Skip to content

Commit 8f82433

Browse files
TimWollaTimWolla
committed
Mark parameter in ext/sodium as sensitive
1 parent c311ab7 commit 8f82433

File tree

3 files changed

+230
-6
lines changed

3 files changed

+230
-6
lines changed

ext/sodium/libsodium.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
#include "php_ini.h"
2323
#include "ext/standard/info.h"
2424
#include "php_libsodium.h"
25+
#include "zend_attributes.h"
2526
#include "zend_exceptions.h"
2627

2728
#include <sodium.h>
@@ -386,6 +387,8 @@ PHP_MINIT_FUNCTION(sodium)
386387
}
387388
#endif
388389

390+
register_libsodium_symbols(module_number);
391+
389392
return SUCCESS;
390393
}
391394

ext/sodium/libsodium.stub.php

Lines changed: 110 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,57 +5,91 @@
55
function sodium_crypto_aead_aes256gcm_is_available(): bool {}
66

77
#ifdef HAVE_AESGCM
8+
/** @sensitive-param $key */
89
function sodium_crypto_aead_aes256gcm_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {}
910

11+
/**
12+
* @sensitive-param $message
13+
* @sensitive-param $key
14+
*/
1015
function sodium_crypto_aead_aes256gcm_encrypt(string $message, string $additional_data, string $nonce, string $key): string {}
1116

1217
function sodium_crypto_aead_aes256gcm_keygen(): string {}
1318
#endif
1419

20+
/** @sensitive-param $key */
1521
function sodium_crypto_aead_chacha20poly1305_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {}
1622

23+
/**
24+
* @sensitive-param $message
25+
* @sensitive-param $key
26+
*/
1727
function sodium_crypto_aead_chacha20poly1305_encrypt(string $message, string $additional_data, string $nonce, string $key): string {}
1828

1929
function sodium_crypto_aead_chacha20poly1305_keygen(): string {}
2030

31+
/** @sensitive-param $key */
2132
function sodium_crypto_aead_chacha20poly1305_ietf_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {}
2233

34+
/**
35+
* @sensitive-param $message
36+
* @sensitive-param $key
37+
*/
2338
function sodium_crypto_aead_chacha20poly1305_ietf_encrypt(string $message, string $additional_data, string $nonce, string $key): string {}
2439

2540
function sodium_crypto_aead_chacha20poly1305_ietf_keygen(): string {}
2641

2742
#ifdef crypto_aead_xchacha20poly1305_IETF_NPUBBYTES
43+
/** @sensitive-param $key */
2844
function sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(string $ciphertext, string $additional_data, string $nonce, string $key): string|false {}
2945

3046
function sodium_crypto_aead_xchacha20poly1305_ietf_keygen(): string {}
3147

48+
/**
49+
* @sensitive-param $message
50+
* @sensitive-param $key
51+
*/
3252
function sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(string $message, string $additional_data, string $nonce, string $key): string {}
3353
#endif
3454

55+
/** @sensitive-param $key */
3556
function sodium_crypto_auth(string $message, string $key): string {}
3657

3758
function sodium_crypto_auth_keygen(): string {}
3859

60+
/** @sensitive-param $key */
3961
function sodium_crypto_auth_verify(string $mac, string $message, string $key): bool {}
4062

63+
/**
64+
* @sensitive-param $message
65+
* @sensitive-param $key_pair
66+
*/
4167
function sodium_crypto_box(string $message, string $nonce, string $key_pair): string {}
4268

4369
function sodium_crypto_box_keypair(): string {}
4470

71+
/** @sensitive-param $seed */
4572
function sodium_crypto_box_seed_keypair(string $seed): string {}
4673

74+
/** @sensitive-param $secret_key */
4775
function sodium_crypto_box_keypair_from_secretkey_and_publickey(string $secret_key, string $public_key): string {}
4876

77+
/** @sensitive-param $key_pair */
4978
function sodium_crypto_box_open(string $ciphertext, string $nonce, string $key_pair): string|false {}
5079

80+
/** @sensitive-param $key_pair */
5181
function sodium_crypto_box_publickey(string $key_pair): string {}
5282

83+
/** @sensitive-param $secret_key */
5384
function sodium_crypto_box_publickey_from_secretkey(string $secret_key): string {}
5485

86+
/** @sensitive-param $message */
5587
function sodium_crypto_box_seal(string $message, string $public_key): string {}
5688

89+
/** @sensitive-param $key_pair */
5790
function sodium_crypto_box_seal_open(string $ciphertext, string $key_pair): string|false {}
5891

92+
/** @sensitive-param $key_pair */
5993
function sodium_crypto_box_secretkey(string $key_pair): string {}
6094

6195
#ifdef crypto_core_ristretto255_HASHBYTES
@@ -88,38 +122,54 @@ function sodium_crypto_core_ristretto255_sub(string $p, string $q): string {}
88122

89123
function sodium_crypto_kx_keypair(): string {}
90124

125+
/** @sensitive-param $key_pair */
91126
function sodium_crypto_kx_publickey(string $key_pair): string {}
92127

128+
/** @sensitive-param $key_pair */
93129
function sodium_crypto_kx_secretkey(string $key_pair): string {}
94130

131+
/** @sensitive-param $seed */
95132
function sodium_crypto_kx_seed_keypair(string $seed): string {}
96133

97-
/** @return array<int, string> */
134+
/**
135+
* @sensitive-param $client_key_pair
136+
* @return array<int, string>
137+
*/
98138
function sodium_crypto_kx_client_session_keys(string $client_key_pair, string $server_key): array {}
99139

100-
/** @return array<int, string> */
140+
/**
141+
* @sensitive-param $server_key_pair
142+
* @return array<int, string>
143+
*
144+
*/
101145
function sodium_crypto_kx_server_session_keys(string $server_key_pair, string $client_key): array {}
102146

147+
/** @sensitive-param $key */
103148
function sodium_crypto_generichash(string $message, string $key = "", int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {}
104149

105150
function sodium_crypto_generichash_keygen(): string {}
106151

152+
/** @sensitive-param $key */
107153
function sodium_crypto_generichash_init(string $key = "", int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {}
108154

109155
/** @return true */
110156
function sodium_crypto_generichash_update(string &$state, string $message): bool {}
111157

112158
function sodium_crypto_generichash_final(string &$state, int $length = SODIUM_CRYPTO_GENERICHASH_BYTES): string {}
113159

160+
/** @sensitive-param $key */
114161
function sodium_crypto_kdf_derive_from_key(int $subkey_length, int $subkey_id, string $context, string $key): string {}
115162

116163
function sodium_crypto_kdf_keygen(): string {}
117164

118165
#ifdef crypto_pwhash_SALTBYTES
166+
/** @sensitive-param $password */
119167
function sodium_crypto_pwhash(int $length, string $password, string $salt, int $opslimit, int $memlimit, int $algo = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT): string {}
120168

169+
/** @sensitive-param $password */
121170
function sodium_crypto_pwhash_str(string $password, int $opslimit, int $memlimit): string {}
122171

172+
/** @sensitive-param $password */
123173
function sodium_crypto_pwhash_str_verify(string $hash, string $password): bool {}
124174
#endif
125175

@@ -128,10 +178,13 @@ function sodium_crypto_pwhash_str_needs_rehash(string $password, int $opslimit,
128178
#endif
129179

130180
#ifdef crypto_pwhash_scryptsalsa208sha256_SALTBYTES
181+
/** @sensitive-param $password */
131182
function sodium_crypto_pwhash_scryptsalsa208sha256(int $length, string $password, string $salt, int $opslimit, int $memlimit): string {}
132183

184+
/** @sensitive-param $password */
133185
function sodium_crypto_pwhash_scryptsalsa208sha256_str(string $password, int $opslimit, int $memlimit): string {}
134186

187+
/** @sensitive-param $password */
135188
function sodium_crypto_pwhash_scryptsalsa208sha256_str_verify(string $hash, string $password): bool {}
136189
#endif
137190

@@ -143,20 +196,32 @@ function sodium_crypto_scalarmult_ristretto255(string $n, string $p): string {}
143196
function sodium_crypto_scalarmult_ristretto255_base(string $n): string {}
144197
#endif
145198

199+
/**
200+
* @sensitive-param $message
201+
* @sensitive-param $key
202+
*/
146203
function sodium_crypto_secretbox(string $message, string $nonce, string $key): string {}
147204

148205
function sodium_crypto_secretbox_keygen(): string {}
149206

207+
/**
208+
* @sensitive-param $key
209+
*/
150210
function sodium_crypto_secretbox_open(string $ciphertext, string $nonce, string $key): string|false {}
151211

152212
#ifdef crypto_secretstream_xchacha20poly1305_ABYTES
153213
function sodium_crypto_secretstream_xchacha20poly1305_keygen(): string {}
154214

155-
/** @return array<int, string> */
215+
/**
216+
* @sensitive-param $key
217+
* @return array<int, string>
218+
*/
156219
function sodium_crypto_secretstream_xchacha20poly1305_init_push(string $key): array {}
157220

221+
/** @sensitive-param $message */
158222
function sodium_crypto_secretstream_xchacha20poly1305_push(string &$state, string $message, string $additional_data = "", int $tag = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE): string {}
159223

224+
/** @sensitive-param $key */
160225
function sodium_crypto_secretstream_xchacha20poly1305_init_pull(string $header, string $key): string {}
161226

162227
/** @return array<int, int|string>|false */
@@ -165,75 +230,116 @@ function sodium_crypto_secretstream_xchacha20poly1305_pull(string &$state, strin
165230
function sodium_crypto_secretstream_xchacha20poly1305_rekey(string &$state): void {}
166231
#endif
167232

233+
/** @sensitive-param $key */
168234
function sodium_crypto_shorthash(string $message, string $key): string {}
169235

170236
function sodium_crypto_shorthash_keygen(): string {}
171237

238+
/** @sensitive-param $secret_key */
172239
function sodium_crypto_sign(string $message, string $secret_key): string {}
173240

241+
/** @sensitive-param $secret_key */
174242
function sodium_crypto_sign_detached(string $message, string $secret_key): string {}
175243

176244
function sodium_crypto_sign_ed25519_pk_to_curve25519(string $public_key): string {}
177245

246+
/** @sensitive-param $secret_key */
178247
function sodium_crypto_sign_ed25519_sk_to_curve25519(string $secret_key): string {}
179248

180249
function sodium_crypto_sign_keypair(): string {}
181250

251+
/** @sensitive-param $secret_key */
182252
function sodium_crypto_sign_keypair_from_secretkey_and_publickey(string $secret_key, string $public_key): string {}
183253

184254
function sodium_crypto_sign_open(string $signed_message, string $public_key): string|false {}
185255

256+
/** @sensitive-param $key_pair */
186257
function sodium_crypto_sign_publickey(string $key_pair): string {}
187258

259+
/** @sensitive-param $key_pair */
188260
function sodium_crypto_sign_secretkey(string $key_pair): string {}
189261

262+
/** @sensitive-param $secret_key */
190263
function sodium_crypto_sign_publickey_from_secretkey(string $secret_key): string {}
191264

265+
/** @sensitive-param $seed */
192266
function sodium_crypto_sign_seed_keypair(string $seed): string {}
193267

194268
function sodium_crypto_sign_verify_detached(string $signature, string $message, string $public_key): bool {}
195269

270+
/** @sensitive-param $key */
196271
function sodium_crypto_stream(int $length, string $nonce, string $key): string {}
197272

198273
function sodium_crypto_stream_keygen(): string {}
199274

275+
/**
276+
* @sensitive-param $message
277+
* @sensitive-param $key
278+
*/
200279
function sodium_crypto_stream_xor(string $message, string $nonce, string $key): string {}
201280

202281
#if defined(crypto_stream_xchacha20_KEYBYTES)
282+
/** @sensitive-param $key */
203283
function sodium_crypto_stream_xchacha20(int $length, string $nonce, string $key): string {}
204284

205285
function sodium_crypto_stream_xchacha20_keygen(): string {}
206286

287+
/**
288+
* @sensitive-param $message
289+
* @sensitive-param $key
290+
*/
207291
function sodium_crypto_stream_xchacha20_xor(string $message, string $nonce, string $key): string {}
208292

293+
/**
294+
* @sensitive-param $message
295+
* @sensitive-param $key
296+
*/
209297
function sodium_crypto_stream_xchacha20_xor_ic(string $message, string $nonce, int $counter, string $key): string {}
210298
#endif
211299

212300
function sodium_add(string &$string1, string $string2): void {}
213301

302+
/**
303+
* @sensitive-param $string1
304+
* @sensitive-param $string2
305+
*/
214306
function sodium_compare(string $string1, string $string2): int {}
215307

216308
function sodium_increment(string &$string): void {}
217309

310+
/**
311+
* @sensitive-param $string1
312+
* @sensitive-param $string2
313+
*/
218314
function sodium_memcmp(string $string1, string $string2): int {}
219315

316+
/** @sensitive-param $string */
220317
function sodium_memzero(string &$string): void {}
221318

319+
/** @sensitive-param $string */
222320
function sodium_pad(string $string, int $block_size): string {}
223321

322+
/** @sensitive-param $string */
224323
function sodium_unpad(string $string, int $block_size): string {}
225324

325+
/** @sensitive-param $string */
226326
function sodium_bin2hex(string $string): string {}
227327

328+
/** @sensitive-param $string */
228329
function sodium_hex2bin(string $string, string $ignore = ""): string {}
229330

230331
#ifdef sodium_base64_VARIANT_ORIGINAL
332+
/** @sensitive-param $string */
231333
function sodium_bin2base64(string $string, int $id): string {}
232334

335+
/** @sensitive-param $string */
233336
function sodium_base642bin(string $string, int $id, string $ignore = ""): string {}
234337
#endif
235338

236-
/** @alias sodium_crypto_box_publickey_from_secretkey */
339+
/**
340+
* @sensitive-param $secret_key
341+
* @alias sodium_crypto_box_publickey_from_secretkey
342+
*/
237343
function sodium_crypto_scalarmult_base(string $secret_key): string {}
238344

239345
class SodiumException extends Exception {}

0 commit comments

Comments
 (0)