From 1da3496abce6c4380651fdf79c1d599750964ef2 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Sat, 30 Dec 2023 15:38:17 +0100
Subject: [PATCH] configure: allow to disable NTLM
Since we want to get rid of it, might be useful to allow users to remove the support completely.
Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20231230143817.4880-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27863.html
Signed-off-by: Gert Doering
---
 config.h.cmake.in | 3 +++
 configure.ac | 8 ++++++++
 src/openvpn/options.c | 3 +--
 src/openvpn/proxy.c | 6 +++---
 src/openvpn/syshead.h | 2 ++
 5 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/config.h.cmake.in b/config.h.cmake.in
index 6c846f25a..2cdfdcc3a 100644
--- a/config.h.cmake.in
+++ b/config.h.cmake.in
@@ -35,6 +35,9 @@
 /* Enable LZO compression library */
 #cmakedefine ENABLE_LZO
+/* Enable NTLMv2 proxy support */
+#define ENABLE_NTLM 1
+
 /* Enable management server capability */
 #define ENABLE_MANAGEMENT 1
diff --git a/configure.ac b/configure.ac
index 2823f0497..22ed44806 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,6 +94,13 @@ AC_ARG_ENABLE(
 [enable_x509_alt_username="no"]
 )
+AC_ARG_ENABLE(
+ [ntlm],
+ [AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])],
+ ,
+ [enable_ntlm="yes"]
+)
+
 AC_ARG_ENABLE(
 [plugins],
 [AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])],
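Review bot: In config.h.cmake.in the new `#define ENABLE_NTLM 1` is unconditional, so a CMake build has no way to compile NTLM out, while the autoconf build gains `--disable-ntlm`. Since the stated goal is to let users remove the legacy proxy authentication code completely, this line would be `#cmakedefine ENABLE_NTLM`, backed by a CMake option that defaults to on; the CMakeLists.txt side is not part of this patch, so that half is inferred. If the asymmetry is intended for now, a comment such as `/* always enabled in CMake builds; autoconf has --disable-ntlm */` would make it explicit.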
@@ -1302,6 +1309,7 @@ test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller
 test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
 test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
+test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support])
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
 if test "${have_export_keying_material}" = "yes"; then
 AC_DEFINE(
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1521872d5..4c00353aa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6755,8 +6755,7 @@ add_option(struct options *options,
 if (p[3])
 {
 /* auto -- try to figure out proxy addr, port, and type automatically */
- /* semiauto -- given proxy addr:port, try to figure out type automatically */
- /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
+ /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
 if (streq(p[3], "auto"))
 {
 ho->auth_retry = PAR_ALL;
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 76e27cb4a..3b6f7dfbd 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -638,8 +638,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
 struct gc_arena gc = gc_new();
 char buf[512];
- char buf2[129];
- char get[80];
 int status;
 int nparms;
 bool ret = false;
@@ -758,6 +756,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
 #if NTLM
 /* look for the phase 2 response */
+ char buf2[129];
 while (true)
 {
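Review bot: In proxy.c the block-local `char buf2[129];` added in the -758 hunk is sized by a bare literal, and the -768 hunk derives the sscanf width from `sizeof(buf2) - 1` but keeps the context line `buf2[128] = 0;` indexing by a second literal. This buffer receives text parsed from the proxy's response, so its bounds should come from one source; if the array were ever shrunk, the terminator write would become an out-of-bounds store. Writing `buf2[sizeof(buf2) - 1] = 0;` removes the coupling, and `char buf2[129] = { 0 };` would also give the buffer defined contents when sscanf matches nothing. How nparms and buf2 are used afterwards lies outside both hunks.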
@@ -768,7 +767,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 chomp(buf);
 msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
- openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1);
+ char get[80];
+ openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1);
 nparms = sscanf(buf, get, buf2);
 buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 7181b94d0..a021c91ea 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -472,7 +472,9 @@ socket_defined(const socket_descriptor_t sd)
 /*
 * Should we include NTLM proxy functionality
 */
+#ifdef ENABLE_NTLM
 #define NTLM 1
+#endif
 /*
 * Should we include proxy digest auth functionality
--
2.47.3
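Review bot: In syshead.h a build configured with `--disable-ntlm` now leaves NTLM undefined rather than defined as 0, while proxy.c tests it with `#if NTLM` (visible in the -758 hunk). The preprocessor treats the undefined name as 0, so this works, but it warns under `-Wundef` and would equally hide a misspelled macro. Adding `#else` and `#define NTLM 0` before the `#endif`, or testing `#ifdef ENABLE_NTLM` at the use sites, keeps the check explicit. The patch does not show what a build without NTLM does when the configuration or the proxy asks for NTLM authentication; that path should end in a clear error message, and it is worth confirming against the `#else` branch in proxy.c.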