From patchwork Sat Dec 30 14:38:17 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3536
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 30 Dec 2023 15:38:17 +0100
Message-ID: <20231230143817.4880-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.41.0
Subject: [Openvpn-devel] [PATCH v3] configure: allow to disable NTLM

From: Frank Lichtenheld

Since we want to get rid of it, might be useful to allow users to remove
the support completely.

Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/378 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/config.h.cmake.in b/config.h.cmake.in index baf9556..3348f93 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -35,6 +35,9 @@ /* Enable LZO compression library */ #cmakedefine ENABLE_LZO +/* Enable NTLMv2 proxy support */ +#define ENABLE_NTLM 1 + /* Enable management server capability */ #define ENABLE_MANAGEMENT 1 diff --git a/configure.ac b/configure.ac index 54f79ab..29d55e7 100644 --- a/configure.ac +++ b/configure.ac @@ -109,6 +109,13 @@ ) AC_ARG_ENABLE( + [ntlm], + [AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])], + , + [enable_ntlm="yes"] +) + +AC_ARG_ENABLE( [plugins], [AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])], , @@ -1316,6 +1323,7 @@ test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support]) test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing]) +test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) if test "${have_export_keying_material}" = "yes"; then AC_DEFINE( diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2594b66..f692532 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -6762,8 +6762,7 @@ if (p[3]) { /* auto -- try to figure out proxy addr, port, and type automatically */ - /* semiauto -- given proxy addr:port, try to figure out type automatically */ - /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ + /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ if (streq(p[3], "auto")) { ho->auth_retry = PAR_ALL; diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 76e27cb..3b6f7df 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -638,8 +638,6 @@ { struct gc_arena gc = gc_new(); char buf[512]; - char buf2[129]; - char get[80]; int status; int nparms; bool ret = false; @@ -758,6 +756,7 @@ { #if NTLM /* look for the phase 2 response */ + char buf2[129]; while (true) { @@ -768,7 +767,8 @@ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); - openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1); + char get[80]; + openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 7181b94..a021c91 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -472,7 +472,9 @@ /* * Should we include NTLM proxy functionality */ +#ifdef ENABLE_NTLM #define NTLM 1 +#endif /* * Should we include proxy digest auth functionality
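
Review bot: in config.h.cmake.in the new ENABLE_NTLM is a plain "#define ENABLE_NTLM 1", unlike the "#cmakedefine ENABLE_LZO" just above it, so a CMake build cannot turn NTLM off and only the autoconf path gets the new --disable-ntlm switch. If the goal is to let users remove the support completely, consider "#cmakedefine ENABLE_NTLM" backed by a CMake option, or state in the commit message that the CMake build intentionally stays always-on.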
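
Review bot: the options.c hunk only rewrites comments (it drops the "semiauto" lines and renames "(auto|semiauto)-nct" to "auto-nct"), which is unrelated to making NTLM optional and is not mentioned in the commit message. Please either split it out or add a line about it to the message. Since no visible hunk changes option parsing itself, it is also worth confirming that a configuration requesting NTLM proxy auth on a --disable-ntlm build fails with a clear error instead of falling through to another auth method.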
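
Review bot: in the proxy.c hunk at @@ -768, the context line "buf2[128] = 0;" still hard-codes the last index while the sscanf width on the line above it is now derived from sizeof(buf2). With the declaration moved into the #if NTLM block, "buf2[sizeof(buf2) - 1] = 0;" would keep the two in step if the buffer size ever changes. The switch from "%d" with an (int) cast to "%zu" is type-correct for sizeof, but it relies on every supported C runtime handling the "z" length modifier in openvpn_snprintf; if one does not, the generated sscanf format would be wrong, so please confirm that for the Windows toolchains.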
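
Review bot: in syshead.h, NTLM is now left undefined when ENABLE_NTLM is not set, but proxy.c tests it with "#if NTLM" (visible in the @@ -758 hunk). That evaluates to 0 and compiles, yet it triggers -Wundef and keeps two macros for one feature. Consider adding an "#else" branch that defines NTLM as 0, or dropping the indirection and testing "#ifdef ENABLE_NTLM" at the use sites.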