Added feature #12502: Use HMACs for authencity and integrity checks (Thanks to Marcus...
authorBenni Mack <benni.mack@typo3.org>
Fri, 30 Apr 2010 18:59:27 +0000 (18:59 +0000)
committerBenni Mack <benni.mack@typo3.org>
Fri, 30 Apr 2010 18:59:27 +0000 (18:59 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7474 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
INSTALL.txt
t3lib/class.t3lib_div.php
tests/t3lib/t3lib_div_testcase.php

index aaa311a..644ad9a 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-04-30  Benjamin Mack  <benni@typo3.org>
+
+       * Added feature #12502: Use HMACs for authencity and integrity checks (Thanks to Marcus Krause and the TYPO3 Security Team)
+
 2010-04-30 Francois Suter  <francois@typo3.org>
 
        * Added feature #14195: Reorganize the backend stylesheets (thanks to Fabien Udriot and Steffen Gebert)
index c40b6b4..8837b25 100644 (file)
@@ -47,6 +47,7 @@ The following configuration is recommended:
        - cURL
        - filter
        - GD2
+       - hash
        - JSON
        - mbstring
        - mysql
index 488c17b..635367b 100644 (file)
@@ -1070,6 +1070,36 @@ final class t3lib_div {
        }
 
        /**
+        * Returns a proper HMAC on a given input string and secret TYPO3 encryption key.
+        *
+        * @param       string          Input string to create HMAC from
+        * @return      string          resulting (hexadecimal) HMAC currently with a length of 40 (HMAC-SHA-1)
+        */
+       public static function hmac($input) {
+               $hashAlgorithm = 'sha1';
+               $hashBlocksize = 64;
+               $hmac = '';
+
+               if (extension_loaded('hash') && function_exists('hash_hmac') && function_exists('hash_algos') && in_array($hashAlgorithm, hash_algos())) {
+                       $hmac = hash_hmac($hashAlgorithm, $input, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
+               } else {
+                               // outer padding
+                       $opad = str_repeat(chr(0x5C), $hashBlocksize);
+                               // innner padding
+                       $ipad = str_repeat(chr(0x36), $hashBlocksize);
+                       if (strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) > $hashBlocksize) {
+                                       // keys longer than blocksize are shorten
+                               $key = str_pad(pack('H*', call_user_func($hashAlgorithm, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])), $hashBlocksize, chr(0x00));
+                       } else {
+                                       // keys shorter than blocksize are zero-padded
+                               $key = str_pad($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'], $hashBlocksize, chr(0x00));
+                       }
+                       $hmac = call_user_func($hashAlgorithm, ($key^$opad) . pack('H*', call_user_func($hashAlgorithm, ($key^$ipad) . $input)));
+               }
+               return $hmac;
+       }
+
+       /**
         * Takes comma-separated lists and arrays and removes all duplicates
         * If a value in the list is trim(empty), the value is ignored.
         * Usage: 16
index ab6e078..aaf57e5 100644 (file)
@@ -732,6 +732,38 @@ class t3lib_div_testcase extends tx_phpunit_testcase {
 
 
        //////////////////////////////////
+       // Tests concerning hmac
+       //////////////////////////////////
+
+       /**
+        * @test
+        */
+       public function hmacReturnsHashOfProperLength() {
+               $hmac = t3lib_div::hmac('message');
+               $this->assertTrue(!empty($hmac) && is_string($hmac));
+               $this->assertTrue(strlen($hmac) == 40);
+       }
+
+       /**
+        * @test
+        */
+       public function hmacReturnsEqualHashesForEqualInput() {
+               $msg0 = 'message';
+               $msg1 = 'message';
+               $this->assertEquals(t3lib_div::hmac($msg0), t3lib_div::hmac($msg1));
+       }
+
+       /**
+        * @test
+        */
+       public function hmacReturnsNotEqualHashesForNotEqualInput() {
+               $msg0 = 'message0';
+               $msg1 = 'message1';
+               $this->assertNotEquals(t3lib_div::hmac($msg0), t3lib_div::hmac($msg1));
+       }
+
+
+       //////////////////////////////////
        // Tests concerning quoteJSvalue
        //////////////////////////////////