Closed
Bug 286803
Opened 19 years ago
Closed 19 years ago
Automatic NTLM auth fails if SSPI 'negotiate' package not found
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.8beta2
People
(Reporter: darin.moz, Assigned: darin.moz)
Details
Attachments
(1 file, 1 obsolete file)
5.88 KB,
patch
|
Biesinger
:
review+
|
Details | Diff | Splinter Review |
Automatic NTLM auth fails if SSPI 'negotiate' package not found We have buggy code in nsNegotiateAuthSSPI.cpp's InitSSPI function that only succeeds if SSPI provides a 'negotiate' package. For automatic NTLM auth, we leverage the same code that we created for negotiate auth to handle NTLM. That means that this code should initialize itself properly even if the OS only provides NTLM and not negotiate auth.
Assignee | ||
Comment 1•19 years ago
|
||
This is only showing up as a bug on NT4 and other old systems.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta2
Assignee | ||
Comment 2•19 years ago
|
||
This patch should do the trick, but I haven't tested it. If someone can help test it that would be greatly appreciated. I lack access to servers that I could use to test this patch.
Assignee | ||
Comment 3•19 years ago
|
||
Test build posted here: http://friedfish.homeip.net/~darinf/sspi/firefox-test.zip
Assignee | ||
Comment 4•19 years ago
|
||
Comment on attachment 177929 [details] [diff] [review] possible patch Thanks to Stefan Baur "www.stefanbaur.de/KSKLB" for verifying that this patch works. Biesi: this is a pretty straightforward patch. it just moves the call to QuerySecurityPackageInfo down to the initialization routine for each instance of the nsNegotiateAuth object. NOTE: don't be confused by the fact that this class is named "nsNegotiateAuth".. it is actually a generic class that interfaces with Microsoft SSPI. Originally, it was only for the "negotiate" auth package, but now we use it for "NTLM" as well (in order to support automatic NTLM authentication leveraging the user's login credentials).
Attachment #177929 -
Flags: review?(cbiesinger)
Comment 5•19 years ago
|
||
interesting... this leaks some stuff, presumably (and always did), since MSDN says: "The caller must call the FreeContextBuffer function to free the buffer returned in ppPackageInfo." (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/querysecuritypackageinfo.asp)
Comment 6•19 years ago
|
||
while I'm looking at this file... // This should always hit our DNS cache nsCOMPtr<nsIDNSRecord> record; rv = dns->Resolve(Substring(buf, index + 1), nsIDNSService::RESOLVE_CANONICAL_NAME, getter_AddRefs(record)); Why's the comment true? Won't the RESOLVE_CANONICAL_NAME flag make it so that this will almost always not be cached? (unless you hit this code more than once for a given host). The nsHostResolver.cpp code carefully avoids hashing an entry with and without that flag to the same key. (Was this from before that flag, when AI_CANONNAME was always passed to getaddrinfo?) (I wonder if this should use iterators instead of FindChar)
Assignee | ||
Comment 7•19 years ago
|
||
yes, you are correct. we will not benefit from a cached result the first time. that comment pre-dates the existance of that flag anyways. i'll revise the comment accordingly. thanks for noticing that we are not free'ing that memory buffer. i'll make that change which is especially important since we will now be querying the package more often. i don't see any real advantage to using iterators at this point.
Assignee | ||
Comment 8•19 years ago
|
||
revised patch per review comments from biesi
Attachment #177929 -
Attachment is obsolete: true
Attachment #178089 -
Flags: review?(cbiesinger)
Assignee | ||
Updated•19 years ago
|
Attachment #177929 -
Flags: review?(cbiesinger)
Comment 9•19 years ago
|
||
Comment on attachment 178089 [details] [diff] [review] v1.1 patch r=biesi
Attachment #178089 -
Flags: review?(cbiesinger) → review+
Assignee | ||
Comment 10•19 years ago
|
||
fixed-on-trunk tomorrow's nightly builds will include this fix.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•