NTLM: when NTLMv1 is requested, try NTLMv2 instead

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed support for NTLMv1 authentication. This adjusts the behavior for existing configurations that specify "ntlm" keyword. Do not error out hard, instead just try to upgrade. This should work fine in many cases and will avoid breaking user configs unnecessarily on upgrade. In addition it fixes an issue with the mentioned patch where "auto" wasn't working correctly for NTLM anymore. Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20240118151242.12169-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid&q=20240118151242.12169-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
author: Frank Lichtenheld 2024-01-18 16:12:42 +0100
committer: Gert Doering 2024-01-18 18:07:06 +0100
commit: b541a86948d7e9866b33e876fcf070fad00b3dce (patch)
tree: 7640f91e29d5f681088d5d52446a3921cd54c91a
parent: d3f84afedd33734416704d5d92e8d3ac639ef491 (diff)
download: openvpn-b541a86948d7e9866b33e876fcf070fad00b3dce.zip
openvpn-b541a86948d7e9866b33e876fcf070fad00b3dce.tar.gz
3 files changed, 18 insertions, 7 deletions
diff --git a/Changes.rst b/Changes.rst
index 69c811d..58cb3db 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -12,8 +12,13 @@ Deprecated features
     ``--allow-deprecated-insecure-static-crypto`` but will be removed in
     OpenVPN 2.8.
 
-NTLMv1 support has been removed because it is completely insecure.
-    NTLMv2 support is still available, but will removed in a future release.
+NTLMv1 authentication support for HTTP proxies has been removed.
+    This is considered an insecure method of authentication that uses
+    obsolete crypto algorithms.
+    NTLMv2 support is still available, but will be removed in a future
+    release.
+    When configured to authenticate with NTLMv1 (``ntlm`` keyword in
+    ``--http-proxy``) OpenVPN will try NTLMv2 instead.
 
 
 Overview of changes in 2.6
diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst
index ad49c60..38c4578 100644
--- a/doc/man-sections/proxy-options.rst
+++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@
      </http-proxy-user-pass>
 
   Note that support for NTLMv1 proxies was removed with OpenVPN 2.7.
+  :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always
+  attempt to use NTLMv2 authentication.
 
 --http-proxy-user-pass userpass
   Overwrite the username/password information for ``--http-proxy``. If specified
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index e081532..2e8d7a8 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -497,7 +497,7 @@ http_proxy_new(const struct http_proxy_options *o)
         msg(M_FATAL, "HTTP_PROXY: server not specified");
     }
 
-    ASSERT( o->port);
+    ASSERT(o->port);
 
     ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
     p->options = *o;
@@ -517,7 +517,8 @@ http_proxy_new(const struct http_proxy_options *o)
 #if NTLM
         else if (!strcmp(o->auth_method_string, "ntlm"))
         {
-            msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, you can use NTLM v2 by selecting ntlm2 but it is deprecated as well.");
+            msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication.");
+            p->auth_method = HTTP_AUTH_NTLM2;
         }
         else if (!strcmp(o->auth_method_string, "ntlm2"))
         {
@@ -531,7 +532,9 @@ http_proxy_new(const struct http_proxy_options *o)
         }
     }
 
-    /* only basic and NTLM/NTLMv2 authentication supported so far */
+    /* When basic or NTLMv2 authentication is requested, get credentials now.
+     * In case of "auto" negotiation credentials will be retrieved later once
+     * we know whether we need any. */
     if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
     {
         get_user_pass_http(p, true);
@@ -644,7 +647,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
 
     /* get user/pass if not previously given */
     if (p->auth_method == HTTP_AUTH_BASIC
-        || p->auth_method == HTTP_AUTH_DIGEST)
+        || p->auth_method == HTTP_AUTH_DIGEST
+        || p->auth_method == HTTP_AUTH_NTLM2)
     {
         get_user_pass_http(p, false);
     }
@@ -748,7 +752,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
         {
             processed = true;
         }
-        else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */
+        else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for NTLM */
         {
 #if NTLM
             /* look for the phase 2 response */
author	Frank Lichtenheld	2024-01-18 16:12:42 +0100
committer	Gert Doering	2024-01-18 18:07:06 +0100
commit	b541a86948d7e9866b33e876fcf070fad00b3dce (patch)
tree	7640f91e29d5f681088d5d52446a3921cd54c91a
parent	d3f84afedd33734416704d5d92e8d3ac639ef491 (diff)
download	openvpn-b541a86948d7e9866b33e876fcf070fad00b3dce.zip openvpn-b541a86948d7e9866b33e876fcf070fad00b3dce.tar.gz