Feature #102761

closed

Introduce class for HMAC generation

Added by Torben Hansen 5 months ago. Updated 4 months ago.

Status: Resolved
Priority: Should have
Assignee:
Category: -
Target version:
Start date: 2024-01-05
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The core currently has the following functions or classes to create HMACs:

  1. GeneralUtility::hmac($input, $additionalSecret = '')
  2. Extbase HashService with generateHmac(string $string), appendHmac(string $string), validateHmac(string $string, string $hmac) and validateAndStripHmac(string $string)

GeneralUtility::hmac($input, $additionalSecret = '') is used in several places in TYPO3 core and allows providing an $additionalSecret. If the additional secret is used, it is safe to create hashes for the same input in a different context. If however the additional secret is left blank, the same input will result in the same HMAC, which is bad in terms of security, since a calculated HMAC can possibly be reused in a different context.

Example:
  • Extension 1 uses GeneralUtility::hmac('1') to calculate an HMAC. This HMAC is used in an Extbase action confirmNewsletterSubscription(int $uid, string $hmac)
  • Extension 2 uses GeneralUtility::hmac('1') to calculate an HMAC. This HMAC is used in an Extbase action deleteUser(int $userId, string $hmac)

The HMAC generated by extension 1 for $uid === 1 can be reused in extension 2, since no additional secret is provided.

The Extbase HashService does not allow providing any additional secret, so calculated HMACs will always be equal for the same value, even in different contexts.

TYPO3 should have a dedicated class which combines the functionality of GeneralUtility::hmac() and the Extbase HashService. The additional secret should be a mandatory parameter and must not be empty.
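The following is an added example, not TYPO3 code: it models the reuse problem from the description (an optional, empty-by-default secret yields the same HMAC for the same input in two unrelated actions) next to the mandatory-context-secret shape this feature asks for. The class name, the constructed encryption key, the context strings and the choice of SHA-256 are assumptions for illustration, and the code assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample key for the example only; a real installation uses its own encryption key.
const ENCRYPTION_KEY = 'example-encryption-key-for-illustration';

// Legacy shape: the additional secret is optional and defaults to '', so two callers
// that pass the same input and omit the secret get identical HMACs.
function legacyHmac(string $input, string $additionalSecret = ''): string
{
    return hash_hmac('sha256', $input, ENCRYPTION_KEY . $additionalSecret);
}

// Proposed shape (hypothetical class, not the TYPO3 API): the context secret is mandatory
// and non-empty, so an HMAC minted for one action cannot validate in another.
final class ContextHmac
{
    public function __construct(private readonly string $encryptionKey) {}

    public function generate(string $input, string $additionalSecret): string
    {
        if ($additionalSecret === '') {
            throw new \InvalidArgumentException('additionalSecret must not be empty');
        }
        // The context is bound into the keyed message with a separator so that
        // context and input cannot be shifted into each other.
        return hash_hmac('sha256', $additionalSecret . "\0" . $input, $this->encryptionKey);
    }

    public function validate(string $input, string $additionalSecret, string $hmac): bool
    {
        // Constant-time comparison; a plain === would leak timing information.
        return hash_equals($this->generate($input, $additionalSecret), $hmac);
    }
}

// Scenario from the issue: extension 1 signs uid 1 for confirmNewsletterSubscription,
// extension 2 expects an HMAC over the same value for deleteUser.
$uid = '1';
$legacyTokenFromExt1 = legacyHmac($uid);
echo 'legacy token reusable in extension 2: ';
var_dump(hash_equals(legacyHmac($uid), $legacyTokenFromExt1));

$service = new ContextHmac(ENCRYPTION_KEY);
$newsletterToken = $service->generate($uid, 'ext1/confirmNewsletterSubscription');
echo 'scoped token accepted by deleteUser: ';
var_dump($service->validate($uid, 'ext2/deleteUser', $newsletterToken));
echo 'scoped token accepted by its own action: ';
var_dump($service->validate($uid, 'ext1/confirmNewsletterSubscription', $newsletterToken));
```

Run with `php example.php`: the legacy token validates in both actions, while the scoped token only validates for the context it was generated in.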


Related issues (8 total: 0 open, 8 closed)

  • Related to TYPO3 Core - Task #102763: Deprecate Extbase HashService (Closed, Torben Hansen, 2024-01-05)
  • Related to TYPO3 Core - Task #102762: Deprecate GeneralUtility::hmac() (Resolved, Torben Hansen, 2024-01-05)
  • Related to TYPO3 Core - Task #103245: Replace GeneralUtility::hmac usage with HashService (Closed, Torben Hansen, 2024-03-02)
  • Related to TYPO3 Core - Task #103251: Replace GeneralUtility::hmac usage in ext:install (Resolved, 2024-03-02)
  • Related to TYPO3 Core - Task #103320: Remove internal declaration for hashService property in actionController (Resolved, Torben Hansen, 2024-03-07)
  • Related to TYPO3 Core - Task #103248: Replace GeneralUtility::hmac usage in ext:core (Resolved, Torben Hansen, 2024-03-02)
  • Related to TYPO3 Core - Task #103249: Replace GeneralUtility::hmac usage in ext:form (Resolved, Torben Hansen, 2024-03-02)
  • Related to TYPO3 Core - Task #103247: Replace GeneralUtility::hmac usage in ext:backend (Resolved, Torben Hansen, 2024-03-02)
