From: Benni Mack Date: Fri, 30 Apr 2010 18:59:27 +0000 (+0000) Subject: Added feature #12502: Use HMACs for authencity and integrity checks (Thanks to Marcus... X-Git-Tag: TYPO3_4-4-0beta2~50 X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/a1316468c27a77acea28393683fb04782341b5af Added feature #12502: Use HMACs for authencity and integrity checks (Thanks to Marcus Krause and the TYPO3 Security Team) git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7474 709f56b5-9817-0410-a4d7-c38de5d9e867 --- diff --git a/ChangeLog b/ChangeLog index aaa311acdd3b..644ad9a63c7f 100755 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2010-04-30 Benjamin Mack + + * Added feature #12502: Use HMACs for authencity and integrity checks (Thanks to Marcus Krause and the TYPO3 Security Team) + 2010-04-30 Francois Suter * Added feature #14195: Reorganize the backend stylesheets (thanks to Fabien Udriot and Steffen Gebert) diff --git a/INSTALL.txt b/INSTALL.txt index c40b6b451a59..8837b25bf7be 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -47,6 +47,7 @@ The following configuration is recommended: - cURL - filter - GD2 + - hash - JSON - mbstring - mysql diff --git a/t3lib/class.t3lib_div.php b/t3lib/class.t3lib_div.php index 488c17b93cca..635367b18a76 100644 --- a/t3lib/class.t3lib_div.php +++ b/t3lib/class.t3lib_div.php @@ -1069,6 +1069,36 @@ final class t3lib_div { return substr(md5($input),0,$len); } + /** + * Returns a proper HMAC on a given input string and secret TYPO3 encryption key. + * + * @param string Input string to create HMAC from + * @return string resulting (hexadecimal) HMAC currently with a length of 40 (HMAC-SHA-1) + */ + public static function hmac($input) { + $hashAlgorithm = 'sha1'; + $hashBlocksize = 64; + $hmac = ''; + + if (extension_loaded('hash') && function_exists('hash_hmac') && function_exists('hash_algos') && in_array($hashAlgorithm, hash_algos())) { + $hmac = hash_hmac($hashAlgorithm, $input, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']); + } else { + // outer padding + $opad = str_repeat(chr(0x5C), $hashBlocksize); + // innner padding + $ipad = str_repeat(chr(0x36), $hashBlocksize); + if (strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) > $hashBlocksize) { + // keys longer than blocksize are shorten + $key = str_pad(pack('H*', call_user_func($hashAlgorithm, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])), $hashBlocksize, chr(0x00)); + } else { + // keys shorter than blocksize are zero-padded + $key = str_pad($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'], $hashBlocksize, chr(0x00)); + } + $hmac = call_user_func($hashAlgorithm, ($key^$opad) . pack('H*', call_user_func($hashAlgorithm, ($key^$ipad) . $input))); + } + return $hmac; + } + /** * Takes comma-separated lists and arrays and removes all duplicates * If a value in the list is trim(empty), the value is ignored. diff --git a/tests/t3lib/t3lib_div_testcase.php b/tests/t3lib/t3lib_div_testcase.php index ab6e078997fc..aaf57e506db2 100644 --- a/tests/t3lib/t3lib_div_testcase.php +++ b/tests/t3lib/t3lib_div_testcase.php @@ -731,6 +731,38 @@ class t3lib_div_testcase extends tx_phpunit_testcase { } + ////////////////////////////////// + // Tests concerning hmac + ////////////////////////////////// + + /** + * @test + */ + public function hmacReturnsHashOfProperLength() { + $hmac = t3lib_div::hmac('message'); + $this->assertTrue(!empty($hmac) && is_string($hmac)); + $this->assertTrue(strlen($hmac) == 40); + } + + /** + * @test + */ + public function hmacReturnsEqualHashesForEqualInput() { + $msg0 = 'message'; + $msg1 = 'message'; + $this->assertEquals(t3lib_div::hmac($msg0), t3lib_div::hmac($msg1)); + } + + /** + * @test + */ + public function hmacReturnsNotEqualHashesForNotEqualInput() { + $msg0 = 'message0'; + $msg1 = 'message1'; + $this->assertNotEquals(t3lib_div::hmac($msg0), t3lib_div::hmac($msg1)); + } + + ////////////////////////////////// // Tests concerning quoteJSvalue //////////////////////////////////