build: make NTLM disabled by default

NTLM has weak security and does not work over HTTP/2 or HTTP/3.

Enable in cmake or configure to get support for it.

.github/workflows/macos.yml

@@ -238,7 +238,7 @@ jobs:
             generate: >-
               -DENABLE_DEBUG=ON -DENABLE_ARES=ON
               -DCURL_ENABLE_SSL=OFF -DHTTP_ONLY=ON
-              -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_ALTSVC=ON -DENABLE_UNIX_SOCKETS=OFF
+              -DCURL_ENABLE_NTLM=OFF -DCURL_DISABLE_ALTSVC=ON -DENABLE_UNIX_SOCKETS=OFF
               -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=OFF -DUSE_NGHTTP2=OFF
               -DCURL_USE_GSSAPI=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DUSE_LIBRTMP=OFF
               -DCURL_BROTLI=OFF -DCURL_ZLIB=OFF -DCURL_ZSTD=OFF

CMakeLists.txt

@@ -468,8 +468,8 @@ option(CURL_DISABLE_BINDLOCAL "Disable local binding support" OFF)
 mark_as_advanced(CURL_DISABLE_BINDLOCAL)
 option(CURL_DISABLE_NETRC "Disable netrc parser" OFF)
 mark_as_advanced(CURL_DISABLE_NETRC)
-option(CURL_DISABLE_NTLM "Disable NTLM support" OFF)
-mark_as_advanced(CURL_DISABLE_NTLM)
+option(CURL_ENABLE_NTLM "Enable NTLM support" OFF)
+mark_as_advanced(CURL_ENABLE_NTLM)
 option(CURL_DISABLE_PARSEDATE "Disable date parsing" OFF)
 mark_as_advanced(CURL_DISABLE_PARSEDATE)
 option(CURL_DISABLE_POP3 "Disable POP3" OFF)
@@ -1945,7 +1945,7 @@ endmacro()
 
 # NTLM support requires crypto functions from various SSL libs.
 # These conditions must match those in lib/curl_setup.h.
-if(NOT CURL_DISABLE_NTLM AND
+if(CURL_ENABLE_NTLM AND
    ((USE_OPENSSL AND HAVE_DES_ECB_ENCRYPT) OR
     (USE_MBEDTLS AND HAVE_MBEDTLS_DES_CRYPT_ECB) OR
     USE_GNUTLS OR
@@ -2022,7 +2022,7 @@ curl_add_if("SPNEGO"        NOT CURL_DISABLE_NEGOTIATE_AUTH AND
                             (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
 curl_add_if("Kerberos"      NOT CURL_DISABLE_KERBEROS_AUTH AND
                             (HAVE_GSSAPI OR USE_WINDOWS_SSPI))
-curl_add_if("NTLM"          NOT CURL_DISABLE_NTLM AND
+curl_add_if("NTLM"          CURL_ENABLE_NTLM AND
                             (_use_curl_ntlm_core OR USE_WINDOWS_SSPI))
 curl_add_if("TLS-SRP"       USE_TLS_SRP)
 curl_add_if("HTTP2"         USE_NGHTTP2)

configure.ac

@@ -4535,16 +4535,16 @@ AC_ARG_ENABLE(ntlm,
 AS_HELP_STRING([--enable-ntlm],[Enable NTLM support])
 AS_HELP_STRING([--disable-ntlm],[Disable NTLM support]),
 [ case "$enableval" in
-  no)
-    AC_MSG_RESULT(no)
-    AC_DEFINE(CURL_DISABLE_NTLM, 1, [to disable NTLM support])
-    CURL_DISABLE_NTLM=1
+  yes)
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(CURL_ENABLE_NTLM, 1, [enable NTLM support])
+    CURL_ENABLE_NTLM=1
     ;;
   *)
-    AC_MSG_RESULT(yes)
+    AC_MSG_RESULT(no)
     ;;
   esac ],
-    AC_MSG_RESULT(yes)
+    AC_MSG_RESULT(no)
 )
 
 dnl ************************************************************
@@ -5201,7 +5201,7 @@ fi
 
 use_curl_ntlm_core=no
 
-if test "$CURL_DISABLE_NTLM" != "1"; then
+if test "$CURL_ENABLE_NTLM" = "1"; then
   if test "$HAVE_DES_ECB_ENCRYPT" = "1" ||
      test "$GNUTLS_ENABLED" = "1" ||
      test "$USE_WIN32_CRYPTO" = "1" ||

docs/CURL-DISABLE.md

@@ -120,10 +120,6 @@ Disable MQTT support.
 
 Disable the netrc parser.
 
-## `CURL_DISABLE_NTLM`
-
-Disable support for NTLM.
-
 ## `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`
 
 Disable the auto load config support in the OpenSSL backend.

docs/INSTALL-CMAKE.md

@@ -272,6 +272,7 @@ target_link_libraries(my_target PRIVATE CURL::libcurl)
 
 ## Enabling features
 
+- `CURL_ENABLE_NTLM`:                       Enable NTLM support. Default: `OFF`
 - `CURL_ENABLE_SSL`:                        Enable SSL support. Default: `ON`
 - `CURL_WINDOWS_SSPI`:                      Enable SSPI on Windows. Default: =`CURL_USE_SCHANNEL`
 - `ENABLE_IPV6`:                            Enable IPv6 support. Default: `ON` if target supports IPv6.
@@ -314,7 +315,6 @@ target_link_libraries(my_target PRIVATE CURL::libcurl)
 - `CURL_DISABLE_MQTT`:                      Disable MQTT. Default: `OFF`
 - `CURL_DISABLE_NEGOTIATE_AUTH`:            Disable negotiate authentication. Default: `OFF`
 - `CURL_DISABLE_NETRC`:                     Disable netrc parser. Default: `OFF`
-- `CURL_DISABLE_NTLM`:                      Disable NTLM support. Default: `OFF`
 - `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`:  Disable automatic loading of OpenSSL configuration. Default: `OFF`
 - `CURL_DISABLE_PARSEDATE`:                 Disable date parsing. Default: `OFF`
 - `CURL_DISABLE_POP3`:                      Disable POP3. Default: `OFF`

lib/curl_config-cmake.h.in

@@ -118,8 +118,8 @@
 /* disables netrc parser */
 #cmakedefine CURL_DISABLE_NETRC 1
 
-/* disables NTLM support */
-#cmakedefine CURL_DISABLE_NTLM 1
+/* enables NTLM support */
+#cmakedefine CURL_ENABLE_NTLM 1
 
 /* disables date parsing */
 #cmakedefine CURL_DISABLE_PARSEDATE 1

lib/curl_setup.h

@@ -757,7 +757,7 @@
 #endif
 
 /* Single point where USE_NTLM definition might be defined */
-#ifndef CURL_DISABLE_NTLM
+#ifdef CURL_ENABLE_NTLM
 #  if (defined(USE_OPENSSL) && defined(HAVE_DES_ECB_ENCRYPT)) ||        \
   defined(USE_GNUTLS) ||                                                \
   (defined(USE_MBEDTLS) && defined(HAVE_MBEDTLS_DES_CRYPT_ECB)) ||      \

projects/vms/generate_config_vms_h_curl.com

@@ -262,15 +262,9 @@ $write cvh "#ifdef CURL_DISABLE_LIBCURL_OPTION"
 $write cvh "#undef CURL_DISABLE_LIBCURL_OPTION"
 $write cvh "#endif"
 $write cvh "#ifndef __VAX"
-$write cvh "#ifdef CURL_DISABLE_NTLM"
-$write cvh "#undef CURL_DISABLE_NTLM"
-$write cvh "#endif"
 $write cvh "#else"
 $! NTLM needs long long or int64 support, missing from DECC C.
 $write cvh "#ifdef __DECC
-$write cvh "#ifndef CURL_DISABLE_NTLM"
-$write cvh "#define CURL_DISABLE_NTLM 1"
-$write cvh "#endif"
 $write cvh "#endif"
 $write cvh "#endif"
 $write cvh "#ifdef CURL_DISABLE_POP3"