On Wed, Aug 14, 2024 at 2:52 AM Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Tue, Aug 13, 2024 at 08:14:23PM -0400, Selva Nair wrote:
> > Nonetheless, on Windows, we could easily add CryptProtectMemory() with
> > SAME_PROCESS access for good measure, especially for those who cannot use
> > "--auth-nocache". That will also add some protection to proxy passwords
> > which are always cached for some reason.
>
> Would you be willing to send something?
>

Will try. Doesn't look as easy as I first thought, but still doable.

>
> (proxy auth caching has been reworked in commit 3cfd6f961d5c92bec2, and
> Frank / Gianmarco claim it is behaving better now - that is, caching if
> allowed, and not caching if --auth-nocache is in effect. I have not
> tested all possible variants myself)
>

As far as I can see, the long-term storage buffer (one that persists the
password across restarts) is cleared if nocache is in effect. A local copy is
still retained for a long while in establish_proxy_pass_through() as p->up and
never properly cleared. Also, there are some buffers into which the password is
copied for auth, and not wiped clean after use.

Not hard to fix, but I do not have a proxy setup to test.

Selva
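
Added example (not OpenVPN code and not from this thread): a sketch in C of the two measures discussed above, keeping the cached password encrypted with CryptProtectMemory() using the SAME_PROCESS flag, and wiping the copy made for auth after use. The struct and function names are hypothetical, the password is constructed, and the DPAPI calls compile only on Windows; elsewhere the cache stays in cleartext and only the wiping is exercised.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>  /* CryptProtectMemory(); link with crypt32 */
#endif
#define PW_BUF 128     /* must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE (16) */
struct cached_pw { char buf[PW_BUF]; int sealed; };  /* hypothetical cache slot */

/* Zero through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *p, size_t n)
{
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Encrypt or decrypt the cached copy in place; off Windows only the flag changes. */
static int pw_seal(struct cached_pw *c, int seal)
{
#ifdef _WIN32
    BOOL ok = seal ? CryptProtectMemory(c->buf, PW_BUF, CRYPTPROTECTMEMORY_SAME_PROCESS)
                   : CryptUnprotectMemory(c->buf, PW_BUF, CRYPTPROTECTMEMORY_SAME_PROCESS);
    if (!ok) return -1;
#endif
    c->sealed = seal;
    return 0;
}

/* Store a password zero-padded to the full buffer, then seal it. */
static int pw_store(struct cached_pw *c, const char *pw)
{
    size_t n = strlen(pw);
    if (n >= PW_BUF) return -1;
    secure_wipe(c->buf, PW_BUF);
    memcpy(c->buf, pw, n);
    return pw_seal(c, 1);
}

/* Copy cleartext into caller-owned scratch for auth(), then wipe that copy. */
static int pw_use(struct cached_pw *c, char *scratch, size_t len, int (*auth)(const char *))
{
    if (len < PW_BUF || !c->sealed || pw_seal(c, 0) != 0) return -1;
    memcpy(scratch, c->buf, PW_BUF);
    int resealed = pw_seal(c, 1);   /* cleartext window in the cache ends here */
    int rc = auth(scratch);
    secure_wipe(scratch, len);      /* the copy made for auth does not outlive it */
    return resealed != 0 ? -1 : rc;
}

static int demo_auth(const char *pw) { return strcmp(pw, "constructed-pw") == 0; }
int main(void)
{
    struct cached_pw c; char s[PW_BUF];
    return !(pw_store(&c, "constructed-pw") == 0 && pw_use(&c, s, sizeof s, demo_auth) == 1);
}
```

The buffer is fixed at a multiple of 16 bytes because CryptProtectMemory() rejects sizes that are not a multiple of its block size.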