Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#21022 Switch to using bcrypt for hashing passwords #7333

Open
wants to merge 102 commits into
base: trunk
Choose a base branch
from
Open
Changes from 1 commit
Commits
Show all changes
102 commits
Select commit Hold shift + click to select a range
fe1c16e
Begin switching the password hashing mechanism from phpass to bcrypt.
johnbillion Sep 11, 2024
82d937f
Update the handling of user passwords, password reset keys, and user …
johnbillion Sep 11, 2024
f12e93d
Update the handling of the recovery mode key.
johnbillion Sep 11, 2024
5a46809
Update the handling of post passwords.
johnbillion Sep 11, 2024
d4e4e47
Automatically rehash user passwords and application passwords after t…
johnbillion Sep 11, 2024
638421d
Docs.
johnbillion Sep 11, 2024
316cb41
Juggle this a bit.
johnbillion Sep 11, 2024
76fa518
Trying to get these tests in order.
johnbillion Sep 11, 2024
d707939
More docs.
johnbillion Sep 11, 2024
4a796b7
Retain validity of phpass hashed password reset keys.
johnbillion Sep 11, 2024
64dfd57
Retain validity of a phpass hashed recovery mode key.
johnbillion Sep 11, 2024
e161994
Retain validity of phpass hashed user request keys.
johnbillion Sep 11, 2024
548f937
More docs.
johnbillion Sep 11, 2024
fe9b053
Add tests for password rehashing when signing in with a username or e…
johnbillion Sep 12, 2024
33cf000
Docs.
johnbillion Sep 12, 2024
d51cbc2
Ensure `wp_check_password()` remains compatible with changes to the d…
johnbillion Sep 12, 2024
6b5441c
Simplify this logic.
johnbillion Sep 12, 2024
89e0645
Add tests for Argon2 support.
johnbillion Sep 12, 2024
085b73c
Always pass the return value of `wp_check_password()` through the `ch…
johnbillion Sep 12, 2024
3e078a7
Reintroduce support for the `$wp_hasher` global if it's set.
johnbillion Sep 12, 2024
be636be
Test the tests.
johnbillion Sep 12, 2024
4265787
Docs.
johnbillion Sep 12, 2024
fd6bcdd
Start splitting up and fixing these tests.
johnbillion Sep 12, 2024
392e612
Coding standards.
johnbillion Sep 12, 2024
9040193
Add a todo.
johnbillion Sep 13, 2024
bc99ca1
Add some more assertions to the application password auth tests.
johnbillion Sep 17, 2024
58a89e2
Correct and add tests for the application password rehashing.
johnbillion Sep 17, 2024
49871d0
Done.
johnbillion Sep 17, 2024
b42e57b
Coding standards.
johnbillion Sep 17, 2024
2baeb19
Allow either the name or password to change in order to allow an appl…
johnbillion Sep 17, 2024
95f6d94
Docs.
johnbillion Sep 17, 2024
f8974eb
PHP 7.2 compatibility.
johnbillion Oct 8, 2024
ff85df2
Docs.
johnbillion Oct 8, 2024
ebcdd26
Add a test to ensure the user's account password isn't touched when r…
johnbillion Oct 8, 2024
140b9d4
Merge branch 'trunk' into 21022-bcrypt
johnbillion Oct 8, 2024
ea8c56c
One fewer regexes in the world.
johnbillion Oct 8, 2024
2ef2077
Merge branch 'trunk' into 21022-bcrypt
johnbillion Oct 9, 2024
3a951ef
Allow the password hashing options to be filtered.
johnbillion Oct 11, 2024
53acf70
Docs.
johnbillion Oct 11, 2024
5944d9a
Merge branch 'trunk' into 21022-bcrypt
johnbillion Oct 21, 2024
820f48f
Cease hashing passwords as md5 during the upgrade routine and/or the …
johnbillion Oct 21, 2024
c07e618
More tests for empty values.
johnbillion Oct 21, 2024
5d33621
More updates to the tests.
johnbillion Oct 21, 2024
0063154
Add a test to verify that a password gets rehashed when the default c…
johnbillion Oct 22, 2024
1aea250
This might as well go here.
johnbillion Oct 22, 2024
d6c7837
Add tests for post password handling.
johnbillion Oct 22, 2024
8b1dbd2
Merge branch 'trunk' into 21022-bcrypt
johnbillion Oct 22, 2024
5824f4c
Clear the cookie value before performing the assertions.
johnbillion Oct 22, 2024
2502179
Implement pre-hashing with sha384 to retain entropy of passwords over…
johnbillion Nov 5, 2024
2321412
Implement domain separation for the password to protect against passw…
johnbillion Nov 11, 2024
d86ef6d
Remove assertions that are unnecessarily specific to bcrypt.
johnbillion Nov 25, 2024
09ddc5e
The default bcrypt cost was increased in PHP 8.4.
johnbillion Nov 25, 2024
a27411d
Merge branch 'trunk' into 21022-bcrypt-sha2
johnbillion Dec 12, 2024
e5f8d5c
Merge branch 'trunk' into 21022-bcrypt
johnbillion Dec 12, 2024
9bb86a8
Merge branch '21022-bcrypt' into 21022-bcrypt-sha2
johnbillion Dec 12, 2024
1cebd80
Switch to HMAC in place of manually prepending the domain separation …
johnbillion Dec 12, 2024
537ee4a
Introduce the `wp_hash_password_algorithm` filter for controlling the…
johnbillion Dec 18, 2024
8a99edd
Why.
johnbillion Dec 18, 2024
68634f0
Vanilla bcrypt hashes should be rehashed to use pre-hashing.
johnbillion Dec 18, 2024
adf983f
Let's bring this more inline with the other tests.
johnbillion Dec 18, 2024
754519b
No need to perform a prefix check here, just let `wp_check_password()…
johnbillion Dec 18, 2024
35d1885
Merge branch 'trunk' into 21022-bcrypt-algo-filter
johnbillion Jan 6, 2025
0c49b94
Docs.
johnbillion Jan 6, 2025
f85a6cb
Merge branch 'trunk' into 21022-bcrypt
johnbillion Jan 6, 2025
413e81f
Switch to using a fast sha1 hash for password reset keys, user reques…
johnbillion Jan 6, 2025
4880c6e
Switch from SHA-1 to SHA-256 in the security key HMACs.
johnbillion Jan 7, 2025
cb46077
Use a more fitting hash prefix.
johnbillion Jan 7, 2025
a9a1c17
Update some more tests.
johnbillion Jan 7, 2025
8b4d40e
Introduce wrapper functions for hashing and checking a value with BLA…
johnbillion Jan 7, 2025
9994922
Replace SHA-256 and SHA-1 with BLAKE2b when hashing of password reset…
johnbillion Jan 7, 2025
d80491d
Switch application passwords over to BLAKE2b instead of phpass.
johnbillion Jan 7, 2025
f222f64
Remove opportunistic rehashing of application passwords.
johnbillion Jan 8, 2025
c966123
The hash extension is now required due to the use of sha384.
johnbillion Jan 8, 2025
7b3eb9a
Enforce an upper key length.
johnbillion Jan 8, 2025
e3fcdca
Ensure the salt satisfies the constraints for key length in Sodium.
johnbillion Jan 9, 2025
1d1ab91
Add some type safety.
johnbillion Jan 9, 2025
a94d7ff
Merge branch 'trunk' into 21022-bcrypt
johnbillion Jan 13, 2025
8e4652e
Merge branch 'trunk' into 21022-application-passwords
johnbillion Jan 13, 2025
20eb361
Remove salting from the fast hashing function.
johnbillion Jan 14, 2025
37e0cd7
Docs.
johnbillion Jan 14, 2025
9a58b91
Tidying up.
johnbillion Jan 14, 2025
d62c5d3
Rename these functions.
johnbillion Jan 14, 2025
5f1a8ee
Docs.
johnbillion Jan 14, 2025
8931037
More docs.
johnbillion Jan 14, 2025
141b031
Merge branch '21022-application-passwords' into 21022-bcrypt
johnbillion Jan 14, 2025
a5c105b
Merge branch 'trunk' into 21022-bcrypt
johnbillion Jan 14, 2025
74f8ecf
More docs!
johnbillion Jan 14, 2025
1d97c7d
This is no longer needed.
johnbillion Jan 16, 2025
5e7e059
Merge branch 'trunk' into 21022-bcrypt
johnbillion Jan 17, 2025
3635023
No need to duplicate this everywhere.
johnbillion Jan 17, 2025
2686d46
Add tests for `wp_fast_hash()` and `wp_verify_fast_hash()` and correc…
johnbillion Jan 17, 2025
1227f17
Ensure that the password fragment used in the auth cookie key always …
johnbillion Jan 17, 2025
66f1bd8
More accurate naming and test coverage declaration.
johnbillion Jan 17, 2025
946c93f
Retain current cookie hashing behaviour for vanilla bcrypt hashes too.
johnbillion Jan 18, 2025
afff6fe
Docs.
johnbillion Jan 18, 2025
0cae584
Add tests for retaining validity of an auth cookie generated with a p…
johnbillion Jan 18, 2025
0bdec8e
Fully reinstall WordPress between performance runs. This ensures ther…
johnbillion Jan 18, 2025
9ee9ee2
Revert "Fully reinstall WordPress between performance runs. This ensu…
johnbillion Jan 19, 2025
b0f83d4
Reorder the performance tests so the base tests run first, followed b…
johnbillion Jan 19, 2025
1c85aea
o_O
johnbillion Jan 19, 2025
540d77b
Reinstate the initial build.
johnbillion Jan 19, 2025
bb1d062
It's Sunday.
johnbillion Jan 19, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Why.
johnbillion committed Dec 18, 2024

Verified

This commit was signed with the committer’s verified signature.
johnbillion John Blackbourn
commit 8a99eddf6a1245483475c0bf4b59d9d8e614d676
2 changes: 1 addition & 1 deletion src/wp-includes/pluggable.php
Original file line number Diff line number Diff line change
@@ -2661,7 +2661,7 @@ function wp_hash_password( $password ) {
$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );

// Algorithms other than bcrypt don't need to use pre-hashing.
if ( $algorithm !== PASSWORD_BCRYPT ) {
if ( PASSWORD_BCRYPT !== $algorithm ) {
return password_hash( $password, $algorithm, $options );
}


Unchanged files with check annotations Beta

await expect(
page,
'should redirect to the installation page'
).toHaveURL( /wp-admin\/install\.php$/ );

Check failure on line 40 in tests/e2e/specs/install.test.js

GitHub Actions / Test with SCRIPT_DEBUG disabled / Run E2E tests

[chromium] › install.test.js:34:6 › WordPress installation process › should install WordPress with pre-existing database credentials

1) [chromium] › install.test.js:34:6 › WordPress installation process › should install WordPress with pre-existing database credentials Error: should redirect to the installation page Timed out 5000ms waiting for expect(locator).toHaveURL(expected) Locator: locator(':root') Expected pattern: /wp-admin\/install\.php$/ Received string: "http://localhost:8889/" Call log: - should redirect to the installation page with timeout 5000ms - waiting for locator(':root') - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" 38 | page, 39 | 'should redirect to the installation page' > 40 | ).toHaveURL( /wp-admin\/install\.php$/ ); | ^ 41 | 42 | await expect( 43 | page.getByText( /WordPress database error/ ), at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/install.test.js:40:5

Check failure on line 40 in tests/e2e/specs/install.test.js

GitHub Actions / Test with SCRIPT_DEBUG enabled / Run E2E tests

[chromium] › install.test.js:34:6 › WordPress installation process › should install WordPress with pre-existing database credentials

1) [chromium] › install.test.js:34:6 › WordPress installation process › should install WordPress with pre-existing database credentials Error: should redirect to the installation page Timed out 5000ms waiting for expect(locator).toHaveURL(expected) Locator: locator(':root') Expected pattern: /wp-admin\/install\.php$/ Received string: "http://localhost:8889/" Call log: - should redirect to the installation page with timeout 5000ms - waiting for locator(':root') - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" - locator resolved to <html lang="en-US">…</html> - unexpected value "http://localhost:8889/" 38 | page, 39 | 'should redirect to the installation page' > 40 | ).toHaveURL( /wp-admin\/install\.php$/ ); | ^ 41 | 42 | await expect( 43 | page.getByText( /WordPress database error/ ), at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/install.test.js:40:5
await expect(
page.getByText( /WordPress database error/ ),
}
async create(applicationName = TEST_APPLICATION_NAME) {
await this.admin.visitAdminPage( '/profile.php' );

Check failure on line 98 in tests/e2e/specs/profile/applications-passwords.test.js

GitHub Actions / Test with SCRIPT_DEBUG disabled / Run E2E tests

[chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password

2) [chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password Error: Not logged in 96 | 97 | async create(applicationName = TEST_APPLICATION_NAME) { > 98 | await this.admin.visitAdminPage( '/profile.php' ); | ^ 99 | 100 | const newPasswordField = this.page.getByRole( 'textbox', { name: 'New Application Password Name' } ); 101 | await expect( newPasswordField ).toBeVisible(); at Admin.visitAdminPage (/home/runner/work/wordpress-develop/wordpress-develop/node_modules/@wordpress/e2e-test-utils-playwright/src/admin/visit-admin-page.ts:36:9) at ApplicationPasswords.create (/home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:98:3) at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:23:3

Check failure on line 98 in tests/e2e/specs/profile/applications-passwords.test.js

GitHub Actions / Test with SCRIPT_DEBUG disabled / Run E2E tests

[chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password

2) [chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password Retry #1 ─────────────────────────────────────────────────────────────────────────────────────── Error: Not logged in 96 | 97 | async create(applicationName = TEST_APPLICATION_NAME) { > 98 | await this.admin.visitAdminPage( '/profile.php' ); | ^ 99 | 100 | const newPasswordField = this.page.getByRole( 'textbox', { name: 'New Application Password Name' } ); 101 | await expect( newPasswordField ).toBeVisible(); at Admin.visitAdminPage (/home/runner/work/wordpress-develop/wordpress-develop/node_modules/@wordpress/e2e-test-utils-playwright/src/admin/visit-admin-page.ts:36:9) at ApplicationPasswords.create (/home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:98:3) at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:23:3

Check failure on line 98 in tests/e2e/specs/profile/applications-passwords.test.js

GitHub Actions / Test with SCRIPT_DEBUG enabled / Run E2E tests

[chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password

2) [chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password Error: Not logged in 96 | 97 | async create(applicationName = TEST_APPLICATION_NAME) { > 98 | await this.admin.visitAdminPage( '/profile.php' ); | ^ 99 | 100 | const newPasswordField = this.page.getByRole( 'textbox', { name: 'New Application Password Name' } ); 101 | await expect( newPasswordField ).toBeVisible(); at Admin.visitAdminPage (/home/runner/work/wordpress-develop/wordpress-develop/node_modules/@wordpress/e2e-test-utils-playwright/src/admin/visit-admin-page.ts:36:9) at ApplicationPasswords.create (/home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:98:3) at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:23:3

Check failure on line 98 in tests/e2e/specs/profile/applications-passwords.test.js

GitHub Actions / Test with SCRIPT_DEBUG enabled / Run E2E tests

[chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password

2) [chromium] › profile/applications-passwords.test.js:19:6 › Manage applications passwords › should correctly create a new application password Retry #1 ─────────────────────────────────────────────────────────────────────────────────────── Error: Not logged in 96 | 97 | async create(applicationName = TEST_APPLICATION_NAME) { > 98 | await this.admin.visitAdminPage( '/profile.php' ); | ^ 99 | 100 | const newPasswordField = this.page.getByRole( 'textbox', { name: 'New Application Password Name' } ); 101 | await expect( newPasswordField ).toBeVisible(); at Admin.visitAdminPage (/home/runner/work/wordpress-develop/wordpress-develop/node_modules/@wordpress/e2e-test-utils-playwright/src/admin/visit-admin-page.ts:36:9) at ApplicationPasswords.create (/home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:98:3) at /home/runner/work/wordpress-develop/wordpress-develop/tests/e2e/specs/profile/applications-passwords.test.js:23:3
const newPasswordField = this.page.getByRole( 'textbox', { name: 'New Application Password Name' } );
await expect( newPasswordField ).toBeVisible();