Move ext-openssl from suggest to require
openssl provides the proper password hashing algorithm, so it is needed in order to have safe and efficient password hashing. Change-Id: I61498275c7f7cf19787f0aee50dc4884c57b82b2
parent
75cfc97d17
commit
e4127e5864
9 changed files with 7 additions and 60 deletions
1
INSTALL
1
INSTALL
|
|
@ -16,6 +16,7 @@ Required software as of MediaWiki 1.43.0:
|
|||
** json
|
||||
** libxml
|
||||
** mbstring
|
||||
** openssl
|
||||
** xml
|
||||
** xmlreader
|
||||
* A SQL server, the following types are supported
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ oldest supported upgrading version, MediaWiki 1.35.
|
|||
|
||||
Some specific notes for MediaWiki 1.43 upgrades are below:
|
||||
|
||||
* It is now necessary that the OpenSSL PHP extension is installed.
|
||||
* …
|
||||
|
||||
For notes on 1.42.x and older releases, see HISTORY.
|
||||
|
|
@ -36,6 +37,8 @@ For notes on 1.42.x and older releases, see HISTORY.
|
|||
|
||||
==== Removed configuration ====
|
||||
|
||||
* wgSessionInsecureSecrets has been removed since OpenSSL is now a required
|
||||
PHP extension.
|
||||
* …
|
||||
|
||||
=== New user-facing features in 1.43 ===
|
||||
|
|
@ -246,6 +249,7 @@ MediaWiki 1.43 requires PHP 8.1.0 or later and the following PHP extensions:
|
|||
* intl
|
||||
* json
|
||||
* mbstring
|
||||
* openssl
|
||||
* xml
|
||||
|
||||
MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@
|
|||
"ext-json": "*",
|
||||
"ext-libxml": "*",
|
||||
"ext-mbstring": "*",
|
||||
"ext-openssl": "*",
|
||||
"ext-xml": "*",
|
||||
"ext-xmlreader": "*",
|
||||
"guzzlehttp/guzzle": "7.8.1",
|
||||
|
|
@ -121,7 +122,6 @@
|
|||
"ext-gd": "Enable thumbnails for file uploads.",
|
||||
"ext-gmp": "Increased performance of some operations. Required especially on 32 bit machines. This or ext-bcmath are needed for scrambling Temporary Accounts.",
|
||||
"ext-mysqli": "Enable the MySQL and MariaDB database type for MediaWiki.",
|
||||
"ext-openssl": "Encrypt session data (or opt-out via $wgSessionInsecureSecrets).",
|
||||
"ext-pdo": "Enable the SQLite database type for MediaWiki.",
|
||||
"ext-pgsql": "Enable the PostgreSQL database type for MediaWiki.",
|
||||
"ext-posix": "Enable CLI concurrent processing, e.g. for runJobs.php.",
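Review bot: Moving `ext-openssl` into `require` only enforces the dependency for Composer-driven installs; a tarball install without the extension will not fail until Session::getEncryptionAlgorithm() throws at first use, so any separate list of hard-required extensions that the installer or the entry-point environment check maintains (if one exists) needs `openssl` added as well, and none of the nine files in this commit looks like that code. The `"*"` constraint matches the neighbouring `ext-*` entries, so that part is consistent, and dropping the `suggest` entry that still named `$wgSessionInsecureSecrets` is correct. This appears to be composer.json, though the file name is not shown on this page.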
|
||||
|
|
|
|||
|
|
@ -5863,14 +5863,6 @@ config-schema:
|
|||
This should be set in LocalSettings.php, otherwise $wgSecretKey will
|
||||
be used.
|
||||
@since 1.27
|
||||
SessionInsecureSecrets:
|
||||
default: false
|
||||
description: |-
|
||||
If for some reason you can't install the PHP OpenSSL extension,
|
||||
you can set this to true to make MediaWiki work again at the cost of storing
|
||||
sensitive session data insecurely. But it would be much more secure to just
|
||||
install the OpenSSL extension.
|
||||
@since 1.27
|
||||
HKDFSecret:
|
||||
default: false
|
||||
description: |-
|
||||
|
|
|
|||
|
|
@ -3107,12 +3107,6 @@ $wgRestAllowCrossOriginCookieAuth = null;
|
|||
*/
|
||||
$wgSessionSecret = null;
|
||||
|
||||
/**
|
||||
* Config variable stub for the SessionInsecureSecrets setting, for use by phpdoc and IDEs.
|
||||
* @see MediaWiki\MainConfigSchema::SessionInsecureSecrets
|
||||
*/
|
||||
$wgSessionInsecureSecrets = null;
|
||||
|
||||
/**
|
||||
* Config variable stub for the HKDFSecret setting, for use by phpdoc and IDEs.
|
||||
* @see MediaWiki\MainConfigSchema::HKDFSecret
|
||||
|
|
|
|||
|
|
@ -3122,12 +3122,6 @@ class MainConfigNames {
|
|||
*/
|
||||
public const SessionSecret = 'SessionSecret';
|
||||
|
||||
/**
|
||||
* Name constant for the SessionInsecureSecrets setting, for use with Config::get()
|
||||
* @see MainConfigSchema::SessionInsecureSecrets
|
||||
*/
|
||||
public const SessionInsecureSecrets = 'SessionInsecureSecrets';
|
||||
|
||||
/**
|
||||
* Name constant for the HKDFSecret setting, for use with Config::get()
|
||||
* @see MainConfigSchema::HKDFSecret
|
||||
|
|
|
|||
|
|
@ -9347,18 +9347,6 @@ class MainConfigSchema {
|
|||
'default' => false,
|
||||
];
|
||||
|
||||
/**
|
||||
* If for some reason you can't install the PHP OpenSSL extension,
|
||||
* you can set this to true to make MediaWiki work again at the cost of storing
|
||||
* sensitive session data insecurely. But it would be much more secure to just
|
||||
* install the OpenSSL extension.
|
||||
*
|
||||
* @since 1.27
|
||||
*/
|
||||
public const SessionInsecureSecrets = [
|
||||
'default' => false,
|
||||
];
|
||||
|
||||
/**
|
||||
* Secret for hmac-based key derivation function (fast,
|
||||
* cryptographically secure random numbers).
|
||||
|
|
|
|||
|
|
@ -1816,7 +1816,6 @@ return [
|
|||
'AllowCrossOrigin' => false,
|
||||
'RestAllowCrossOriginCookieAuth' => false,
|
||||
'SessionSecret' => false,
|
||||
'SessionInsecureSecrets' => false,
|
||||
'HKDFSecret' => false,
|
||||
'HKDFAlgorithm' => 'sha256',
|
||||
'CookieExpiration' => 2592000,
|
||||
|
|
|
|||
|
|
@ -453,9 +453,6 @@ class Session implements \Countable, \Iterator, \ArrayAccess {
|
|||
* @return array
|
||||
*/
|
||||
private static function getEncryptionAlgorithm() {
|
||||
$sessionInsecureSecrets = MediaWikiServices::getInstance()->getMainConfig()
|
||||
->get( MainConfigNames::SessionInsecureSecrets );
|
||||
|
||||
if ( self::$encryptionAlgorithm === null ) {
|
||||
if ( function_exists( 'openssl_encrypt' ) ) {
|
||||
$methods = openssl_get_cipher_methods();
|
||||
|
|
@ -469,17 +466,8 @@ class Session implements \Countable, \Iterator, \ArrayAccess {
|
|||
}
|
||||
}
|
||||
|
||||
if ( $sessionInsecureSecrets ) {
|
||||
// @todo: import a pure-PHP library for AES instead of this
|
||||
self::$encryptionAlgorithm = [ 'insecure' ];
|
||||
return self::$encryptionAlgorithm;
|
||||
}
|
||||
|
||||
throw new BadMethodCallException(
|
||||
'Encryption is not available. You really should install the PHP OpenSSL extension. ' .
|
||||
'But if you really can\'t and you\'re willing ' .
|
||||
'to accept insecure storage of sensitive session data, set ' .
|
||||
'$wgSessionInsecureSecrets = true in LocalSettings.php to make this exception go away.'
|
||||
'Encryption is not available. You need to install the PHP OpenSSL extension.'
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -502,7 +490,6 @@ class Session implements \Countable, \Iterator, \ArrayAccess {
|
|||
// Chris Steipp's OATHAuthUtils class in Extension::OATHAuth.
|
||||
|
||||
// Encrypt
|
||||
// @todo: import a pure-PHP library for AES instead of doing $wgSessionInsecureSecrets
|
||||
$iv = random_bytes( 16 );
|
||||
$algorithm = self::getEncryptionAlgorithm();
|
||||
switch ( $algorithm[0] ) {
|
||||
|
|
@ -512,11 +499,6 @@ class Session implements \Countable, \Iterator, \ArrayAccess {
|
|||
throw new \UnexpectedValueException( 'Encryption failed: ' . openssl_error_string() );
|
||||
}
|
||||
break;
|
||||
case 'insecure':
|
||||
$ex = new RuntimeException( 'No encryption is available, storing data as plain text' );
|
||||
$this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
|
||||
$ciphertext = $serialized;
|
||||
break;
|
||||
default:
|
||||
throw new LogicException( 'invalid algorithm' );
|
||||
}
|
||||
|
|
@ -575,13 +557,6 @@ class Session implements \Countable, \Iterator, \ArrayAccess {
|
|||
return $default;
|
||||
}
|
||||
break;
|
||||
case 'insecure':
|
||||
$ex = new RuntimeException(
|
||||
'No encryption is available, retrieving data that was stored as plain text'
|
||||
);
|
||||
$this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
|
||||
$serialized = base64_decode( $ciphertext );
|
||||
break;
|
||||
default:
|
||||
throw new \LogicException( 'invalid algorithm' );
|
||||
}
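Review bot: Removing the `'insecure'` branch from the getSecret() switch in the last hunk means a secret that was written as plain base64 while `$wgSessionInsecureSecrets = true` will, on an upgraded wiki, be fed to the openssl case instead, whose failure path returns `$default` (visible at the top of the hunk) rather than surfacing an error. Such values are therefore dropped silently after the upgrade; that is probably acceptable, but the RELEASE-NOTES hunk does not say so, and I would add an upgrade note such as `* Session secrets stored while $wgSessionInsecureSecrets was enabled cannot be read after upgrading and are treated as absent.` The unseal/HMAC step that precedes the decrypt is outside the hunk, so I cannot tell whether it would reject those values earlier. The bodies of getEncryptionAlgorithm(), setSecret() and getSecret() all begin and end outside the hunks shown.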
|
||||
|
|
|
|||