Bug 999306 - Add 'allow-insecure-ntlm-v1' preference for the generic NTLM v1 authentication module. r=jduell, a=lsblakk
authorHonza Bambas <honzab.moz@firemni.cz>
Thu, 24 Apr 2014 18:50:46 +0200
changeset 185929 f2e10998cd71
parent 185928 7940ae66d505
child 185930 8f8dabb57393
push id5820
push userryanvm@gmail.com
push date2014-04-25 21:45 +0000
treeherdermozilla-aurora@8f8dabb57393 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjduell, lsblakk
bugs999306
milestone30.0a2
Bug 999306 - Add 'allow-insecure-ntlm-v1' preference for the generic NTLM v1 authentication module. r=jduell, a=lsblakk
modules/libpref/src/init/all.js
security/manager/ssl/src/nsNTLMAuthModule.cpp
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1313,16 +1313,19 @@ pref("network.seer.preserve", 80); // pe
 
 // The following prefs pertain to the negotiate-auth extension (see bug 17578),
 // which provides transparent Kerberos or NTLM authentication using the SPNEGO
 // protocol.  Each pref is a comma-separated list of keys, where each key has
 // the format:
 //   [scheme "://"] [host [":" port]]
 // For example, "foo.com" would match "http://www.foo.com/bar", etc.
 
+// Allow insecure NTLMv1 when needed.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.
 pref("network.negotiate-auth.trusted-uris", "");
 // This list controls which URIs can support delegation.
 pref("network.negotiate-auth.delegation-uris", "");
 
 // Do not allow SPNEGO by default when challenged by a local server.
 pref("network.negotiate-auth.allow-non-fqdn", false);
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -8,20 +8,19 @@
 #include "nsNTLMAuthModule.h"
 #include "nsNSSShutDown.h"
 #include "nsNativeCharsetUtils.h"
 #include "prsystem.h"
 #include "pk11pub.h"
 #include "md4.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Telemetry.h"
+#include "mozilla/Preferences.h"
 
-// Since the generic module doesn't support NTLMv2 and NTLMv1 is considered
-// a security threat, we disable the generic module completely.
-#define DISABLE_GENERIC_NTLM_MODULE 1
+static bool sNTLMv1Enabled = false;
 
 #ifdef PR_LOGGING
 static PRLogModuleInfo *
 GetNTLMLog()
 {
   static PRLogModuleInfo *sNTLMLog;
   if (!sNTLMLog)
     sNTLMLog = PR_NewLogModule("NTLM");
@@ -753,26 +752,33 @@ NS_IMPL_ISUPPORTS1(nsNTLMAuthModule, nsI
 nsNTLMAuthModule::~nsNTLMAuthModule()
 {
   ZapString(mPassword);
 }
 
 nsresult
 nsNTLMAuthModule::InitTest()
 {
-#if defined(DISABLE_GENERIC_NTLM_MODULE)
-  // Unconditionally disallow usage of the generic module.
-  return NS_ERROR_NOT_AVAILABLE;
-#else // Generic NTLM is enabled
+  static bool prefObserved = false;
+  if (!prefObserved) {
+    mozilla::Preferences::AddBoolVarCache(
+      &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
+    prefObserved = true;
+  }
+
+  if (!sNTLMv1Enabled) {
+    // Unconditionally disallow usage of the generic module.
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.
   //
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
-#endif
 }
 
 NS_IMETHODIMP
 nsNTLMAuthModule::Init(const char      *serviceName,
                        uint32_t         serviceFlags,
                        const char16_t *domain,
                        const char16_t *username,
                        const char16_t *password)