From e9dbf32553be3e235a0fc70d38e96ce8246834ae Mon Sep 17 00:00:00 2001
From: Dion Hulse <dd32@git.wordpress.org>
Date: Mon, 7 Mar 2016 06:31:18 +0000
Subject: [PATCH] Setup config: Generate the default secret keys & salts from
 the local CSPRNG if available, falling back to the WordPress.org API and a
 backup psuedo random source.

Props diddledan.
Fixes #35290


git-svn-id: https://develop.svn.wordpress.org/trunk@36872 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/setup-config.php | 39 +++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/src/wp-admin/setup-config.php b/src/wp-admin/setup-config.php
index fd8d32b2a6..befa6937ed 100644
--- a/src/wp-admin/setup-config.php
+++ b/src/wp-admin/setup-config.php
@@ -276,21 +276,34 @@ switch($step) {
 	if ( ! empty( $wpdb->error ) )
 		wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
-	// Fetch or generate keys and salts.
-	$no_api = isset( $_POST['noapi'] );
-	if ( ! $no_api ) {
-		$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
-	}
-
-	if ( $no_api || is_wp_error( $secret_keys ) ) {
-		$secret_keys = array();
+	// Generate keys and salts using secure CSPRNG; fallback to API if enabled; further fallback to original wp_generate_password().
+	try {
+		$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
+		$max = strlen($chars) - 1;
 		for ( $i = 0; $i < 8; $i++ ) {
-			$secret_keys[] = wp_generate_password( 64, true, true );
+			$key = '';
+			for ( $j = 0; $j < 64; $j++ ) {
+				$key .= substr( $chars, random_int( 0, $max ), 1 );
+			}
+			$secret_keys[] = $key;
 		}
-	} else {
-		$secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
-		foreach ( $secret_keys as $k => $v ) {
-			$secret_keys[$k] = substr( $v, 28, 64 );
+	} catch ( Exception $ex ) {
+		$no_api = isset( $_POST['noapi'] );
+
+		if ( ! $no_api ) {
+			$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
+		}
+
+		if ( $no_api || is_wp_error( $secret_keys ) ) {
+			$secret_keys = array();
+			for ( $i = 0; $i < 8; $i++ ) {
+				$secret_keys[] = wp_generate_password( 64, true, true );
+			}
+		} else {
+			$secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
+			foreach ( $secret_keys as $k => $v ) {
+				$secret_keys[$k] = substr( $v, 28, 64 );
+			}
 		}
 	}