diff --git a/lib/EAPBase/src/Credentials.cpp b/lib/EAPBase/src/Credentials.cpp index 11098a8..9e71ca7 100644 --- a/lib/EAPBase/src/Credentials.cpp +++ b/lib/EAPBase/src/Credentials.cpp @@ -215,7 +215,6 @@ bool eap::credentials_pass::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR ** { assert(pszTargetName); assert(ppEapError); - string password_enc; // Prepare cryptographics provider. crypt_prov cp; @@ -225,26 +224,25 @@ bool eap::credentials_pass::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR ** } // Encrypt password. - vector password; - if (!m_module.encrypt_md5(cp, m_password, password, ppEapError)) + vector cred_int; + if (!m_module.encrypt(cp, m_password, cred_int, ppEapError)) return false; - // Convert encrypted password to Base64, since CredProtectA() fail for binary strings. - string password_base64; - base64_enc enc; - enc.encode(password_base64, password.data(), password.size()); - // Encrypt the password using user's key. - CRED_PROTECTION_TYPE cpt; - if (!CredProtectA(TRUE, password_base64.c_str(), (DWORD)password_base64.length(), password_enc, &cpt)) { - *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CredProtect failed."), NULL); + DATA_BLOB cred_blob = { + (DWORD)cred_int.size(), + (LPBYTE)cred_int.data() + }; + data_blob cred_enc; + if (!CryptProtectData(&cred_blob, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &cred_enc)) { + *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptProtectData failed."), NULL); return false; } tstring target(target_name(pszTargetName)); // Write credentials. - assert(password_enc.size() < CRED_MAX_CREDENTIAL_BLOB_SIZE); + assert(cred_enc.cbData < CRED_MAX_CREDENTIAL_BLOB_SIZE); assert(m_identity.length() < CRED_MAX_USERNAME_LENGTH ); CREDENTIAL cred = { 0, // Flags @@ -252,8 +250,8 @@ bool eap::credentials_pass::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR ** (LPTSTR)target.c_str(), // TargetName _T(""), // Comment { 0, 0 }, // LastWritten - (DWORD)password_enc.size(), // CredentialBlobSize - (LPBYTE)password_enc.data(),// CredentialBlob + cred_enc.cbData, // CredentialBlobSize + cred_enc.pbData, // CredentialBlob CRED_PERSIST_ENTERPRISE, // Persist 0, // AttributeCount NULL, // Attributes @@ -280,24 +278,17 @@ bool eap::credentials_pass::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR return false; } - if (cred->UserName) - m_identity = cred->UserName; - else - m_identity.clear(); - // Decrypt the password using user's key. - string password_base64; - if (!CredUnprotectA(TRUE, (LPCSTR)(cred->CredentialBlob), cred->CredentialBlobSize, password_base64)) { - *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CredUnprotect failed."), NULL); + DATA_BLOB cred_enc = { + cred->CredentialBlobSize, + cred->CredentialBlob + }; + data_blob cred_int; + if (!CryptUnprotectData(&cred_enc, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN | CRYPTPROTECT_VERIFY_PROTECTION, &cred_int)) { + *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptUnprotectData failed."), NULL); return false; } - // Convert Base64 to binary encrypted password, since CredProtectA() fail for binary strings. - vector password; - base64_dec dec; - bool is_last; - dec.decode(password, is_last, password_base64.c_str(), password_base64.length()); - // Prepare cryptographics provider. crypt_prov cp; if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { @@ -306,5 +297,13 @@ bool eap::credentials_pass::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR } // Decrypt password. - return m_module.decrypt_md5(cp, password.data(), password.size(), m_password, ppEapError); + if (!m_module.decrypt(cp, cred_int.pbData, cred_int.cbData, m_password, ppEapError)) + return false; + + if (cred->UserName) + m_identity = cred->UserName; + else + m_identity.clear(); + + return true; } diff --git a/lib/TLS/src/Credentials.cpp b/lib/TLS/src/Credentials.cpp index 8baf826..e065484 100644 --- a/lib/TLS/src/Credentials.cpp +++ b/lib/TLS/src/Credentials.cpp @@ -170,7 +170,6 @@ bool eap::credentials_tls::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **p { assert(pszTargetName); assert(ppEapError); - string cert_enc; // Prepare cryptographics provider. crypt_prov cp; @@ -180,26 +179,25 @@ bool eap::credentials_tls::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **p } // Encrypt certificate. - vector cert; - if (!m_module.encrypt_md5(cp, m_cert->pbCertEncoded, m_cert->cbCertEncoded, cert, ppEapError)) + vector cred_int; + if (!m_module.encrypt(cp, m_cert->pbCertEncoded, m_cert->cbCertEncoded, cred_int, ppEapError)) return false; - // Convert encrypted certificate to Base64, since CredProtectA() fail for binary strings. - string cert_base64; - base64_enc enc; - enc.encode(cert_base64, cert.data(), cert.size()); - // Encrypt the certificate using user's key. - CRED_PROTECTION_TYPE cpt; - if (!CredProtectA(TRUE, cert_base64.c_str(), (DWORD)cert_base64.length(), cert_enc, &cpt)) { - *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CredProtect failed."), NULL); + DATA_BLOB cred_blob = { + (DWORD)cred_int.size(), + (LPBYTE)cred_int.data() + }; + data_blob cred_enc; + if (!CryptProtectData(&cred_blob, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &cred_enc)) { + *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptProtectData failed."), NULL); return false; } tstring target(target_name(pszTargetName)); // Write credentials. - assert(cert_enc.size() < CRED_MAX_CREDENTIAL_BLOB_SIZE); + assert(cred_enc.cbData < CRED_MAX_CREDENTIAL_BLOB_SIZE); assert(m_identity.length() < CRED_MAX_USERNAME_LENGTH ); CREDENTIAL cred = { 0, // Flags @@ -207,8 +205,8 @@ bool eap::credentials_tls::store(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR **p (LPTSTR)target.c_str(), // TargetName _T(""), // Comment { 0, 0 }, // LastWritten - (DWORD)cert_enc.size(), // CredentialBlobSize - (LPBYTE)cert_enc.data(), // CredentialBlob + cred_enc.cbData, // CredentialBlobSize + cred_enc.pbData, // CredentialBlob CRED_PERSIST_ENTERPRISE, // Persist 0, // AttributeCount NULL, // Attributes @@ -236,18 +234,16 @@ bool eap::credentials_tls::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR } // Decrypt the certificate using user's key. - string cert_base64; - if (!CredUnprotectA(TRUE, (LPCSTR)(cred->CredentialBlob), cred->CredentialBlobSize, cert_base64)) { - *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CredUnprotect failed."), NULL); + DATA_BLOB cred_enc = { + cred->CredentialBlobSize, + cred->CredentialBlob + }; + data_blob cred_int; + if (!CryptUnprotectData(&cred_enc, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN | CRYPTPROTECT_VERIFY_PROTECTION, &cred_int)) { + *ppEapError = m_module.make_error(GetLastError(), 0, NULL, NULL, NULL, _T(__FUNCTION__) _T(" CryptUnprotectData failed."), NULL); return false; } - // Convert Base64 to binary encrypted certificate, since CredProtectA() fail for binary strings. - vector cert; - base64_dec dec; - bool is_last; - dec.decode(cert, is_last, cert_base64.c_str(), cert_base64.length()); - // Prepare cryptographics provider. crypt_prov cp; if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { @@ -257,7 +253,7 @@ bool eap::credentials_tls::retrieve(_In_ LPCTSTR pszTargetName, _Out_ EAP_ERROR // Decrypt certificate. vector > _cert; - if (!m_module.decrypt_md5(cp, cert.data(), cert.size(), _cert, ppEapError)) + if (!m_module.decrypt(cp, cred_int.pbData, cred_int.cbData, _cert, ppEapError)) return false; if (!m_cert.create(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, _cert.data(), (DWORD)_cert.size())) { diff --git a/lib/WinStd b/lib/WinStd index 5d47a19..4b6dbff 160000 --- a/lib/WinStd +++ b/lib/WinStd @@ -1 +1 @@ -Subproject commit 5d47a19972d64b7f537b675fcbf435759d9c95e5 +Subproject commit 4b6dbff918af43b623d3702d52c83d17a4c4a6da