johnbillion · johnbillion · Dec 12, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
@@ -2622,22 +2622,54 @@ function wp_hash_password( $password ) {
 			return '*';
 		}
 
+		/**
+		 * Filters the hashing algorithm to use in the password_hash() and password_needs_rehash() functions.
+		 *
+		 * The default is the value of the `PASSWORD_BCRYPT` constant which means bcrypt is used.
+		 *
+		 * **Important:** The only password hashing algorithm that is guaranteed to be available across PHP
+		 * installations is bcrypt. If you use any other algorithm you must make sure that it is available on
+		 * the server. The `password_algos()` function can be used to check which hashing algorithms are available.
+		 *
+		 * The hashing options can be controlled via the {@see 'wp_hash_password_options'} filter.
+		 *
+		 * Other available constants include:
+		 *
+		 * - `PASSWORD_ARGON2I`
+		 * - `PASSWORD_ARGON2ID`
+		 * - `PASSWORD_DEFAULT`
+		 *
+		 * @since x.y.z
+		 *
+		 * @param string $algorithm The hashing algorithm. Default is the value of the `PASSWORD_BCRYPT` constant.
+		 */
+		$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );
+
 		/**
 		 * Filters the options passed to the password_hash() and password_needs_rehash() functions.
 		 *
+		 * The default hashing algorithm is bcrypt, but this can be changed via the {@see 'wp_hash_password_algorithm'}
+		 * filter. You must ensure that the options are appropriate for the algorithm in use.
+		 *
 		 * @since x.y.z
 		 *
-		 * @param array $options Array of options to pass to the password hashing functions.
-		 *                       By default this is an empty array which means the default
-		 *                       options will be used.
+		 * @param array $options    Array of options to pass to the password hashing functions.
+		 *                          By default this is an empty array which means the default
+		 *                          options will be used.
+		 * @param string $algorithm The hashing algorithm in use.
 		 */
-		$options = apply_filters( 'wp_hash_password_options', array() );
+		$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );
+
+		// Algorithms other than bcrypt don't need to use pre-hashing.
+		if ( PASSWORD_BCRYPT !== $algorithm ) {
+			return password_hash( $password, $algorithm, $options );
+		}
 
 		// Use sha384 to retain entropy from a password that's longer than 72 bytes, and a wp-sha384 key for domain separation.
 		$password_to_hash = base64_encode( hash_hmac( 'sha384', trim( $password ), 'wp-sha384', true ) );
 
 		// Add a `wp-` prefix to facilitate distinguishing vanilla bcrypt hashes.
-		return 'wp-' . password_hash( $password_to_hash, PASSWORD_BCRYPT, $options );
+		return 'wp-' . password_hash( $password_to_hash, $algorithm, $options );
 	}
 endif;
 
@@ -2736,14 +2768,20 @@ function wp_password_needs_rehash( $hash ) {
 			return false;
 		}
 
-		if ( ! str_starts_with( $hash, 'wp-' ) ) {
-			return true;
-		}
+		/** This filter is documented in wp-includes/pluggable.php */
+		$algorithm = apply_filters( 'wp_hash_password_algorithm', PASSWORD_BCRYPT );
 
 		/** This filter is documented in wp-includes/pluggable.php */
-		$options = apply_filters( 'wp_hash_password_options', array() );
+		$options = apply_filters( 'wp_hash_password_options', array(), $algorithm );
+
+		if ( str_starts_with( $hash, 'wp-' ) ) {
+			$hash = substr( $hash, 3 );
+		} else if ( PASSWORD_BCRYPT === $algorithm ) {
+			// Vanilla bcrypt hashes should be rehashed to use pre-hashing.
+			return true;
+		}
 
-		return password_needs_rehash( substr( $hash, 3 ), PASSWORD_BCRYPT, $options );
+		return password_needs_rehash( $hash, $algorithm, $options );
 	}
 endif;
 

diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
@@ -883,11 +883,7 @@ function post_password_required( $post = null ) {
 	}
 
 	$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
-	if ( ! str_starts_with( $hash, '$' ) ) {
-		$required = true;
-	} else {
-		$required = ! wp_check_password( $post->post_password, $hash );
-	}
+	$required = ! wp_check_password( $post->post_password, $hash );
 
 	/**
 	 * Filters whether a post requires the user to supply a password.

diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
@@ -1101,6 +1101,23 @@ public function data_usernames() {
 		);
 	}
 
+	/**
+	 * @ticket 21022
+	 * @ticket 50027
+	 */
+	public function test_password_hashing_algorithm_can_be_filtered() {
+		$password = 'password';
+
+		$filter_count_before = did_filter( 'wp_hash_password_algorithm' );
+
+		$wp_hash = wp_hash_password( $password );
+
+		wp_check_password( $password, $wp_hash );
+		wp_password_needs_rehash( $wp_hash );
+
+		$this->assertSame( $filter_count_before + 2, did_filter( 'wp_hash_password_algorithm' ) );
+	}
+
 	/**
 	 * @ticket 21022
 	 * @ticket 50027