Assist Crypt::HmacBase64 users to prevent HMACs over undelimited, composite messages

Created on 30 May 2015, over 9 years ago
Updated 8 March 2023, over 1 year ago

Suppose:

$part1 = 'foo';
$part2 = 'bar';
$hmac = Crypt::HmacBase64($part1 . $part2, $somekey);

The problem: The resulting HMAC is identical for the following combinations of $part1 and $part2:

part1 |part2
------|------
foo   |bar
foob  |ar
fooba |r
foobar|
fo    |obar
f     |oobar
      |foobar

Examples of the problems this can cause down the line:

Both Fabian and I looked at the current use of undelimited HMAC calculation in core. Neither of us thinks they are an acute problem.

Helping users prevent such mistakes would be a significant improvement to the hmac api however.

I've attached two patches:
- minimal note telling the user about delimiting parts
- change to the function signature of HmacBase64 to allow an arbitrary number of message parts preceding the key.

An alternative would be a HmacMultipleBase64 that takes an array of strings as the first parameter. Speaking of strings, why does the function check on is_scalar? The PHP documentation of hash_hmac states the params accepted are strings.

✨ Feature request
Status

Closed: outdated

Version

9.5

Component
BaseΒ  β†’

Last updated about 13 hours ago

Created by

πŸ‡³πŸ‡±Netherlands heine

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024