From ad5dbdf2129f5e0fb644637770b7f33de8ca8575 Mon Sep 17 00:00:00 2001 From: terrafrost Date: Fri, 23 Feb 2024 08:57:22 -0600 Subject: [PATCH 1/2] BigInteger: put guardrails on isPrime() and randomPrime() --- phpseclib/Math/BigInteger.php | 41 ++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php index 38e86d5b..e21a5488 100644 --- a/phpseclib/Math/BigInteger.php +++ b/phpseclib/Math/BigInteger.php @@ -749,6 +749,33 @@ class Math_BigInteger return $result; } + /** + * Return the size of a BigInteger in bits + * + * @return int + */ + function getLength() + { + if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) { + return strlen($this->toBits()); + } + + $max = count($this->value) - 1; + return $max != -1 ? + $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) : + 0; + } + + /** + * Return the size of a BigInteger in bytes + * + * @return int + */ + function getLengthInBytes() + { + return ceil($this->getLength() / 8); + } + /** * Copy an object * @@ -3286,6 +3313,11 @@ class Math_BigInteger $min = $temp; } + $length = $max->getLength(); + if ($length > 8196) { + user_error('Generation of random prime numbers larger than 8196 has been disabled'); + } + static $one, $two; if (!isset($one)) { $one = new Math_BigInteger(1); @@ -3393,7 +3425,14 @@ class Math_BigInteger */ function isPrime($t = false) { - $length = strlen($this->toBytes()); + $length = $this->getLength(); + // OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is + // produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is + // a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest + // that it'll generate it also stands to reason that that's the largest you'll be able to test primality on + if ($length > 8196) { + user_error('Primality testing is not supported for numbers larger than 8196 bits'); + } if (!$t) { // see HAC 4.49 "Note (controlling the error probability)" From 2124f399b430f67c3e51211a6e5db6dee8f2cec4 Mon Sep 17 00:00:00 2001 From: terrafrost Date: Fri, 23 Feb 2024 21:55:47 -0600 Subject: [PATCH 2/2] BigInteger: rm visibility modifiers from static variables the non static variables don't have privacy modifiers so idk that the static ones ought to either. phpseclib 3.0 uses privacy modifiers but not the 2.0 branch --- phpseclib/Math/BigInteger.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php index fd9cd578..be07d588 100644 --- a/phpseclib/Math/BigInteger.php +++ b/phpseclib/Math/BigInteger.php @@ -163,23 +163,23 @@ class BigInteger * * @see __construct() */ - protected static $base; - protected static $baseFull; - protected static $maxDigit; - protected static $msb; + static $base; + static $baseFull; + static $maxDigit; + static $msb; /** * $max10 in greatest $max10Len satisfying * $max10 = 10**$max10Len <= 2**$base. */ - protected static $max10; + static $max10; /** * $max10Len in greatest $max10Len satisfying * $max10 = 10**$max10Len <= 2**$base. */ - protected static $max10Len; - protected static $maxDigit2; + static $max10Len; + static $maxDigit2; /**#@-*/ /**