[Openvpn-devel,v3] configure: allow to disable NTLM

Message ID 20231230143817.4880-1-gert@greenie.muc.de
State Accepted
Series [Openvpn-devel,v3] configure: allow to disable NTLM

Commit Message

Gert Doering Dec. 30, 2023, 2:38 p.m. UTC
From: Frank Lichtenheld <frank@lichtenheld.com>

Since we want to get rid of it, might be useful to
allow users to remove the support completely.

Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/378
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Comments

Gert Doering Dec. 30, 2023, 3:22 p.m. UTC | #1
Lightly tested (one build with and without --disable-ntlm, compare 
resulting strings in binary).  No surprises there, since this code was
already conditionalized, just not exposed to configure.

Your patch has been applied to the master branch.

commit 1da3496abce6c4380651fdf79c1d599750964ef2 (master)
Author: Frank Lichtenheld
Date:   Sat Dec 30 15:38:17 2023 +0100

     configure: allow to disable NTLM

     Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
     Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
     Message-Id: <20231230143817.4880-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27863.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/config.h.cmake.in b/config.h.cmake.in
index baf9556..3348f93 100644
--- a/config.h.cmake.in
+++ b/config.h.cmake.in
@@ -35,6 +35,9 @@ 
 /* Enable LZO compression library */
 #cmakedefine ENABLE_LZO
 
+/* Enable NTLMv2 proxy support */
+#define ENABLE_NTLM 1
+
 /* Enable management server capability */
 #define ENABLE_MANAGEMENT 1
 
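Review bot: `#define ENABLE_NTLM 1` in config.h.cmake.in is unconditional, so a CMake build has no way to turn NTLM off while the autoconf build gains --disable-ntlm. The ENABLE_LZO entry just above uses `#cmakedefine`; doing the same here, backed by a CMake option that defaults to on, would keep the two build systems in step. If CMake is meant to stay always-on, a short comment next to the define saying so would help.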
diff --git a/configure.ac b/configure.ac
index 54f79ab..29d55e7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -109,6 +109,13 @@ 
 )
 
 AC_ARG_ENABLE(
+	[ntlm],
+	[AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])],
+	,
+	[enable_ntlm="yes"]
+)
+
+AC_ARG_ENABLE(
 	[plugins],
 	[AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])],
 	,
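Review bot: the new `[ntlm]` AC_ARG_ENABLE block is documented only by its help string, and the patch touches no release notes or install documentation. Since the commit message says the goal is to get rid of NTLM, consider marking it as deprecated in the help text and adding a release-note line so packagers learn that --disable-ntlm exists.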
@@ -1316,6 +1323,7 @@ 
 test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
 test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
 
+test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support])
 test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
 if test "${have_export_keying_material}" = "yes"; then
 	AC_DEFINE(
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2594b66..f692532 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6762,8 +6762,7 @@ 
         if (p[3])
         {
             /* auto -- try to figure out proxy addr, port, and type automatically */
-            /* semiauto -- given proxy addr:port, try to figure out type automatically */
-            /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
+            /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
             if (streq(p[3], "auto"))
             {
                 ho->auth_retry = PAR_ALL;
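Review bot: the comment edit in options.c that drops the `semiauto` lines is unrelated to the configure switch and is not mentioned in the commit message. Either split it into its own cleanup commit or add a sentence explaining it, and confirm that no remaining branch below still accepts `semiauto` or `semiauto-nct`, since only the `auto` comparison is visible here.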
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 76e27cb..3b6f7df 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -638,8 +638,6 @@ 
 {
     struct gc_arena gc = gc_new();
     char buf[512];
-    char buf2[129];
-    char get[80];
     int status;
     int nparms;
     bool ret = false;
@@ -758,6 +756,7 @@ 
         {
 #if NTLM
             /* look for the phase 2 response */
+            char buf2[129];
 
             while (true)
             {
@@ -768,7 +767,8 @@ 
                 chomp(buf);
                 msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
 
-                openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1);
+                char get[80];
+                openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1);
                 nparms = sscanf(buf, get, buf2);
                 buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */
 
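Review bot: `buf2[128] = 0` after the sscanf still hardcodes the index, while the format width is now derived from `sizeof(buf2) - 1`. Writing `buf2[sizeof(buf2) - 1] = 0` would keep the two from drifting apart if the buffer is ever resized. In the visible lines the terminator is also written before nparms is checked, and buf2 is declared without an initializer, so if sscanf matches nothing only the last byte is defined; initializing buf2 at its declaration would make that case safe.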
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 7181b94..a021c91 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -472,7 +472,9 @@ 
 /*
  * Should we include NTLM proxy functionality
  */
+#ifdef ENABLE_NTLM
 #define NTLM 1
+#endif
 
 /*
  * Should we include proxy digest auth functionality
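Review bot: with the new `#ifdef ENABLE_NTLM` guard in syshead.h, NTLM is left undefined rather than set to 0 when the feature is disabled, yet proxy.c still tests it with `#if NTLM`. That works because an undefined identifier evaluates to 0 in `#if`, but it warns under -Wundef and keeps two macros for one switch. Consider testing ENABLE_NTLM directly at the use sites and dropping the intermediate NTLM define, or adding `#else` with `#define NTLM 0`.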