I received this email from Authorize.net:

Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key.

Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.

Ubercart 7.x doesn't appear to support any options for changing from an MD5-based hash value to an SHA-256-based hash value, and an upgrade to 8.x (assuming 8.x can deal with this) isn't possible for me until a number of other contrib modules are updated and available for Drupal 8. Is there something that can be done to deal with this situation in Ubercart 7.x? Can I just remove the MD5 hash value?

CommentFileSizeAuthor
#18 interdiff-16-18.diff1.96 KBsean_e_dietrich
#18 3025475-ubercart-md5_hash_removal-18.patch5.26 KBsean_e_dietrich
#16 3025475-ubercart-md5_hash_removal-16.patch3.62 KBsean_e_dietrich

Issue fork ubercart-3025475

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

sah62 created an issue. See original summary.

philsward’s picture

philsward commented

+1

Surf New Media’s picture

Surf New Media commented

+1

sah62’s picture

sah62 commented

Looking at the code in uc_authorizenet.module, I see the Transaction Response MD5 Hash described as response key index value 37. I don't see anywhere in the code where this value is actually checked, though. Did I miss something? Is it not used to verify the response?

tr’s picture

tr commented
Category: Support request » Task

I am not currently using Authorize.net, so the solution to this will need to come from community contributions.

sah62’s picture

sah62 commented

I got off the phone with Authorize.net technical support a few minutes ago. The only way this should be a problem is if Ubercart tries to compare the hash value returned from Authorize.net to the hash value stored on Ubercart's Authorize.net settings page, which appears to only happen if you're using the Automated Recurring Billing (ARB) service (see uc_authorizenet.pages.inc):

30   // This is an ARB notification.
31   if ($arb) {
32
33     // Compare our expected MD5 Hash against what was received.
34     $md5 = strtoupper(md5($login_data['md5_hash'] . $_POST['x_trans_id'] . $_POST['x_amount']));
35
36     // Post an error message if the MD5 hash does not validate.
37     if ($_POST['x_MD5_Hash'] != $md5) {
38       watchdog('uc_authorizenet', 'Invalid ARB payment notification received.', array(), WATCHDOG_ERROR);
39     }
40     // Otherwise, let other modules act on the data.
41     else {
42       module_invoke_all('uc_auth_arb_payment', $_POST);
43     }
44   }

To make this work, line 34 will need to be changed from using PHP's md5 function to (I think) something like this:

$md5 = strtoupper(hash('sha256', $login_data['md5_hash'] . $_POST['x_trans_id'] . $_POST['x_amount']));

Of course, it would help to get update variable names associated with MD5, but I don't think leaving them as-is will break anything (though it will be confusing).

laryn’s picture

laryn
he/him
commented

@sah62 did they say what the POST variable name would be? ie. does this need to change?

$_POST['x_MD5_Hash']

EDIT: this might have the info needed:
https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-K...

EDIT2: the link originally posted seems to suggest that instead of the above, we'd need to compare the new hash to:

transHashSHA2

I'm not sure if that translates to:

$_POST['x_transHashSHA2']

jerry’s picture

jerry commented

FWIW, the hash change also affected SIM and DPM transactions, and I've had to patch that payment module as well. In that case, at least, the SHA-512 version of the transaction hash is contained in:

$_POST['x_SHA2_Hash']

and the validation requires the use of the new API Signature Key obtained via the Authorize.Net account interface:

$auth_hash = check_plain($_POST['x_SHA2_Hash']);
$local_hash = hash_hmac("sha512", $hash_data, pack("H*", $key));
if (drupal_strtolower($local_hash) != drupal_strtolower($auth_hash)) {
  $auth_successful = FALSE;
}

where:
$key is the hex-encoded signature key provided by Authorize
$hash_data is the concatenated data to be hashed (which changed considerably in the SIM/DPM case)

The outgoing payment POST changed as well. The MD5 hash using the transaction key was replaced by one similar to the above using the signature key. This may not be relevant to the AIM/ARB protocols.

sah62’s picture

sah62 commented

@sah62 did they say what the POST variable name would be? ie. does this need to change?

$_POST['x_MD5_Hash']

They didn't say, and unfortunately I didn't ask. I can't find a clear answer in the API documentation I've seen, either.

aneehd’s picture

aneehd commented

Hi

I am also trying to integrate this new feature.
But being confuse regarding the $_POST['x_SHA2_Hash'] parameter.

Can you please confirm that where I can get this value. I can see response array as given below:

Debug response:
Array
(
[0] => "1"
[1] => "1"
[2] => "1"
[3] => "This transaction has been approved."
[4] => "170016"
[5] => "Y"
[6] => "11111111111"
[7] => "1234"
[8] => "1x PCIASV01Q"
[9] => "10.00"
[10] => "CC"
[11] => "auth_capture"
[12] => "0"
[13] => "dev"
[14] => "test"
[15] => "test Designs"
[16] => "test"
[17] => "South San Francisco"
[18] => "CA"
[19] => "94080"
[20] => "US"
[21] => "123-456-7890"
[22] => ""
[23] => "example@gmail.com"
[24] => ""
[25] => ""
[26] => ""
[27] => ""
[28] => ""
[29] => "CA"
[30] => "94080"
[31] => "US"
[32] => ""
[33] => ""
[34] => ""
[35] => ""
[36] => ""
[37] => "7888955711D9FB2DDE879299820B80EA"
[38] => ""
[39] => ""
[40] => ""
[41] => ""
[42] => ""
[43] => ""
[44] => ""
[45] => ""
[46] => ""
[47] => ""
[48] => ""
[49] => ""
[50] => "XXXX2017"
[51] => "American Express"
[52] => ""
[53] => ""
[54] => ""
[55] => ""
[56] => ""
[57] => ""
[58] => ""
[59] => ""
[60] => ""
[61] => ""
[62] => ""
[63] => ""
[64] => ""
[65] => ""
[66] => ""
[67] => ""
[68] => ""
)

As per documentation in uc_authorizenet.module : [37] = Transaction Response MD5 Hash
Does it be a case that authorizenet not started to return x_SHA2_Hash yet ?
Thanks

jerry’s picture

jerry commented

It's hard to say. I posted about the change to SIM/DPM in the hope that they'd taken a consistent approach with AIM/ARB, but they may not have done so. I just poked around in the ARB documentation available at their website, and I didn't find any reference to the SHA-512 changes.

glynster’s picture

glynster commented

This is requested a number of times within: uc_authorizenet.module and as @sah62 pointed out uc_authorizenet.pages.inc. We only use CIM however it would appear that there are some tweaks that need updating in uc_authorizenet.module.

Lines 127 - 133

  $form['arb_settings']['uc_authnet_md5_hash'] = array(
    '#type' => 'textfield',
    '#title' => t('MD5 Hash'),
    '#description' => t('<b>Note:</b> You must first configure credit card encryption before setting this.<br />Enter the value here you entered in your Auth.Net account settings.'),
    '#default_value' => $login_data['md5_hash'],
    '#access' => user_access('administer credit cards'),
  );

Lines 175 - 192

/**
 * Submit handler for payment gateway settings form to encrypt fields.
 */
function uc_authorizenet_payment_gateway_settings_submit($form, &$form_state) {
  // If CC encryption has been configured properly.
  if ($key = uc_credit_encryption_key()) {
    // Setup our encryption object.
    $crypt = new UbercartEncryption();

    // Encrypt the Login ID, Transaction key, and MD5 Hash.
    if (!empty($form_state['values']['uc_authnet_md5_hash'])) {
      variable_set('uc_authnet_md5_hash', $crypt->encrypt($key, $form_state['values']['uc_authnet_md5_hash']));
    }

    // Store any errors.
    uc_store_encryption_errors($crypt, 'uc_authorizenet');
  }
}

Line 539

  /**
   * Response key index:
   * 0 = Response Code
   * 2 = Response Reason Code
   * 3 = Response Reason Text
   * 4 = Authorization Code
   * 5 = Address Verification Service (AVS) Response
   * 6 = Transaction ID; needed for CREDIT, PRIOR_AUTH_CAPTURE, and VOID transactions.
   * 9 = Amount
   * 11 = Transaction Type
   * 32 = Tax Amount Charged
   * 37 = Transaction Response MD5 Hash
   * 38 = Card Code (CVV) Response
   */

Lines 960 - 991

/**
 * Decrypts the login data for using Auth.Net APIs.
 */
function _uc_authorizenet_login_data() {
  static $data;

  if (!empty($data)) {
    return $data;
  }

  $md5_hash = variable_get('uc_authnet_md5_hash', '');

  // If CC encryption has been configured properly.
  if ($key = uc_credit_encryption_key()) {
    // Setup our encryption object.
    $crypt = new UbercartEncryption();

    // Decrypt the MD5 Hash.
    if (!empty($md5_hash)) {
      $md5_hash = $crypt->decrypt($key, $md5_hash);
    }

    // Store any errors.
    uc_store_encryption_errors($crypt, 'uc_authorizenet');
  }

  $data = array(
    'md5_hash' => $md5_hash,
  );

  return $data;
}

Whether it is optional or not it makes sense to create a small patch to adjust as needed right?

satter9’s picture

satter9 commented

Does anyone know if we need to make an update to Ubercart based on this update in Authorize.net? I get conflicting information as I read through my Google searches. We are using Ubercart 7x-3.8 and Ubercart Recurring Payments to process recurring subscriptions. The Authorize.net agent told me transactions would stop processing on March 14th if we do not start using the Signature Key.

Thanks,
Nils

satter9’s picture

satter9 commented

We would be interested in sponsoring a developer to write a module to accommodate this. We must have our recurring transactions continue to work. If anyone is interested please let me know.

Thanks,
Nils

glynster’s picture

glynster commented

@satter9 are you using ARB or CIM?

sean_e_dietrich’s picture

sean_e_dietrich
he/him
Primary language English
Location Sacramento, CA
commented
Status: Active » Needs review
StatusFileSize
new 3025475-ubercart-md5_hash_removal-16.patch3.62 KB

We have a need to use this. After reviewing the following pages:

* https://support.authorize.net/s/article/What-is-the-MD5-Hash-Security-fe...
* https://support.authorize.net/s/article/Silent-Post-URL

It looks like we can replace a majority of the MD5 files with just SHA2.

I've uploaded a patch that should hopefully fix this. It will require the Signature be taken from the Authorize.net's account.

tr’s picture

tr commented

PHP 5.3 testing is currently broken because of a Views bug #3039953: PHP 5.3.x fix for syntax changes Views 3.21. I triggered a retest with PHP 5.5 and PHP 7.2, and both of those tests pass.

Now we need people to test this patch and report back saying whether Authorize.net works. The upgrade path needs to be tested as well, see below.

This patch also needs a hook_update_N(), because it stops using a system variable (which should be deleted in the hook).

This patch also needs to do something to deal with the upgrade of sites that were using the old variable. Once the patch is applied and/or the upgrade is done, uc_authorizenet will no longer work until the settings are changed and saved. Perhaps a warning message printed by hook_update_N(), along with an implementation of hook_uc_store_status() to show that uc_authorizenet is not configured and to provide a link to the settings page. (See uc_ups for an example of how to do this.)

sean_e_dietrich’s picture

sean_e_dietrich
he/him
Primary language English
Location Sacramento, CA
commented
StatusFileSize
new 3025475-ubercart-md5_hash_removal-18.patch5.26 KB
new interdiff-16-18.diff1.96 KB

Thanks @TR for the direction!

Updated patch and interdiff have been uploaded.

sahil432’s picture

sahil432 commented

@sean_e_dietrich can we apply this patch in drupal 6 ubercart, Because i am facing same issue in drupal 6 and most of these files are same.

sean_e_dietrich’s picture

sean_e_dietrich
he/him
Primary language English
Location Sacramento, CA
commented

@sahil432 i'm not sure honestly if it will apply to the d6 version but you can always try it out.

John0415 made their first commit to this issue’s fork.

Surf New Media’s picture

Surf New Media commented

Hi,

Silly question on such an old module, but can I buy the patched module off of someone? I have an old site (upgrading in the next year), but the client wants this added, and for the life of me, I cannot seem to patch it myself.

Please let me know. I will pay via paypal, apple pay, or whatever you would like. Name a price.