From patchwork Fri Nov 3 17:18:11 2023
X-Patchwork-Submitter: "its_Giaan (Code Review)"
X-Patchwork-Id: 3414
From: "flichtenheld (Code Review)"
Date: Fri, 3 Nov 2023 17:18:11 +0000
To: plaisthos
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
X-Gerrit-Change-Number: 378
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 7caa75928b38efbcc95d072fb367a22c8c55b903
Subject: [Openvpn-devel] [S] Change in openvpn[master]: configure: allow to disable NTLM
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Cc: openvpn-devel

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/378?usp=email

to review the following change.

Change subject: configure: allow to disable NTLM
......................................................................

configure: allow to disable NTLM

Since we want to get rid of it, might be useful to allow users to remove the support completely.

Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld
---
M config.h.cmake.in
M configure.ac
M src/openvpn/options.c
M src/openvpn/proxy.c
M src/openvpn/syshead.h
5 files changed, 17 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/378/1

diff --git a/config.h.cmake.in b/config.h.cmake.in index f2cdd39..6334d56 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -35,6 +35,9 @@ /* Enable LZO compression library */ #cmakedefine ENABLE_LZO +/* Enable NTLMv2 proxy support */ +#define ENABLE_NTLM 1 + /* Enable management server capability */ #define ENABLE_MANAGEMENT 1 diff --git a/configure.ac b/configure.ac index 7e5763d..56fcb4b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -109,6 +109,13 @@ ) AC_ARG_ENABLE( + [ntlm], + [AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])], + , + [enable_ntlm="yes"] +) + +AC_ARG_ENABLE( [plugins], [AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])], , @@ -1302,6 +1309,7 @@ test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support]) test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing]) +test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) if test "${have_export_keying_material}" = "yes"; then AC_DEFINE( diff --git a/src/openvpn/options.c b/src/openvpn/options.c index d238269..fbf54ef 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6760,8 +6760,7 @@ if (p[3]) { /* auto -- try to figure out proxy addr, port, and type automatically */ - /* semiauto -- given proxy addr:port, try to figure out type automatically */ - /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ + /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ if (streq(p[3], "auto")) { ho->auth_retry = PAR_ALL; diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 76e27cb..3b6f7df 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -638,8 +638,6 @@ { struct gc_arena gc = gc_new(); char buf[512]; - char buf2[129]; - char get[80]; int status; int nparms; bool ret = false; @@ -758,6 +756,7 @@ { #if NTLM /* look for the phase 2 response */ + char buf2[129]; while (true) { 
@@ -768,7 +767,8 @@ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); - openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1); + char get[80]; + openvpn_snprintf(get, sizeof(get), "%%*s NTLM %%%zus", sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 7181b94..a021c91 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -472,7 +472,9 @@ /* * Should we include NTLM proxy functionality */ +#ifdef ENABLE_NTLM #define NTLM 1 +#endif /* * Should we include proxy digest auth functionality
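
Review bot: in the config.h.cmake.in hunk, `#define ENABLE_NTLM 1` is unconditional, so a CMake build cannot turn NTLM off, while the configure.ac side of this change gains `--disable-ntlm`. If the goal is to let users remove the support completely, consider `#cmakedefine ENABLE_NTLM` driven by a CMake option, as is done for `ENABLE_LZO` just above; if always-on is intended for CMake (as with `ENABLE_MANAGEMENT` below), say so in the commit message.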
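
Review bot: the options.c hunk only rewrites the comment lines about `semiauto` and `(auto|semiauto)-nct`, which is unrelated to making NTLM optional and is not mentioned in the commit message. Split it into its own cleanup commit, or add a line to the message explaining why the comment changes here.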
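
Review bot: in the proxy.c hunk at -768, the context line `buf2[128] = 0;` still hard-codes the last index while the new format line derives the field width from `sizeof(buf2) - 1`. Now that the `char buf2[129]` declaration has moved into the `#if NTLM` block, write `buf2[sizeof(buf2) - 1] = 0;` so the terminator and the `sscanf` width cannot drift apart if the buffer size changes. The switch from `%%%ds` with an `(int)` cast to `%%%zus` is also unrelated to the configure option and deserves a mention in the commit message.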
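
Review bot: in the syshead.h hunk, a build with NTLM disabled leaves `NTLM` undefined, but proxy.c tests it with `#if NTLM` (visible in the -758 hunk). That evaluates to 0 but warns under -Wundef; either add an `#else` branch with `#define NTLM 0`, or drop the indirection and test `ENABLE_NTLM` with `#ifdef` at the use sites.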