Bug 734229 - Partially address by refusing to re-negotiate on NTLM. r=mayhemer, r=keeler
authorAndrew Bartlett <abartlet@samba.org>
Fri, 28 Nov 2014 11:34:06 +1300
changeset 273428 4ea6bc9e2fd5db3cb201486fd7b2593d87a13198
parent 273385 94ef7c315d160907333c51c5eaed420f9165a70c
child 273429 4e1ffa5e0202fa10ede528e16cdaf683adf2982f
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
reviewersmayhemer, keeler
bugs734229
milestone40.0a1
Bug 734229 - Partially address by refusing to re-negotiate on NTLM. r=mayhemer, r=keeler Now only one NTLM Negotiate packet will be sent per connection, rather than again after a failed authentication. The problem situation is triggered due to failed Negotiate authentication, and is probably more complex. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
security/manager/ssl/src/nsNTLMAuthModule.cpp
security/manager/ssl/src/nsNTLMAuthModule.h
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -997,16 +997,17 @@ nsNTLMAuthModule::Init(const char      *
                        const char16_t *password)
 {
   NS_ASSERTION((serviceFlags & ~nsIAuthModule::REQ_PROXY_AUTH) == nsIAuthModule::REQ_DEFAULT,
       "unexpected service flags");
 
   mDomain = domain;
   mUsername = username;
   mPassword = password;
+  mNTLMNegotiateSent = false;
 
   static bool sTelemetrySent = false;
   if (!sTelemetrySent) {
       mozilla::Telemetry::Accumulate(
           mozilla::Telemetry::NTLM_MODULE_USED_2,
           serviceFlags & nsIAuthModule::REQ_PROXY_AUTH
               ? NTLM_MODULE_GENERIC_PROXY
               : NTLM_MODULE_GENERIC_DIRECT);
@@ -1025,26 +1026,39 @@ nsNTLMAuthModule::GetNextToken(const voi
   nsresult rv;
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.
   //
   if (PK11_IsFIPS())
     return NS_ERROR_NOT_AVAILABLE;
 
-  // if inToken is non-null, then assume it contains a type 2 message...
-  if (inToken)
-  {
-    LogToken("in-token", inToken, inTokenLen);
-    rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken,
-                          inTokenLen, outToken, outTokenLen);
-  }
-  else
-  {
-    rv = GenerateType1Msg(outToken, outTokenLen);
+  if (mNTLMNegotiateSent) {
+    // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1),
+    // then the NTLMSSP_CHALLENGE (type 2) is expected
+    if (inToken) {
+      LogToken("in-token", inToken, inTokenLen);
+      // Now generate the NTLMSSP_AUTH (type 3)
+      rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken,
+			    inTokenLen, outToken, outTokenLen);
+    } else {
+      LOG(("NTLMSSP_NEGOTIATE already sent and presumably "
+	   "rejected by the server, refusing to send another"));
+      rv = NS_ERROR_UNEXPECTED;
+    }
+  } else {
+    if (inToken) {
+      LOG(("NTLMSSP_NEGOTIATE not sent but NTLM reply already received?!?"));
+      rv = NS_ERROR_UNEXPECTED;
+    } else {
+      rv = GenerateType1Msg(outToken, outTokenLen);
+      if (NS_SUCCEEDED(rv)) {
+	mNTLMNegotiateSent = true;
+      }
+    }
   }
 
 #ifdef PR_LOGGING
   if (NS_SUCCEEDED(rv))
     LogToken("out-token", *outToken, *outTokenLen);
 #endif
 
   return rv;
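Review bot: The new flag records only that the NTLMSSP_NEGOTIATE went out, so inside the `mNTLMNegotiateSent` branch every later non-null `inToken` is still treated as a challenge and answered with a fresh `GenerateType3Msg` result. An NTLM handshake carries exactly one challenge; if a caller can reach GetNextToken again on the same module after the type 3 was produced (not visible from this hunk), the peer obtains further password-derived responses over challenges it chose. I would track that step as well, for example a second member (say `mNTLMAuthSent`) reset in Init, set with `if (NS_SUCCEEDED(rv)) mNTLMAuthSent = true;` after `GenerateType3Msg`, and checked up front with `if (mNTLMAuthSent) return NS_ERROR_UNEXPECTED;`. Separately, the continuation lines of `GenerateType3Msg(...)` and `LOG((...))` and the `mNTLMNegotiateSent = true;` line are indented with tabs while the rest of the function uses spaces. GetNextToken starts and ends outside this hunk.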
--- a/security/manager/ssl/src/nsNTLMAuthModule.h
+++ b/security/manager/ssl/src/nsNTLMAuthModule.h
@@ -23,16 +23,17 @@ public:
 
 protected:
   virtual ~nsNTLMAuthModule();
 
 private:
   nsString mDomain;
   nsString mUsername;
   nsString mPassword;
+  bool mNTLMNegotiateSent;
 };
 
 #define NS_NTLMAUTHMODULE_CONTRACTID \
   NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm"
 #define NS_NTLMAUTHMODULE_CID \
 { /* a4e5888f-4fe4-4632-8e7e-745196ea7c70 */       \
   0xa4e5888f,                                      \
   0x4fe4,                                          \
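Review bot: `bool mNTLMNegotiateSent;` is declared without an initial value, and the only assignment this commit makes before the flag is read is the one in `Init` in nsNTLMAuthModule.cpp. GetNextToken branches on it, so a module on which `Init` was never called would read an indeterminate bool and could take either the "already sent" or the "not sent" path. The constructor is outside the hunk; if it does not already set the member, initialise it there, e.g. `nsNTLMAuthModule() : mNTLMNegotiateSent(false) {}`. A one-line comment on the member such as `// true once the NTLMSSP_NEGOTIATE (type 1) has been generated; reset by Init()` would also document the lifetime of the state.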