Fix: gost-crypto hash incorrect if input data contains long 0xFF sequence #2391

Closed

Grundik commented Feb 18, 2017

https://bugs.php.net/bug.php?id=73127
The problem was in the calculation of the Sum-block.

Grundik commented Feb 18, 2017

The problem was within overflow detection: if the result is less than any of the two arguments, then there was an overflow. But in fact there are three arguments, so with the right data the overflow would not be detected: 0x00000001 + 0xFFFFFFFF + 0xFFFFFFFF = 0xFFFFFFFF.

My fix changes the operations to 16 bits, so there are no undetectable overflows possible.
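
Added example, not code from this pull request or from PHP: a C sketch of the carry check described in the comment above, next to a stepwise variant and a 64-bit reference. The function names and the eight-word, least-significant-first layout are assumptions, and the stepwise variant is one way to make the check exact, not the fix that was merged.

```c
#include <stdint.h>
#include <stdio.h>
/* 256-bit values as eight 32-bit words, least significant first (assumed layout). */
typedef void (*sum_add_fn)(uint32_t sum[8], const uint32_t block[8]);

/* Check as described in the thread: three operands added, only two compared. */
static void sum_add_two_operand_check(uint32_t sum[8], const uint32_t block[8]) {
    uint32_t carry = 0;
    for (int i = 0; i < 8; i++) {
        uint32_t old = sum[i];
        sum[i] = old + block[i] + carry;
        carry = (sum[i] < block[i] || sum[i] < old) ? 1 : 0;
    }
}

/* Two two-operand additions per word: "result < operand" is exact for each. */
static void sum_add_stepwise(uint32_t sum[8], const uint32_t block[8]) {
    uint32_t carry = 0;
    for (int i = 0; i < 8; i++) {
        uint32_t t = sum[i] + block[i];
        uint32_t c1 = (t < block[i]);
        sum[i] = t + carry;
        carry = c1 | (uint32_t)(sum[i] < t);
    }
}

/* Reference: 64-bit accumulator, the carry is the high half. */
static void sum_add_wide(uint32_t sum[8], const uint32_t block[8]) {
    uint64_t acc = 0;
    for (int i = 0; i < 8; i++) {
        acc += (uint64_t)sum[i] + block[i];
        sum[i] = (uint32_t)acc;
        acc >>= 32;
    }
}

/* Constructed input: word 1 adds 1 + 0xFFFFFFFF + 0xFFFFFFFF; returns word 2. */
static uint32_t word2_after(sum_add_fn add) {
    uint32_t sum[8] = {0xFFFFFFFFu, 0xFFFFFFFFu};
    const uint32_t block[8] = {0x00000001u, 0xFFFFFFFFu};
    add(sum, block);
    return sum[2]; /* the carry out of word 1 lands here */
}

int main(void) {
    printf("two-operand check: %u\n", (unsigned)word2_after(sum_add_two_operand_check));
    printf("stepwise:          %u\n", (unsigned)word2_after(sum_add_stepwise));
    printf("64-bit reference:  %u\n", (unsigned)word2_after(sum_add_wide));
    return 0;
}
```

Word 1 wraps to 0xFFFFFFFF, which is not smaller than either compared operand, so the two-operand check drops the carry and word 2 stays 0 instead of becoming 1.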

nikic commented Feb 18, 2017

Could you please add a test for this change?

Also, the implementation looks unnecessarily complicated. For example, this is what the same code in rhash looks like: https://github.com/rhash/RHash/blob/master/librhash/gost.c#L326

nikic added the Bugfix label Feb 18, 2017

Grundik added some commits Feb 18, 2017

Fix: gost-crypto hash incorrect if input data contains long 0xFF sequence, refs #73127

Cleaner approach (thanks to rhash)
Grundik commented Feb 18, 2017

I have modified the overflow detection code and added a test. Feel free to move the test to a more appropriate place if necessary.

Test: gost-crypto hash incorrect if input data contains long 0xFF sequence, refs #73127

Moved to hash module
krakjoe commented Feb 22, 2017

@nikic can you take care of this one please?

nikic approved these changes Feb 22, 2017

Grundik commented Feb 22, 2017

Since all versions of PHP are affected by this bug: https://3v4l.org/0IECu, it would be very convenient if this fix were applied to all supported PHP versions.

nikic commented Feb 24, 2017

Sorry for the delay, now merged into 7.0+ via eac8166. Thanks!

nikic closed this Feb 24, 2017