It's misleading because even with this option the Hash extension is
still required due to usage of hash_hmac(), it's just to allow this
class to work on pre-5.5 PHP that had hash_hmac() but not hash_pbkdf2().
Since we require 7.0, this option doesn't do anything anymore.
Change-Id: Ib60ab9377b44d78b7147c6139b07dc5467da007c
Instead of having basically every caller do:
    $pf = new PasswordFactory();
    $pf->init( RequestContext::getMain()->getConfig() );
Just create a single PasswordFactory via MediaWikiServices and pass that
around. Things that want to use their own config can still pass settings
via the new constructor.
This will eventually let us remove the init() function, removing the
only hard dependency upon MediaWiki, to make it easier to librarize
(T89742).
Change-Id: I0fc7520dc023b11a7fa66083eff7b88ebfe49c7b
Similar to other non-php files used by various classes/libs.
This leaves the serialized/ empty (apart from dotfiles), and as
such the directory was removed.
Change-Id: I538ffe0828843220ac4e161cf2e119deb9bd7ac0
Replace it all with random_bytes(), leave
only MWCryptRand::generateHex() as a convenience helper.
Change-Id: Ic30376a90e66d8f00dab86e7e6466fb3a750b87d
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
From 21% to 82%.
* Added missing @covers, broadened @covers where appropriate.
* Added tests for some code that lacked them.
* Added a parameter to control the use of hash_pbkdf2() so that the pure
PHP fallback could be tested. In the non-fallback test, force the use
of the extension, and mark it skipped if it is not installed.
Bug: T167003
Change-Id: I987e1a89ec343907f4ead7f6192b2d4deb58ac16
This was added in I56b6600 in an attempt to work around a bug in
CentralAuth, but the bug has since been fixed in a better way. No hook
functions in Gerrit use the parameter (or ever have, as far as I can
tell), and anything that was passing a value other than the default
'login' has since been removed. So let's just get rid of it instead of
keeping it around doing nothing.
Change-Id: Ie604e03d268706221161ac93eb866f477e466fb4
DB uses a tinyblob field. With layered encrypted passwords, the
length gets close to 255 and can exceed it if you use a long name
for the password type. Previously these would be silently inserted
into the DB and truncated, which would lock the user out of their
account.
Change-Id: Idf0d0248b181f42d92e3ad6c3220b5331cd4d4d0
* openssl_decrypt() expects the encrypted string you give it to be the
exact one that came out of openssl_encrypt(), it doesn't expect you to
pre-decode the base64 encoding. So don't do that.
* Use the same IV when re-encrypting the underlying hash for comparison.
* Check the return value of OpenSSL functions, and report meaningful
error messages, for sysadmin convenience and to avoid e.g. giving all
users the same hash if an invalid cipher method was chosen (which was
the previous behaviour).
* Fix EncryptedPassword::update(). Tested it with eval.php since there
doesn't seem to be any callers.
Change-Id: I3a39de152d0329f93d16aa4ed43faf08f665b8e2
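The three fixes listed above (pass the stored base64 text to openssl_decrypt() unchanged, reuse the stored IV when re-encrypting for comparison, and fail on a false return) are shown together in this added example. It is not MediaWiki's EncryptedPassword code; the function names, cipher choice, key and hash values are constructed for illustration.

```php
<?php
// Added example, not MediaWiki's EncryptedPassword code. Function names, the
// cipher choice and all values are constructed for illustration.

/** @return string[] [ base64 ciphertext, base64 IV ] */
function encryptHash( string $hash, string $key, string $cipher, ?string $iv = null ): array {
	$ivLen = @openssl_cipher_iv_length( $cipher );
	if ( $ivLen === false ) {
		throw new RuntimeException( "Invalid cipher method '$cipher'" );
	}
	if ( $iv === null ) {
		$iv = $ivLen > 0 ? random_bytes( $ivLen ) : '';
	}
	// options = 0: the return value is already base64 text, or false on failure.
	$out = openssl_encrypt( $hash, $cipher, $key, 0, $iv );
	if ( $out === false ) {
		throw new RuntimeException( 'openssl_encrypt() failed: ' . openssl_error_string() );
	}
	return [ $out, base64_encode( $iv ) ];
}

function decryptHash( string $stored, string $ivB64, string $key, string $cipher ): string {
	// Hand the stored base64 text over unchanged; openssl_decrypt() decodes it.
	$plain = openssl_decrypt( $stored, $cipher, $key, 0, base64_decode( $ivB64 ) );
	if ( $plain === false ) {
		throw new RuntimeException( 'openssl_decrypt() failed: ' . openssl_error_string() );
	}
	return $plain;
}

function matchesStored( string $candidate, string $stored, string $ivB64, string $key, string $cipher ): bool {
	// Re-encrypt with the stored IV; a fresh IV would never reproduce the ciphertext.
	[ $again ] = encryptHash( $candidate, $key, $cipher, base64_decode( $ivB64 ) );
	return hash_equals( $stored, $again );
}

$key = hash( 'sha256', 'constructed demo key', true );
[ $stored, $iv ] = encryptHash( 'constructed-inner-hash', $key, 'aes-256-cbc' );
var_dump( decryptHash( $stored, $iv, $key, 'aes-256-cbc' ) );
var_dump( matchesStored( 'constructed-inner-hash', $stored, $iv, $key, 'aes-256-cbc' ) );
// Unchecked failure: false is coerced to '' and is identical for every input.
var_dump( base64_encode( (string)@openssl_encrypt( 'hash-a', 'no-such-cipher', $key ) )
	=== base64_encode( (string)@openssl_encrypt( 'hash-b', 'no-such-cipher', $key ) ) );
try {
	encryptHash( 'hash-a', $key, 'no-such-cipher' );
} catch ( RuntimeException $e ) {
	echo $e->getMessage(), "\n";
}
```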
Partially reverting Icb809274f9f63.
The broken :A: prefixed passwords generated by MW before that change
were apparently written back to the database -- there are 2.5M in enwiki
alone. Accepting them should not depend on $wgPasswordSalt, which is a
deprecated global and should soon be removed.
Change-Id: I772de0fb17245d080eb15a7d5df6bf3125e1f71a
An A-type hash is an unsalted hash. A B-type hash is a salted hash of
the form md5(salt "-" md5(password)). So it's not correct to have an
A-type hash with a salt. User::comparePasswords() and
CentralAuthUser::getPasswordFromString() already get this right, they
generate :B: prefixes for legacy salted hashes where the salt is not
specified in the database.
Change-Id: Icb809274f9f63641e54daf98332a5646fd58b550
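The A-type and B-type definitions above, and the acceptance of mis-prefixed :A: records described in the partial revert before it, are illustrated by this added example. It is not MediaWiki's own code: the ":A:<hash>", ":B:<salt>:<hash>" and ":A:<salt>:<hash>" layouts are assumed serializations, and the password and salt are constructed.

```php
<?php
// Added example, not MediaWiki's own code. The ":A:<hash>", ":B:<salt>:<hash>" and
// ":A:<salt>:<hash>" layouts are assumed serializations; inputs are constructed.

/** @return array{salt:?string,hash:string,broken:bool} */
function parseLegacyHash( string $stored ): array {
	$parts = explode( ':', $stored );
	// The leading ':' produces an empty first element.
	if ( count( $parts ) < 3 || $parts[0] !== '' ) {
		throw new InvalidArgumentException( 'Malformed legacy hash' );
	}
	$type = $parts[1];
	$fields = array_slice( $parts, 2 );
	$hash = $fields[count( $fields ) - 1];
	if ( !preg_match( '/^[0-9a-f]{32}$/', $hash ) ) {
		throw new InvalidArgumentException( 'Not an MD5 hex digest' );
	}
	if ( $type === 'A' && count( $fields ) === 1 ) {
		return [ 'salt' => null, 'hash' => $hash, 'broken' => false ];
	}
	if ( $type === 'B' && count( $fields ) === 2 ) {
		return [ 'salt' => $fields[0], 'hash' => $hash, 'broken' => false ];
	}
	if ( $type === 'A' && count( $fields ) === 2 ) {
		// Salted value written with the wrong prefix: verify as B, flag for rewrite.
		return [ 'salt' => $fields[0], 'hash' => $hash, 'broken' => true ];
	}
	throw new InvalidArgumentException( "Unsupported legacy hash type '$type'" );
}

function verifyLegacyHash( string $stored, string $password ): bool {
	$p = parseLegacyHash( $stored );
	// The decision depends only on the stored record, not on a global salt setting.
	$expected = $p['salt'] === null
		? md5( $password )
		: md5( $p['salt'] . '-' . md5( $password ) );
	return hash_equals( $p['hash'], $expected );
}

// Constructed records: salt "1234" stands in for whatever salt the wiki used.
$pw = 'constructed-password';
$b = ':B:1234:' . md5( '1234-' . md5( $pw ) );
$brokenA = ':A:1234:' . md5( '1234-' . md5( $pw ) );
foreach ( [ ':A:' . md5( $pw ), $b, $brokenA ] as $rec ) {
	printf( "%s broken=%s ok=%s\n", substr( $rec, 0, 8 ),
		var_export( parseLegacyHash( $rec )['broken'], true ),
		var_export( verifyLegacyHash( $rec, $pw ), true ) );
}
```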
To prevent a bad password configuration from accidentally allowing
users to bypass authentication, throw an exception if either hash or
hash_pbkdf2 return false.
Also, ensure md5() returned a sane hash.
Bug: T127420
Change-Id: If3664941236e4065eb8db11b0a211fd6210de631
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Changes here are:
* action=login is deprecated for use other than bot passwords
* list=users will indicate if a missing user name is creatable.
* Added action=query&meta=authmanagerinfo
* Added action=clientlogin, which is to be used to log into the main account
* action=createaccount is changed in a non-BC manner
* Added action=linkaccount
* Added action=unlinkaccount
* Added action=changeauthenticationdata
* Added action=removeauthenticationdata
* Added action=resetpassword
Bug: T110276
Bug: T110747
Bug: T110751
Bug: T32788
Bug: T67857
Bug: T28597
Bug: T76103
Change-Id: I244fa9b1e0623247d6d9fa30990411c6df94a496
This changes the default config to not allow the top 25 passwords
to be used by Sysop/Crats. This should almost certainly be set to
a higher number, but I think it's best to wait until after this is
committed to argue over what the best value is.
I would expect that once this is committed, there would be a config
change for wmf wikis, so that there is no change until this has
been discussed with the community.
The included common password file was generated from the first
10000 entries of
https://github.com/danielmiessler/SecLists/blob/master/Passwords/rockyou.txt?raw=true
10,000 was chosen based on csteipp's suggestion.
Change-Id: I26a9e8f2318a1eed33d7638b125695e8de3a9796
AuthManager is coming, which will make it easier to add alternative
methods of authentication. But in order to do that, we need to finally
get around to ripping the password-related bits out of the User class.
The password expiration handling isn't used anywhere in core or
extensions in Gerrit beyond testing for expired passwords on login and
resetting the expiry date on password change. Those bits have been
inlined and the functions removed; AuthManager will allow each
"authentication provider" to handle its own password expiration.
The methods for fetching passwords, including the fact that mPassword
and other fields are public, have also been removed. This is already
broken in combination with basically any extension that messes with
authentication, and the major use outside of that was in creating
system users like MassMessage's "MediaWiki message delivery" user.
Password setting methods are silently deprecated, since most of the
replacements won't be available until AuthManager. But uses in unit
testing can be replaced with TestUser::setPasswordForUser() immediately.
User::randomPassword() and User::getPasswordFactory() don't really
belong in User either. For the former a new PasswordFactory method has
been created, while the latter should just be replaced by the two lines
to create a PasswordFactory via its constructor.
Bug: T47716
Change-Id: I2c736ad72d946fa9b859e6cd335fa58aececc0d5
Allow callers to specify why they are checking a password's validity, so
some checks can be modified. Only check the default policy on creation,
since the account doesn't exist it's not a member of any groups.
Bug: T104615
Change-Id: I56b66002562aaa1493d94a90309bc8e4ae3841c8
Refactor password checking a little to allow skipping the normal flow
in a special situation like this.
Bug: T104092
Change-Id: Ib4a4e1f34b6963a6414c6f88893884b0ec369ca5
Make password policies defined in a configurable policy, which is
defined by group. A user's password policy will be the maximum of
each group policy that the user belongs to.
Bug: T94774
Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
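The per-group policy described above, together with the earlier notes that only the default policy applies at account creation and that privileged groups are barred from the most common passwords, is sketched in this added example. It is not MediaWiki's own code: the check names, group values and the short common-password list are constructed, and 'default' is assumed to apply to every user.

```php
<?php
// Added example, not MediaWiki's own code. Check names, values and the ranked
// common-password list are constructed; 'default' is assumed to apply to everyone.

$policies = [
	'default'    => [ 'MinimalLength' => 1, 'RejectTopCommon' => 0 ],
	'sysop'      => [ 'MinimalLength' => 8, 'RejectTopCommon' => 25 ],
	'bureaucrat' => [ 'MinimalLength' => 10 ],
];

/** Strictest (maximum) value of each check across the default and every group. */
function effectivePolicy( array $policies, array $groups ): array {
	$effective = $policies['default'] ?? [];
	foreach ( $groups as $group ) {
		foreach ( $policies[$group] ?? [] as $check => $value ) {
			$effective[$check] = max( $effective[$check] ?? 0, $value );
		}
	}
	return $effective;
}

/** @return string[] list of failed checks, empty when the password passes */
function checkPassword( string $password, array $policy, array $commonRanked ): array {
	$errors = [];
	if ( strlen( $password ) < ( $policy['MinimalLength'] ?? 0 ) ) {
		$errors[] = 'too short';
	}
	// Only the first N entries of the ranked list are forbidden.
	$top = array_slice( $commonRanked, 0, $policy['RejectTopCommon'] ?? 0 );
	if ( in_array( strtolower( $password ), $top, true ) ) {
		$errors[] = 'too common';
	}
	return $errors;
}

$common = [ 'password', '123456', 'qwerty' ]; // constructed, most common first
// A new account is in no groups yet, so only the default policy applies.
$atCreation = effectivePolicy( $policies, [] );
$admin = effectivePolicy( $policies, [ 'sysop', 'bureaucrat' ] );
print_r( $admin );
print_r( checkPassword( 'qwerty', $atCreation, $common ) );
print_r( checkPassword( 'qwerty', $admin, $common ) );
```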
I noticed MWOldPassword is broken while working on
I7024b287a7. When generating new passwords for it,
a superfluous : is being added to the serialized hash
within the database (and that breaks parsing so that
people can't ever log in).
As this is not really relevant in the real world (as
nobody is hopefully using plain MD5 passwords anymore),
this doesn't need any backward compatibility handling
for the broken hashes.
Change-Id: I753c135a6de39008488bd7462c2bfcda2cbac116
By only updating the user row in the database, if needed
and by making use of md5 for passwords instead of slower
hashing.
This cut down run time of some Wikibase API tests to 20%
of the original value for me!
Also it reduces the run time of MediaWiki's test suite
by about 45s on jenkins.
Change-Id: I7024b287a71fe9b327dbcdc5427cd8edb5047606
Various code passes null around to mean "an invalid password". It
shouldn't all have to test for null and specially handle that.
This also fixes a codepath where User::$mNewpassword could get set to an
empty string rather than a password object, which would cause problems
later when anything else tries to use it.
Bug: 71421
Change-Id: Ib5f94b52c07e7dba89328b98fb43c86db95ee09f
It seems HHVM does not like the use of
dynamic typing in hash_pbkdf2() (also it's
kind of not the best idea in general), so
added explicit (int) casting to parameters.
Follows-up: I0a9c972931a0eff0cfb2619cef3ddffd03710285
Change-Id: I8adae3cc2cdf8029be59e2d62a3ab0fbfb73b7aa
Slight syntax code change for $wgPasswordDefault in DefaultSettings.php
and fixed reference to global in BcryptPassword.php.
Change-Id: I8d1d12c09ecd2f422f21a586e948f314e29fa605
Deprecated the old User::crypt, et al. password hashing
system and implemented an extensible password hashing
API.
The new Password class allows registering of child classes
and provides factory functions for creating new Password
objects. The built-in hash types are the old MediaWiki MD5
types, which are for backwards-compatibility only, and bcrypt.
Also included is support for wrapping existing hashes as well
as encrypting passwords with a configured encryption key.
Bug: 54948
Bug: 28419
Change-Id: I0a9c972931a0eff0cfb2619cef3ddffd03710285