bug 804605 - backout 766973 767158 785050 r=backout a=akeybl
authorPatrick McManus <mcmanus@ducksong.com>
Tue, 22 Jan 2013 11:59:01 -0500
changeset 119489 4a1188e7f538a99da1d50f03d35ee8a9e61899c9
parent 119488 528eac92e500f3cee6dc6638d5e6cd2e99ff7d54
child 119490 322f7440f2812546beeb3dfd737fc344d8eaff40
push id24208
push userryanvm@gmail.com
push dateWed, 23 Jan 2013 16:13:14 +0000
treeherdermozilla-central@35e0c12f4332 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbackout, akeybl
bugs804605, 766973, 767158, 785050
milestone21.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 804605 - backout 766973 767158 785050 r=backout a=akeybl
extensions/auth/nsAuthGSSAPI.cpp
extensions/auth/nsAuthSASL.cpp
extensions/auth/nsAuthSSPI.cpp
extensions/auth/nsAuthSambaNTLM.cpp
netwerk/base/public/nsIAuthModule.idl
netwerk/dns/nsDNSService2.cpp
netwerk/dns/nsIDNSService.idl
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpChannel.h
netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
netwerk/protocol/http/nsHttpChannelAuthProvider.h
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
security/manager/ssl/src/nsNTLMAuthModule.cpp
--- a/extensions/auth/nsAuthGSSAPI.cpp
+++ b/extensions/auth/nsAuthGSSAPI.cpp
@@ -562,14 +562,8 @@ nsAuthGSSAPI::Wrap(const void *inToken,
 
     /* it is not possible for output_token.length to be zero */
     *outToken = nsMemory::Clone(output_token.value, output_token.length);
     gss_release_buffer_ptr(&minor_status, &output_token);
 
     return NS_OK;
 }
 
-NS_IMETHODIMP
-nsAuthGSSAPI::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSASL.cpp
+++ b/extensions/auth/nsAuthSASL.cpp
@@ -144,15 +144,8 @@ NS_IMETHODIMP
 nsAuthSASL::Wrap(const void *inToken,
                  uint32_t    inTokenLen,
                  bool        confidential,
                  void      **outToken,
                  uint32_t   *outTokenLen)
 {
     return NS_ERROR_NOT_IMPLEMENTED;
 }
-
-NS_IMETHODIMP
-nsAuthSASL::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSSPI.cpp
+++ b/extensions/auth/nsAuthSSPI.cpp
@@ -86,16 +86,60 @@ InitSSPI()
         return NS_ERROR_UNEXPECTED;
     }
 
     return NS_OK;
 }
 
 //-----------------------------------------------------------------------------
 
+static nsresult
+MakeSN(const char *principal, nsCString &result)
+{
+    nsresult rv;
+
+    nsAutoCString buf(principal);
+
+    // The service name looks like "protocol@hostname", we need to map
+    // this to a value that SSPI expects.  To be consistent with IE, we
+    // need to map '@' to '/' and canonicalize the hostname.
+    PRInt32 index = buf.FindChar('@');
+    if (index == kNotFound)
+        return NS_ERROR_UNEXPECTED;
+    
+    nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
+    if (NS_FAILED(rv))
+        return rv;
+
+    // This could be expensive if our DNS cache cannot satisfy the request.
+    // However, we should have at least hit the OS resolver once prior to
+    // reaching this code, so provided the OS resolver has this information
+    // cached, we should not have to worry about blocking on this function call
+    // for very long.  NOTE: because we ask for the canonical hostname, we
+    // might end up requiring extra network activity in cases where the OS
+    // resolver might not have enough information to satisfy the request from
+    // its cache.  This is not an issue in versions of Windows up to WinXP.
+    nsCOMPtr<nsIDNSRecord> record;
+    rv = dns->Resolve(Substring(buf, index + 1),
+                      nsIDNSService::RESOLVE_CANONICAL_NAME,
+                      getter_AddRefs(record));
+    if (NS_FAILED(rv))
+        return rv;
+
+    nsAutoCString cname;
+    rv = record->GetCanonicalName(cname);
+    if (NS_SUCCEEDED(rv)) {
+        result = StringHead(buf, index) + NS_LITERAL_CSTRING("/") + cname;
+        LOG(("Using SPN of [%s]\n", result.get()));
+    }
+    return rv;
+}
+
+//-----------------------------------------------------------------------------
+
 nsAuthSSPI::nsAuthSSPI(pType package)
     : mServiceFlags(REQ_DEFAULT)
     , mMaxTokenLen(0)
     , mPackage(package)
     , mCertDERData(nullptr)
     , mCertDERLength(0)
 {
     memset(&mCred, 0, sizeof(mCred));
@@ -159,23 +203,33 @@ nsAuthSSPI::Init(const char *serviceName
         rv = InitSSPI();
         if (NS_FAILED(rv))
             return rv;
     }
     SEC_WCHAR *package;
 
     package = (SEC_WCHAR *) pTypeName[(int)mPackage];
 
-    // The incoming serviceName is in the format: "protocol@hostname", SSPI expects
-    // "<service class>/<hostname>", so swap the '@' for a '/'.
-    mServiceName.Assign(serviceName);
-    int32_t index = mServiceName.FindChar('@');
-    if (index == kNotFound)
-        return NS_ERROR_UNEXPECTED;
-    mServiceName.Replace(index, 1, '/');
+    if (mPackage == PACKAGE_TYPE_NTLM) {
+        // (bug 535193) For NTLM, just use the uri host, do not do canonical host lookups.
+        // The incoming serviceName is in the format: "protocol@hostname", SSPI expects
+        // "<service class>/<hostname>", so swap the '@' for a '/'.
+        mServiceName.Assign(serviceName);
+        int32_t index = mServiceName.FindChar('@');
+        if (index == kNotFound)
+            return NS_ERROR_UNEXPECTED;
+        mServiceName.Replace(index, 1, '/');
+    }
+    else {
+        // Kerberos requires the canonical host, MakeSN takes care of this through a
+        // DNS lookup.
+        rv = MakeSN(serviceName, mServiceName);
+        if (NS_FAILED(rv))
+            return rv;
+    }
 
     mServiceFlags = serviceFlags;
 
     SECURITY_STATUS rc;
 
     PSecPkgInfoW pinfo;
     rc = (sspi->QuerySecurityPackageInfoW)(package, &pinfo);
     if (rc != SEC_E_OK) {
@@ -594,21 +648,8 @@ nsAuthSSPI::Wrap(const void *inToken,
 
         memcpy(p,bufs.ib[2].pvBuffer, bufs.ib[2].cbBuffer);
         
         return NS_OK;
     }
 
     return NS_ERROR_FAILURE;
 }
-
-NS_IMETHODIMP
-nsAuthSSPI::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-
-    // (bug 535193) For NTLM, just use the uri host, do not do canonical host
-    // lookups. But Kerberos requires the canonical host.
-    if (mPackage != PACKAGE_TYPE_NTLM)
-        *flags |= CANONICAL_NAME_REQUIRED;
-
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSambaNTLM.cpp
+++ b/extensions/auth/nsAuthSambaNTLM.cpp
@@ -277,15 +277,8 @@ NS_IMETHODIMP
 nsAuthSambaNTLM::Wrap(const void *inToken,
                       uint32_t    inTokenLen,
                       bool        confidential,
                       void      **outToken,
                       uint32_t   *outTokenLen)
 {
     return NS_ERROR_NOT_IMPLEMENTED;
 }
-
-NS_IMETHODIMP
-nsAuthSambaNTLM::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/netwerk/base/public/nsIAuthModule.idl
+++ b/netwerk/base/public/nsIAuthModule.idl
@@ -1,15 +1,15 @@
 /* vim:set ts=4 sw=4 et cindent: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
-[uuid(fb82a326-1311-4c45-b5b3-84eb883d4b70)]
+[uuid(6e35dbc0-49ef-4e2c-b1ea-b72ec64450a2)]
 interface nsIAuthModule : nsISupports
 {
     /**
      * Default behavior.
      */
     const unsigned long REQ_DEFAULT = 0;
 
     /**
@@ -111,23 +111,16 @@ interface nsIAuthModule : nsISupports
      *
      * Unwrap() may return NS_ERROR_NOT_IMPLEMENTED, if the underlying  
      * authentication mechanism does not support security layers.
      */
     void unwrap([const] in voidPtr aInToken,
                 in unsigned long   aInTokenLength,
                 out voidPtr        aOutToken,
                 out unsigned long  aOutTokenLength);
-
-    /* Flags defining various properties of the auth module. */
-    readonly attribute unsigned long moduleProperties;
-
-    /* The service name in Init() is required to be the Canonical DNS
-       name for that host */
-    const unsigned long CANONICAL_NAME_REQUIRED = (1<<0);
 };
 
 %{C++
 /**
  * nsIAuthModule implementations are registered under the following contract
  * ID prefix:
  */
 #define NS_AUTH_MODULE_CONTRACTID_PREFIX \
--- a/netwerk/dns/nsDNSService2.cpp
+++ b/netwerk/dns/nsDNSService2.cpp
@@ -690,25 +690,16 @@ nsDNSService::CancelAsyncResolve(const n
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsDNSService::Resolve(const nsACString &hostname,
                       uint32_t          flags,
                       nsIDNSRecord    **result)
 {
-    NS_WARNING("Do not use synchronous DNS resolution! This API may be removed soon.");
-
-    // We will not allow this to be called on the main thread. This is transitional
-    // and a bit of a test for removing the synchronous API entirely.
-    if (NS_IsMainThread()) {
-        NS_ERROR("Synchronous DNS resolve failing - not allowed on the main thread!");
-        return NS_ERROR_FAILURE;
-    }
-
     // grab reference to global host resolver and IDN service.  beware
     // simultaneous shutdown!!
     nsRefPtr<nsHostResolver> res;
     nsCOMPtr<nsIIDNService> idn;
     bool localDomain = false;
     {
         MutexAutoLock lock(mLock);
         res = mResolver;
--- a/netwerk/dns/nsIDNSService.idl
+++ b/netwerk/dns/nsIDNSService.idl
@@ -64,18 +64,19 @@ interface nsIDNSService : nsISupports
      * @return An object that can be used to cancel the host lookup.
      */
     void cancelAsyncResolve(in AUTF8String       aHostName,
                             in unsigned long     aFlags,
                             in nsIDNSListener    aListener,
                             in nsresult          aReason);
     
     /**
-     * Called to synchronously resolve a hostname.  This method will fail
-     * if called from the main thread.
+     * called to synchronously resolve a hostname.  warning this method may
+     * block the calling thread for a long period of time.  it is extremely
+     * unwise to call this function on the UI thread of an application.
      *
      * @param aHostName
      *        the hostname or IP-address-literal to resolve.
      * @param aFlags
      *        a bitwise OR of the RESOLVE_ prefixed constants defined below.
      *
      * @return DNS record corresponding to the given hostname.
      * @throws NS_ERROR_UNKNOWN_HOST if host could not be resolved.
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -4169,29 +4169,16 @@ NS_IMETHODIMP nsHttpChannel::OnAuthCance
         if (NS_FAILED(rv))
             mTransactionPump->Cancel(rv);
     }
 
     mProxyAuthPending = false;
     return NS_OK;
 }
 
-NS_IMETHODIMP nsHttpChannel::GetAsciiHostForAuth(nsACString &host)
-{
-    if (mAuthProvider)
-        return mAuthProvider->GetAsciiHostForAuth(host);
-
-    nsresult rv;
-    nsCOMPtr<nsIURI> uri;
-    rv = GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    return uri->GetAsciiHost(host);
-}
-
 //-----------------------------------------------------------------------------
 // nsHttpChannel::nsISupports
 //-----------------------------------------------------------------------------
 
 NS_IMPL_ADDREF_INHERITED(nsHttpChannel, HttpBaseChannel)
 NS_IMPL_RELEASE_INHERITED(nsHttpChannel, HttpBaseChannel)
 
 NS_INTERFACE_MAP_BEGIN(nsHttpChannel)
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -77,17 +77,16 @@ public:
     NS_IMETHOD GetProxyMethodIsConnect(bool *aProxyMethodIsConnect);
     NS_IMETHOD GetServerResponseHeader(nsACString & aServerResponseHeader);
     NS_IMETHOD GetProxyChallenges(nsACString & aChallenges);
     NS_IMETHOD GetWWWChallenges(nsACString & aChallenges);
     NS_IMETHOD SetProxyCredentials(const nsACString & aCredentials);
     NS_IMETHOD SetWWWCredentials(const nsACString & aCredentials);
     NS_IMETHOD OnAuthAvailable();
     NS_IMETHOD OnAuthCancelled(bool userCancel);
-    NS_IMETHOD GetAsciiHostForAuth(nsACString &aHost);
     // Functions we implement from nsIHttpAuthenticableChannel but are
     // declared in HttpBaseChannel must be implemented in this class. We
     // just call the HttpBaseChannel:: impls.
     NS_IMETHOD GetLoadFlags(nsLoadFlags *aLoadFlags);
     NS_IMETHOD GetURI(nsIURI **aURI);
     NS_IMETHOD GetNotificationCallbacks(nsIInterfaceRequestor **aCallbacks);
     NS_IMETHOD GetLoadGroup(nsILoadGroup **aLoadGroup);
     NS_IMETHOD GetRequestMethod(nsACString& aMethod);
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -11,20 +11,16 @@
 #include "nsIAuthPrompt2.h"
 #include "nsIAuthPromptProvider.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsEscape.h"
 #include "nsAuthInformationHolder.h"
 #include "nsIStringBundle.h"
 #include "nsIPrompt.h"
-#include "nsIAuthModule.h"
-#include "nsIDNSService.h"
-#include "nsNetCID.h"
-#include "nsIDNSRecord.h"
 #include "nsNetUtil.h"
 
 static void
 GetAppIdAndBrowserStatus(nsIChannel* aChan, uint32_t* aAppId, bool* aInBrowserElem)
 {
     nsCOMPtr<nsILoadContext> loadContext;
     if (aChan) {
         NS_QueryNotificationCallbacks(aChan, loadContext);
@@ -42,17 +38,16 @@ nsHttpChannelAuthProvider::nsHttpChannel
     : mAuthChannel(nullptr)
     , mIsPrivate(false)
     , mProxyAuthContinuationState(nullptr)
     , mAuthContinuationState(nullptr)
     , mProxyAuth(false)
     , mTriedProxyAuth(false)
     , mTriedHostAuth(false)
     , mSuppressDefensiveAuth(false)
-    , mResolvedHost(0)
 {
     // grab a reference to the handler to ensure that it doesn't go away.
     nsHttpHandler *handler = gHttpHandler;
     NS_ADDREF(handler);
 }
 
 nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
 {
@@ -96,19 +91,16 @@ NS_IMETHODIMP
 nsHttpChannelAuthProvider::ProcessAuthentication(uint32_t httpStatus,
                                                  bool     SSLConnectFailed)
 {
     LOG(("nsHttpChannelAuthProvider::ProcessAuthentication "
          "[this=%p channel=%p code=%u SSLConnectFailed=%d]\n",
          this, mAuthChannel, httpStatus, SSLConnectFailed));
 
     NS_ASSERTION(mAuthChannel, "Channel not initialized");
-    
-    mCanonicalizedHost.Truncate();
-    mResolvedHost = 0;
 
     nsCOMPtr<nsIProxyInfo> proxyInfo;
     nsresult rv = mAuthChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
     if (NS_FAILED(rv)) return rv;
     if (proxyInfo) {
         mProxyInfo = do_QueryInterface(proxyInfo);
         if (!mProxyInfo) return NS_ERROR_NO_INTERFACE;
     }
@@ -237,36 +229,28 @@ NS_IMETHODIMP
 nsHttpChannelAuthProvider::Cancel(nsresult status)
 {
     NS_ASSERTION(mAuthChannel, "Channel not initialized");
 
     if (mAsyncPromptAuthCancelable) {
         mAsyncPromptAuthCancelable->Cancel(status);
         mAsyncPromptAuthCancelable = nullptr;
     }
-    if (mDNSQuery) {
-        mDNSQuery->Cancel(status);
-        mDNSQuery = nullptr;
-    }
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHttpChannelAuthProvider::Disconnect(nsresult status)
 {
     mAuthChannel = nullptr;
 
     if (mAsyncPromptAuthCancelable) {
         mAsyncPromptAuthCancelable->Cancel(status);
         mAsyncPromptAuthCancelable = nullptr;
     }
-    if (mDNSQuery) {
-        mDNSQuery->Cancel(status);
-        mDNSQuery = nullptr;
-    }
 
     NS_IF_RELEASE(mProxyAuthContinuationState);
     NS_IF_RELEASE(mAuthContinuationState);
 
     return NS_OK;
 }
 
 // buf contains "domain\user"
@@ -453,68 +437,16 @@ nsHttpChannelAuthProvider::PrepareForAut
             if (NS_FAILED(rv)) return rv;
             LOG(("  cleared proxy authorization header"));
         }
     }
 
     return NS_OK;
 }
 
-bool
-nsHttpChannelAuthProvider::AuthModuleRequiresCanonicalName(nsISupports *state)
-{
-    if (mResolvedHost || !state)
-        return false;
-
-    nsCOMPtr<nsIAuthModule> module = do_QueryInterface(state);
-    if (!module)
-        return false;
-
-    uint32_t flags;
-    if (NS_FAILED(module->GetModuleProperties(&flags)))
-        return false;
-
-    if (!(flags & nsIAuthModule::CANONICAL_NAME_REQUIRED))
-        return false;
-    
-    LOG(("nsHttpChannelAuthProvider::AuthModuleRequiresCanoncialName "
-         "this=%p\n", this));
-    return true;
-}
-
-nsresult
-nsHttpChannelAuthProvider::ResolveHost()
-{
-    mResolvedHost = 1;
-
-    nsresult rv;
-    static NS_DEFINE_CID(kDNSServiceCID, NS_DNSSERVICE_CID);
-        nsCOMPtr<nsIDNSService> dns = do_GetService(kDNSServiceCID, &rv);
-    if (NS_FAILED(rv))
-        return rv;
-
-    nsCOMPtr<nsIURI> uri;
-    rv = mAuthChannel->GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    nsAutoCString host;
-    rv = uri->GetAsciiHost(host);
-    if (NS_FAILED(rv))
-        return rv;
-
-    LOG(("nsHttpChannelAuthProvider::ResolveHost() this=%p "
-         "looking up canoncial of %s\n", this, host.get()));
-    nsRefPtr<DNSCallback> dnsCallback = new DNSCallback(this);
-    rv = dns->AsyncResolve(host,
-                           nsIDNSService::RESOLVE_CANONICAL_NAME,
-                           dnsCallback, NS_GetCurrentThread(),
-                           getter_AddRefs(mDNSQuery));
-    return rv;
-}
-
 nsresult
 nsHttpChannelAuthProvider::GetCredentials(const char     *challenges,
                                           bool            proxyAuth,
                                           nsAFlatCString &creds)
 {
     nsCOMPtr<nsIHttpAuthenticator> auth;
     nsAutoCString challenge;
 
@@ -821,23 +753,16 @@ nsHttpChannelAuthProvider::GetCredential
             // this return code alone is not equivalent to Cancel, since
             // it only instructs our caller that authentication failed.
             // without an explicit call to Cancel, our caller would just
             // load the page that accompanies the HTTP auth challenge.
             return NS_ERROR_ABORT;
         }
     }
 
-    if (AuthModuleRequiresCanonicalName(*continuationState)) {
-        nsresult rv = ResolveHost();
-        if (NS_SUCCEEDED(rv))
-            return NS_ERROR_IN_PROGRESS;
-        return rv;
-    }
-
     //
     // get credentials for the given user:pass
     //
     // always store the credentials we're trying now so that they will be used
     // on subsequent links.  This will potentially remove good credentials from
     // the cache.  This is ok as we don't want to use cached credentials if the
     // user specified something on the URI or in another manner.  This is so
     // that we don't transparently authenticate as someone they're not
@@ -1100,28 +1025,19 @@ NS_IMETHODIMP nsHttpChannelAuthProvider:
                                      &entry);
 
     nsCOMPtr<nsISupports> sessionStateGrip;
     if (entry)
         sessionStateGrip = entry->mMetaData;
 
     nsAuthInformationHolder* holder =
             static_cast<nsAuthInformationHolder*>(aAuthInfo);
-    if (holder) {
-        ident->Set(holder->Domain().get(),
-                   holder->User().get(),
-                   holder->Password().get());
-    }
-
-    if (AuthModuleRequiresCanonicalName(*continuationState)) {
-        rv = ResolveHost();
-        if (NS_FAILED(rv))
-            OnAuthCancelled(aContext, true);
-        return NS_OK;
-    }
+    ident->Set(holder->Domain().get(),
+               holder->User().get(),
+               holder->Password().get());
 
     nsAutoCString unused;
     nsCOMPtr<nsIHttpAuthenticator> auth;
     rv = GetAuthenticator(mCurrentChallenge.get(), unused,
                           getter_AddRefs(auth));
     if (NS_FAILED(rv)) {
         NS_ASSERTION(false, "GetAuthenticator failed");
         OnAuthCancelled(aContext, true);
@@ -1416,60 +1332,10 @@ nsHttpChannelAuthProvider::GetCurrentPat
     nsCOMPtr<nsIURL> url = do_QueryInterface(mURI);
     if (url)
         rv = url->GetDirectory(path);
     else
         rv = mURI->GetPath(path);
     return rv;
 }
 
-nsresult
-nsHttpChannelAuthProvider::GetAsciiHostForAuth(nsACString &host)
-{
-    if (!mCanonicalizedHost.IsEmpty()) {
-        LOG(("nsHttpChannelAuthProvider::GetAsciiHostForAuth"
-             " this=%p host is %s\n", this, mCanonicalizedHost.get()));
-        host = mCanonicalizedHost;
-        return NS_OK;
-    }
-    
-    // fallback
-    nsresult rv;
-    nsCOMPtr<nsIURI> uri;
-    rv = mAuthChannel->GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    return uri->GetAsciiHost(host);
-}
-
-NS_IMETHODIMP
-nsHttpChannelAuthProvider::DNSCallback::OnLookupComplete(nsICancelable *request,
-                                                         nsIDNSRecord  *record,
-                                                         nsresult       rv)
-{
-    nsCString cname;
-    mAuthProvider->SetDNSQuery(nullptr);
-
-    LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-         "rv=%X\n", mAuthProvider.get(), rv));
-
-    if (NS_SUCCEEDED(rv))
-        rv = record->GetCanonicalName(cname);
-
-    if (NS_SUCCEEDED(rv)) {
-        LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-             "resolved to %s\n", mAuthProvider.get(), cname.get()));
-        mAuthProvider->SetCanonicalizedHost(cname);
-    }
-    else {
-        LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-             "GetCanonicalName failed\n", mAuthProvider.get()));
-    }
-
-    // Proceed whether or not DNS canonicalization succeeded
-    mAuthProvider->OnAuthAvailable(nullptr, nullptr);
-    return NS_OK;
-}
-
 NS_IMPL_ISUPPORTS3(nsHttpChannelAuthProvider, nsICancelable,
                    nsIHttpChannelAuthProvider, nsIAuthPromptCallback)
-NS_IMPL_THREADSAFE_ISUPPORTS1(nsHttpChannelAuthProvider::DNSCallback,
-                              nsIDNSListener)
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.h
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
@@ -11,17 +11,16 @@
 #include "nsIHttpChannelAuthProvider.h"
 #include "nsIAuthPromptCallback.h"
 #include "nsString.h"
 #include "nsCOMPtr.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
 #include "nsHttpAuthCache.h"
 #include "nsProxyInfo.h"
-#include "nsIDNSListener.h"
 #include "mozilla/Attributes.h"
 
 class nsIHttpAuthenticator;
 
 class nsHttpChannelAuthProvider : public nsIHttpChannelAuthProvider
                                 , public nsIAuthPromptCallback
 {
 public:
@@ -53,18 +52,16 @@ private:
                                  int32_t port, const char *dir,
                                  const char *realm, const char *challenge,
                                  const nsHttpAuthIdentity &ident,
                                  nsCOMPtr<nsISupports> &session, char **result);
     nsresult GetAuthenticator(const char *challenge, nsCString &scheme,
                               nsIHttpAuthenticator **auth);
     void     ParseRealm(const char *challenge, nsACString &realm);
     void     GetIdentityFromURI(uint32_t authFlags, nsHttpAuthIdentity&);
-    bool     AuthModuleRequiresCanonicalName(nsISupports *state);
-    nsresult ResolveHost();
 
     /**
      * Following three methods return NS_ERROR_IN_PROGRESS when
      * nsIAuthPrompt2.asyncPromptAuth method is called. This result indicates
      * the user's decision will be gathered in a callback and is not an actual
      * error.
      */
     nsresult GetCredentials(const char *challenges, bool proxyAuth,
@@ -105,26 +102,22 @@ private:
     /**
      * A function that takes care of reading STS headers and enforcing STS 
      * load rules.  After a secure channel is erected, STS requires the channel
      * to be trusted or any STS header data on the channel is ignored.
      * This is called from ProcessResponse.
      */
     nsresult ProcessSTSHeader();
 
-    void SetDNSQuery(nsICancelable *aQuery) { mDNSQuery = aQuery; }
-    void SetCanonicalizedHost(nsACString &aHost) { mCanonicalizedHost = aHost; }
-
 private:
     nsIHttpAuthenticableChannel      *mAuthChannel;  // weak ref
 
     nsCOMPtr<nsIURI>                  mURI;
     nsCOMPtr<nsProxyInfo>             mProxyInfo;
     nsCString                         mHost;
-    nsCString                         mCanonicalizedHost;
     int32_t                           mPort;
     bool                              mUsingSSL;
     bool                              mIsPrivate;
 
     nsISupports                      *mProxyAuthContinuationState;
     nsCString                         mProxyAuthType;
     nsISupports                      *mAuthContinuationState;
     nsCString                         mAuthType;
@@ -145,27 +138,11 @@ private:
     nsCString                         mRemainingChallenges;
 
     // True when we need to authenticate to proxy, i.e. when we get 407
     // response. Used in OnAuthAvailable and OnAuthCancelled callbacks.
     uint32_t                          mProxyAuth                : 1;
     uint32_t                          mTriedProxyAuth           : 1;
     uint32_t                          mTriedHostAuth            : 1;
     uint32_t                          mSuppressDefensiveAuth    : 1;
-    uint32_t                          mResolvedHost             : 1;
-
-    // define a separate threadsafe class for use with the DNS callback
-    class DNSCallback MOZ_FINAL : public nsIDNSListener
-    {
-        NS_DECL_ISUPPORTS
-        NS_DECL_NSIDNSLISTENER
-
-        DNSCallback(nsHttpChannelAuthProvider *authProvider)
-            : mAuthProvider(authProvider)
-        { }
-
-    private:
-        nsRefPtr<nsHttpChannelAuthProvider> mAuthProvider;
-    };
-    nsCOMPtr<nsICancelable>          mDNSQuery;
 };
 
 #endif // nsHttpChannelAuthProvider_h__
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -346,18 +346,22 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
     NS_ENSURE_SUCCESS(rv, rv);
 
     void *inBuf, *outBuf;
     uint32_t inBufLen, outBufLen;
 
     // initial challenge
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
         // NTLM service name format is 'HTTP@host' for both http and https
+        nsCOMPtr<nsIURI> uri;
+        rv = authChannel->GetURI(getter_AddRefs(uri));
+        if (NS_FAILED(rv))
+            return rv;
         nsAutoCString serviceName, host;
-        rv = authChannel->GetAsciiHostForAuth(host);
+        rv = uri->GetAsciiHost(host);
         if (NS_FAILED(rv))
             return rv;
         serviceName.AppendLiteral("HTTP@");
         serviceName.Append(host);
         // initialize auth module
         rv = module->Init(serviceName.get(), nsIAuthModule::REQ_DEFAULT, domain, user, pass);
         if (NS_FAILED(rv))
             return rv;
--- a/netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
+++ b/netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
@@ -5,17 +5,17 @@
 
 #include "nsIProxiedChannel.idl"
 #include "nsIChannel.idl"
 
 interface nsILoadGroup;
 interface nsIURI;
 interface nsIInterfaceRequestor;
 
-[scriptable, uuid(ea5f7698-c4e4-48fd-aa54-6fdcf1dc349b)]
+[scriptable, uuid(701093ac-5c7f-429c-99e3-423b041fccb4)]
 interface nsIHttpAuthenticableChannel : nsIProxiedChannel
 {
     /**
      * If the channel being authenticated is using SSL.
      */
     readonly attribute boolean isSSL;
     
     /**
@@ -67,21 +67,16 @@ interface nsIHttpAuthenticableChannel : 
     readonly attribute ACString proxyChallenges;
 
     /**
      * The WWW-Authenticate response header.
      */
     readonly attribute ACString WWWChallenges;
 
     /**
-     * The host portion of the URI, possibly canonicalized
-     */
-    readonly attribute ACString asciiHostForAuth;
-
-    /**
      * Sets the Proxy-Authorization request header. An empty string 
      * will clear it.
      */
     void setProxyCredentials(in ACString credentials);
 
     /**
      * Sets the Authorization request header. An empty string
      * will clear it.
--- a/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
+++ b/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
@@ -20,38 +20,40 @@ interface nsIHttpAuthenticableChannel;
  * in order to get the http cached headers credentials. When the request is
  * unsuccessful because of receiving either a 401 or 407 http response code
  * ProcessAuthentication MUST be called and the page MUST be requested again
  * with the new credentials that the user has provided. After a successful
  * request, checkForSuperfluousAuth MAY be called, and disconnect MUST be
  * called.
  */
 
-[scriptable, uuid(1b74d211-8980-42d4-b0ce-caafa73f4a0f)]
+[scriptable, uuid(c68f3def-c7c8-4ee8-861c-eef49a48b702)]
 interface nsIHttpChannelAuthProvider : nsICancelable
 {
   /**
    * Initializes the http authentication support for the channel.
    * Implementations must hold a weak reference of the channel.
    */
   void init(in nsIHttpAuthenticableChannel channel);
 
   /**
    * Upon receipt of a server challenge, this function is called to determine
    * the credentials to send.
    *
    * @param httpStatus
    *        the http status received.
    * @param sslConnectFailed
    *        if the last ssl tunnel connection attempt was or not successful.
+   * @param callback
+   *        the callback to be called when it returns NS_ERROR_IN_PROGRESS.
+   *        The implementation must hold a weak reference.
    *
    * @returns NS_OK if the credentials were got and set successfully.
    *          NS_ERROR_IN_PROGRESS if the credentials are going to be asked to
-   *                               the user or other blocking event such as DNS
-   *                               is incurred. The channel reference must be
+   *                               the user. The channel reference must be
    *                               alive until the feedback from
    *                               nsIHttpAuthenticableChannel's methods or
    *                               until disconnect be called.
    */
   void processAuthentication(in unsigned long httpStatus,
                              in boolean sslConnectFailed);
 
   /**
@@ -61,18 +63,13 @@ interface nsIHttpChannelAuthProvider : n
 
   /**
    * Check if an unnecessary(and maybe malicious) url authentication has been
    * provided.
    */
   void checkForSuperfluousAuth();
 
   /**
-   * Cancel pending user auth prompts and release the channel
-   * weak reference.
+   * Cancel pending user auth prompts and release the callback and channel
+   * weak references.
    */
   void disconnect(in nsresult status);
-
-  /**
-   * The host portion of the URI, possibly canonicalized
-   */
-  readonly attribute ACString asciiHostForAuth;
 };
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -823,23 +823,16 @@ nsNTLMAuthModule::Wrap(const void *inTok
                        uint32_t    inTokenLen,
                        bool        confidential,
                        void      **outToken,
                        uint32_t   *outTokenLen)
 {
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
-NS_IMETHODIMP
-nsNTLMAuthModule::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
-
 //-----------------------------------------------------------------------------
 // DES support code
 
 // set odd parity bit (in least significant bit position)
 static uint8_t
 des_setkeyparity(uint8_t x)
 {
   if ((((x >> 7) ^ (x >> 6) ^ (x >> 5) ^