[TASK] Use hash_equals for timing-safe comparison of hash-values
[Packages/TYPO3.CMS.git] / typo3 / sysext / extbase / Classes / Security / Cryptography / HashService.php
1 <?php
2 namespace TYPO3\CMS\Extbase\Security\Cryptography;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 /**
18 * A hash service which should be used to generate and validate hashes.
19 *
20 * It will use some salt / encryption key in the future.
21 *
22 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser Public License, version 3 or later
23 */
24 class HashService implements \TYPO3\CMS\Core\SingletonInterface
25 {
26 /**
27 * Generate a hash (HMAC) for a given string
28 *
29 * @param string $string The string for which a hash should be generated
30 * @return string The hash of the string
31 * @throws \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException if something else than a string was given as parameter
32 */
33 public function generateHmac($string)
34 {
35 if (!is_string($string)) {
36 throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('A hash can only be generated for a string, but "' . gettype($string) . '" was given.', 1255069587);
37 }
38 $encryptionKey = $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'];
39 if (!$encryptionKey) {
40 throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('Encryption Key was empty!', 1255069597);
41 }
42 return hash_hmac('sha1', $string, $encryptionKey);
43 }
44
45 /**
46 * Appends a hash (HMAC) to a given string and returns the result
47 *
48 * @param string $string The string for which a hash should be generated
49 * @return string The original string with HMAC of the string appended
50 * @see generateHmac()
51 * @todo Mark as API once it is more stable
52 */
53 public function appendHmac($string)
54 {
55 $hmac = $this->generateHmac($string);
56 return $string . $hmac;
57 }
58
59 /**
60 * Tests if a string $string matches the HMAC given by $hash.
61 *
62 * @param string $string The string which should be validated
63 * @param string $hmac The hash of the string
64 * @return bool TRUE if string and hash fit together, FALSE otherwise.
65 */
66 public function validateHmac($string, $hmac)
67 {
68 return hash_equals($this->generateHmac($string), $hmac);
69 }
70
71 /**
72 * Tests if the last 40 characters of a given string $string
73 * matches the HMAC of the rest of the string and, if true,
74 * returns the string without the HMAC. In case of a HMAC
75 * validation error, an exception is thrown.
76 *
77 * @param string $string The string with the HMAC appended (in the format 'string<HMAC>')
78 * @return string the original string without the HMAC, if validation was successful
79 * @see validateHmac()
80 * @throws \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException if the given string is not well-formatted
81 * @throws \TYPO3\CMS\Extbase\Security\Exception\InvalidHashException if the hash did not fit to the data.
82 * @todo Mark as API once it is more stable
83 */
84 public function validateAndStripHmac($string)
85 {
86 if (!is_string($string)) {
87 throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('A hash can only be validated for a string, but "' . gettype($string) . '" was given.', 1320829762);
88 }
89 if (strlen($string) < 40) {
90 throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException('A hashed string must contain at least 40 characters, the given string was only ' . strlen($string) . ' characters long.', 1320830276);
91 }
92 $stringWithoutHmac = substr($string, 0, -40);
93 if ($this->validateHmac($stringWithoutHmac, substr($string, -40)) !== true) {
94 throw new \TYPO3\CMS\Extbase\Security\Exception\InvalidHashException('The given string was not appended with a valid HMAC.', 1320830018);
95 }
96 return $stringWithoutHmac;
97 }
98 }