From 982e1a43193e4c67fd58ed4895d1d35e6cb5ec58 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Sat, 1 Apr 2023 12:51:34 -0400
Subject: [PATCH] Password-reveal: Respect group policy setting, if any

- The policy setting is checked when GUI is started. Any change
  in policy will be effective only after restarting the GUI.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 misc.c     |  7 +++++++
 options.h  |  1 +
 registry.c | 15 +++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/misc.c b/misc.c
index 8fe7c9e..e9ff670 100644
--- a/misc.c
+++ b/misc.c
@@ -1096,6 +1096,13 @@ ResetPasswordReveal(HWND edit, HWND btn, WPARAM wParam)
     {
         return;
     }
+
+    if (o.disable_password_reveal)
+    {
+        ShowWindow(btn, SW_HIDE);
+        return;
+    }
+
     /* set the password field to be masked as a sane default */
     SendMessage(edit, EM_SETPASSWORDCHAR, (WPARAM)'*', 0);
     SendMessage(btn, STM_SETIMAGE, (WPARAM) IMAGE_ICON, (LPARAM)LoadLocalizedSmallIcon(ID_ICO_EYE));
diff --git a/options.h b/options.h
index 72757a6..d466f16 100644
--- a/options.h
+++ b/options.h
@@ -228,6 +228,7 @@ typedef struct {
     DWORD ovpn_engine;                  /* 0 - openvpn2, 1 - openvpn3 */
     DWORD enable_persistent;            /* 0 - disabled, 1 - enabled, 2 - enabled & auto attach */
     DWORD enable_auto_restart;          /* 0 - disabled, >0 enabled */
+    DWORD disable_password_reveal;      /* read from group policy */
 #ifdef DEBUG
     FILE *debug_fp;
 #endif
diff --git a/registry.c b/registry.c
index 88cb17b..94fce0e 100644
--- a/registry.c
+++ b/registry.c
@@ -212,6 +212,21 @@ GetRegistryKeys ()
         o.mgmt_port_offset = 25340;
     }
 
+    /* Read group policy setting for password reveal */
+    status = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Policies\\Microsoft\\Windows\\CredUI", 0, KEY_READ, &regkey);
+    if (status != ERROR_SUCCESS
+        || !GetRegistryValueNumeric(regkey, L"DisablePasswordReveal", &o.disable_password_reveal))
+    {
+        o.disable_password_reveal = 0;
+        PrintDebug(L"default: %ls = %lu", L"DisablePasswordReveal", o.disable_password_reveal);
+    }
+    else
+    {
+        PrintDebug(L"from policy: %ls = %lu", L"DisablePasswordReveal", o.disable_password_reveal);
+    }
+    if (status == ERROR_SUCCESS)
+        RegCloseKey(regkey);
+
     ExpandOptions ();
     return true;
 }