From a06c806d2efefba7530deacf181fca6653eb271a Mon Sep 17 00:00:00 2001 From: lsreevatsa Date: Wed, 29 Mar 2006 13:56:56 +0000 Subject: [PATCH] - Security Audit Report : Patch for Bug No. 5.7. File : c_micasad/verbs/SetMasterPassword.cs. - Added a check to verify the length of the Master Password to be greater than 8 characters and less than or equal to 256 characters. --- CASA.changes | 10 +++++ c_micasad/verbs/SetMasterPassword.cs | 59 ++++++++++++++++------------ 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/CASA.changes b/CASA.changes index 7ddee93c..da69f5b0 100644 --- a/CASA.changes +++ b/CASA.changes @@ -1,8 +1,18 @@ +------------------------------------------------------------------- +Wed Mar 29 19:20:12 IST 2006 - lsreevatsa@novell.com + +- Security Audit Report : Patch for Bug No. 5.7. + File : c_micasad/verbs/SetMasterPassword.cs. +- Added a check to verify the length of the Master Password + to be greater than 8 characters and less than or equal to + 256 characters. + ------------------------------------------------------------------- Wed Mar 29 17:00:41 IST 2006 - lsreevatsa@novell.com - Security Audit Report : Patch for Bug No. 5.4.1 File : c_micasad/lss/CASACrypto.cs +- Added a check to verify Decrypt string is greater than 32. ------------------------------------------------------------------- Wed Mar 15 21:22:48 IST 2006 - lsreevatsa@novell.com diff --git a/c_micasad/verbs/SetMasterPassword.cs b/c_micasad/verbs/SetMasterPassword.cs index 7730d2ea..da6ad585 100644 --- a/c_micasad/verbs/SetMasterPassword.cs +++ b/c_micasad/verbs/SetMasterPassword.cs @@ -49,7 +49,9 @@ namespace sscs.verbs private byte[] inBuf; private byte[] outBuf; private int retCode = 0; - + private int MASTER_PASS_MIN_LEN = 8; + private int MASTER_PASS_MAX_LEN = 256; + /* * This method sets the class member with the byte array received. */ 
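Review bot: MASTER_PASS_MIN_LEN and MASTER_PASS_MAX_LEN are added as mutable instance fields, so every instance carries its own copy and nothing stops later code from reassigning them; they are fixed policy values and should be declared `private const int MASTER_PASS_MIN_LEN = 8;` and `private const int MASTER_PASS_MAX_LEN = 256;`. A one-line comment above them such as `// Bounds on the UTF-8 byte length carried in the message, not on a character count` would make the unit of the limit explicit, since the value they are compared against is the raw length field of the request. The enclosing class declaration is outside this hunk.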
@@ -78,30 +80,37 @@ namespace sscs.verbs
 throw new FormatException(" MsgLen sent does not match the length of the message received.");
 passwdType = BitConverter.ToUInt32(inBuf,6);
 passwdLen = BitConverter.ToUInt32(inBuf,10);
- byte[] tempArr = new byte[passwdLen];
- Array.Copy(inBuf,14,tempArr,0,passwdLen);
- passwd = Encoding.UTF8.GetString(tempArr);
- // Message Format decipher - End
-
- try
- {
- SecretStore ssStore = null;
- ssStore = SessionManager.GetUserSecretStore(userId);
- if(ssStore.SetMasterPassword(passwd))
- retCode = IPCRetCodes.SSCS_REPLY_SUCCESS;
- else
- retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;
- }
- catch(UserNotInSessionException)
- {
- CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Unable to get user's secretstore" );
- retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
- }
- catch(Exception e)
- {
- CSSSLogger.ExpLog(e.ToString());
- retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
- }
+ if(passwdLen < MASTER_PASS_MIN_LEN || passwdLen > MASTER_PASS_MAX_LEN)
+ {
+ retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;
+ }
+ else
+ {
+ byte[] tempArr = new byte[passwdLen];
+ Array.Copy(inBuf,14,tempArr,0,passwdLen);
+ passwd = Encoding.UTF8.GetString(tempArr);
+ // Message Format decipher - End
+
+ try
+ {
+ SecretStore ssStore = null;
+ ssStore = SessionManager.GetUserSecretStore(userId);
+ if(ssStore.SetMasterPassword(passwd))
+ retCode = IPCRetCodes.SSCS_REPLY_SUCCESS;
+ else
+ retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;
+ }
+ catch(UserNotInSessionException)
+ {
+ CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Unable to get user's secretstore" );
+ retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
+ }
+ catch(Exception e)
+ {
+ CSSSLogger.ExpLog(e.ToString());
+ retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
+ }
+ }
 
 try
 {
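Review bot: The new range check bounds passwdLen against the policy limits but not against the buffer it is about to read, so a request whose length field claims up to 256 bytes while the payload is shorter still reaches `Array.Copy(inBuf,14,tempArr,0,passwdLen)`, which sits outside the try block and would surface as an unhandled ArgumentException instead of a return code. Unless the MsgLen comparison above the hunk already ties the declared password length to inBuf.Length (that check is outside the hunk, so I cannot confirm it), the guard should read `if(passwdLen < MASTER_PASS_MIN_LEN || passwdLen > MASTER_PASS_MAX_LEN || passwdLen > inBuf.Length - 14)`. The condition also accepts exactly 8 whereas the commit message says "greater than 8", and the limit is on the UTF-8 byte length rather than a character count; a comment above the branch stating which is intended would settle both. The enclosing method begins and ends outside this hunk.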