From 0d4147f0fbd03335fa4477697b6c5be6bc87407e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Tue, 12 Apr 2022 14:24:43 +0200
Subject: [PATCH] Mark parameter in ext/hash as sensitive

---
 ext/hash/hash.c                         |  3 ++-
 ext/hash/hash.stub.php                  | 29 ++++++++++++++++++++-----
 ext/hash/hash_arginfo.h                 | 10 ++++++++-
 ext/hash/tests/sensitive_parameter.phpt | 24 ++++++++++++++++++++
 4 files changed, 59 insertions(+), 7 deletions(-)
 create mode 100644 ext/hash/tests/sensitive_parameter.phpt

diff --git a/ext/hash/hash.c b/ext/hash/hash.c
index 9cd52a2fde5..c8b93313d59 100644
--- a/ext/hash/hash.c
+++ b/ext/hash/hash.c
@@ -26,8 +26,9 @@
 #include "ext/standard/php_var.h"
 #include "ext/spl/spl_exceptions.h"
 
-#include "zend_interfaces.h"
+#include "zend_attributes.h"
 #include "zend_exceptions.h"
+#include "zend_interfaces.h"
 #include "zend_smart_str.h"
 
 #include "hash_arginfo.h"
diff --git a/ext/hash/hash.stub.php b/ext/hash/hash.stub.php
index b18c08be3c1..a305983ac95 100644
--- a/ext/hash/hash.stub.php
+++ b/ext/hash/hash.stub.php
@@ -14,13 +14,22 @@ function hash(string $algo, string $data, bool $binary = false, array $options =
 /** @refcount 1 */
 function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {}
 
 function hash_update(HashContext $context, string $data): bool {}
@@ -49,12 +58,22 @@ function hash_algos(): array {}
  */
 function hash_hmac_algos(): array {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $password
+ * @refcount 1
+ */
 function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
 
+/**
+ * @sensitive-param $known_string
+ * @sensitive-param $user_string
+ */
 function hash_equals(string $known_string, string $user_string): bool {}
 
-/** @refcount 1 */
+/**
+ * @sensitive-param $key
+ * @refcount 1
+ */
 function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {}
 
 #ifdef PHP_MHASH_BC
diff --git a/ext/hash/hash_arginfo.h b/ext/hash/hash_arginfo.h
index 80642f96b4e..e010d7a6625 100644
--- a/ext/hash/hash_arginfo.h
+++ b/ext/hash/hash_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 2c21ea2ab2a1f461c6a59b7c98160dac5d00b339 */
+ * Stub hash: fb95b61917a29769f4be4f5d7b5d589a39ae0c4e */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_hash, 0, 2, IS_STRING, 0)
 	ZEND_ARG_TYPE_INFO(0, algo, IS_STRING, 0)
@@ -213,6 +213,14 @@ static const zend_function_entry class_HashContext_methods[] = {
 static void register_hash_symbols(int module_number)
 {
     REGISTER_LONG_CONSTANT("HASH_HMAC", PHP_HASH_HMAC, CONST_CS | CONST_PERSISTENT);
+
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hmac_file", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_init", 2);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_pbkdf2", 1);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 0);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_equals", 1);
+    zend_mark_function_parameter_as_sensitive(CG(function_table), "hash_hkdf", 1);
 }
 
 static zend_class_entry *register_class_HashContext(void)
diff --git a/ext/hash/tests/sensitive_parameter.phpt b/ext/hash/tests/sensitive_parameter.phpt
new file mode 100644
index 00000000000..1a5154d11b1
--- /dev/null
+++ b/ext/hash/tests/sensitive_parameter.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Test that sensitive parameters are marked sensitive.
+--FILE--
+<?php
+try {
+    var_dump(hash_equals('foo', null));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+try {
+    var_dump(hash_hmac('foo', 'bar', 'baz'));
+} catch (\Throwable $e) {
+    echo $e, PHP_EOL;
+}
+?>
+--EXPECTF--
+TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given in %s:%d
+Stack trace:
+#0 %s(%d): hash_equals(Object(SensitiveParameterValue), Object(SensitiveParameterValue))
+#1 {main}
+ValueError: hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm in %s:%d
+Stack trace:
+#0 %s(%d): hash_hmac('foo', 'bar', Object(SensitiveParameterValue))
+#1 {main}