[wp-trac] [WordPress Trac] #56335: use hash_equals to check password hash

WordPress Trac noreply at wordpress.org
Thu Aug 4 22:43:13 UTC 2022


#56335: use hash_equals to check password hash
-------------------------+-----------------------------
 Reporter:  hanshenrik   |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:  trunk
 Severity:  trivial      |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 Today in wp-includes/class-phpass.php, under function CheckPassword, we find

 ```
         # This is not constant-time.  In order to keep the code simple,
         # for timing safety we currently rely on the salts being
         # unpredictable, which they are at least in the non-fallback
         # cases (that is, when we use /dev/urandom and bcrypt).
         return $hash === $stored_hash;
 ```
 And while I agree that a constant-time comparison is probably not needed,
 it's a trivial change to fix it, and better safe than sorry. I suggest
 changing it to
 ```
         if ( PHP_VERSION_ID >= 50600 ) {
                 return hash_equals( $stored_hash, $hash );
         } else {
                 # This is not constant-time.  In order to keep the code simple,
                 # for timing safety we currently rely on the salts being
                 # unpredictable, which they are at least in the non-fallback
                 # cases (that is, when we use /dev/urandom and bcrypt).
                 return $hash === $stored_hash;
         }
 ```

 PHP_VERSION_ID was introduced in 5.2.7, and I doubt WordPress still needs
 to support PHP 5.2. Unsure if WordPress still supports 5.5? If the answer is
 no, the entire PHP_VERSION_ID check can be removed.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56335>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
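The ticket's else branch keeps the non-constant-time `===` for PHP releases that lack `hash_equals()`. The following is an added example, not WordPress or phpass code, showing what a constant-time fallback for that branch looks like and how a wrapper can select the native function when it exists. The function names `wp_example_hash_equals` and `wp_example_compare_hashes` and the sample hash strings are assumptions constructed for this illustration.

```php
<?php
// Added example (not WordPress core code): a constant-time string comparison
// that mirrors hash_equals() for PHP < 5.6, plus a wrapper that prefers the
// native function when it is available.

/**
 * Constant-time comparison fallback for PHP builds without hash_equals().
 * Like hash_equals(), both arguments must be strings and the result is false
 * on a length mismatch. The byte loop never exits early, so the time taken
 * depends only on strlen($known), not on where the first differing byte is.
 */
function wp_example_hash_equals( $known, $user ) {
	if ( ! is_string( $known ) || ! is_string( $user ) ) {
		// hash_equals() warns (PHP 5.6/7) or throws (PHP 8) here; the
		// fallback simply refuses to match non-strings.
		return false;
	}
	$known_len = strlen( $known );
	if ( $known_len !== strlen( $user ) ) {
		// The length of a stored hash is not secret, so returning early on a
		// length mismatch does not leak anything about its contents.
		return false;
	}
	$diff = 0;
	for ( $i = 0; $i < $known_len; $i++ ) {
		// OR together the XOR of every byte pair; any mismatch sets a bit.
		$diff |= ord( $known[ $i ] ) ^ ord( $user[ $i ] );
	}
	return 0 === $diff;
}

/**
 * CheckPassword-style comparison: native hash_equals() on PHP >= 5.6,
 * otherwise the constant-time fallback above instead of a plain ===.
 */
function wp_example_compare_hashes( $stored_hash, $hash ) {
	if ( function_exists( 'hash_equals' ) ) {
		return hash_equals( $stored_hash, $hash );
	}
	return wp_example_hash_equals( $stored_hash, $hash );
}

// Constructed sample values for illustration; these are not real password hashes.
$stored   = '$P$Bexamplehashvalue1234567890abcdefgh';
$attempt1 = '$P$Bexamplehashvalue1234567890abcdefgh';
$attempt2 = '$P$Bexamplehashvalue1234567890abcdefgX';

var_dump( wp_example_compare_hashes( $stored, $attempt1 ) );
var_dump( wp_example_compare_hashes( $stored, $attempt2 ) );
var_dump( wp_example_compare_hashes( $stored, 'too short' ) );
```

The argument order matters: the known (stored) value goes first, as with `hash_equals()`, so the loop length is fixed by the stored hash rather than by whatever the caller supplied.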
