Skip to content

Commit 7c38675

Browse files
dknaussclaude
andcommitted
Fail closed when CSPRNG is unavailable during nonce generation
Replace the weak nonce fallback in create_login_nonce() with a hard failure. The fallback used wp_hash() with predictable inputs (user_id, wp_rand, microtime) and was defensive code from the PHP 5.x era. On PHP 7+ (the plugin minimum is 7.2), random_bytes() uses OS-level CSPRNG sources that do not fail under normal conditions. If the CSPRNG is broken, generating a weak nonce is worse than refusing to proceed. Both callers already handle the false return with wp_die(). Closes #860 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 3060a4d commit 7c38675

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

class-two-factor-core.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1208,7 +1208,7 @@ public static function create_login_nonce( $user_id ) {
12081208
try {
12091209
$login_nonce['key'] = bin2hex( random_bytes( 32 ) );
12101210
} catch ( Exception $ex ) {
1211-
$login_nonce['key'] = wp_hash( $user_id . wp_rand() . microtime(), 'nonce' );
1211+
return false;
12121212
}
12131213

12141214
// Store the nonce hashed to avoid leaking it via database access.

0 commit comments

Comments
 (0)