
Commit 44361ab

committed
Mark parameter in ext/openssl as sensitive
1 parent 519c299 commit 44361ab


3 files changed

+121
-12
lines changed


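--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -27,6 +27,7 @@
 #include "php.h"
 #include "php_ini.h"
 #include "php_openssl.h"
+#include "zend_attributes.h"
 #include "zend_exceptions.h"
 
 /* PHP Includes */
@@ -1300,6 +1301,8 @@ PHP_MINIT_FUNCTION(openssl)
 
 REGISTER_INI_ENTRIES();
 
+register_openssl_symbols(module_number);
+
 return SUCCESS;
 }
 /* }}} */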

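--- a/ext/openssl/openssl.stub.php
+++ b/ext/openssl/openssl.stub.php
@@ -33,7 +33,10 @@ function openssl_x509_export(OpenSSLCertificate|string $certificate, &$output, b
 
 function openssl_x509_fingerprint(OpenSSLCertificate|string $certificate, string $digest_algo = "sha1", bool $binary = false): string|false {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+*/
 function openssl_x509_check_private_key(OpenSSLCertificate|string $certificate, $private_key): bool {}
 
 /** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key */
@@ -52,27 +55,42 @@ function openssl_x509_read(OpenSSLCertificate|string $certificate): OpenSSLCerti
 /** @deprecated */
 function openssl_x509_free(OpenSSLCertificate $certificate): void {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+* @sensitive-param $passphrase
+*/
 function openssl_pkcs12_export_to_file(OpenSSLCertificate|string $certificate, string $output_filename, $private_key, string $passphrase, array $options = []): bool {}
 
 /**
 * @param string $output
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+* @sensitive-param $passphrase
 */
 function openssl_pkcs12_export(OpenSSLCertificate|string $certificate, &$output, $private_key, string $passphrase, array $options = []): bool {}
 
-/** @param array $certificates */
+/**
+* @param array $certificates
+* @sensitive-param $passphrase
+*/
 function openssl_pkcs12_read(string $pkcs12, &$certificates, string $passphrase): bool {}
 
 function openssl_csr_export_to_file(OpenSSLCertificateSigningRequest|string $csr, string $output_filename, bool $no_text = true): bool {}
 
 /** @param string $output */
 function openssl_csr_export(OpenSSLCertificateSigningRequest|string $csr, &$output, bool $no_text = true): bool {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+*/
 function openssl_csr_sign(OpenSSLCertificateSigningRequest|string $csr, OpenSSLCertificate|string|null $ca_certificate, $private_key, int $days, ?array $options = null, int $serial = 0): OpenSSLCertificate|false {}
 
-/** @param OpenSSLAsymmetricKey $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey $private_key
+*/
 function openssl_csr_new(array $distinguished_names, &$private_key, ?array $options = null, ?array $extra_attributes = null): OpenSSLCertificateSigningRequest|false {}
 
 /**
@@ -85,12 +103,18 @@ function openssl_csr_get_public_key(OpenSSLCertificateSigningRequest|string $csr
 
 function openssl_pkey_new(?array $options = null): OpenSSLAsymmetricKey|false {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */
+/**
+* @sensitive-param $key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+* @sensitive-param $passphrase
+*/
 function openssl_pkey_export_to_file($key, string $output_filename, ?string $passphrase = null, ?array $options = null): bool {}
 
 /**
+* @sensitive-param $key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
 * @param string $output
+* @sensitive-param $passphrase
 */
 function openssl_pkey_export($key, &$output, ?string $passphrase = null, ?array $options = null): bool {}
 
@@ -103,20 +127,30 @@ function openssl_pkey_get_public($public_key): OpenSSLAsymmetricKey|false {}
 */
 function openssl_get_publickey($public_key): OpenSSLAsymmetricKey|false {}
 
-/** @deprecated */
+/**
+* @deprecated
+* @sensitive-param $key
+*/
 function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {}
 
 /**
 * @alias openssl_pkey_free
 * @deprecated
+* @sensitive-param $key
 */
 function openssl_free_key(OpenSSLAsymmetricKey $key): void {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+* @sensitive-param $passphrase
+*/
 function openssl_pkey_get_private($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {}
 
 /**
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+* @sensitive-param $passphrase
 * @alias openssl_pkey_get_private
 */
 function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenSSLAsymmetricKey|false {}
@@ -127,18 +161,23 @@ function openssl_get_privatekey($private_key, ?string $passphrase = null): OpenS
 */
 function openssl_pkey_get_details(OpenSSLAsymmetricKey $key): array|false {}
 
+/** @sensitive-param $password */
 function openssl_pbkdf2(string $password, string $salt, int $key_length, int $iterations, string $digest_algo = "sha1"): string|false {}
 
 function openssl_pkcs7_verify(string $input_filename, int $flags, ?string $signers_certificates_filename = null, array $ca_info = [], ?string $untrusted_certificates_filename = null, ?string $content = null, ?string $output_filename = null): bool|int {}
 
 /** @param OpenSSLCertificate|array|string $certificate */
 function openssl_pkcs7_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+*/
 function openssl_pkcs7_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = PKCS7_DETACHED, ?string $untrusted_certificates_filename = null): bool {}
 
 /**
 * @param OpenSSLCertificate|string $certificate
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key
 */
 function openssl_pkcs7_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null): bool {}
@@ -151,11 +190,15 @@ function openssl_cms_verify(string $input_filename, int $flags = 0, ?string $cer
 /** @param OpenSSLCertificate|array|string $certificate */
 function openssl_cms_encrypt(string $input_filename, string $output_filename, $certificate, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC): bool {}
 
-/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key */
+/**
+* @sensitive-param $private_key
+* @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
+*/
 function openssl_cms_sign(string $input_filename, string $output_filename, OpenSSLCertificate|string $certificate, $private_key, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, ?string $untrusted_certificates_filename = null): bool {}
 
 /**
 * @param OpenSSLCertificate|string $certificate
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $private_key
 */
 function openssl_cms_decrypt(string $input_filename, string $output_filename, $certificate, $private_key = null, int $encoding = OPENSSL_ENCODING_SMIME): bool {}
@@ -164,24 +207,30 @@ function openssl_cms_decrypt(string $input_filename, string $output_filename, $c
 function openssl_cms_read(string $input_filename, &$certificates): bool {}
 
 /**
+* @sensitive-param $data
 * @param string $encrypted_data
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
 function openssl_private_encrypt(string $data, &$encrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
 /**
+* @sensitive-param $decrypted_data
 * @param string $decrypted_data
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
 function openssl_private_decrypt(string $data, &$decrypted_data, $private_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
 /**
+* @sensitive-param $data
 * @param string $encrypted_data
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
 */
 function openssl_public_encrypt(string $data, &$encrypted_data, $public_key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
 /**
+* @sensitive-param $decrypted_data
 * @param string $decrypted_data
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
 */
@@ -191,6 +240,7 @@ function openssl_error_string(): string|false {}
 
 /**
 * @param string $signature
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
 function openssl_sign(string $data, &$signature, $private_key, string|int $algorithm = OPENSSL_ALGO_SHA1): bool {}
@@ -199,14 +249,17 @@ function openssl_sign(string $data, &$signature, $private_key, string|int $algor
 function openssl_verify(string $data, string $signature, $public_key, string|int $algorithm = OPENSSL_ALGO_SHA1): int|false {}
 
 /**
+* @sensitive-param $data
 * @param string $sealed_data
 * @param array $encrypted_keys
 * @param string $iv
 */
 function openssl_seal(string $data, &$sealed_data, &$encrypted_keys, array $public_key, string $cipher_algo, &$iv = null): int|false {}
 
 /**
+* @sensitive-param $output
 * @param string $output
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
 function openssl_open(string $data, &$output, string $encrypted_key, $private_key, string $cipher_algo, ?string $iv = null): bool {}
@@ -233,24 +286,34 @@ function openssl_get_curve_names(): array|false {}
 
 function openssl_digest(string $data, string $digest_algo, bool $binary = false): string|false {}
 
-/** @param string $tag */
+/**
+* @sensitive-param $data
+* @param string $tag
+* @sensitive-param $passphrase
+*/
 function openssl_encrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", &$tag = null, string $aad = "", int $tag_length = 16): string|false {}
 
+/**
+* @sensitive-param $passphrase
+*/
 function openssl_decrypt(string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", ?string $tag = null, string $aad = ""): string|false {}
 
 function openssl_cipher_iv_length(string $cipher_algo): int|false {}
 
+/** @sensitive-param $private_key */
 function openssl_dh_compute_key(string $public_key, OpenSSLAsymmetricKey $private_key): string|false {}
 
 /**
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $public_key
+* @sensitive-param $private_key
 * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key
 */
 function openssl_pkey_derive($public_key, $private_key, int $key_length = 0): string|false {}
 
 /** @param bool $strong_result */
 function openssl_random_pseudo_bytes(int $length, &$strong_result = null): string {}
 
+/** @sensitive-param $private_key */
 function openssl_spki_new(OpenSSLAsymmetricKey $private_key, string $challenge, int $digest_algo = OPENSSL_ALGO_MD5): string|false {}
 
 function openssl_spki_verify(string $spki): bool {}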
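Review bot: `openssl_pkey_export` (new lines 113-119) marks `$key` and `$passphrase` as sensitive but leaves its by-reference `&$output` unmarked, even though this same commit treats the by-reference outputs `$decrypted_data` of `openssl_private_decrypt`/`openssl_public_decrypt` and `$output` of `openssl_open` as sensitive. `$output` is where the exported key material is written, and with `$passphrase` defaulting to null it is presumably written unencrypted, so an argument dump in a stack trace would expose the private key in the clear. Adding `* @sensitive-param $output` to that docblock (and regenerating the arginfo) would make the by-reference handling consistent. The same question applies, with less exposure, to `openssl_pkcs12_export`'s `&$output`, which receives the PKCS#12 archive built from `$private_key`.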

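--- a/ext/openssl/openssl_arginfo.h
+++ b/ext/openssl/openssl_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
-* Stub hash: b820bb89ed3a0612473de268b057663ee237f876 */
+* Stub hash: 8fdce193aee0363c8356c90e09a484f8148360b0 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0)
 ZEND_ARG_OBJ_TYPE_MASK(0, certificate, OpenSSLCertificate, MAY_BE_STRING, NULL)
@@ -534,6 +534,49 @@ static const zend_function_entry class_OpenSSLAsymmetricKey_methods[] = {
 ZEND_FE_END
 };
 
+static void register_openssl_symbols(int module_number)
+{
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_x509_check_private_key", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export_to_file", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export_to_file", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_export", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs12_read", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_csr_sign", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_csr_new", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export_to_file", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export_to_file", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_export", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_free", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_free_key", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_get_private", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_get_private", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_get_privatekey", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_get_privatekey", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pbkdf2", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs7_sign", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkcs7_decrypt", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_cms_sign", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_cms_decrypt", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_encrypt", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_encrypt", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_decrypt", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_private_decrypt", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_public_encrypt", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_public_decrypt", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_sign", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_seal", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_open", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_open", 3);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_encrypt", 0);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_encrypt", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_decrypt", 2);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_dh_compute_key", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_pkey_derive", 1);
+zend_mark_function_parameter_as_sensitive(CG(function_table), "openssl_spki_new", 0);
+}
+
 static zend_class_entry *register_class_OpenSSLCertificate(void)
 {
 zend_class_entry ce, *class_entry;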
