[wp-trac] [WordPress Trac] #35290: Use CSPRNG to generate salt instead of API, if possible.
WordPress Trac
noreply at wordpress.org
Sat Jan 2 22:31:21 UTC 2016
#35290: Use CSPRNG to generate salt instead of API, if possible.
----------------------------+-----------------------------
Reporter: sarciszewski | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
https://security.stackexchange.com/questions/61676/why-do-wordpress-installations-retrieve-the-crypto-secrets-remotely-on-installat
https://github.com/WordPress/WordPress/blob/ced6b063a3b7cb7f7b33d9eafb356881ca1ea199/wp-admin/setup-config.php#L282
Since we have `random_bytes()` as of WordPress 4.4 (even on PHP 5.2.x), I
propose something like this:
{{{
try {
    // Character set used for the secret keys and salts.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max = strlen($chars) - 1;
    // Eight keys of 64 characters each, drawn from the CSPRNG.
    for ( $i = 0; $i < 8; $i++ ) {
        $key = '';
        for ( $j = 0; $j < 64; $j++ ) {
            $key .= $chars[random_int(0, $max)];
        }
        $secret_keys[] = $key;
    }
} catch (Exception $ex) {
    // No CSPRNG available: fall back to the API.
    $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
}
}}}
Instead of just using `wp_generate_password(64, true, true)`, this
prioritizes the CSPRNG and falls back to the API approach if it's not
available (since `wp_generate_password()` falls back silently if
random_compat throws an `Exception`).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35290>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
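
The approach proposed in the ticket, as a standalone sketch that is added here and is not part of the original message or of WordPress core: keys come from the local CSPRNG, and a missing CSPRNG is reported to the caller instead of being silently replaced by a weaker generator. The names `generate_local_salts()`, `render_salt_defines()`, `SALT_CHARS` and `SALT_NAMES` are hypothetical, and PHP 7+ (or random_compat) is assumed.

```php
<?php
// Added example; the function and constant names are hypothetical.
// Assumes random_int(): native in PHP 7+, or supplied by random_compat.

// Alphabet from the ticket. It has no single quote or backslash, so a key
// can sit inside a single-quoted PHP string without escaping.
const SALT_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

// The eight constants WordPress expects in wp-config.php.
const SALT_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

// Returns name => key from the local CSPRNG, or null when none is available,
// so the caller (not this function) chooses the fallback.
function generate_local_salts( $length = 64 ) {
    $chars = SALT_CHARS;
    $max   = strlen( $chars ) - 1;
    $salts = array();
    try {
        foreach ( SALT_NAMES as $name ) {
            $key = '';
            for ( $i = 0; $i < $length; $i++ ) {
                // random_int() is uniform over [0, $max]: no modulo bias.
                $key .= $chars[ random_int( 0, $max ) ];
            }
            $salts[ $name ] = $key;
        }
    } catch ( Exception $ex ) {
        return null; // explicit failure instead of a silent weak fallback
    }
    return $salts;
}

// Renders the define() lines in the form used by wp-config.php.
function render_salt_defines( array $salts ) {
    $out = '';
    foreach ( $salts as $name => $key ) {
        $out .= sprintf( "define( '%s', '%s' );\n", $name, $key );
    }
    return $out;
}

$salts = generate_local_salts();
if ( null === $salts ) {
    fwrite( STDERR, "No CSPRNG available; the API fallback would go here.\n" );
    exit( 1 );
}
echo render_salt_defines( $salts );
```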