Bug 1023748 - Allow NTLMv1 over SSL/TLS by default, r=jduell

modules/libpref/src/init/all.js

@@ -1408,6 +1408,8 @@ pref("network.predictor.preserve", 80); // percentage of predictor data to keep
 
 // Allow insecure NTLMv1 when needed.
 pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+// Allow insecure NTLMv1 for HTTPS protected sites by default.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", true);
 
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.

netwerk/protocol/http/nsHttpNTLMAuth.cpp

@@ -24,6 +24,7 @@
 #include "nsISSLStatusProvider.h"
 #endif
 #include "mozilla/Attributes.h"
+#include "nsThreadUtils.h"
 
 namespace mozilla {
 namespace net {
@@ -32,6 +33,8 @@ static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
+static const char kAllowGenericHTTP[] = "network.negotiate-auth.allow-insecure-ntlm-v1";
+static const char kAllowGenericHTTPS[] = "network.negotiate-auth.allow-insecure-ntlm-v1-https";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
@@ -177,6 +180,47 @@ ForceGenericNTLM()
     return flag;
 }
 
+// Check to see if we should use our generic (internal) NTLM auth module.
+static bool
+AllowGenericNTLM()
+{
+    MOZ_ASSERT(NS_IsMainThread());
+
+    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    if (!prefs)
+        return false;
+
+    bool flag = false;
+    if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTP, &flag)))
+        flag = false;
+
+    LOG(("Allow use of generic ntlm auth module: %d\n", flag));
+    return flag;
+}
+
+// Check to see if we should use our generic (internal) NTLM auth module.
+static bool
+AllowGenericNTLMforHTTPS(nsIHttpAuthenticableChannel *channel)
+{
+    bool isSSL = false;
+    channel->GetIsSSL(&isSSL);
+    if (!isSSL)
+        return false;
+
+    MOZ_ASSERT(NS_IsMainThread());
+
+    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    if (!prefs)
+        return false;
+
+    bool flag = false;
+    if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTPS, &flag)))
+        flag = false;
+
+    LOG(("Allow use of generic ntlm auth module for only https: %d\n", flag));
+    return flag;
+}
+
 // Check to see if we should use default credentials for this host or proxy.
 static bool
 CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
@@ -298,8 +342,11 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHttpAuthenticableChannel *channel,
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
-            LOG(("Trying to fall back on internal ntlm auth.\n"));
-            module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
+
+            if (AllowGenericNTLM() || AllowGenericNTLMforHTTPS(channel)) {
+                LOG(("Trying to fall back on internal ntlm auth.\n"));
+                module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
+            }
 	
             mUseNative = false;
 

security/manager/ssl/src/nsNTLMAuthModule.cpp

@@ -15,8 +15,6 @@
 #include "mozilla/Telemetry.h"
 #include "mozilla/Preferences.h"
 
-static bool sNTLMv1Enabled = false;
-
 #ifdef PR_LOGGING
 static PRLogModuleInfo *
 GetNTLMLog()
@@ -757,18 +755,6 @@ nsNTLMAuthModule::~nsNTLMAuthModule()
 nsresult
 nsNTLMAuthModule::InitTest()
 {
-  static bool prefObserved = false;
-  if (!prefObserved) {
-    mozilla::Preferences::AddBoolVarCache(
-      &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
-    prefObserved = true;
-  }
-
-  if (!sNTLMv1Enabled) {
-    // Unconditionally disallow usage of the generic module.
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.