Bug 999306 - Add 'allow-insecure-ntlm-v1' preference for the generic NTLM v1 authentication module, r=jduell

modules/libpref/src/init/all.js

@@ -1337,6 +1337,9 @@ pref("network.seer.preserve", 80); // percentage of seer data to keep when clean
 //   [scheme "://"] [host [":" port]]
 // For example, "foo.com" would match "http://www.foo.com/bar", etc.
 
+// Allow insecure NTLMv1 when needed.
+pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+
 // This list controls which URIs can use the negotiate-auth protocol.  This
 // list should be limited to the servers you know you'll need to login to.
 pref("network.negotiate-auth.trusted-uris", "");

security/manager/ssl/src/nsNTLMAuthModule.cpp

@@ -13,10 +13,9 @@
 #include "md4.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Telemetry.h"
+#include "mozilla/Preferences.h"
 
-// Since the generic module doesn't support NTLMv2 and NTLMv1 is considered
+static bool sNTLMv1Enabled = false;
-// a security threat, we disable the generic module completely.
-#define DISABLE_GENERIC_NTLM_MODULE 1
 
 #ifdef PR_LOGGING
 static PRLogModuleInfo *
@@ -758,16 +757,23 @@ nsNTLMAuthModule::~nsNTLMAuthModule()
 nsresult
 nsNTLMAuthModule::InitTest()
 {
-#if defined(DISABLE_GENERIC_NTLM_MODULE)
+  static bool prefObserved = false;
-  // Unconditionally disallow usage of the generic module.
+  if (!prefObserved) {
-  return NS_ERROR_NOT_AVAILABLE;
+    mozilla::Preferences::AddBoolVarCache(
-#else // Generic NTLM is enabled
+      &sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
+    prefObserved = true;
+  }
+
+  if (!sNTLMv1Enabled) {
+    // Unconditionally disallow usage of the generic module.
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
   nsNSSShutDownPreventionLock locker;
   //
   // disable NTLM authentication when FIPS mode is enabled.
   //
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
-#endif
 }
 
 NS_IMETHODIMP