Bug 734229 - Partially address by refusing to re-negotiate on NTLM. r=mayhemer, r=keeler

Now only one NTLM Negotiate packet will be sent per connection, rather
than again after a failed authentication.  The problem situation is
triggered due to failed Negotiate authentication, and is probably more
complex.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

security/manager/ssl/src/nsNTLMAuthModule.cpp

@@ -1002,6 +1002,7 @@ nsNTLMAuthModule::Init(const char      *serviceName,
   mDomain = domain;
   mUsername = username;
   mPassword = password;
+  mNTLMNegotiateSent = false;
 
   static bool sTelemetrySent = false;
   if (!sTelemetrySent) {
@@ -1030,16 +1031,29 @@ nsNTLMAuthModule::GetNextToken(const void *inToken,
   if (PK11_IsFIPS())
     return NS_ERROR_NOT_AVAILABLE;
 
-  // if inToken is non-null, then assume it contains a type 2 message...
-  if (inToken)
-  {
+  if (mNTLMNegotiateSent) {
+    // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1),
+    // then the NTLMSSP_CHALLENGE (type 2) is expected
+    if (inToken) {
       LogToken("in-token", inToken, inTokenLen);
+      // Now generate the NTLMSSP_AUTH (type 3)
       rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken,
 			    inTokenLen, outToken, outTokenLen);
+    } else {
+      LOG(("NTLMSSP_NEGOTIATE already sent and presumably "
+	   "rejected by the server, refusing to send another"));
+      rv = NS_ERROR_UNEXPECTED;
     }
-  else
-  {
+  } else {
+    if (inToken) {
+      LOG(("NTLMSSP_NEGOTIATE not sent but NTLM reply already received?!?"));
+      rv = NS_ERROR_UNEXPECTED;
+    } else {
       rv = GenerateType1Msg(outToken, outTokenLen);
+      if (NS_SUCCEEDED(rv)) {
+	mNTLMNegotiateSent = true;
+      }
+    }
   }
 
 #ifdef PR_LOGGING

security/manager/ssl/src/nsNTLMAuthModule.h

@@ -28,6 +28,7 @@ private:
   nsString mDomain;
   nsString mUsername;
   nsString mPassword;
+  bool mNTLMNegotiateSent;
 };
 
 #define NS_NTLMAUTHMODULE_CONTRACTID \