Fix bug 573043. r=jmathies@mozilla.com, a=blocker.
authorHonza Bambas <honzab.moz@firemni.cz>
Tue, 08 Feb 2011 16:12:29 -0800
changeset 62191 52384369a8d479cecf829debe21e31be78cd8de0
parent 62190 f34826051dd5351c58cb7c3b2d8d844c72c0c474
child 62192 39a631a71d18da05227af7639f74e0112fa3dd44
child 63245 3c5f25ac14bf2cdfc5855c7aee09980c1d32b35e
push idunknown
push userunknown
push dateunknown
reviewersjmathies, blocker
bugs573043
milestone2.0b12pre
Fix bug 573043. r=jmathies@mozilla.com, a=blocker.
extensions/auth/nsAuthSSPI.cpp
extensions/auth/nsAuthSSPI.h
netwerk/base/public/Makefile.in
netwerk/base/public/nsISSLStatus.idl
netwerk/base/public/nsISSLStatusProvider.idl
netwerk/base/public/nsIX509Cert.idl
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/protocol/http/nsHttpNTLMAuth.h
security/manager/boot/public/Makefile.in
security/manager/boot/public/nsISSLStatusProvider.idl
security/manager/ssl/public/Makefile.in
security/manager/ssl/public/nsISSLStatus.idl
security/manager/ssl/public/nsIX509Cert.idl
--- a/extensions/auth/nsAuthSSPI.cpp
+++ b/extensions/auth/nsAuthSSPI.cpp
@@ -16,16 +16,17 @@
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
+ *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -47,16 +48,17 @@
 //
 
 #include "nsAuthSSPI.h"
 #include "nsIServiceManager.h"
 #include "nsIDNSService.h"
 #include "nsIDNSRecord.h"
 #include "nsNetCID.h"
 #include "nsCOMPtr.h"
+#include "nsICryptoHash.h"
 
 #include <windows.h>
 
 #define SEC_SUCCESS(Status) ((Status) >= 0)
 
 #ifndef KERB_WRAP_NO_ENCRYPT
 #define KERB_WRAP_NO_ENCRYPT 0x80000001
 #endif
@@ -185,16 +187,18 @@ MakeSN(const char *principal, nsCString 
 }
 
 //-----------------------------------------------------------------------------
 
 nsAuthSSPI::nsAuthSSPI(pType package)
     : mServiceFlags(REQ_DEFAULT)
     , mMaxTokenLen(0)
     , mPackage(package)
+    , mCertDERData(nsnull)
+    , mCertDERLength(0)
 {
     memset(&mCred, 0, sizeof(mCred));
     memset(&mCtxt, 0, sizeof(mCtxt));
 }
 
 nsAuthSSPI::~nsAuthSSPI()
 {
     Reset();
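Review bot: The constructor's initializer list at L75-L76 covers the two new certificate members but not `mIsFirst`, which is assigned only in Init() and Reset(); the flag is read in GetNextToken, so any path that reaches it without a completed Init() (the `mCred` guard there is the only protection) sees an indeterminate value. Add `, mIsFirst(PR_TRUE)` to the list so the object is fully initialized at construction, consistent with how Reset() and Init() treat it.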
@@ -207,16 +211,24 @@ nsAuthSSPI::~nsAuthSSPI()
 #endif
         memset(&mCred, 0, sizeof(mCred));
     }
 }
 
 void
 nsAuthSSPI::Reset()
 {
+    mIsFirst = PR_TRUE;
+
+    if (mCertDERData){
+        nsMemory::Free(mCertDERData);
+        mCertDERData = nsnull;
+        mCertDERLength = 0;   
+    }
+
     if (mCtxt.dwLower || mCtxt.dwUpper) {
         (sspi->DeleteSecurityContext)(&mCtxt);
         memset(&mCtxt, 0, sizeof(mCtxt));
     }
 }
 
 NS_IMPL_ISUPPORTS1(nsAuthSSPI, nsIAuthModule)
 
@@ -224,16 +236,20 @@ NS_IMETHODIMP
 nsAuthSSPI::Init(const char *serviceName,
                  PRUint32    serviceFlags,
                  const PRUnichar *domain,
                  const PRUnichar *username,
                  const PRUnichar *password)
 {
     LOG(("  nsAuthSSPI::Init\n"));
 
+    mIsFirst = PR_TRUE;
+    mCertDERLength = 0;
+    mCertDERData = nsnull;
+
     // The caller must supply a service name to be used. (For why we now require
     // a service name for NTLM, see bug 487872.)
     NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
 
     nsresult rv;
 
     // XXX lazy initialization like this assumes that we are single threaded
     if (!sspi) {
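Review bot: Init() at L120-L121 sets `mCertDERLength` and `mCertDERData` to zero/null without freeing a buffer that GetNextToken may have stored at L201, so a second Init() on a module that already holds a certificate (whether callers do that is not visible here) leaks it. Freeing first keeps the invariant Reset() maintains: `if (mCertDERData) nsMemory::Free(mCertDERData);` before the assignment, or simply `Reset();` here if tearing down `mCtxt` on re-init is acceptable. Init() continues past the end of this hunk.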
@@ -309,73 +325,186 @@ nsAuthSSPI::Init(const char *serviceName
                                            &mCred,
                                            &useBefore);
     if (rc != SEC_E_OK)
         return NS_ERROR_UNEXPECTED;
     LOG(("AcquireCredentialsHandle() succeeded.\n"));
     return NS_OK;
 }
 
+// The arguments inToken and inTokenLen are used to pass in the server
+// certificate (when available) in the first call of the function. The
+// second time these arguments hold an input token. 
 NS_IMETHODIMP
 nsAuthSSPI::GetNextToken(const void *inToken,
                          PRUint32    inTokenLen,
                          void      **outToken,
                          PRUint32   *outTokenLen)
 {
+    // String for end-point bindings.
+    const char end_point[] = "tls-server-end-point:"; 
+    const int end_point_length = sizeof(end_point) - 1;
+    const int hash_size = 32;  // Size of a SHA256 hash.
+    const int cbt_size = hash_size + end_point_length;
+	
     SECURITY_STATUS rc;
     TimeStamp ignored;
 
     DWORD ctxAttr, ctxReq = 0;
     CtxtHandle *ctxIn;
     SecBufferDesc ibd, obd;
-    SecBuffer ib, ob;
+    // Optional second input buffer for the CBT (Channel Binding Token)
+    SecBuffer ib[2], ob;
+    // Pointer to the block of memory that stores the CBT
+    char* sspi_cbt = nsnull;
+    SEC_CHANNEL_BINDINGS pendpoint_binding;
 
     LOG(("entering nsAuthSSPI::GetNextToken()\n"));
 
     if (!mCred.dwLower && !mCred.dwUpper) {
         LOG(("nsAuthSSPI::GetNextToken(), not initialized. exiting."));
         return NS_ERROR_NOT_INITIALIZED;
     }
 
     if (mServiceFlags & REQ_DELEGATE)
         ctxReq |= ISC_REQ_DELEGATE;
     if (mServiceFlags & REQ_MUTUAL_AUTH)
         ctxReq |= ISC_REQ_MUTUAL_AUTH;
 
     if (inToken) {
-        ib.BufferType = SECBUFFER_TOKEN;
-        ib.cbBuffer = inTokenLen;
-        ib.pvBuffer = (void *) inToken;
-        ibd.ulVersion = SECBUFFER_VERSION;
-        ibd.cBuffers = 1;
-        ibd.pBuffers = &ib;
-        ctxIn = &mCtxt;
-    }
-    else {
-        // If there is no input token, then we are starting a new
-        // authentication sequence.  If we have already initialized our
-        // security context, then we're in trouble because it means that the
-        // first sequence failed.  We need to bail or else we might end up in
-        // an infinite loop.
-        if (mCtxt.dwLower || mCtxt.dwUpper) {
+        if (mIsFirst) {
+            // First time if it comes with a token,
+            // the token represents the server certificate.
+            mIsFirst = PR_FALSE;
+            mCertDERLength = inTokenLen;
+            mCertDERData = nsMemory::Alloc(inTokenLen);
+            if (!mCertDERData)
+                return NS_ERROR_OUT_OF_MEMORY;
+            memcpy(mCertDERData, inToken, inTokenLen);
+
+            // We are starting a new authentication sequence.  
+            // If we have already initialized our
+            // security context, then we're in trouble because it means that the
+            // first sequence failed.  We need to bail or else we might end up in
+            // an infinite loop.
+            if (mCtxt.dwLower || mCtxt.dwUpper) {
+                LOG(("Cannot restart authentication sequence!"));
+                return NS_ERROR_UNEXPECTED;
+            }
+            ctxIn = nsnull;
+            // The certificate needs to be erased before being passed 
+            // to InitializeSecurityContextW().
+            inToken = nsnull;
+            inTokenLen = 0;
+        } else {
+            ibd.ulVersion = SECBUFFER_VERSION;
+            ibd.cBuffers = 0;
+            ibd.pBuffers = ib;
+            
+            // If we have stored a certificate, the Channel Binding Token
+            // needs to be generated and sent in the first input buffer.
+            if (mCertDERLength > 0) {
+                // First we create a proper Endpoint Binding structure. 
+                pendpoint_binding.dwInitiatorAddrType = 0;
+                pendpoint_binding.cbInitiatorLength = 0;
+                pendpoint_binding.dwInitiatorOffset = 0;
+                pendpoint_binding.dwAcceptorAddrType = 0;
+                pendpoint_binding.cbAcceptorLength = 0;
+                pendpoint_binding.dwAcceptorOffset = 0;
+                pendpoint_binding.cbApplicationDataLength = cbt_size;
+                pendpoint_binding.dwApplicationDataOffset = 
+                                            sizeof(SEC_CHANNEL_BINDINGS);
+
+                // Then add it to the array of sec buffers accordingly.
+                ib[ibd.cBuffers].BufferType = SECBUFFER_CHANNEL_BINDINGS;
+                ib[ibd.cBuffers].cbBuffer =
+                        pendpoint_binding.cbApplicationDataLength
+                        + pendpoint_binding.dwApplicationDataOffset;
+          
+                sspi_cbt = (char *) nsMemory::Alloc(ib[ibd.cBuffers].cbBuffer);
+                if (!sspi_cbt){
+                    return NS_ERROR_OUT_OF_MEMORY;
+                }
+
+                // Helper to write in the memory block that stores the CBT
+                char* sspi_cbt_ptr = sspi_cbt;
+          
+                ib[ibd.cBuffers].pvBuffer = sspi_cbt;
+                ibd.cBuffers++;
+
+                memcpy(sspi_cbt_ptr, &pendpoint_binding,
+                       pendpoint_binding.dwApplicationDataOffset);
+                sspi_cbt_ptr += pendpoint_binding.dwApplicationDataOffset;
+
+                memcpy(sspi_cbt_ptr, end_point, end_point_length);
+                sspi_cbt_ptr += end_point_length;
+          
+                // Start hashing. We are always doing SHA256, but depending
+                // on the certificate, a different alogirthm might be needed.
+                nsCAutoString hashString;
+
+                nsresult rv;
+                nsCOMPtr<nsICryptoHash> crypto;
+                crypto = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
+                if (NS_SUCCEEDED(rv))
+                    rv = crypto->Init(nsICryptoHash::SHA256);
+                if (NS_SUCCEEDED(rv))
+                    rv = crypto->Update((unsigned char*)mCertDERData, mCertDERLength);
+                if (NS_SUCCEEDED(rv))
+                    rv = crypto->Finish(PR_FALSE, hashString);
+                if (NS_FAILED(rv)) {
+                    nsMemory::Free(mCertDERData);
+                    mCertDERData = nsnull;
+                    mCertDERLength = 0;
+                    nsMemory::Free(sspi_cbt);
+                    return rv;
+                }
+          
+                // Once the hash has been computed, we store it in memory right
+                // after the Endpoint structure and the "tls-server-end-point:"
+                // char array.
+                memcpy(sspi_cbt_ptr, hashString.get(), hash_size);
+          
+                // Free memory used to store the server certificate
+                nsMemory::Free(mCertDERData);
+                mCertDERData = nsnull;
+                mCertDERLength = 0;
+            } // End of CBT computation.
+
+            // We always need this SECBUFFER.
+            ib[ibd.cBuffers].BufferType = SECBUFFER_TOKEN;
+            ib[ibd.cBuffers].cbBuffer = inTokenLen;
+            ib[ibd.cBuffers].pvBuffer = (void *) inToken;
+            ibd.cBuffers++;
+            ctxIn = &mCtxt;
+        }
+    } else { // First time and without a token (no server certificate)
+        // We are starting a new authentication sequence.  If we have already 
+        // initialized our security context, then we're in trouble because it 
+        // means that the first sequence failed.  We need to bail or else we 
+        // might end up in an infinite loop.
+        if (mCtxt.dwLower || mCtxt.dwUpper || mCertDERData || mCertDERLength) {
             LOG(("Cannot restart authentication sequence!"));
             return NS_ERROR_UNEXPECTED;
         }
-
         ctxIn = NULL;
+        mIsFirst = PR_FALSE;
     }
 
     obd.ulVersion = SECBUFFER_VERSION;
     obd.cBuffers = 1;
     obd.pBuffers = &ob;
     ob.BufferType = SECBUFFER_TOKEN;
     ob.cbBuffer = mMaxTokenLen;
     ob.pvBuffer = nsMemory::Alloc(ob.cbBuffer);
-    if (!ob.pvBuffer)
+    if (!ob.pvBuffer){
+        if (sspi_cbt)
+            nsMemory::Free(sspi_cbt);
         return NS_ERROR_OUT_OF_MEMORY;
+    }
     memset(ob.pvBuffer, 0, ob.cbBuffer);
 
     NS_ConvertUTF8toUTF16 wSN(mServiceName);
     SEC_WCHAR *sn = (SEC_WCHAR *) wSN.get();
 
     rc = (sspi->InitializeSecurityContextW)(&mCred,
                                             ctxIn,
                                             sn,
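Review bot: The channel binding built at L263-L287 always hashes the DER certificate with SHA-256 and copies a fixed `hash_size` of 32 bytes, but the tls-server-end-point binding is defined over the hash algorithm of the certificate's signature (SHA-256 only when that algorithm is MD5 or SHA-1), so against a certificate signed with SHA-384 or SHA-512 the token will not match what the server computes and authentication fails; the comment at L263-L264 already acknowledges this. The digest should be selected from the certificate's signature algorithm and the buffer sized from the resulting digest length, and `memcpy(sspi_cbt_ptr, hashString.get(), hash_size)` should at least be guarded by `if (hashString.Length() != hash_size)` (free `sspi_cbt` and the stored cert, return NS_ERROR_UNEXPECTED) rather than copying a fixed count out of an nsCAutoString. Separately, the first-call branch at L196-L219 allocates and copies the certificate before checking at L211 whether a context already exists, so a rejected restart leaves `mCertDERData` allocated with `mIsFirst` already cleared; moving the `mCtxt` check ahead of the allocation keeps that failure path side-effect free. GetNextToken continues past the end of this hunk.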
@@ -391,17 +520,19 @@ nsAuthSSPI::GetNextToken(const void *inT
     if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
 
 #ifdef PR_LOGGING
         if (rc == SEC_E_OK)
             LOG(("InitializeSecurityContext: succeeded.\n"));
         else
             LOG(("InitializeSecurityContext: continue.\n"));
 #endif
-
+        if (sspi_cbt)
+            nsMemory::Free(sspi_cbt);
+            
         if (!ob.cbBuffer) {
             nsMemory::Free(ob.pvBuffer);
             ob.pvBuffer = NULL;
         }
         *outToken = ob.pvBuffer;
         *outTokenLen = ob.cbBuffer;
 
         if (rc == SEC_E_OK)
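Review bot: `sspi_cbt` is released at L346-L347 only inside the success branch; the non-success branch of InitializeSecurityContextW lies past the end of this hunk, so unless it frees the buffer as well, every failed round that carried a CBT leaks it. The buffer is only needed as an input to that call, so freeing it unconditionally right after the call returns removes the dependence on either branch: `if (sspi_cbt) nsMemory::Free(sspi_cbt);` immediately after InitializeSecurityContextW, and drop the copy here. GetNextToken starts and ends outside this hunk.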
--- a/extensions/auth/nsAuthSSPI.h
+++ b/extensions/auth/nsAuthSSPI.h
@@ -15,16 +15,17 @@
  * The Original Code is the SSPI NegotiateAuth Module.
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
+ *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -76,11 +77,14 @@ private:
     CtxtHandle   mCtxt;
     nsCString    mServiceName;
     PRUint32     mServiceFlags;
     PRUint32     mMaxTokenLen;
     pType        mPackage;
     nsString     mDomain;
     nsString     mUsername;
     nsString     mPassword;
+    PRBool       mIsFirst;	
+    void*        mCertDERData; 
+    PRUint32     mCertDERLength;
 };
 
 #endif /* nsAuthSSPI_h__ */
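Review bot: The three new members at L386-L388 carry no comment on ownership or lifecycle, which matters because `mCertDERData` is a raw owning pointer that is freed in Reset() and also released once the CBT has been computed. Suggest `// True until the first GetNextToken() of a sequence; that call may carry the server certificate DER instead of a token.` on `mIsFirst`, and `// Owned copy of the server certificate DER (nsMemory allocated); freed by Reset() or after the CBT is built.` on `mCertDERData`, with `mCertDERLength` noted as its byte length. Line L386 also carries a trailing tab that should be dropped.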
--- a/netwerk/base/public/Makefile.in
+++ b/netwerk/base/public/Makefile.in
@@ -54,16 +54,17 @@ SDK_XPIDLSRCS   = \
 		nsIStreamListener.idl \
 		nsIIOService.idl \
 		nsIURI.idl \
 		nsIURL.idl \
 		nsIFileURL.idl \
 		nsIUploadChannel.idl \
 		nsIUnicharStreamListener.idl \
 		nsITraceableChannel.idl \
+		nsIX509Cert.idl \
 		$(NULL)
 
 XPIDLSRCS	= \
 		nsIApplicationCache.idl \
 		nsIApplicationCacheChannel.idl \
 		nsIApplicationCacheContainer.idl \
 		nsIApplicationCacheService.idl \
 		nsIAuthInformation.idl \
@@ -138,16 +139,18 @@ XPIDLSRCS	= \
 		nsIProxiedChannel.idl \
 		nsIRandomGenerator.idl \
 		nsIStrictTransportSecurityService.idl \
 		nsIURIWithPrincipal.idl \
 		nsIURIClassifier.idl \
 		nsIRedirectResultListener.idl \
 		mozIThirdPartyUtil.idl \
 		nsISerializationHelper.idl \
+		nsISSLStatus.idl \
+		nsISSLStatusProvider.idl \
 		$(NULL)
 
 ifdef MOZ_IPC
 XPIDLSRCS	+= \
 		nsIChildChannel.idl \
 		nsIParentChannel.idl \
 		nsIParentRedirectingChannel.idl \
 		nsIRedirectChannelRegistrar.idl
rename from security/manager/ssl/public/nsISSLStatus.idl
rename to netwerk/base/public/nsISSLStatus.idl
rename from security/manager/boot/public/nsISSLStatusProvider.idl
rename to netwerk/base/public/nsISSLStatusProvider.idl
rename from security/manager/ssl/public/nsIX509Cert.idl
rename to netwerk/base/public/nsIX509Cert.idl
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -17,16 +17,17 @@
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
+ *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -47,16 +48,19 @@
 
 //-----------------------------------------------------------------------------
 
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsIServiceManager.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
+#include "nsIX509Cert.h"
+#include "nsISSLStatus.h"
+#include "nsISSLStatusProvider.h"
 
 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
 // bug 236865 addresses this problem.
@@ -230,16 +234,19 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                                   PRBool          isProxyAuth,
                                   nsISupports   **sessionState,
                                   nsISupports   **continuationState,
                                   PRBool         *identityInvalid)
 {
     LOG(("nsHttpNTLMAuth::ChallengeReceived [ss=%p cs=%p]\n",
          *sessionState, *continuationState));
 
+    // Use the native NTLM if available
+    mUseNative = PR_TRUE;
+
     // NOTE: we don't define any session state, but we do use the pointer.
 
     *identityInvalid = PR_FALSE;
 
     // Start a new auth sequence if the challenge is exactly "NTLM".
     // If native NTLM auth apis are available and enabled through prefs,
     // try to use them.
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
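Review bot: `mUseNative` is per-authenticator state written at L487 but consumed later in GenerateCredentials, possibly for a different channel's auth sequence; if this authenticator object is shared across channels (it is presumably obtained as a service, as the other HTTP authenticators in this codebase are, but confirm), a concurrent ChallengeReceived that falls back to the internal module will flip the flag and make the native-path decision wrong for the other request. The decision belongs in per-sequence state, for example derived from the module stored in `*continuationState` or carried in `*sessionState`, rather than in a member of the authenticator.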
@@ -293,16 +300,18 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
             LOG(("Trying to fall back on internal ntlm auth.\n"));
             module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
+	    
+            mUseNative = PR_FALSE;
 
             // Prompt user for domain, username, and password.
             *identityInvalid = PR_TRUE;
         }
 
         // If this fails, then it means that we cannot do NTLM auth.
         if (!module) {
             LOG(("No ntlm auth modules available.\n"));
@@ -361,18 +370,75 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
             return rv;
         serviceName.AppendLiteral("HTTP@");
         serviceName.Append(host);
         // initialize auth module
         rv = module->Init(serviceName.get(), nsIAuthModule::REQ_DEFAULT, domain, user, pass);
         if (NS_FAILED(rv))
             return rv;
 
+// This update enables updated Windows machines (Win7 or patched previous
+// versions) and Linux machines running Samba (updated for Channel 
+// Binding), to perform Channel Binding when authenticating using NTLMv2 
+// and an outer secure channel.
+// 
+// Currently only implemented for Windows, linux support will be landing in 
+// a separate patch, update this #ifdef accordingly then.
+#if defined (XP_WIN) /* || defined (LINUX) */
+        PRBool isHttps;
+        rv = uri->SchemeIs("https", &isHttps);
+        if (NS_FAILED(rv))
+            return rv;
+            
+        // When the url starts with https, we should retrieve the server 
+        // certificate and compute the CBT, but only when we are using
+        // the native NTLM implementation and not the internal one.
+        if (isHttps && mUseNative) {
+            nsCOMPtr<nsIChannel> channel = do_QueryInterface(authChannel, &rv);
+            if (NS_FAILED(rv))
+                return rv;
+
+            nsCOMPtr<nsISupports> security;
+            rv = channel->GetSecurityInfo(getter_AddRefs(security));
+            if (NS_FAILED(rv))
+                return rv;
+
+            nsCOMPtr<nsISSLStatusProvider> 
+                        statusProvider(do_QueryInterface(security));
+            NS_ENSURE_TRUE(statusProvider, NS_ERROR_FAILURE);
+
+            rv = statusProvider->GetSSLStatus(getter_AddRefs(security));
+            if (NS_FAILED(rv))
+                return rv;
+
+            nsCOMPtr<nsISSLStatus> status(do_QueryInterface(security));
+            NS_ENSURE_TRUE(status, NS_ERROR_FAILURE);
+
+            nsCOMPtr<nsIX509Cert> cert;
+            rv = status->GetServerCert(getter_AddRefs(cert));
+            if (NS_FAILED(rv))
+                return rv;
+
+            PRUint32 length;
+            PRUint8* certArray;
+            cert->GetRawDER(&length, &certArray);						  
+			
+            // If there is a server certificate, we pass it along the
+            // first time we call GetNextToken().
+            inBufLen = length;
+            inBuf = certArray;
+        } else { 
+            // If there is no server certificate, we don't pass anything.
+            inBufLen = 0;
+            inBuf = nsnull;
+        }
+#else // Extended protection update is just for Linux and Windows machines.
         inBufLen = 0;
         inBuf = nsnull;
+#endif
     }
     else {
         // decode challenge; skip past "NTLM " to the start of the base64
         // encoded data.
         int len = strlen(challenge);
         if (len < 6)
             return NS_ERROR_UNEXPECTED; // bogus challenge
         challenge += 5;
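Review bot: The `cert->GetRawDER(&length, &certArray)` call at L569 ignores its return value and `cert` is not checked for null after `GetServerCert`, so on failure the uninitialized `length` and `certArray` are handed to GetNextToken, which copies that many bytes into a fresh buffer. It should read `NS_ENSURE_TRUE(cert, NS_ERROR_FAILURE); rv = cert->GetRawDER(&length, &certArray); if (NS_FAILED(rv)) return rv;`. The DER array is an out-parameter the caller owns, and nothing in this hunk frees `inBuf` after the module has copied it, so check that the code following this hunk releases it. Also, every failure in this chain aborts the whole authentication instead of degrading to no CBT, and for proxy authentication (the counterpart of the `isProxyAuth` flag seen at L478) there is typically no TLS security info on the channel yet, so the `statusProvider` NS_ENSURE_TRUE would fail NTLM proxy auth for https URLs; skipping the CBT when security info is absent or the request is a proxy challenge looks like the intended behavior. GenerateCredentials continues past the end of this hunk.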
--- a/netwerk/protocol/http/nsHttpNTLMAuth.h
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.h
@@ -15,16 +15,17 @@
  *
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@netscape.com>
+ *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -43,11 +44,16 @@
 class nsHttpNTLMAuth : public nsIHttpAuthenticator
 {
 public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSIHTTPAUTHENTICATOR
 
     nsHttpNTLMAuth() {}
     virtual ~nsHttpNTLMAuth() {}
+
+private:
+    // This flag indicates whether we are using the native NTLM implementation
+    // or the internal one.
+    PRBool  mUseNative;
 };
 
 #endif // !nsHttpNTLMAuth_h__
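Review bot: `mUseNative` added at L625 is never initialized by the constructor `nsHttpNTLMAuth() {}` on L619, so its value is indeterminate until ChallengeReceived runs; change it to `nsHttpNTLMAuth() : mUseNative(PR_FALSE) {}`. Since the flag gates whether GenerateCredentials passes the server certificate to the auth module, the comment at L623-L624 should also state that it is set on each ChallengeReceived call and read by the following GenerateCredentials, so a reader knows it is not per-channel state.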
--- a/security/manager/boot/public/Makefile.in
+++ b/security/manager/boot/public/Makefile.in
@@ -45,13 +45,12 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipboot
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsISecurityWarningDialogs.idl \
     $(NULL)
 
 XPIDLSRCS = \
-    nsISSLStatusProvider.idl \
     nsIBufEntropyCollector.idl \
     $(NULL)
 
 include $(topsrcdir)/config/rules.mk
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -48,17 +48,16 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipnss
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsIASN1Object.idl \
     nsIASN1Sequence.idl \
     nsICertificateDialogs.idl \
     nsICRLInfo.idl \
-    nsIX509Cert.idl \
     nsIX509CertDB.idl \
     nsIX509CertValidity.idl \
     $(NULL)
 
 XPIDLSRCS = \
     nsISSLCertErrorDialog.idl \
     nsIBadCertListener2.idl \
     nsISSLErrorListener.idl \
@@ -75,17 +74,16 @@ XPIDLSRCS = \
     nsIPKCS11Slot.idl \
     nsIPK11TokenDB.idl \
     nsICertPickDialogs.idl \
     nsIClientAuthDialogs.idl \
     nsIDOMCryptoDialogs.idl \
     nsIGenKeypairInfoDlg.idl \
     nsITokenDialogs.idl \
     nsITokenPasswordDialogs.idl \
-    nsISSLStatus.idl \
     nsIKeygenThread.idl \
     nsICMSSecureMessage.idl \
     nsIUserCertPicker.idl \
     nsIASN1PrintableItem.idl \
     nsICMSDecoder.idl \
     nsICMSEncoder.idl \
     nsICMSMessageErrors.idl \
     nsICMSMessage.idl \