path: root/includes/password
Commit message [Author, Age, Files, Lines]
...
* Unsuppress another phan issue (part 7) [Daimona Eaytoy, 2019-09-03, 1, -0/+4]
|   Bug: T231636
|   Depends-On: I2cd24e73726394e3200a570c45d5e86b6849bfa9
|   Depends-On: I4fa3e6aad872434ca397325ed7a83f94973661d0
|   Change-Id: Ie6233561de78457cae5e4e44e220feec2d1272d8
* Remove hard deprecation of PasswordPolicyChecks::checkPopularPasswordBlacklist [Reedy, 2019-08-27, 1, -2/+0]
|   It's causing quite a bit of WMF log spam because it's still used in
|   wmf-config
|
|   Partial revert of I4c90e361b7538efeb0c5efa7ca61aed2e468591c
|
|   Change-Id: I7d1282e4260e7a42bee35b81d77470eb40dea818
* Remove unnecessary semi-colons [Derick Alangi, 2019-06-12, 1, -1/+1]
|   Change-Id: I9eb65bdfbd3aa581effc14ead801b9e89b0359c3
* Hard deprecate Password::equals() [Max Semenik, 2019-04-12, 3, -0/+7]
|   Change-Id: I8d655a4f7a57f2186b1457d956af74bf21d4db08
* Password: update documentation [Max Semenik, 2019-03-17, 1, -10/+3]
|   Change-Id: Ifd7afc48e301a7985c2dd9134a7ea75af9bfeb4b
* Add password policy setting `suggestChangeOnLogin` [Dayllan Maza, 2019-03-09, 1, -4/+20]
|   Password policy checks that fail and have `suggestChangeOnLogin` set to
|   true will prompt for a password change on login.
|
|   Below are some rules that apply to this setting in different scenarios:
|   - If only one policy fails and has `suggestChangeOnLogin = false`, a
|     password change will not be requested
|   - If more than one policy fails and one or more have
|     `suggestChangeOnLogin` set to true, a password change will be requested
|   - If `forceChange` is present in any of the failing policies,
|     `suggestChangeOnLogin` value will be ignored and password change will
|     be enforced
|   - if $wgInvalidPasswordReset is set to false `suggestChangeOnLogin` is
|     ignored
|
|   **IMPORTANT** Before this patch, suggesting a password change was the
|   default behavior (depending on $wgInvalidPasswordReset), which means that
|   the necessary changes to $wgPasswordPolicy need to be in place before
|   this patch is merged and gets to production.
|
|   Bug: T211621
|   Change-Id: I7a4a0a06273fa4e8bd0da3dac54cf5a1b78bb3fd
* Fix usage of MediaWikiServices in comments and documentation [Fomafix, 2019-03-03, 1, -1/+2]
|   MediaWikiServices::getFoo() is wrong. Right is:
|   MediaWikiServices::getInstance()->getFoo()
|
|   Change-Id: Ib6d844ddfe5bd6ccd72b887a63d9ad476c8d196f
* Merge "Fix grammar in UserPasswordPolicy documentation" [jenkins-bot, 2019-02-22, 1, -4/+4]
|\
| * Fix grammar in UserPasswordPolicy documentation [Thalia, 2019-02-20, 1, -4/+4]
| |   Change-Id: I423d5ce9f9a778ee21381ba433a52b8bd3e154fc
* | Add support for Argon2 password hashing [Max Semenik, 2019-02-10, 2, -4/+131]
|/
|   So far, everything we had was vulnerable to newest advances in GPU
|   cracking and timing side-channel attacks. Argon2 was designed
|   specifically to address these problems. Unfortunately, PHP support is
|   lagging, with some builds missing Argon2id or even Argon2i.
|
|   Change-Id: Ifdf648f5d8a734a663e630286724a6d0a87c7510
* Password: replace equals() with verify() [Max Semenik, 2019-01-24, 2, -6/+29]
|   So far, our key derivation code assumed that it has control over the
|   salt used by the derivation routines, however I want to add Argon2
|   support and it doesn't work this way: password_hash() generates the salt
|   itself, and the only way to verify a password is by using
|   password_verify(). Current way the things are done doesn't support it
|   because it relies on the result of password hashing with parameters we
|   provide to be deterministic.
|
|   Therefore, I'm deprecating Password::equals(), as well as whole concept
|   of comparing Password objects - it's used only in tests anyway. It's
|   getting replaced with verify() that only accepts password strings. Uses
|   of old function are fixed with exception of a few calls in tests that
|   will be addressed in my Argon2 patch.
|
|   Change-Id: I2b2be9a422ee0f773490eac316ad81505c3f8571
* Add force option to password policy [Gergő Tisza, 2019-01-02, 1, -13/+40]
|   Adds a way to set an array of options for a password policy. Currently
|   there is one option, 'forceChange', which forces the user to change
|   their password (if it fails the given check) before logging in.
|
|   Bug: T118774
|   Change-Id: I28c31fc4eae08c3ac44eff3a05f5e785ce4b9e01
* Deprecate PasswordPolicyChecks::checkPopularPasswordBlacklist [Reedy, 2018-12-27, 1, -0/+3]
|   Change-Id: I4c90e361b7538efeb0c5efa7ca61aed2e468591c
* Deprecate User::getPasswordValidity() [Gergő Tisza, 2018-12-20, 1, -8/+20]
|   Unused, the return format does not seem useful.
|
|   Also improve the documentation of $wgPasswordPolicy and
|   PasswordPolicyChecks.
|
|   Change-Id: Ic01e80cfefc4cfb0eee1eccc6a66942f692278a0
* Merge "PasswordPbkdf2: remove the 'use-hash-extension' option" [jenkins-bot, 2018-12-04, 1, -43/+10]
|\
| * PasswordPbkdf2: remove the 'use-hash-extension' option [Max Semenik, 2018-11-30, 1, -43/+10]
| |   It's misleading because even with this option the Hash extension is
| |   still required due to usage of hash_hmac(), it's just to allow this
| |   class to work on pre-5.5 PHP that had hash_hmac() but not
| |   hash_pbkdf(). Since we require 7.0, this option doesn't do anything
| |   anymore.
| |
| |   Change-Id: Ib60ab9377b44d78b7147c6139b07dc5467da007c
* | Changing "===" on secrets to hash_equals to protect from timing attacks. [Mogmog123, 2018-12-01, 1, -3/+6]
|/
|   Bug: T207777
|   Change-Id: I1e12ef94f455f96b4d70af27a315414500c709ab
* Add PasswordPolicy to check the password isn't in the large blacklist [Reedy, 2018-11-24, 1, -0/+22]
|   Add wikimedia/password-blacklist 0.1.3, which contains 100,000 common
|   passwords
|
|   Bug: T151425
|   Change-Id: I80572fcee6d23ea04ad9ee683157bab9378b660e
|   Depends-On: I8aea5a44248da9bb9ff7b328679bff6fcf41750d
* Merge "password: Move commonpasswords.cdb to includes/password/" [jenkins-bot, 2018-08-14, 1, -0/+0]
|\
| * password: Move commonpasswords.cdb to includes/password/ [Timo Tijhof, 2018-08-01, 1, -0/+0]
| |   Similar to other non-php files used by various classes/libs.
| |
| |   This leaves the serialized/ empty (apart from dotfiles), and as such
| |   the directory was removed.
| |
| |   Change-Id: I538ffe0828843220ac4e161cf2e119deb9bd7ac0
* | Mass conversion of $wgContLang to service [Aryeh Gregor, 2018-08-11, 1, -2/+5]
| |   Brought to you by vim macros.
| |
| |   Bug: T200246
| |   Change-Id: I79e919f4553e3bd3eb714073fed7a43051b4fb2a
* | Add PasswordFactory to MediaWikiServices [Kunal Mehta, 2018-08-02, 1, -3/+29]
|/
|   Instead of having basically every caller do:
|     $pf = new PasswordFactory();
|     $pf->init( RequestContext::getMain()->getConfig() );
|   Just create a single PasswordFactory via MediaWikiServices and pass that
|   around. Things that want to use their own config can still pass settings
|   via the new constructor.
|
|   This will eventually let us remove the init() function, removing the
|   only hard dependency upon MediaWiki, to make it easier to librarize
|   (T89742).
|
|   Change-Id: I0fc7520dc023b11a7fa66083eff7b88ebfe49c7b
* Clean up CSPRNG support for PHP7 [Max Semenik, 2018-06-10, 3, -4/+4]
|   Replace it all with random_bytes(), leave only
|   MWCryptRand::generateHex() as a convenience helper.
|
|   Change-Id: Ic30376a90e66d8f00dab86e7e6466fb3a750b87d
* Use PHP 7 '??' operator instead of '?:' with 'isset()' where convenient [Bartosz Dziewoński, 2018-05-30, 1, -2/+1]
|   Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
|   Replace with: '\1 ?? '
|
|   (Everywhere except includes/PHPVersionCheck.php)
|   (Then, manually fix some line length and indentation issues)
|
|   Then manually reviewed the replacements for cases where confusing
|   operator precedence would result in incorrect results (fixing those in
|   I478db046a1cc162c6767003ce45c9b56270f3372).
|
|   Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
* Autofix MediaWiki.Commenting.FunctionComment.SpacingDoc* errors [Kunal Mehta, 2018-05-19, 1, -2/+2]
|   Change-Id: I63761ebce04c03b9b13237919c27cc10180f198f
* Use ::class to resolve class names in includes files [Umherirrender, 2018-01-27, 1, -1/+1]
|   This helps to find renamed or misspelled classes earlier.
|   Phan will check the class names
|
|   Change-Id: I07a925c2a9404b0865e8a8703864ded9d14aa769
* Remove leading backslashes from "use \…" tags [Thiemo Mättig, 2017-12-28, 1, -1/+1]
|   Change-Id: I494b029de089a07e3b946ee78293a12d5036f63e
* Improve test coverage in includes/password [Tim Starling, 2017-06-07, 1, -1/+6]
|   From 21% to 82%.
|
|   * Added missing @covers, broadened @covers where appropriate.
|   * Added tests for some code that lacked them.
|   * Added a parameter to control the use of hash_pbkdf2() so that the pure
|     PHP fallback could be tested. In the non-fallback test, force the use
|     of the extension, and mark it skipped if it is not installed.
|
|   Bug: T167003
|   Change-Id: I987e1a89ec343907f4ead7f6192b2d4deb58ac16
* Decrease the number of 'function says it should return something' errors [Max Semenik, 2016-12-15, 2, -3/+2]
|   Change-Id: Ib5115fe5bbaa67d8a6e54cc3ba1ba7020e239e11
* Remove $purpose parameter from password validity check [Brad Jorsch, 2016-12-01, 1, -14/+9]
|   This was added in I56b6600 in an attempt to work around a bug in
|   CentralAuth, but the bug has since been fixed in a better way.
|
|   No hook functions in Gerrit use the parameter (or ever have, as far as I
|   can tell), and anything that was passing a value other than the default
|   'login' has since been removed. So let's just get rid of it instead of
|   keeping it around doing nothing.
|
|   Change-Id: Ie604e03d268706221161ac93eb866f477e466fb4
* Merge "Throw an exception if password hash would be truncated by DB" [jenkins-bot, 2016-11-30, 2, -2/+28]
|\
| * Throw an exception if password hash would be truncated by DB [Brian Wolff, 2016-11-15, 2, -2/+28]
| |   DB uses a tinyblob field. With layered encrypted passwords, the
| |   length gets close to 255 and can exceed if you use a long name for
| |   the password type.
| |
| |   Previously these would be silently inserted into the DB and
| |   truncated, which would lock user out of their account.
| |
| |   Change-Id: Idf0d0248b181f42d92e3ad6c3220b5331cd4d4d0
* | Merge "Fix multiple bugs in EncryptedPassword" [jenkins-bot, 2016-11-15, 1, -9/+32]
|\|
| * Fix multiple bugs in EncryptedPassword [Tim Starling, 2016-11-15, 1, -9/+32]
| |   * openssl_decrypt() expects the encrypted string you give it to be the
| |     exact one that came out of openssl_encrypt(), it doesn't expect you
| |     to pre-decode the base64 encoding. So don't do that.
| |   * Use the same IV when re-encrypting the underlying hash for
| |     comparison.
| |   * Check the return value of OpenSSL functions, and report meaningful
| |     error messages, for sysadmin convenience and to avoid e.g. giving
| |     all users the same hash if an invalid cipher method was chosen
| |     (which was the previous behaviour).
| |   * Fix EncryptedPassword::update(). Tested it with eval.php since there
| |     doesn't seem to be any callers.
| |
| |   Change-Id: I3a39de152d0329f93d16aa4ed43faf08f665b8e2
* | Accept salted password hashes with :A: prefixes [Tim Starling, 2016-11-15, 1, -2/+10]
| |   Partially reverting Icb809274f9f63. The broken :A: prefixed passwords
| |   generated by MW before that change were apparently written back to
| |   the database -- there are 2.5M in enwiki alone. Accepting them should
| |   not depend on $wgPasswordSalt, which is a deprecated global and
| |   should soon be removed.
| |
| |   Change-Id: I772de0fb17245d080eb15a7d5df6bf3125e1f71a
* | Fix interpretation of "A-type" password hashes [Tim Starling, 2016-11-14, 1, -8/+2]
|/
|   An A-type hash is an unsalted hash. A B-type hash is a salted hash of
|   the form md5(salt "-" md5(password)). So it's not correct to have an
|   A-type hash with a salt.
|
|   User::comparePasswords() and CentralAuthUser::getPasswordFromString()
|   already get this right, they generate :B: prefixes for legacy salted
|   hashes where the salt is not specified in the database.
|
|   Change-Id: Icb809274f9f63641e54daf98332a5646fd58b550
* SECURITY: Throw exception on unknown hash algorithm [csteipp, 2016-05-20, 3, -1/+16]
|   To prevent a bad password configuration from accidentally allowing users
|   to bypass authentication, throw an exception if either hash or
|   hash_pbkdf2 return false.
|
|   Also, ensure md5() returned a sane hash.
|
|   Bug: T127420
|   Change-Id: If3664941236e4065eb8db11b0a211fd6210de631
|   Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
* API changes for AuthManager [Brad Jorsch, 2016-05-16, 1, -5/+9]
|   Changes here are:
|   * action=login is deprecated for use other than bot passwords
|   * list=users will indicate if a missing user name is creatable.
|   * Added action=query&meta=authmanagerinfo
|   * Added action=clientlogin is to be used to log into the main account
|   * action=createaccount is changed in a non-BC manner
|   * Added action=linkaccount
|   * Added action=unlinkaccount
|   * Added action=changeauthenticationdata
|   * Added action=removeauthenticationdata
|   * Added action=resetpassword
|
|   Bug: T110276
|   Bug: T110747
|   Bug: T110751
|   Bug: T32788
|   Bug: T67857
|   Bug: T28597
|   Bug: T76103
|   Change-Id: I244fa9b1e0623247d6d9fa30990411c6df94a496
* Fix and standardize Doxygen tags [Ricordisamoa, 2016-04-30, 1, -3/+3]
|   * Use "@param datatype $paramname description" format
|   * String → string, Integer → int etc.
|   * @return $string → @return string
|
|   Change-Id: I860d222382cb4c5699d313b0600bd22503c8c385
* Convert all array() syntax to [] [Kunal Mehta, 2016-02-17, 10, -25/+25]
|   Per wikitech-l consensus:
|   https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html
|
|   Notes:
|   * Disabled CallTimePassByReference due to false positives (T127163)
|
|   Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
* [SECURITY] 0-pad to length in random string generation [Brad Jorsch, 2015-12-18, 1, -3/+2]
|   Otherwise shorter strings might be generated.
|
|   Bug: T115522
|   Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
|   Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0
* Merge "Add support for blacklisting common passwords" [jenkins-bot, 2015-12-04, 1, -0/+48]
|\
| * Add support for blacklisting common passwords [Brian Wolff, 2015-11-25, 1, -0/+48]
| |   This changes the default config to not allow the top 25 passwords to
| |   be used by Sysop/Crats. This should almost certainly be set to a
| |   higher number, but I think it's best to wait until after this is
| |   committed to argue over what the best value is.
| |
| |   I would expect that once this is committed, there would be a config
| |   change for wmf wikis, so that there is no change until this has been
| |   discussed with the community.
| |
| |   The included common password file was generated from the first 10000
| |   entries of
| |   https://github.com/danielmiessler/SecLists/blob/master/Passwords/rockyou.txt?raw=true
| |
| |   10,000 was chosen based on csteipp's suggestion.
| |
| |   Change-Id: I26a9e8f2318a1eed33d7638b125695e8de3a9796
* | Replace wfBaseConvert with Wikimedia\base_convert [Reedy, 2015-11-24, 1, -1/+1]
| |   Change-Id: Iadab3d018c3559daf79be90edb23d131729bdb68
* | Merge "Fix typo in doc comment on MWSaltedPassword.php" [jenkins-bot, 2015-11-23, 1, -1/+1]
|\ \
| * | Fix typo in doc comment on MWSaltedPassword.php [Brian Wolff, 2015-11-23, 1, -1/+1]
| |/
| |   Change-Id: I4d08846f6692797b0cfea33d56bbf1afb33b27db
* / Improve error message if check not defined for a password policy. [Reedy, 2015-11-16, 1, -2/+9]
|/
|   Bug: T118776
|   Change-Id: Ic1826f15424197545f4d6c2b1af49adbc4289e15
* User: Mostly remove password handling [Brad Jorsch, 2015-10-13, 1, -0/+34]
|   AuthManager is coming, which will make it easier to add alternative
|   methods of authentication. But in order to do that, we need to finally
|   get around to ripping the password-related bits out of the User class.
|
|   The password expiration handling isn't used anywhere in core or
|   extensions in Gerrit beyond testing for expired passwords on login and
|   resetting the expiry date on password change. Those bits have been
|   inlined and the functions removed; AuthManager will allow each
|   "authentication provider" to handle its own password expiration.
|
|   The methods for fetching passwords, including the fact that mPassword
|   and other fields are public, have also been removed. This is already
|   broken in combination with basically any extension that messes with
|   authentication, and the major use outside of that was in creating system
|   users like MassMessage's "MediaWiki message delivery" user.
|
|   Password setting methods are silently deprecated, since most of the
|   replacements won't be available until AuthManager. But uses in unit
|   testing can be replaced with TestUser::setPasswordForUser() immediately.
|
|   User::randomPassword() and User::getPasswordFactory() don't really
|   belong in User either. For the former a new PasswordFactory method has
|   been created, while the latter should just be replaced by the two lines
|   to create a PasswordFactory via its constructor.
|
|   Bug: T47716
|   Change-Id: I2c736ad72d946fa9b859e6cd335fa58aececc0d5
* Remove dead argument in EncryptedPassword.php [jeroendedauw, 2015-09-16, 1, -1/+1]
|   Change-Id: Ib0bb2733284262c233e6de4c7645f0b215690156
* Add "purpose" to password validity check [csteipp, 2015-07-14, 1, -9/+14]
|   Allow callers to specify why they are checking a password's validity, so
|   some checks can be modified. Only check the default policy on creation,
|   since the account doesn't exist it's not a member of any groups.
|
|   Bug: T104615
|   Change-Id: I56b66002562aaa1493d94a90309bc8e4ae3841c8