From cbda43788b27f00b1eac14ee228ad4eb5d4e9a42 Mon Sep 17 00:00:00 2001
From: Dion Hulse <wordpress@dd32.id.au>
Date: Mon, 7 Mar 2016 06:32:29 +0000
Subject: [PATCH] Setup config: Generate the default secret keys & salts from
 the local CSPRNG if available, falling back to the WordPress.org API and a
 backup psuedo random source.

Props diddledan.
Fixes #35290

Built from https://develop.svn.wordpress.org/trunk@36872


git-svn-id: http://core.svn.wordpress.org/trunk@36839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/setup-config.php | 39 ++++++++++++++++++++++++++-------------
 wp-includes/version.php   |  2 +-
 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php
index fd8d32b2a6..befa6937ed 100644
--- a/wp-admin/setup-config.php
+++ b/wp-admin/setup-config.php
@@ -276,21 +276,34 @@ switch($step) {
 	if ( ! empty( $wpdb->error ) )
 		wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
-	// Fetch or generate keys and salts.
-	$no_api = isset( $_POST['noapi'] );
-	if ( ! $no_api ) {
-		$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
-	}
-
-	if ( $no_api || is_wp_error( $secret_keys ) ) {
-		$secret_keys = array();
+	// Generate keys and salts using secure CSPRNG; fallback to API if enabled; further fallback to original wp_generate_password().
+	try {
+		$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
+		$max = strlen($chars) - 1;
 		for ( $i = 0; $i < 8; $i++ ) {
-			$secret_keys[] = wp_generate_password( 64, true, true );
+			$key = '';
+			for ( $j = 0; $j < 64; $j++ ) {
+				$key .= substr( $chars, random_int( 0, $max ), 1 );
+			}
+			$secret_keys[] = $key;
 		}
-	} else {
-		$secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
-		foreach ( $secret_keys as $k => $v ) {
-			$secret_keys[$k] = substr( $v, 28, 64 );
+	} catch ( Exception $ex ) {
+		$no_api = isset( $_POST['noapi'] );
+
+		if ( ! $no_api ) {
+			$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
+		}
+
+		if ( $no_api || is_wp_error( $secret_keys ) ) {
+			$secret_keys = array();
+			for ( $i = 0; $i < 8; $i++ ) {
+				$secret_keys[] = wp_generate_password( 64, true, true );
+			}
+		} else {
+			$secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
+			foreach ( $secret_keys as $k => $v ) {
+				$secret_keys[$k] = substr( $v, 28, 64 );
+			}
 		}
 	}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 8abd2d8477..75376779a5 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.5-beta2-36871';
+$wp_version = '4.5-beta2-36872';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.