Project

General

Profile

Actions

Feature #73164

closed

Add crypto-safe hashing API

Added by Christian Futterlieb almost 9 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-02-06
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

This is my second task for equipping TYPO3 with some crypto-related code (see also #73050).

I'd like to introduce a crypto-safe hashing API into TYPO3 core. As the hashing features of PHP are strong related to security features, it seems crucial to have it done right (on the backside) and with an easy to use interface.

The proposed change should contain the following:
  • Create API in Crypto\Hash
  • Deprecate GeneralUtility::hmac()
  • Adopt the new API

Interface description:

namespace TYPO3\CMS\Core\Crypto;
class Hash
{
    /* hashing methods */
    public static function hash($data, $rawOutput = FALSE);
    public static function hmac($data, $key = NULL, $rawOutput = FALSE);
    public static function verifyHash($correctHash, $data, $withRawOutputEnabled = FALSE);
    public static function verifyHmac($correctHash, $data, $key = null, $withRawOutputEnabled = FALSE);

    /* timing attack safe string comparison */
    public static function hashEquals($known_string, $user_string);

    /* information methods */
    public static function getHashLenght($withRawOutputEnabled = FALSE)
    public static function getSupportedAlgos();
}


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Feature #73050: Add a CSPRNG to TYPO3Closed2016-01-31

Actions
Has duplicate TYPO3 Core - Feature #73456: Timing attack vulnerability in Hash comparisons throughout the coreClosed2016-02-15

Actions
Actions

Also available in: Atom PDF