Commit 44a6e258 authored by Xavier Guimard's avatar Xavier Guimard

Improve cryptographic functions (#1823)

parent e23611b7
lemonldap-ng (2.0.5-1) unstable; urgency=medium
This version adds some improvements in cryptographic functions. To take
advantage of them, you must change the master key of LemonLDAP::NG.
-- Xavier Guimard <yadd@debian.org> Thu, 27 Jun 2019 23:19:09 +0200
lemonldap-ng (2.0.0-1) unstable; urgency=medium
2.0 is a major release, many things have been changed. You must read
......
......@@ -211,7 +211,8 @@ Recommends: libapache-session-browseable-perl,
libdbi-perl,
libhttp-parser-xs-perl,
libjson-xs-perl,
liblwp-protocol-https-perl
liblwp-protocol-https-perl,
libstring-random-perl
Suggests: libconvert-base32-perl,
libnet-ldap-perl,
libsoap-lite-perl,
......@@ -277,7 +278,6 @@ Recommends: libcrypt-openssl-bignum-perl,
libgd-securityimage-perl,
libmime-tools-perl,
libnet-ldap-perl,
libstring-random-perl,
libunicode-string-perl
Suggests: libcrypt-u2f-server-perl,
libdbi-perl,
......
......@@ -4,13 +4,13 @@
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010",
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"
],
"meta-spec" : {
"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
"version" : "2"
"version" : 2
},
"name" : "Lemonldap-NG-Common",
"no_index" : {
......@@ -41,7 +41,8 @@
"DBI" : "0",
"LWP::Protocol::https" : "0",
"Net::LDAP" : "0",
"SOAP::Lite" : "0"
"SOAP::Lite" : "0",
"String::Random" : "0"
},
"requires" : {
"Apache::Session" : "0",
......@@ -72,5 +73,5 @@
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
},
"version" : "v2.0.4",
"x_serialization_backend" : "JSON::PP version 2.27400_02"
"x_serialization_backend" : "JSON::PP version 2.97001"
}
......@@ -9,7 +9,7 @@ build_requires:
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
......@@ -28,6 +28,7 @@ recommends:
LWP::Protocol::https: '0'
Net::LDAP: '0'
SOAP::Lite: '0'
String::Random: '0'
requires:
Apache::Session: '0'
Cache::Cache: '0'
......
......@@ -34,6 +34,7 @@ WriteMakefile(
'Convert::Base32' => 0,
'Cookie::Baker::XS' => 0,
'Crypt::URandom' => 0,
'String::Random' => 0,
'DBI' => 0,
'Net::LDAP' => 0,
'SOAP::Lite' => 0,
......
......@@ -11,10 +11,33 @@ package Lemonldap::NG::Common::Crypto;
use strict;
use Crypt::Rijndael;
use MIME::Base64;
use Digest::MD5 qw(md5);
use Digest::SHA;
use bytes;
our $VERSION = '2.0.0';
my ( $newIv, $randG, $hash );
$hash = \&Digest::SHA::sha256;
use constant HMAC_LENGTH => 32;
use constant IV_LENGTH => 16;
BEGIN {
eval { require Crypt::URandom; Crypt::URandom::urandom(IV_LENGTH) };
if ($@) {
$newIv = sub {
return bytes::substr( Digest::SHA::sha1( rand() . time . {} ),
0, IV_LENGTH );
};
$randG = sub { return int( rand( $_[0] ) ) };
}
else {
$newIv = sub { return Crypt::URandom::urandom(IV_LENGTH) };
$randG = sub {
return
int( unpack( "C", Crypt::URandom::urandom(1) ) * $_[0] / 256 );
};
}
}
our $msg;
......@@ -44,7 +67,7 @@ sub _getCipher {
my ( $self, $key ) = @_;
$key ||= "";
$self->{ciphers}->{$key} ||=
Crypt::Rijndael->new( md5( $self->{key}, $key ), $self->{mode} );
Crypt::Rijndael->new( $hash->( $self->{key}, $key ), $self->{mode} );
return $self->{ciphers}->{$key};
}
......@@ -53,13 +76,23 @@ sub _getCipher {
# @param data data to encrypt
# @return encrypted data in Base64 format
sub encrypt {
my ( $self, $data ) = @_;
my ( $self, $data, $low ) = @_;
# pad $data so that its length be multiple of 16 bytes
my $l = bytes::length($data) % 16;
$data .= "\0" x ( 16 - $l ) unless ( $l == 0 );
eval { $data = encode_base64( $self->_getCipher->encrypt($data), '' ); };
my $iv =
$low
? bytes::substr( Digest::SHA::sha1( rand() . time . {} ), 0, IV_LENGTH )
: $newIv->();
my $hmac = $hash->($data);
eval {
$data =
encode_base64(
$iv . $self->_getCipher->set_iv($iv)->encrypt( $hmac . $data ),
'' );
};
if ($@) {
$msg = "Crypt::Rijndael error : $@";
return undef;
......@@ -81,11 +114,22 @@ sub decrypt {
$data =~ s/%2F/\//ig;
$data =~ s/%3D/=/ig;
$data =~ s/%0A/\n/ig;
eval { $data = $self->_getCipher->decrypt( decode_base64($data) ); };
$data = decode_base64($data);
my $iv;
$iv = bytes::substr( $data, 0, IV_LENGTH );
$data = bytes::substr( $data, IV_LENGTH );
eval { $data = $self->_getCipher->set_iv($iv)->decrypt($data); };
if ($@) {
$msg = "Crypt::Rijndael error : $@";
return undef;
}
my $hmac = bytes::substr( $data, 0, HMAC_LENGTH );
$data = bytes::substr( $data, HMAC_LENGTH );
if ( $hash->($data) ne $hmac ) {
$msg = "Bad MAC";
return undef;
}
else {
$msg = '';
......@@ -141,15 +185,34 @@ sub _cryptHex {
"Lemonldap::NG::Common::Crypto::${sub}Hex error : data length must be multiple of 32";
return undef;
}
my $iv;
if ( $sub eq 'encrypt' ) {
$iv = $newIv->();
}
$data = pack "H*", $data;
eval { $data = $self->_getCipher($key)->$sub($data); };
if ( $sub eq 'decrypt' ) {
$iv = bytes::substr( $data, 0, IV_LENGTH );
$data = bytes::substr( $data, IV_LENGTH );
}
eval { $data = $self->_getCipher($key)->set_iv($iv)->$sub($data); };
if ($@) {
$msg = "Crypt::Rijndael error : $@";
return undef;
}
if ( $sub eq 'encrypt' ) {
$data = $iv . $data;
}
$msg = "";
$data = unpack "H*", $data;
return $data;
}
sub srandom {
eval { require String::Random };
if ($@) {
die 'Missing recommended dependency to String::Random';
}
return String::Random->new( rand_gen => $randG );
}
1;
......@@ -12,7 +12,7 @@ use strict;
use Convert::PEM;
use Crypt::OpenSSL::RSA;
use Lemonldap::NG::Common::Conf;
use String::Random qw(random_string);
use Lemonldap::NG::Common::Crypto;
my $debug = 0;
......@@ -28,9 +28,10 @@ print "Configuration loaded\n" if $debug;
#=============================================================================
# Generate new key
#=============================================================================
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
my $key_id = random_string("ssssssssss");
my $keys = {
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
my $key_id =
Lemonldap::NG::Common::Crypto::srandom()->randpattern("ssssssssss");
my $keys = {
'private' => $rsa->get_private_key_string(),
'public' => $rsa->get_public_key_x509_string(),
'id' => $key_id,
......
......@@ -5,7 +5,7 @@
# change 'tests => 1' to 'tests => last_test_to_print';
use Test::More tests => 21;
use Test::More tests => 22;
use Digest::MD5 qw(md5 md5_hex md5_base64);
use strict;
......@@ -30,7 +30,11 @@ foreach my $i ( 1 .. 17 ) {
my $s = '';
$s = join( '', map { chr( int( rand(94) ) + 33 ) } ( 1 .. $i ) );
ok( $c->decrypt( $c->encrypt($s) ) eq $s,
"Test of base64 encrypting with $i characters string" );
"Test of base64 encrypting with $i characters string" )
or diag "Source: $s\nCypher: "
. $c->encrypt($s)
. "\nUncipher:"
. $c->decrypt( $c->encrypt($s) );
}
my $data = md5_hex(rand);
......@@ -42,6 +46,9 @@ ok(
# Test a long value, and replace carriage return by %0A
my $long = "f5a1f72e7ab2f7712855a068af0066f36bfcf2c87e6feb9cf4200da1868e1dfe";
my $cryptedlong =
"Da6sYxp9NCXv8+8TirqHmPWwTQHyEGmkCBGCLCX/81dPSMwIQVQNV7X9KG3RrKZfyRmzJR6DZYdU%0Ab75+VH3+CA==";
ok( $c->decrypt($cryptedlong) eq $long, "Test of long value encrypting" );
ok( $c->decrypt( $c->encrypt($long) ) eq $long,
"Test of long value encrypting" );
ok(
$c->decryptHex( $c->encryptHex($long) ) eq $long,
"Test of long value encrypting (hex)"
);
......@@ -4,13 +4,13 @@
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010",
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"
],
"meta-spec" : {
"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
"version" : "2"
"version" : 2
},
"name" : "Lemonldap-NG-Handler",
"no_index" : {
......@@ -59,5 +59,5 @@
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
},
"version" : "v2.0.4",
"x_serialization_backend" : "JSON::PP version 2.27400_02"
"x_serialization_backend" : "JSON::PP version 2.97001"
}
......@@ -11,7 +11,7 @@ build_requires:
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
......
......@@ -103,7 +103,7 @@ sub build_jail {
# Import crypto methods for jail
sub encrypt {
return &Lemonldap::NG::Handler::Main::tsv->{cipher}->encrypt(@_);
return &Lemonldap::NG::Handler::Main::tsv->{cipher}->encrypt( $_[0], 1 );
}
sub token {
......
......@@ -4,13 +4,13 @@
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010",
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"
],
"meta-spec" : {
"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
"version" : "2"
"version" : 2
},
"name" : "Lemonldap-NG-Manager",
"no_index" : {
......@@ -55,5 +55,5 @@
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
},
"version" : "v2.0.4",
"x_serialization_backend" : "JSON::PP version 2.27400_02"
"x_serialization_backend" : "JSON::PP version 2.97001"
}
......@@ -9,7 +9,7 @@ build_requires:
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
......
......@@ -4,13 +4,13 @@
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010",
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"
],
"meta-spec" : {
"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
"version" : "2"
"version" : 2
},
"name" : "Lemonldap-NG-Portal",
"no_index" : {
......@@ -57,7 +57,6 @@
"Net::OpenID::Consumer" : "0",
"Net::OpenID::Server" : "0",
"SOAP::Lite" : "0",
"String::Random" : "0",
"Unicode::String" : "0",
"Web::ID" : "0"
},
......@@ -78,5 +77,5 @@
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
},
"version" : "v2.0.4",
"x_serialization_backend" : "JSON::PP version 2.27400_02"
"x_serialization_backend" : "JSON::PP version 2.97001"
}
......@@ -14,7 +14,7 @@ build_requires:
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.24, CPAN::Meta::Converter version 2.150010'
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
......@@ -43,7 +43,6 @@ recommends:
Net::OpenID::Consumer: '0'
Net::OpenID::Server: '0'
SOAP::Lite: '0'
String::Random: '0'
Unicode::String: '0'
Web::ID: '0'
requires:
......
......@@ -27,7 +27,6 @@ WriteMakefile(
'Net::OpenID::Consumer' => 0,
'Net::OpenID::Server' => 0,
'SOAP::Lite' => 0,
'String::Random' => 0,
'Unicode::String' => 0,
'Web::ID' => 0,
},
......
......@@ -2,7 +2,6 @@ package Lemonldap::NG::Portal::2F::Ext2F;
use strict;
use Mouse;
use String::Random;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_ERROR
......@@ -38,7 +37,7 @@ sub init {
$self->error("Missing 'ext2FSendCommand' parameter, aborting");
return 0;
}
$self->random( String::Random->new );
$self->random( Lemonldap::NG::Common::Crypto::srandom() );
$self->logo( $self->conf->{ext2fLogo} )
if ( $self->conf->{ext2fLogo} );
return $self->SUPER::init();
......
......@@ -2,7 +2,6 @@ package Lemonldap::NG::Portal::2F::Mail2F;
use strict;
use Mouse;
use String::Random;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_ERROR
......@@ -23,7 +22,7 @@ has prefix => ( is => 'ro', default => 'mail' );
has random => (
is => 'rw',
default => sub {
return String::Random->new;
return Lemonldap::NG::Common::Crypto::srandom();
}
);
......
......@@ -8,7 +8,6 @@ use Lemonldap::NG::Common::UserAgent;
use Lemonldap::NG::Common::FormEncode;
use XML::Simple;
use MIME::Base64;
use String::Random;
use HTTP::Request; # SOAP call
use POSIX qw(strftime); # Convert SAML2 date into timestamp
use Time::Local; # Convert SAML2 date into timestamp
......
......@@ -8,7 +8,6 @@ package Lemonldap::NG::Portal::Lib::SMTP;
use strict;
use Mouse;
use JSON qw(from_json);
use String::Random;
use MIME::Entity;
use Email::Sender::Simple qw(sendmail);
use Email::Sender::Transport::SMTP qw();
......@@ -24,7 +23,7 @@ our $transport;
has random => (
is => 'rw',
default => sub {
return String::Random->new;
return Lemonldap::NG::Common::Crypto::srandom();
}
);
has charset => (
......
......@@ -44,8 +44,8 @@ my $id1 = expectCookie($res);
my $id2 = expectCookie( $res, 'lemonldaphttp' );
# Check lemonldap Cookie
ok( $id1 =~ /^\w{64}$/, " -> Get cookie : lemonldap=something" )
or explain( $res->[1], "Set-Cookie: lemonldap=$id1" );
ok( $id1 =~ /^\w{64}$/, " -> https cookie is 64 char long" )
or explain( $id1, '64-char string' );
ok( ${ $res->[1] }[3] =~ /HttpOnly=1/, " -> Cookie 'lemonldap' is HttpOnly" )
or explain( $res->[1] );
ok( ${ $res->[1] }[3] =~ /secure/, " -> Cookie 'lemonldap' is secure" )
......@@ -53,8 +53,8 @@ ok( ${ $res->[1] }[3] =~ /secure/, " -> Cookie 'lemonldap' is secure" )
count(3);
# Check lemonldaphttp Cookie
ok( $id2 =~ /^\w{64}$/, " -> Get cookie lemonldaphttp=something" )
or explain( $res->[1], "Set-Cookie: lemonldaphttp=$id2" );
ok( length($id2) % 32 == 0, " -> http cookie is 96 byte long" )
or explain( $id2, '\w x 32 string' );
ok(
${ $res->[1] }[5] =~ /HttpOnly=1/,
" -> Cookie 'lemonldaphttp' is HttpOnly"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment