From acca48094cc7ceaf00a0452a14740c4776f5e9c6 Mon Sep 17 00:00:00 2001
From: Ori Livneh
Date: Sat, 28 May 2016 06:25:48 -0700
Subject: Make number of PBKDF2 iterations used for deriving session secret configurable

The intent is both to allow the number of iterations to be dialed up (either as computational power increases, or on the basis of security needs) and dialed down for the unit tests, where hash_pbkdf2() calls account for 15-40% of wall time. The number of iterations is stored in the session, so changing the number of iterations does not cause existing sessions to become invalid or corrupt. Sessions that do not have wsSessionPbkdf2Iterations set (i.e., sessions which precede this change) are transparently upgraded.
Change-Id: I084a97487ef4147eea0f0ce0cdf4b39ca569ef52
---
 includes/session/Session.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'includes/session')
diff --git a/includes/session/Session.php b/includes/session/Session.php
index 29878d49f6b5..3d48101acc4a 100644
--- a/includes/session/Session.php
+++ b/includes/session/Session.php
@@ -384,7 +384,7 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 * @return string[] Encryption key, HMAC key
 */
 private function getSecretKeys() {
- global $wgSessionSecret, $wgSecretKey;
+ global $wgSessionSecret, $wgSecretKey, $wgSessionPbkdf2Iterations;
 $wikiSecret = $wgSessionSecret ?: $wgSecretKey;
 $userSecret = $this->get( 'wsSessionSecret', null );
@@ -392,8 +392,13 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 $userSecret = \MWCryptRand::generateHex( 32 );
 $this->set( 'wsSessionSecret', $userSecret );
 }
+ $iterations = $this->get( 'wsSessionPbkdf2Iterations', null );
+ if ( $iterations === null ) {
+ $iterations = $wgSessionPbkdf2Iterations;
+ $this->set( 'wsSessionPbkdf2Iterations', $iterations );
+ }
- $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, 10001, 64, true );
+ $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, $iterations, 64, true );
 return [
 substr( $keymats, 0, 32 ),
 substr( $keymats, 32, 32 ),
-- 
cgit v1.2.3
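Review bot: The iteration count read back at `$this->get( 'wsSessionPbkdf2Iterations', null )` reaches hash_pbkdf2() unvalidated, and the `$wgSessionPbkdf2Iterations` value that seeds it is not checked either, so a zero, negative or non-integer value (a mis-set config or a damaged session record) makes hash_pbkdf2() fail — a warning plus `false` on the PHP versions of the time, a ValueError on PHP 8 — after which the substr() calls return empty or false key material rather than an error. Because the stored count fixes the strength of every key this session derives, a guard after the lookup such as `if ( !is_int( $iterations ) || $iterations < 1 ) { throw new \UnexpectedValueException( 'wsSessionPbkdf2Iterations must be a positive integer' ); }` keeps the derivation from degrading silently. It would also help to note at the `$this->set( 'wsSessionPbkdf2Iterations', $iterations )` line that the count is pinned per session, so raising the configured value only takes effect for sessions created afterwards, e.g. `// Pinned per session: a config change must not invalidate existing sessions`. getSecretKeys() ends outside the hunk, and the first hunk only extends the global declaration.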