Setup config: Generate the default secret keys & salts from the local CSPRNG if available, falling back to the WordPress.org API and a backup psuedo random source.

Props diddledan.
Fixes #35290


git-svn-id: https://develop.svn.wordpress.org/trunk@36872 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-admin/setup-config.php

@@ -276,8 +276,20 @@ switch($step) {
 	if ( ! empty( $wpdb->error ) )
 		wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
-	// Fetch or generate keys and salts.
+	// Generate keys and salts using secure CSPRNG; fallback to API if enabled; further fallback to original wp_generate_password().
+	try {
+		$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
+		$max = strlen($chars) - 1;
+		for ( $i = 0; $i < 8; $i++ ) {
+			$key = '';
+			for ( $j = 0; $j < 64; $j++ ) {
+				$key .= substr( $chars, random_int( 0, $max ), 1 );
+			}
+			$secret_keys[] = $key;
+		}
+	} catch ( Exception $ex ) {
 		$no_api = isset( $_POST['noapi'] );
+
 		if ( ! $no_api ) {
 			$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
 		}
@@ -293,6 +305,7 @@ switch($step) {
 				$secret_keys[$k] = substr( $v, 28, 64 );
 			}
 		}
+	}
 
 	$key = 0;
 	// Not a PHP5-style by-reference foreach, as this file must be parseable by PHP4.