From 5f53903197021fcc8332a7f44c29fbea8d2c2060 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 24 Apr 2026 12:17:05 +0200
Subject: Reduce the lifetime of cryptographic material
---
 src/sp_crypt.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src')
diff --git a/src/sp_crypt.c b/src/sp_crypt.c
index 9d4e6bb..3b65616 100644
--- a/src/sp_crypt.c
+++ b/src/sp_crypt.c
@@ -32,6 +32,7 @@ void generate_key(unsigned char *key) {
 }
 PHP_SHA256Final((unsigned char *)key, &ctx);
+ ZEND_SECURE_ZERO(&ctx, sizeof(ctx));
 }
 // This function return 0 upon success , non-zero otherwise
@@ -120,6 +121,7 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) {
 ret = ZEND_HASH_APPLY_KEEP;
 out:
+ ZEND_SECURE_ZERO(key, sizeof(key));
 zend_string_efree(debase64);
 efree(decrypted);
 efree(backup);
@@ -169,6 +171,8 @@ zend_string *encrypt_zval(zend_string *data) {
 z = php_base64_encode(encrypted_data, emsg_and_nonce_len);
 }
+ ZEND_SECURE_ZERO(key, sizeof(key));
+ ZEND_SECURE_ZERO(nonce, sizeof(nonce));
 efree(data_to_encrypt);
 efree(encrypted_data);
-- 
cgit v1.3
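Review bot: generate_key hands the derived key to its caller through `key`, but nothing on the function states who must wipe that buffer, which is the contract the decrypt_zval and encrypt_zval hunks now depend on. A header comment would make this explicit, for example `/* Writes a 32-byte SHA-256 digest into key; the caller must ZEND_SECURE_ZERO() it after use. */`. Without it, a future caller can add a new long-lived copy of the key with no hint that cleanup is expected. The function body starts outside the hunk, so the inputs fed into the hash are not visible here.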
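Review bot: In decrypt_zval, `decrypted` is still released with a plain `efree()` right after the new key wipe at `out:`, so the recovered plaintext stays readable in freed heap memory after the key is gone. The same holds for `data_to_encrypt` in the encrypt_zval hunk. If the goal is to shorten the lifetime of sensitive data, wipe these before freeing, e.g. `if (decrypted) ZEND_SECURE_ZERO(decrypted, <allocated_length>);`, where the length placeholder is whatever size was allocated (not visible in the hunk). The function starts and ends outside the hunk, so it is worth confirming that no direct `return` bypasses `out:` once the key has been derived.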
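Review bot: In encrypt_zval, `sizeof(key)` and `sizeof(nonce)` clear the whole buffer only while both are arrays declared in this function; the declarations are outside the hunk, and the same applies to `sizeof(key)` in the decrypt_zval hunk. If either is ever turned into a pointer (as `key` is inside generate_key), the call would silently clear only pointer-size bytes and still compile. Consider passing the same length constant used in the declarations, or pin the assumption with a comment such as `/* key and nonce are local arrays, so sizeof covers the full buffer */`. The nonce appears to be emitted alongside the ciphertext (`emsg_and_nonce_len`), so wiping it is harmless but presumably not needed for secrecy.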