Bug 999306 - Add 'allow-insecure-ntlm-v1' preference for the generic NTLM v1 authentication module. r=jduell, a=lsblakk
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1313,16 +1313,19 @@ pref("network.seer.preserve", 80); // pe
// The following prefs pertain to the negotiate-auth extension (see bug 17578),
// which provides transparent Kerberos or NTLM authentication using the SPNEGO
// protocol. Each pref is a comma-separated list of keys, where each key has
// the format:
// [scheme "://"] [host [":" port]]
// For example, "foo.com" would match "http://www.foo.com/bar", etc.
+// Allow insecure NTLMv1 when needed.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+
// This list controls which URIs can use the negotiate-auth protocol. This
// list should be limited to the servers you know you'll need to login to.
pref("network.negotiate-auth.trusted-uris", "");
// This list controls which URIs can support delegation.
pref("network.negotiate-auth.delegation-uris", "");
// Do not allow SPNEGO by default when challenged by a local server.
pref("network.negotiate-auth.allow-non-fqdn", false);
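Review bot: The comment `// Allow insecure NTLMv1 when needed.` on the new pref does not say why it defaults to false or what turning it on gives up, while the neighbouring prefs each explain their rationale; suggest `// The generic NTLM module only implements NTLMv1, which is considered insecure; it stays disabled unless this pref is set to true.`. The new line also sits directly under the paragraph stating that "Each pref is a comma-separated list of keys" of the form [scheme "://"] [host [":" port]], which no longer describes this boolean, so either move the pref below that paragraph's URI-list prefs or reword the introduction so it does not claim to cover every pref that follows.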
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -8,20 +8,19 @@
#include "nsNTLMAuthModule.h"
#include "nsNSSShutDown.h"
#include "nsNativeCharsetUtils.h"
#include "prsystem.h"
#include "pk11pub.h"
#include "md4.h"
#include "mozilla/Likely.h"
#include "mozilla/Telemetry.h"
+#include "mozilla/Preferences.h"
-// Since the generic module doesn't support NTLMv2 and NTLMv1 is considered
-// a security threat, we disable the generic module completely.
-#define DISABLE_GENERIC_NTLM_MODULE 1
+static bool sNTLMv1Enabled = false;
#ifdef PR_LOGGING
static PRLogModuleInfo *
GetNTLMLog()
{
static PRLogModuleInfo *sNTLMLog;
if (!sNTLMLog)
sNTLMLog = PR_NewLogModule("NTLM");
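Review bot: The removed comment was the only place recording why the generic module is off by default, and the replacement `static bool sNTLMv1Enabled = false;` carries no rationale, so a reader no longer learns that the default is a security decision rather than an arbitrary flag. Suggest keeping that reasoning above the new variable: `// The generic module only supports NTLMv1, which is considered a security threat, so it stays disabled unless the allow-insecure-ntlm-v1 pref turns it on.`. The same stale wording problem recurs in the InitTest hunk below, where the old "Unconditionally disallow" comment survives.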
@@ -753,26 +752,33 @@ NS_IMPL_ISUPPORTS1(nsNTLMAuthModule, nsI
nsNTLMAuthModule::~nsNTLMAuthModule()
{
ZapString(mPassword);
}
nsresult
nsNTLMAuthModule::InitTest()
{
-#if defined(DISABLE_GENERIC_NTLM_MODULE)
- // Unconditionally disallow usage of the generic module.
- return NS_ERROR_NOT_AVAILABLE;
-#else // Generic NTLM is enabled
+ static bool prefObserved = false;
+ if (!prefObserved) {
+ mozilla::Preferences::AddBoolVarCache(
+ &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
+ prefObserved = true;
+ }
+
+ if (!sNTLMv1Enabled) {
+ // Unconditionally disallow usage of the generic module.
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
nsNSSShutDownPreventionLock locker;
//
// disable NTLM authentication when FIPS mode is enabled.
//
return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
-#endif
}
NS_IMETHODIMP
nsNTLMAuthModule::Init(const char *serviceName,
uint32_t serviceFlags,
const char16_t *domain,
const char16_t *username,
const char16_t *password)
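Review bot: The comment `// Unconditionally disallow usage of the generic module.` retained inside the new `if (!sNTLMv1Enabled)` block is now wrong, since the rejection depends on the pref; change it to `// Generic NTLM only implements NTLMv1; reject unless the pref opts in.`. The nsresult returned by AddBoolVarCache is discarded; because sNTLMv1Enabled is initialised to false a registration failure leaves the module disabled, which fails closed, and a one-line comment saying that this is intended would stop a later reader from "fixing" it. The `prefObserved` check-then-set is not synchronised, so if InitTest can be entered from more than one thread the cache could be registered twice; I cannot tell from the hunk whether that is reachable, and the Preferences API is presumably main-thread only, so a comment stating that assumption (or an assertion, if the file has a main-thread check available) would make it explicit.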