diff options
author | Andrey Andreev <narf@devilix.net> | 2015-04-01 13:51:25 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2015-04-01 13:51:25 +0200 |
commit | 68bad62fc4d88b6423bd15ab94a53c54a919f041 (patch) | |
tree | a6b9f5d91f117d17f612f7a184d0c9592a2c83b9 | |
parent | 2e9ae00efbc8441e7019a7ab68a866798df42800 (diff) |
Mitigate potential DoS attacks against hash_pbkdf2()
Related: #3720
-rw-r--r-- | system/core/compat/hash.php | 51 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 14 |
2 files changed, 61 insertions, 4 deletions
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 45780ddb3..e6e3e9d17 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -2,11 +2,21 @@ Change Log ########## -Version 3.0 (planned) -======================= +Version 3.0.1 +============= Release Date: Not Released +- Core + + - Added DoS mitigation to :php:func:`hash_pbkdf2()` :doc:`compatibility function <general/compatibility_functions>`. + + +Version 3.0.0 +============= + +Release Date: March 30, 2015 + - License - CodeIgniter has been relicensed with the `MIT License <http://opensource.org/licenses/MIT>`_, eliminating its old proprietary licensing. |