From 859d7fad79568614f1200e76e35a9898cffbe775 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Thu, 27 Jun 2019 10:49:59 +0200 Subject: [PATCH 01/12] Update fr.json --- lemonldap-ng-manager/site/htdocs/static/languages/fr.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json index 98ffd7238..dc8cfbc7b 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json @@ -298,7 +298,7 @@ "hideTree":"Masquer l'arbre", "httpOnly":"Protection contre javascript", "https":"HTTPS", -"impersonation":"Usurpation d'identité", +"impersonation":"Simulation d'identité", "impersonationRule":"Règle d'utilisation", "impersonationIdRule":"Règle d'utilisation des identités", "impersonationHiddenAttributes":"Attributs masqués", From e1f927a195e5cfd3e34fb9f8f283373b902c4cc5 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Thu, 27 Jun 2019 12:36:18 +0200 Subject: [PATCH 02/12] Check service= parameter on CAS logout (#1795) service= redirect URL is not checked when logging out from CAS, to avoid insecure redirect attacks. The verification is only made if CAS access control is enabled. In order for this to work in common cases (applications redirects to an unprotected page after logout), we add CAS App domains to the list of globally trusted domains. If your application wants to redirect to a third-party domain, it needs to be added to LLNG's trustedDomains --- .../lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 14 ++++++++++ .../lib/Lemonldap/NG/Portal/Main/Init.pm | 14 ++++++++++ .../t/31-Auth-and-issuer-CAS-Logout-30.t | 26 ++++++++++++++++--- 3 files changed, 51 insertions(+), 3 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 7b9ff1231..45af0ba2d 100644 
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -10,6 +10,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_ERROR PE_LOGOUT_OK PE_OK + PE_BADURL PE_SENDRESPONSE ); @@ -265,6 +266,19 @@ sub run { $logout_service = '' if ( $self->p->checkXSSAttack( 'service', $logout_service ) ); + # If we use access control, check that the service URL is trusted + if ( $self->conf->{casAccessControlPolicy} =~ /^(error|faketicket)$/i ) + { + if ( $logout_service + and not $self->p->isTrustedUrl($logout_service) ) + { + $self->userLogger->error( + "Untrusted service URL $logout_service" + . "specified for CAS Logout" ); + return PE_BADURL; + } + } + # Delete linked CAS sessions $self->deleteCasSecondarySessions($session_id); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm index dbfaf673d..7cada12cc 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm @@ -312,8 +312,22 @@ sub reloadConf { } } } + + # Add CAS Services, so we can check service= parameter on logout + foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { + if ( my $serviceUrl = + $self->conf->{casAppMetaDataOptions}->{$casSrv} + ->{casAppMetaDataOptionsService} ) + { + $serviceUrl =~ s#https?://([^/]*).*$#$1#; + $self->logger->debug( + "CAS Service $serviceUrl added in trusted domains"); + $re->add( quotemeta($serviceUrl) ); + } + } my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; $self->trustedDomainsRe(qr/$tmp/); + } # Compile macros in _macros, groups in _groups diff --git a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t index d647cf252..3bece21d1 100644 --- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t +++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t 
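Review bot: The error message in `run` is assembled as `"Untrusted service URL $logout_service" . "specified for CAS Logout"`, which glues the URL onto "specified" with no separator; put the space in, `"Untrusted service URL $logout_service " . "specified for CAS Logout"`. The `return PE_BADURL` also fires before `deleteCasSecondarySessions` and, presumably, before the local logout further down in `run` (its body continues outside the hunk), so a bad `service=` parameter cancels the logout instead of only dropping the redirect. If that is not intended, clearing `$logout_service` and carrying on, as the `checkXSSAttack` branch just above already does, keeps the session termination while still refusing the untrusted redirect.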
@@ -152,7 +152,7 @@ ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' ) or explain( $res, 'cn => Frédéric Accents' ); count(3); -# Logout initiated by CAS +# Logout initiated by CAS, try with invalid service URL first switch ('issuer'); ok( $res = $issuer->_get( @@ -164,7 +164,22 @@ ok( 'Query SP for logout' ); count(1); -expectRedirection( $res, 'http://url.test/' ); +ok( $res->[2]->[0] =~ m%%, ' PE37 found' ); +count(1); + +# Logout initiated by CAS, try with valid service URL +ok( + $res = $issuer->_get( + '/cas/logout', + query => 'service=http://auth.sp.com/', + cookie => "lemonldap=$idpId,llngcasserver=idp", + accept => 'text/html' + ), + 'Query SP for logout' +); +count(1); + +expectRedirection( $res, 'http://auth.sp.com/' ); # Verify that user has been disconnected ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ), 'Query IdP' ); @@ -192,8 +207,13 @@ sub issuer { issuerDBCASActivation => 1, casAttr => 'uid', casAttributes => { cn => 'cn', uid => 'uid', }, - casAccessControlPolicy => 'none', + casAccessControlPolicy => 'error', multiValuesSeparator => ';', + casAppMetaDataOptions => { + sp => { + casAppMetaDataOptionsService => 'http://auth.sp.com', + }, + }, } } ); From 8f834f5bb8c8fcb7bd3fe83f284631b12516c2f5 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Thu, 27 Jun 2019 13:27:05 +0200 Subject: [PATCH 03/12] Append use directive (#1824) --- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 1 + lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm | 1 + 2 files changed, 2 insertions(+) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index aaa0e4da4..fd4a1efe0 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm 
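Review bot: `ok( $res->[2]->[0] =~ m%%, ' PE37 found' )` has an empty pattern, and in Perl an empty pattern re-uses the last successfully matched regexp, so this assertion checks nothing about the response body and passes as long as some earlier match in the test succeeded. Match what the description promises, `ok( $res->[2]->[0] =~ m%PE37%, ' PE37 found' )`, or better assert on the body the portal emits for PE_BADURL so that the check does not depend on the numeric code.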
@@ -2,6 +2,7 @@ package Lemonldap::NG::Manager::Attributes; our $VERSION = '2.0.5'; +use Lemonldap::NG::Handler::Main::Jail; sub perlExpr { my ( $val, $conf ) = @_; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm index 427e157e0..80e01a12b 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm @@ -380,6 +380,7 @@ EOF package Lemonldap::NG::Manager::Attributes; our \$VERSION = '$Lemonldap::NG::Manager::Build::Attributes::VERSION'; +use Lemonldap::NG::Handler::Main::Jail; $managerSub From 264410409d39eb2e758befa6f01c67b5a975548b Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 16:55:12 +0200 Subject: [PATCH 04/12] Move CAS service verification from main to Issuer::CAS (#1795) --- .../lib/Lemonldap/NG/Portal/Issuer/CAS.pm | 12 ++ .../lib/Lemonldap/NG/Portal/Main/Init.pm | 115 ++++++++---------- 2 files changed, 66 insertions(+), 61 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm index 45af0ba2d..b6ea7cfa8 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm @@ -56,6 +56,18 @@ sub init { }, ['GET'] ); + + # Add CAS Services, so we can check service= parameter on logout + foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { + if ( my $serviceUrl = + $self->conf->{casAppMetaDataOptions}->{$casSrv} + ->{casAppMetaDataOptionsService} ) + { + push @{ $self->p->{additionalTrustedDomains} }, $serviceUrl; + $self->logger->debug( + "CAS Service $serviceUrl added in trusted domains"); + } + } return $res; } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm index 7cada12cc..2c5f65314 100644 
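Review bot: `init` pushes onto `$self->p->{additionalTrustedDomains}` on every call and nothing in the reloadConf hunks of this series empties the list, so if plugins are re-initialised on each configuration reload the list keeps growing and a CAS application removed from the configuration stays in the trusted-domain regexp until the process restarts; reset it at the start of reloadConf, before plugins load, with `$self->additionalTrustedDomains([]);`, unless that already happens somewhere not shown here. The push also bypasses the `additionalTrustedDomains` accessor declared for it in Init.pm; `push @{ $self->p->additionalTrustedDomains }, $serviceUrl;` keeps the Mouse attribute as the single access path.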
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm @@ -39,6 +39,7 @@ has _jsRedirect => ( is => 'rw' ); # TrustedDomain regexp has trustedDomainsRe => ( is => 'rw' ); +has additionalTrustedDomains => ( is => 'rw', default => sub { [] } ); # Lists to store plugins entry-points my @entryPoints; 
@@ -269,67 +270,6 @@ sub reloadConf { unless $self->{_sfEngine} = $self->loadPlugin( $self->conf->{'sfEngine'} ); - # Initialize trusted domain regexp - if ( $self->conf->{trustedDomains} - and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ ) - { - $self->trustedDomainsRe(qr#^https?://#); - } - else { - my $re = Regexp::Assemble->new(); - if ( my $td = $self->conf->{trustedDomains} ) { - $td =~ s/^\s*(.*?)\s*/$1/; - foreach ( split( /\s+/, $td ) ) { - next unless ($td); - s#^\.#([^/]+\.)?#; - $self->logger->debug("Domain $_ added in trusted domains"); - s/\./\\./g; - - # This regexp is valid for the followings hosts: - # - $td - # - $domainlabel.$td - # $domainlabel is build looking RFC2396 - # (see Regexp::Common::URI::RFC2396) - $_ =~ - s/\*\\\./(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9]\\.)*/g; - $re->add("$_"); - } - } - my $p = $self->conf->{portal}; - $p =~ s#https?://([^/]*).*$#$1#; - $re->add( quotemeta($p) ); - foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) { - $self->logger->debug("Vhost $vhost added in trusted domains"); - $re->add( quotemeta($vhost) ); - $self->conf->{vhostOptions} ||= {}; - if ( my $tmp = - $self->conf->{vhostOptions}->{$vhost}->{vhostAliases} ) - { - foreach my $alias ( split /\s+/, $tmp ) { - $self->logger->debug( - "Alias $alias added in trusted domains"); - $re->add( quotemeta($alias) ); - } - } - } - - # Add CAS Services, so we can check service= parameter on logout - foreach my $casSrv ( keys %{ $self->conf->{casAppMetaDataOptions} } ) { - if ( my $serviceUrl = - $self->conf->{casAppMetaDataOptions}->{$casSrv} - ->{casAppMetaDataOptionsService} ) - { - $serviceUrl =~ s#https?://([^/]*).*$#$1#; - $self->logger->debug( - "CAS Service $serviceUrl added in trusted domains"); - $re->add( quotemeta($serviceUrl) ); - } - } - my $tmp = 'https?://' . $re->as_string . 
'(?::\d+)?(?:/|$)'; - $self->trustedDomainsRe(qr/$tmp/); - - } - # Compile macros in _macros, groups in _groups foreach my $type (qw(macros groups)) { $self->{"_$type"} = {}; @@ -358,6 +298,59 @@ sub reloadConf { $self->loadPlugin($plugin) or return $self->fail; } + # Initialize trusted domain regexp + if ( $self->conf->{trustedDomains} + and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ ) + { + $self->trustedDomainsRe(qr#^https?://#); + } + else { + my $re = Regexp::Assemble->new(); + if ( my $td = $self->conf->{trustedDomains} ) { + $td =~ s/^\s*(.*?)\s*/$1/; + foreach ( split( /\s+/, $td ) ) { + next unless ($td); + s#^\.#([^/]+\.)?#; + $self->logger->debug("Domain $_ added in trusted domains"); + s/\./\\./g; + + # This regexp is valid for the followings hosts: + # - $td + # - $domainlabel.$td + # $domainlabel is build looking RFC2396 + # (see Regexp::Common::URI::RFC2396) + $_ =~ + s/\*\\\./(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9]\\.)*/g; + $re->add("$_"); + } + } + foreach ( @{ $self->{additionalTrustedDomains} }, + $self->conf->{portal} ) + { + my $p = $_; + $p =~ s#https?://([^/]*).*$#$1#; + $re->add( quotemeta($p) ); + } + foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) { + $self->logger->debug("Vhost $vhost added in trusted domains"); + $re->add( quotemeta($vhost) ); + $self->conf->{vhostOptions} ||= {}; + if ( my $tmp = + $self->conf->{vhostOptions}->{$vhost}->{vhostAliases} ) + { + foreach my $alias ( split /\s+/, $tmp ) { + $self->logger->debug( + "Alias $alias added in trusted domains"); + $re->add( quotemeta($alias) ); + } + } + } + + my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; + $self->trustedDomainsRe(qr/$tmp/); + + } + # Clean $req->pdata after authentication push @{ $self->endAuth }, sub { unless ( $_[0]->pdata->{keepPdata} ) { From 4b48f955076c9170b012616f26993062844a250d Mon Sep 17 00:00:00 2001 
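Review bot: The non-wildcard branch builds `'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'` with no start anchor, while the wildcard branch just above it uses `qr#^https?://#`; unless `isTrustedUrl` anchors the match itself (not visible here), a trusted host name appearing later in an otherwise untrusted URL, for instance inside a query string, would satisfy the pattern, which matters now that the CAS logout `service=` check relies on it. Making the two branches consistent is a one-character change: `my $tmp = '^https?://' . $re->as_string . '(?::\d+)?(?:/|$)';`. Separately, `next unless ($td)` inside the `foreach` tests the whole list rather than the current element; it should be `next unless ($_);`, or the loop should use a named variable instead of `$_`. reloadConf continues outside the hunk.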
From: Xavier Guimard Date: Thu, 27 Jun 2019 17:08:21 +0200 Subject: [PATCH 05/12] Move missing deps in the good place (#1824) --- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 1 - lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm | 1 - lemonldap-ng-manager/scripts/lmConfigEditor | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index fd4a1efe0..aaa0e4da4 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -2,7 +2,6 @@ package Lemonldap::NG::Manager::Attributes; our $VERSION = '2.0.5'; -use Lemonldap::NG::Handler::Main::Jail; sub perlExpr { my ( $val, $conf ) = @_; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm index 80e01a12b..427e157e0 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build.pm @@ -380,7 +380,6 @@ EOF package Lemonldap::NG::Manager::Attributes; our \$VERSION = '$Lemonldap::NG::Manager::Build::Attributes::VERSION'; -use Lemonldap::NG::Handler::Main::Jail; $managerSub diff --git a/lemonldap-ng-manager/scripts/lmConfigEditor b/lemonldap-ng-manager/scripts/lmConfigEditor index 1d2ab7968..a1ac31089 100644 --- a/lemonldap-ng-manager/scripts/lmConfigEditor +++ b/lemonldap-ng-manager/scripts/lmConfigEditor @@ -3,6 +3,7 @@ use Lemonldap::NG::Common::Conf; use Lemonldap::NG::Common::Conf::Constants; use Lemonldap::NG::Manager::Conf::Parser; +use Lemonldap::NG::Handler::Main::Jail; use Data::Dumper; use English qw(-no_match_vars); use File::Temp; From e53129568a695d4a19807423cb840cf2465b68f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Thu, 27 Jun 2019 17:29:56 +0200 Subject: [PATCH 06/12] Set some default values for lemonldap-ng-cli info (#1827) --- lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm index 82a657feb..34f5355f4 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm @@ -4,7 +4,7 @@ use strict; use Mouse; use Lemonldap::NG::Common::Conf; -our $VERSION = '2.0.0'; +our $VERSION = '2.0.5'; has confAccess => ( is => 'rw', @@ -31,6 +31,9 @@ sub info { my $conf = $self->confAccess->getConf( { cfgNum => $self->cfgNum, raw => 1 } ) or die $Lemonldap::NG::Common::Conf::msg; + $conf->{cfgAuthorIP} ||= "No IP provided"; + $conf->{cfgDate} ||= 0; + $conf->{cfgLog} ||= "No log provided"; print qq{ Num : $conf->{cfgNum} Author : $conf->{cfgAuthor} From e23611b73b1408ade2f7587c1d7f25e0d9104360 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 17:40:50 +0200 Subject: [PATCH 07/12] Avoid failure with future Perl (warnings reserved) --- fastcgi-server/man/llng-fastcgi-server.1p | 2 +- lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm | 2 +- .../lib/Lemonldap/NG/Manager/Build/Attributes.pm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fastcgi-server/man/llng-fastcgi-server.1p b/fastcgi-server/man/llng-fastcgi-server.1p index dea827ce1..960a19d0e 100644 --- a/fastcgi-server/man/llng-fastcgi-server.1p +++ b/fastcgi-server/man/llng-fastcgi-server.1p 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "llng-fastcgi-server 1" -.TH llng-fastcgi-server 1 "2019-06-13" "perl v5.28.1" "User Contributed Perl Documentation" +.TH llng-fastcgi-server 1 "2019-06-27" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index aaa0e4da4..14c3851fb 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -11,7 +11,7 @@ sub perlExpr { [ '&encrypt', '&token' ] ); $cpt->share_from( 'Lemonldap::NG::Common::Safelib', $Lemonldap::NG::Common::Safelib::functions ); - $cpt->reval("BEGIN { warnings->unimport; } $val"); + $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', grep( { $_ =~ /Undefined subroutine/ ? () : $_; } split( /\n/, $@, 0 ) ) diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm index 3a5faa6f2..6430a3306 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm @@ -18,7 +18,7 @@ sub perlExpr { [ '&encrypt', '&token' ] ); $cpt->share_from( 'Lemonldap::NG::Common::Safelib', $Lemonldap::NG::Common::Safelib::functions ); - $cpt->reval("BEGIN { warnings->unimport; } $val"); + $cpt->reval("BEGIN { 'warnings'->unimport; } $val"); my $err = join( '', grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) ); return $err ? ( 1, "__badExpression__: $err" ) : (1); From 0b1643c29456a364891b6cee5d2637e233a1f2aa Mon Sep 17 00:00:00 2001 
From: Xavier Guimard Date: Thu, 27 Jun 2019 18:39:01 +0200 Subject: [PATCH 08/12] Add an initialization vector in crypt methods --- .../lib/Lemonldap/NG/Common/Crypto.pm | 30 +++++++++++++++---- lemonldap-ng-common/t/35-Common-Crypto.t | 6 ++-- 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm index 9d6c4b443..e21ad0977 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm @@ -15,6 +15,17 @@ use Digest::MD5 qw(md5); use bytes; our $VERSION = '2.0.0'; +my $newIv; + +BEGIN { + eval { require Crypt::URandom; Crypt::URandom::urandom(16) }; + if ($@) { + $newIv = sub { return md5( rand() . time . {} ) }; + } + else { + $newIv = sub { return Crypt::URandom::urandom(16) }; + } +} our $msg; @@ -41,11 +52,11 @@ sub new { # @param key that secondary key # @return Crypt::Rijndael object sub _getCipher { - my ( $self, $key ) = @_; + my ( $self, $key, $iv ) = @_; $key ||= ""; - $self->{ciphers}->{$key} ||= + my $cipher = Crypt::Rijndael->new( md5( $self->{key}, $key ), $self->{mode} ); - return $self->{ciphers}->{$key}; + return $cipher; } ## @method string encrypt(string data) @@ -59,7 +70,12 @@ sub encrypt { my $l = bytes::length($data) % 16; $data .= "\0" x ( 16 - $l ) unless ( $l == 0 ); - eval { $data = encode_base64( $self->_getCipher->encrypt($data), '' ); }; + my $iv = $newIv->(); + eval { + $data = + encode_base64( $iv . $self->_getCipher->set_iv($iv)->encrypt($data), + '' ); + }; if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; 
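Review bot: When `require Crypt::URandom` fails, the `BEGIN` block silently falls back to `md5( rand() . time . {} )` for CBC IVs; perl's `rand()` is not a cryptographic generator and `time` plus a heap address add little, so the IV loses the unpredictability CBC relies on and the operator gets no signal that the installation runs in that mode. Add at least a one-time `warn "Crypt::URandom not available, using rand() for IVs";` in the `if ($@)` branch, or make Crypt::URandom a hard requirement, since the Makefile.PL hunk in patch 12 appears to list it only among the recommended modules.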
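Review bot: `_getCipher`'s new signature `my ( $self, $key, $iv ) = @_;` declares `$iv` but never uses it — every caller applies `->set_iv($iv)` on the returned object itself — so either drop the parameter or move the `set_iv` call into `_getCipher` so callers cannot forget it. Dropping the `$self->{ciphers}` cache also means a fresh `Crypt::Rijndael` object and an MD5 per call, which is fine for correctness, but the header comment (`# @return Crypt::Rijndael object`) should say the object is no longer shared between calls.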
@@ -81,7 +97,11 @@ sub decrypt { $data =~ s/%2F/\//ig; $data =~ s/%3D/=/ig; $data =~ s/%0A/\n/ig; - eval { $data = $self->_getCipher->decrypt( decode_base64($data) ); }; + $data = decode_base64($data); + my $iv; + $iv = bytes::substr( $data, 0, 16 ); + $data = bytes::substr( $data, 16 ); + eval { $data = $self->_getCipher->set_iv($iv)->decrypt($data); }; if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; diff --git a/lemonldap-ng-common/t/35-Common-Crypto.t b/lemonldap-ng-common/t/35-Common-Crypto.t index f926a55b7..d0edd23dc 100644 --- a/lemonldap-ng-common/t/35-Common-Crypto.t +++ b/lemonldap-ng-common/t/35-Common-Crypto.t @@ -30,7 +30,7 @@ foreach my $i ( 1 .. 17 ) { my $s = ''; $s = join( '', map { chr( int( rand(94) ) + 33 ) } ( 1 .. $i ) ); ok( $c->decrypt( $c->encrypt($s) ) eq $s, - "Test of base64 encrypting with $i characters string" ); + "Test of base64 encrypting with $i characters string" ) or diag "Source: $s\nCypher: ".$c->encrypt($s)."\nUncipher:".$c->decrypt( $c->encrypt($s)); } my $data = md5_hex(rand); @@ -42,6 +42,4 @@ ok( # Test a long value, and replace carriage return by %0A my $long = "f5a1f72e7ab2f7712855a068af0066f36bfcf2c87e6feb9cf4200da1868e1dfe"; -my $cryptedlong = -"Da6sYxp9NCXv8+8TirqHmPWwTQHyEGmkCBGCLCX/81dPSMwIQVQNV7X9KG3RrKZfyRmzJR6DZYdU%0Ab75+VH3+CA=="; -ok( $c->decrypt($cryptedlong) eq $long, "Test of long value encrypting" ); +ok( $c->decrypt($c->encrypt($long)) eq $long, "Test of long value encrypting" ); From 9d5d1f6cd56d86b91494e24fef76e052cfd0231a Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 19:10:51 +0200 Subject: [PATCH 09/12] Don't use Crypt::URandom inside jail: this import file access libraries --- lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm | 5 +++-- lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) 
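Review bot: `decrypt` slices the IV with `bytes::substr( $data, 0, 16 )` without checking that the base64-decoded payload is long enough; for a truncated or garbage token `$iv` is short and `$data` empty, and the failure is only caught when `set_iv` croaks inside the eval, surfacing as a misleading "Crypt::Rijndael error". A guard before the split, `if ( bytes::length($data) < 32 ) { $msg = 'Data too short'; return undef; }` (IV plus one block), makes the rejection explicit; the decrypt path of `_cryptHex` in patch 10 needs the same check.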
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm index e21ad0977..9bae6841c 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm @@ -64,13 +64,13 @@ sub _getCipher { # @param data data to encrypt # @return encrypted data in Base64 format sub encrypt { - my ( $self, $data ) = @_; + my ( $self, $data, $low ) = @_; # pad $data so that its length be multiple of 16 bytes my $l = bytes::length($data) % 16; $data .= "\0" x ( 16 - $l ) unless ( $l == 0 ); - my $iv = $newIv->(); + my $iv = $low ? md5( rand() . time . {} ) : $newIv->(); eval { $data = encode_base64( $iv . $self->_getCipher->set_iv($iv)->encrypt($data), @@ -102,6 +102,7 @@ sub decrypt { $iv = bytes::substr( $data, 0, 16 ); $data = bytes::substr( $data, 16 ); eval { $data = $self->_getCipher->set_iv($iv)->decrypt($data); }; + if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm index 02b1dcb1a..d48bf74bf 100644 --- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm +++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Jail.pm @@ -103,7 +103,7 @@ sub build_jail { # Import crypto methods for jail sub encrypt { - return &Lemonldap::NG::Handler::Main::tsv->{cipher}->encrypt(@_); + return &Lemonldap::NG::Handler::Main::tsv->{cipher}->encrypt( $_[0], 1 ); } sub token { From cc8c5e057e1782e470a7466cae76c81a2825cd92 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Thu, 27 Jun 2019 19:36:01 +0200 Subject: [PATCH 10/12] Use IV for *cryptHex methods --- .../lib/Lemonldap/NG/Common/Crypto.pm | 13 ++++++++++++- lemonldap-ng-common/t/35-Common-Crypto.t | 15 ++++++++++++--- .../t/59-Double-cookies-for-a-Single-session.t | 8 ++++---- 3 files changed, 28 insertions(+), 8 deletions(-) 
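Review bot: The `## @method` header above `encrypt` still documents only `data` (`# @param data data to encrypt`) although the signature now takes a third `$low` flag that selects the weaker `md5( rand() . time . {} )` IV; add `# @param low if true, derive the IV from rand() instead of Crypt::URandom (used from the Safe jail)` so the trade-off is visible where Jail.pm passes `1`. Since the Crypt::URandom closure is already built at `BEGIN` time in this module, it may be the compartment's opcode mask rather than the module load that blocks it; if so, drawing the IV outside the compartment would keep jail callers on the strong generator.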
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm index 9bae6841c..179c92036 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm @@ -162,12 +162,23 @@ sub _cryptHex { "Lemonldap::NG::Common::Crypto::${sub}Hex error : data length must be multiple of 32"; return undef; } + my $iv; + if($sub eq 'encrypt') { + $iv = $newIv->(); + } $data = pack "H*", $data; - eval { $data = $self->_getCipher($key)->$sub($data); }; + if($sub eq 'decrypt') { + $iv = bytes::substr($data,0,16); + $data = bytes::substr($data,16); + } + eval { $data = $self->_getCipher($key)->set_iv($iv)->$sub($data); }; if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; } + if($sub eq 'encrypt') { + $data = $iv.$data; + } $msg = ""; $data = unpack "H*", $data; return $data; diff --git a/lemonldap-ng-common/t/35-Common-Crypto.t b/lemonldap-ng-common/t/35-Common-Crypto.t index d0edd23dc..3d682d7f6 100644 --- a/lemonldap-ng-common/t/35-Common-Crypto.t +++ b/lemonldap-ng-common/t/35-Common-Crypto.t @@ -5,7 +5,7 @@ # change 'tests => 1' to 'tests => last_test_to_print'; -use Test::More tests => 21; +use Test::More tests => 22; use Digest::MD5 qw(md5 md5_hex md5_base64); use strict; @@ -30,7 +30,11 @@ foreach my $i ( 1 .. 17 ) { my $s = ''; $s = join( '', map { chr( int( rand(94) ) + 33 ) } ( 1 .. $i ) ); ok( $c->decrypt( $c->encrypt($s) ) eq $s, - "Test of base64 encrypting with $i characters string" ) or diag "Source: $s\nCypher: ".$c->encrypt($s)."\nUncipher:".$c->decrypt( $c->encrypt($s)); + "Test of base64 encrypting with $i characters string" ) + or diag "Source: $s\nCypher: " + . $c->encrypt($s) + . "\nUncipher:" + . $c->decrypt( $c->encrypt($s) ); } my $data = md5_hex(rand); 
@@ -42,4 +46,9 @@ ok( # Test a long value, and replace carriage return by %0A my $long = "f5a1f72e7ab2f7712855a068af0066f36bfcf2c87e6feb9cf4200da1868e1dfe"; -ok( $c->decrypt($c->encrypt($long)) eq $long, "Test of long value encrypting" ); +ok( $c->decrypt( $c->encrypt($long) ) eq $long, + "Test of long value encrypting" ); +ok( + $c->decryptHex( $c->encryptHex($long) ) eq $long, + "Test of long value encrypting (hex)" +); diff --git a/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t b/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t index 25de134f1..8d6d81def 100644 --- a/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t +++ b/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t @@ -44,8 +44,8 @@ my $id1 = expectCookie($res); my $id2 = expectCookie( $res, 'lemonldaphttp' ); # Check lemonldap Cookie -ok( $id1 =~ /^\w{64}$/, " -> Get cookie : lemonldap=something" ) - or explain( $res->[1], "Set-Cookie: lemonldap=$id1" ); +ok( $id1 =~ /^\w{64}$/, " -> https cookie is 64 char long" ) + or explain( $id1, '64-char string' ); ok( ${ $res->[1] }[3] =~ /HttpOnly=1/, " -> Cookie 'lemonldap' is HttpOnly" ) or explain( $res->[1] ); ok( ${ $res->[1] }[3] =~ /secure/, " -> Cookie 'lemonldap' is secure" ) @@ -53,8 +53,8 @@ ok( ${ $res->[1] }[3] =~ /secure/, " -> Cookie 'lemonldap' is secure" ) count(3); # Check lemonldaphttp Cookie -ok( $id2 =~ /^\w{64}$/, " -> Get cookie lemonldaphttp=something" ) - or explain( $res->[1], "Set-Cookie: lemonldaphttp=$id2" ); +ok( length($id2) % 32 == 0, " -> http cookie is 96 byte long" ) + or explain( $id2, '\w x 32 string' ); ok( ${ $res->[1] }[5] =~ /HttpOnly=1/, " -> Cookie 'lemonldaphttp' is HttpOnly" From b1f12b72e5bdb58f4de2522607e3612c1742a536 Mon Sep 17 00:00:00 2001 From: Xavier Date: Thu, 27 Jun 2019 20:48:01 +0200 Subject: [PATCH 11/12] Add MAC verification to crypto --- .../lib/Lemonldap/NG/Common/Crypto.pm | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) 
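Review bot: The rewritten assertion `ok( length($id2) % 32 == 0, " -> http cookie is 96 byte long" )` checks a weaker property than its description claims: any multiple of 32 passes, including 0 for an empty cookie. With a 64-character id packed to 32 bytes and encrypted as IV plus two blocks, the hex output should be exactly 96 characters, so pin it, `ok( length($id2) == 96, " -> http cookie is 96 char long" )`, and fix the unit in the message.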
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm index 179c92036..70af44638 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm @@ -71,10 +71,11 @@ sub encrypt { $data .= "\0" x ( 16 - $l ) unless ( $l == 0 ); my $iv = $low ? md5( rand() . time . {} ) : $newIv->(); + my $hmac = md5($data); eval { $data = - encode_base64( $iv . $self->_getCipher->set_iv($iv)->encrypt($data), - '' ); + encode_base64( + $iv . $hmac . $self->_getCipher->set_iv($iv)->encrypt($data), '' ); }; if ($@) { $msg = "Crypt::Rijndael error : $@"; @@ -100,13 +101,18 @@ sub decrypt { $data = decode_base64($data); my $iv; $iv = bytes::substr( $data, 0, 16 ); - $data = bytes::substr( $data, 16 ); + my $hmac = bytes::substr( $data, 16, 16 ); + $data = bytes::substr( $data, 32 ); eval { $data = $self->_getCipher->set_iv($iv)->decrypt($data); }; if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; } + if ( md5($data) ne $hmac ) { + $msg = "Bad MAC"; + return undef; + } else { $msg = ''; @@ -163,21 +169,21 @@ sub _cryptHex { return undef; } my $iv; - if($sub eq 'encrypt') { + if ( $sub eq 'encrypt' ) { $iv = $newIv->(); } $data = pack "H*", $data; - if($sub eq 'decrypt') { - $iv = bytes::substr($data,0,16); - $data = bytes::substr($data,16); + if ( $sub eq 'decrypt' ) { + $iv = bytes::substr( $data, 0, 16 ); + $data = bytes::substr( $data, 16 ); } eval { $data = $self->_getCipher($key)->set_iv($iv)->$sub($data); }; if ($@) { $msg = "Crypt::Rijndael error : $@"; return undef; } - if($sub eq 'encrypt') { - $data = $iv.$data; + if ( $sub eq 'encrypt' ) { + $data = $iv . $data; } $msg = ""; $data = unpack "H*", $data; From 2fcaf52bcfee90368b7367ca156ff0b8d06eb5ff Mon Sep 17 00:00:00 2001 
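Review bot: The tag added in `encrypt` is `md5($data)`, an unkeyed digest of the padded plaintext stored in the clear between the IV and the ciphertext, so it is not a MAC: a digest that depends only on the plaintext and no key can be recomputed by anyone who knows or guesses the plaintext, and storing it in the clear lets a holder of the token confirm such a guess, so it gives neither integrity nor confidentiality. `decrypt`'s `md5($data) ne $hmac` inherits the same problem (and `ne` is not constant-time), while `_cryptHex` gets no tag at all. Use encrypt-then-MAC with a keyed digest over IV and ciphertext — `Digest::SHA`'s `hmac_sha256` is in core, `use Digest::SHA qw(hmac_sha256);` — verify it with a constant-time comparison before decrypting, and rename `$hmac` to `$tag` until it is one; the decrypt side then splits the payload at 16 and 48 bytes instead of 16 and 32.
```perl
    my $iv = $low ? md5( rand() . time . {} ) : $newIv->();
    eval {
        my $ct = $self->_getCipher->set_iv($iv)->encrypt($data);
        # encrypt-then-MAC: the tag covers IV and ciphertext and is keyed
        # with the master key, so it cannot be recomputed without it
        my $tag = hmac_sha256( $iv . $ct, $self->{key} );
        $data = encode_base64( $iv . $tag . $ct, '' );
    };
    # … unchanged: error handling …
```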
From: Xavier Date: Thu, 27 Jun 2019 21:59:18 +0200 Subject: [PATCH 12/12] Better random string generation (#1803) --- lemonldap-ng-common/META.json | 9 +++++---- lemonldap-ng-common/META.yml | 3 ++- lemonldap-ng-common/Makefile.PL | 1 + .../lib/Lemonldap/NG/Common/Crypto.pm | 13 ++++++++++++- lemonldap-ng-handler/META.json | 6 +++--- lemonldap-ng-handler/META.yml | 2 +- lemonldap-ng-manager/META.json | 6 +++--- lemonldap-ng-manager/META.yml | 2 +- lemonldap-ng-portal/META.json | 7 +++---- lemonldap-ng-portal/META.yml | 3 +-- lemonldap-ng-portal/Makefile.PL | 1 - .../lib/Lemonldap/NG/Portal/2F/Ext2F.pm | 3 +-- .../lib/Lemonldap/NG/Portal/2F/Mail2F.pm | 3 +-- .../lib/Lemonldap/NG/Portal/Lib/SAML.pm | 1 - .../lib/Lemonldap/NG/Portal/Lib/SMTP.pm | 3 +-- 15 files changed, 35 insertions(+), 28 deletions(-) diff --git a/lemonldap-ng-common/META.json b/lemonldap-ng-common/META.json index 193030fa6..d26501ef6 100644 --- a/lemonldap-ng-common/META.json +++ b/lemonldap-ng-common/META.json @@ -4,13 +4,13 @@ "Xavier Guimard , Clément Oudot " ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010", + "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010", "license" : [ "open_source" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", - "version" : "2" + "version" : 2 }, "name" : "Lemonldap-NG-Common", "no_index" : { @@ -41,7 +41,8 @@ "DBI" : "0", "LWP::Protocol::https" : "0", "Net::LDAP" : "0", - "SOAP::Lite" : "0" + "SOAP::Lite" : "0", + "String::Random" : "0" }, "requires" : { "Apache::Session" : "0", @@ -72,5 +73,5 @@ "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org" }, "version" : "v2.0.4", - "x_serialization_backend" : "JSON::PP version 2.27400_02" + "x_serialization_backend" : "JSON::PP version 2.97001" } diff --git a/lemonldap-ng-common/META.yml b/lemonldap-ng-common/META.yml index f58d6eccd..3100dabaa 100644 --- a/lemonldap-ng-common/META.yml 
+++ b/lemonldap-ng-common/META.yml @@ -9,7 +9,7 @@ build_requires: configure_requires: ExtUtils::MakeMaker: '0' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010' +generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010' license: open_source meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -28,6 +28,7 @@ recommends: LWP::Protocol::https: '0' Net::LDAP: '0' SOAP::Lite: '0' + String::Random: '0' requires: Apache::Session: '0' Cache::Cache: '0' diff --git a/lemonldap-ng-common/Makefile.PL b/lemonldap-ng-common/Makefile.PL index 0c0af0207..86745216a 100644 --- a/lemonldap-ng-common/Makefile.PL +++ b/lemonldap-ng-common/Makefile.PL @@ -34,6 +34,7 @@ WriteMakefile( 'Convert::Base32' => 0, 'Cookie::Baker::XS' => 0, 'Crypt::URandom' => 0, + 'String::Random' => 0, 'DBI' => 0, 'Net::LDAP' => 0, 'SOAP::Lite' => 0, diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm index 70af44638..2202b8817 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm @@ -12,18 +12,25 @@ use strict; use Crypt::Rijndael; use MIME::Base64; use Digest::MD5 qw(md5); +use String::Random; use bytes; our $VERSION = '2.0.0'; -my $newIv; +my ( $newIv, $randG ); BEGIN { eval { require Crypt::URandom; Crypt::URandom::urandom(16) }; if ($@) { $newIv = sub { return md5( rand() . time . {} ) }; + $randG = sub { + my $a = 256; + $a = unpack( "C", Crypt::URandom::urandom(1) ) while ( $a > $_[0] ); + return $a; + }; } else { $newIv = sub { return Crypt::URandom::urandom(16) }; + $randG = sub { return int( rand( $_[0] ) ) }; } } @@ -190,4 +197,8 @@ sub _cryptHex { return $data; } +sub srandom { + return String::Random->new( rand_gen => $randG ); +} + 1; diff --git a/lemonldap-ng-handler/META.json b/lemonldap-ng-handler/META.json index 808e97c07..8f47b4f9a 100644 
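Review bot: The two branches of the `BEGIN` block in Crypto.pm are swapped for `$randG`: the `if ($@)` branch runs when `require Crypt::URandom` failed, yet it is the one that calls `Crypt::URandom::urandom(1)`, while the branch where the module is available falls back to perl's `rand()`, so every installation gets the wrong generator and the fallback one dies. The rejection loop also has an off-by-one: String::Random calls `rand_gen($max)` expecting a value in `0 .. $max-1`, but `while ( $a > $_[0] )` accepts `$a == $max`. `my $a` shadows sort's `$a` as well; use another name. The rewrite below swaps the branches and fixes the bound; a single byte only covers `$max <= 256`, which I believe suffices for String::Random's character classes but deserves a comment.
```perl
BEGIN {
    eval { require Crypt::URandom; Crypt::URandom::urandom(16) };
    if ($@) {
        # Crypt::URandom unavailable: degrade to perl's rand()
        $newIv = sub { return md5( rand() . time . {} ) };
        $randG = sub { return int( rand( $_[0] ) ) };
    }
    else {
        $newIv = sub { return Crypt::URandom::urandom(16) };
        # String::Random calls rand_gen($max) and expects 0 .. $max-1;
        # draw bytes until one is below $max so the result stays uniform
        $randG = sub {
            my $max = $_[0];
            my $n;
            do { $n = unpack( 'C', Crypt::URandom::urandom(1) ) }
              while ( $n >= $max );
            return $n;
        };
    }
}
```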
--- a/lemonldap-ng-handler/META.json +++ b/lemonldap-ng-handler/META.json @@ -4,13 +4,13 @@ "Xavier Guimard , Clément Oudot " ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010", + "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010", "license" : [ "open_source" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", - "version" : "2" + "version" : 2 }, "name" : "Lemonldap-NG-Handler", "no_index" : { @@ -59,5 +59,5 @@ "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org" }, "version" : "v2.0.4", - "x_serialization_backend" : "JSON::PP version 2.27400_02" + "x_serialization_backend" : "JSON::PP version 2.97001" } diff --git a/lemonldap-ng-handler/META.yml b/lemonldap-ng-handler/META.yml index d36ae2e91..55ae287ab 100644 --- a/lemonldap-ng-handler/META.yml +++ b/lemonldap-ng-handler/META.yml @@ -11,7 +11,7 @@ build_requires: configure_requires: ExtUtils::MakeMaker: '0' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010' +generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010' license: open_source meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html diff --git a/lemonldap-ng-manager/META.json b/lemonldap-ng-manager/META.json index a962fa4d4..34c00e7be 100644 --- a/lemonldap-ng-manager/META.json +++ b/lemonldap-ng-manager/META.json @@ -4,13 +4,13 @@ "Xavier Guimard , Clément Oudot " ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010", + "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010", "license" : [ "open_source" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", - "version" : "2" + "version" : 2 }, "name" : "Lemonldap-NG-Manager", "no_index" : { 
@@ -55,5 +55,5 @@
 "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
 },
 "version" : "v2.0.4",
- "x_serialization_backend" : "JSON::PP version 2.27400_02"
+ "x_serialization_backend" : "JSON::PP version 2.97001"
 }
diff --git a/lemonldap-ng-manager/META.yml b/lemonldap-ng-manager/META.yml
index 9ff57b806..e98e13f1f 100644
--- a/lemonldap-ng-manager/META.yml
+++ b/lemonldap-ng-manager/META.yml
@@ -9,7 +9,7 @@ build_requires:
 configure_requires:
 ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
 license: open_source
 meta-spec:
 url: http://module-build.sourceforge.net/META-spec-v1.4.html
diff --git a/lemonldap-ng-portal/META.json b/lemonldap-ng-portal/META.json
index c85aa5d50..51e50ee7f 100644
--- a/lemonldap-ng-portal/META.json
+++ b/lemonldap-ng-portal/META.json
@@ -4,13 +4,13 @@
 "Xavier Guimard , Clément Oudot "
 ],
 "dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010",
+ "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
 "license" : [
 "open_source"
 ],
 "meta-spec" : {
 "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
- "version" : "2"
+ "version" : 2
 },
 "name" : "Lemonldap-NG-Portal",
 "no_index" : {
@@ -57,7 +57,6 @@
 "Net::OpenID::Consumer" : "0",
 "Net::OpenID::Server" : "0",
 "SOAP::Lite" : "0",
- "String::Random" : "0",
 "Unicode::String" : "0",
 "Web::ID" : "0"
 },
@@ -78,5 +77,5 @@
 "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
 },
 "version" : "v2.0.4",
- "x_serialization_backend" : "JSON::PP version 2.27400_02"
+ "x_serialization_backend" : "JSON::PP version 2.97001"
 }
diff --git a/lemonldap-ng-portal/META.yml b/lemonldap-ng-portal/META.yml
index 854ab4517..097b63005 100644
--- a/lemonldap-ng-portal/META.yml
+++ b/lemonldap-ng-portal/META.yml
@@ -14,7 +14,7 @@ build_requires:
 configure_requires:
 ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
 license: open_source
 meta-spec:
 url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -43,7 +43,6 @@ recommends:
 Net::OpenID::Consumer: '0'
 Net::OpenID::Server: '0'
 SOAP::Lite: '0'
- String::Random: '0'
 Unicode::String: '0'
 Web::ID: '0'
 requires:
diff --git a/lemonldap-ng-portal/Makefile.PL b/lemonldap-ng-portal/Makefile.PL
index f087cda7b..b651bb744 100644
--- a/lemonldap-ng-portal/Makefile.PL
+++ b/lemonldap-ng-portal/Makefile.PL
@@ -27,7 +27,6 @@ WriteMakefile(
 'Net::OpenID::Consumer' => 0,
 'Net::OpenID::Server' => 0,
 'SOAP::Lite' => 0,
- 'String::Random' => 0,
 'Unicode::String' => 0,
 'Web::ID' => 0,
 },
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Ext2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Ext2F.pm
index a8a7f9a1c..20b4cb775 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Ext2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Ext2F.pm
@@ -2,7 +2,6 @@ package Lemonldap::NG::Portal::2F::Ext2F;
 use strict;
 use Mouse;
-use String::Random;
 use Lemonldap::NG::Portal::Main::Constants qw(
 PE_BADCREDENTIALS
 PE_ERROR
@@ -38,7 +37,7 @@ sub init {
 $self->error("Missing 'ext2FSendCommand' parameter, aborting");
 return 0;
 }
- $self->random( String::Random->new );
+ $self->random( Lemonldap::NG::Common::Crypto::srandom() );
 $self->logo( $self->conf->{ext2fLogo} ) if ( $self->conf->{ext2fLogo} );
 return $self->SUPER::init();
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
index c34c50c9d..2c4c6da80 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
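Review bot: `use String::Random;` is removed from Ext2F.pm but nothing brings `Lemonldap::NG::Common::Crypto` into this file, so the fully qualified `Lemonldap::NG::Common::Crypto::srandom()` call in `init` resolves only if some other module happened to load Crypto first, making the 2F module's startup depend on load order; the Mail2F.pm and SMTP.pm hunks have the same pattern, with the call inside a `has random => ( default => sub { ... } )` builder. Replacing the removed line with `use Lemonldap::NG::Common::Crypto;` in each of the three files makes the dependency explicit and load-order independent. The SAML.pm hunk drops `use String::Random;` with no replacement in view; if any `String::Random->new` call remains in that file it now fails at runtime, so that file is worth a search before merging. `sub init` begins before the second Ext2F hunk and its closing brace is outside it.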
@@ -2,7 +2,6 @@ package Lemonldap::NG::Portal::2F::Mail2F;
 use strict;
 use Mouse;
-use String::Random;
 use Lemonldap::NG::Portal::Main::Constants qw(
 PE_BADCREDENTIALS
 PE_ERROR
@@ -23,7 +22,7 @@ has prefix => ( is => 'ro', default => 'mail' );
 has random => (
 is => 'rw',
 default => sub {
- return String::Random->new;
+ return Lemonldap::NG::Common::Crypto::srandom();
 }
 );
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
index 849350b74..d4f89ef90 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@@ -8,7 +8,6 @@ use Lemonldap::NG::Common::UserAgent;
 use Lemonldap::NG::Common::FormEncode;
 use XML::Simple;
 use MIME::Base64;
-use String::Random;
 use HTTP::Request; # SOAP call
 use POSIX qw(strftime); # Convert SAML2 date into timestamp
 use Time::Local; # Convert SAML2 date into timestamp
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
index 8cafb192d..3b82cb098 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
@@ -8,7 +8,6 @@ package Lemonldap::NG::Portal::Lib::SMTP;
 use strict;
 use Mouse;
 use JSON qw(from_json);
-use String::Random;
 use MIME::Entity;
 use Email::Sender::Simple qw(sendmail);
 use Email::Sender::Transport::SMTP qw();
@@ -24,7 +23,7 @@ our $transport;
 has random => (
 is => 'rw',
 default => sub {
- return String::Random->new;
+ return Lemonldap::NG::Common::Crypto::srandom();
 }
 );
 has charset => (