[SECURITY] Mitigate timing discrepancies during user authentication

Observing response time during user authentication can be used to
distinguish between existing and non-existing user accounts. This
change introduces `MimicServiceInterface::mimicAuthUser` -  to be
implemented by 3rd party authentication services - which simulates
corresponding times regular processing would usually take.

Resolves: #98217
Releases: main, 11.5, 10.4
Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b
Security-Bulletin: TYPO3-CORE-SA-2022-007
Security-References: CVE-2022-36105
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75710
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

@@ -590,6 +590,15 @@ public function checkAuthentication(ServerRequestInterface $request = null)
                     break;
                 }
             }
+        // mimic user authentication to mitigate observable timing discrepancies
+        // @link https://cwe.mitre.org/data/definitions/208.html
+        } elseif ($activeLogin) {
+            $subType = 'authUser' . $this->loginType;
+            foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {
+                if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {
+                    break;
+                }
+            }
         }
 
         // If user is authenticated a valid user is in $tempuser

typo3/sysext/core/Classes/Authentication/AuthenticationService.php

@@ -28,7 +28,7 @@
 /**
  * Authentication services class
  */
-class AuthenticationService extends AbstractAuthenticationService
+class AuthenticationService extends AbstractAuthenticationService implements MimicServiceInterface
 {
     /**
      * Process the submitted credentials.
@@ -174,6 +174,22 @@ public function authUser(array $user): int
         return 200;
     }
 
+    /**
+     * Mimics password hashing for invalid authentication requests to mitigate
+     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
+     */
+    public function mimicAuthUser(): bool
+    {
+        try {
+            $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
+            $defaultHashInstance = $hashFactory->getDefaultHashInstance($this->pObj->loginType);
+            $defaultHashInstance->getHashedPassword(random_bytes(10));
+        } catch (\Exception $exception) {
+            // no further processing here
+        }
+        return false;
+    }
+
     /**
      * Method updates a FE/BE user record - in this case a new password string will be set.
      *

typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Authentication;
+
+interface MimicServiceInterface
+{
+    /**
+     * Mimics user authentication for known invalid authentication requests. This method can be used
+     * to mitigate timing discrepancies for invalid authentication attempts, which can be used for
+     * user enumeration.
+     *
+     * Authentication services can implement this method to simulate(!) corresponding processes that
+     * would be processed during valid requests - e.g. perform password hashing (timing) or call
+     * remote services (network latency).
+     *
+     * @return bool whether other services shall continue
+     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
+     */
+    public function mimicAuthUser(): bool;
+}