Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/utils
History
Kevin Israel 7d250d2109 Remove CryptHKDF and MWCryptHKDF 
MWCryptHKDF was added ten years ago (in af66c04d39), and as far as
I can tell, it was never used anywhere. It seems unlikely that CryptHKDF
will be used in the future, at least in its current form, for several
reasons:

* PHP 7.1.2+ has hash_hkdf(), so HKDF() would not be needed.

* At the time MWCryptHKDF was created, access to a CSPRNG was dependent
  on server configuration: operating system, enabled PHP extensions,
  open_basedir, etc. The "clock drift" RNG used as a last resort was not
  considered to be secure or fast enough for generating large amounts of
  output.[1] random_bytes(), added in PHP 7, changed the situation.

* Depleting the input pool of Linux's RNG is no longer a concern; there
  is no more blocking output pool for /dev/random.[2][3] In 2022, this
  change and others, including some that improved performance,[4] were
  backported to stable kernels as old as 4.9.[5]

* $wgAuthenticationTokenVersion obviated the primary use case of
  quickly resetting the user_token field for all users, assuming all
  the existing tokens are unique.

* CryptHKDF seems to perform much slower than random_bytes(), at least
  on Linux, making it pointless to use given that the other reasons for
  its existence no longer apply.

[1]: https://bots.wmflabs.org/logs/%23mediawiki-core/20161004.txt
[2]: https://lwn.net/Articles/808575/
[3]: https://lore.kernel.org/all/cover.1577088521.git.luto@kernel.org/
[4]: https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
[5]: https://lore.kernel.org/all/Yo3pmh9hiUFtQz77@zx2c4.com/T/

Change-Id: I29136fad826341d21728671aa30285d5551f1162
2024-11-10 22:49:37 -05:00
..
AutoloadGenerator.php
BatchRowIterator.php Remove unchecked exception annotations 2024-09-17 22:20:58 +02:00
BatchRowUpdate.php
BatchRowWriter.php
ClassCollector.php
ExecutableFinder.php
ExtensionInfo.php
FileContentsHasher.php
GitInfo.php utils: Add missing documentation to class properties 2024-09-01 14:40:01 +00:00
MWCryptRand.php
MWFileProps.php Add namespace to remaining parts of Wikimedia\FileBackend 2024-10-03 16:21:22 +00:00
MWRestrictions.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
MWTimestamp.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
README
RowUpdateGenerator.php
UrlUtils.php
ZipDirectoryReader.php Merge "utils: Add missing documentation to class properties" 2024-09-01 15:19:10 +00:00
ZipDirectoryReaderError.php utils: Add missing documentation to class properties 2024-09-01 14:40:01 +00:00

README 

The classes in this directory are general utilities for use by any part of
MediaWiki. They do not favour any particular user interface and are not
constrained to serve any particular feature. This is similar to includes/libs,
except that some dependency on the MediaWiki framework (such as the use of
Status or wfDebug()) disqualifies them from use outside of
MediaWiki without modification.

Utilities should not use global configuration variables, rather they should rely
on the caller to configure their behaviour.