Use CSPRNG to generate salt instead of API, if possible.

[sarciszewski]

​https://security.stackexchange.com/questions/61676/why-do-wordpress-installations-retrieve-the-crypto-secrets-remotely-on-installat

​https://github.com/WordPress/WordPress/blob/ced6b063a3b7cb7f7b33d9eafb356881ca1ea199/wp-admin/setup-config.php#L282

Since we have random_bytes() as of WordPress 4.4 (even on PHP 5.2.x), I propose something like this:

try {
	$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
	$maxl = strlen($chars) - 1;
	for ( $i = 0; $i < 8; $i++ ) {
		$key = '';
		for ( $j = 0; $j < 64; $j++ ) {
			$key .= $chars[random_int(0, $max)];
		}
		$secret_keys[] = $key;
	}
} catch (Exception $ex) {
	$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
}

Instead of just using wp_generate_password(64, true true), this prioritizes the CSPRNG and falls back to the API approach if it's not available (since wp_generate_password() falls back silently if random_compat throws an Exception).

[jorbin]

This seems like a good extension of the random_bytes work done in 4.4

[diddledani]

Attempt at using CSPRNG falling back to API (if enabled) and further falling back to original wp_generate_password()

[diddledani]

I believe this patch should do the job :-)

[sarciszewski]

LGTM :)

[dd32]

@diddledan Thanks for the patch! A few things though

• There's a typo, $maxl instead of $max
• In general we avoid array-syntax access to arrays in favour of substr()

[diddledani]

second patch, replacing previous, following @dd32's suggested improvements

[jorbin]

This looks good. @dd32 want to get this in?

[dd32]

In 36872:

Setup config: Generate the default secret keys & salts from the local CSPRNG if available, falling back to the WordPress.org API and a backup psuedo random source.

Props diddledan.
Fixes #35290