Password: replace equals() with verify()
author    Max Semenik <maxsem.wiki@gmail.com>
          Thu, 24 Jan 2019 02:51:21 +0000 (18:51 -0800)
committer Max Semenik <maxsem.wiki@gmail.com>
          Thu, 24 Jan 2019 21:40:40 +0000 (13:40 -0800)
commit    7a7976ba7a406b6c7b90e256f26faaa3257b7ade
tree      846bd0e388ef62d21c1e0ed9cca1e2ec09be3f47
parent    b02d72f7adebb7712476283e6fa68ad61ea00e15
Password: replace equals() with verify()

So far, our key derivation code assumed that it has control over
the salt used by the derivation routines; however, I want to add Argon2
support and it doesn't work this way: password_hash() generates the
salt itself, and the only way to verify a password is by using
password_verify(). The current way things are done doesn't support it
because it relies on the result of password hashing with parameters we
provide being deterministic.

Therefore, I'm deprecating Password::equals(), as well as the whole concept
of comparing Password objects - it's used only in tests anyway. It's
getting replaced with verify(), which only accepts password strings.
Uses of the old function are fixed, with the exception of a few calls in tests
that will be addressed in my Argon2 patch.

Change-Id: I2b2be9a422ee0f773490eac316ad81505c3f8571
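The property the commit message relies on, shown as an added PHP example that is not MediaWiki's code: the class `HashedPassword`, its methods and the sample password are assumptions made for illustration, while `password_hash()`, `password_verify()`, `PASSWORD_ARGON2ID` and `PASSWORD_DEFAULT` are PHP's own API. Because `password_hash()` draws a fresh random salt on every call, two hashes of the same password never compare equal, so an `equals()` between two hashed values cannot work; the only usable check is `verify()` on a plaintext candidate.

```php
<?php
declare(strict_types=1);

// Added example, not MediaWiki code. Demonstrates why a Password object built
// on password_hash() can offer verify(string) but not equals(Password).

/**
 * Hypothetical stand-in for a Password object shaped the way the commit
 * describes: constructed from a plaintext or from a stored encoded hash, and
 * the only comparison it exposes is verify(string $plaintext).
 */
final class HashedPassword
{
    /** @var string Encoded hash, e.g. "$argon2id$v=19$m=65536,t=4,p=1$..." */
    private $encoded;

    private function __construct(string $encoded)
    {
        $this->encoded = $encoded;
    }

    /**
     * Hash a new password. Uses Argon2id when this PHP build was compiled
     * with Argon2 support (PHP >= 7.3); otherwise PASSWORD_DEFAULT (bcrypt),
     * which also generates its own random salt inside password_hash().
     */
    public static function fromPlaintext(string $plaintext): self
    {
        $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
        $hash = password_hash($plaintext, $algo);
        if ($hash === false) {
            throw new RuntimeException('password_hash() failed');
        }
        return new self($hash);
    }

    /** Wrap a hash read back from storage (e.g. a user table column). */
    public static function fromStored(string $encoded): self
    {
        return new self($encoded);
    }

    /**
     * Check a candidate plaintext. password_verify() parses the algorithm,
     * parameters and salt out of the stored string, recomputes the
     * derivation and compares the result in constant time.
     */
    public function verify(string $plaintext): bool
    {
        return password_verify($plaintext, $this->encoded);
    }

    public function toString(): string
    {
        return $this->encoded;
    }
}

// Constructed sample input.
$password = 'correct horse battery staple';

$a = HashedPassword::fromPlaintext($password);
$b = HashedPassword::fromPlaintext($password);

// The old equals()-style idea: same password, same parameters, yet the two
// encoded strings differ because each password_hash() call chose a new salt.
$sameEncoding = ($a->toString() === $b->toString());

// The verify()-style check works against either hash and rejects a wrong one.
$aAccepts = $a->verify($password);
$bAccepts = $b->verify($password);
$aRejects = !$a->verify('not the password');

// Round trip through "storage": the stored string alone suffices to verify.
$stored = HashedPassword::fromStored($a->toString());
$storedAccepts = $stored->verify($password);

printf("encoded strings equal:    %s\n", $sameEncoding ? 'yes' : 'no');
printf("verify() with correct pw: %s\n", ($aAccepts && $bAccepts) ? 'ok' : 'FAIL');
printf("verify() with wrong pw:   %s\n", $aRejects ? 'rejected' : 'FAIL');
printf("verify() after reload:    %s\n", $storedAccepts ? 'ok' : 'FAIL');
```

Run it with `php example.php`; the two encoded strings differ on every run while all three `verify()` checks pass. A consequence worth keeping in mind when a codebase moves to a self-salting scheme: any logic that compared hashes to decide whether a stored credential still matches the current algorithm or cost parameters has to be rewritten too, which in plain PHP is what `password_needs_rehash()` is for.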
RELEASE-NOTES-1.33
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
includes/auth/TemporaryPasswordPrimaryAuthenticationProvider.php
includes/password/InvalidPassword.php
includes/password/Password.php
includes/user/BotPassword.php
tests/phpunit/includes/TestUser.php
tests/phpunit/includes/password/LayeredParameterizedPasswordTest.php
tests/phpunit/includes/password/PasswordTestCase.php