssl_decrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", ?string $tag = null, string $aad = ""): string|false {} function openssl_cipher_iv_length(string $cipher_algo): int|false {} +/** @sensitive-param $private_key */ function openssl_dh_compute_key(string $public_key, OpenSSLAsymmetricKey $private_key): string|false {} /** * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key + * @sensitive-param $private_key */ function openssl_pkey_derive($public_key, $private_key, int $key_length = 0): string|false {} /** @param bool $strong_result */ function openssl_random_pseudo_bytes(int $length, &$strong_result = null): string {} +/** @sensitive-param $private_key */ function openssl_spki_new(OpenSSLAsymmetricKey $private_key, string $challenge, int $digest_algo = OPENSSL_ALGO_MD5): string|false {} function openssl_spki_verify(string $spki): bool {} diff --git a/ext/openssl/openssl_arginfo.h b/ext/openssl/openssl_arginfo.h index 9ed898b28a607..4137a793a7fb4 100644 --- a/ext/openssl/openssl_arginfo.h +++ b/ext/openssl/openssl_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: b820bb89ed3a0612473de268b057663ee237f876 */ + * Stub hash: 9e75d730683f247a5787fe7d493039b7e4fa4399 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0) ZEND_ARG_OBJ_TYPE_MASK(0, certificate, OpenSSLCertificate, MAY_BE_STRING, NULL) @@ -534,6 +534,49 @@ static const zend_function_entry class_OpenSSLAsymmetricKey_methods[] = { ZEND_FE_END }; +static void register_openssl_symbols(int module_number) +{ + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_x509_check_private_key", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export_to_file", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export_to_file", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_read", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_csr_sign", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_csr_new", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export_to_file", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export_to_file", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_get_private", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_get_private", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_get_privatekey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_get_privatekey", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pbkdf2", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs7_sign", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs7_decrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs7_decrypt", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_cms_sign", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_cms_decrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_cms_decrypt", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_encrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_decrypt", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_decrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_public_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_public_decrypt", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_sign", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_seal", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_open", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_open", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_encrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_decrypt", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_dh_compute_key", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_derive", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_spki_new", 0); +} + static zend_class_entry *register_class_OpenSSLCertificate(void) { zend_class_entry ce, *class_entry; From 39ff32cc0076854e63a0aa10b6c3a4f6fcba342c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 17:11:47 +0200 Subject: [PATCH 11/12] Mark parameter in ext/sodium as sensitive --- ext/sodium/libsodium.c | 3 + ext/sodium/libsodium.stub.php | 114 +++++++++++++++++++++++++++++-- ext/sodium/libsodium_arginfo.h | 119 ++++++++++++++++++++++++++++++++- 3 files changed, 230 insertions(+), 6 deletions(-) diff --git a/ext/sodium/libsodium.c b/ext/sodium/libsodium.c index edd807cbe9864..e00ae491543fe 100644 --- a/ext/sodium/libsodium.c +++ b/ext/sodium/libsodium.c @@ -22,6 +22,7 @@ #include "php_ini.h" #include "ext/standard/info.h" #include "php_libsodium.h" +#include "zend_attributes.h" #include "zend_exceptions.h" #include @@ -386,6 +387,8 @@ PHP_MINIT_FUNCTION(sodium) } #endif + register_libsodium_symbols(module_number); + return SUCCESS; } diff --git a/ext/sodium/libsodium.stub.php b/ext/sodium/libsodium.stub.php index 55d3e0a5161bc..9a62357f582ca 100644 --- a/ext/sodium/libsodium.stub.php +++ b/ext/sodium/libsodium.stub.php @@ -5,57 +5,91 @@ function sodium_crypto_aead_aes256gcm_is_available(): bool {} #ifdef HAVE_AESGCM +/** @sensitive-param $key */ function sodium_crypto_aead_aes256gcm_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_aead_aes256gcm_encrypt(string $message, string $additional_data, string $nonce, string $key): string {} function sodium_crypto_aead_aes256gcm_keygen(): string {} #endif +/** @sensitive-param $key */ function sodium_crypto_aead_chacha20poly1305_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_aead_chacha20poly1305_encrypt(string $message, string $additional_data, string $nonce, string $key): string {} function sodium_crypto_aead_chacha20poly1305_keygen(): string {} +/** @sensitive-param $key */ function sodium_crypto_aead_chacha20poly1305_ietf_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_aead_chacha20poly1305_ietf_encrypt(string $message, string $additional_data, string $nonce, string $key): string {} function sodium_crypto_aead_chacha20poly1305_ietf_keygen(): string {} #ifdef crypto_aead_xchacha20poly1305_IETF_NPUBBYTES +/** @sensitive-param $key */ function sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {} function sodium_crypto_aead_xchacha20poly1305_ietf_keygen(): string {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(string $message, string $additional_data, string $nonce, string $key): string {} #endif +/** @sensitive-param $key */ function sodium_crypto_auth(string $message, string $key): string {} function sodium_crypto_auth_keygen(): string {} +/** @sensitive-param $key */ function sodium_crypto_auth_verify(string $mac, string $message, string $key): bool {} +/** + * @sensitive-param $message + * @sensitive-param $key_pair + */ function sodium_crypto_box(string $message, string $nonce, string $key_pair): string {} function sodium_crypto_box_keypair(): string {} +/** @sensitive-param $seed */ function sodium_crypto_box_seed_keypair(string $seed): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_box_keypair_from_secretkey_and_publickey(string $secret_key, string $public_key): string {} +/** @sensitive-param $key_pair */ function sodium_crypto_box_open(string $ciphertext, string $nonce, string $key_pair): string|false {} +/** @sensitive-param $key_pair */ function sodium_crypto_box_publickey(string $key_pair): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_box_publickey_from_secretkey(string $secret_key): string {} +/** @sensitive-param $message */ function sodium_crypto_box_seal(string $message, string $public_key): string {} +/** @sensitive-param $key_pair */ function sodium_crypto_box_seal_open(string $ciphertext, string $key_pair): string|false {} +/** @sensitive-param $key_pair */ function sodium_crypto_box_secretkey(string $key_pair): string {} #ifdef crypto_core_ristretto255_HASHBYTES @@ -88,22 +122,34 @@ function sodium_crypto_core_ristretto255_sub(string $p, string $q): string {} function sodium_crypto_kx_keypair(): string {} +/** @sensitive-param $key_pair */ function sodium_crypto_kx_publickey(string $key_pair): string {} +/** @sensitive-param $key_pair */ function sodium_crypto_kx_secretkey(string $key_pair): string {} +/** @sensitive-param $seed */ function sodium_crypto_kx_seed_keypair(string $seed): string {} -/** @return array */ +/** + * @sensitive-param $client_key_pair + * @return array + */ function sodium_crypto_kx_client_session_keys(string $client_key_pair, string $server_key): array {} -/** @return array */ +/** + * @sensitive-param $server_key_pair + * @return array + * + */ function sodium_crypto_kx_server_session_keys(string $server_key_pair, string $client_key): array {} +/** @sensitive-param $key */ function sodium_crypto_generichash(string $message, string $key = "", int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {} function sodium_crypto_generichash_keygen(): string {} +/** @sensitive-param $key */ function sodium_crypto_generichash_init(string $key = "", int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {} /** @return true */ @@ -111,15 +157,19 @@ function sodium_crypto_generichash_update(string &$state, string $message): bool function sodium_crypto_generichash_final(string &$state, int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {} +/** @sensitive-param $key */ function sodium_crypto_kdf_derive_from_key(int $subkey_length, int $subkey_id, string $context, string $key): string {} function sodium_crypto_kdf_keygen(): string {} #ifdef crypto_pwhash_SALTBYTES +/** @sensitive-param $password */ function sodium_crypto_pwhash(int $length, string $password, string $salt, int $opslimit, int $memlimit, int $algo = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT): string {} +/** @sensitive-param $password */ function sodium_crypto_pwhash_str(string $password, int $opslimit, int $memlimit): string {} +/** @sensitive-param $password */ function sodium_crypto_pwhash_str_verify(string $hash, string $password): bool {} #endif @@ -128,10 +178,13 @@ function sodium_crypto_pwhash_str_needs_rehash(string $password, int $opslimit, #endif #ifdef crypto_pwhash_scryptsalsa208sha256_SALTBYTES +/** @sensitive-param $password */ function sodium_crypto_pwhash_scryptsalsa208sha256(int $length, string $password, string $salt, int $opslimit, int $memlimit): string {} +/** @sensitive-param $password */ function sodium_crypto_pwhash_scryptsalsa208sha256_str(string $password, int $opslimit, int $memlimit): string {} +/** @sensitive-param $password */ function sodium_crypto_pwhash_scryptsalsa208sha256_str_verify(string $hash, string $password): bool {} #endif @@ -143,20 +196,32 @@ function sodium_crypto_scalarmult_ristretto255(string $n, string $p): string {} function sodium_crypto_scalarmult_ristretto255_base(string $n): string {} #endif +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_secretbox(string $message, string $nonce, string $key): string {} function sodium_crypto_secretbox_keygen(): string {} +/** + * @sensitive-param $key + */ function sodium_crypto_secretbox_open(string $ciphertext, string $nonce, string $key): string|false {} #ifdef crypto_secretstream_xchacha20poly1305_ABYTES function sodium_crypto_secretstream_xchacha20poly1305_keygen(): string {} -/** @return array */ +/** + * @sensitive-param $key + * @return array + */ function sodium_crypto_secretstream_xchacha20poly1305_init_push(string $key): array {} +/** @sensitive-param $message */ function sodium_crypto_secretstream_xchacha20poly1305_push(string &$state, string $message, string $additional_data = "", int $tag = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE): string {} +/** @sensitive-param $key */ function sodium_crypto_secretstream_xchacha20poly1305_init_pull(string $header, string $key): string {} /** @return array|false */ @@ -165,75 +230,116 @@ function sodium_crypto_secretstream_xchacha20poly1305_pull(string &$state, strin function sodium_crypto_secretstream_xchacha20poly1305_rekey(string &$state): void {} #endif +/** @sensitive-param $key */ function sodium_crypto_shorthash(string $message, string $key): string {} function sodium_crypto_shorthash_keygen(): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_sign(string $message, string $secret_key): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_sign_detached(string $message, string $secret_key): string {} function sodium_crypto_sign_ed25519_pk_to_curve25519(string $public_key): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_sign_ed25519_sk_to_curve25519(string $secret_key): string {} function sodium_crypto_sign_keypair(): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_sign_keypair_from_secretkey_and_publickey(string $secret_key, string $public_key): string {} function sodium_crypto_sign_open(string $signed_message, string $public_key): string|false {} +/** @sensitive-param $key_pair */ function sodium_crypto_sign_publickey(string $key_pair): string {} +/** @sensitive-param $key_pair */ function sodium_crypto_sign_secretkey(string $key_pair): string {} +/** @sensitive-param $secret_key */ function sodium_crypto_sign_publickey_from_secretkey(string $secret_key): string {} +/** @sensitive-param $seed */ function sodium_crypto_sign_seed_keypair(string $seed): string {} function sodium_crypto_sign_verify_detached(string $signature, string $message, string $public_key): bool {} +/** @sensitive-param $key */ function sodium_crypto_stream(int $length, string $nonce, string $key): string {} function sodium_crypto_stream_keygen(): string {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_stream_xor(string $message, string $nonce, string $key): string {} #if defined(crypto_stream_xchacha20_KEYBYTES) +/** @sensitive-param $key */ function sodium_crypto_stream_xchacha20(int $length, string $nonce, string $key): string {} function sodium_crypto_stream_xchacha20_keygen(): string {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_stream_xchacha20_xor(string $message, string $nonce, string $key): string {} +/** + * @sensitive-param $message + * @sensitive-param $key + */ function sodium_crypto_stream_xchacha20_xor_ic(string $message, string $nonce, int $counter, string $key): string {} #endif function sodium_add(string &$string1, string $string2): void {} +/** + * @sensitive-param $string1 + * @sensitive-param $string2 + */ function sodium_compare(string $string1, string $string2): int {} function sodium_increment(string &$string): void {} +/** + * @sensitive-param $string1 + * @sensitive-param $string2 + */ function sodium_memcmp(string $string1, string $string2): int {} +/** @sensitive-param $string */ function sodium_memzero(string &$string): void {} +/** @sensitive-param $string */ function sodium_pad(string $string, int $block_size): string {} +/** @sensitive-param $string */ function sodium_unpad(string $string, int $block_size): string {} +/** @sensitive-param $string */ function sodium_bin2hex(string $string): string {} +/** @sensitive-param $string */ function sodium_hex2bin(string $string, string $ignore = ""): string {} #ifdef sodium_base64_VARIANT_ORIGINAL +/** @sensitive-param $string */ function sodium_bin2base64(string $string, int $id): string {} +/** @sensitive-param $string */ function sodium_base642bin(string $string, int $id, string $ignore = ""): string {} #endif -/** @alias sodium_crypto_box_publickey_from_secretkey */ +/** + * @sensitive-param $secret_key + * @alias sodium_crypto_box_publickey_from_secretkey + */ function sodium_crypto_scalarmult_base(string $secret_key): string {} class SodiumException extends Exception {} diff --git a/ext/sodium/libsodium_arginfo.h b/ext/sodium/libsodium_arginfo.h index a7351c9bef165..4031470b61c1c 100644 --- a/ext/sodium/libsodium_arginfo.h +++ b/ext/sodium/libsodium_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 7ccd5115d292690c0cfcfeeb2ff5adf7ac7a616a */ + * Stub hash: d751b690703cb449e249d693d177cdb94087ce82 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_sodium_crypto_aead_aes256gcm_is_available, 0, 0, _IS_BOOL, 0) ZEND_END_ARG_INFO() @@ -470,7 +470,9 @@ ZEND_END_ARG_INFO() #define arginfo_sodium_memcmp arginfo_sodium_compare -#define arginfo_sodium_memzero arginfo_sodium_increment +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_sodium_memzero, 0, 1, IS_VOID, 0) + ZEND_ARG_TYPE_INFO(1, string, IS_STRING, 0) +ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_sodium_pad, 0, 2, IS_STRING, 0) ZEND_ARG_TYPE_INFO(0, string, IS_STRING, 0) @@ -884,6 +886,119 @@ static const zend_function_entry class_SodiumException_methods[] = { ZEND_FE_END }; +static void register_libsodium_symbols(int module_number) +{ +#if defined(HAVE_AESGCM) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_aes256gcm_decrypt", 3); +#endif +#if defined(HAVE_AESGCM) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_aes256gcm_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_aes256gcm_encrypt", 3); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_decrypt", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_encrypt", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_ietf_decrypt", 3); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_ietf_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_chacha20poly1305_ietf_encrypt", 3); +#if defined(crypto_aead_xchacha20poly1305_IETF_NPUBBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_xchacha20poly1305_ietf_decrypt", 3); +#endif +#if defined(crypto_aead_xchacha20poly1305_IETF_NPUBBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_xchacha20poly1305_ietf_encrypt", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_aead_xchacha20poly1305_ietf_encrypt", 3); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_auth", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_auth_verify", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_seed_keypair", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_keypair_from_secretkey_and_publickey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_open", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_publickey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_publickey_from_secretkey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_seal", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_seal_open", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_box_secretkey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kx_publickey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kx_secretkey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kx_seed_keypair", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kx_client_session_keys", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kx_server_session_keys", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_generichash", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_generichash_init", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_kdf_derive_from_key", 3); +#if defined(crypto_pwhash_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash", 1); +#endif +#if defined(crypto_pwhash_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash_str", 0); +#endif +#if defined(crypto_pwhash_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash_str_verify", 1); +#endif +#if defined(crypto_pwhash_scryptsalsa208sha256_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash_scryptsalsa208sha256", 1); +#endif +#if defined(crypto_pwhash_scryptsalsa208sha256_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash_scryptsalsa208sha256_str", 0); +#endif +#if defined(crypto_pwhash_scryptsalsa208sha256_SALTBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_pwhash_scryptsalsa208sha256_str_verify", 1); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretbox", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretbox", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretbox_open", 2); +#if defined(crypto_secretstream_xchacha20poly1305_ABYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretstream_xchacha20poly1305_init_push", 0); +#endif +#if defined(crypto_secretstream_xchacha20poly1305_ABYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretstream_xchacha20poly1305_push", 1); +#endif +#if defined(crypto_secretstream_xchacha20poly1305_ABYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_secretstream_xchacha20poly1305_init_pull", 1); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_shorthash", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_detached", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_ed25519_sk_to_curve25519", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_keypair_from_secretkey_and_publickey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_publickey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_secretkey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_publickey_from_secretkey", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_sign_seed_keypair", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream", 2); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xor", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xor", 2); +#if defined(crypto_stream_xchacha20_KEYBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xchacha20", 2); +#endif +#if defined(crypto_stream_xchacha20_KEYBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xchacha20_xor", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xchacha20_xor", 2); +#endif +#if defined(crypto_stream_xchacha20_KEYBYTES) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xchacha20_xor_ic", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_stream_xchacha20_xor_ic", 3); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_compare", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_compare", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_memcmp", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_memcmp", 1); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_memzero", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_pad", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_unpad", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_bin2hex", 0); + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_hex2bin", 0); +#if defined(sodium_base64_VARIANT_ORIGINAL) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_bin2base64", 0); +#endif +#if defined(sodium_base64_VARIANT_ORIGINAL) + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_base642bin", 0); +#endif + zend_mark_function_parameter_as_sensitive(CG(function_table), "sodium_crypto_scalarmult_base", 0); +} + static zend_class_entry *register_class_SodiumException(zend_class_entry *class_entry_Exception) { zend_class_entry ce, *class_entry; From 67dad58514e5baa5501e4eaccba84096cec2a9d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 12 Apr 2022 15:08:40 +0200 Subject: [PATCH 12/12] Mark parameter in ext/zip as sensitive --- ext/zip/php_zip.c | 3 +++ ext/zip/php_zip.stub.php | 15 ++++++++++++--- ext/zip/php_zip_arginfo.h | 13 ++++++++++++- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index ab0ecda212fb8..7db9512c99ed8 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -26,6 +26,7 @@ #include "ext/standard/php_string.h" #include "ext/pcre/php_pcre.h" #include "ext/standard/php_filestat.h" +#include "zend_attributes.h" #include "zend_interfaces.h" #include "php_zip.h" #include "php_zip_arginfo.h" @@ -3255,6 +3256,8 @@ static PHP_MINIT_FUNCTION(zip) le_zip_dir = zend_register_list_destructors_ex(php_zip_free_dir, NULL, le_zip_dir_name, module_number); le_zip_entry = zend_register_list_destructors_ex(php_zip_free_entry, NULL, le_zip_entry_name, module_number); + register_php_zip_symbols(module_number, zip_class_entry); + return SUCCESS; } /* }}} */ diff --git a/ext/zip/php_zip.stub.php b/ext/zip/php_zip.stub.php index 47df80df0e49a..a0866e114b432 100644 --- a/ext/zip/php_zip.stub.php +++ b/ext/zip/php_zip.stub.php @@ -82,7 +82,10 @@ class ZipArchive implements Countable /** @tentative-return-type */ public function open(string $filename, int $flags = 0): bool|int {} - /** @tentative-return-type */ + /** + * @sensitive-param $password + * @tentative-return-type + */ public function setPassword(string $password): bool {} /** @tentative-return-type */ @@ -223,10 +226,16 @@ public function setCompressionName(string $name, int $method, int $compflags = 0 public function setCompressionIndex(int $index, int $method, int $compflags = 0): bool {} #ifdef HAVE_ENCRYPTION - /** @tentative-return-type */ + /** + * @sensitive-param $password + * @tentative-return-type + */ public function setEncryptionName(string $name, int $method, ?string $password = null): bool {} - /** @tentative-return-type */ + /** + * @sensitive-param $password + * @tentative-return-type + */ public function setEncryptionIndex(int $index, int $method, ?string $password = null): bool {} #endif diff --git a/ext/zip/php_zip_arginfo.h b/ext/zip/php_zip_arginfo.h index b642f6347783e..80a8a34b5905b 100644 --- a/ext/zip/php_zip_arginfo.h +++ b/ext/zip/php_zip_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: f6542fda12c523584d476d2b733b4ccc0ffffe32 */ + * Stub hash: f8ec36ea62bfbdb74cfa6472227e08d9282413a2 */ ZEND_BEGIN_ARG_INFO_EX(arginfo_zip_open, 0, 0, 1) ZEND_ARG_TYPE_INFO(0, filename, IS_STRING, 0) @@ -486,6 +486,17 @@ static const zend_function_entry class_ZipArchive_methods[] = { ZEND_FE_END }; +static void register_php_zip_symbols(int module_number, zend_class_entry *class_entry_ZipArchive) +{ + zend_mark_function_parameter_as_sensitive(&class_entry_ZipArchive->function_table, "setpassword", 0); +#if defined(HAVE_ENCRYPTION) + zend_mark_function_parameter_as_sensitive(&class_entry_ZipArchive->function_table, "setencryptionname", 2); +#endif +#if defined(HAVE_ENCRYPTION) + zend_mark_function_parameter_as_sensitive(&class_entry_ZipArchive->function_table, "setencryptionindex", 2); +#endif +} + static zend_class_entry *register_class_ZipArchive(zend_class_entry *class_entry_Countable) { zend_class_entry ce, *class_entry;