Updating WinRT to encrypt passwords.

Author: stgates

Release/include/cpprest/web_utilities.h

@@ -49,14 +49,16 @@ class zero_memory_deleter
 public:
     _ASYNCRTIMP void operator()(::utility::string_t *data) const;
 };
-typedef std::unique_ptr<std::wstring, zero_memory_deleter> password_string;
+typedef std::unique_ptr<std::wstring, zero_memory_deleter> plaintext_string;
 #if defined(__cplusplus_winrt)
 class winrt_encryption
 {
 public:
     winrt_encryption() {}
     _ASYNCRTIMP winrt_encryption(const std::wstring &data);
-    _ASYNCRTIMP password_string decrypt() const;
+    _ASYNCRTIMP plaintext_string decrypt() const;
+private:
+    ::pplx::task<Windows::Storage::Streams::IBuffer ^> m_buffer;
 };
 #else
 class win32_encryption
@@ -65,7 +67,7 @@ class win32_encryption
     win32_encryption() {}
     _ASYNCRTIMP win32_encryption(const std::wstring &data);
     _ASYNCRTIMP ~win32_encryption();
-    _ASYNCRTIMP password_string decrypt() const;
+    _ASYNCRTIMP plaintext_string decrypt() const;
 private:
     std::vector<char> m_buffer;
     size_t m_numCharacters;
@@ -128,7 +130,7 @@ class credentials
     friend class experimental::websockets::client::details::winrt_client;
 
 #if defined(_MS_WINDOWS)
-    details::password_string decrypt() const
+    details::plaintext_string decrypt() const
     {
         return m_password.decrypt();
     }

Release/src/http/client/http_win8.cpp

@@ -395,30 +395,34 @@ class winrt_client : public _http_client_communicator
             return;
         }
 
-        // New scope to ensure plaintext password is cleared as soon as possible.
+        // New scope to ensure plain text password is cleared as soon as possible.
         {
             utility::string_t username, proxy_username;
-            ::web::details::password_string password, proxy_password;
+            const utility::char_t *password = nullptr;
+            const utility::char_t *proxy_password = nullptr;
+            ::web::details::plaintext_string password_plaintext, proxy_password_plaintext;
 
             if (client_cred.is_set())
             {
                 username = client_cred.username();
-                password = client_cred.decrypt();
+                password_plaintext = client_cred.decrypt();
+                password = password_plaintext->c_str();
             }
             if (proxy_cred.is_set())
             {
                 proxy_username = proxy_cred.username();
-                proxy_password = proxy_cred.decrypt();
+                proxy_password_plaintext = proxy_cred.decrypt();
+                proxy_password = proxy_password_plaintext->c_str();
             }
 
             hr = winrt_context->m_hRequest->Open(
                 msg.method().c_str(),
                 encoded_resource.c_str(),
                 Make<HttpRequestCallback>(winrt_context).Get(),
                 username.c_str(),
-                password->c_str(),
+                password,
                 proxy_username.c_str(),
-                proxy_password->c_str());
+                proxy_password);
         }
         if (FAILED(hr))
         {

Release/src/utilities/web_utilities.cpp

@@ -29,33 +29,76 @@
 #include <Wincrypt.h>
 #endif
 
+#if defined(__cplusplus_winrt)
+#include <robuffer.h>
+#endif
+
 #include "cpprest\web_utilities.h"
 
 namespace web
 {
 namespace details
 {
 #if defined(_MS_WINDOWS)
-void zero_memory_deleter::operator()(::utility::string_t *data) const
-{
 #if defined(__cplusplus_winrt)
-    SecureZeroMemory(reinterpret_cast<void *>(const_cast<::utility::string_t::value_type *>(data->data())), data->size());
-#else
-    // TODO
-#endif
-    delete data;
+
+// Helper function since SecureZeroMemory isn't available.
+void winrt_secure_zero_memory(_Out_writes_(count) void *buffer, _In_ size_t count)
+{
+    auto vptr = reinterpret_cast<volatile char *>(buffer);
+    while (count != 0)
+    {
+        *vptr = 0;
+        ++vptr;
+        --count;
+    }
+}
+void winrt_secure_zero_buffer(Windows::Storage::Streams::IBuffer ^buffer)
+{
+    Microsoft::WRL::ComPtr<IInspectable> bufferInspectable(reinterpret_cast<IInspectable *>(buffer));
+    Microsoft::WRL::ComPtr<Windows::Storage::Streams::IBufferByteAccess> bufferByteAccess;
+    bufferInspectable.As(&bufferByteAccess);
+    byte * rawBytes;
+    bufferByteAccess->Buffer(&rawBytes);
+    winrt_secure_zero_memory(rawBytes, buffer->Length);
 }
 
-#if defined(__cplusplus_winrt)
 winrt_encryption::winrt_encryption(const std::wstring &data)
 {
-    // TODO
+    auto provider = ref new Windows::Security::Cryptography::DataProtection::DataProtectionProvider(ref new Platform::String(L"Local=user"));
+
+    // Create buffer containing plain text password.
+    Platform::ArrayReference<unsigned char> arrayref(
+        reinterpret_cast<unsigned char *>(const_cast<std::wstring::value_type *>(data.c_str())),
+        data.size() * sizeof(std::wstring::value_type));
+    Windows::Storage::Streams::IBuffer ^plaintext = Windows::Security::Cryptography::CryptographicBuffer::CreateFromByteArray(arrayref);
+    m_buffer = pplx::create_task(provider->ProtectAsync(plaintext));
+    m_buffer.then([plaintext](pplx::task<Windows::Storage::Streams::IBuffer ^>)
+    {
+        winrt_secure_zero_buffer(plaintext);
+    });
 }
 
-password_string winrt_encryption::decrypt() const
+plaintext_string winrt_encryption::decrypt() const
 {
-    auto data = password_string(new std::wstring());
-    // TODO
+    // To fully guarantee asynchrony would require significant impact on existing code. This code path
+    // is never run on a user's thread and is only done once when setting up a connection.
+    auto encrypted = m_buffer.get();
+    auto provider = ref new Windows::Security::Cryptography::DataProtection::DataProtectionProvider();
+    auto plaintext = pplx::create_task(provider->UnprotectAsync(encrypted)).get();
+
+    // Get access to raw bytes in plain text buffer.
+    Microsoft::WRL::ComPtr<IInspectable> bufferInspectable(reinterpret_cast<IInspectable *>(plaintext));
+    Microsoft::WRL::ComPtr<Windows::Storage::Streams::IBufferByteAccess> bufferByteAccess;
+    bufferInspectable.As(&bufferByteAccess);
+    byte * rawPlaintext;
+    bufferByteAccess->Buffer(&rawPlaintext);
+
+    // Construct string and zero out memory from plain text buffer.
+    auto data = plaintext_string(new std::wstring(
+        reinterpret_cast<const std::wstring::value_type *>(rawPlaintext),
+        plaintext->Length / 2));
+    winrt_secure_zero_memory(rawPlaintext, plaintext->Length);
     return std::move(data);
 }
 #else
@@ -72,7 +115,7 @@ win32_encryption::win32_encryption(const std::wstring &data) :
     {
         m_buffer.resize(m_buffer.size() + CRYPTPROTECTMEMORY_BLOCK_SIZE - mod);
     }
-    if (!CryptProtectMemory(reinterpret_cast<void *>(m_buffer.data()), m_buffer.size(), CRYPTPROTECTMEMORY_SAME_PROCESS))
+    if (!CryptProtectMemory(m_buffer.data(), m_buffer.size(), CRYPTPROTECTMEMORY_SAME_PROCESS))
     {
         throw ::utility::details::create_system_error(GetLastError());
     }
@@ -83,12 +126,12 @@ win32_encryption::~win32_encryption()
     SecureZeroMemory(m_buffer.data(), m_buffer.size());
 }
 
-password_string win32_encryption::decrypt() const
+plaintext_string win32_encryption::decrypt() const
 {
     // Copy the buffer and decrypt to avoid having to re-encrypt.
-    auto data = password_string(new std::wstring(reinterpret_cast<const std::wstring::value_type *>(m_buffer.data()), m_buffer.size() / 2));
+    auto data = plaintext_string(new std::wstring(reinterpret_cast<const std::wstring::value_type *>(m_buffer.data()), m_buffer.size() / 2));
     if (!CryptUnprotectMemory(
-        reinterpret_cast<void *>(const_cast<std::wstring::value_type *>(data->c_str())),
+        const_cast<std::wstring::value_type *>(data->c_str()),
         m_buffer.size(),
         CRYPTPROTECTMEMORY_SAME_PROCESS))
     {
@@ -98,6 +141,19 @@ password_string win32_encryption::decrypt() const
     return std::move(data);
 }
 #endif
+
+void zero_memory_deleter::operator()(::utility::string_t *data) const
+{
+#if defined(__cplusplus_winrt)
+    winrt_secure_zero_memory(
+#else
+    SecureZeroMemory(
+#endif
+        const_cast<::utility::string_t::value_type *>(data->data()),
+        data->size() * sizeof(::utility::string_t::value_type));
+    delete data;
+}
+
 #endif
 }