avoid integer overflow in PassHash::pmd5 method

Input iteration counts are squared in the function and passing something above 30 is giving integer overflows on 32 bit systems (and causes insane iteration counts on 64bit systems).
dokuwiki · May 1, 2012 · 22f44d0 · 22f44d0
1 parent 23684d4
commit 22f44d0
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php
@@ -316,6 +316,11 @@ public function hash_kmd5($clear, $salt=null){
      * Uses salted MD5 hashs. Salt is 1+8 bytes long, 1st byte is the
      * iteration count when given, for null salts $compute is used.
      *
+     * The actual iteration count is the given count squared, maximum is
+     * 30 (-> 1073741824). If a higher one is given, the function throws
+     * an exception.
+     *
+     * @link  http://www.openwall.com/phpass/
      * @param string $clear - the clear text to hash
      * @param string $salt  - the salt to use, null for random
      * @param string $magic - the hash identifier (P or H)
@@ -330,6 +335,12 @@ public function hash_pmd5($clear, $salt=null, $magic='P',$compute=8){
         }
         $iterc = $salt[0]; // pos 0 of salt is iteration count
         $iter = strpos($itoa64,$iterc);
+
+        if($iter > 30){
+            throw new Exception("Too high iteration count ($iter) in ".
+                                __class__.'::'.__function__);
+        }
+
         $iter = 1 << $iter;
         $salt = substr($salt,1,8);