Bug 999306 - Add 'allow-insecure-ntlm-v1' preference for the generic NTLM v1 authentication module, r=jduell

This commit is contained in:
Honza Bambas 2014-04-24 18:50:46 +02:00
Родитель f52f871f89
Коммит caddd65460
2 изменённых файлов: 17 добавлений и 8 удалений

Просмотреть файл

@ -1337,6 +1337,9 @@ pref("network.seer.preserve", 80); // percentage of seer data to keep when clean
// [scheme "://"] [host [":" port]]
// For example, "foo.com" would match "http://www.foo.com/bar", etc.
// Allow insecure NTLMv1 when needed.
pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
// This list controls which URIs can use the negotiate-auth protocol. This
// list should be limited to the servers you know you'll need to login to.
pref("network.negotiate-auth.trusted-uris", "");

Просмотреть файл

@ -13,10 +13,9 @@
#include "md4.h"
#include "mozilla/Likely.h"
#include "mozilla/Telemetry.h"
#include "mozilla/Preferences.h"
// Since the generic module doesn't support NTLMv2 and NTLMv1 is considered
// a security threat, we disable the generic module completely.
#define DISABLE_GENERIC_NTLM_MODULE 1
static bool sNTLMv1Enabled = false;
#ifdef PR_LOGGING
static PRLogModuleInfo *
@ -758,16 +757,23 @@ nsNTLMAuthModule::~nsNTLMAuthModule()
nsresult
nsNTLMAuthModule::InitTest()
{
#if defined(DISABLE_GENERIC_NTLM_MODULE)
static bool prefObserved = false;
if (!prefObserved) {
mozilla::Preferences::AddBoolVarCache(
&sNTLMv1Enabled, "network.negotiate-auth.allow-insecure-ntlm-v1", sNTLMv1Enabled);
prefObserved = true;
}
if (!sNTLMv1Enabled) {
// Unconditionally disallow usage of the generic module.
return NS_ERROR_NOT_AVAILABLE;
#else // Generic NTLM is enabled
}
nsNSSShutDownPreventionLock locker;
//
// disable NTLM authentication when FIPS mode is enabled.
//
return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
#endif
}
NS_IMETHODIMP