Commit cc9b6676 authored by Stefan Neufeind's avatar Stefan Neufeind Committed by Helmut Hummel

[TASK] Use hash_equals for timing-safe comparison of hash-values

To prevent timing-attacks on hash-comparisons it is advised
to use hash_equals.

Resolves: #83329
Releases: master, 8.7
Change-Id: I7539ed27538d7d81767bfce582d568cff09d1610
Reviewed-on: https://review.typo3.org/55074

Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
Reviewed-by: Stephan Großberndt's avatarStephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Helmut Hummel's avatarHelmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel's avatarHelmut Hummel <typo3@helhum.io>
parent ea7f8c63
......@@ -103,7 +103,7 @@ class FileSystemNavigationFrameController
$scopeData = (string)GeneralUtility::_GP('scopeData');
$scopeHash = (string)GeneralUtility::_GP('scopeHash');
if (!empty($scopeData) && GeneralUtility::hmac($scopeData) === $scopeHash) {
if (!empty($scopeData) && hash_equals(GeneralUtility::hmac($scopeData), $scopeHash)) {
$this->scopeData = unserialize($scopeData);
}
......
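Review bot: The HMAC gate on line 25 now compares in constant time, but the value it admits is still handed straight to `unserialize()` on the next line, so the deserialisation step is only as safe as the secrecy of the HMAC key; anyone able to produce a valid `scopeHash` gets arbitrary object instantiation. Since `scopeData` appears to carry plain data, restricting the call is cheap defence in depth: `$this->scopeData = unserialize($scopeData, ['allowed_classes' => false]);`. The enclosing method starts before the hunk, so I cannot see what `scopeData` is expected to hold; if it legitimately contains objects, list those classes instead of `false`. Both `$scopeData` and `$scopeHash` are cast to string on lines 22-23, so `hash_equals()` will not warn here.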
......@@ -743,7 +743,7 @@ class FormInlineAjaxController extends AbstractFormEngineAjaxController
if (empty($context['config'])) {
throw new \RuntimeException('Empty context config section given', 1489751362);
}
if (!\hash_equals(GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'), $context['hmac'])) {
if (!hash_equals(GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'), $context['hmac'])) {
throw new \RuntimeException('Hash does not validate', 1489751363);
}
return $context['config'];
......
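Review bot: `$context['hmac']` on line 34 reaches `hash_equals()` without any check that it exists or is a string; the guard above only covers `$context['config']`. Where `===` silently returned false for a missing or non-string value, `hash_equals()` on PHP 7 emits a warning for a non-string argument, and newer PHP versions deprecate or reject a null there, so behaviour on malformed input has changed. A defensive cast keeps the old semantics: `$givenHmac = (string)($context['hmac'] ?? '');` followed by `if (!hash_equals(GeneralUtility::hmac(json_encode($context['config']), 'InlineContext'), $givenHmac)) {`. The same pattern applies to LinkBrowserController (`$this->parameters['fieldChangeFuncHash']`), ImageManipulationWizard (`['signature']`), FileDumpController (`getGetOrPost(...)`), HashService::validateHmac (untyped `$hmac`), TypoScriptFrontendController (`$this->cHash`) and, most clearly, the hunk at `EOF;` where `$hmacParameter` is explicitly set to `null` when the `md5` query parameter is absent. The enclosing method begins outside this hunk.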
......@@ -120,7 +120,7 @@ class LinkBrowserController extends AbstractLinkBrowserController
}
unset($value);
}
$result = $this->parameters['fieldChangeFuncHash'] === GeneralUtility::hmac(serialize($fieldChangeFunctions));
$result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions)), $this->parameters['fieldChangeFuncHash']);
}
return $result;
}
......
......@@ -87,6 +87,6 @@ class ImageManipulationWizard
protected function isSignatureValid(ServerRequestInterface $request)
{
$token = GeneralUtility::hmac($request->getQueryParams()['arguments'], 'ajax_wizard_image_manipulation');
return $token === $request->getQueryParams()['signature'];
return hash_equals($token, $request->getQueryParams()['signature']);
}
}
......@@ -55,7 +55,7 @@ class FileDumpController
$parameters['p'] = $p;
}
if (GeneralUtility::hmac(implode('|', $parameters), 'resourceStorageDumpFile') === $this->getGetOrPost($request, 'token')) {
if (hash_equals(GeneralUtility::hmac(implode('|', $parameters), 'resourceStorageDumpFile'), $this->getGetOrPost($request, 'token'))) {
if (isset($parameters['f'])) {
try {
$file = ResourceFactory::getInstance()->getFileObject($parameters['f']);
......
......@@ -103,7 +103,7 @@ abstract class AbstractFormProtection
public function validateToken($tokenId, $formName, $action = '', $formInstanceName = '')
{
$validTokenId = GeneralUtility::hmac(((string)$formName . (string)$action) . (string)$formInstanceName . $this->getSessionToken());
if ((string)$tokenId === $validTokenId) {
if (hash_equals($validTokenId, (string)$tokenId)) {
$isValid = true;
} else {
$isValid = false;
......
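Review bot: The if/else on lines 71-74 only materialises the boolean that `hash_equals()` already returns, so it can collapse to `$isValid = hash_equals($validTokenId, (string)$tokenId);` — provided the else branch, which continues past the hunk, does nothing beyond that assignment. The method body also runs beyond the hunk. Casting `$tokenId` before the call is the right move, as it keeps non-string input from reaching `hash_equals()`, and placing the server-computed `$validTokenId` first matches the function's known/user argument order.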
......@@ -65,7 +65,7 @@ class HashService implements \TYPO3\CMS\Core\SingletonInterface
*/
public function validateHmac($string, $hmac)
{
return $this->generateHmac($string) === $hmac;
return hash_equals($this->generateHmac($string), $hmac);
}
/**
......
......@@ -120,7 +120,7 @@ EOF;
/* For backwards compatibility the HMAC is transported within the md5 param */
$hmacParameter = isset($this->request->getQueryParams()['md5']) ? $this->request->getQueryParams()['md5'] : null;
$hmac = GeneralUtility::hmac(implode('|', [$fileUid, $parametersEncoded]));
if ($hmac !== $hmacParameter) {
if (!hash_equals($hmac, $hmacParameter)) {
throw new \InvalidArgumentException('hash does not match', 1476048456);
}
......
......@@ -2133,7 +2133,7 @@ class TypoScriptFrontendController implements LoggerAwareInterface
$GET['id'] = $this->id;
$this->cHash_array = $this->cacheHash->getRelevantParameters(GeneralUtility::implodeArrayForUrl('', $GET));
$cHash_calc = $this->cacheHash->calculateCacheHash($this->cHash_array);
if ($cHash_calc != $this->cHash) {
if (!hash_equals($cHash_calc, $this->cHash)) {
if ($GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFoundOnCHashError']) {
$this->pageNotFoundAndExit('Request parameters could not be validated (&cHash comparison failed)');
} else {
......
......@@ -109,7 +109,7 @@ class Pbkdf2Salt extends AbstractComposedSalt
*/
public function checkPassword(string $plainPW, string $saltedHashPW): bool
{
return $this->isValidSalt($saltedHashPW) && \hash_equals($this->getHashedPassword($plainPW, $saltedHashPW), $saltedHashPW);
return $this->isValidSalt($saltedHashPW) && hash_equals($this->getHashedPassword($plainPW, $saltedHashPW), $saltedHashPW);
}
/**
......
......@@ -126,7 +126,7 @@ class PhpassSalt extends AbstractComposedSalt
public function checkPassword(string $plainPW, string $saltedHashPW): bool
{
$hash = $this->cryptPassword($plainPW, $saltedHashPW);
return $hash && \hash_equals($hash, $saltedHashPW);
return $hash && hash_equals($hash, $saltedHashPW);
}
/**
......
......@@ -137,13 +137,13 @@ class SaltedPasswordService extends AbstractAuthenticationService
$this->authenticationFailed = true;
}
} elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
$validPasswd = \hash_equals(md5($password), (string)$user['password']);
$validPasswd = hash_equals(md5($password), (string)$user['password']);
// Skip further authentication methods
if (!$validPasswd) {
$this->authenticationFailed = true;
}
} else {
$validPasswd = (string)$password !== '' && \hash_equals((string)$user['password'], (string)$password);
$validPasswd = (string)$password !== '' && hash_equals((string)$user['password'], (string)$password);
}
// Should we store the new format value in DB?
if ($validPasswd && (int)$this->extConf['updatePasswd']) {
......