From 8b6a60e9ab2bcf73be102e2ffc097b963d7bdac5 Mon Sep 17 00:00:00 2001
From: Jim Norman
Date: Mon, 18 Dec 2006 11:13:23 +0000
Subject: [PATCH] Security Audit - Remove assumption of username.
---
 CASA/micasad/cache/SecretStore.cs | 29 +++++++++++++++++--
 CASA/micasad/lss/LocalStorage.cs | 4 +--
 CASA/micasad/verbs/ObjectSerialization.cs | 35 ++++++++++-------------
 CASA/policy/PolicyImpl.cs | 27 +++++++++--------
 4 files changed, 59 insertions(+), 36 deletions(-)
diff --git a/CASA/micasad/cache/SecretStore.cs b/CASA/micasad/cache/SecretStore.cs
index bc048cdb..7f562055 100644
--- a/CASA/micasad/cache/SecretStore.cs
+++ b/CASA/micasad/cache/SecretStore.cs
@@ -882,8 +882,13 @@ namespace sscs.cache
 internal string GetUserHomeDirectory()
 {
 return user.GetUserHomeDir();
+ }
+
+ internal string GetUserName()
+ {
+ return user.GetUserName();
 }
-
+
 internal string GetPersistenceDirectory()
 {
 if (m_persistenceDirectory != null)
@@ -897,7 +902,7 @@ namespace sscs.cache
 {
 // the user might have set a different one
 // load the policy file and check.
- UIPol uiPolicy = (UIPol)ICASAPol.GetPolicy(CASAPolType.UI_POL, GetUserHomeDirectory());
+ UIPol uiPolicy = (UIPol)ICASAPol.GetPolicy(CASAPolType.UI_POL, GetUserHomeDirectory(), GetUserName());
 if (uiPolicy != null)
 {
 string sDir = uiPolicy.GetConfigSetting(ConstStrings.CONFIG_PERSISTENT_DIRECTORY);
@@ -1023,6 +1028,26 @@ namespace sscs.cache
 {
 string persistDir = GetPersistenceDirectory();
 return persistDir + ConstStrings.MICASA_SERVER_VALIDATION_FILE;
+ }
+
+ internal string GetSecretsForExport(string sEncryptionString)
+ {
+ byte[] baIV = null;
+ byte[] baSecrets = GetSecrets(sEncryptionString, ref baIV);
+
+ if ((baIV != null) && (baSecrets != null))
+ {
+ byte[] baCombined = new byte[baIV.Length + baSecrets.Length];
+ baIV.CopyTo(baCombined, 0);
+ baSecrets.CopyTo(baCombined, baIV.Length);
+
+ string sB64 = Convert.ToBase64String(baCombined);
+ return sB64;
+ }
+ else
+ {
+ return Convert.ToBase64String(baSecrets);
+ }
 }
 internal byte[] GetSecrets(string sEncryptionString, ref byte[] baIV)
diff --git a/CASA/micasad/lss/LocalStorage.cs b/CASA/micasad/lss/LocalStorage.cs
index 9cf110e1..576bd5a4 100644
--- a/CASA/micasad/lss/LocalStorage.cs
+++ b/CASA/micasad/lss/LocalStorage.cs
@@ -609,7 +609,7 @@ namespace sscs.lss
 string sPeristSecrets = null;
 // is policy set to persist secrets
- UIPol uiPolicy = (UIPol)ICASAPol.GetPolicy(CASAPolType.UI_POL, userStore.GetUserHomeDirectory());
+ UIPol uiPolicy = (UIPol)ICASAPol.GetPolicy(CASAPolType.UI_POL, userStore.GetUserHomeDirectory(), userStore.GetUserName());
 if (uiPolicy != null)
 {
 sPeristSecrets = uiPolicy.GetConfigSetting(ConstStrings.CONFIG_PERSIST_SECRETS);
@@ -739,7 +739,7 @@ namespace sscs.lss
 // TODO: Does Policy allow persisting this secret.
 if (policy == null)
 {
- policy = (PersistencePol)ICASAPol.GetPolicy(CASAPolType.PERSISTENCE_POL, userStore.GetUserHomeDirectory());
+ policy = (PersistencePol)ICASAPol.GetPolicy(CASAPolType.PERSISTENCE_POL, userStore.GetUserHomeDirectory(), userStore.GetUserName());
 }
 bool bSaveValues = true;
diff --git a/CASA/micasad/verbs/ObjectSerialization.cs b/CASA/micasad/verbs/ObjectSerialization.cs
index 665cb04b..4d1b32a4 100644
--- a/CASA/micasad/verbs/ObjectSerialization.cs
+++ b/CASA/micasad/verbs/ObjectSerialization.cs
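Review bot: In `GetSecretsForExport` (SecretStore.cs, hunk at -1023) the `else` branch runs whenever either `baIV` or `baSecrets` is null, so a null `baSecrets` reaches `Convert.ToBase64String(baSecrets)`, which throws ArgumentNullException. A guard ahead of the branch, `if (baSecrets == null) return null;`, would make that failure explicit, provided callers handle a null return (DoExportSecrets is the only caller visible in this patch). The returned string also gives no indication of whether an IV is prepended, since both branches use the same encoding; a doc comment such as `// Returns Base64(IV || GetSecrets output), or Base64(GetSecrets output) when no IV was set` would record the format for whatever reads the export.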
@@ -105,7 +105,7 @@ namespace sscs.verbs
 // Serialize the WrappedObject and send the reply
 ms = new MemoryStream();
- formatter.Serialize(ms, reply);
+ formatter.Serialize(ms, reply);
 int msLen = (int)ms.Length;
 outBuf = new byte[4+msLen];
@@ -276,11 +276,12 @@ namespace sscs.verbs
 {
 cpd.SetErrorMessage("Directory not allowed");
 return wo;
- }
-#endif
-
-
- // copy all .miCASA* files to new location
+ }
+
+#endif
+
+
+ // copy all .miCASA* files to new location
 string[] files = Directory.GetFiles(sOldDir, ".miCASA*");
 if (files != null)
 {
@@ -392,8 +393,7 @@ namespace sscs.verbs
 }
 private WrappedObject DoExportSecrets(SecretStore ssStore, WrappedObject wo, UserIdentifier userId)
- {
- byte[] baIV = null;
+ {
 ExportXMLSecrets secrets = (ExportXMLSecrets)wo.GetObject();
 // validate masterpassword
@@ -411,21 +411,16 @@ namespace sscs.verbs
 string sEncrpyptionPassphrase = secrets.GetPassphrase();
 // get all secrets
- byte[] baSecrets = ssStore.GetSecrets(sEncrpyptionPassphrase, ref baIV);
- string sFilePath = secrets.GetFilePath();
+ //byte[] baSecrets = ssStore.GetSecrets(sEncrpyptionPassphrase, ref baIV);
+ string baSecrets = ssStore.GetSecretsForExport(sEncrpyptionPassphrase);
+
+ string sFilePath = secrets.GetFilePath();
 if (sFilePath != null)
 {
 // write em out
 FileStream fs = new FileStream(sFilePath, FileMode.Create);
-
- // if a IV was set, write it out.
- if (baIV != null)
- {
- fs.Write(baIV, 0, 16);
- }
- // write the secrets now
- fs.Write(baSecrets, 0, baSecrets.Length);
+ //fs.Write(baSecrets, 0, baSecrets.Length);
 fs.Flush();
 fs.Close();
@@ -436,8 +431,8 @@ namespace sscs.verbs
 }
 else
- {
- wo.SetObject(ssStore.GetSecrets(sEncrpyptionPassphrase, ref baIV));
+ {
+ wo.SetObject(baSecrets);
 }
 wo.SetError(constants.RetCodes.SUCCESS, "");
diff --git a/CASA/policy/PolicyImpl.cs b/CASA/policy/PolicyImpl.cs
index bd9c5fcd..2d40e18e 100644
--- a/CASA/policy/PolicyImpl.cs
+++ b/CASA/policy/PolicyImpl.cs
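Review bot: In the `sFilePath != null` branch of `DoExportSecrets` (hunk at -411) nothing is written any more, because the IV write is deleted and `fs.Write(baSecrets, ...)` is commented out, yet `new FileStream(sFilePath, FileMode.Create)` still runs, so the service creates or truncates a file at a path taken from the request object and leaves it empty. If the caller is now expected to write the file itself from the returned string, the FileStream lines should go too, so the service no longer touches a request-supplied path. If file export is still wanted, the Base64 text has to be written, e.g. `byte[] baOut = System.Text.Encoding.ASCII.GetBytes(baSecrets); fs.Write(baOut, 0, baOut.Length);`, with the stream in a `using` block so it is closed on error. The local `baSecrets` is now a `string`, so the `ba` prefix and the two commented-out lines mislead and are worth cleaning up. DoExportSecrets continues outside these hunks, so any later handling of the file is not visible here.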
@@ -36,10 +36,10 @@ public class ICASAPol
 static string GetPolicyFilePath()
 {
- return GetPolicyFilePath(null);
+ return GetPolicyFilePath(null, null);
 }
- static string GetPolicyFilePath(string sUserHomeDir)
+ static string GetPolicyFilePath(string sUserHomeDir, string sUserName)
 {
 try
@@ -64,14 +64,17 @@ public class ICASAPol
 homeDir = System.Environment.GetEnvironmentVariable("HOME");
 }
- // get users name
- string sUsername = homeDir.Substring(homeDir.LastIndexOf("/") + 1);
-
- if (sUsername != null)
+ // get users name
+ if (sUserName == null)
+ {
+ sUserName = System.Environment.GetEnvironmentVariable("USER");
+ }
+
+ if (sUserName != null)
 {
 // check for existing files
- string sOldLocation = homeDir + XmlConsts.policyFileName;
- string sNewLocation = "/home/.casa/" + sUsername + XmlConsts.policyFileName;
+ string sOldLocation = homeDir + XmlConsts.policyFileName;
+ string sNewLocation = "/home/.casa/" + sUserName + XmlConsts.policyFileName;
 // move file if needed
 if ((!File.Exists(sNewLocation)) && (File.Exists(sOldLocation)))
@@ -421,18 +424,18 @@ public class ICASAPol
 static public CASAPol GetPolicy(CASAPolType policyType)
 {
- return GetPolicy(policyType, null);
+ return GetPolicy(policyType, null, null);
 }
- static public CASAPol GetPolicy(CASAPolType policyType, string sDir)
+ static public CASAPol GetPolicy(CASAPolType policyType, string sDir, string sUserName)
 {
 CASAPol pol = null;
 try
 {
 XmlDocument doc = new XmlDocument();
- if(!File.Exists(GetPolicyFilePath(sDir)))
+ if(!File.Exists(GetPolicyFilePath(sDir, sUserName)))
 return null;
- doc.Load(GetPolicyFilePath(sDir));
+ doc.Load(GetPolicyFilePath(sDir, sUserName));
 switch(policyType)
 {
 case CASAPolType.AGGREGATION_POL:
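Review bot: In `GetPolicyFilePath` (hunk at -64) `sUserName` is concatenated unchecked into `"/home/.casa/" + sUserName + XmlConsts.policyFileName`, and that path feeds the `File.Exists` test and the move announced by the `// move file if needed` comment. The name now comes from the caller or from the `USER` environment variable, so it should be confirmed to be a single path component before use, e.g. `sUserName.Length > 0 && sUserName == Path.GetFileName(sUserName) && sUserName != "." && sUserName != ".."`. The `USER` fallback also describes the process running this code rather than the owner of `sUserHomeDir`, so a call that supplies a home directory but a null name may pair one user's home with another account's policy path; a comment stating that both arguments must be supplied together would help. The function starts and ends outside the hunk.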
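Review bot: `GetPolicy` (hunk at -421) evaluates `GetPolicyFilePath(sDir, sUserName)` twice, once for `File.Exists` and once for `doc.Load`, and the -64 hunk shows that function probing and relocating files, so the two calls can observe different states and repeat that work. Resolving it once with `string sPath = GetPolicyFilePath(sDir, sUserName);` and using `sPath` for both the existence check and the load keeps the two steps on the same file. The commit also replaces the public two-argument `GetPolicy(CASAPolType, string)` rather than adding an overload, so any caller outside the four files in this patch would stop compiling; whether such callers exist cannot be seen here. The method body continues past the end of the hunk.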