Suppose:

```php
$part1 = 'foo';
$part2 = 'bar';
$hmac = Crypt::HmacBase64($part1 . $part2, $somekey);
```

The problem: The resulting HMAC is identical for the following combinations of $part1 and $part2:
part1 |part2
------|------
foo |bar
foob |ar
fooba |r
foobar|
fo |obar
f |oobar
|foobar
Examples of the problems this can cause down the line:
- CVE-2008-1930 - WordPress Admin cookie forgery
- AWS v1 signature forgery
Both Fabian and I looked at the current use of undelimited HMAC calculation in core. Neither of us thinks they are an acute problem.
Helping users prevent such mistakes would be a significant improvement to the HMAC API, however.
I've attached two patches:
- minimal note telling the user about delimiting parts
- change to the function signature of HmacBase64 to allow an arbitrary number of message parts preceding the key.
An alternative would be a HmacMultipleBase64 that takes an array of strings as the first parameter. Speaking of strings, why does the function check on is_scalar? The PHP documentation of hash_hmac states the params accepted are strings.
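
The collision table above and one way to frame multiple parts, as an added example that is not part of the original post or the attached patches. The function names `hmac_base64` and `hmac_base64_parts` are hypothetical, the key is a constructed value, and length-prefixing is used here as a stricter form of delimiting, since a plain delimiter can itself occur inside a part.

```php
<?php
// Added example, not Drupal core code. Function names are hypothetical.

// Stand-in for an undelimited HMAC helper: URL-safe base64 of HMAC-SHA256.
function hmac_base64(string $data, string $key): string {
    $raw = hash_hmac('sha256', $data, $key, true);
    return strtr(rtrim(base64_encode($raw), '='), '+/', '-_');
}

// Encode each part as "<byte length>:<bytes>" so the part boundaries are
// part of the authenticated message and cannot shift between parts.
function hmac_base64_parts(array $parts, string $key): string {
    $encoded = '';
    foreach ($parts as $part) {
        if (!is_string($part)) {
            throw new InvalidArgumentException('Message parts must be strings.');
        }
        $encoded .= strlen($part) . ':' . $part;
    }
    return hmac_base64($encoded, $key);
}

$key = 'constructed-demo-key'; // constructed sample value
$splits = [['foo', 'bar'], ['foob', 'ar'], ['foobar', ''], ['', 'foobar']];

$naive = [];
$framed = [];
foreach ($splits as [$part1, $part2]) {
    $naive[] = hmac_base64($part1 . $part2, $key);
    $framed[] = hmac_base64_parts([$part1, $part2], $key);
}

// Plain concatenation: do all splits produce one and the same tag?
var_dump(count(array_unique($naive)) === 1);
// Length-prefixed parts: does every split produce its own tag?
var_dump(count(array_unique($framed)) === count($splits));

// Verify with a constant-time comparison: the tag for ('foo', 'bar')
// is checked against a recomputed tag, then against a shifted split.
var_dump(hash_equals($framed[0], hmac_base64_parts(['foo', 'bar'], $key)));
var_dump(hash_equals($framed[0], hmac_base64_parts(['foob', 'ar'], $key)));
```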