[TYPO3-core] RFC #12502: Feature: Use HMACs for authenticity and integrity checks

Marcus Krause marcus#exp2009 at t3sec.info
Sat Nov 7 19:44:58 CET 2009


Martin Kutschker wrote:
> Marcus Krause wrote:
>>
>> Advantages of HMACs in TYPO3:
>> * having a dedicated method for integrity and authenticity checks on data
>> * raising the awareness of HMACs and thus making them easily useable by
>> creating a t3lib_div method
>> * using one API method enables us to easily switch to a different
>> hashing algorithm in future
> 
> But isn't it a problem that different hash algorithms return different digest lengths?
> 
> Perhaps it is better to remove the $len (should be $length BTW) argument and document the max.
> length the calling code has to provide space for.

To answer the questions:
Yes, using different hashing algorithms for HMAC results in different
lengths of a hexadecimal string.

I've used the length parameter as some code uses full MD5 (showpic),
others shortMD5 (workspace preview?). I just didn't want to cause too
much change in behaviour.

However, I'm open to removing the parameter and letting the corresponding code
handle the length. AFAIK, removing the parameter would not hurt. It's (always)
only a GET variable and the corresponding code simply creates a hash over
the parameter and compares it to the given one. Extending the length of such
a "checksum" now or later most probably won't cause any problems.

Then this would mean that when using HMAC, we at least for now work with
32 byte hexadecimal strings (for MD5 hashing algorithm).


Marcus.
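
The length question discussed in this thread, as an added example (not part of the original mail and not TYPO3 core code): an HMAC helper whose hex length follows the chosen algorithm, and a verifier for a GET checksum that derives the expected length instead of hard-coding it. The function names, key, data and the 10-character truncation are assumptions made for the illustration.

```php
<?php
// Added illustration. Function names, key and data are hypothetical/constructed;
// this is not TYPO3 core code.

// Hex HMAC over $data; $algo is the one place where the hash function is chosen.
function example_hmac($data, $key, $algo = 'md5') {
    return hash_hmac($algo, $data, $key);
}

// Check a checksum taken from a GET variable without hard-coding its length.
// $minLength = null demands the full digest; a smaller value accepts a
// truncated prefix, as callers that use shortened hashes would need.
function example_verify($data, $given, $key, $algo = 'md5', $minLength = null) {
    if (!is_string($given)) {
        return false; // e.g. ?hash[]=x arrives as an array
    }
    $expected = example_hmac($data, $key, $algo);
    $full = strlen($expected);
    $min = ($minLength === null) ? $full : (int)$minLength;
    $len = strlen($given);
    if ($len < $min || $len > $full) {
        return false;
    }
    // hash_equals() (PHP >= 5.6) compares in constant time.
    return hash_equals(substr($expected, 0, $len), $given);
}

$key  = 'constructed-demo-key';                    // stands in for a site secret
$data = 'file=uploads/pics/demo.jpg&width=800';    // constructed parameter string

// Digest length in hex characters depends on the algorithm.
foreach (array('md5', 'sha1', 'sha256') as $algo) {
    printf("%-6s %d hex chars\n", $algo, strlen(example_hmac($data, $key, $algo)));
}

$fullHash  = example_hmac($data, $key);
$shortHash = substr($fullHash, 0, 10);             // constructed truncated form

var_dump(example_verify($data, $fullHash, $key));                 // full digest
var_dump(example_verify($data, $shortHash, $key));                // too short by default
var_dump(example_verify($data, $shortHash, $key, 'md5', 10));     // caller opts in
var_dump(example_verify($data . '&width=9000', $fullHash, $key)); // tampered data
var_dump(example_verify($data, example_hmac($data, $key, 'sha256'), $key, 'sha256'));
```

Accepting a truncated prefix lowers the number of bits an attacker has to guess, so the minimum length is an explicit per-caller decision here rather than a default.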

