Feature #73050

Add a CSPRNG to TYPO3

Added by Christian Futterlieb over 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2016-01-31
Due date:
% Done: 100%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

I'd like to bring some crypto-related code into TYPO3 core. First topic: a CSPRNG.

As always in cryptography, using a widely used/adopted/reviewed library should be the way to go. This one seems to do a good job: https://github.com/paragonie/random_compat. It is a PHP 5.x polyfill for PHP 7's random_bytes() and random_int().

In the proposed change, I cover the following tasks:
  1. Remove all the GeneralUtility::generateRandomBytesXYZ methods, because they're covered by random_compat. Leave just the fallback method in place (and slightly improve it).
  2. Add a simple API in \TYPO3\CMS\Core\Crypto\Random to produce crypto-safe random bytes, integers and hex strings.
  3. Add a check to \TYPO3\CMS\Install\SystemEnvironment\Check that creates a warning when no CSPRNG can be generated on the system (and the fallback will therefore be used). From the crypto view it would be much better to fail instead of just warn. Please share your opinion on this!

Furthermore I'd like to come up with things like a Crypto\Hash class to do proper hashing and verifying, a Crypto\Password class for password-related stuff, a saltedpasswords salt and so on. I'll open new tasks for these ideas when they're ready.
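The API shape sketched in the ticket (secure bytes, integers and hex strings on top of PHP 7's random_bytes()/random_int(), plus an environment check that reports when no CSPRNG source is usable), as an added illustrative example; this is not TYPO3's own Crypto\Random class, and the class name RandomExample and the function csprngAvailable() are assumed names.

```php
<?php
declare(strict_types=1);

// Illustrative CSPRNG wrapper, not TYPO3 core code. It relies on PHP 7's
// random_bytes()/random_int(); on PHP 5.x the random_compat polyfill supplies them.
final class RandomExample
{
    /** Cryptographically secure random bytes; throws if no secure source exists. */
    public function generateRandomBytes(int $length): string
    {
        if ($length < 1) {
            throw new \InvalidArgumentException('Length must be at least 1');
        }
        return random_bytes($length);
    }

    /** Uniformly distributed integer in [$min, $max]; random_int() avoids modulo bias. */
    public function generateRandomInteger(int $min, int $max): int
    {
        if ($min > $max) {
            throw new \InvalidArgumentException('min must not exceed max');
        }
        return random_int($min, $max);
    }

    /** Hex string of exactly $length characters derived from secure bytes. */
    public function generateRandomHexString(int $length): string
    {
        // Two hex characters per byte: round up for odd lengths, then trim.
        $bytes = $this->generateRandomBytes((int)ceil($length / 2));
        return substr(bin2hex($bytes), 0, $length);
    }
}

// The install-tool style check the ticket proposes: say explicitly whether a
// secure source is available instead of silently using a weaker fallback.
function csprngAvailable(): bool
{
    try {
        random_bytes(1);
        return true;
    } catch (\Exception $e) { // random_bytes() throws when no secure source is found
        return false;
    }
}

$random = new RandomExample();
$token = $random->generateRandomHexString(32);
printf("session token: %s (%d hex chars)\n", $token, strlen($token));
printf("dice roll: %d\n", $random->generateRandomInteger(1, 6));
printf("CSPRNG available: %s\n", csprngAvailable() ? 'yes' : 'no');
```

Catching \Exception covers both PHP 7's plain Exception and the \Random\RandomException thrown since PHP 8.2, which extends it.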


Related issues

Related to TYPO3 Core - Task #67268: Introduce RandomUtility and move methods (Closed, 2015-06-03)
Related to TYPO3 Core - Bug #37780: Possibility to get duplicate sessionId for different user (Closed, 2012-06-06)
Related to TYPO3 Core - Feature #73164: Add crypto-safe hashing API (Rejected, 2016-02-06)
Related to TYPO3 Core - Feature #73456: Timing attack vulnerability in Hash comparisons throughout the core (Closed, 2016-02-15)
Related to TYPO3 Core - Task #72292: PHP7 >= only (Closed, 2015-12-17)