diff options
author | Andrey Andreev <narf@devilix.net> | 2017-01-19 14:42:43 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2017-01-19 14:42:43 +0100 |
commit | 25461d8eac80c0f1242150f7316ec58ac14c5d39 (patch) | |
tree | eadd2c853a7cae0ab6826c49e5c1113f504d73cd | |
parent | edbe791919dd1a526915828575ba18791c3fe764 (diff) |
hash_pbkdf2() byte-safety
-rw-r--r-- | system/core/compat/hash.php | 17 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 2 |
2 files changed, 14 insertions, 5 deletions
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index ba0198e10..7eb292188 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -173,7 +173,9 @@ if ( ! function_exists('hash_pbkdf2')) return FALSE; } - $hash_length = strlen(hash($algo, NULL, TRUE)); + $hash_length = defined('MB_OVERLOAD_STRING') + ? mb_strlen(hash($algo, NULL, TRUE)) + : strlen(hash($algo, NULL, TRUE)); empty($length) && $length = $hash_length; // Pre-hash password inputs longer than the algorithm's block size @@ -221,14 +223,14 @@ if ( ! function_exists('hash_pbkdf2')) 'whirlpool' => 64 ); - if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) + if (isset($block_sizes[$algo], $password[$block_sizes[$algo]])) { $password = hash($algo, $password, TRUE); } $hash = ''; // Note: Blocks are NOT 0-indexed - for ($bc = ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) + for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) { $key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE); for ($i = 1; $i < $iterations; $i++) @@ -240,6 +242,13 @@ if ( ! function_exists('hash_pbkdf2')) } // This is not RFC-compatible, but we're aiming for natural PHP compatibility - return substr($raw_output ? $hash : bin2hex($hash), 0, $length); + if ( ! $raw_output) + { + $hash = bin2hex($hash); + } + + return defined('MB_OVERLOAD_STRING') + ? mb_substr($hash, 0, $length) + : substr($hash, 0, $length); } } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 7d1302b3a..ce82f071c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -12,7 +12,7 @@ Release Date: Not Released - Updated :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. - Fixed byte-safety issues in :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) when ``mbstring.func_overload`` is enabled. - Fixed byte-safety issues in :doc:`Encryption Library <libraries/encryption>` when ``mbstring.func_overload`` is enabled. - - Fixed byte-safety issues in :doc:`compatibility function <general/compatibility_functions>` ``password_hash()`` when ``mbstring.func_overload`` is enabled. + - Fixed byte-safety issues in :doc:`compatibility functions <general/compatibility_functions>` ``password_hash()``, ``hash_pbkdf2()`` when ``mbstring.func_overload`` is enabled. - General Changes |