bug 804605 - backout 767158 and 785050 r=backout a=lsblakk
authorPatrick McManus <mcmanus@ducksong.com>
Mon, 29 Oct 2012 14:18:17 -0400
changeset 110237 757f408c1494476e975749573dccd269ade5764c
parent 110236 214dfb353b693374925843731c2bb026868a63c8
child 110238 9340e498ee624c224d2ca11499989c4c72d264cc
push id214
push userakeybl@mozilla.com
push dateWed, 14 Nov 2012 20:38:59 +0000
treeherdermozilla-release@c8b08ec8e1aa [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbackout, lsblakk
bugs804605, 767158, 785050
milestone17.0
bug 804605 - backout 767158 and 785050 r=backout a=lsblakk
extensions/auth/nsAuthGSSAPI.cpp
extensions/auth/nsAuthSASL.cpp
extensions/auth/nsAuthSSPI.cpp
extensions/auth/nsAuthSambaNTLM.cpp
netwerk/base/public/nsIAuthModule.idl
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpChannel.h
netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
netwerk/protocol/http/nsHttpChannelAuthProvider.h
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
security/manager/ssl/src/nsNTLMAuthModule.cpp
--- a/extensions/auth/nsAuthGSSAPI.cpp
+++ b/extensions/auth/nsAuthGSSAPI.cpp
@@ -562,14 +562,8 @@ nsAuthGSSAPI::Wrap(const void *inToken,
 
     /* it is not possible for output_token.length to be zero */
     *outToken = nsMemory::Clone(output_token.value, output_token.length);
     gss_release_buffer_ptr(&minor_status, &output_token);
 
     return NS_OK;
 }
 
-NS_IMETHODIMP
-nsAuthGSSAPI::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSASL.cpp
+++ b/extensions/auth/nsAuthSASL.cpp
@@ -144,15 +144,8 @@ NS_IMETHODIMP
 nsAuthSASL::Wrap(const void *inToken,
                  uint32_t    inTokenLen,
                  bool        confidential,
                  void      **outToken,
                  uint32_t   *outTokenLen)
 {
     return NS_ERROR_NOT_IMPLEMENTED;
 }
-
-NS_IMETHODIMP
-nsAuthSASL::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSSPI.cpp
+++ b/extensions/auth/nsAuthSSPI.cpp
@@ -86,16 +86,60 @@ InitSSPI()
         return NS_ERROR_UNEXPECTED;
     }
 
     return NS_OK;
 }
 
 //-----------------------------------------------------------------------------
 
+static nsresult
+MakeSN(const char *principal, nsCString &result)
+{
+    nsresult rv;
+
+    nsCAutoString buf(principal);
+
+    // The service name looks like "protocol@hostname", we need to map
+    // this to a value that SSPI expects.  To be consistent with IE, we
+    // need to map '@' to '/' and canonicalize the hostname.
+    PRInt32 index = buf.FindChar('@');
+    if (index == kNotFound)
+        return NS_ERROR_UNEXPECTED;
+    
+    nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
+    if (NS_FAILED(rv))
+        return rv;
+
+    // This could be expensive if our DNS cache cannot satisfy the request.
+    // However, we should have at least hit the OS resolver once prior to
+    // reaching this code, so provided the OS resolver has this information
+    // cached, we should not have to worry about blocking on this function call
+    // for very long.  NOTE: because we ask for the canonical hostname, we
+    // might end up requiring extra network activity in cases where the OS
+    // resolver might not have enough information to satisfy the request from
+    // its cache.  This is not an issue in versions of Windows up to WinXP.
+    nsCOMPtr<nsIDNSRecord> record;
+    rv = dns->Resolve(Substring(buf, index + 1),
+                      nsIDNSService::RESOLVE_CANONICAL_NAME,
+                      getter_AddRefs(record));
+    if (NS_FAILED(rv))
+        return rv;
+
+    nsCAutoString cname;
+    rv = record->GetCanonicalName(cname);
+    if (NS_SUCCEEDED(rv)) {
+        result = StringHead(buf, index) + NS_LITERAL_CSTRING("/") + cname;
+        LOG(("Using SPN of [%s]\n", result.get()));
+    }
+    return rv;
+}
+
+//-----------------------------------------------------------------------------
+
 nsAuthSSPI::nsAuthSSPI(pType package)
     : mServiceFlags(REQ_DEFAULT)
     , mMaxTokenLen(0)
     , mPackage(package)
     , mCertDERData(nullptr)
     , mCertDERLength(0)
 {
     memset(&mCred, 0, sizeof(mCred));
@@ -159,23 +203,33 @@ nsAuthSSPI::Init(const char *serviceName
         rv = InitSSPI();
         if (NS_FAILED(rv))
             return rv;
     }
     SEC_WCHAR *package;
 
     package = (SEC_WCHAR *) pTypeName[(int)mPackage];
 
-    // The incoming serviceName is in the format: "protocol@hostname", SSPI expects
-    // "<service class>/<hostname>", so swap the '@' for a '/'.
-    mServiceName.Assign(serviceName);
-    int32_t index = mServiceName.FindChar('@');
-    if (index == kNotFound)
-        return NS_ERROR_UNEXPECTED;
-    mServiceName.Replace(index, 1, '/');
+    if (mPackage == PACKAGE_TYPE_NTLM) {
+        // (bug 535193) For NTLM, just use the uri host, do not do canonical host lookups.
+        // The incoming serviceName is in the format: "protocol@hostname", SSPI expects
+        // "<service class>/<hostname>", so swap the '@' for a '/'.
+        mServiceName.Assign(serviceName);
+        int32_t index = mServiceName.FindChar('@');
+        if (index == kNotFound)
+            return NS_ERROR_UNEXPECTED;
+        mServiceName.Replace(index, 1, '/');
+    }
+    else {
+        // Kerberos requires the canonical host, MakeSN takes care of this through a
+        // DNS lookup.
+        rv = MakeSN(serviceName, mServiceName);
+        if (NS_FAILED(rv))
+            return rv;
+    }
 
     mServiceFlags = serviceFlags;
 
     SECURITY_STATUS rc;
 
     PSecPkgInfoW pinfo;
     rc = (sspi->QuerySecurityPackageInfoW)(package, &pinfo);
     if (rc != SEC_E_OK) {
@@ -594,21 +648,8 @@ nsAuthSSPI::Wrap(const void *inToken,
 
         memcpy(p,bufs.ib[2].pvBuffer, bufs.ib[2].cbBuffer);
         
         return NS_OK;
     }
 
     return NS_ERROR_FAILURE;
 }
-
-NS_IMETHODIMP
-nsAuthSSPI::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-
-    // (bug 535193) For NTLM, just use the uri host, do not do canonical host
-    // lookups. But Kerberos requires the canonical host.
-    if (mPackage != PACKAGE_TYPE_NTLM)
-        *flags |= CANONICAL_NAME_REQUIRED;
-
-    return NS_OK;
-}
--- a/extensions/auth/nsAuthSambaNTLM.cpp
+++ b/extensions/auth/nsAuthSambaNTLM.cpp
@@ -277,15 +277,8 @@ NS_IMETHODIMP
 nsAuthSambaNTLM::Wrap(const void *inToken,
                       uint32_t    inTokenLen,
                       bool        confidential,
                       void      **outToken,
                       uint32_t   *outTokenLen)
 {
     return NS_ERROR_NOT_IMPLEMENTED;
 }
-
-NS_IMETHODIMP
-nsAuthSambaNTLM::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
--- a/netwerk/base/public/nsIAuthModule.idl
+++ b/netwerk/base/public/nsIAuthModule.idl
@@ -1,15 +1,15 @@
 /* vim:set ts=4 sw=4 et cindent: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
-[uuid(fb82a326-1311-4c45-b5b3-84eb883d4b70)]
+[uuid(6e35dbc0-49ef-4e2c-b1ea-b72ec64450a2)]
 interface nsIAuthModule : nsISupports
 {
     /**
      * Default behavior.
      */
     const unsigned long REQ_DEFAULT = 0;
 
     /**
@@ -111,23 +111,16 @@ interface nsIAuthModule : nsISupports
      *
      * Unwrap() may return NS_ERROR_NOT_IMPLEMENTED, if the underlying  
      * authentication mechanism does not support security layers.
      */
     void unwrap([const] in voidPtr aInToken,
                 in unsigned long   aInTokenLength,
                 out voidPtr        aOutToken,
                 out unsigned long  aOutTokenLength);
-
-    /* Flags defining various properties of the auth module. */
-    readonly attribute unsigned long moduleProperties;
-
-    /* The service name in Init() is required to be the Canonical DNS
-       name for that host */
-    const unsigned long CANONICAL_NAME_REQUIRED = (1<<0);
 };
 
 %{C++
 /**
  * nsIAuthModule implementations are registered under the following contract
  * ID prefix:
  */
 #define NS_AUTH_MODULE_CONTRACTID_PREFIX \
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -4206,29 +4206,16 @@ NS_IMETHODIMP nsHttpChannel::OnAuthCance
 
         if (NS_FAILED(rv))
             mTransactionPump->Cancel(rv);
     }
     
     return NS_OK;
 }
 
-NS_IMETHODIMP nsHttpChannel::GetAsciiHostForAuth(nsACString &host)
-{
-    if (mAuthProvider)
-        return mAuthProvider->GetAsciiHostForAuth(host);
-
-    nsresult rv;
-    nsCOMPtr<nsIURI> uri;
-    rv = GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    return uri->GetAsciiHost(host);
-}
-
 //-----------------------------------------------------------------------------
 // nsHttpChannel::nsISupports
 //-----------------------------------------------------------------------------
 
 NS_IMPL_ADDREF_INHERITED(nsHttpChannel, HttpBaseChannel)
 NS_IMPL_RELEASE_INHERITED(nsHttpChannel, HttpBaseChannel)
 
 NS_INTERFACE_MAP_BEGIN(nsHttpChannel)
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -77,17 +77,16 @@ public:
     NS_IMETHOD GetProxyMethodIsConnect(bool *aProxyMethodIsConnect);
     NS_IMETHOD GetServerResponseHeader(nsACString & aServerResponseHeader);
     NS_IMETHOD GetProxyChallenges(nsACString & aChallenges);
     NS_IMETHOD GetWWWChallenges(nsACString & aChallenges);
     NS_IMETHOD SetProxyCredentials(const nsACString & aCredentials);
     NS_IMETHOD SetWWWCredentials(const nsACString & aCredentials);
     NS_IMETHOD OnAuthAvailable();
     NS_IMETHOD OnAuthCancelled(bool userCancel);
-    NS_IMETHOD GetAsciiHostForAuth(nsACString &aHost);
     // Functions we implement from nsIHttpAuthenticableChannel but are
     // declared in HttpBaseChannel must be implemented in this class. We
     // just call the HttpBaseChannel:: impls.
     NS_IMETHOD GetLoadFlags(nsLoadFlags *aLoadFlags);
     NS_IMETHOD GetURI(nsIURI **aURI);
     NS_IMETHOD GetNotificationCallbacks(nsIInterfaceRequestor **aCallbacks);
     NS_IMETHOD GetLoadGroup(nsILoadGroup **aLoadGroup);
     NS_IMETHOD GetRequestMethod(nsACString& aMethod);
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -11,30 +11,25 @@
 #include "nsIAuthPrompt2.h"
 #include "nsIAuthPromptProvider.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsEscape.h"
 #include "nsAuthInformationHolder.h"
 #include "nsIStringBundle.h"
 #include "nsIPrompt.h"
-#include "nsIAuthModule.h"
-#include "nsIDNSService.h"
-#include "nsNetCID.h"
-#include "nsIDNSRecord.h"
 
 nsHttpChannelAuthProvider::nsHttpChannelAuthProvider()
     : mAuthChannel(nullptr)
     , mProxyAuthContinuationState(nullptr)
     , mAuthContinuationState(nullptr)
     , mProxyAuth(false)
     , mTriedProxyAuth(false)
     , mTriedHostAuth(false)
     , mSuppressDefensiveAuth(false)
-    , mResolvedHost(0)
 {
     // grab a reference to the handler to ensure that it doesn't go away.
     nsHttpHandler *handler = gHttpHandler;
     NS_ADDREF(handler);
 }
 
 nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
 {
@@ -75,19 +70,16 @@ NS_IMETHODIMP
 nsHttpChannelAuthProvider::ProcessAuthentication(uint32_t httpStatus,
                                                  bool     SSLConnectFailed)
 {
     LOG(("nsHttpChannelAuthProvider::ProcessAuthentication "
          "[this=%p channel=%p code=%u SSLConnectFailed=%d]\n",
          this, mAuthChannel, httpStatus, SSLConnectFailed));
 
     NS_ASSERTION(mAuthChannel, "Channel not initialized");
-    
-    mCanonicalizedHost.Truncate();
-    mResolvedHost = 0;
 
     nsCOMPtr<nsIProxyInfo> proxyInfo;
     nsresult rv = mAuthChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
     if (NS_FAILED(rv)) return rv;
     if (proxyInfo) {
         mProxyInfo = do_QueryInterface(proxyInfo);
         if (!mProxyInfo) return NS_ERROR_NO_INTERFACE;
     }
@@ -227,36 +219,28 @@ NS_IMETHODIMP
 nsHttpChannelAuthProvider::Cancel(nsresult status)
 {
     NS_ASSERTION(mAuthChannel, "Channel not initialized");
 
     if (mAsyncPromptAuthCancelable) {
         mAsyncPromptAuthCancelable->Cancel(status);
         mAsyncPromptAuthCancelable = nullptr;
     }
-    if (mDNSQuery) {
-        mDNSQuery->Cancel(status);
-        mDNSQuery = nullptr;
-    }
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHttpChannelAuthProvider::Disconnect(nsresult status)
 {
     mAuthChannel = nullptr;
 
     if (mAsyncPromptAuthCancelable) {
         mAsyncPromptAuthCancelable->Cancel(status);
         mAsyncPromptAuthCancelable = nullptr;
     }
-    if (mDNSQuery) {
-        mDNSQuery->Cancel(status);
-        mDNSQuery = nullptr;
-    }
 
     NS_IF_RELEASE(mProxyAuthContinuationState);
     NS_IF_RELEASE(mAuthContinuationState);
 
     return NS_OK;
 }
 
 // buf contains "domain\user"
@@ -437,68 +421,16 @@ nsHttpChannelAuthProvider::PrepareForAut
             if (NS_FAILED(rv)) return rv;
             LOG(("  cleared proxy authorization header"));
         }
     }
 
     return NS_OK;
 }
 
-bool
-nsHttpChannelAuthProvider::AuthModuleRequiresCanonicalName(nsISupports *state)
-{
-    if (mResolvedHost || !state)
-        return false;
-
-    nsCOMPtr<nsIAuthModule> module = do_QueryInterface(state);
-    if (!module)
-        return false;
-
-    uint32_t flags;
-    if (NS_FAILED(module->GetModuleProperties(&flags)))
-        return false;
-
-    if (!(flags & nsIAuthModule::CANONICAL_NAME_REQUIRED))
-        return false;
-    
-    LOG(("nsHttpChannelAuthProvider::AuthModuleRequiresCanoncialName "
-         "this=%p\n", this));
-    return true;
-}
-
-nsresult
-nsHttpChannelAuthProvider::ResolveHost()
-{
-    mResolvedHost = 1;
-
-    nsresult rv;
-    static NS_DEFINE_CID(kDNSServiceCID, NS_DNSSERVICE_CID);
-        nsCOMPtr<nsIDNSService> dns = do_GetService(kDNSServiceCID, &rv);
-    if (NS_FAILED(rv))
-        return rv;
-
-    nsCOMPtr<nsIURI> uri;
-    rv = mAuthChannel->GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    nsCAutoString host;
-    rv = uri->GetAsciiHost(host);
-    if (NS_FAILED(rv))
-        return rv;
-
-    LOG(("nsHttpChannelAuthProvider::ResolveHost() this=%p "
-         "looking up canoncial of %s\n", this, host.get()));
-    nsRefPtr<DNSCallback> dnsCallback = new DNSCallback(this);
-    rv = dns->AsyncResolve(host,
-                           nsIDNSService::RESOLVE_CANONICAL_NAME,
-                           dnsCallback, NS_GetCurrentThread(),
-                           getter_AddRefs(mDNSQuery));
-    return rv;
-}
-
 nsresult
 nsHttpChannelAuthProvider::GetCredentials(const char     *challenges,
                                           bool            proxyAuth,
                                           nsAFlatCString &creds)
 {
     nsCOMPtr<nsIHttpAuthenticator> auth;
     nsCAutoString challenge;
 
@@ -777,23 +709,16 @@ nsHttpChannelAuthProvider::GetCredential
             // this return code alone is not equivalent to Cancel, since
             // it only instructs our caller that authentication failed.
             // without an explicit call to Cancel, our caller would just
             // load the page that accompanies the HTTP auth challenge.
             return NS_ERROR_ABORT;
         }
     }
 
-    if (AuthModuleRequiresCanonicalName(*continuationState)) {
-        nsresult rv = ResolveHost();
-        if (NS_SUCCEEDED(rv))
-            return NS_ERROR_IN_PROGRESS;
-        return rv;
-    }
-
     //
     // get credentials for the given user:pass
     //
     // always store the credentials we're trying now so that they will be used
     // on subsequent links.  This will potentially remove good credentials from
     // the cache.  This is ok as we don't want to use cached credentials if the
     // user specified something on the URI or in another manner.  This is so
     // that we don't transparently authenticate as someone they're not
@@ -1049,28 +974,19 @@ NS_IMETHODIMP nsHttpChannelAuthProvider:
                                      realm.get(), &entry);
 
     nsCOMPtr<nsISupports> sessionStateGrip;
     if (entry)
         sessionStateGrip = entry->mMetaData;
 
     nsAuthInformationHolder* holder =
             static_cast<nsAuthInformationHolder*>(aAuthInfo);
-    if (holder) {
-        ident->Set(holder->Domain().get(),
-                   holder->User().get(),
-                   holder->Password().get());
-    }
-
-    if (AuthModuleRequiresCanonicalName(*continuationState)) {
-        rv = ResolveHost();
-        if (NS_FAILED(rv))
-            OnAuthCancelled(aContext, true);
-        return NS_OK;
-    }
+    ident->Set(holder->Domain().get(),
+               holder->User().get(),
+               holder->Password().get());
 
     nsCAutoString unused;
     nsCOMPtr<nsIHttpAuthenticator> auth;
     rv = GetAuthenticator(mCurrentChallenge.get(), unused,
                           getter_AddRefs(auth));
     if (NS_FAILED(rv)) {
         NS_ASSERTION(false, "GetAuthenticator failed");
         OnAuthCancelled(aContext, true);
@@ -1352,60 +1268,10 @@ nsHttpChannelAuthProvider::GetCurrentPat
     nsCOMPtr<nsIURL> url = do_QueryInterface(mURI);
     if (url)
         rv = url->GetDirectory(path);
     else
         rv = mURI->GetPath(path);
     return rv;
 }
 
-nsresult
-nsHttpChannelAuthProvider::GetAsciiHostForAuth(nsACString &host)
-{
-    if (!mCanonicalizedHost.IsEmpty()) {
-        LOG(("nsHttpChannelAuthProvider::GetAsciiHostForAuth"
-             " this=%p host is %s\n", this, mCanonicalizedHost.get()));
-        host = mCanonicalizedHost;
-        return NS_OK;
-    }
-    
-    // fallback
-    nsresult rv;
-    nsCOMPtr<nsIURI> uri;
-    rv = mAuthChannel->GetURI(getter_AddRefs(uri));
-    if (NS_FAILED(rv))
-        return rv;
-    return uri->GetAsciiHost(host);
-}
-
-NS_IMETHODIMP
-nsHttpChannelAuthProvider::DNSCallback::OnLookupComplete(nsICancelable *request,
-                                                         nsIDNSRecord  *record,
-                                                         nsresult       rv)
-{
-    nsCString cname;
-    mAuthProvider->SetDNSQuery(nullptr);
-
-    LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-         "rv=%X\n", mAuthProvider.get(), rv));
-
-    if (NS_SUCCEEDED(rv))
-        rv = record->GetCanonicalName(cname);
-
-    if (NS_SUCCEEDED(rv)) {
-        LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-             "resolved to %s\n", mAuthProvider.get(), cname.get()));
-        mAuthProvider->SetCanonicalizedHost(cname);
-    }
-    else {
-        LOG(("nsHttpChannelAuthProvider::OnLookupComplete this=%p "
-             "GetCanonicalName failed\n", mAuthProvider.get()));
-    }
-
-    // Proceed whether or not DNS canonicalization succeeded
-    mAuthProvider->OnAuthAvailable(nullptr, nullptr);
-    return NS_OK;
-}
-
 NS_IMPL_ISUPPORTS3(nsHttpChannelAuthProvider, nsICancelable,
                    nsIHttpChannelAuthProvider, nsIAuthPromptCallback)
-NS_IMPL_THREADSAFE_ISUPPORTS1(nsHttpChannelAuthProvider::DNSCallback,
-                              nsIDNSListener)
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.h
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
@@ -11,17 +11,16 @@
 #include "nsIHttpChannelAuthProvider.h"
 #include "nsIAuthPromptCallback.h"
 #include "nsString.h"
 #include "nsCOMPtr.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
 #include "nsHttpAuthCache.h"
 #include "nsProxyInfo.h"
-#include "nsIDNSListener.h"
 #include "mozilla/Attributes.h"
 
 class nsIHttpAuthenticator;
 
 class nsHttpChannelAuthProvider : public nsIHttpChannelAuthProvider
                                 , public nsIAuthPromptCallback
 {
 public:
@@ -53,18 +52,16 @@ private:
                                  int32_t port, const char *dir,
                                  const char *realm, const char *challenge,
                                  const nsHttpAuthIdentity &ident,
                                  nsCOMPtr<nsISupports> &session, char **result);
     nsresult GetAuthenticator(const char *challenge, nsCString &scheme,
                               nsIHttpAuthenticator **auth);
     void     ParseRealm(const char *challenge, nsACString &realm);
     void     GetIdentityFromURI(uint32_t authFlags, nsHttpAuthIdentity&);
-    bool     AuthModuleRequiresCanonicalName(nsISupports *state);
-    nsresult ResolveHost();
 
     /**
      * Following three methods return NS_ERROR_IN_PROGRESS when
      * nsIAuthPrompt2.asyncPromptAuth method is called. This result indicates
      * the user's decision will be gathered in a callback and is not an actual
      * error.
      */
     nsresult GetCredentials(const char *challenges, bool proxyAuth,
@@ -105,26 +102,22 @@ private:
     /**
      * A function that takes care of reading STS headers and enforcing STS 
      * load rules.  After a secure channel is erected, STS requires the channel
      * to be trusted or any STS header data on the channel is ignored.
      * This is called from ProcessResponse.
      */
     nsresult ProcessSTSHeader();
 
-    void SetDNSQuery(nsICancelable *aQuery) { mDNSQuery = aQuery; }
-    void SetCanonicalizedHost(nsACString &aHost) { mCanonicalizedHost = aHost; }
-
 private:
     nsIHttpAuthenticableChannel      *mAuthChannel;  // weak ref
 
     nsCOMPtr<nsIURI>                  mURI;
     nsCOMPtr<nsProxyInfo>             mProxyInfo;
     nsCString                         mHost;
-    nsCString                         mCanonicalizedHost;
     int32_t                           mPort;
     bool                              mUsingSSL;
 
     nsISupports                      *mProxyAuthContinuationState;
     nsCString                         mProxyAuthType;
     nsISupports                      *mAuthContinuationState;
     nsCString                         mAuthType;
     nsHttpAuthIdentity                mIdent;
@@ -144,27 +137,11 @@ private:
     nsCString                         mRemainingChallenges;
 
     // True when we need to authenticate to proxy, i.e. when we get 407
     // response. Used in OnAuthAvailable and OnAuthCancelled callbacks.
     uint32_t                          mProxyAuth                : 1;
     uint32_t                          mTriedProxyAuth           : 1;
     uint32_t                          mTriedHostAuth            : 1;
     uint32_t                          mSuppressDefensiveAuth    : 1;
-    uint32_t                          mResolvedHost             : 1;
-
-    // define a separate threadsafe class for use with the DNS callback
-    class DNSCallback MOZ_FINAL : public nsIDNSListener
-    {
-        NS_DECL_ISUPPORTS
-        NS_DECL_NSIDNSLISTENER
-
-        DNSCallback(nsHttpChannelAuthProvider *authProvider)
-            : mAuthProvider(authProvider)
-        { }
-
-    private:
-        nsRefPtr<nsHttpChannelAuthProvider> mAuthProvider;
-    };
-    nsCOMPtr<nsICancelable>          mDNSQuery;
 };
 
 #endif // nsHttpChannelAuthProvider_h__
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -346,18 +346,22 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
     NS_ENSURE_SUCCESS(rv, rv);
 
     void *inBuf, *outBuf;
     uint32_t inBufLen, outBufLen;
 
     // initial challenge
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
         // NTLM service name format is 'HTTP@host' for both http and https
+        nsCOMPtr<nsIURI> uri;
+        rv = authChannel->GetURI(getter_AddRefs(uri));
+        if (NS_FAILED(rv))
+            return rv;
         nsCAutoString serviceName, host;
-        rv = authChannel->GetAsciiHostForAuth(host);
+        rv = uri->GetAsciiHost(host);
         if (NS_FAILED(rv))
             return rv;
         serviceName.AppendLiteral("HTTP@");
         serviceName.Append(host);
         // initialize auth module
         rv = module->Init(serviceName.get(), nsIAuthModule::REQ_DEFAULT, domain, user, pass);
         if (NS_FAILED(rv))
             return rv;
--- a/netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
+++ b/netwerk/protocol/http/nsIHttpAuthenticableChannel.idl
@@ -5,17 +5,17 @@
 
 #include "nsIProxiedChannel.idl"
 #include "nsIChannel.idl"
 
 interface nsILoadGroup;
 interface nsIURI;
 interface nsIInterfaceRequestor;
 
-[scriptable, uuid(ea5f7698-c4e4-48fd-aa54-6fdcf1dc349b)]
+[scriptable, uuid(701093ac-5c7f-429c-99e3-423b041fccb4)]
 interface nsIHttpAuthenticableChannel : nsIProxiedChannel
 {
     /**
      * If the channel being authenticated is using SSL.
      */
     readonly attribute boolean isSSL;
     
     /**
@@ -67,21 +67,16 @@ interface nsIHttpAuthenticableChannel : 
     readonly attribute ACString proxyChallenges;
 
     /**
      * The WWW-Authenticate response header.
      */
     readonly attribute ACString WWWChallenges;
 
     /**
-     * The host portion of the URI, possibly canonicalized
-     */
-    readonly attribute ACString asciiHostForAuth;
-
-    /**
      * Sets the Proxy-Authorization request header. An empty string 
      * will clear it.
      */
     void setProxyCredentials(in ACString credentials);
 
     /**
      * Sets the Authorization request header. An empty string
      * will clear it.
--- a/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
+++ b/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl
@@ -20,38 +20,40 @@ interface nsIHttpAuthenticableChannel;
  * in order to get the http cached headers credentials. When the request is
  * unsuccessful because of receiving either a 401 or 407 http response code
  * ProcessAuthentication MUST be called and the page MUST be requested again
  * with the new credentials that the user has provided. After a successful
  * request, checkForSuperfluousAuth MAY be called, and disconnect MUST be
  * called.
  */
 
-[scriptable, uuid(1b74d211-8980-42d4-b0ce-caafa73f4a0f)]
+[scriptable, uuid(c68f3def-c7c8-4ee8-861c-eef49a48b702)]
 interface nsIHttpChannelAuthProvider : nsICancelable
 {
   /**
    * Initializes the http authentication support for the channel.
    * Implementations must hold a weak reference of the channel.
    */
   void init(in nsIHttpAuthenticableChannel channel);
 
   /**
    * Upon receipt of a server challenge, this function is called to determine
    * the credentials to send.
    *
    * @param httpStatus
    *        the http status received.
    * @param sslConnectFailed
    *        if the last ssl tunnel connection attempt was or not successful.
+   * @param callback
+   *        the callback to be called when it returns NS_ERROR_IN_PROGRESS.
+   *        The implementation must hold a weak reference.
    *
    * @returns NS_OK if the credentials were got and set successfully.
    *          NS_ERROR_IN_PROGRESS if the credentials are going to be asked to
-   *                               the user or other blocking event such as DNS
-   *                               is incurred. The channel reference must be
+   *                               the user. The channel reference must be
    *                               alive until the feedback from
    *                               nsIHttpAuthenticableChannel's methods or
    *                               until disconnect be called.
    */
   void processAuthentication(in unsigned long httpStatus,
                              in boolean sslConnectFailed);
 
   /**
@@ -61,18 +63,13 @@ interface nsIHttpChannelAuthProvider : n
 
   /**
    * Check if an unnecessary(and maybe malicious) url authentication has been
    * provided.
    */
   void checkForSuperfluousAuth();
 
   /**
-   * Cancel pending user auth prompts and release the channel
-   * weak reference.
+   * Cancel pending user auth prompts and release the callback and channel
+   * weak references.
    */
   void disconnect(in nsresult status);
-
-  /**
-   * The host portion of the URI, possibly canonicalized
-   */
-  readonly attribute ACString asciiHostForAuth;
 };
--- a/security/manager/ssl/src/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/src/nsNTLMAuthModule.cpp
@@ -826,23 +826,16 @@ nsNTLMAuthModule::Wrap(const void *inTok
                        uint32_t    inTokenLen,
                        bool        confidential,
                        void      **outToken,
                        uint32_t   *outTokenLen)
 {
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
-NS_IMETHODIMP
-nsNTLMAuthModule::GetModuleProperties(uint32_t *flags)
-{
-    *flags = 0;
-    return NS_OK;
-}
-
 //-----------------------------------------------------------------------------
 // DES support code
 
 // set odd parity bit (in least significant bit position)
 static uint8_t
 des_setkeyparity(uint8_t x)
 {
   if ((((x >> 7) ^ (x >> 6) ^ (x >> 5) ^