diff -r 48c4eec2b7e6 -r 8c2e4d02f4ef wp/wp-includes/sodium_compat/src/Compat.php --- a/wp/wp-includes/sodium_compat/src/Compat.php Fri Sep 05 18:40:08 2025 +0200 +++ b/wp/wp-includes/sodium_compat/src/Compat.php Fri Sep 05 18:52:52 2025 +0200 @@ -59,6 +59,14 @@ const CRYPTO_AEAD_AES256GCM_NSECBYTES = 0; const CRYPTO_AEAD_AES256GCM_NPUBBYTES = 12; const CRYPTO_AEAD_AES256GCM_ABYTES = 16; + const CRYPTO_AEAD_AEGIS128L_KEYBYTES = 16; + const CRYPTO_AEAD_AEGIS128L_NSECBYTES = 0; + const CRYPTO_AEAD_AEGIS128L_NPUBBYTES = 16; + const CRYPTO_AEAD_AEGIS128L_ABYTES = 32; + const CRYPTO_AEAD_AEGIS256_KEYBYTES = 32; + const CRYPTO_AEAD_AEGIS256_NSECBYTES = 0; + const CRYPTO_AEAD_AEGIS256_NPUBBYTES = 32; + const CRYPTO_AEAD_AEGIS256_ABYTES = 32; const CRYPTO_AEAD_CHACHA20POLY1305_KEYBYTES = 32; const CRYPTO_AEAD_CHACHA20POLY1305_NSECBYTES = 0; const CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES = 8; @@ -155,8 +163,12 @@ * @return void * @throws SodiumException */ - public static function add(&$val, $addv) - { + public static function add( + #[\SensitiveParameter] + &$val, + #[\SensitiveParameter] + $addv + ) { $val_len = ParagonIE_Sodium_Core_Util::strlen($val); $addv_len = ParagonIE_Sodium_Core_Util::strlen($addv); if ($val_len !== $addv_len) { @@ -181,8 +193,12 @@ * @return string * @throws SodiumException */ - public static function base642bin($encoded, $variant, $ignore = '') - { + public static function base642bin( + #[\SensitiveParameter] + $encoded, + $variant, + $ignore = '' + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($encoded, 'string', 1); @@ -224,8 +240,11 @@ * @return string * @throws SodiumException */ - public static function bin2base64($decoded, $variant) - { + public static function bin2base64( + #[\SensitiveParameter] + $decoded, + $variant + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($decoded, 'string', 1); /** @var string $decoded */ @@ -257,8 +276,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function bin2hex($string) - { + public static function bin2hex( + #[\SensitiveParameter] + $string + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($string, 'string', 1); @@ -284,8 +305,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function compare($left, $right) - { + public static function compare( + #[\SensitiveParameter] + $left, + #[\SensitiveParameter] + $right + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($left, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($right, 'string', 2); @@ -300,6 +325,224 @@ } /** + * Authenticated Encryption with Associated Data: Decryption + * + * Algorithm: + * AEGIS-128L + * + * @param string $ciphertext Encrypted message (with MAC appended) + * @param string $assocData Authenticated Associated Data (unencrypted) + * @param string $nonce Number to be used only Once; must be 32 bytes + * @param string $key Encryption key + * + * @return string The original plaintext message + * @throws SodiumException + * @throws TypeError + * @psalm-suppress MixedArgument + * @psalm-suppress MixedInferredReturnType + * @psalm-suppress MixedReturnStatement + */ + public static function crypto_aead_aegis128l_decrypt( + $ciphertext = '', + $assocData = '', + $nonce = '', + #[\SensitiveParameter] + $key = '' + ) { + ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); + ParagonIE_Sodium_Core_Util::declareScalarType($assocData, 'string', 2); + ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 3); + ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 4); + + /* Input validation: */ + if (ParagonIE_Sodium_Core_Util::strlen($nonce) !== self::CRYPTO_AEAD_AEGIS128L_NPUBBYTES) { + throw new SodiumException('Nonce must be CRYPTO_AEAD_AEGIS_128L_NPUBBYTES long'); + } + if (ParagonIE_Sodium_Core_Util::strlen($key) !== self::CRYPTO_AEAD_AEGIS128L_KEYBYTES) { + throw new SodiumException('Key must be CRYPTO_AEAD_AEGIS128L_KEYBYTES long'); + } + $ct_length = ParagonIE_Sodium_Core_Util::strlen($ciphertext); + if ($ct_length < self::CRYPTO_AEAD_AEGIS128L_ABYTES) { + throw new SodiumException('Message must be at least CRYPTO_AEAD_AEGIS128L_ABYTES long'); + } + + $ct = ParagonIE_Sodium_Core_Util::substr( + $ciphertext, + 0, + $ct_length - self::CRYPTO_AEAD_AEGIS128L_ABYTES + ); + $tag = ParagonIE_Sodium_Core_Util::substr( + $ciphertext, + $ct_length - self::CRYPTO_AEAD_AEGIS128L_ABYTES, + self::CRYPTO_AEAD_AEGIS128L_ABYTES + ); + return ParagonIE_Sodium_Core_AEGIS128L::decrypt($ct, $tag, $assocData, $key, $nonce); + } + + /** + * Authenticated Encryption with Associated Data: Encryption + * + * Algorithm: + * AEGIS-128L + * + * @param string $plaintext Message to be encrypted + * @param string $assocData Authenticated Associated Data (unencrypted) + * @param string $nonce Number to be used only Once; must be 32 bytes + * @param string $key Encryption key + * + * @return string Ciphertext with 32-byte authentication tag appended + * @throws SodiumException + * @throws TypeError + * @psalm-suppress MixedArgument + */ + public static function crypto_aead_aegis128l_encrypt( + #[\SensitiveParameter] + $plaintext = '', + $assocData = '', + $nonce = '', + #[\SensitiveParameter] + $key = '' + ) { + ParagonIE_Sodium_Core_Util::declareScalarType($plaintext, 'string', 1); + ParagonIE_Sodium_Core_Util::declareScalarType($assocData, 'string', 2); + ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 3); + ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 4); + + /* Input validation: */ + if (ParagonIE_Sodium_Core_Util::strlen($nonce) !== self::CRYPTO_AEAD_AEGIS128L_NPUBBYTES) { + throw new SodiumException('Nonce must be CRYPTO_AEAD_AEGIS128L_KEYBYTES long'); + } + if (ParagonIE_Sodium_Core_Util::strlen($key) !== self::CRYPTO_AEAD_AEGIS128L_KEYBYTES) { + throw new SodiumException('Key must be CRYPTO_AEAD_AEGIS128L_KEYBYTES long'); + } + + list($ct, $tag) = ParagonIE_Sodium_Core_AEGIS128L::encrypt($plaintext, $assocData, $key, $nonce); + return $ct . $tag; + } + + /** + * Return a secure random key for use with the AEGIS-128L + * symmetric AEAD interface. + * + * @return string + * @throws Exception + * @throws Error + */ + public static function crypto_aead_aegis128l_keygen() + { + return random_bytes(self::CRYPTO_AEAD_AEGIS128L_KEYBYTES); + } + + /** + * Authenticated Encryption with Associated Data: Decryption + * + * Algorithm: + * AEGIS-256 + * + * @param string $ciphertext Encrypted message (with MAC appended) + * @param string $assocData Authenticated Associated Data (unencrypted) + * @param string $nonce Number to be used only Once; must be 32 bytes + * @param string $key Encryption key + * + * @return string The original plaintext message + * @throws SodiumException + * @throws TypeError + * @psalm-suppress MixedArgument + * @psalm-suppress MixedInferredReturnType + * @psalm-suppress MixedReturnStatement + */ + public static function crypto_aead_aegis256_decrypt( + $ciphertext = '', + $assocData = '', + $nonce = '', + #[\SensitiveParameter] + $key = '' + ) { + ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); + ParagonIE_Sodium_Core_Util::declareScalarType($assocData, 'string', 2); + ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 3); + ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 4); + + /* Input validation: */ + if (ParagonIE_Sodium_Core_Util::strlen($nonce) !== self::CRYPTO_AEAD_AEGIS256_NPUBBYTES) { + throw new SodiumException('Nonce must be CRYPTO_AEAD_AEGIS256_NPUBBYTES long'); + } + if (ParagonIE_Sodium_Core_Util::strlen($key) !== self::CRYPTO_AEAD_AEGIS256_KEYBYTES) { + throw new SodiumException('Key must be CRYPTO_AEAD_AEGIS256_KEYBYTES long'); + } + $ct_length = ParagonIE_Sodium_Core_Util::strlen($ciphertext); + if ($ct_length < self::CRYPTO_AEAD_AEGIS256_ABYTES) { + throw new SodiumException('Message must be at least CRYPTO_AEAD_AEGIS256_ABYTES long'); + } + + $ct = ParagonIE_Sodium_Core_Util::substr( + $ciphertext, + 0, + $ct_length - self::CRYPTO_AEAD_AEGIS256_ABYTES + ); + $tag = ParagonIE_Sodium_Core_Util::substr( + $ciphertext, + $ct_length - self::CRYPTO_AEAD_AEGIS256_ABYTES, + self::CRYPTO_AEAD_AEGIS256_ABYTES + ); + return ParagonIE_Sodium_Core_AEGIS256::decrypt($ct, $tag, $assocData, $key, $nonce); + } + + /** + * Authenticated Encryption with Associated Data: Encryption + * + * Algorithm: + * AEGIS-256 + * + * @param string $plaintext Message to be encrypted + * @param string $assocData Authenticated Associated Data (unencrypted) + * @param string $nonce Number to be used only Once; must be 32 bytes + * @param string $key Encryption key + * + * @return string Ciphertext with 32-byte authentication tag appended + * @throws SodiumException + * @throws TypeError + * @psalm-suppress MixedArgument + */ + public static function crypto_aead_aegis256_encrypt( + #[\SensitiveParameter] + $plaintext = '', + $assocData = '', + $nonce = '', + #[\SensitiveParameter] + $key = '' + ) { + ParagonIE_Sodium_Core_Util::declareScalarType($plaintext, 'string', 1); + ParagonIE_Sodium_Core_Util::declareScalarType($assocData, 'string', 2); + ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 3); + ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 4); + + /* Input validation: */ + if (ParagonIE_Sodium_Core_Util::strlen($nonce) !== self::CRYPTO_AEAD_AEGIS256_NPUBBYTES) { + throw new SodiumException('Nonce must be CRYPTO_AEAD_AEGIS128L_KEYBYTES long'); + } + if (ParagonIE_Sodium_Core_Util::strlen($key) !== self::CRYPTO_AEAD_AEGIS256_KEYBYTES) { + throw new SodiumException('Key must be CRYPTO_AEAD_AEGIS128L_KEYBYTES long'); + } + + list($ct, $tag) = ParagonIE_Sodium_Core_AEGIS256::encrypt($plaintext, $assocData, $key, $nonce); + return $ct . $tag; + } + + /** + * Return a secure random key for use with the AEGIS-256 + * symmetric AEAD interface. + * + * @return string + * @throws Exception + * @throws Error + */ + public static function crypto_aead_aegis256_keygen() + { + return random_bytes(self::CRYPTO_AEAD_AEGIS256_KEYBYTES); + } + + /** * Is AES-256-GCM even available to use? * * @return bool @@ -351,6 +594,7 @@ $ciphertext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { if (!self::crypto_aead_aes256gcm_is_available()) { @@ -408,9 +652,11 @@ * @psalm-suppress MixedArgument */ public static function crypto_aead_aes256gcm_encrypt( + #[\SensitiveParameter] $plaintext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { if (!self::crypto_aead_aes256gcm_is_available()) { @@ -484,6 +730,7 @@ $ciphertext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { /* Type checks: */ @@ -561,9 +808,11 @@ * @psalm-suppress MixedArgument */ public static function crypto_aead_chacha20poly1305_encrypt( + #[\SensitiveParameter] $plaintext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { /* Type checks: */ @@ -638,6 +887,7 @@ $ciphertext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { /* Type checks: */ @@ -728,9 +978,11 @@ * @psalm-suppress MixedArgument */ public static function crypto_aead_chacha20poly1305_ietf_encrypt( + #[\SensitiveParameter] $plaintext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '' ) { /* Type checks: */ @@ -819,6 +1071,7 @@ $ciphertext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '', $dontFallback = false ) { @@ -891,9 +1144,11 @@ * @psalm-suppress MixedArgument */ public static function crypto_aead_xchacha20poly1305_ietf_encrypt( + #[\SensitiveParameter] $plaintext = '', $assocData = '', $nonce = '', + #[\SensitiveParameter] $key = '', $dontFallback = false ) { @@ -971,8 +1226,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_auth($message, $key) - { + public static function crypto_auth( + $message, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 2); @@ -1016,8 +1274,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_auth_verify($mac, $message, $key) - { + public static function crypto_auth_verify( + $mac, + $message, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($mac, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 2); @@ -1060,8 +1322,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box($plaintext, $nonce, $keypair) - { + public static function crypto_box( + $plaintext, + $nonce, + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($plaintext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -1104,8 +1370,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box_seal($plaintext, $publicKey) - { + public static function crypto_box_seal( + #[\SensitiveParameter] + $plaintext, + $publicKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($plaintext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($publicKey, 'string', 2); @@ -1142,8 +1411,11 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_box_seal_open($ciphertext, $keypair) - { + public static function crypto_box_seal_open( + $ciphertext, + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 2); @@ -1205,8 +1477,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box_keypair_from_secretkey_and_publickey($secretKey, $publicKey) - { + public static function crypto_box_keypair_from_secretkey_and_publickey( + #[\SensitiveParameter] + $secretKey, + $publicKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($publicKey, 'string', 2); @@ -1244,8 +1519,12 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_box_open($ciphertext, $nonce, $keypair) - { + public static function crypto_box_open( + $ciphertext, + $nonce, + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -1287,8 +1566,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box_publickey($keypair) - { + public static function crypto_box_publickey( + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); @@ -1318,8 +1599,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box_publickey_from_secretkey($secretKey) - { + public static function crypto_box_publickey_from_secretkey( + #[\SensitiveParameter] + $secretKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 1); @@ -1349,8 +1632,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_box_secretkey($keypair) - { + public static function crypto_box_secretkey( + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); @@ -1381,8 +1666,10 @@ * @psalm-suppress MixedArgument * @psalm-suppress UndefinedFunction */ - public static function crypto_box_seed_keypair($seed) - { + public static function crypto_box_seed_keypair( + #[\SensitiveParameter] + $seed + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($seed, 'string', 1); @@ -1411,8 +1698,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_generichash($message, $key = '', $length = self::CRYPTO_GENERICHASH_BYTES) - { + public static function crypto_generichash( + $message, + #[\SensitiveParameter] + $key = '', + $length = self::CRYPTO_GENERICHASH_BYTES + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); if (is_null($key)) { @@ -1455,8 +1746,11 @@ * @psalm-suppress ReferenceConstraintViolation * @psalm-suppress ConflictingReferenceConstraint */ - public static function crypto_generichash_final(&$ctx, $length = self::CRYPTO_GENERICHASH_BYTES) - { + public static function crypto_generichash_final( + #[\SensitiveParameter] + &$ctx, + $length = self::CRYPTO_GENERICHASH_BYTES + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ctx, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($length, 'int', 2); @@ -1500,8 +1794,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_generichash_init($key = '', $length = self::CRYPTO_GENERICHASH_BYTES) - { + public static function crypto_generichash_init( + #[\SensitiveParameter] + $key = '', + $length = self::CRYPTO_GENERICHASH_BYTES + ) { /* Type checks: */ if (is_null($key)) { $key = ''; @@ -1545,6 +1842,7 @@ * @psalm-suppress MixedArgument */ public static function crypto_generichash_init_salt_personal( + #[\SensitiveParameter] $key = '', $length = self::CRYPTO_GENERICHASH_BYTES, $salt = '', @@ -1591,8 +1889,11 @@ * @psalm-suppress MixedArgument * @psalm-suppress ReferenceConstraintViolation */ - public static function crypto_generichash_update(&$ctx, $message) - { + public static function crypto_generichash_update( + #[\SensitiveParameter] + &$ctx, + $message + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ctx, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 2); @@ -1635,6 +1936,7 @@ $subkey_len, $subkey_id, $context, + #[\SensitiveParameter] $key ) { ParagonIE_Sodium_Core_Util::declareScalarType($subkey_len, 'int', 1); @@ -1712,8 +2014,14 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_kx($my_secret, $their_public, $client_public, $server_public, $dontFallback = false) - { + public static function crypto_kx( + #[\SensitiveParameter] + $my_secret, + $their_public, + $client_public, + $server_public, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($my_secret, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($their_public, 'string', 2); @@ -1774,8 +2082,10 @@ * @return string * @throws SodiumException */ - public static function crypto_kx_seed_keypair($seed) - { + public static function crypto_kx_seed_keypair( + #[\SensitiveParameter] + $seed + ) { ParagonIE_Sodium_Core_Util::declareScalarType($seed, 'string', 1); $seed = (string) $seed; @@ -1806,8 +2116,11 @@ * @return array{0: string, 1: string} * @throws SodiumException */ - public static function crypto_kx_client_session_keys($keypair, $serverPublicKey) - { + public static function crypto_kx_client_session_keys( + #[\SensitiveParameter] + $keypair, + $serverPublicKey + ) { ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($serverPublicKey, 'string', 2); @@ -1848,8 +2161,11 @@ * @return array{0: string, 1: string} * @throws SodiumException */ - public static function crypto_kx_server_session_keys($keypair, $clientPublicKey) - { + public static function crypto_kx_server_session_keys( + #[\SensitiveParameter] + $keypair, + $clientPublicKey + ) { ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($clientPublicKey, 'string', 2); @@ -1889,8 +2205,10 @@ * @return string * @throws SodiumException */ - public static function crypto_kx_secretkey($kp) - { + public static function crypto_kx_secretkey( + #[\SensitiveParameter] + $kp + ) { return ParagonIE_Sodium_Core_Util::substr( $kp, 0, @@ -1924,8 +2242,15 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_pwhash($outlen, $passwd, $salt, $opslimit, $memlimit, $alg = null) - { + public static function crypto_pwhash( + $outlen, + #[\SensitiveParameter] + $passwd, + $salt, + $opslimit, + $memlimit, + $alg = null + ) { ParagonIE_Sodium_Core_Util::declareScalarType($outlen, 'int', 1); ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 2); ParagonIE_Sodium_Core_Util::declareScalarType($salt, 'string', 3); @@ -1976,8 +2301,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_pwhash_str($passwd, $opslimit, $memlimit) - { + public static function crypto_pwhash_str( + #[\SensitiveParameter] + $passwd, + $opslimit, + $memlimit + ) { ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($opslimit, 'int', 2); ParagonIE_Sodium_Core_Util::declareScalarType($memlimit, 'int', 3); @@ -2003,8 +2332,12 @@ * @return bool * @throws SodiumException */ - public static function crypto_pwhash_str_needs_rehash($hash, $opslimit, $memlimit) - { + public static function crypto_pwhash_str_needs_rehash( + #[\SensitiveParameter] + $hash, + $opslimit, + $memlimit + ) { ParagonIE_Sodium_Core_Util::declareScalarType($hash, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($opslimit, 'int', 2); ParagonIE_Sodium_Core_Util::declareScalarType($memlimit, 'int', 3); @@ -2032,8 +2365,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_pwhash_str_verify($passwd, $hash) - { + public static function crypto_pwhash_str_verify( + #[\SensitiveParameter] + $passwd, + #[\SensitiveParameter] + $hash + ) { ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($hash, 'string', 2); @@ -2059,8 +2396,14 @@ * @throws SodiumException * @throws TypeError */ - public static function crypto_pwhash_scryptsalsa208sha256($outlen, $passwd, $salt, $opslimit, $memlimit) - { + public static function crypto_pwhash_scryptsalsa208sha256( + $outlen, + #[\SensitiveParameter] + $passwd, + $salt, + $opslimit, + $memlimit + ) { ParagonIE_Sodium_Core_Util::declareScalarType($outlen, 'int', 1); ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 2); ParagonIE_Sodium_Core_Util::declareScalarType($salt, 'string', 3); @@ -2119,8 +2462,12 @@ * @throws SodiumException * @throws TypeError */ - public static function crypto_pwhash_scryptsalsa208sha256_str($passwd, $opslimit, $memlimit) - { + public static function crypto_pwhash_scryptsalsa208sha256_str( + #[\SensitiveParameter] + $passwd, + $opslimit, + $memlimit + ) { ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($opslimit, 'int', 2); ParagonIE_Sodium_Core_Util::declareScalarType($memlimit, 'int', 3); @@ -2153,8 +2500,12 @@ * @throws SodiumException * @throws TypeError */ - public static function crypto_pwhash_scryptsalsa208sha256_str_verify($passwd, $hash) - { + public static function crypto_pwhash_scryptsalsa208sha256_str_verify( + #[\SensitiveParameter] + $passwd, + #[\SensitiveParameter] + $hash + ) { ParagonIE_Sodium_Core_Util::declareScalarType($passwd, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($hash, 'string', 2); @@ -2190,8 +2541,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_scalarmult($secretKey, $publicKey) - { + public static function crypto_scalarmult( + #[\SensitiveParameter] + $secretKey, + $publicKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($publicKey, 'string', 2); @@ -2234,8 +2588,10 @@ * @psalm-suppress TooFewArguments * @psalm-suppress MixedArgument */ - public static function crypto_scalarmult_base($secretKey) - { + public static function crypto_scalarmult_base( + #[\SensitiveParameter] + $secretKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 1); @@ -2272,8 +2628,13 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_secretbox($plaintext, $nonce, $key) - { + public static function crypto_secretbox( + #[\SensitiveParameter] + $plaintext, + $nonce, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($plaintext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -2312,8 +2673,12 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_secretbox_open($ciphertext, $nonce, $key) - { + public static function crypto_secretbox_open( + $ciphertext, + $nonce, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -2398,8 +2763,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_secretbox_xchacha20poly1305_open($ciphertext, $nonce, $key) - { + public static function crypto_secretbox_xchacha20poly1305_open( + $ciphertext, + $nonce, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($ciphertext, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -2425,8 +2794,10 @@ * @throws Exception * @throws SodiumException */ - public static function crypto_secretstream_xchacha20poly1305_init_push($key) - { + public static function crypto_secretstream_xchacha20poly1305_init_push( + #[\SensitiveParameter] + $key + ) { if (PHP_INT_SIZE === 4) { return ParagonIE_Sodium_Crypto32::secretstream_xchacha20poly1305_init_push($key); } @@ -2439,8 +2810,11 @@ * @return string Returns a state. * @throws Exception */ - public static function crypto_secretstream_xchacha20poly1305_init_pull($header, $key) - { + public static function crypto_secretstream_xchacha20poly1305_init_pull( + $header, + #[\SensitiveParameter] + $key + ) { if (ParagonIE_Sodium_Core_Util::strlen($header) < self::CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES) { throw new SodiumException( 'header size should be SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES bytes' @@ -2460,8 +2834,14 @@ * @return string * @throws SodiumException */ - public static function crypto_secretstream_xchacha20poly1305_push(&$state, $msg, $aad = '', $tag = 0) - { + public static function crypto_secretstream_xchacha20poly1305_push( + #[\SensitiveParameter] + &$state, + #[\SensitiveParameter] + $msg, + $aad = '', + $tag = 0 + ) { if (PHP_INT_SIZE === 4) { return ParagonIE_Sodium_Crypto32::secretstream_xchacha20poly1305_push( $state, @@ -2485,8 +2865,12 @@ * @return bool|array{0: string, 1: int} * @throws SodiumException */ - public static function crypto_secretstream_xchacha20poly1305_pull(&$state, $msg, $aad = '') - { + public static function crypto_secretstream_xchacha20poly1305_pull( + #[\SensitiveParameter] + &$state, + $msg, + $aad = '' + ) { if (PHP_INT_SIZE === 4) { return ParagonIE_Sodium_Crypto32::secretstream_xchacha20poly1305_pull( $state, @@ -2515,8 +2899,10 @@ * @return void * @throws SodiumException */ - public static function crypto_secretstream_xchacha20poly1305_rekey(&$state) - { + public static function crypto_secretstream_xchacha20poly1305_rekey( + #[\SensitiveParameter] + &$state + ) { if (PHP_INT_SIZE === 4) { ParagonIE_Sodium_Crypto32::secretstream_xchacha20poly1305_rekey($state); } else { @@ -2536,8 +2922,11 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_shorthash($message, $key) - { + public static function crypto_shorthash( + $message, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($key, 'string', 2); @@ -2586,8 +2975,11 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_sign($message, $secretKey) - { + public static function crypto_sign( + $message, + #[\SensitiveParameter] + $secretKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 2); @@ -2622,8 +3014,10 @@ * @psalm-suppress MixedInferredReturnType * @psalm-suppress MixedReturnStatement */ - public static function crypto_sign_open($signedMessage, $publicKey) - { + public static function crypto_sign_open( + $signedMessage, + $publicKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($signedMessage, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($publicKey, 'string', 2); @@ -2679,8 +3073,11 @@ * @return string * @throws SodiumException */ - public static function crypto_sign_keypair_from_secretkey_and_publickey($sk, $pk) - { + public static function crypto_sign_keypair_from_secretkey_and_publickey( + #[\SensitiveParameter] + $sk, + $pk + ) { ParagonIE_Sodium_Core_Util::declareScalarType($sk, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($pk, 'string', 1); $sk = (string) $sk; @@ -2708,8 +3105,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_seed_keypair($seed) - { + public static function crypto_sign_seed_keypair( + #[\SensitiveParameter] + $seed + ) { ParagonIE_Sodium_Core_Util::declareScalarType($seed, 'string', 1); if (self::useNewSodiumAPI()) { @@ -2737,8 +3136,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_publickey($keypair) - { + public static function crypto_sign_publickey( + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); @@ -2768,8 +3169,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_publickey_from_secretkey($secretKey) - { + public static function crypto_sign_publickey_from_secretkey( + #[\SensitiveParameter] + $secretKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 1); @@ -2799,8 +3202,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_secretkey($keypair) - { + public static function crypto_sign_secretkey( + #[\SensitiveParameter] + $keypair + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 1); @@ -2833,8 +3238,11 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_detached($message, $secretKey) - { + public static function crypto_sign_detached( + $message, + #[\SensitiveParameter] + $secretKey + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($secretKey, 'string', 2); @@ -2941,8 +3349,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_sign_ed25519_sk_to_curve25519($sk) - { + public static function crypto_sign_ed25519_sk_to_curve25519( + #[\SensitiveParameter] + $sk + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($sk, 'string', 1); @@ -2983,8 +3393,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_stream($len, $nonce, $key) - { + public static function crypto_stream( + $len, + $nonce, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($len, 'int', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -3030,8 +3444,13 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_stream_xor($message, $nonce, $key) - { + public static function crypto_stream_xor( + #[\SensitiveParameter] + $message, + $nonce, + #[\SensitiveParameter] + $key + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -3085,8 +3504,13 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_stream_xchacha20($len, $nonce, $key, $dontFallback = false) - { + public static function crypto_stream_xchacha20( + $len, + $nonce, + #[\SensitiveParameter] + $key, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($len, 'int', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -3130,8 +3554,14 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_stream_xchacha20_xor($message, $nonce, $key, $dontFallback = false) - { + public static function crypto_stream_xchacha20_xor( + #[\SensitiveParameter] + $message, + $nonce, + #[\SensitiveParameter] + $key, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -3176,8 +3606,15 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function crypto_stream_xchacha20_xor_ic($message, $nonce, $counter, $key, $dontFallback = false) - { + public static function crypto_stream_xchacha20_xor_ic( + #[\SensitiveParameter] + $message, + $nonce, + $counter, + #[\SensitiveParameter] + $key, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($message, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($nonce, 'string', 2); @@ -3226,8 +3663,11 @@ * @psalm-suppress TooFewArguments * @psalm-suppress MixedArgument */ - public static function hex2bin($string, $ignore = '') - { + public static function hex2bin( + #[\SensitiveParameter] + $string, + $ignore = '' + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($string, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($ignore, 'string', 2); @@ -3253,8 +3693,10 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function increment(&$var) - { + public static function increment( + #[\SensitiveParameter] + &$var + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($var, 'string', 1); @@ -3287,8 +3729,10 @@ * * @throws SodiumException */ - public static function is_zero($str) - { + public static function is_zero( + #[\SensitiveParameter] + $str + ) { $d = 0; for ($i = 0; $i < 32; ++$i) { $d |= ParagonIE_Sodium_Core_Util::chrToInt($str[$i]); @@ -3342,8 +3786,12 @@ * @throws TypeError * @psalm-suppress MixedArgument */ - public static function memcmp($left, $right) - { + public static function memcmp( + #[\SensitiveParameter] + $left, + #[\SensitiveParameter] + $right + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($left, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($right, 'string', 2); @@ -3371,8 +3819,10 @@ * @throws TypeError * @psalm-suppress TooFewArguments */ - public static function memzero(&$var) - { + public static function memzero( + #[\SensitiveParameter] + &$var + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($var, 'string', 1); @@ -3402,8 +3852,12 @@ * @return string * @throws SodiumException */ - public static function pad($unpadded, $blockSize, $dontFallback = false) - { + public static function pad( + #[\SensitiveParameter] + $unpadded, + $blockSize, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($unpadded, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($blockSize, 'int', 2); @@ -3488,8 +3942,12 @@ * @return string * @throws SodiumException */ - public static function unpad($padded, $blockSize, $dontFallback = false) - { + public static function unpad( + #[\SensitiveParameter] + $padded, + $blockSize, + $dontFallback = false + ) { /* Type checks: */ ParagonIE_Sodium_Core_Util::declareScalarType($padded, 'string', 1); ParagonIE_Sodium_Core_Util::declareScalarType($blockSize, 'int', 2); @@ -3643,8 +4101,11 @@ * @return bool * @throws SodiumException */ - public static function ristretto255_is_valid_point($p, $dontFallback = false) - { + public static function ristretto255_is_valid_point( + #[\SensitiveParameter] + $p, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_is_valid_point($p); } @@ -3667,8 +4128,13 @@ * @return string * @throws SodiumException */ - public static function ristretto255_add($p, $q, $dontFallback = false) - { + public static function ristretto255_add( + #[\SensitiveParameter] + $p, + #[\SensitiveParameter] + $q, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_add($p, $q); } @@ -3682,8 +4148,13 @@ * @return string * @throws SodiumException */ - public static function ristretto255_sub($p, $q, $dontFallback = false) - { + public static function ristretto255_sub( + #[\SensitiveParameter] + $p, + #[\SensitiveParameter] + $q, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_sub($p, $q); } @@ -3697,8 +4168,11 @@ * * @throws SodiumException */ - public static function ristretto255_from_hash($r, $dontFallback = false) - { + public static function ristretto255_from_hash( + #[\SensitiveParameter] + $r, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_from_hash($r); } @@ -3739,8 +4213,11 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_invert($s, $dontFallback = false) - { + public static function ristretto255_scalar_invert( + #[\SensitiveParameter] + $s, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_invert($s); } @@ -3752,8 +4229,11 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_negate($s, $dontFallback = false) - { + public static function ristretto255_scalar_negate( + #[\SensitiveParameter] + $s, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_negate($s); } @@ -3766,8 +4246,11 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_complement($s, $dontFallback = false) - { + public static function ristretto255_scalar_complement( + #[\SensitiveParameter] + $s, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_complement($s); } @@ -3781,8 +4264,13 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_add($x, $y, $dontFallback = false) - { + public static function ristretto255_scalar_add( + #[\SensitiveParameter] + $x, + #[\SensitiveParameter] + $y, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_add($x, $y); } @@ -3796,8 +4284,13 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_sub($x, $y, $dontFallback = false) - { + public static function ristretto255_scalar_sub( + #[\SensitiveParameter] + $x, + #[\SensitiveParameter] + $y, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_sub($x, $y); } @@ -3811,8 +4304,13 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_mul($x, $y, $dontFallback = false) - { + public static function ristretto255_scalar_mul( + #[\SensitiveParameter] + $x, + #[\SensitiveParameter] + $y, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_mul($x, $y); } @@ -3826,8 +4324,13 @@ * @return string * @throws SodiumException */ - public static function scalarmult_ristretto255($n, $p, $dontFallback = false) - { + public static function scalarmult_ristretto255( + #[\SensitiveParameter] + $n, + #[\SensitiveParameter] + $p, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_scalarmult_ristretto255($n, $p); } @@ -3841,8 +4344,11 @@ * @return string * @throws SodiumException */ - public static function scalarmult_ristretto255_base($n, $dontFallback = false) - { + public static function scalarmult_ristretto255_base( + #[\SensitiveParameter] + $n, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_scalarmult_ristretto255_base($n); } @@ -3855,8 +4361,11 @@ * @return string * @throws SodiumException */ - public static function ristretto255_scalar_reduce($s, $dontFallback = false) - { + public static function ristretto255_scalar_reduce( + #[\SensitiveParameter] + $s, + $dontFallback = false + ) { if (self::useNewSodiumAPI() && !$dontFallback) { return sodium_crypto_core_ristretto255_scalar_reduce($s); } @@ -3910,8 +4419,12 @@ * @return void * @throws SodiumException */ - public static function sub(&$val, $addv) - { + public static function sub( + #[\SensitiveParameter] + &$val, + #[\SensitiveParameter] + $addv + ) { $val_len = ParagonIE_Sodium_Core_Util::strlen($val); $addv_len = ParagonIE_Sodium_Core_Util::strlen($addv); if ($val_len !== $addv_len) {