diff options
author | ftwbzhao <b.zhao1@gmail.com> | 2015-04-09 16:32:41 +0200 |
---|---|---|
committer | ftwbzhao <b.zhao1@gmail.com> | 2015-04-09 16:32:41 +0200 |
commit | b587698dd45396b91106bd7c894a79747b1fb7a9 (patch) | |
tree | 76a1d614976dd0b695e513a40f9235e3b9f7f82c /system/core/compat | |
parent | 9b9a06c9635cd3b4fce0aebe4d2eead4809999a5 (diff) | |
parent | fd363f224d7886eb686434d7a835eaa49183d8e6 (diff) |
Merge branch 'develop' of https://github.com/bcit-ci/CodeIgniter into develop
Diffstat (limited to 'system/core/compat')
-rw-r--r-- | system/core/compat/hash.php | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; |