Fix #284 for new installations _only_

Users with existing installations are still required to follow the
advice in security bulletin #284.

This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL
cannot be fully secured in my estimation. . .

install.php

@@ -2,11 +2,51 @@
 
 // Installation/upgrade file	
 define('VERSION', '5.1.4');
-
 require 'inc/functions.php';
-
 loadConfig();
 
+// Salt generators
+class SaltGen {
+	public $salt_length = 128;
+
+	// Best function I could think of for non-SSL PHP 5
+	private function generate_install_salt() {
+		$ret = "";
+
+		// This is bad! But what else can we do sans OpenSSL?
+		for ($i = 0; $i < $this->salt_length; ++$i) {
+			$s = pack("c", mt_rand(0,255));
+			$ret = $ret . $s;
+		}
+
+		return base64_encode($ret);
+	}
+
+	// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
+	private function generate_install_salt_openssl() {
+		$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
+		if (!$strong) {
+			error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
+		}
+		return base64_encode($ret);
+	}
+
+	private function generate_install_salt_php7() {
+		return base64_encode(random_bytes($this->salt_length));
+	}
+
+	// TODO: Perhaps add mcrypt as an option? Maybe overkill.
+	public function generate() {
+		if (extension_loaded('openssl')) {
+			return "OSSL." . $this->generate_install_salt_openssl();
+		} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
+			return "PHP7." . $this->generate_install_salt_php7();
+		} else {
+			return "INSECURE." . $this->generate_install_salt();
+		}
+	}
+}
+
 $step = isset($_GET['step']) ? round($_GET['step']) : 0;
 $page = array(
 	'config' => $config,
@@ -679,6 +719,10 @@ if ($step == 0) {
 		'Imagick' => array(
 			'installed' => extension_loaded('imagick'),
 			'required' => false
+		),
+		'OpenSSL' => array(
+			'installed' => extension_loaded('openssl'),
+			'required' => false
 		)
 	);
 
@@ -704,6 +748,13 @@ if ($step == 0) {
 			'required' => true,
 			'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
 		),
+		array(
+			'category' => 'PHP',
+			'name' => 'OpenSSL extension installed or PHP &ge; 7.0',
+			'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
+			'required' => false,
+			'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised &mdash; see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
+		),
 		array(
 			'category' => 'Database',
 			'name' => 'PDO extension installed',
@@ -862,11 +913,13 @@ if ($step == 0) {
 		'config' => $config,
 	));
 } elseif ($step == 2) {
+
 	// Basic config
 	$page['title'] = 'Configuration';
-	
-	$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
-	$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);	
+
+	$sg = new SaltGen();
+	$config['cookies']['salt'] = $sg->generate();
+	$config['secure_trip_salt'] = $sg->generate();
 	
 	echo Element('page.html', array(
 		'body' => Element('installer/config.html', array(