Mark parameter in ext/openssl as sensitive
TimWolla committed Jun 13, 2022
1 parent e85b17b commit c311ab7
Showing 3 changed files with 121 additions and 12 deletions.
3 changes: 3 additions & 0 deletions ext/openssl/openssl.c
@@ -27,6 +27,7 @@
#include "php.h"
#include "php_ini.h"
#include "php_openssl.h"
#include "zend_attributes.h"
#include "zend_exceptions.h"

/* PHP Includes */
@@ -1392,6 +1393,8 @@ PHP_MINIT_FUNCTION(openssl)

REGISTER_INI_ENTRIES();

register_openssl_symbols(module_number);

return SUCCESS;
}
/* }}} */
85 changes: 74 additions & 11 deletions ext/openssl/openssl.stub.php
@@ -33,7 +33,10 @@ function openssl_x509_export(OpenSSLCertificate|string $certificate, &$output, b

function openssl_x509_fingerprint(OpenSSLCertificate|string $certificate, string $digest_algo = "sha1", bool $binary = false): string|false {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_x509_check_private_key(OpenSSLCertificate|string $certificate, $private_key): bool {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key */
@@ -52,27 +55,42 @@ function openssl_x509_read(OpenSSLCertificate|string $certificate): OpenSSLCerti
/** @deprecated */
function openssl_x509_free(OpenSSLCertificate $certificate): void {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
* @sensitive-param $passphrase
*/
function openssl_pkcs12_export_to_file(OpenSSLCertificate|string $certificate, string $output_filename, $private_key, string $passphrase, array $options = []): bool {}

/**
* @param string $output
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
* @sensitive-param $passphrase
*/
function openssl_pkcs12_export(OpenSSLCertificate|string $certificate, &$output, $private_key, string $passphrase, array $options = []): bool {}

/** @param array $certificates */
/**
* @param array $certificates
* @sensitive-param $passphrase
*/
function openssl_pkcs12_read(string $pkcs12, &$certificates, string $passphrase): bool {}

function openssl_csr_export_to_file(OpenSSLCertificateSigningRequest|string $csr, string $output_filename, bool $no_text = true): bool {}

/** @param string $output */
function openssl_csr_export(OpenSSLCertificateSigningRequest|string $csr, &$output, bool $no_text = true): bool {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_csr_sign(OpenSSLCertificateSigningRequest|string $csr, OpenSSLCertificate|string|null $ca_certificate, $private_key, int $days, ?array $options = null, int $serial = 0): OpenSSLCertificate|false {}

/** @param OpenSSLAsymmetricKey $private_key */
/**
* @param OpenSSLAsymmetricKey $private_key
* @sensitive-param $private_key
*/
function openssl_csr_new(array $distinguished_names, &$private_key, ?array $options = null, ?array $extra_attributes = null): OpenSSLCertificateSigningRequest|false {}

/**
@@ -85,12 +103,18 @@ function openssl_csr_get_public_key(OpenSSLCertificateSigningRequest|string $csr

function openssl_pkey_new(?array $options = null): OpenSSLAsymmetricKey|false {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
* @sensitive-param $key
* @sensitive-param $passphrase
*/
function openssl_pkey_export_to_file($key, string $output_filename, ?string $passphrase = null, ?array $options = null): bool {}

/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
* @param string $output
* @sensitive-param $key
* @sensitive-param $passphrase
*/
function openssl_pkey_export($key, &$output, ?string $passphrase = null, ?array $options = null): bool {}

@@ -103,7 +127,9 @@ function openssl_pkey_get_public($public_key): OpenSSLAsymmetricKey|false {}
*/
function openssl_get_publickey($public_key): OpenSSLAsymmetricKey|false {}

/** @deprecated */
/**
* @deprecated
*/
function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {}

/**
@@ -112,11 +138,17 @@ function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {}
*/
function openssl_free_key(OpenSSLAsymmetricKey $key): void {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
* @sensitive-param $passphrase
*/
function openssl_pkey_get_private($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {}

/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
* @sensitive-param $passphrase
* @alias openssl_pkey_get_private
*/
function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {}
@@ -127,19 +159,25 @@ function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenS
*/
function openssl_pkey_get_details(OpenSSLAsymmetricKey $key): array|false {}

/** @sensitive-param $password */
function openssl_pbkdf2(string $password, string $salt, int $key_length, int $iterations, string $digest_algo = "sha1"): string|false {}

function openssl_pkcs7_verify(string $input_filename, int $flags, ?string $signers_certificates_filename = null, array $ca_info = [], ?string $untrusted_certificates_filename = null, ?string $content = null, ?string $output_filename = null): bool|int {}

/** @param OpenSSLCertificate|array|string $certificate */
function openssl_pkcs7_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_pkcs7_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = PKCS7_DETACHED, ?string $untrusted_certificates_filename = null): bool {}

/**
* @param OpenSSLCertificate|string $certificate
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key
* @sensitive-param $certificate
* @sensitive-param $private_key
*/
function openssl_pkcs7_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null): bool {}

@@ -151,12 +189,17 @@ function openssl_cms_verify(string $input_filename, int $flags = 0, ?string $cer
/** @param OpenSSLCertificate|array|string $certificate */
function openssl_cms_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {}

/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_cms_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, ?string $untrusted_certificates_filename = null): bool {}

/**
* @param OpenSSLCertificate|string $certificate
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key
* @sensitive-param $certificate
* @sensitive-param $private_key
*/
function openssl_cms_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null, int $encoding = OPENSSL_ENCODING_SMIME): bool {}

@@ -166,24 +209,30 @@ function openssl_cms_read(string $input_filename, &$certificates): bool {}
/**
* @param string $encrypted_data
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $data
* @sensitive-param $private_key
*/
function openssl_private_encrypt(string $data, &$encrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}

/**
* @param string $decrypted_data
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $decrypted_data
* @sensitive-param $private_key
*/
function openssl_private_decrypt(string $data, &$decrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}

/**
* @param string $encrypted_data
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
* @sensitive-param $data
*/
function openssl_public_encrypt(string $data, &$encrypted_data, $public_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}

/**
* @param string $decrypted_data
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
* @sensitive-param $decrypted_data
*/
function openssl_public_decrypt(string $data, &$decrypted_data, $public_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}

@@ -192,6 +241,7 @@ function openssl_error_string(): string|false {}
/**
* @param string $signature
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_sign(string $data, &$signature, $private_key, string|int $algorithm = OPENSSL_ALGO_SHA1): bool {}

@@ -202,12 +252,15 @@ function openssl_verify(string $data, string $signature, $public_key, string|int
* @param string $sealed_data
* @param array $encrypted_keys
* @param string $iv
* @sensitive-param $data
*/
function openssl_seal(string $data, &$sealed_data, &$encrypted_keys, array $public_key, string $cipher_algo, &$iv = null): int|false {}

/**
* @param string $output
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $output
* @sensitive-param $private_key
*/
function openssl_open(string $data, &$output, string $encrypted_key, $private_key, string $cipher_algo, ?string $iv = null): bool {}

@@ -233,24 +286,34 @@ function openssl_get_curve_names(): array|false {}

function openssl_digest(string $data, string $digest_algo, bool $binary = false): string|false {}

/** @param string $tag */
/**
* @param string $tag
* @sensitive-param $data
* @sensitive-param $passphrase
*/
function openssl_encrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", &$tag = null, string $aad = "", int $tag_length = 16): string|false {}

/**
* @sensitive-param $passphrase
*/
function openssl_decrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", ?string $tag = null, string $aad = ""): string|false {}

function openssl_cipher_iv_length(string $cipher_algo): int|false {}

/** @sensitive-param $private_key */
function openssl_dh_compute_key(string $public_key, OpenSSLAsymmetricKey $private_key): string|false {}

/**
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
* @sensitive-param $private_key
*/
function openssl_pkey_derive($public_key, $private_key, int $key_length = 0): string|false {}

/** @param bool $strong_result */
function openssl_random_pseudo_bytes(int $length, &$strong_result = null): string {}

/** @sensitive-param $private_key */
function openssl_spki_new(OpenSSLAsymmetricKey $private_key, string $challenge, int $digest_algo = OPENSSL_ALGO_MD5): string|false {}

function openssl_spki_verify(string $spki): bool {}
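Review bot: `openssl_pkcs12_read()` marks only `$passphrase`, but its by-reference `$certificates` output is where the decrypted private key ends up (the `pkey` element), so it deserves `* @sensitive-param $certificates`, in the same way this file already marks the outputs `$decrypted_data` in `openssl_private_decrypt()` and `$output` in `openssl_open()`. The same gap applies to `$output` of `openssl_pkey_export()`, which receives the PEM private key and is unencrypted when `$passphrase` is null; `$output` of `openssl_pkcs12_export()` is a similar case. Since the attribute presumably only redacts argument values in stack traces, a short comment at the top of the stub saying that it does not scrub the values from memory or from application logs would keep callers from over-trusting it. The rewrite of `/** @deprecated */` above `openssl_pkey_free()` into a three-line docblock adds no annotation and could be dropped to keep the diff minimal.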
45 changes: 44 additions & 1 deletion ext/openssl/openssl_arginfo.h

