Mark parameter in ext/hash as sensitive

ext/hash/hash.c

@@ -26,8 +26,9 @@
 #include "ext/standard/php_var.h"
 #include "ext/spl/spl_exceptions.h"
 
-#include "zend_interfaces.h"
+#include "zend_attributes.h"
 #include "zend_exceptions.h"
+#include "zend_interfaces.h"
 #include "zend_smart_str.h"
 
 #include "hash_arginfo.h"

ext/hash/hash.stub.php

@@ -14,13 +14,22 @@ function hash(string $algo, string $data, bool $binary = false, array $options =
 /** @refcount 1 */
 function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {}
 
 function hash_update(HashContext $context, string $data): bool {}
@@ -49,12 +58,22 @@ function hash_algos(): array {}
  */
 function hash_hmac_algos(): array {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $password
+ * @refcount 1
+ */
 function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
 
+/**
+ * @sensitive-param $known_string
+ * @sensitive-param $user_string
+ */
 function hash_equals(string $known_string, string $user_string): bool {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {}
 
 #ifdef PHP_MHASH_BC

ext/hash/hash_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 2c21ea2ab2a1f461c6a59b7c98160dac5d00b339 */
+ * Stub hash: fb95b61917a29769f4be4f5d7b5d589a39ae0c4e */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_hash, 0, 2, IS_STRING, 0)
 	ZEND_ARG_TYPE_INFO(0, algo, IS_STRING, 0)
@@ -213,6 +213,14 @@ static const zend_function_entry class_HashContext_methods[] = {
 static void register_hash_symbols(int module_number)
 {
     REGISTER_LONG_CONSTANT("HASH_HMAC", PHP_HASH_HMAC, CONST_CS | CONST_PERSISTENT);
+
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac_file", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_init", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_pbkdf2", 1);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 0);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 1);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hkdf", 1);
 }
 
 static zend_class_entry *register_class_HashContext(void)

ext/hash/tests/sensitive_parameter.phpt

@@ -0,0 +1,24 @@
+--TEST--
+Test that sensitive parameters are marked sensitive.
+--FILE--
+<?php
+try {
+    var_dump(hash_equals('foo', null));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+try {
+    var_dump(hash_hmac('foo', 'bar', 'baz'));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+?>
+--EXPECTF--
+TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given in %s:%d
+Stack trace:
+#0 %s(%d): hash_equals(Object(SensitiveParameterValue), Object(SensitiveParameterValue))
+#1 {main}
+ValueError: hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm in %s:%d
+Stack trace:
+#0 %s(%d): hash_hmac('foo', 'bar', Object(SensitiveParameterValue))
+#1 {main}