Changeset 59828 for trunk/src/wp-includes/user.php

Timestamp:

02/17/2025 11:22:33 AM (3 months ago)

Author:

johnbillion

Message:

Security: Switch to using bcrypt for hashing user passwords and BLAKE2b for hashing application passwords and security keys.

Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.

The following new functions have been introduced:

• wp_password_needs_rehash()
• wp_fast_hash()
• wp_verify_fast_hash()

The following new filters have been introduced:

• password_needs_rehash
• wp_hash_password_algorithm
• wp_hash_password_options

Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.

Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.

Fixes #21022, #44628

File:

• trunk/src/wp-includes/user.php (modified) (19 diffs)

trunk/src/wp-includes/user.php

@@ -206 +206 @@
     }
 
-    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+    $valid = wp_check_password( $password, $user->user_pass, $user->ID );
+
+    if ( ! $valid ) {
         return new WP_Error(
             'incorrect_password',
@@ -220 +222 @@
     }
 
+    if ( wp_password_needs_rehash( $user->user_pass, $user->ID ) ) {
+        wp_set_password( $password, $user->ID );
+    }
+
     return $user;
 }
@@ -283 +289 @@
     }
 
-    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+    $valid = wp_check_password( $password, $user->user_pass, $user->ID );
+
+    if ( ! $valid ) {
         return new WP_Error(
             'incorrect_password',
@@ -295 +303 @@
             '</a>'
         );
+    }
+
+    if ( wp_password_needs_rehash( $user->user_pass, $user->ID ) ) {
+        wp_set_password( $password, $user->ID );
     }
 
@@ -446 +458 @@
 
     foreach ( $hashed_passwords as $key => $item ) {
-        if ( ! wp_check_password( $password, $item['password'], $user->ID ) ) {
+        if ( ! WP_Application_Passwords::check_password( $password, $item['password'] ) ) {
             continue;
         }
@@ -2432 +2444 @@
      * @since 4.9.0
      * @since 5.8.0 The `$userdata` parameter was added.
+     * @since 6.8.0 The user's password is now hashed using bcrypt instead of phpass.
      *
      * @param array    $data {
@@ -2979 +2992 @@
  * @since 4.4.0
  *
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
- *
  * @param WP_User $user User to retrieve password reset key for.
  * @return string|WP_Error Password reset key on success. WP_Error on error.
  */
 function get_password_reset_key( $user ) {
-    global $wp_hasher;
-
     if ( ! ( $user instanceof WP_User ) ) {
         return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
@@ -3032 +3041 @@
     do_action( 'retrieve_password_key', $user->user_login, $key );
 
-    // Now insert the key, hashed, into the DB.
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-
-    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+    $hashed = time() . ':' . wp_fast_hash( $key );
 
     $key_saved = wp_update_user(
@@ -3064 +3067 @@
  * @since 3.1.0
  *
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
- *
- * @param string $key       Hash to validate sending user's password.
+ * @param string $key       The password reset key.
  * @param string $login     The user login.
  * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
@@ -3075 +3076 @@
     $login
 ) {
-    global $wp_hasher;
-
     $key = preg_replace( '/[^a-z0-9]/i', '', $key );
 
@@ -3091 +3090 @@
     if ( ! $user ) {
         return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
-    }
-
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
     }
 
@@ -3119 +3113 @@
     }
 
-    $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
+    $hash_is_correct = wp_verify_fast_hash( $key, $pass_key );
 
     if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
@@ -3134 +3128 @@
         /**
          * Filters the return value of check_password_reset_key() when an
-         * old-style key is used.
+         * old-style key or an expired key is used.
          *
          * @since 3.7.0 Previously plain-text keys were stored in the database.
@@ -3155 +3149 @@
  * @since 5.7.0 Added `$user_login` parameter.
  *
- * @global wpdb         $wpdb      WordPress database abstraction object.
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+ * @global wpdb $wpdb WordPress database abstraction object.
  *
  * @param string $user_login Optional. Username to send a password retrieval email for.
@@ -4937 +4930 @@
  * @since 4.9.6
  *
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
- *
  * @param int $request_id Request ID.
  * @return string Confirmation key.
  */
 function wp_generate_user_request_key( $request_id ) {
-    global $wp_hasher;
-
     // Generate something random for a confirmation key.
     $key = wp_generate_password( 20, false );
 
-    // Return the key, hashed.
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-
+    // Save the key, hashed.
     wp_update_post(
         array(
             'ID'            => $request_id,
             'post_status'   => 'request-pending',
-            'post_password' => $wp_hasher->HashPassword( $key ),
+            'post_password' => wp_fast_hash( $key ),
         )
     );
@@ -4969 +4953 @@
  *
  * @since 4.9.6
- *
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
  *
  * @param string $request_id ID of the request being confirmed.
@@ -4981 +4963 @@
     $key
 ) {
-    global $wp_hasher;
-
     $request_id       = absint( $request_id );
     $request          = wp_get_user_request( $request_id );
@@ -5000 +4980 @@
     }
 
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-
     /**
      * Filters the expiration time of confirm keys.
@@ -5015 +4990 @@
     $expiration_time     = $key_request_time + $expiration_duration;
 
-    if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {
+    if ( ! wp_verify_fast_hash( $key, $saved_key ) ) {
         return new WP_Error( 'invalid_key', __( 'The confirmation key is invalid for this personal data request.' ) );
     }