Application Passwords: Correct the fallback behaviour for application passwords that don't use a generic hash.

johnbillion · johnbillion · commit ff65b7e17897 · 2025-04-03T13:51:28.000Z
Application passwords that aren't hashed using BLAKE2b should be checked using `wp_check_password()` rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden `wp_hash_password()` function that uses an alternative hashing algorithm. Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion. Fixes #63203 git-svn-id: https://develop.svn.wordpress.org/trunk@60123 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp-application-passwords.php b/src/wp-includes/class-wp-application-passwords.php
@@ -502,6 +502,14 @@ public static function check_password(
 		string $password,
 		string $hash
 	): bool {
+		if ( ! str_starts_with( $hash, '$generic$' ) ) {
+			/*
+			 * If the hash doesn't start with `$generic$`, it is a hash created with `wp_hash_password()`.
+			 * This is the case for application passwords created before 6.8.0.
+			 */
+			return wp_check_password( $password, $hash );
+		}
+
 		return wp_verify_fast_hash( $password, $hash );
 	}
 }
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -9149,8 +9149,8 @@ function wp_fast_hash(
  * Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().
  *
  * The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,
- * the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords
- * which were hashed using phpass prior to WordPress 6.8.0.
+ * the hash is treated as a phpass portable hash in order to provide backward compatibility for passwords and security
+ * keys which were hashed using phpass prior to WordPress 6.8.0.
  *
  * @since 6.8.0
  *
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
@@ -1134,6 +1134,29 @@ public function test_phpass_application_password_is_accepted() {
 		$this->assertSame( self::$user_id, $user->ID );
 	}
 
+	/**
+	 * @ticket 21022
+	 * @ticket 63203
+	 */
+	public function test_plain_bcrypt_application_password_is_accepted() {
+		add_filter( 'application_password_is_api_request', '__return_true' );
+		add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+		$password = 'password';
+
+		// Set an application password with plain bcrypt, which mimics a password that was hashed with
+		// a custom `wp_hash_password()` in use.
+		$uuid = self::set_application_password_with_plain_bcrypt( $password, self::$user_id );
+
+		// Authenticate.
+		$user = wp_authenticate_application_password( null, self::USER_LOGIN, $password );
+
+		// Verify that the plain bcrypt hash for the application password was valid.
+		$this->assertNotWPError( $user );
+		$this->assertInstanceOf( 'WP_User', $user );
+		$this->assertSame( self::$user_id, $user->ID );
+	}
+
 	/**
 	 * @dataProvider data_usernames
 	 *
@@ -1591,6 +1614,19 @@ public function test_application_password_authentication() {
 		$this->assertSame( $item['uuid'], rest_get_authenticated_app_password() );
 	}
 
+	/**
+	 * @ticket 21022
+	 * @ticket 63203
+	 *
+	 * @covers WP_Application_Passwords::create_new_application_password
+	 */
+	public function test_application_password_is_hashed_with_fast_hash() {
+		// Create a new app-only password.
+		list( , $item ) = WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+		$this->assertStringStartsWith( '$generic$', $item['password'] );
+	}
+
 	/**
 	 * @ticket 42790
 	 */
@@ -1963,6 +1999,37 @@ private static function set_user_password_with_plain_bcrypt( string $password, i
 		clean_user_cache( $user_id );
 	}
 
+	/**
+	 * Test the tests
+	 *
+	 * @covers Tests_Auth::set_application_password_with_plain_bcrypt
+	 *
+	 * @ticket 21022
+	 * @ticket 63203
+	 */
+	public function test_set_application_password_with_plain_bcrypt() {
+		// Set an application password with the plain_bcrypt algorithm.
+		$uuid = self::set_application_password_with_plain_bcrypt( 'password', self::$user_id );
+
+		// Ensure the password is hashed with plain_bcrypt.
+		$hash = WP_Application_Passwords::get_user_application_password( self::$user_id, $uuid )['password'];
+		$this->assertStringStartsWith( '$2y$', $hash );
+	}
+
+	/**
+	 * Creates an application password that is hashed using bcrypt instead of the generic algorithm.
+	 *
+	 * This is ultimately used to mimic a plugged version of `wp_hash_password()` that uses bcrypt and
+	 * facilitate backwards compatibility testing.
+	 *
+	 * @param string $password The password to hash.
+	 * @param int    $user_id  The user ID to associate the password with.
+	 * @return string The UUID of the application password.
+	 */
+	private static function set_application_password_with_plain_bcrypt( string $password, int $user_id ) {
+		return self::set_application_password( password_hash( $password, PASSWORD_BCRYPT ), $user_id );
+	}
+
 	/**
 	 * Test the tests
 	 *
@@ -1979,13 +2046,33 @@ public function test_set_application_password_with_phpass() {
 		$this->assertStringStartsWith( '$P$', $hash );
 	}
 
+	/**
+	 * Creates an application password that is hashed using a phpass portable hash instead of the generic algorithm.
+	 *
+	 * This facilitate backwards compatibility testing.
+	 *
+	 * @param string $password The password to hash.
+	 * @param int    $user_id  The user ID to associate the password with.
+	 * @return string The UUID of the application password.
+	 */
 	private static function set_application_password_with_phpass( string $password, int $user_id ) {
+		return self::set_application_password( self::$wp_hasher->HashPassword( $password ), $user_id );
+	}
+
+	/**
+	 * Creates an application password using the given password hash.
+	 *
+	 * @param string $hash    The password hash.
+	 * @param int    $user_id The user ID to associate the password with.
+	 * @return string The UUID of the application password.
+	 */
+	private static function set_application_password( string $hash, int $user_id ) {
 		$uuid = wp_generate_uuid4();
 		$item = array(
 			'uuid'      => $uuid,
 			'app_id'    => '',
 			'name'      => 'Test',
-			'password'  => self::$wp_hasher->HashPassword( $password ),
+			'password'  => $hash,
 			'created'   => time(),
 			'last_used' => null,
 			'last_ip'   => null,

Original file line number	Diff line number	Diff line change
`@@ -9149,8 +9149,8 @@ function wp_fast_hash(`
`9149`	`9149`	`* Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().`
`9150`	`9150`	`*`
`9151`	`9151`	`* The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,`
`9152`		`- * the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords`
`9153`		`- * which were hashed using phpass prior to WordPress 6.8.0.`
	`9152`	`+ * the hash is treated as a phpass portable hash in order to provide backward compatibility for passwords and security`
	`9153`	`+ * keys which were hashed using phpass prior to WordPress 6.8.0.`
`9154`	`9154`	`*`
`9155`	`9155`	`* @since 6.8.0`
`9156`	`9156`	`*`