hash_pbkdf2() byte-safety
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php
index ba0198e..7eb2921 100644
--- a/system/core/compat/hash.php
+++ b/system/core/compat/hash.php
@@ -173,7 +173,9 @@
return FALSE;
}
- $hash_length = strlen(hash($algo, NULL, TRUE));
+ $hash_length = defined('MB_OVERLOAD_STRING')
+ ? mb_strlen(hash($algo, NULL, TRUE))
+ : strlen(hash($algo, NULL, TRUE));
empty($length) && $length = $hash_length;
// Pre-hash password inputs longer than the algorithm's block size
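Review bot: `mb_strlen(hash($algo, NULL, TRUE))` on the new line is called without an explicit encoding, so when mbstring is loaded it counts characters in `mbstring.internal_encoding` rather than bytes, and because the raw digest is arbitrary binary this can yield a `$hash_length` smaller than the true byte count; the byte-safe form is `mb_strlen(hash($algo, NULL, TRUE), '8bit')`. The same defect is in the last hunk of this file, where `mb_substr($hash, 0, $length)` should be `mb_substr($hash, 0, $length, '8bit')` so a raw-output result is truncated to `$length` bytes rather than characters. Note also that `defined('MB_OVERLOAD_STRING')` only proves the mbstring extension is present, not that `mbstring.func_overload` is enabled, although with the `'8bit'` encoding the mb_* branch is correct either way. hash_pbkdf2()'s body starts before this hunk.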
@@ -221,14 +223,14 @@
'whirlpool' => 64
);
- if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo])
+ if (isset($block_sizes[$algo], $password[$block_sizes[$algo]]))
{
$password = hash($algo, $password, TRUE);
}
$hash = '';
// Note: Blocks are NOT 0-indexed
- for ($bc = ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++)
+ for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++)
{
$key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE);
for ($i = 1; $i < $iterations; $i++)
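Review bot: The rewritten condition `isset($block_sizes[$algo], $password[$block_sizes[$algo]])` is correct but non-obvious, since a reader will not see why a `strlen()` comparison became a string-offset `isset()`; a comment such as `// String offsets are byte-indexed even under mbstring.func_overload, so isset($password[$n]) is a byte-safe strlen($password) > $n` would explain it. This relies on `$password` being a string at this point: `isset()` on an offset of an int or float is always false where `strlen()` would have coerced, so presumably earlier validation already guarantees a string — worth confirming. The `(int)` cast on `ceil()` below is fine, but the loop bound is hard to read inside the `for` header; `$bc = (int) ceil($length / $hash_length);` on its own line before the loop would help. hash_pbkdf2() continues outside this hunk on both sides.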
@@ -240,6 +242,13 @@
}
// This is not RFC-compatible, but we're aiming for natural PHP compatibility
- return substr($raw_output ? $hash : bin2hex($hash), 0, $length);
+ if ( ! $raw_output)
+ {
+ $hash = bin2hex($hash);
+ }
+
+ return defined('MB_OVERLOAD_STRING')
+ ? mb_substr($hash, 0, $length)
+ : substr($hash, 0, $length);
}
}
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 7d1302b..ce82f07 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -12,7 +12,7 @@
- Updated :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``.
- Fixed byte-safety issues in :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) when ``mbstring.func_overload`` is enabled.
- Fixed byte-safety issues in :doc:`Encryption Library <libraries/encryption>` when ``mbstring.func_overload`` is enabled.
- - Fixed byte-safety issues in :doc:`compatibility function <general/compatibility_functions>` ``password_hash()`` when ``mbstring.func_overload`` is enabled.
+ - Fixed byte-safety issues in :doc:`compatibility functions <general/compatibility_functions>` ``password_hash()``, ``hash_pbkdf2()`` when ``mbstring.func_overload`` is enabled.
- General Changes