From: Philip Prindeville <[email protected]>
---
.gitlab-ci.yml | 4 +-
NEWS | 2 +
configure.ac | 41 +--
doc/wget.texi | 2 +-
fuzz/Makefile.am | 7 -
fuzz/wget_ntlm_fuzzer.c | 102 -------
msdos/Makefile.DJ | 2 +-
src/DESCRIP_DEPS.MMS | 17 --
src/DESCRIP_MODS.MMS | 1 -
src/Makefile.am | 4 -
src/build_info.c.in | 1 -
src/http-ntlm.c | 618 ----------------------------------------
src/http-ntlm.h | 53 ----
src/http.c | 82 +-----
vms/DESCRIP.MMS | 4 +-
vms/DESCRIP_SRC_CMN.MMS | 4 +-
vms/config.h_vms | 3 -
17 files changed, 22 insertions(+), 925 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index
c764e2dbf366f5d9b2f01eca2f8ec5eadaf28344..47d475e1b260533541217418d5b9ab8c8030ccb2
100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -63,7 +63,7 @@ Build-Tarball:
- mkdir vpath && cd vpath
- ../configure $CONFIGURE_BASE_FLAGS --cache-file
../cache/config.cache
--without-ssl --enable-ipv6 --without-zlib --without-libiconv-prefix
- --disable-iri --disable-ntlm --disable-pcre --without-libpsl
--without-libuuid
+ --disable-iri --disable-pcre --without-libpsl --without-libuuid
--without-libintl-prefix
- make -j$(nproc)
- make -j$(nproc) syntax-check
@@ -122,7 +122,7 @@ Minimal:
- cd wget-*/
- ./configure $CONFIGURE_BASE_FLAGS --cache-file ../cache/config.cache
--disable-nls --without-ssl --enable-ipv6 --without-zlib
--without-libiconv-prefix
- --disable-iri --disable-ntlm --disable-pcre --without-libpsl
--without-libuuid
+ --disable-iri --disable-pcre --without-libpsl --without-libuuid
--without-libintl-prefix
- make -j$(nproc) check-valgrind
except:
diff --git a/NEWS b/NEWS
index
28ebc27ff390fc75d629395e84ba0fa124d0a2e8..5d054ee1ec380bf154c39df38b7a9c71fe473c4b
100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ GNU Wget NEWS -- history of user-visible changes.
* Noteworthy changes in release ?.? (????-??-??) [?]
+* Drop NTLM as it's insecure and deprecated
+
* Noteworthy changes in release 1.25.0 (2024-11-10) [stable]
diff --git a/configure.ac b/configure.ac
index
5f6a7286ca8782d791a821c3c90872a9f8ae8646..99a81770a86971f2dadb26a207fb06b99202d60e
100644
--- a/configure.ac
+++ b/configure.ac
@@ -186,14 +186,6 @@ AS_IF([test "x$ENABLE_DIGEST" = xyes],
)
-dnl NTLM: Support for HTTP NTLM Authentication
-AC_ARG_ENABLE([ntlm],
- [AS_HELP_STRING([--disable-ntlm], [disable support for NTLM authorization])],
- [ENABLE_NTLM=$enableval],
- [ENABLE_NTLM=auto]
-)
-
-
dnl Debug: Support for printing debugging output
AC_ARG_ENABLE([debug],
[AS_HELP_STRING([--disable-debug], [disable support for debugging output])],
@@ -525,7 +517,7 @@ AS_IF([test x"$with_ssl" = xopenssl], [
ssl_library="openssl"
LIBS="$OPENSSL_LIBS $LIBS"
CFLAGS="$OPENSSL_CFLAGS -DHAVE_LIBSSL $CFLAGS"
- LIBSSL=" " # ntlm check below wants this
+ LIBSSL=""
AC_CHECK_FUNCS([RAND_egd])
AC_DEFINE([HAVE_LIBSSL], [1], [Define if using openssl.])
ssl_found=yes
@@ -625,37 +617,6 @@ AS_IF([test x"$with_ssl" = xopenssl], [
]) # endif: --with-ssl != no?
]) # endif: --with-ssl == openssl?
-dnl Enable NTLM if requested and if SSL is available.
-if test x"$ENABLE_NTLM" != xno
-then
- if test x"$LIBSSL" != x || test "$ac_cv_lib_ssl32_SSL_connect" = yes
- then
- ENABLE_NTLM=yes
- AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization
support compiled in.])
- else
- PKG_CHECK_MODULES([NETTLE], nettle, [
- HAVE_NETTLE=yes
- LIBS="$NETTLE_LIBS $LIBS"
- CFLAGS="$NETTLE_CFLAGS $CFLAGS"
- ], [
- AC_CHECK_LIB(nettle, nettle_md4_init, [HAVE_NETTLE=yes],
[HAVE_NETTLE=no; AC_MSG_WARN(*** libnettle was not found. You will not be able
to use NTLM)])
- if test x"$HAVE_NETTLE" != xyes; then
- if test x"$ENABLE_NTLM" = xyes; then
- AC_MSG_ERROR([NTLM authorization requested and SSL not enabled;
aborting])
- fi
- else
- AC_SUBST(NETTLE_LIBS, "-lnettle")
- LIBS="$NETTLE_LIBS $LIBS"
- fi
- ])
-
- if test x"$HAVE_NETTLE" = xyes; then
- AC_DEFINE([HAVE_NETTLE], [1], [Use libnettle])
- ENABLE_NTLM=yes
- AC_DEFINE([ENABLE_NTLM], 1, [Define if you want the NTLM authorization
support compiled in.])
- fi
- fi
-fi
dnl **********************************************************************
dnl Checks for IPv6
diff --git a/doc/wget.texi b/doc/wget.texi
index
0689c177b3ae0598b13b7a871ab764177086d5c5..576ba0d9d65047f98c97c02ac358b393ef44da98
100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1379,7 +1379,7 @@ that are not parsed by Wget.
Specify the username @var{user} and password @var{password} on an
@sc{http} server. According to the type of the challenge, Wget will
encode them using either the @code{basic} (insecure),
-the @code{digest}, or the Windows @code{NTLM} authentication scheme.
+or the @code{digest} authentication scheme.
Another way to specify username and password is in the @sc{url} itself
(@pxref{URL Format}). Either method reveals your password to anyone who
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index
84abfcc911ab740ea309b4f5fffb34241bd096bb..3796b941c5f0e0043d4673efea96ad20917ab889
100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -39,10 +39,6 @@ WGET_TESTS = \
EXTRA_DIST = test-runner.sh
-if WITH_NTLM
- WGET_TESTS += wget_ntlm_fuzzer$(EXEEXT)
-endif
-
if FUZZING
bin_PROGRAMS = $(WGET_TESTS)
LDADD += $(LIB_FUZZING_ENGINE)
@@ -77,9 +73,6 @@ wget_html_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
wget_netrc_fuzzer_SOURCES = wget_netrc_fuzzer.c $(MAIN)
wget_netrc_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
-wget_ntlm_fuzzer_SOURCES = wget_ntlm_fuzzer.c $(MAIN)
-wget_ntlm_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
-
wget_options_fuzzer_SOURCES = wget_options_fuzzer.c $(MAIN)
wget_options_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
diff --git a/fuzz/wget_ntlm_fuzzer.c b/fuzz/wget_ntlm_fuzzer.c
deleted file mode 100644
index
5f38a258545056b6ada3788d176b5a3bd0dbd84f..0000000000000000000000000000000000000000
--- a/fuzz/wget_ntlm_fuzzer.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 2017-2019, 2021-2024, 2026 Free Software Foundation,
- * Inc.
- *
- * This file is part of GNU Wget.
- *
- * GNU Wget is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GNU Wget is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with Wget. If not, see <https://www.gnu.org/licenses/>.
- */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <dirent.h> // opendir, readdir
-#include <stdint.h> // uint8_t
-#include <stdio.h> // fmemopen
-#include <string.h> // strncmp
-#include <stdlib.h> // free
-#include <fcntl.h> // open flags
-#include <unistd.h> // close
-#include <setjmp.h> // longjmp, setjmp
-#include <assert.h> // assert
-
-#include "wget.h"
-
-#undef fopen_wgetrc
-
-#ifdef __cplusplus
- extern "C" {
-#endif
- #include "http-ntlm.h"
-
- // declarations for wget internal functions
- int main_wget(int argc, const char **argv);
- void cleanup(void);
- FILE *fopen_wget(const char *pathname, const char *mode);
- FILE *fopen_wgetrc(const char *pathname, const char *mode);
- void exit_wget(int status);
-#ifdef __cplusplus
- }
-#endif
-
-#include "fuzzer.h"
-
-FILE *fopen_wget(const char *pathname, const char *mode)
-{
- (void) pathname;
- return fopen("/dev/null", mode);
-}
-
-FILE *fopen_wgetrc(const char *pathname, const char *mode)
-{
- (void) pathname;
- (void) mode;
- return NULL;
-}
-
-#ifdef FUZZING
-void exit_wget(int status)
-{
- (void) status;
-}
-#endif
-
-
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- if (size > 128) // same as max_len = ... in .options file
- return 0;
-
- // CLOSE_STDERR
-
- struct ntlmdata *ntlm = (struct ntlmdata *) calloc(1, sizeof(struct
ntlmdata));
- char *data0 = (char *) malloc(size + 4 + 1);
- bool ready;
-
- assert(ntlm && data0);
-
- memcpy(data0, "NTLM", 4);
- memcpy(data0 + 4, data, size);
- data0[size + 4] = 0;
-
- if (ntlm_input(ntlm, data0))
- free(ntlm_output(ntlm, data0 + 4, data0 + 4, &ready));
-
- free(data0);
- free(ntlm);
-
-// RESTORE_STDERR
-
- return 0;
-}
diff --git a/msdos/Makefile.DJ b/msdos/Makefile.DJ
index
5ae5fecbf6bfdeeee4b33df1835eedcefe209a4d..77924722f8b37f8a19d1fba01cbafc3e7354184e
100644
--- a/msdos/Makefile.DJ
+++ b/msdos/Makefile.DJ
@@ -34,7 +34,7 @@ ifeq ($(USE_OPENSSL),1)
CFLAGS += -DHAVE_OPENSSL -DHAVE_SSL -DOPENSSL_NO_KRB5 -I$(OPENSSL_ROOT)
EX_LIBS += $(OPENSSL_ROOT)/lib/libssl.a $(OPENSSL_ROOT)/lib/libcrypt.a \
$(ZLIB_ROOT)/libz.a
- SOURCES += openssl.c http-ntlm.c
+ SOURCES += openssl.c
endif
ifeq ($(USE_IPV6),1)
diff --git a/src/DESCRIP_DEPS.MMS b/src/DESCRIP_DEPS.MMS
index
30732b5c185a1dccd5085d3dd70ae890c8d86e8b..ebd4604cd6bd93bf2b466a786992ca9cb0fa1088
100644
--- a/src/DESCRIP_DEPS.MMS
+++ b/src/DESCRIP_DEPS.MMS
@@ -312,22 +312,6 @@ $$$$ THIS DESCRIPTION FILE IS NOT INTENDED TO BE USED THIS
WAY.
[.$(DEST)]HTML-URL.OBJ : [-.SRC]RECUR.H
[.$(DEST)]HTML-URL.OBJ : [-.SRC]HTML-URL.H
[.$(DEST)]HTML-URL.OBJ : [-.SRC]CSS-URL.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]HTTP-NTLM.C
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]WGET.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC.$(DEST)]CONFIG.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]SYSDEP.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.VMS]STDINT.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]GETTEXT.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.LIB]C-CTYPE.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]OPTIONS.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.VMS]ALLOCA.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.LIB]XALLOC.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]LOG.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.LIB]QUOTE.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.LIB]QUOTEARG.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]IRI.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]UTILS.H
-[.$(DEST)]HTTP-NTLM.OBJ : [-.SRC]HTTP-NTLM.H
[.$(DEST)]HTTP.OBJ : [-.SRC]HTTP.C
[.$(DEST)]HTTP.OBJ : [-.SRC]WGET.H
[.$(DEST)]HTTP.OBJ : [-.SRC.$(DEST)]CONFIG.H
@@ -352,7 +336,6 @@ $$$$ THIS DESCRIPTION FILE IS NOT INTENDED TO BE USED THIS
WAY.
[.$(DEST)]HTTP.OBJ : [-.SRC]CONNECT.H
[.$(DEST)]HTTP.OBJ : [-.SRC]NETRC.H
[.$(DEST)]HTTP.OBJ : [-.SRC]SSL.H
-[.$(DEST)]HTTP.OBJ : [-.SRC]HTTP-NTLM.H
[.$(DEST)]HTTP.OBJ : [-.SRC]COOKIES.H
[.$(DEST)]HTTP.OBJ : [-.SRC]GEN-MD5.H
[.$(DEST)]HTTP.OBJ : [-.SRC]CONVERT.H
diff --git a/src/DESCRIP_MODS.MMS b/src/DESCRIP_MODS.MMS
index
93a145c279ee3ccfeec1cc0149b08dec31b83de8..de1600947c0c46ce52cd295b0fa754655023becb
100644
--- a/src/DESCRIP_MODS.MMS
+++ b/src/DESCRIP_MODS.MMS
@@ -31,7 +31,6 @@ MODS_OBJS_LIB_SRC_NOSSL = \
HOST=[.$(DEST)]HOST.OBJ \
HTML-PARSE=[.$(DEST)]HTML-PARSE.OBJ \
HTML-URL=[.$(DEST)]HTML-URL.OBJ \
- HTTP-NTLM=[.$(DEST)]HTTP-NTLM.OBJ \
HTTP=[.$(DEST)]HTTP.OBJ \
INIT=[.$(DEST)]INIT.OBJ \
LOG=[.$(DEST)]LOG.OBJ \
diff --git a/src/Makefile.am b/src/Makefile.am
index
9fd7d9a00f77d2c79946ec29544bba66b2e424d8..9ee473619fb9d08e4c2950ce99d749b9f0290779
100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -70,10 +70,6 @@ if OS_MSWINDOWS
wget_SOURCES += mswindows.c mswindows.h
endif
-if WITH_NTLM
-wget_SOURCES += http-ntlm.c http-ntlm.h
-endif
-
if WITH_OPENSSL
wget_SOURCES += openssl.c
endif
diff --git a/src/build_info.c.in b/src/build_info.c.in
index
c7493e9cb22977ac7593ec9fde7ab31da3d804b7..d957be84ae6beb9cd4ba367e3feb7462fe657920
100644
--- a/src/build_info.c.in
+++ b/src/build_info.c.in
@@ -5,7 +5,6 @@ iri defined ENABLE_IRI
large-file SIZEOF_OFF_T >= 8 || defined WINDOWS
nls defined ENABLE_NLS
-ntlm defined ENABLE_NTLM
opie defined ENABLE_OPIE
psl defined HAVE_LIBPSL
cares defined HAVE_LIBCARES
diff --git a/src/http-ntlm.c b/src/http-ntlm.c
deleted file mode 100644
index
df9603b0da76c4a5e24c6f75031d7ade920fab45..0000000000000000000000000000000000000000
--- a/src/http-ntlm.c
+++ /dev/null
@@ -1,618 +0,0 @@
-/* NTLM code.
- Copyright (C) 2005-2011, 2015, 2018-2024, 2026 Free Software
- Foundation, Inc.
- Contributed by Daniel Stenberg.
-
-This file is part of GNU Wget.
-
-GNU Wget is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
-GNU Wget is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with Wget. If not, see <http://www.gnu.org/licenses/>.
-
-Additional permission under GNU GPL version 3 section 7
-
-If you modify this program, or any covered work, by linking or
-combining it with the OpenSSL project's OpenSSL library (or a
-modified version of that library), containing parts covered by the
-terms of the OpenSSL or SSLeay licenses, the Free Software Foundation
-grants you additional permission to convey the resulting work.
-Corresponding Source for a non-source form of such a combination
-shall include the source code for the parts of OpenSSL used as well
-as that of the covered work. */
-
-#include "wget.h"
-
-/* NTLM details:
-
- http://davenport.sourceforge.net/ntlm.html
- http://www.innovation.ch/java/ntlm.html
-
-*/
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "utils.h"
-#include "http-ntlm.h"
-
-#ifdef HAVE_NETTLE
-# include <nettle/md4.h>
-# include <nettle/des.h>
-#else
-# include <openssl/des.h>
-# include <openssl/md4.h>
-# include <openssl/opensslv.h>
-
-# if OPENSSL_VERSION_NUMBER < 0x00907001L
-# define DES_key_schedule des_key_schedule
-# define DES_cblock des_cblock
-# define DES_set_odd_parity des_set_odd_parity
-# define DES_set_key des_set_key
-# define DES_ecb_encrypt des_ecb_encrypt
-
-/* This is how things were done in the old days */
-# define DESKEY(x) x
-# define DESKEYARG(x) x
-# else
-/* Modern version */
-# define DESKEYARG(x) *x
-# define DESKEY(x) &x
-# endif
-
-#endif
-
-/* Define this to make the type-3 message include the NT response message */
-#define USE_NTRESPONSES 1
-
-
-/* Flag bits definitions available at on
- http://davenport.sourceforge.net/ntlm.html */
-
-#define NTLMFLAG_NEGOTIATE_OEM (1<<1)
-#define NTLMFLAG_NEGOTIATE_NTLM_KEY (1<<9)
-
-/*
- (*) = A "security buffer" is a triplet consisting of two shorts and one
- long:
-
- 1. a 'short' containing the length of the buffer in bytes
- 2. a 'short' containing the allocated space for the buffer in bytes
- 3. a 'long' containing the offset to the start of the buffer from the
- beginning of the NTLM message, in bytes.
-*/
-
-/* return true on success, false otherwise */
-bool
-ntlm_input (struct ntlmdata *ntlm, const char *header)
-{
- if (0 != strncmp (header, "NTLM", 4))
- return false;
-
- header += 4;
- while (*header && c_isspace(*header))
- header++;
-
- if (*header)
- {
- /* We got a type-2 message here:
-
- Index Description Content
- 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
- (0x4e544c4d53535000)
- 8 NTLM Message Type long (0x02000000)
- 12 Target Name security buffer(*)
- 20 Flags long
- 24 Challenge 8 bytes
- (32) Context (optional) 8 bytes (two consecutive longs)
- (40) Target Information (optional) security buffer(*)
- 32 (48) start of data block
- */
- ssize_t size;
- char buffer[48]; // decode 48 bytes needs ((48 + 2) / 3) * 4 + 1 bytes
-
- DEBUGP (("Received a type-2 NTLM message.\n"));
-
- size = wget_base64_decode (header, buffer, sizeof (buffer));
- if (size < 0)
- return false; /* malformed base64 from server */
-
- ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
-
- if ((size_t) size >= sizeof (buffer))
- /* the nonce of interest is index [24 .. 31], 8 bytes */
- memcpy (ntlm->nonce, &buffer[24], 8);
-
- /* at index decimal 20, there's a 32bit NTLM flag field */
- }
- else
- {
- if (ntlm->state == NTLMSTATE_LAST)
- {
- DEBUGP (("NTLM auth restarted.\n"));
- /* no return, continue */
- }
- else if (ntlm->state == NTLMSTATE_TYPE3)
- {
- DEBUGP (("NTLM handshake rejected.\n"));
- ntlm->state = NTLMSTATE_NONE;
- return false;
- }
- else if (ntlm->state >= NTLMSTATE_TYPE1)
- {
- DEBUGP (("Unexpected empty NTLM message.\n"));
- return false; /* this is an error */
- }
-
- DEBUGP (("Empty NTLM message, (re)starting transaction.\n"));
- ntlm->state = NTLMSTATE_TYPE1; /* we should sent away a type-1 */
- }
-
- return true;
-}
-
-/*
- * Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
- * key schedule ks is also set.
- */
-#ifdef HAVE_NETTLE
-static void
-setup_des_key(unsigned char *key_56,
- struct des_ctx *des)
-{
- unsigned char key[8];
-
- key[0] = key_56[0];
- key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
- key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
- key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
- key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
- key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
- key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
- key[7] = (key_56[6] << 1) & 0xFF;
-
- nettle_des_set_key(des, key);
-}
-#else
-static void
-setup_des_key(unsigned char *key_56,
- DES_key_schedule DESKEYARG(ks))
-{
- DES_cblock key;
-
- key[0] = key_56[0];
- key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
- key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
- key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
- key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
- key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
- key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
- key[7] = (key_56[6] << 1) & 0xFF;
-
- DES_set_odd_parity(&key);
- DES_set_key(&key, ks);
-}
-#endif
-
- /*
- * takes a 21 byte array and treats it as 3 56-bit DES keys. The
- * 8 byte plaintext is encrypted with each key and the resulting 24
- * bytes are stored in the results array.
- */
-static void
-calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char
*results)
-{
-#ifdef HAVE_NETTLE
- struct des_ctx des;
-
- setup_des_key(keys, &des);
- nettle_des_encrypt(&des, 8, results, plaintext);
-
- setup_des_key(keys + 7, &des);
- nettle_des_encrypt(&des, 8, results + 8, plaintext);
-
- setup_des_key(keys + 14, &des);
- nettle_des_encrypt(&des, 8, results + 16, plaintext);
-#else
- DES_key_schedule ks;
-
- setup_des_key(keys, DESKEY(ks));
- DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results,
- DESKEY(ks), DES_ENCRYPT);
-
- setup_des_key(keys+7, DESKEY(ks));
- DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+8),
- DESKEY(ks), DES_ENCRYPT);
-
- setup_des_key(keys+14, DESKEY(ks));
- DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+16),
- DESKEY(ks), DES_ENCRYPT);
-#endif
-}
-
-/*
- * Set up lanmanager and nt hashed passwords
- */
-static void
-mkhash(const char *password,
- unsigned char *nonce, /* 8 bytes */
- unsigned char *lmresp /* must fit 0x18 bytes */
-#ifdef USE_NTRESPONSES
- , unsigned char *ntresp /* must fit 0x18 bytes */
-#endif
- )
-{
- unsigned char lmbuffer[21];
-#ifdef USE_NTRESPONSES
- unsigned char ntbuffer[21];
-#endif
- unsigned char pw[14];
- static const unsigned char magic[] = {
- 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25
- };
- size_t i, len = strlen(password);
-
- /* make it fit at least 14 bytes */
-
- if (len > sizeof (pw))
- len = sizeof (pw);
-
- for (i = 0; i < len; i++)
- pw[i] = (unsigned char) c_toupper (password[i]);
-
- for (; i < sizeof (pw); i++)
- pw[i] = 0;
-
- {
- /* create LanManager hashed password */
-#ifdef HAVE_NETTLE
- struct des_ctx des;
-
- setup_des_key(pw, &des);
- nettle_des_encrypt(&des, 8, lmbuffer, magic);
-
- setup_des_key(pw + 7, &des);
- nettle_des_encrypt(&des, 8, lmbuffer + 8, magic);
-#else
- DES_key_schedule ks;
-
- setup_des_key(pw, DESKEY (ks));
- DES_ecb_encrypt((DES_cblock *) magic, (DES_cblock *) lmbuffer,
- DESKEY (ks), DES_ENCRYPT);
-
- setup_des_key(pw+7, DESKEY (ks));
- DES_ecb_encrypt((DES_cblock *) magic, (DES_cblock *) (lmbuffer + 8),
- DESKEY (ks), DES_ENCRYPT);
-#endif
-
- memset(lmbuffer + 16, 0, 5);
- }
- /* create LM responses */
- calc_resp(lmbuffer, nonce, lmresp);
-
-#ifdef USE_NTRESPONSES
- {
-#ifdef HAVE_NETTLE
- struct md4_ctx MD4;
-#else
- MD4_CTX MD4;
-#endif
-
- unsigned char pw4[64];
-
- len = strlen (password);
-
- if (len > sizeof (pw4) / 2)
- len = sizeof (pw4) / 2;
-
- for (i = 0; i < len; i++) {
- pw4[2 * i] = (unsigned char) password[i];
- pw4[2 * i + 1] = 0;
- }
-
-#ifdef HAVE_NETTLE
- nettle_md4_init(&MD4);
- nettle_md4_update(&MD4, (unsigned) (2 * len), pw4);
- nettle_md4_digest(&MD4, MD4_DIGEST_SIZE, ntbuffer);
-#else
- /* create NT hashed password */
- MD4_Init(&MD4);
- MD4_Update(&MD4, pw4, 2 * len);
- MD4_Final(ntbuffer, &MD4);
-#endif
-
- memset(ntbuffer + 16, 0, 5);
- }
-
- calc_resp(ntbuffer, nonce, ntresp);
-#endif
-}
-
-#define SHORTPAIR(x) (char) ((x) & 0xff), (char) ((x) >> 8)
-#define LONGQUARTET(x) ((x) & 0xff), (((x) >> 8)&0xff), \
- (((x) >>16)&0xff), ((x)>>24)
-
-/* this is for creating ntlm header output */
-char *
-ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
- bool *ready)
-{
- const char *domain = ""; /* empty */
- const char *host = ""; /* empty */
- size_t domlen = strlen(domain);
- size_t hostlen = strlen(host);
- size_t hostoff; /* host name offset */
- size_t domoff; /* domain name offset */
- size_t size;
- char ntlmbuf[256]; /* enough, unless the host/domain is very long */
-
- /* point to the address of the pointer that holds the string to sent to the
- server, which is for a plain host or for a HTTP proxy */
- char *output = NULL;
-
- *ready = false;
-
- /* not set means empty */
- if(!user)
- user="";
-
- if(!passwd)
- passwd="";
-
- switch(ntlm->state) {
- case NTLMSTATE_TYPE1:
- case NTLMSTATE_NONE:
- case NTLMSTATE_LAST:
- hostoff = 32;
- domoff = hostoff + hostlen;
-
- DEBUGP (("Creating a type-1 NTLM message.\n"));
-
- /* Create and send a type-1 message:
-
- Index Description Content
- 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
- (0x4e544c4d53535000)
- 8 NTLM Message Type long (0x01000000)
- 12 Flags long
- 16 Supplied Domain security buffer(*)
- 24 Supplied Workstation security buffer(*)
- 32 start of data block
-
- */
-
- snprintf (ntlmbuf, sizeof(ntlmbuf), "NTLMSSP%c"
- "\x01%c%c%c" /* 32-bit type = 1 */
- "%c%c%c%c" /* 32-bit NTLM flag field */
- "%c%c" /* domain length */
- "%c%c" /* domain allocated space */
- "%c%c" /* domain name offset */
- "%c%c" /* 2 zeroes */
- "%c%c" /* host length */
- "%c%c" /* host allocated space */
- "%c%c" /* host name offset */
- "%c%c" /* 2 zeroes */
- "%s" /* host name */
- "%s", /* domain string */
- 0, /* trailing zero */
- 0,0,0, /* part of type-1 long */
-
- LONGQUARTET(
- NTLMFLAG_NEGOTIATE_OEM| /* 2 */
- NTLMFLAG_NEGOTIATE_NTLM_KEY /* 200 */
- /* equals 0x0202 */
- ),
- SHORTPAIR(domlen),
- SHORTPAIR(domlen),
- SHORTPAIR(domoff),
- 0,0,
- SHORTPAIR(hostlen),
- SHORTPAIR(hostlen),
- SHORTPAIR(hostoff),
- 0,0,
- host, domain);
-
- /* initial packet length */
- size = 32 + hostlen + domlen;
-
- output = xmalloc(5 + BASE64_LENGTH (size) + 1);
- memcpy(output, "NTLM ", 5);
- wget_base64_encode (ntlmbuf, size, output + 5);
-
- break;
-
- case NTLMSTATE_TYPE2:
- /* We received the type-2 already, create a type-3 message:
-
- Index Description Content
- 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
- (0x4e544c4d53535000)
- 8 NTLM Message Type long (0x03000000)
- 12 LM/LMv2 Response security buffer(*)
- 20 NTLM/NTLMv2 Response security buffer(*)
- 28 Domain Name security buffer(*)
- 36 User Name security buffer(*)
- 44 Workstation Name security buffer(*)
- (52) Session Key (optional) security buffer(*)
- (60) Flags (optional) long
- 52 (64) start of data block
-
- */
-
- {
- size_t lmrespoff;
- size_t ntrespoff;
- size_t useroff;
- unsigned char lmresp[0x18]; /* fixed-size */
-#ifdef USE_NTRESPONSES
- unsigned char ntresp[0x18]; /* fixed-size */
-#endif
- const char *usr;
- size_t userlen;
-
- DEBUGP (("Creating a type-3 NTLM message.\n"));
-
- usr = strchr(user, '\\');
- if(!usr)
- usr = strchr(user, '/');
-
- if (usr) {
- domain = user;
- domlen = (size_t) (usr - domain);
- usr++;
- }
- else
- usr = user;
- userlen = strlen(usr);
-
- mkhash(passwd, &ntlm->nonce[0], lmresp
-#ifdef USE_NTRESPONSES
- , ntresp
-#endif
- );
-
- domoff = 64; /* always */
- useroff = domoff + domlen;
- hostoff = useroff + userlen;
- lmrespoff = hostoff + hostlen;
- ntrespoff = lmrespoff + 0x18;
-
- /* Create the big type-3 message binary blob */
-
- snprintf (ntlmbuf, sizeof (ntlmbuf),
- "NTLMSSP%c"
- "\x03%c%c%c" /* type-3, 32 bits */
-
- "%c%c%c%c" /* LanManager length + allocated space */
- "%c%c" /* LanManager offset */
- "%c%c" /* 2 zeroes */
-
- "%c%c" /* NT-response length */
- "%c%c" /* NT-response allocated space */
- "%c%c" /* NT-response offset */
- "%c%c" /* 2 zeroes */
-
- "%c%c" /* domain length */
- "%c%c" /* domain allocated space */
- "%c%c" /* domain name offset */
- "%c%c" /* 2 zeroes */
-
- "%c%c" /* user length */
- "%c%c" /* user allocated space */
- "%c%c" /* user offset */
- "%c%c" /* 2 zeroes */
-
- "%c%c" /* host length */
- "%c%c" /* host allocated space */
- "%c%c" /* host offset */
- "%c%c%c%c%c%c" /* 6 zeroes */
-
- "\xff\xff" /* message length */
- "%c%c" /* 2 zeroes */
-
- "\x01\x82" /* flags */
- "%c%c" /* 2 zeroes */
-
- /* domain string */
- /* user string */
- /* host string */
- /* LanManager response */
- /* NT response */
- ,
- 0, /* zero termination */
- 0, 0, 0, /* type-3 long, the 24 upper bits */
-
- SHORTPAIR (0x18), /* LanManager response length, twice */
- SHORTPAIR (0x18),
- SHORTPAIR (lmrespoff),
- 0x0, 0x0,
-
-#ifdef USE_NTRESPONSES
- SHORTPAIR (0x18), /* NT-response length, twice */
- SHORTPAIR (0x18),
-#else
- 0x0, 0x0,
- 0x0, 0x0,
-#endif
- SHORTPAIR (ntrespoff),
- 0x0, 0x0,
-
- SHORTPAIR (domlen),
- SHORTPAIR (domlen),
- SHORTPAIR (domoff),
- 0x0, 0x0,
-
- SHORTPAIR (userlen),
- SHORTPAIR (userlen),
- SHORTPAIR (useroff),
- 0x0, 0x0,
-
- SHORTPAIR (hostlen),
- SHORTPAIR (hostlen),
- SHORTPAIR (hostoff),
- 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-
- 0x0, 0x0,
-
- 0x0, 0x0);
-
- /* size is now 64 */
- size=64;
- ntlmbuf[62]=ntlmbuf[63]=0;
-
- /* Make sure that the user and domain strings fit in the target buffer
- before we copy them there. */
- if((size + userlen + domlen) >= sizeof(ntlmbuf))
- return NULL;
-
- memcpy(&ntlmbuf[size], domain, domlen);
- size += domlen;
-
- memcpy(&ntlmbuf[size], usr, userlen);
- size += userlen;
-
- /* we append the binary hashes to the end of the blob */
- if(size < (sizeof(ntlmbuf) - 0x18)) {
- memcpy(&ntlmbuf[size], lmresp, 0x18);
- size += 0x18;
- }
-
-#ifdef USE_NTRESPONSES
- if(size < (sizeof(ntlmbuf) - 0x18)) {
- memcpy(&ntlmbuf[size], ntresp, 0x18);
- size += 0x18;
- }
-#endif
-
- ntlmbuf[56] = (char) (size & 0xff);
- ntlmbuf[57] = (char) (size >> 8);
-
- /* convert the binary blob into base64 */
- output = xmalloc(5 + BASE64_LENGTH (size) + 1);
- memcpy(output, "NTLM ", 5);
- wget_base64_encode (ntlmbuf, size, output + 5);
-
- ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
- *ready = true;
- }
- break;
-
- case NTLMSTATE_TYPE3:
- /* connection is already authenticated,
- * don't send a header in future requests */
- *ready = true;
- output = NULL;
- break;
- }
-
- return output;
-}
diff --git a/src/http-ntlm.h b/src/http-ntlm.h
deleted file mode 100644
index
5b47bac0c9f8b185be657729564a0dd3b319dc75..0000000000000000000000000000000000000000
--- a/src/http-ntlm.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef __HTTP_NTLM_H
-#define __HTTP_NTLM_H
-/* Declarations for http_ntlm.c
- Copyright (C) 1995-1997, 2000, 2007-2011, 2015, 2018-2024, 2026 Free
- Software Foundation, Inc.
- Contributed by Daniel Stenberg.
-
-This file is part of GNU Wget.
-
-GNU Wget is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
-GNU Wget is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with Wget. If not, see <http://www.gnu.org/licenses/>.
-
-Additional permission under GNU GPL version 3 section 7
-
-If you modify this program, or any covered work, by linking or
-combining it with the OpenSSL project's OpenSSL library (or a
-modified version of that library), containing parts covered by the
-terms of the OpenSSL or SSLeay licenses, the Free Software Foundation
-grants you additional permission to convey the resulting work.
-Corresponding Source for a non-source form of such a combination
-shall include the source code for the parts of OpenSSL used as well
-as that of the covered work. */
-
-typedef enum {
- NTLMSTATE_NONE,
- NTLMSTATE_TYPE1,
- NTLMSTATE_TYPE2,
- NTLMSTATE_TYPE3,
- NTLMSTATE_LAST
-} wgetntlm;
-
-/* Struct used for NTLM challenge-response authentication */
-struct ntlmdata {
- wgetntlm state;
- unsigned char nonce[8];
-};
-
-/* this is for ntlm header input */
-bool ntlm_input (struct ntlmdata *, const char *);
-
-/* this is for creating ntlm header output */
-char *ntlm_output (struct ntlmdata *, const char *, const char *, bool *);
-#endif
diff --git a/src/http.c b/src/http.c
index
570b72a7274d1ea1261b087cae433abd576d8df0..7bced7890b958c2adb349c6e6877e106d0679b8e
100644
--- a/src/http.c
+++ b/src/http.c
@@ -52,9 +52,6 @@ as that of the covered work. */
#ifdef HAVE_SSL
# include "ssl.h"
#endif
-#ifdef ENABLE_NTLM
-# include "http-ntlm.h"
-#endif
#include "cookies.h"
#include "md5.h"
#include "convert.h"
@@ -1371,17 +1368,6 @@ static struct {
/* Whether a ssl handshake has occurred on this connection. */
bool ssl;
-
- /* Whether the connection was authorized. This is only done by
- NTLM, which authorizes *connections* rather than individual
- requests. (That practice is peculiar for HTTP, but it is a
- useful optimization.) */
- bool authorized;
-
-#ifdef ENABLE_NTLM
- /* NTLM data of the current connection. */
- struct ntlmdata ntlm;
-#endif
} pconn;
/* Mark the persistent connection as invalid and free the resources it
@@ -1432,7 +1418,6 @@ register_persistent (const char *host, int port, int fd,
bool ssl)
pconn.host = xstrdup (host);
pconn.port = port;
pconn.ssl = ssl;
- pconn.authorized = false;
DEBUGP (("Registered socket %d for persistent reuse.\n", fd));
}
@@ -2099,11 +2084,6 @@ establish_connection (const struct url *u, const struct
url **conn_ref,
quotearg_style (escape_quoting_style, pconn.host),
pconn.port);
DEBUGP (("Reusing fd %d.\n", sock));
- if (pconn.authorized)
- /* If the connection is already authorized, the "Basic"
- authorization added by code above is unnecessary and
- only hurts us. */
- request_remove_header (req, "Authorization");
}
else if (host_lookup_failed)
{
@@ -2375,13 +2355,12 @@ check_file_output (const struct url *u, struct
http_stat *hs,
static uerr_t
check_auth (const struct url *u, char *user, char *passwd, struct response
*resp,
- struct request *req, bool *ntlm_seen_ref, bool *retry,
+ struct request *req, bool *retry,
bool *basic_auth_finished_ref, bool *auth_finished_ref)
{
uerr_t auth_err = RETROK;
bool basic_auth_finished = *basic_auth_finished_ref;
bool auth_finished = *auth_finished_ref;
- bool ntlm_seen = *ntlm_seen_ref;
char buf[256], *tmp = NULL;
*retry = false;
@@ -2394,10 +2373,10 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
int wapos;
const char *www_authenticate = NULL;
const char *wabeg, *waend;
- const char *digest = NULL, *basic = NULL, *ntlm = NULL;
+ const char *digest = NULL, *basic = NULL;
- for (wapos = 0; !ntlm
- && (wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
+ for (wapos = 0;
+ (wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
&wabeg, &waend)) != -1;
++wapos)
{
@@ -2417,7 +2396,7 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
www_authenticate = tmp;
- for (;!ntlm;)
+ for (;;)
{
/* extract the auth-scheme */
while (c_isspace (*www_authenticate)) www_authenticate++;
@@ -2431,12 +2410,7 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
if (known_authentication_scheme_p (name.b, name.e))
{
- if (BEGINS_WITH (name.b, "NTLM"))
- {
- ntlm = name.b;
- break; /* this is the most secure challenge, stop here */
- }
- else if (!digest && BEGINS_WITH (name.b, "Digest"))
+ if (!digest && BEGINS_WITH (name.b, "Digest"))
digest = name.b;
else if (!basic && BEGINS_WITH (name.b, "Basic"))
basic = name.b;
@@ -2453,7 +2427,7 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
}
}
- if (!basic && !digest && !ntlm)
+ if (!basic && !digest)
{
/* If the authentication header is missing or
unrecognized, there's no sense in retrying. */
@@ -2468,9 +2442,7 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
auth_stat = xmalloc (sizeof (uerr_t));
*auth_stat = RETROK;
- if (ntlm)
- www_authenticate = ntlm;
- else if (digest)
+ if (digest)
www_authenticate = digest;
else
www_authenticate = basic;
@@ -2491,9 +2463,7 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
{
request_set_header (req, "Authorization", value, rel_value);
- if (BEGINS_WITH (www_authenticate, "NTLM"))
- ntlm_seen = true;
- else if (!u->user && BEGINS_WITH (www_authenticate, "Basic"))
+ if (!u->user && BEGINS_WITH (www_authenticate, "Basic"))
{
/* Need to register this host as using basic auth,
* so we automatically send creds next time. */
@@ -2519,7 +2489,6 @@ check_auth (const struct url *u, char *user, char
*passwd, struct response *resp
cleanup:
if (tmp != buf)
xfree (tmp);
- *ntlm_seen_ref = ntlm_seen;
*basic_auth_finished_ref = basic_auth_finished;
*auth_finished_ref = auth_finished;
return auth_err;
@@ -3195,9 +3164,6 @@ gethttp (const struct url *u, struct url *original_url,
struct http_stat *hs,
* mechanisms. */
bool basic_auth_finished = false;
- /* Whether NTLM authentication is used for this request. */
- bool ntlm_seen = false;
-
/* Whether our connection to the remote host is through SSL. */
bool using_ssl = false;
@@ -3620,11 +3586,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
CLOSE_INVALIDATE (sock);
}
- pconn.authorized = false;
-
{
auth_err = check_auth (u, user, passwd, resp, req,
- &ntlm_seen, &retry,
+ &retry,
&basic_auth_finished,
&auth_finished);
if (auth_err == RETROK && retry)
@@ -3641,12 +3605,6 @@ gethttp (const struct url *u, struct url *original_url,
struct http_stat *hs,
retval = auth_err;
goto cleanup;
}
- else /* statcode != HTTP_STATUS_UNAUTHORIZED */
- {
- /* Kludge: if NTLM is used, mark the TCP connection as authorized. */
- if (ntlm_seen)
- pconn.authorized = true;
- }
{
uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
@@ -4995,13 +4953,7 @@ http_atotm (const char *time_string)
* `Digest' scheme, added by Junio Hamano <[email protected]>,
consisting of answering to the server's challenge with the proper
- MD5 digests.
-
- * `NTLM' ("NT Lan Manager") scheme, based on code written by Daniel
- Stenberg for libcurl. Like digest, NTLM is based on a
- challenge-response mechanism, but unlike digest, it is non-standard
- (authenticates TCP connections rather than requests), undocumented
- and Microsoft-specific. */
+ MD5 digests. */
/* Create the authentication header contents for the `Basic' scheme.
This is done by encoding the string "USER:PASS" to base64 and
@@ -5272,9 +5224,6 @@ known_authentication_scheme_p (const char *hdrbeg, const
char *hdrend)
return STARTS ("Basic", hdrbeg, hdrend)
#ifdef ENABLE_DIGEST
|| STARTS ("Digest", hdrbeg, hdrend)
-#endif
-#ifdef ENABLE_NTLM
- || STARTS ("NTLM", hdrbeg, hdrend)
#endif
;
}
@@ -5302,15 +5251,6 @@ create_authorization_line (const char *au, const char
*user,
case 'D': /* Digest */
*finished = true;
return digest_authentication_encode (au, user, passwd, method, path,
auth_err);
-#endif
-#ifdef ENABLE_NTLM
- case 'N': /* NTLM */
- if (!ntlm_input (&pconn.ntlm, au))
- {
- *finished = true;
- return NULL;
- }
- return ntlm_output (&pconn.ntlm, user, passwd, finished);
#endif
default:
/* We shouldn't get here -- this function should be only called
diff --git a/vms/DESCRIP.MMS b/vms/DESCRIP.MMS
index
11c9fd8a8bf310929f76e98bba1b0943ef72b7a3..5248593691c3a6cff2b9c09895eeffa7e070123e
100644
--- a/vms/DESCRIP.MMS
+++ b/vms/DESCRIP.MMS
@@ -20,7 +20,7 @@
# Link with /DEBUG /TRACEBACK.
# (Default is /NOTRACEBACK.)
#
-# HPSSL=1 Enable HTTPS (and NTLM) support using HP SSL.
+# HPSSL=1 Enable HTTPS support using HP SSL.
#
# LARGE=1 Enable large-file (>2GB) support. Non-VAX only.
#
@@ -42,7 +42,7 @@
# source kit was extracted using VMSTAR with the
# /UNDERDOT ("-u") option.
#
-# OSSL=1 Enable HTTPS (and NTLM) support using OpenSSL.
+# OSSL=1 Enable HTTPS support using OpenSSL.
#
#
# The default target, ALL, builds all the product executables.
diff --git a/vms/DESCRIP_SRC_CMN.MMS b/vms/DESCRIP_SRC_CMN.MMS
index
3f4beaf0230dba297021c8e2f433d679b9f08113..ea2bcf04ccc92b9680ac91fa65844545cdff2f13
100644
--- a/vms/DESCRIP_SRC_CMN.MMS
+++ b/vms/DESCRIP_SRC_CMN.MMS
@@ -87,14 +87,14 @@ CDEFS_LARGE =
.ENDIF # LARGE [else]
.IFDEF HPSSL # HPSSL
-CDEFS_SSL = , "HAVE_SSL", "ENABLE_NTLM"
+CDEFS_SSL = , "HAVE_SSL"
SSL_LINK_OPT = , [-.VMS]WGET_SSL_HP.OPT /OPTIONS
.IFDEF OSSL # OSSL
HPSSL_OSSL = 1
.ENDIF # OSSL
.ELSE # HPSSL
.IFDEF OSSL # OSSL
-CDEFS_SSL = , "HAVE_LIBSSL", "ENABLE_NTLM"
+CDEFS_SSL = , "HAVE_LIBSSL"
SSL_LINK_OPT = , [-.VMS]WGET_SSL_O.OPT /OPTIONS
.ELSE # OSSL
CDEFS_SSL =
diff --git a/vms/config.h_vms b/vms/config.h_vms
index
b78e4e3aed277b42a0603900f3558f7c199b9f7e..5f4421a32bc55fe98a231d1e5868df260fc4af41
100644
--- a/vms/config.h_vms
+++ b/vms/config.h_vms
@@ -49,9 +49,6 @@
language is requested. */
/* #undef ENABLE_NLS */
-/* Define if you want the NTLM authorization support compiled in. */
-/* #undef ENABLE_NTLM */
-
/* Define if you want the Opie support for FTP compiled in. */
#define ENABLE_OPIE 1
