Password Hash is always regenerated when logging in when using EncryptedPassword
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Zabe
	May 29 2024, 12:31 AM

Description

After T150647 and T216682 I noticed, while the changes itself are working, that MediaWiki generates and stores a new salt and a new hash during every login, even if the password is already stored in the correct format.

After some debugging with ReflectionClass I noticed that ->needsUpdate returns true due to a strict comparison failing.

> $params->getValue( $password );
= [
    "cipher" => "aes-256-cbc",
    "secret" => "0",
  ]

> $default->invoke( $password )
= [
    "cipher" => "aes-256-cbc",
    "secret" => 0,
  ]

> $default->invoke( $password ) == $params->getValue( $password )
= true

> $default->invoke( $password ) === $params->getValue( $password )
= false

>

EncryptedPassword stores its default config as an integer while the read one is always a string.

Details

Subject	Repo	Branch	Lines +/-
EncryptedPassword: Store default parameters as strings	mediawiki/core	REL1_42	+7 -5
EncryptedPassword: Store default parameters as strings	mediawiki/core	REL1_40	+7 -5
EncryptedPassword: Store default parameters as strings	mediawiki/core	REL1_41	+7 -5
EncryptedPassword: Store default parameters as strings	mediawiki/core	REL1_39	+7 -5
EncryptedPassword: Store default parameters as strings	mediawiki/core	master	+7 -5

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Zabe	T150647 Deploy EncryptedPassword to Wikimedia Sites
		Resolved		Zabe	T366130 Password Hash is always regenerated when logging in when using EncryptedPassword

Event Timeline

Zabe created this task.May 29 2024, 12:31 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 29 2024, 12:31 AM

Change #1036772 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] EncryptedPassword: Store default parameters as strings

https://gerrit.wikimedia.org/r/1036772

gerritbot added a project: Patch-For-Review.May 29 2024, 12:37 AM

• Kalyan321 subscribed.May 29 2024, 1:23 AM

FWIW you can use the sudo builtin to make reflection more convenient:

> $password = $pf->newFromCiphertext( $hash )
= MediaWiki\Password\EncryptedPassword {#6797}

> sudo $password->params
= [
    "cipher" => "aes-256-cbc",
    "secret" => "0",
  ]

> sudo $password->getDefaultParams()
= [
    "cipher" => "aes-256-cbc",
    "secret" => 0,
  ]

Change #1036772 merged by jenkins-bot:

[mediawiki/core@master] EncryptedPassword: Store default parameters as strings

https://gerrit.wikimedia.org/r/1036772

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.8; 2024-06-04).Jun 2 2024, 10:00 AM

Maintenance_bot removed a project: Patch-For-Review.Jun 2 2024, 10:30 AM

Krinkle added a project: MediaWiki-Platform-Team.Jun 2 2024, 11:30 PM

Change #1038312 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_42] EncryptedPassword: Store default parameters as strings

https://gerrit.wikimedia.org/r/1038312

Change #1038313 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_41] EncryptedPassword: Store default parameters as strings

https://gerrit.wikimedia.org/r/1038313