Updating passwords on Windows desktop to be more secure, minimizing time spent as plaintext.

Author: stgates

Release/include/cpprest/web_utilities.h

@@ -32,16 +32,28 @@
 
 namespace web
 {
+
+namespace http { namespace client { namespace details {
+class winhttp_client;
+}}}
+
 namespace details
 {
 #if defined(_MS_WINDOWS) && !defined(__cplusplus_winrt)
+class zero_memory_deleter
+{
+public:
+    _ASYNCRTIMP void operator()(::utility::string_t *data) const;
+};
+typedef std::unique_ptr<std::wstring, zero_memory_deleter> password_string;
+
 class win32_encryption
 {
 public:
     win32_encryption() {}
     _ASYNCRTIMP win32_encryption(const std::wstring &data);
     _ASYNCRTIMP ~win32_encryption();
-    _ASYNCRTIMP std::wstring decrypt() const;
+    _ASYNCRTIMP password_string decrypt() const;
 private:
     std::vector<char> m_buffer;
     size_t m_numCharacters;
@@ -81,10 +93,11 @@ class credentials
     /// The password for the user name associated with the credentials.
     /// </summary>
     /// <returns>A string containing the password.</returns>
-    utility::string_t password() const
+    CASABLANCA_DEPRECATED("This API is deprecated for security reasons to avoid unnecessary password copies stored in plaintext.")
+        utility::string_t password() const
     {
 #if defined(_MS_WINDOWS) && !defined(__cplusplus_winrt)
-        return m_password.decrypt();
+        return utility::string_t(*m_password.decrypt());
 #else
         return m_password;
 #endif
@@ -97,6 +110,15 @@ class credentials
     bool is_set() const { return !m_username.empty(); }
 
 private:
+    friend class http::client::details::winhttp_client;
+
+#if defined(_MS_WINDOWS) && !defined(__cplusplus_winrt)
+    details::password_string decrypt() const
+    {
+        return m_password.decrypt();
+    }
+#endif
+
     ::utility::string_t m_username;
 #if defined(_MS_WINDOWS) && !defined(__cplusplus_winrt)
     ::web::details::win32_encryption m_password;

Release/src/http/client/http_win7.cpp

@@ -923,12 +923,13 @@ class winhttp_client : public _http_client_communicator
             {
                 return false;
             }
+            auto password = cred.decrypt();
             if (!WinHttpSetCredentials(
                 hRequestHandle,
                 dwAuthTarget,
                 dwSelectedScheme,
                 cred.username().c_str(),
-                cred.password().c_str(),
+                password->c_str(),
                 nullptr))
             {
                 return false;

Release/src/utilities/web_utilities.cpp

@@ -36,6 +36,12 @@ namespace web
 namespace details
 {
 #if defined(_MS_WINDOWS) && !defined(__cplusplus_winrt)
+void zero_memory_deleter::operator()(::utility::string_t *data) const
+{
+    SecureZeroMemory(reinterpret_cast<void *>(const_cast<::utility::string_t::value_type *>(data->data())), data->size());
+    delete data;
+}
+
 win32_encryption::win32_encryption(const std::wstring &data) :
     m_numCharacters(data.size())
 {
@@ -60,19 +66,19 @@ win32_encryption::~win32_encryption()
     SecureZeroMemory(m_buffer.data(), m_buffer.size());
 }
 
-std::wstring win32_encryption::decrypt() const
+password_string win32_encryption::decrypt() const
 {
     // Copy the buffer and decrypt to avoid having to re-encrypt.
-    std::wstring data(reinterpret_cast<const std::wstring::value_type *>(m_buffer.data()), m_buffer.size() / 2);
+    auto data = password_string(new std::wstring(reinterpret_cast<const std::wstring::value_type *>(m_buffer.data()), m_buffer.size() / 2));
     if (!CryptUnprotectMemory(
-        reinterpret_cast<void *>(const_cast<std::wstring::value_type *>(data.c_str())),
+        reinterpret_cast<void *>(const_cast<std::wstring::value_type *>(data->c_str())),
         m_buffer.size(),
         CRYPTPROTECTMEMORY_SAME_PROCESS))
     {
         throw ::utility::details::create_system_error(GetLastError());
     }
-    data.resize(m_numCharacters);
-    return data;
+    data->resize(m_numCharacters);
+    return std::move(data);
 }
 #endif
 }