mozilla-aurora: changeset 185929:f2e10998cd71

--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1313,16 +1313,19 @@ pref("network.seer.preserve", 80); // pe
 
 // The following prefs pertain to the negotiate-auth extension (see bug 17578),
 // which provides transparent Kerberos or NTLM authentication using the SPNEGO
 // protocol.  Each pref is a comma-separated list of keys, where each key has
 // the format:
 //   [scheme "://"] [host [":" port]]
 // For example, "foo.com" would match "http://www.foo.com/bar", etc.
 
+// Allow insecure NTLMv1 when needed.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.
 pref("network.negotiate-auth.trusted-uris", "");
 // This list controls which URIs can support delegation.
 pref("network.negotiate-auth.delegation-uris", "");
 
 // Do not allow SPNEGO by default when challenged by a local server.
 pref("network.negotiate-auth.allow-non-fqdn", false);

--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -8,20 +8,19 @@
 #include "nsNTLMAuthModule.h"
 #include "nsNSSShutDown.h"
 #include "nsNativeCharsetUtils.h"
 #include "prsystem.h"
 #include "pk11pub.h"
 #include "md4.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Telemetry.h"
+#include "mozilla/Preferences.h"
 
-// Since the generic module doesn't support NTLMv2 and NTLMv1 is considered
-// a security threat, we disable the generic module completely.
-#define DISABLE_GENERIC_NTLM_MODULE 1
+static bool sNTLMv1Enabled = false;
 
 #ifdef PR_LOGGING
 static PRLogModuleInfo *
 GetNTLMLog()
 {
   static PRLogModuleInfo *sNTLMLog;
   if (!sNTLMLog)
     sNTLMLog = PR_NewLogModule("NTLM");
@@ -753,26 +752,33 @@ NS_IMPL_ISUPPORTS1(nsNTLMAuthModule, nsI
 nsNTLMAuthModule::~nsNTLMAuthModule()
 {
   ZapString(mPassword);
 }
 
 nsresult
 nsNTLMAuthModule::InitTest()
 {
-#if defined(DISABLE_GENERIC_NTLM_MODULE)
-  // Unconditionally disallow usage of the generic module.
-  return NS_ERROR_NOT_AVAILABLE;
-#else // Generic NTLM is enabled
+  static bool prefObserved = false;
+  if (!prefObserved) {
+    mozilla::Preferences::AddBoolVarCache(
+      &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
+    prefObserved = true;
+  }
+
+  if (!sNTLMv1Enabled) {
+    // Unconditionally disallow usage of the generic module.
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.
   //
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
-#endif
 }
 
 NS_IMETHODIMP
 nsNTLMAuthModule::Init(const char      *serviceName,
                        uint32_t         serviceFlags,
                        const char16_t *domain,
                        const char16_t *username,
                        const char16_t *password)

author	Honza Bambas <honzab.moz@firemni.cz>
	Thu, 24 Apr 2014 18:50:46 +0200
changeset 185929	f2e10998cd71
parent 185928	7940ae66d505
child 185930	8f8dabb57393
push id	5820
push user	ryanvm@gmail.com
push date	Fri, 25 Apr 2014 21:45:49 +0000
treeherder	mozilla-aurora@8f8dabb57393 [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	jduell, lsblakk
bugs	999306
milestone	30.0a2

modules/libpref/src/init/all.js		file \| annotate \| diff \| comparison \| revisions
security/manager/ssl/src/nsNTLMAuthModule.cpp		file \| annotate \| diff \| comparison \| revisions