Bug 1023748 - Allow NTLMv1 over SSL/TLS by default. r=jduell, a=sledru
authorHonza Bambas <honzab.moz@firemni.cz>
Mon, 23 Jun 2014 19:43:40 +0200
changeset 199552 91263283a868
parent 199551 37a6172af9cb
child 199553 df888ea3ce68
push id3667
push userryanvm@gmail.com
push date2014-06-23 20:54 +0000
treeherdermozilla-beta@df888ea3ce68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjduell, sledru
bugs1023748
milestone31.0
Bug 1023748 - Allow NTLMv1 over SSL/TLS by default. r=jduell, a=sledru
modules/libpref/src/init/all.js
netwerk/protocol/http/nsHttpNTLMAuth.cpp
security/manager/ssl/src/nsNTLMAuthModule.cpp
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1338,16 +1338,18 @@ pref("network.seer.preserve", 80); // pe
 // which provides transparent Kerberos or NTLM authentication using the SPNEGO
 // protocol.  Each pref is a comma-separated list of keys, where each key has
 // the format:
 //   [scheme "://"] [host [":" port]]
 // For example, "foo.com" would match "http://www.foo.com/bar", etc.
 
 // Allow insecure NTLMv1 when needed.
 pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+// Allow insecure NTLMv1 for HTTPS protected sites by default.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", true);
 
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.
 pref("network.negotiate-auth.trusted-uris", "");
 // This list controls which URIs can support delegation.
 pref("network.negotiate-auth.delegation-uris", "");
 
 // Do not allow SPNEGO by default when challenged by a local server.
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -19,24 +19,27 @@
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
 #ifdef XP_WIN
 #include "nsIX509Cert.h"
 #include "nsISSLStatus.h"
 #include "nsISSLStatusProvider.h"
 #endif
 #include "mozilla/Attributes.h"
+#include "nsThreadUtils.h"
 
 namespace mozilla {
 namespace net {
 
 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
+static const char kAllowGenericHTTP[] = "network.negotiate-auth.allow-insecure-ntlm-v1";
+static const char kAllowGenericHTTPS[] = "network.negotiate-auth.allow-insecure-ntlm-v1-https";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
 // bug 236865 addresses this problem.
 
 static bool
 MatchesBaseURI(const nsCSubstring &matchScheme,
                const nsCSubstring &matchHost,
@@ -172,16 +175,57 @@ ForceGenericNTLM()
 
     if (NS_FAILED(prefs->GetBoolPref(kForceGeneric, &flag)))
         flag = false;
 
     LOG(("Force use of generic ntlm auth module: %d\n", flag));
     return flag;
 }
 
+// Check to see if we should use our generic (internal) NTLM auth module.
+static bool
+AllowGenericNTLM()
+{
+    MOZ_ASSERT(NS_IsMainThread());
+
+    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    if (!prefs)
+        return false;
+
+    bool flag = false;
+    if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTP, &flag)))
+        flag = false;
+
+    LOG(("Allow use of generic ntlm auth module: %d\n", flag));
+    return flag;
+}
+
+// Check to see if we should use our generic (internal) NTLM auth module.
+static bool
+AllowGenericNTLMforHTTPS(nsIHttpAuthenticableChannel *channel)
+{
+    bool isSSL = false;
+    channel->GetIsSSL(&isSSL);
+    if (!isSSL)
+        return false;
+
+    MOZ_ASSERT(NS_IsMainThread());
+
+    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    if (!prefs)
+        return false;
+
+    bool flag = false;
+    if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTPS, &flag)))
+        flag = false;
+
+    LOG(("Allow use of generic ntlm auth module for only https: %d\n", flag));
+    return flag;
+}
+
 // Check to see if we should use default credentials for this host or proxy.
 static bool
 CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
                          bool isProxyAuth)
 {
     nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
     if (!prefs)
         return false;
@@ -293,18 +337,21 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                 *sessionState = new nsNTLMSessionState();
                 if (!*sessionState)
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
-            LOG(("Trying to fall back on internal ntlm auth.\n"));
-            module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
+
+            if (AllowGenericNTLM() || AllowGenericNTLMforHTTPS(channel)) {
+                LOG(("Trying to fall back on internal ntlm auth.\n"));
+                module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
+            }
 	
             mUseNative = false;
 
             // Prompt user for domain, username, and password.
             *identityInvalid = true;
         }
 
         // If this fails, then it means that we cannot do NTLM auth.
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -10,18 +10,16 @@
 #include "nsNativeCharsetUtils.h"
 #include "prsystem.h"
 #include "pk11pub.h"
 #include "md4.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/Preferences.h"
 
-static bool sNTLMv1Enabled = false;
-
 #ifdef PR_LOGGING
 static PRLogModuleInfo *
 GetNTLMLog()
 {
   static PRLogModuleInfo *sNTLMLog;
   if (!sNTLMLog)
     sNTLMLog = PR_NewLogModule("NTLM");
   return sNTLMLog;
@@ -752,28 +750,16 @@ NS_IMPL_ISUPPORTS(nsNTLMAuthModule, nsIA
 nsNTLMAuthModule::~nsNTLMAuthModule()
 {
   ZapString(mPassword);
 }
 
 nsresult
 nsNTLMAuthModule::InitTest()
 {
-  static bool prefObserved = false;
-  if (!prefObserved) {
-    mozilla::Preferences::AddBoolVarCache(
-      &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
-    prefObserved = true;
-  }
-
-  if (!sNTLMv1Enabled) {
-    // Unconditionally disallow usage of the generic module.
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.
   //
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
 }
 
 NS_IMETHODIMP