Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.


git-svn-id: https://develop.svn.wordpress.org/trunk@55397 602fd350-edb4-49c9-b593-d223f7449a82

Author: TimothyBJacobs

src/wp-includes/class-wp-recovery-mode-key-service.php

@@ -85,12 +85,15 @@ public function generate_and_store_recovery_mode_key( $token ) {
 	 *
 	 * @since 5.2.0
 	 *
+	 * @global PasswordHash $wp_hasher
+	 *
 	 * @param string $token The token used when generating the given key.
 	 * @param string $key   The unhashed key.
 	 * @param int    $ttl   Time in seconds for the key to be valid for.
 	 * @return true|WP_Error True on success, error object on failure.
 	 */
 	public function validate_recovery_mode_key( $token, $key, $ttl ) {
+		global $wp_hasher;
 
 		$records = $this->get_keys();
 
@@ -106,7 +109,12 @@ public function validate_recovery_mode_key( $token, $key, $ttl ) {
 			return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
 		}
 
-		if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
+		if ( empty( $wp_hasher ) ) {
+			require_once ABSPATH . WPINC . '/class-phpass.php';
+			$wp_hasher = new PasswordHash( 8, true );
+		}
+
+		if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
 			return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
 		}