Bug 1023748 - Allow NTLMv1 over SSL/TLS by default, r=jduell
parent
6d0b3c59c0
commit
d8b9a11e34
@ -1408,6 +1408,8 @@ pref("network.predictor.preserve", 80); // percentage of predictor data to keep
|
||||
|
||||
// Allow insecure NTLMv1 when needed.
|
||||
pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
|
||||
// Allow insecure NTLMv1 for HTTPS protected sites by default.
|
||||
pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", true);
|
||||
|
||||
// This list controls which URIs can use the negotiate-auth protocol. This
|
||||
// list should be limited to the servers you know you'll need to login to.
|
||||
|
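Review bot: The comments above the two NTLMv1 prefs do not say how the prefs combine, or what risk remains now that the HTTPS one defaults to true. As the check in nsHttpNTLMAuth is written, the internal module is used when either pref is true, so `allow-insecure-ntlm-v1` covers every scheme and `allow-insecure-ntlm-v1-https` only matters while the first is false. I would reword them along the lines of `// Allow the internal NTLMv1 module on any connection, including plain HTTP.` and `// Allow the internal NTLMv1 module on TLS-protected channels only; the server or a TLS-terminating intermediary still receives the weak NTLMv1 response.` That makes it clear to an administrator that both prefs must be false to turn NTLMv1 off.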
@ -24,6 +24,7 @@
|
||||
#include "nsISSLStatusProvider.h"
|
||||
#endif
|
||||
#include "mozilla/Attributes.h"
|
||||
#include "nsThreadUtils.h"
|
||||
|
||||
namespace mozilla {
|
||||
namespace net {
|
||||
@ -32,6 +33,8 @@ static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
|
||||
static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
|
||||
static const char kTrustedURIs[] = "network.automatic-ntlm-auth.trusted-uris";
|
||||
static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
|
||||
static const char kAllowGenericHTTP[] = "network.negotiate-auth.allow-insecure-ntlm-v1";
|
||||
static const char kAllowGenericHTTPS[] = "network.negotiate-auth.allow-insecure-ntlm-v1-https";
|
||||
|
||||
// XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
|
||||
// but since that file lives in a separate library we cannot directly share it.
|
||||
@ -177,6 +180,47 @@ ForceGenericNTLM()
|
||||
return flag;
|
||||
}
|
||||
|
||||
// Check to see if we should use our generic (internal) NTLM auth module.
|
||||
static bool
|
||||
AllowGenericNTLM()
|
||||
{
|
||||
MOZ_ASSERT(NS_IsMainThread());
|
||||
|
||||
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
|
||||
if (!prefs)
|
||||
return false;
|
||||
|
||||
bool flag = false;
|
||||
if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTP, &flag)))
|
||||
flag = false;
|
||||
|
||||
LOG(("Allow use of generic ntlm auth module: %d\n", flag));
|
||||
return flag;
|
||||
}
|
||||
|
||||
// Check to see if we should use our generic (internal) NTLM auth module.
|
||||
static bool
|
||||
AllowGenericNTLMforHTTPS(nsIHttpAuthenticableChannel *channel)
|
||||
{
|
||||
bool isSSL = false;
|
||||
channel->GetIsSSL(&isSSL);
|
||||
if (!isSSL)
|
||||
return false;
|
||||
|
||||
MOZ_ASSERT(NS_IsMainThread());
|
||||
|
||||
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
|
||||
if (!prefs)
|
||||
return false;
|
||||
|
||||
bool flag = false;
|
||||
if (NS_FAILED(prefs->GetBoolPref(kAllowGenericHTTPS, &flag)))
|
||||
flag = false;
|
||||
|
||||
LOG(("Allow use of generic ntlm auth module for only https: %d\n", flag));
|
||||
return flag;
|
||||
}
|
||||
|
||||
// Check to see if we should use default credentials for this host or proxy.
|
||||
static bool
|
||||
CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
|
||||
@ -298,8 +342,11 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHttpAuthenticableChannel *channel,
|
||||
|
||||
// Use our internal NTLM implementation. Note, this is less secure,
|
||||
// see bug 520607 for details.
|
||||
LOG(("Trying to fall back on internal ntlm auth.\n"));
|
||||
module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
|
||||
|
||||
if (AllowGenericNTLM() || AllowGenericNTLMforHTTPS(channel)) {
|
||||
LOG(("Trying to fall back on internal ntlm auth.\n"));
|
||||
module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
|
||||
}
|
||||
|
||||
mUseNative = false;
|
||||
|
||||
|
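Review bot: In the ChallengeReceived hunk, `AllowGenericNTLMforHTTPS(channel)` decides on the channel's `GetIsSSL` alone, which presumably describes the connection to the origin rather than the hop that issued the challenge. If this path is also reached for a proxy challenge, an HTTPS request through a plain-HTTP proxy would send the NTLMv1 response to the proxy outside TLS while the check still passes. The condition should exclude that case, e.g. `if (AllowGenericNTLM() || (!isProxyAuth && AllowGenericNTLMforHTTPS(channel))) {`, assuming the `isProxyAuth` argument is in scope here, since the signature continues outside the hunk. The same commit removes the pref check from nsNTLMAuthModule::InitTest, so this call site becomes the only gate; it is worth confirming that no other consumer instantiates the `ntlm` auth module expecting the pref to be enforced there. The second helper also repeats AllowGenericNTLM's header comment; `// Check whether the internal NTLM module may be used because the channel is TLS-protected.` would tell them apart.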
@ -15,8 +15,6 @@
|
||||
#include "mozilla/Telemetry.h"
|
||||
#include "mozilla/Preferences.h"
|
||||
|
||||
static bool sNTLMv1Enabled = false;
|
||||
|
||||
#ifdef PR_LOGGING
|
||||
static PRLogModuleInfo *
|
||||
GetNTLMLog()
|
||||
@ -757,18 +755,6 @@ nsNTLMAuthModule::~nsNTLMAuthModule()
|
||||
nsresult
|
||||
nsNTLMAuthModule::InitTest()
|
||||
{
|
||||
static bool prefObserved = false;
|
||||
if (!prefObserved) {
|
||||
mozilla::Preferences::AddBoolVarCache(
|
||||
&sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
|
||||
prefObserved = true;
|
||||
}
|
||||
|
||||
if (!sNTLMv1Enabled) {
|
||||
// Unconditionally disallow usage of the generic module.
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
//
|
||||
// disable NTLM authentication when FIPS mode is enabled.
|
||||
|