[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #109 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 148442 abandoned by Parent5446: Replaced hash_equals with a custom function https://gerrit.wikimedia.org/r/148442 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #108 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 149658 merged by jenkins-bot: Changed password default to PBKDF2 https://gerrit.wikimedia.org/r/149658 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Tyler Romeo tylerro...@gmail.com changed: What|Removed |Added Status|PATCH_TO_REVIEW |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Tyler Romeo tylerro...@gmail.com changed: What|Removed |Added Blocks||68766 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #105 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 77645 merged by jenkins-bot: Added password hashing API https://gerrit.wikimedia.org/r/77645 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Tyler Romeo tylerro...@gmail.com changed: What|Removed |Added Version|1.18.x |1.24-git -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #106 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 150028 had a related patch set uploaded by Parent5446: Fixed hook documentation for removed hooks https://gerrit.wikimedia.org/r/150028 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #107 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 150028 merged by jenkins-bot: Fixed hook documentation for removed hooks https://gerrit.wikimedia.org/r/150028 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #104 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 149658 had a related patch set uploaded by Parent5446: Changed password default to PBKDF2 https://gerrit.wikimedia.org/r/149658 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #103 from Liangent liang...@gmail.com --- (In reply to scott from comment #102) (In reply to Liangent from comment #99) Bug 68389 is still a security bug. Does duping it to a public one mean it's actually not something sensitive? It's not sensitive at all. It's literally a duplicate of the issue here, because I failed to locate the existing bug report and fired off a patch. Well putting a bug in the Security product hides it from public view. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Chris Steipp cste...@wikimedia.org changed: What|Removed |Added CC||sc...@arciszewski.me --- Comment #95 from Chris Steipp cste...@wikimedia.org --- *** Bug 68389 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419
--- Comment #96 from sc...@arciszewski.me ---
return md5( $salt.'-'.md5( $password ) ) == $realHash;
return self::crypt( $password, $salt ) == $hash;
return self::reallyOldCrypt( $password, $userId ) === $hash;
Can we swap out the == and === logic for one of the following:
- Constant time hash comparison code (see hash_equals() in PHP 5.6.0 and PHP
implementations, such as Taylor Hornby's PBKDF2 library)?
- Double HMAC with a random nonce
i.e.
+/**
+ * A comparison of two strings, not vulnerable to timing attacks
+ * @param string $answer the secret string that you are comparing against.
+ * @param string $test compare this string to the $answer.
+ * @return bool True if the strings are the same, false otherwise
+ */
+static function hash_equals( $answer, $test ) {
+if (function_exists('hash_equals')) {
+return hash_equals($answer, $test);
+} //
+if ( strlen( $answer ) !== strlen( $test ) ) {
+$passwordCorrect = false;
+} else {
+$result = 0;
+for ( $i = 0; $i strlen( $answer ); $i++ ) {
+$result |= ord( $answer[$i] ) ^ ord( $test[$i] );
+} //
+$passwordCorrect = ( $result === 0 );
+} //
+return $passwordCorrect;
+} //
OR
+/**
+ * A comparison of two strings, not vulnerable to timing attacks
+ * @param string $answer the secret string that you are comparing against.
+ * @param string $test compare this string to the $answer.
+ * @return bool True if the strings are the same, false otherwise
+ */
+static function hash_equals( $answer, $test ) {
+if (function_exists('hash_equals')) {
+return hash_equals($answer, $test);
+} //
+$nonce = MWCryptRand::generate(16);
+return hash_hmac('sha256', $test, $nonce) === hash_hmac('sha256',
$answer, $nonce);
+} //
--
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #97 from sc...@arciszewski.me --- Further references on the Double HMAC mitigation: https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx https://github.com/defuse/php-encryption/issues/21 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #98 from Bartosz Dziewoński matma@gmail.com --- This bug already has a pending patch: https://gerrit.wikimedia.org/r/#/c/77645 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Bartosz Dziewoński matma@gmail.com changed: What|Removed |Added Assignee|mediawiki-bugs@nadir-seen-f |tylerro...@gmail.com |ire.com | -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #99 from Liangent liang...@gmail.com --- Bug 68389 is still a security bug. Does duping it to a public one mean it's actually not something sensitive? -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #100 from Gerrit Notification Bot gerritad...@wikimedia.org --- Change 148442 had a related patch set uploaded by Parent5446: Replaced hash_equals with a custom function https://gerrit.wikimedia.org/r/148442 -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #101 from Tyler Romeo tylerro...@gmail.com --- ^Might as well be paranoid. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #102 from sc...@arciszewski.me --- (In reply to Liangent from comment #99) Bug 68389 is still a security bug. Does duping it to a public one mean it's actually not something sensitive? It's not sensitive at all. It's literally a duplicate of the issue here, because I failed to locate the existing bug report and fired off a patch. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #91 from Chris Steipp cste...@wikimedia.org --- Sorry to pollute this bug with operational details, but since gerrit 77645 looks ready to merge, we have to do a little dance to make sure we don't break things in the WMF environment-- namely CentralAuth copies the user_password field when it merges accounts, so CentralAuth needs to use the new password classes also. I think I'll merge gerrit 77645, and then at the WMF, we'll set $wgPasswordDefault = 'B' temporarily for all wikis. We'll update CentralAuth to use the Password class, and then we'll remove the $wgPasswordDefault in our environment so users will start using pbkdf2. Once we're using pbkdf2, we'll run the maintenance script to layer all wiki's passwords with pbkdf2-legacyB. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #92 from Chris Steipp cste...@wikimedia.org --- And since CentralAuth already lets the User object do the comparison, ignore my last comment. CentralAuth uses the new hashes just fine. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #93 from Chris Steipp cste...@wikimedia.org --- (In reply to Chris Steipp from comment #92) And since CentralAuth already lets the User object do the comparison, ignore my last comment. CentralAuth uses the new hashes just fine. ... except when CentralAuth unmerges accounts. If a user creates a new account and CentralAuth gets the pbkdf2 hash, and later they are unmerged in CentralAuth, they won't be able to login to any wikis where the password api hasn't been deployed. So we do need the $wgPasswordDefault = 'B' for the week while code is deployed to all wikis. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 --- Comment #94 from Tyler Romeo tylerro...@gmail.com --- (In reply to Chris Steipp from comment #93) ... except when CentralAuth unmerges accounts. If a user creates a new account and CentralAuth gets the pbkdf2 hash, and later they are unmerged in CentralAuth, they won't be able to login to any wikis where the password api hasn't been deployed. So we do need the $wgPasswordDefault = 'B' for the week while code is deployed to all wikis. Awesome! When I saw your first comment I was afraid we'd be stuck here waiting for CentralAuth to catch up. Having the default as 'B' while changes are deployed sounds like a good route to me. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 28419] Replace MD5 password hashing with more secure hash
https://bugzilla.wikimedia.org/show_bug.cgi?id=28419 Tyler Romeo tylerro...@gmail.com changed: What|Removed |Added Summary|Replace MD5 password|Replace MD5 password |hashing with WHIRLPOOL |hashing with more secure ||hash -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
