Skip to content

Fail closed when CSPRNG is unavailable during nonce generation#877

Open
dknauss wants to merge 2 commits intoWordPress:masterfrom
dknauss:codex/fail-closed-nonce
Open

Fail closed when CSPRNG is unavailable during nonce generation#877
dknauss wants to merge 2 commits intoWordPress:masterfrom
dknauss:codex/fail-closed-nonce

Conversation

@dknauss
Copy link
Copy Markdown

@dknauss dknauss commented Apr 12, 2026
edited
Loading

Summary

This PR replaces the weak fallback in create_login_nonce() with a hard failure.

The existing fallback uses wp_hash() with inputs including $user_id, wp_rand(), and microtime(). That defensive path dates back to the PHP 5.x / random_compat era. On the plugin’s current minimum PHP version (7.2+), random_bytes() should use the OS CSPRNG and should not fail under normal conditions.

If secure randomness is unavailable, failing closed is safer than generating a weaker nonce. Both existing call sites already handle a false return with wp_die().

Change

try {
    $login_nonce['key'] = bin2hex( random_bytes( 32 ) );
} catch ( Exception $ex ) {
-   $login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' );
+   return false;
}

@dknauss @claude
Fail closed when CSPRNG is unavailable during nonce generation
7c38675 
Replace the weak nonce fallback in create_login_nonce() with a
hard failure. The fallback used wp_hash() with predictable inputs
(user_id, wp_rand, microtime) and was defensive code from the
PHP 5.x era. On PHP 7+ (the plugin minimum is 7.2), random_bytes()
uses OS-level CSPRNG sources that do not fail under normal conditions.

If the CSPRNG is broken, generating a weak nonce is worse than
refusing to proceed. Both callers already handle the false return
with wp_die().

Closes WordPress#860

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 12, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: dknauss <dpknauss@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@dknauss dknauss mentioned this pull request Apr 12, 2026
Closed
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens Two_Factor_Core::create_login_nonce() by removing the weak entropy fallback used when random_bytes() fails and instead returning false, ensuring nonce generation fails closed when a CSPRNG is unavailable.

Changes:

  • Replace the wp_hash( $user_id . wp_rand() . microtime(), 'nonce' ) fallback with return false when random_bytes() throws.
  • Preserve existing caller behavior: both in-file call sites already treat a false return as fatal via wp_die().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@georgestephanis georgestephanis Awaiting requested review from georgestephanis

@masteradhoc masteradhoc Awaiting requested review from masteradhoc

Assignees

@dknauss dknauss

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dknauss