Bug 1573720 - Convert network.auth.force-generic-ntlm-v1 to a static pref. r=keeler
authorNicholas Nethercote <nnethercote@mozilla.com>
Thu, 15 Aug 2019 05:29:49 +0000
changeset 488184 c468c61b502549d11efbc0d09fb8ea542eeecdf5
parent 488183 0bef6c2195bc758dffd7265b06c0502d1612918f
child 488185 b4681ecf1fbcf34425db3438339f0ba0f0b71c52
push id36437
push userncsoregi@mozilla.com
push dateThu, 15 Aug 2019 19:33:18 +0000
reviewerskeeler
bugs1573720
milestone70.0a1
Bug 1573720 - Convert network.auth.force-generic-ntlm-v1 to a static pref. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D41913
modules/libpref/init/StaticPrefList.yaml
modules/libpref/init/all.js
security/manager/ssl/nsNTLMAuthModule.cpp
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -5701,16 +5701,22 @@
   type: RelaxedAtomicInt32
   value: 1500
   mirror: always
 
 #---------------------------------------------------------------------------
 # Prefs starting with "network."
 #---------------------------------------------------------------------------
 
+# Force less-secure NTLMv1 when needed (NTLMv2 is the default).
+- name: network.auth.force-generic-ntlm-v1
+  type: bool
+  value: false
+  mirror: always
+
 # Sub-resources HTTP-authentication:
 #   0 - don't allow sub-resources to open HTTP authentication credentials
 #       dialogs
 #   1 - allow sub-resources to open HTTP authentication credentials dialogs,
 #       but don't allow it for cross-origin sub-resources
 #   2 - allow the cross-origin authentication as well.
 - name: network.auth.subresource-http-auth-allow
   type: uint32_t
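Review bot: The new entry's `type: bool` with `mirror: always` produces a plain, non-atomic mirror variable that StaticPrefs only guarantees safe to read on the main thread, while the removed `AddBoolVarCache` static had no such expectation; if `GenerateType3Msg` in nsNTLMAuthModule.cpp can run off the main thread, `type: RelaxedAtomicBool` (the bool counterpart of the `RelaxedAtomicInt32` used by the entry above) is the matching choice, so this is worth confirming rather than assuming. The comment carried over from all.js could also name what honours the pref and what it trades away, e.g. `# Read by nsNTLMAuthModule (GenerateType3Msg): when true the Type 3 message uses the older DES-based NTLMv1 scheme instead of NTLMv2.`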
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2106,19 +2106,16 @@ pref("network.preload", false);
 
 // The following prefs pertain to the negotiate-auth extension (see bug 17578),
 // which provides transparent Kerberos or NTLM authentication using the SPNEGO
 // protocol.  Each pref is a comma-separated list of keys, where each key has
 // the format:
 //   [scheme "://"] [host [":" port]]
 // For example, "foo.com" would match "http://www.foo.com/bar", etc.
 
-// Force less-secure NTLMv1 when needed (NTLMv2 is the default).
-pref("network.auth.force-generic-ntlm-v1", false);
-
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.
 pref("network.negotiate-auth.trusted-uris", "");
 // This list controls which URIs can support delegation.
 pref("network.negotiate-auth.delegation-uris", "");
 
 // Do not allow SPNEGO by default when challenged by a local server.
 pref("network.negotiate-auth.allow-non-fqdn", false);
--- a/security/manager/ssl/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/nsNTLMAuthModule.cpp
@@ -13,30 +13,30 @@
 #include "mozilla/Base64.h"
 #include "mozilla/Casting.h"
 #include "mozilla/CheckedInt.h"
 #include "mozilla/EndianUtils.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Logging.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Sprintf.h"
+#include "mozilla/StaticPrefs_network.h"
 #include "mozilla/Telemetry.h"
 #include "nsCOMPtr.h"
 #include "nsComponentManagerUtils.h"
 #include "nsICryptoHMAC.h"
 #include "nsICryptoHash.h"
 #include "nsIKeyModule.h"
 #include "nsKeyModule.h"
 #include "nsNativeCharsetUtils.h"
 #include "nsNetCID.h"
 #include "nsUnicharUtils.h"
 #include "pk11pub.h"
 #include "prsystem.h"
 
-static bool sNTLMv1Forced = false;
 static mozilla::LazyLogModule sNTLMLog("NTLM");
 
 #define LOG(x) MOZ_LOG(sNTLMLog, mozilla::LogLevel::Debug, x)
 #define LOG_ENABLED() MOZ_LOG_TEST(sNTLMLog, mozilla::LogLevel::Debug)
 
 static void des_makekey(const uint8_t* raw, uint8_t* key);
 static void des_encrypt(const uint8_t* key, const uint8_t* src, uint8_t* hash);
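Review bot: `#include "mozilla/Preferences.h"`, directly above the added `StaticPrefs_network.h` include, may now be dead: the only use of `mozilla::Preferences` visible in this diff is the `AddBoolVarCache` call that the last hunk removes from `InitTest`. If nothing else in the file still references `mozilla::Preferences`, drop that include so the file includes only what it uses.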
 
@@ -492,17 +492,17 @@ static nsresult GenerateType3Msg(const n
 
   rv = ParseType2Msg(inBuf, inLen, &msg);
   if (NS_FAILED(rv)) return rv;
 
   bool unicode = (msg.flags & NTLM_NegotiateUnicode);
 
   // There is no negotiation for NTLMv2, so we just do it unless we are forced
   // by explict user configuration to use the older DES-based cryptography.
-  bool ntlmv2 = (sNTLMv1Forced == false);
+  bool ntlmv2 = StaticPrefs::network_auth_force_generic_ntlm_v1() == false;
 
   // temporary buffers for unicode strings
 #ifdef IS_BIG_ENDIAN
   nsAutoString ucsDomainBuf, ucsUserBuf;
 #endif
   nsAutoCString hostBuf;
   nsAutoString ucsHostBuf;
   // temporary buffers for oem strings
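Review bot: `bool ntlmv2 = StaticPrefs::network_auth_force_generic_ntlm_v1() == false;` compares a bool against `false`; the idiomatic form is `bool ntlmv2 = !StaticPrefs::network_auth_force_generic_ntlm_v1();`. Because taking this branch is a deliberate downgrade to the DES-based scheme the comment above describes, it would also help later diagnosis to record it through the module's existing LOG macro, e.g. `if (!ntlmv2) LOG(("NTLM: NTLMv1 forced by network.auth.force-generic-ntlm-v1"));`. GenerateType3Msg begins and ends outside this hunk.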
@@ -905,23 +905,16 @@ static nsresult GenerateType3Msg(const n
 
 //-----------------------------------------------------------------------------
 
 NS_IMPL_ISUPPORTS(nsNTLMAuthModule, nsIAuthModule)
 
 nsNTLMAuthModule::~nsNTLMAuthModule() { ZapString(mPassword); }
 
 nsresult nsNTLMAuthModule::InitTest() {
-  static bool prefObserved = false;
-  if (!prefObserved) {
-    mozilla::Preferences::AddBoolVarCache(
-        &sNTLMv1Forced, "network.auth.force-generic-ntlm-v1", sNTLMv1Forced);
-    prefObserved = true;
-  }
-
   // disable NTLM authentication when FIPS mode is enabled.
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
 }
 
 NS_IMETHODIMP
 nsNTLMAuthModule::Init(const char* /*serviceName*/, uint32_t serviceFlags,
                        const char16_t* domain, const char16_t* username,
                        const char16_t* password) {