[MediaWiki-commits] [Gerrit] Make number of PBKDF2 iterations used for deriving session s... - change (mediawiki/core)

[Ori.livneh (Code Review)]

Hello Anomie, Legoktm, Gergő Tisza,

I'd like you to do a code review.  Please visit

    https://gerrit.wikimedia.org/r/291503

to review the following change.

Change subject: Make number of PBKDF2 iterations used for deriving session 
secret configurable
......................................................................

Make number of PBKDF2 iterations used for deriving session secret configurable

The intent is both to allow the number of iterations to be dialed up (either as
computational power increases, or on the basis of security needs) and dialed
down for the unit tests, where hash_pbkdf2() calls account for 15-40% of wall
time. The number of iterations is stored in the session, so changing the number
of iterations does not cause existing sessions to become invalid or corrupt.
Sessions that do not have wsSessionPbkdf2Iterations set (i.e., sessions which
precede this change) are transparently upgraded.

Change-Id: I084a97487ef4147eea0f0ce0cdf4b39ca569ef52
---
M RELEASE-NOTES-1.28
M includes/DefaultSettings.php
M includes/session/Session.php
M tests/phpunit/MediaWikiTestCase.php
4 files changed, 20 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/03/291503/1

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index d57c8ba..6348ac3 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -9,6 +9,8 @@
 * The load.php entry point now enforces the existing policy of not allowing
   access to session data, which includes the session user and the session
   user's language. If such access is attempted, an exception will be thrown.
+* The number of internal PBKDF2 iterations used to derive the session secret
+  is configurable via $wgSessionPbkdf2Iterations.
 
 === New features in 1.28 ===
 * User::isBot() method for checking if an account is a bot role account.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index c6d9010..8f56c36 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2386,6 +2386,14 @@
  */
 $wgPHPSessionHandling = 'enable';
 
+
+/**
+ * Number of internal PBKDF2 iterations to use when deriving session secrets.
+ *
+ * @since 1.28
+ */
+$wgSessionPbkdf2Iterations = 10001;
+
 /**
  * If enabled, will send MemCached debugging information to $wgDebugLogFile
  */
diff --git a/includes/session/Session.php b/includes/session/Session.php
index 29878d4..3d48101 100644
--- a/includes/session/Session.php
+++ b/includes/session/Session.php
@@ -384,7 +384,7 @@
         * @return string[] Encryption key, HMAC key
         */
        private function getSecretKeys() {
-               global $wgSessionSecret, $wgSecretKey;
+               global $wgSessionSecret, $wgSecretKey, 
$wgSessionPbkdf2Iterations;
 
                $wikiSecret = $wgSessionSecret ?: $wgSecretKey;
                $userSecret = $this->get( 'wsSessionSecret', null );
@@ -392,8 +392,13 @@
                        $userSecret = \MWCryptRand::generateHex( 32 );
                        $this->set( 'wsSessionSecret', $userSecret );
                }
+               $iterations = $this->get( 'wsSessionPbkdf2Iterations', null );
+               if ( $iterations === null ) {
+                       $iterations = $wgSessionPbkdf2Iterations;
+                       $this->set( 'wsSessionPbkdf2Iterations', $iterations );
+               }
 
-               $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, 
10001, 64, true );
+               $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, 
$iterations, 64, true );
                return [
                        substr( $keymats, 0, 32 ),
                        substr( $keymats, 32, 32 ),
diff --git a/tests/phpunit/MediaWikiTestCase.php 
b/tests/phpunit/MediaWikiTestCase.php
index 47d96e1..00b0e55 100644
--- a/tests/phpunit/MediaWikiTestCase.php
+++ b/tests/phpunit/MediaWikiTestCase.php
@@ -260,6 +260,9 @@
                // Use a fast hash algorithm to hash passwords.
                $defaultOverrides->set( 'PasswordDefault', 'A' );
 
+               // Single-iteration PBKDF2 session secret derivation, also for 
speed.
+               $defaultOverrides->set( 'SessionPbkdf2Iterations', 1 );
+
                $testConfig = $customOverrides
                        ? new MultiConfig( [ $customOverrides, 
$defaultOverrides, $baseConfig ] )
                        : new MultiConfig( [ $defaultOverrides, $baseConfig ] );

-- 
To view, visit https://gerrit.wikimedia.org/r/291503
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I084a97487ef4147eea0f0ce0cdf4b39ca569ef52
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Ori.livneh <o...@wikimedia.org>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits