Page MenuHomePhabricator
Create Task
Maniphest T320929

Deploy MediaWiki config change to use OpenSSL for PBKDF2 password hashing
Closed, ResolvedPublic
Actions

Description

Since rMW47241a3520d5b4bf, MediaWiki core by default now uses OpenSSL when available for creating and verifying type "pbkdf2" password hashes. This is more efficient and would allow for a significant increase in the number of PBKDF2 iterations if desired (see T234987). However, the way the core change was implemented means that Wikimedia sites still use PHP's hash extension for this purpose. CommonSettings.php specifies that the class "Pbkdf2Password" be used, and for compatibility reasons, that class name refers to "Pbkdf2PasswordUsingHashExtension" rather than any implementation that uses OpenSSL.

https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/842522 would change CommonSettings.php to instead reference the new class "Pbkdf2PasswordUsingOpenSSL". @Urbanecm said on IRC that deployment of this change should be coordinated with SRE. So I am filing this task to request SRE assistance with the deployment.

Note that even if we decide to switch to a different password hashing function such as Argon2id (see T216682), I think this config change should still be deployed in order to verify that the OpenSSL code path works in production, since that is what would be used if the Wikimedia-specific configuration for type "pbkdf2" were to be removed from CommonSettings.php.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use OpenSSL for PBKDF2 password hashingoperations/mediawiki-configmaster+7 -16
Use OpenSSL for PBKDF2 password hashing on testwikioperations/mediawiki-configmaster+16 -7
beta: Use OpenSSL for PBKDF2 password hashingoperations/mediawiki-configmaster+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

PleaseStand created this task.Oct 17 2022, 8:34 AM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptOct 17 2022, 8:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Oct 17 2022, 8:34 AM

Change 842522 had a related patch set uploaded (by PleaseStand; author: PleaseStand):

[operations/mediawiki-config@master] Use OpenSSL for PBKDF2 password hashing

https://gerrit.wikimedia.org/r/842522

gerritbot added a project: Patch-For-Review.Oct 17 2022, 8:34 AM
Legoktm subscribed.Oct 18 2022, 3:58 AM

@Urbanecm please clarify what part of this change do you want SRE to coordinate :)

Legoktm added a parent task: T234987: Increase pbkdf2 parameter strengths (2019).Oct 18 2022, 4:00 AM
PleaseStand added a comment.Oct 18 2022, 4:42 AM
In T320929#8323596, @Legoktm wrote:

@Urbanecm please clarify what part of this change do you want SRE to coordinate :)

For context, here are the relevant messages from the #wikimedia-operations IRC log:

2022-10-17 07:25:31 <urbanecm> hi PleaseStand, sorry, i missed the start of the window
2022-10-17 07:25:35 <urbanecm> did someone start deploying already?
2022-10-17 07:25:59 <PleaseStand> urbanecm: no?
2022-10-17 07:28:10 <urbanecm> PleaseStand: okay. actually, in this case, i think it'd be great to coordinate the deployment closely with SREs, to ensure it doesn't result in an accident. changing PW hashing is potentially dangerous
2022-10-17 07:29:35 <PleaseStand> urbanecm: Fine with me, no big hurry, should I file a Phabricator task and tag SRE?
2022-10-17 07:29:51 <urbanecm> PleaseStand: yeah, that's a great first step.

I'm also not sure what exactly SRE could do to "ensure it doesn't result in an accident", though at the very least, since the patch was turned down for deployment during a backport window, it should be deployed in a dedicated window.

LSobanski added a project: serviceops.Oct 19 2022, 1:08 PM
akosiaris subscribed.Nov 18 2022, 12:57 PM

I am not sure what type of coordination is needed from SRE either. Maybe just making sure that 1 or 2 SREs are around when the patch is deployed? Can't see anything else right now.

Clement_Goubert moved this task from Incoming 🐫 to 🌻Mediawiki on the serviceops board.Dec 5 2022, 11:22 AM
Aklapper removed a project: SRE.Dec 10 2022, 10:36 AM
Zabe subscribed.Jan 22 2023, 8:28 PM
gerritbot added a comment.May 4 2024, 11:53 PM

Change #1027337 had a related patch set uploaded (by Zabe; author: Zabe):

[operations/mediawiki-config@master] beta: Use OpenSSL for PBKDF2 password hashing

https://gerrit.wikimedia.org/r/1027337

gerritbot added a comment.May 5 2024, 11:25 AM

Change #1027337 merged by jenkins-bot:

[operations/mediawiki-config@master] beta: Use OpenSSL for PBKDF2 password hashing

https://gerrit.wikimedia.org/r/1027337

gerritbot added a comment.May 7 2024, 7:58 AM

Change #1028756 had a related patch set uploaded (by Zabe; author: Zabe):

[operations/mediawiki-config@master] Use OpenSSL for PBKDF2 password hashing on testwiki

https://gerrit.wikimedia.org/r/1028756

gerritbot added a comment.May 7 2024, 8:16 AM

Change #1028756 merged by jenkins-bot:

[operations/mediawiki-config@master] Use OpenSSL for PBKDF2 password hashing on testwiki

https://gerrit.wikimedia.org/r/1028756

Stashbot added a comment.May 7 2024, 8:17 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T08:17:20Z] <zabe@deploy1002> Started scap: Backport for [[gerrit:1028756|Use OpenSSL for PBKDF2 password hashing on testwiki (T320929)]]

Stashbot added a comment.May 7 2024, 8:19 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T08:19:44Z] <zabe@deploy1002> zabe: Backport for [[gerrit:1028756|Use OpenSSL for PBKDF2 password hashing on testwiki (T320929)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.May 7 2024, 8:34 AM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T08:34:43Z] <zabe@deploy1002> Finished scap: Backport for [[gerrit:1028756|Use OpenSSL for PBKDF2 password hashing on testwiki (T320929)]] (duration: 17m 22s)

gerritbot added a comment.May 7 2024, 8:58 PM

Change #842522 merged by jenkins-bot:

[operations/mediawiki-config@master] Use OpenSSL for PBKDF2 password hashing

https://gerrit.wikimedia.org/r/842522

Stashbot added a comment.May 7 2024, 8:58 PM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T20:58:41Z] <zabe@deploy1002> Started scap: Backport for [[gerrit:842522|Use OpenSSL for PBKDF2 password hashing (T320929)]]

Stashbot added a comment.May 7 2024, 9:01 PM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T21:01:15Z] <zabe@deploy1002> zabe and ki: Backport for [[gerrit:842522|Use OpenSSL for PBKDF2 password hashing (T320929)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.May 7 2024, 9:15 PM

Mentioned in SAL (#wikimedia-operations) [2024-05-07T21:15:56Z] <zabe@deploy1002> Finished scap: Backport for [[gerrit:842522|Use OpenSSL for PBKDF2 password hashing (T320929)]] (duration: 17m 14s)

Zabe closed this task as Resolved.May 7 2024, 9:16 PM
Zabe claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits