From cc39c6870646e74e98c507c59b181d3447396de3 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Thu, 3 Apr 2025 14:38:27 +0000 Subject: [PATCH] Application Passwords: Correct the fallback behaviour for application passwords that don't use a generic hash. Application passwords that aren't hashed using BLAKE2b should be checked using wp_check_password() rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden wp_hash_password() function that uses an alternative hashing algorithm. Reviewed by audrasjb. Merges [60123] into the 6.8 branch. Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion. Fixes #63203 Built from https://develop.svn.wordpress.org/branches/6.8@60125 git-svn-id: http://core.svn.wordpress.org/branches/6.8@59461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-application-passwords.php | 8 ++++++++
 wp-includes/functions.php | 4 ++--
 wp-includes/version.php | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/wp-includes/class-wp-application-passwords.php b/wp-includes/class-wp-application-passwords.php
index 8ed02dd6f3..6e84e0a2b2 100644
--- a/wp-includes/class-wp-application-passwords.php
+++ b/wp-includes/class-wp-application-passwords.php
@@ -502,6 +502,14 @@ class WP_Application_Passwords {
 string $password,
 string $hash
 ): bool {
+ if ( ! str_starts_with( $hash, '$generic$' ) ) {
+ /* * If the hash doesn't start with `$generic$`, it is a hash created with `wp_hash_password()`. * This is the case for application passwords created before 6.8.0. */
+ return wp_check_password( $password, $hash );
+ }
+ return wp_verify_fast_hash( $password, $hash );
 }
 }
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index ec6cc616dc..f12e925a69 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
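Review bot: The added `return wp_check_password( $password, $hash );` intentionally omits wp_check_password()'s optional third `$user_id` argument, and the new comment block should say so, because if I read core's wp_check_password() correctly the three-argument form calls wp_set_password() after a successful legacy-hash check, which here would overwrite the account's `user_pass` with the application password. I'd add to the new comment: `* Deliberately no $user_id: wp_check_password() would otherwise rehash and store this application password as the account password.` A related gap, presumably for the caller rather than this bool-returning method: a pre-6.8 application password now takes the slower wp_check_password() path on every use, so if the stored hash is not upgraded to wp_fast_hash() after a successful check, that is worth adding where the password item is updated. The enclosing method's signature starts outside the hunk.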
@@ -9150,8 +9150,8 @@ function wp_fast_hash(
 * Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().
 *
 * The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,
- * the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords
- * which were hashed using phpass prior to WordPress 6.8.0.
+ * the hash is treated as a phpass portable hash in order to provide backward compatibility for passwords and security
+ * keys which were hashed using phpass prior to WordPress 6.8.0.
 *
 * @since 6.8.0
 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5a0660c9c4..ec60b1a6e1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-RC2-60118';
+$wp_version = '6.8-RC2-60125';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
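Review bot: The rewritten docblock lines `for passwords and security` / `keys which were hashed using phpass` are vaguer than the text they replace, and "passwords" risks being read as account passwords, which as far as I can tell are verified by wp_check_password() rather than by this phpass fallback. If the remaining users of the fallback are post passwords and reset/request keys, name them: `* the hash is treated as a phpass portable hash in order to provide backward compatibility for values such as post passwords and` / `* password reset keys which were hashed using phpass prior to WordPress 6.8.0.` The docblock and the body of wp_verify_fast_hash() continue outside the hunk.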