Mark parameter in ext/hash as sensitive

php · Jun 13, 2022 · 0d4147f · 0d4147f
1 parent 6906d1f
commit 0d4147f
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 7 deletions.
diff --git a/ext/hash/hash.c b/ext/hash/hash.c
@@ -26,8 +26,9 @@
 #include "ext/standard/php_var.h"
 #include "ext/spl/spl_exceptions.h"
 
-#include "zend_interfaces.h"
+#include "zend_attributes.h"
 #include "zend_exceptions.h"
+#include "zend_interfaces.h"
 #include "zend_smart_str.h"
 
 #include "hash_arginfo.h"

diff --git a/ext/hash/hash.stub.php b/ext/hash/hash.stub.php
@@ -14,13 +14,22 @@ function hash(string $algo, string $data, bool $binary = false, array $options =
 /** @refcount 1 */
 function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {}
 
 function hash_update(HashContext $context, string $data): bool {}
@@ -49,12 +58,22 @@ function hash_algos(): array {}
  */
 function hash_hmac_algos(): array {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $password
+ * @refcount 1
+ */
 function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
 
+/**
+ * @sensitive-param $known_string
+ * @sensitive-param $user_string
+ */
 function hash_equals(string $known_string, string $user_string): bool {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {}
 
 #ifdef PHP_MHASH_BC

diff --git a/ext/hash/hash_arginfo.h b/ext/hash/hash_arginfo.h
diff --git a/ext/hash/tests/sensitive_parameter.phpt b/ext/hash/tests/sensitive_parameter.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Test that sensitive parameters are marked sensitive.
+--FILE--
+<?php
+try {
+    var_dump(hash_equals('foo', null));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+try {
+    var_dump(hash_hmac('foo', 'bar', 'baz'));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+?>
+--EXPECTF--
+TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given in %s:%d
+Stack trace:
+#0 %s(%d): hash_equals(Object(SensitiveParameterValue), Object(SensitiveParameterValue))
+#1 {main}
+ValueError: hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm in %s:%d
+Stack trace:
+#0 %s(%d): hash_hmac('foo', 'bar', Object(SensitiveParameterValue))
+#1 {main}