TYPO3 Core

The core currently has the following functions or classes to create HMACs:

1. GeneralUtility::hmac($input, $additionalSecret = '')
2. Extbase HashService with generateHmac(string $string), appendHmac(string $string), validateHmac(string $string, string $hmac) and validateAndStripHmac(string $string)

The GeneralUtility::hmac($input, $additionalSecret = '') is used in several places in TYPO3 core and allows to provide an $additionalSecret. If the additional secret is used, it is safe to create hashed for the same input in a different context. If however the additional secret is left blank, the same input will result in the same HMAC, which is bad in terms of security, since a calculated HMAC possibly can be reused in a different context.

• Extension 1 used GeneralUtility::hmac('1') to calculate a HMAC. This HMAC is used in a extbase action confirmNewsletterSubscription(int $uid, string $hmac)
• Extension 2 uses GeneralUtility::hmac('1') to calculate a HMAC. This HMAC is used in a extbase action deleteUser(int $userId, string $hmac)

The HMAC generated my extension 1 for $uid === 1 can be reused in extension 2, since no additional secret is provided.

The Extbase HashService does not allow to provide any additional secret, so calculated HMACs will always be equal for the same value but in different context.

TYPO3 should have a dedicated class, which combines the fuctionality of GeneralUtility::hmac() and extbase HashService. The additional secret should be a mandatory parameter and not be empty.