fix: default to NTLM v2 in the network service for POSIX platforms

docs/api/command-line-switches.md

@@ -36,6 +36,10 @@ for integrated authentication. Without `*` prefix the URL has to match exactly.
 A comma-separated list of servers for which delegation of user credentials is required.
 Without `*` prefix the URL has to match exactly.
 
+### --disable-ntlm-v2
+
+Disables NTLM v2 for posix platforms, no effect elsewhere.
+
 ### --disable-http-cache
 
 Disables the disk cache for HTTP requests.

patches/chromium/.patches

@@ -98,3 +98,4 @@ allow_setting_secondary_label_via_simplemenumodel.patch
 disable_unnecessary_ischromefirstrun_check.patch
 disable_dcheck_that_fails_with_software_compositing.patch
 fix_swap_global_proxies_before_initializing_the_windows_proxies.patch
+fix_default_to_ntlm_v2_in_network_service.patch

patches/chromium/fix_default_to_ntlm_v2_in_network_service.patch

@@ -0,0 +1,20 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: deepak1556 <hop2deep@gmail.com>
+Date: Fri, 29 May 2020 02:12:56 -0700
+Subject: fix: default to NTLM v2 in network service
+
+Backports https://chromium-review.googlesource.com/c/chromium/src/+/2222116
+
+diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
+index 565d98ad87ca9c8f2fc5325ad25cbf18f500f36e..072d24087e1f1bed867788c068b651658ad6ce4e 100644
+--- a/services/network/public/mojom/network_service.mojom
++++ b/services/network/public/mojom/network_service.mojom
+@@ -152,7 +152,7 @@ struct HttpAuthDynamicParams {
+   bool enable_negotiate_port = true;
+
+   // Whether NTLM V2 is enabled on POSIX platforms. No effect elsewhere.
+-  bool ntlm_v2_enabled = false;
++  bool ntlm_v2_enabled = true;
+
+   // The AccountManager AccountManagerget.AccountsByTypeAndFeatures on Android
+   // when using Negotiate authentication.

shell/browser/api/electron_api_session.cc

@@ -576,12 +576,14 @@ v8::Local<v8::Promise> Session::ClearAuthCache() {
 }
 
 void Session::AllowNTLMCredentialsForDomains(const std::string& domains) {
+  auto* command_line = base::CommandLine::ForCurrentProcess();
   network::mojom::HttpAuthDynamicParamsPtr auth_dynamic_params =
       network::mojom::HttpAuthDynamicParams::New();
   auth_dynamic_params->server_allowlist = domains;
   auth_dynamic_params->enable_negotiate_port =
-      base::CommandLine::ForCurrentProcess()->HasSwitch(
-          electron::switches::kEnableAuthNegotiatePort);
+      command_line->HasSwitch(electron::switches::kEnableAuthNegotiatePort);
+  auth_dynamic_params->ntlm_v2_enabled =
+      !command_line->HasSwitch(electron::switches::kDisableNTLMv2);
   content::GetNetworkService()->ConfigureHttpAuthPrefs(
       std::move(auth_dynamic_params));
 }

shell/browser/net/system_network_context_manager.cc

@@ -53,6 +53,8 @@ network::mojom::HttpAuthDynamicParamsPtr CreateHttpAuthDynamicParams() {
       electron::switches::kAuthNegotiateDelegateWhitelist);
   auth_dynamic_params->enable_negotiate_port =
       command_line->HasSwitch(electron::switches::kEnableAuthNegotiatePort);
+  auth_dynamic_params->ntlm_v2_enabled =
+      !command_line->HasSwitch(electron::switches::kDisableNTLMv2);
 
   return auth_dynamic_params;
 }

shell/common/options_switches.cc

@@ -278,6 +278,9 @@ const char kAuthNegotiateDelegateWhitelist[] =
 // If set, include the port in generated Kerberos SPNs.
 const char kEnableAuthNegotiatePort[] = "enable-auth-negotiate-port";
 
+// If set, NTLM v2 is disabled for POSIX platforms.
+const char kDisableNTLMv2[] = "disable-ntlm-v2";
+
 #if BUILDFLAG(ENABLE_BUILTIN_SPELLCHECKER)
 const char kEnableSpellcheck[] = "enable-spellcheck";
 #endif

shell/common/options_switches.h

@@ -140,6 +140,7 @@ extern const char kIgnoreConnectionsLimit[];
 extern const char kAuthServerWhitelist[];
 extern const char kAuthNegotiateDelegateWhitelist[];
 extern const char kEnableAuthNegotiatePort[];
+extern const char kDisableNTLMv2[];
 
 #if BUILDFLAG(ENABLE_BUILTIN_SPELLCHECKER)
 extern const char kEnableSpellcheck[];