From 21% to 82%.
* Added missing @covers, broadened @covers where appropriate.
* Added tests for some code that lacked them.
* Added a parameter to control the use of hash_pbkdf2() so that the pure
  PHP fallback could be tested. In the non-fallback test, force the use
  of the extension, and mark it skipped if it is not installed.
Bug: T167003
Change-Id: I987e1a89ec343907f4ead7f6192b2d4deb58ac16

To prevent a bad password configuration from accidentally allowing
users to bypass authentication, throw an exception if either hash or
hash_pbkdf2 returns false.
Also, ensure md5() returned a sane hash.
Bug: T127420
Change-Id: If3664941236e4065eb8db11b0a211fd6210de631
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
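
One way the bypass described in the commit message above can arise, as an added illustration (not code from the commit or from MediaWiki): if a failed key derivation comes back as false and is compared anyway, two failures match for any password. All function names, the sample configuration and the misspelled algorithm name are constructed for this example.

```php
<?php
// Added illustration; not MediaWiki code. All names and values are constructed.
/** Pre-fix shape: a failed derivation comes back as false instead of an error. */
function deriveUnchecked(string $algo, string $pw, string $salt, int $rounds, int $len) {
    try {
        // PHP 7 returns false (with a warning) for an unknown algorithm name.
        return @hash_pbkdf2($algo, $pw, $salt, $rounds, $len, true);
    } catch (ValueError $e) {
        // PHP 8 throws instead; return false to reproduce the older behaviour.
        return false;
    }
}

/** Hardened shape: anything other than a hash of the expected size is fatal. */
function deriveChecked(string $algo, string $pw, string $salt, int $rounds, int $len): string {
    $hash = deriveUnchecked($algo, $pw, $salt, $rounds, $len);
    if (!is_string($hash) || strlen($hash) !== $len) {
        throw new RuntimeException("PBKDF2 derivation failed for algorithm '$algo'");
    }
    return $hash;
}

/** Fails open: when both derivations failed, false === false for any candidate. */
function verifyUnchecked(array $cfg, $stored, string $candidate): bool {
    return deriveUnchecked($cfg['algo'], $candidate, $cfg['salt'], $cfg['rounds'], $cfg['len']) === $stored;
}

/** Fails closed: a broken configuration raises before any comparison happens. */
function verifyChecked(array $cfg, string $stored, string $candidate): bool {
    $hash = deriveChecked($cfg['algo'], $candidate, $cfg['salt'], $cfg['rounds'], $cfg['len']);
    return hash_equals($stored, $hash);
}

// Constructed configuration with a misspelled algorithm ('sha-256' for 'sha256').
$bad = ['algo' => 'sha-256', 'salt' => 'constructed-salt', 'rounds' => 1000, 'len' => 32];
$stored = deriveUnchecked($bad['algo'], 'correct horse', $bad['salt'], $bad['rounds'], $bad['len']);
echo 'unchecked, bad config, wrong password: ';
var_dump(verifyUnchecked($bad, $stored, 'not the password'));
try {
    verifyChecked($bad, (string)$stored, 'not the password');
} catch (RuntimeException $e) {
    echo 'checked, bad config: ', $e->getMessage(), "\n";
}
$good = ['algo' => 'sha256'] + $bad; // same settings with a valid algorithm
$storedGood = deriveChecked($good['algo'], 'correct horse', $good['salt'], $good['rounds'], $good['len']);
echo 'checked, good config, right password: ';
var_dump(verifyChecked($good, $storedGood, 'correct horse'));
echo 'checked, good config, wrong password: ';
var_dump(verifyChecked($good, $storedGood, 'not the password'));
```
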

It seems HHVM does not like the use of
dynamic typing in hash_pbkdf2() (also it's
kind of not the best idea in general), so
added explicit (int) casting to parameters.
Follows-up: I0a9c972931a0eff0cfb2619cef3ddffd03710285
Change-Id: I8adae3cc2cdf8029be59e2d62a3ab0fbfb73b7aa

Deprecated the old User::crypt, et al. password hashing
system and implemented an extensible password hashing
API.
The new Password class allows registering of child classes
and provides factory functions for creating new Password
objects. The built-in hash types are the old MediaWiki MD5
types, which are for backwards-compatibility only, and bcrypt.
Also included is support for wrapping existing hashes as well
as encrypting passwords with a configured encryption key.
Bug: 54948
Bug: 28419
Change-Id: I0a9c972931a0eff0cfb2619cef3ddffd03710285