From a9ee28263f1bf50970a5a475f90e5da22b481253 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Mon, 22 Feb 2016 12:50:40 -0800
Subject: [PATCH] SECURITY: Throw exception on unknown hash algorithm

To prevent a bad password configuration from accidentally allowing users to bypass authentication, throw an exception if either hash_hmac or hash_pbkdf2 return false.

Bug: T127420
Change-Id: If3664941236e4065eb8db11b0a211fd6210de631
---
 includes/password/Pbkdf2Password.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/password/Pbkdf2Password.php b/includes/password/Pbkdf2Password.php
index 8ef6f8d..a36e248 100644
--- a/includes/password/Pbkdf2Password.php
+++ b/includes/password/Pbkdf2Password.php
@@ -55,6 +55,11 @@ class Pbkdf2Password extends ParameterizedPassword {
 (int)$this->params['length'],
 true
 );
+ if ( $hash === false ) {
+ throw new InvalidArgumentException(
+ "Unknown hash algorithm: {$this->params['algo']}"
+ );
+ }
 } else {
 $hashLen = strlen( hash( $this->params['algo'], '', true ) );
 $blockCount = ceil( $this->params['length'] / $hashLen );
@@ -68,6 +73,11 @@ class Pbkdf2Password extends ParameterizedPassword {
 $password,
 true
 );
+ if ( $roundTotal === false ) {
+ throw new InvalidArgumentException(
+ "Unknown hash algorithm: {$this->params['algo']}"
+ );
+ }
 
 for ( $j = 1; $j < $this->params['rounds']; ++$j ) {
 $lastRound = hash_hmac( $this->params['algo'], $lastRound, $password, true );
-- 
2.6.2
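Review bot: The new `$hash === false` guard only fires after `hash_pbkdf2()` has already emitted an E_WARNING for the unknown algorithm, and the fallback branch on the else side needs a second copy of the same check; validating the name once at the top of the method, before either branch, would cover both paths with one test and no warning, e.g. `if ( !in_array( $this->params['algo'], hash_algos(), true ) ) {` / `throw new InvalidArgumentException( "Unknown hash algorithm: {$this->params['algo']}" );` / `}`. The start of the enclosing method lies outside the hunk, so whether `algo` is already validated earlier is not visible here; if it is, this is moot. Separately, PHP 8 raises a `ValueError` for an unknown algorithm instead of returning `false`, so on that version the guard is harmless but dead; a comment such as `// PHP < 8 returns false (plus a warning) for an unknown algorithm; PHP 8 throws ValueError` would stop a future cleanup from removing it as unreachable.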
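Review bot: In the fallback branch the unknown algorithm is first hit three lines above this hunk, at `$hashLen = strlen( hash( $this->params['algo'], '', true ) );`, which is left unchecked: `hash()` returns `false` there, `strlen()` of that is 0, and `ceil( $this->params['length'] / $hashLen )` divides by zero before the new `$roundTotal === false` test can run (a warning and INF on PHP 7, a `DivisionByZeroError` on PHP 8). Moving the check onto that result, `if ( $hashLen === 0 ) { throw new InvalidArgumentException( "Unknown hash algorithm: {$this->params['algo']}" ); }`, fails fast with the intended exception and makes the guard added inside the block loop redundant. The added check sits inside a `for` loop over blocks whose header is outside the hunk, and the method itself starts before the first hunk, so this reading assumes nothing earlier validates `algo`.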