WordPress.org

Make WordPress Core

Opened 6 weeks ago

Last modified 6 weeks ago

#44032 new enhancement

Use random_bytes() for generating keys and salts

Reported by: alicewondermiscreations Owned by:
Milestone: Awaiting Review Priority: normal
Severity: trivial Version:
Component: Upgrade/Install Keywords: has-patch
Focuses: Cc:

Description

While auditing WordPress for remote queries the servers make, I noticed the generation of salts in wp-admin.php is wasteful with an unnecessary loop inside a loop. If the system php supports random_int it also supports random_bytes.

Attached patch generates 64 byte (512 bit) salts without needed the 64 round loop inside the 8 round loop loop.

Attachments (1)

setup-config.php.diff (739 bytes) - added by alicewondermiscreations 6 weeks ago.
change to setup-config

Download all attachments as: .zip

Change History (3)

@alicewondermiscreations
6 weeks ago

change to setup-config

#1 @alicewondermiscreations
6 weeks ago

Adding a couple notes -

A) This makes it much easier to see how much entropy is in the generation of the salt as you do not need to calculate the size if the dictionary.

B) This makes it much easier to adjust how much entropy is in the generation of the salt if needed to meet some guidelines (e.g. if NIST or someone were to publish guidelines saying salts needed 384 bits of entropy or something like that to comply with a certain standard)

There already are strong suggestions that a nonce used as CSRF token have 128 bits of entropy for example, so it wouldn't surprise me is salts soon had similar guidelines too.

#2 @ocean90
6 weeks ago

  • Keywords has-patch added
  • Summary changed from Minor enhancement to Use random_bytes() for generating keys and salts
Note: See TracTickets for help on using tickets.