@@ -131,7 +131,8 @@ enum http_follow_config http_follow_config = HTTP_FOLLOW_INITIAL;
131131
132132static struct credential cert_auth = CREDENTIAL_INIT ;
133133static int ssl_cert_password_required ;
134- static unsigned long http_auth_methods = CURLAUTH_ANY ;
134+ static unsigned long http_auth_any = CURLAUTH_ANY & ~CURLAUTH_NTLM ;
135+ static unsigned long http_auth_methods ;
135136static int http_auth_methods_restricted ;
136137/* Modes for which empty_auth cannot actually help us. */
137138static unsigned long empty_auth_useless =
@@ -436,6 +437,15 @@ static int http_options(const char *var, const char *value,
436437 return 0 ;
437438 }
438439
440+ if (!strcmp ("http.allowntlmauth" , var )) {
441+ if (git_config_bool (var , value )) {
442+ http_auth_any |= CURLAUTH_NTLM ;
443+ } else {
444+ http_auth_any &= ~CURLAUTH_NTLM ;
445+ }
446+ return 0 ;
447+ }
448+
439449 if (!strcmp ("http.schannelcheckrevoke" , var )) {
440450 if (value && !strcmp (value , "best-effort" )) {
441451 http_schannel_check_revoke_mode =
@@ -674,6 +684,11 @@ static void init_curl_http_auth(CURL *result)
674684
675685 credential_fill (the_repository , & http_auth , 1 );
676686
687+ if (http_auth .ntlm_allow && !(http_auth_methods & CURLAUTH_NTLM )) {
688+ http_auth_methods |= CURLAUTH_NTLM ;
689+ curl_easy_setopt (result , CURLOPT_HTTPAUTH , http_auth_methods );
690+ }
691+
677692 if (http_auth .password ) {
678693 if (always_auth_proactively ()) {
679694 /*
@@ -733,11 +748,11 @@ static void init_curl_proxy_auth(CURL *result)
733748 if (i == ARRAY_SIZE (proxy_authmethods )) {
734749 warning ("unsupported proxy authentication method %s: using anyauth" ,
735750 http_proxy_authmethod );
736- curl_easy_setopt (result , CURLOPT_PROXYAUTH , CURLAUTH_ANY );
751+ curl_easy_setopt (result , CURLOPT_PROXYAUTH , http_auth_any );
737752 }
738753 }
739754 else
740- curl_easy_setopt (result , CURLOPT_PROXYAUTH , CURLAUTH_ANY );
755+ curl_easy_setopt (result , CURLOPT_PROXYAUTH , http_auth_any );
741756}
742757
743758static int has_cert_password (void )
@@ -1084,7 +1099,7 @@ static CURL *get_curl_handle(void)
10841099 }
10851100
10861101 curl_easy_setopt (result , CURLOPT_NETRC , CURL_NETRC_OPTIONAL );
1087- curl_easy_setopt (result , CURLOPT_HTTPAUTH , CURLAUTH_ANY );
1102+ curl_easy_setopt (result , CURLOPT_HTTPAUTH , http_auth_any );
10881103
10891104#ifdef CURLGSSAPI_DELEGATION_FLAG
10901105 if (curl_deleg ) {
@@ -1482,6 +1497,7 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
14821497 set_long_from_env (& http_retry_after , "GIT_HTTP_RETRY_AFTER" );
14831498 set_long_from_env (& http_max_retries , "GIT_HTTP_MAX_RETRIES" );
14841499 set_long_from_env (& http_max_retry_time , "GIT_HTTP_MAX_RETRY_TIME" );
1500+ http_auth_methods = http_auth_any ;
14851501
14861502 curl_default = get_curl_handle ();
14871503}
@@ -1914,6 +1930,12 @@ static int handle_curl_result(struct slot_results *results)
19141930 } else if (missing_target (results ))
19151931 return HTTP_MISSING_TARGET ;
19161932 else if (results -> http_code == 401 ) {
1933+ http_auth .ntlm_suppressed = (results -> auth_avail & CURLAUTH_NTLM ) &&
1934+ !(http_auth_any & CURLAUTH_NTLM );
1935+ if (http_auth .ntlm_suppressed && http_auth .ntlm_allow ) {
1936+ http_auth_methods |= CURLAUTH_NTLM ;
1937+ return HTTP_REAUTH ;
1938+ }
19171939 if ((http_auth .username && http_auth .password ) || \
19181940 (http_auth .authtype && http_auth .credential )) {
19191941 if (http_auth .multistage ) {
@@ -1923,6 +1945,16 @@ static int handle_curl_result(struct slot_results *results)
19231945 credential_reject (the_repository , & http_auth );
19241946 if (always_auth_proactively ())
19251947 http_proactive_auth = PROACTIVE_AUTH_NONE ;
1948+ if (http_auth .ntlm_suppressed ) {
1949+ warning (_ ("Due to its cryptographic weaknesses, "
1950+ "NTLM authentication has been\n"
1951+ "disabled in Git by default. You can "
1952+ "re-enable it for trusted servers\n"
1953+ "by running:\n\n"
1954+ "git config set "
1955+ "http.%s://%s.allowNTLMAuth true" ),
1956+ http_auth .protocol , http_auth .host );
1957+ }
19261958 return HTTP_NOAUTH ;
19271959 } else {
19281960 http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE ;
0 commit comments