diff --git a/wp-includes/class-phpass.php b/wp-includes/class-phpass.php
new file mode 100644
index 000000000..550a01b70
--- /dev/null
+++ b/wp-includes/class-phpass.php
@@ -0,0 +1,248 @@
+ in 2004-2006 and placed in
+# the public domain.
+#
+# There's absolutely no warranty.
+#
+# The homepage URL for this framework is:
+#
+# http://www.openwall.com/phpass/
+#
+# Please be sure to update the Version line if you edit this file in any way.
+# It is suggested that you leave the main version number intact, but indicate
+# your project name (after the slash) and add your own revision information.
+#
+# Please do not change the "private" password hashing method implemented in
+# here, thereby making your hashes incompatible. However, if you must, please
+# change the hash type identifier (the "$P$") to something different.
+#
+# Obviously, since this code is in the public domain, the above are not
+# requirements (there can be none), but merely suggestions.
+#
+class PasswordHash {
+ var $itoa64;
+ var $iteration_count_log2;
+ var $portable_hashes;
+ var $random_state;
+
+ function PasswordHash($iteration_count_log2, $portable_hashes)
+ {
+ $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+
+ if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
+ $iteration_count_log2 = 8;
+ $this->iteration_count_log2 = $iteration_count_log2;
+
+ $this->portable_hashes = $portable_hashes;
+
+ $this->random_state = microtime() . getmypid();
+ }
+
+ function get_random_bytes($count)
+ {
+ $output = '';
+ if (($fh = @fopen('/dev/urandom', 'rb'))) {
+ $output = fread($fh, $count);
+ fclose($fh);
+ }
+
+ if (strlen($output) < $count) {
+ $output = '';
+ for ($i = 0; $i < $count; $i += 16) {
+ $this->random_state =
+ md5(microtime() . $this->random_state);
+ $output .=
+ pack('H*', md5($this->random_state));
+ }
+ $output = substr($output, 0, $count);
+ }
+
+ return $output;
+ }
+
+ function encode64($input, $count)
+ {
+ $output = '';
+ $i = 0;
+ do {
+ $value = ord($input[$i++]);
+ $output .= $this->itoa64[$value & 0x3f];
+ if ($i < $count)
+ $value |= ord($input[$i]) << 8;
+ $output .= $this->itoa64[($value >> 6) & 0x3f];
+ if ($i++ >= $count)
+ break;
+ if ($i < $count)
+ $value |= ord($input[$i]) << 16;
+ $output .= $this->itoa64[($value >> 12) & 0x3f];
+ if ($i++ >= $count)
+ break;
+ $output .= $this->itoa64[($value >> 18) & 0x3f];
+ } while ($i < $count);
+
+ return $output;
+ }
+
+ function gensalt_private($input)
+ {
+ $output = '$P$';
+ $output .= $this->itoa64[min($this->iteration_count_log2 +
+ ((PHP_VERSION >= '5') ? 5 : 3), 30)];
+ $output .= $this->encode64($input, 6);
+
+ return $output;
+ }
+
+ function crypt_private($password, $setting)
+ {
+ $output = '*0';
+ if (substr($setting, 0, 2) == $output)
+ $output = '*1';
+
+ if (substr($setting, 0, 3) != '$P$')
+ return $output;
+
+ $count_log2 = strpos($this->itoa64, $setting[3]);
+ if ($count_log2 < 7 || $count_log2 > 30)
+ return $output;
+
+ $count = 1 << $count_log2;
+
+ $salt = substr($setting, 4, 8);
+ if (strlen($salt) != 8)
+ return $output;
+
+ # We're kind of forced to use MD5 here since it's the only
+ # cryptographic primitive available in all versions of PHP
+ # currently in use. To implement our own low-level crypto
+ # in PHP would result in much worse performance and
+ # consequently in lower iteration counts and hashes that are
+ # quicker to crack (by non-PHP code).
+ if (PHP_VERSION >= '5') {
+ $hash = md5($salt . $password, TRUE);
+ do {
+ $hash = md5($hash . $password, TRUE);
+ } while (--$count);
+ } else {
+ $hash = pack('H*', md5($salt . $password));
+ do {
+ $hash = pack('H*', md5($hash . $password));
+ } while (--$count);
+ }
+
+ $output = substr($setting, 0, 12);
+ $output .= $this->encode64($hash, 16);
+
+ return $output;
+ }
+
+ function gensalt_extended($input)
+ {
+ $count_log2 = min($this->iteration_count_log2 + 8, 24);
+ # This should be odd to not reveal weak DES keys, and the
+ # maximum valid value is (2**24 - 1) which is odd anyway.
+ $count = (1 << $count_log2) - 1;
+
+ $output = '_';
+ $output .= $this->itoa64[$count & 0x3f];
+ $output .= $this->itoa64[($count >> 6) & 0x3f];
+ $output .= $this->itoa64[($count >> 12) & 0x3f];
+ $output .= $this->itoa64[($count >> 18) & 0x3f];
+
+ $output .= $this->encode64($input, 3);
+
+ return $output;
+ }
+
+ function gensalt_blowfish($input)
+ {
+ # This one needs to use a different order of characters and a
+ # different encoding scheme from the one in encode64() above.
+ # We care because the last character in our encoded string will
+ # only represent 2 bits. While two known implementations of
+ # bcrypt will happily accept and correct a salt string which
+ # has the 4 unused bits set to non-zero, we do not want to take
+ # chances and we also do not want to waste an additional byte
+ # of entropy.
+ $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+
+ $output = '$2a$';
+ $output .= chr(ord('0') + $this->iteration_count_log2 / 10);
+ $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
+ $output .= '$';
+
+ $i = 0;
+ do {
+ $c1 = ord($input[$i++]);
+ $output .= $itoa64[$c1 >> 2];
+ $c1 = ($c1 & 0x03) << 4;
+ if ($i >= 16) {
+ $output .= $itoa64[$c1];
+ break;
+ }
+
+ $c2 = ord($input[$i++]);
+ $c1 |= $c2 >> 4;
+ $output .= $itoa64[$c1];
+ $c1 = ($c2 & 0x0f) << 2;
+
+ $c2 = ord($input[$i++]);
+ $c1 |= $c2 >> 6;
+ $output .= $itoa64[$c1];
+ $output .= $itoa64[$c2 & 0x3f];
+ } while (1);
+
+ return $output;
+ }
+
+ function HashPassword($password)
+ {
+ $random = '';
+
+ if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
+ $random = $this->get_random_bytes(16);
+ $hash =
+ crypt($password, $this->gensalt_blowfish($random));
+ if (strlen($hash) == 60)
+ return $hash;
+ }
+
+ if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
+ if (strlen($random) < 3)
+ $random = $this->get_random_bytes(3);
+ $hash =
+ crypt($password, $this->gensalt_extended($random));
+ if (strlen($hash) == 20)
+ return $hash;
+ }
+
+ if (strlen($random) < 6)
+ $random = $this->get_random_bytes(6);
+ $hash =
+ $this->crypt_private($password,
+ $this->gensalt_private($random));
+ if (strlen($hash) == 34)
+ return $hash;
+
+ # Returning '*' on error is safe here, but would _not_ be safe
+ # in a crypt(3)-like function used _both_ for generating new
+ # hashes and for validating passwords against existing hashes.
+ return '*';
+ }
+
+ function CheckPassword($password, $stored_hash)
+ {
+ $hash = $this->crypt_private($password, $stored_hash);
+ if ($hash[0] == '*')
+ $hash = crypt($password, $stored_hash);
+
+ return $hash == $stored_hash;
+ }
+}
+
+?>
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index bf91e058e..4a773b270 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -307,21 +307,32 @@ function wp_login($username, $password, $already_md5 = false) {
}
$login = get_userdatabylogin($username);
- //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
- if (!$login) {
+ if ( !$login || ($login->user_login != $username) ) {
$error = __('ERROR: Invalid username.');
return false;
- } else {
- // If the password is already_md5, it has been double hashed.
- // Otherwise, it is plain text.
- if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
- return true;
- } else {
- $error = __('ERROR: Incorrect password.');
- return false;
- }
}
+
+ // If the password is already_md5, it has been double hashed.
+ // Otherwise, it is plain text.
+ if ( !$already_md5 ) {
+ if ( wp_check_password($password, $login->user_pass) ) {
+ // If using old md5 password, rehash.
+ if ( strlen($login->user_pass) <= 32 ) {
+ $hash = wp_hash_password($password);
+ $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
+ wp_cache_delete($login->ID, 'users');
+ }
+
+ return true;
+ }
+ } else {
+ if ( md5($login->user_pass) == $password )
+ return true;
+ }
+
+ $error = __('ERROR: Incorrect password.');
+ return false;
}
endif;
@@ -473,8 +484,10 @@ endif;
if ( !function_exists('wp_setcookie') ) :
function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
- if ( !$already_md5 )
- $password = md5( md5($password) ); // Double hash the password in the cookie.
+ $user = get_userdatabylogin($username);
+ if ( !$already_md5) {
+ $password = md5($user->user_pass); // Double hash the password in the cookie.
+ }
if ( empty($home) )
$cookiepath = COOKIEPATH;
@@ -700,4 +713,37 @@ function wp_hash($data) {
}
endif;
+if ( !function_exists('wp_hash_password') ) :
+function wp_hash_password($password) {
+ global $wp_hasher;
+
+ if ( empty($wp_hasher) ) {
+ require_once( ABSPATH . 'wp-includes/class-phpass.php');
+ // By default, use the portable hash from phpass
+ $wp_hasher = new PasswordHash(8, TRUE);
+ }
+
+ return $wp_hasher->HashPassword($password);
+}
+endif;
+
+if ( !function_exists('wp_check_password') ) :
+function wp_check_password($password, $hash) {
+ global $wp_hasher;
+
+ if ( strlen($hash) <= 32 )
+ return ( $hash == md5($password) );
+
+ // If the stored hash is longer than an MD5, presume the
+ // new style phpass portable hash.
+ if ( empty($wp_hasher) ) {
+ require_once( ABSPATH . 'wp-includes/class-phpass.php');
+ // By default, use the portable hash from phpass
+ $wp_hasher = new PasswordHash(8, TRUE);
+ }
+
+ return $wp_hasher->CheckPassword($password, $hash);
+}
+endif;
+
?>
diff --git a/wp-includes/registration.php b/wp-includes/registration.php
index a5a6f9727..7f7b7d2a3 100644
--- a/wp-includes/registration.php
+++ b/wp-includes/registration.php
@@ -54,8 +54,8 @@ function wp_insert_user($userdata) {
$update = true;
} else {
$update = false;
- // Password is not hashed when creating new user.
- $user_pass = md5($user_pass);
+ // Hash the password
+ $user_pass = wp_hash_password($user_pass);
}
$user_login = sanitize_user($user_login, true);
@@ -156,7 +156,7 @@ function wp_update_user($userdata) {
// If password is changing, hash it now.
if ( ! empty($userdata['user_pass']) ) {
$plaintext_pass = $userdata['user_pass'];
- $userdata['user_pass'] = md5($userdata['user_pass']);
+ $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
}
// Merge old and new fields with new fields overwriting old ones.
@@ -207,4 +207,4 @@ function create_user($username, $password, $email) {
return wp_create_user($username, $password, $email);
}
-?>
\ No newline at end of file
+?>
diff --git a/wp-includes/user.php b/wp-includes/user.php
index de2b703a3..1693fa4b1 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -16,8 +16,7 @@ function get_usernumposts($userid) {
// TODO: xmlrpc only. Maybe move to xmlrpc.php.
function user_pass_ok($user_login,$user_pass) {
$userdata = get_userdatabylogin($user_login);
-
- return (md5($user_pass) == $userdata->user_pass);
+ return wp_check_password($user_pass, $userdata->user_pass);
}
//
diff --git a/wp-login.php b/wp-login.php
index a0817510a..5be7b3487 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -184,9 +184,9 @@ case 'rp' :
// Generate something random for a password... md5'ing current time with a rand salt
$new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
- $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
+ $new_hash = wp_hash_password($new_pass);
+ $wpdb->query("UPDATE $wpdb->users SET user_pass = '$new_hash', user_activation_key = '' WHERE ID = '$user->ID'");
wp_cache_delete($user->ID, 'users');
- wp_cache_delete($user->user_login, 'userlogins');
$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
$message .= get_option('siteurl') . "/wp-login.php\r\n";