configure: allow to disable NTLM

Since we want to get rid of it, might be useful to
allow users to remove the support completely.

Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231230143817.4880-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/config.h.cmake.in b/config.h.cmake.in
index 6c846f25a22dbb3ab4ff771352109c1d437ea268..2cdfdcc3a702e6228a91186e41e287b178915fcf 100644 (file)
--- a/config.h.cmake.in
+++ b/config.h.cmake.in
@@ -35,6 +35,9 @@
 /* Enable LZO compression library */
 #cmakedefine ENABLE_LZO
 
+/* Enable NTLMv2 proxy support */
+#define ENABLE_NTLM 1
+
 /* Enable management server capability */
 #define ENABLE_MANAGEMENT 1
 

diff --git a/configure.ac b/configure.ac
index 2823f0497e4ab90a74afe84bbaa766bb82d041a6..22ed448064c0a82cfb4c8c478935251a952e60f7 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -94,6 +94,13 @@ AC_ARG_ENABLE(
        [enable_x509_alt_username="no"]
 )
 
+AC_ARG_ENABLE(
+       [ntlm],
+       [AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])],
+       ,
+       [enable_ntlm="yes"]
+)
+
 AC_ARG_ENABLE(
        [plugins],
        [AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])],
@@ -1302,6 +1309,7 @@ test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller
 test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
 test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
 
+test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support])
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
 if test "${have_export_keying_material}" = "yes"; then
        AC_DEFINE(

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1521872d5f4d2754c31af3df20422cfbb4f3673b..4c00353aa1366cc6e243401e4363554ed66c43f1 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6755,8 +6755,7 @@ add_option(struct options *options,
         if (p[3])
         {
             /* auto -- try to figure out proxy addr, port, and type automatically */
-            /* semiauto -- given proxy addr:port, try to figure out type automatically */
-            /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
+            /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
             if (streq(p[3], "auto"))
             {
                 ho->auth_retry = PAR_ALL;

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 76e27cb4ac496b1873bd32955641aea97aaf97b1..3b6f7dfbdb47022a675f2eb27b7891a82521a6ac 100644 (file)
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -638,8 +638,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 {
     struct gc_arena gc = gc_new();
     char buf[512];
-    char buf2[129];
-    char get[80];
     int status;
     int nparms;
     bool ret = false;
@@ -758,6 +756,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
         {
 #if NTLM
             /* look for the phase 2 response */
+            char buf2[129];
 
             while (true)
             {
@@ -768,7 +767,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
                 chomp(buf);
                 msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
 
-                openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1);
+                char get[80];
+                openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1);
                 nparms = sscanf(buf, get, buf2);
                 buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */
 

diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 7181b94d0ae7c172ad81a5ddd790291a1672d36c..a021c91eaef4457e3703d83cd9ee0eab8cc3f471 100644 (file)
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -472,7 +472,9 @@ socket_defined(const socket_descriptor_t sd)
 /*
  * Should we include NTLM proxy functionality
  */
+#ifdef ENABLE_NTLM
 #define NTLM 1
+#endif
 
 /*
  * Should we include proxy digest auth functionality