Introduce NONCE_SALT and NONCE_KEY

git-svn-id: http://svn.automattic.com/wordpress/trunk@10120 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-config-sample.php

@@ -44,6 +44,7 @@ define('DB_COLLATE', '');
 define('AUTH_KEY', 'put your unique phrase here');
 define('SECURE_AUTH_KEY', 'put your unique phrase here');
 define('LOGGED_IN_KEY', 'put your unique phrase here');
+define('NONCE_KEY', 'put your unique phrase here');
 /**#@-*/
 
 /**

wp-includes/pluggable.php

@@ -1159,10 +1159,10 @@ function wp_verify_nonce($nonce, $action = -1) {
 	$i = wp_nonce_tick();
 
 	// Nonce generated 0-12 hours ago
-	if ( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce )
+	if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
 		return 1;
 	// Nonce generated 12-24 hours ago
-	if ( substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
+	if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
 		return 2;
 	// Invalid nonce
 	return false;
@@ -1184,7 +1184,7 @@ function wp_create_nonce($action = -1) {
 
 	$i = wp_nonce_tick();
 
-	return substr(wp_hash($i . $action . $uid), -12, 10);
+	return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
 }
 endif;
 
@@ -1272,6 +1272,19 @@ function wp_salt($scheme = 'auth') {
 				update_option('logged_in_salt', $salt);
 			}
 		}
+	} elseif ( 'nonce' == $scheme ) {
+		if ( defined('NONCE_KEY') && ('' != NONCE_KEY) && ( $wp_default_secret_key != NONCE_KEY) )
+			$secret_key = NONCE_KEY;
+
+		if ( defined('NONCE_SALT') ) {
+			$salt = NONCE_SALT;
+		} else {
+			$salt = get_option('nonce_salt');
+			if ( empty($salt) ) {
+				$salt = wp_generate_password();
+				update_option('nonce_salt', $salt);
+			}
+		}
 	} else {
 		// ensure each auth scheme has its own unique salt
 		$salt = hash_hmac('md5', $scheme, $secret_key);