Feature #102761
Introduce class for HMAC generation
Status: closed
Description
The core currently has the following functions or classes to create HMACs:
- GeneralUtility::hmac($input, $additionalSecret = '')
- Extbase HashService with generateHmac(string $string), appendHmac(string $string), validateHmac(string $string, string $hmac) and validateAndStripHmac(string $string)
GeneralUtility::hmac($input, $additionalSecret = '') is used in several places in TYPO3 core and allows providing an $additionalSecret. If the additional secret is used, it is safe to create hashes for the same input in a different context. If, however, the additional secret is left blank, the same input will result in the same HMAC, which is bad in terms of security, since a calculated HMAC can possibly be reused in a different context.
- Extension 1 uses GeneralUtility::hmac('1') to calculate an HMAC. This HMAC is used in an Extbase action confirmNewsletterSubscription(int $uid, string $hmac)
- Extension 2 uses GeneralUtility::hmac('1') to calculate an HMAC. This HMAC is used in an Extbase action deleteUser(int $userId, string $hmac)
The HMAC generated by extension 1 for $uid === 1 can be reused in extension 2, since no additional secret is provided.
The Extbase HashService does not allow providing any additional secret, so calculated HMACs will always be equal for the same value in different contexts.
TYPO3 should have a dedicated class which combines the functionality of GeneralUtility::hmac() and the Extbase HashService. The additional secret should be a mandatory parameter and must not be empty.
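As an added illustration (not code from TYPO3 core or from this issue), the following PHP sketch reproduces the cross-extension reuse described above and shows one possible shape for the proposed class. The names HmacService and legacyHmac, the context-secret strings, the sample key and the key-derivation step are assumptions for this example only; legacyHmac merely models the behaviour the issue attributes to GeneralUtility::hmac() and is not the core implementation. It runs on PHP 8.0 or later with no extensions beyond the standard hash functions.

```php
<?php
declare(strict_types=1);

// Stand-in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']. Constructed
// value for this example only; a real key comes from the installation's config.
const ENCRYPTION_KEY = 'example-only-encryption-key-0123456789abcdef';

/**
 * Simplified model of GeneralUtility::hmac($input, $additionalSecret = '') as the
 * issue describes it: one site-wide key plus an optional secret that defaults to ''.
 * Assumption for illustration only: the secret is mixed into the key. The exact
 * construction in core may differ; the reuse problem is the same either way.
 */
function legacyHmac(string $input, string $additionalSecret = ''): string
{
    return hash_hmac('sha1', $input, ENCRYPTION_KEY . $additionalSecret);
}

/**
 * Sketch of the proposed dedicated class (hypothetical name and API, not TYPO3).
 * The additional secret is mandatory and must not be empty. It is used to derive a
 * per-context key instead of being concatenated, so that input "1" in the newsletter
 * context and input "1" in the user-deletion context never share an HMAC.
 */
final class HmacService
{
    private const ALGO = 'sha256';
    private const HMAC_LENGTH = 64; // hex digits in a sha256 HMAC

    public function __construct(private string $encryptionKey)
    {
        if ($encryptionKey === '') {
            throw new \InvalidArgumentException('encryptionKey must not be empty');
        }
    }

    public function generateHmac(string $input, string $additionalSecret): string
    {
        if (trim($additionalSecret) === '') {
            throw new \InvalidArgumentException('additionalSecret must not be empty');
        }
        // Domain separation: derive a context key from the site key and the caller's
        // secret, then MAC the input under that context key.
        $contextKey = hash_hmac(self::ALGO, $additionalSecret, $this->encryptionKey, true);
        return hash_hmac(self::ALGO, $input, $contextKey);
    }

    public function appendHmac(string $input, string $additionalSecret): string
    {
        return $input . $this->generateHmac($input, $additionalSecret);
    }

    public function validateHmac(string $input, string $hmac, string $additionalSecret): bool
    {
        // Constant-time comparison; never compare MACs with == or ===.
        return hash_equals($this->generateHmac($input, $additionalSecret), $hmac);
    }

    public function validateAndStripHmac(string $string, string $additionalSecret): string
    {
        if (strlen($string) <= self::HMAC_LENGTH) {
            throw new \RuntimeException('string too short to carry an HMAC');
        }
        $input = substr($string, 0, -self::HMAC_LENGTH);
        $hmac = substr($string, -self::HMAC_LENGTH);
        if (!$this->validateHmac($input, $hmac, $additionalSecret)) {
            throw new \RuntimeException('HMAC validation failed');
        }
        return $input;
    }
}

// --- The cross-context reuse from the issue --------------------------------------

// Extension 1 (newsletter confirmation) and extension 2 (user deletion) both protect
// record id "1" with the legacy function and no additional secret.
$newsletterToken = legacyHmac('1');
$deleteUserToken = legacyHmac('1');
echo 'legacy tokens identical: ', var_export($newsletterToken === $deleteUserToken, true), PHP_EOL;

// With the proposed class each caller must pass its own, non-empty context secret.
$service = new HmacService(ENCRYPTION_KEY);
$newsletterToken = $service->generateHmac('1', 'ext1:confirmNewsletterSubscription');
$deleteUserToken = $service->generateHmac('1', 'ext2:deleteUser');
echo 'tokens now differ: ', var_export($newsletterToken !== $deleteUserToken, true), PHP_EOL;

// A token minted in the newsletter context does not validate in the deletion context.
echo 'newsletter token accepted by deleteUser: ',
    var_export($service->validateHmac('1', $newsletterToken, 'ext2:deleteUser'), true), PHP_EOL;

// Round trip through append/strip, then the empty secret that caused the problem.
$signed = $service->appendHmac('1', 'ext2:deleteUser');
echo 'stripped input: ', $service->validateAndStripHmac($signed, 'ext2:deleteUser'), PHP_EOL;
try {
    $service->generateHmac('1', '');
} catch (\InvalidArgumentException $e) {
    echo 'empty secret rejected: ', $e->getMessage(), PHP_EOL;
}
```

Deriving a context key with a second HMAC rather than appending the secret to the site key avoids the ambiguity of concatenation (key "ab" with secret "c" versus key "a" with secret "bc") and keeps the caller's secret out of the outer HMAC key entirely. Whatever construction core ends up with, the point of the issue holds: the context secret has to be required at the type level, not left as an optional parameter that quietly defaults to an empty string.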