Do not clear saved passwords on verification failure

After a failure the auth-pass dialog is shown with the password field prefilled but highlighted. This allows the user to easily overwrite the password or resubmit the old password if the failure was temporary. After a private key passphrase failure, the dialog is not prefilled with saved password as this failure happens locally and in such cases the password is very likely wrong. If the user aborts the dialog by pressing cancel, the saved password will get used during the next connection attempt. Wrong username or password warning text is changed to: "Wrong credentials". Signed-off-by: Selva Nair <selva.nair@gmail.com>
7 years ago · 14615356e5
2 changed files with 8 additions and 8 deletions
--- a/openvpn.c
+++ b/openvpn.c
@ -307,12 +307,6 @@ OnStateChange(connection_t *c, char *data)
                c->failed_auth_attempts++;
            else if (strcmp(message, "private-key-password-failure") == 0)
                c->failed_psw_attempts++;
-
-            if (strcmp(message, "auth-failure") == 0 && (c->flags & FLAG_SAVE_AUTH_PASS))
-                SaveAuthPass(c->config_name, L""); /* clear saved password */
-
-            else if (strcmp(message, "private-key-password-failure") == 0 && (c->flags & FLAG_SAVE_KEY_PASS))
-                SaveKeyPass(c->config_name, L"");  /* clear saved private key password */
        }

        c->state = reconnecting;
@ -461,6 +455,11 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
                UINT timeout = o.silent_connection ? 0 : 6; /* in seconds */
                AutoCloseSetup(hwndDlg, IDOK, timeout, ID_TXT_WARNING, IDS_NFO_AUTO_CONNECT);
            }
+            /* if auth failed, highlight password so that user can type over */
+            else if (param->c->failed_auth_attempts)
+            {
+                SendMessage(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS), EM_SETSEL, 0, MAKELONG(0,-1));
+            }
            SecureZeroMemory(password, sizeof(password));
        }
        if (param->c->flags & FLAG_DISABLE_SAVE_PASS)
@ -732,7 +731,8 @@ PrivKeyPassDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
        c = (connection_t *) lParam;
        SetProp(hwndDlg, cfgProp, (HANDLE) c);
        AppendTextToCaption (hwndDlg, c->config_name);
-        if (RecallKeyPass(c->config_name, passphrase) && wcslen(passphrase))
+        if (RecallKeyPass(c->config_name, passphrase) && wcslen(passphrase)
+            && c->failed_psw_attempts == 0)
        {
            /* Use the saved password and skip the dialog */
            SetDlgItemTextW(hwndDlg, ID_EDT_PASSPHRASE, passphrase);
--- a/res/openvpn-gui-res-en.rc
+++ b/res/openvpn-gui-res-en.rc
@ -469,7 +469,7 @@ BEGIN
    IDS_NFO_TOKEN_PASSWORD_CAPTION "OpenVPN - Token Password"
    IDS_NFO_TOKEN_PASSWORD_REQUEST "Input Password/PIN for Token '%S'"

-    IDS_NFO_AUTH_PASS_RETRY "Wrong username or password. Try again..."
+    IDS_NFO_AUTH_PASS_RETRY "Wrong credentials. Try again..."
    IDS_NFO_KEY_PASS_RETRY  "Wrong password. Try again..."
    IDS_ERR_INVALID_PASSWORD_INPUT "Invalid character in password"
    IDS_ERR_INVALID_USERNAME_INPUT "Invalid character in username"