I'm using the Windows credentials store like this:
PCREDENTIAL cred = nullptr;
if (CredRead(entryName, 1, 0, &cred) != TRUE || !cred)
return -1;
// ... code which handles cred.UserName and cred.CredentialBlob
CredFree(cred);
As you can see I free the buffer as required. However, I see that the LPBYTE pointer CredentialBlob is still valid an still contains the password in memory. Do I have to SecureZeroMemory it manually and who owns the buffer? I found no other source code which does that...
I haven't found anything, https://msdn.microsoft.com/library/aa919793.aspx contains just the following generic statement:
Clear credential data from memory after use
Do not leave credentials in memory after use. Clear all credential data from temporary storage after use by calling SecureZeroMemory.
You own the buffer. The documentation states:
Any pointers contained within the buffer are pointers to locations within this single allocated block.
In an ideal world, CredFree would zero the entire block before freeing it, and it might be worth submitting a suggestion to Microsoft to this effect, but as things stand, your best bet is probably to do the following before calling CredFree:
SecureZeroMemory (cred->CredentialBlob, cred->CredentialBlobSize);