authorAndreas Gohr <andi@splitbrain.org>2012-05-01 21:18:17 +0200
committerAndreas Gohr <andi@splitbrain.org>2012-05-01 21:18:17 +0200
commit22f44d031dd846cd1ff2f032ea10bc1ff1797f42 (patch)
tree6e93a3a5b90254371b384d6593cd1c89387adb50 /inc/PassHash.class.php
parent23684d4a1920ae8e92fda68725e49035614f3d8a (diff)
avoid integer overflow in PassHash::pmd5 method
Input iteration counts are squared in the function and passing something above 30 is giving integer overflows on 32 bit systems (and causes insane iteration counts on 64bit systems).
Diffstat (limited to 'inc/PassHash.class.php')
-rw-r--r--inc/PassHash.class.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php
index 3fb1349d2..d825057f0 100644
--- a/inc/PassHash.class.php
+++ b/inc/PassHash.class.php
@@ -316,6 +316,11 @@ class PassHash {
* Uses salted MD5 hashs. Salt is 1+8 bytes long, 1st byte is the
* iteration count when given, for null salts $compute is used.
*
+ * The actual iteration count is the given count squared, maximum is
+ * 30 (-> 1073741824). If a higher one is given, the function throws
+ * an exception.
+ *
+ * @link http://www.openwall.com/phpass/
* @param string $clear - the clear text to hash
* @param string $salt - the salt to use, null for random
* @param string $magic - the hash identifier (P or H)
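Review bot: The added docblock line "The actual iteration count is the given count squared" does not match the code, which computes `$iter = 1 << $iter` in the second hunk, i.e. two to the power of the salt's count byte, not its square. The example value is right for the shift (1 << 30 is 1073741824), so only the wording needs changing: `The actual iteration count is 2 raised to the given count, maximum is` on the first of the new lines. It would also help to state in the docblock that an `Exception` is thrown for counts above 30, e.g. `@throws Exception when the iteration count in the salt exceeds 30`, so callers know to catch it. The enclosing method body starts after this hunk.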
@@ -330,6 +335,12 @@ class PassHash {
}
$iterc = $salt[0]; // pos 0 of salt is iteration count
$iter = strpos($itoa64,$iterc);
+
+ if($iter > 30){
+ throw new Exception("Too high iteration count ($iter) in ".
+ __class__.'::'.__function__);
+ }
+
$iter = 1 << $iter;
$salt = substr($salt,1,8);
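Review bot: The new guard only rejects counts above 30 and lets a salt whose first byte is not in `$itoa64` through: `strpos()` returns `false` there, `false > 30` is false, and `1 << false` then yields an iteration count of 1, so a malformed salt silently produces a one-round hash instead of an error. Widening the check to `if($iter === false || $iter > 30){` makes the function fail loudly for both cases, which is what the commit message intends. As a point of style, the magic constants in the exception message are conventionally written `__CLASS__.'::'.__FUNCTION__`; PHP resolves them case-insensitively, but the upper-case form is what the rest of the ecosystem and linters expect. The method continues past the end of this hunk.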