QAuthenticator: condition using GSSAPI on credentials availability

AFAICT with GSSAPI the normal workflow is to run kinit or similar and
authenticate before running programs relying on it. Therefore
we can try to get the credentials before we choose whether or not
to use Negotiate.

Pick-to: 5.15
Task-number: QTBUG-85123
Change-Id: If0478fdd45389b2939ad87c2f582776fe56959bb
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>

5 files changed, 68 insertions, 17 deletions

diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp
index 24be5b1464..c133a09044 100644
--- a/src/network/access/qhttpnetworkconnection.cpp
+++ b/src/network/access/qhttpnetworkconnection.cpp
@@ -449,7 +449,14 @@ bool QHttpNetworkConnectionPrivate::handleAuthenticateChallenge(QAbstractSocket
         if (auth->isNull())
             auth->detach();
         QAuthenticatorPrivate *priv = QAuthenticatorPrivate::getPrivate(*auth);
-        priv->parseHttpResponse(fields, isProxy);
+        priv->parseHttpResponse(fields, isProxy, reply->url().host());
+        // Update method in case it changed
+        if (priv->method == QAuthenticatorPrivate::None)
+            return false;
+        if (isProxy)
+            channels[i].proxyAuthMethod = priv->method;
+        else
+            channels[i].authMethod = priv->method;
 
         if (priv->phase == QAuthenticatorPrivate::Done) {
             pauseConnection();
diff --git a/src/network/kernel/qauthenticator.cpp b/src/network/kernel/qauthenticator.cpp
index c23e82dd85..3db7161add 100644
--- a/src/network/kernel/qauthenticator.cpp
+++ b/src/network/kernel/qauthenticator.cpp
@@ -81,6 +81,7 @@ static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate
 static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method,
                                 const QString& host, const QByteArray& challenge = QByteArray());
 #elif QT_CONFIG(gssapi) // GSSAPI
+static bool qGssapiTestGetCredentials(const QString &host);
 static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString& host);
 static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx,
                                   const QByteArray& challenge = QByteArray());
@@ -422,7 +423,7 @@ void QAuthenticatorPrivate::updateCredentials()
     }
 }
 
-void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy)
+void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy, const QString &host)
 {
     const char *search = isProxy ? "proxy-authenticate" : "www-authenticate";
 
@@ -454,6 +455,13 @@ void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByt
             headerVal = current.second.mid(7);
         } else if (method < Negotiate && str.startsWith("negotiate")) {
 #if QT_CONFIG(sspi) || QT_CONFIG(gssapi) // if it's not supported then we shouldn't try to use it
+#if QT_CONFIG(gssapi)
+            // For GSSAPI there needs to be a KDC set up for the host (afaict).
+            // So let's only conditionally use it if we can fetch the credentials.
+            // Sadly it's a bit slow because it requires a DNS lookup.
+            if (!qGssapiTestGetCredentials(host))
+                continue;
+#endif
             method = Negotiate;
             headerVal = current.second.mid(10);
 #endif
@@ -583,6 +591,7 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet
                 phase = Phase2;
             } else {
                 phase = Done;
+                return "";
             }
         } else {
             QByteArray phase3Token;
@@ -595,6 +604,9 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet
                 response = phase3Token.toBase64();
                 phase = Done;
                 challenge = "";
+            } else {
+                phase = Done;
+                return "";
             }
         }
 
@@ -1677,26 +1689,36 @@ static void q_GSSAPI_error(const char *message, OM_uint32 majStat, OM_uint32 min
     q_GSSAPI_error_int(message, minStat, GSS_C_MECH_CODE);
 }
 
+static gss_name_t qGSsapiGetServiceName(const QString &host)
+{
+    QByteArray serviceName = "HTTPS@" + host.toLocal8Bit();
+    gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()};
+
+    gss_name_t importedName;
+    OM_uint32 minStat;
+    OM_uint32 majStat = gss_import_name(&minStat, &nameDesc,
+                              GSS_C_NT_HOSTBASED_SERVICE, &importedName);
+
+    if (majStat != GSS_S_COMPLETE) {
+        q_GSSAPI_error("gss_import_name error", majStat, minStat);
+        return nullptr;
+    }
+    return importedName;
+}
+
 // Send initial GSS authentication token
 static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString &host)
 {
-    OM_uint32 majStat, minStat;
-
     if (!ctx->gssApiHandles)
         ctx->gssApiHandles.reset(new QGssApiHandles);
 
     // Convert target name to internal form
-    QByteArray serviceName = QStringLiteral("HTTPS@%1").arg(host).toLocal8Bit();
-    gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()};
-
-    majStat = gss_import_name(&minStat, &nameDesc,
-                              GSS_C_NT_HOSTBASED_SERVICE, &ctx->gssApiHandles->targetName);
-
-    if (majStat != GSS_S_COMPLETE) {
-        q_GSSAPI_error("gss_import_name error", majStat, minStat);
+    gss_name_t name = qGSsapiGetServiceName(host);
+    if (name == nullptr) {
         ctx->gssApiHandles.reset(nullptr);
         return QByteArray();
     }
+    ctx->gssApiHandles->targetName = name;
 
     // Call qGssapiContinue with GSS_C_NO_CONTEXT to get initial packet
     ctx->gssApiHandles->gssCtx = GSS_C_NO_CONTEXT;
@@ -1750,6 +1772,28 @@ static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, const QByteArray&
     return result;
 }
 
+static bool qGssapiTestGetCredentials(const QString &host)
+{
+    gss_name_t serviceName = qGSsapiGetServiceName(host);
+    if (!serviceName)
+        return false; // Something was wrong with the service name, so skip this
+    OM_uint32 minStat;
+    gss_cred_id_t cred;
+    OM_uint32 majStat = gss_acquire_cred(&minStat, serviceName, GSS_C_INDEFINITE,
+                                         GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, nullptr,
+                                         nullptr);
+
+    OM_uint32 ignored;
+    gss_release_name(&ignored, &serviceName);
+    gss_release_cred(&ignored, &cred);
+
+    if (majStat != GSS_S_COMPLETE) {
+        q_GSSAPI_error("gss_acquire_cred", majStat, minStat);
+        return false;
+    }
+    return true;
+}
+
 // ---------------------------- End of GSSAPI code ----------------------------------------------
 
 #endif // gssapi
diff --git a/src/network/kernel/qauthenticator_p.h b/src/network/kernel/qauthenticator_p.h
index 99dfdbda2c..1813634ee0 100644
--- a/src/network/kernel/qauthenticator_p.h
+++ b/src/network/kernel/qauthenticator_p.h
@@ -113,7 +113,7 @@ public:
     QByteArray digestMd5Response(const QByteArray &challenge, const QByteArray &method, const QByteArray &path);
     static QHash<QByteArray, QByteArray> parseDigestAuthenticationChallenge(const QByteArray &challenge);
 
-    void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy);
+    void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy, const QString &host);
     void updateCredentials();
 };
 
diff --git a/src/network/socket/qhttpsocketengine.cpp b/src/network/socket/qhttpsocketengine.cpp
index a23e2d3071..5324038dbd 100644
--- a/src/network/socket/qhttpsocketengine.cpp
+++ b/src/network/socket/qhttpsocketengine.cpp
@@ -607,7 +607,7 @@ void QHttpSocketEngine::slotSocketReadNotification()
             priv->hasFailed = true;
         }
 
-        priv->parseHttpResponse(d->reply->header(), true);
+        priv->parseHttpResponse(d->reply->header(), true, d->proxy.hostName());
 
         if (priv->phase == QAuthenticatorPrivate::Invalid) {
             // problem parsing the reply
diff --git a/tests/auto/network/kernel/qauthenticator/tst_qauthenticator.cpp b/tests/auto/network/kernel/qauthenticator/tst_qauthenticator.cpp
index 94a998a6a6..7e56921606 100644
--- a/tests/auto/network/kernel/qauthenticator/tst_qauthenticator.cpp
+++ b/tests/auto/network/kernel/qauthenticator/tst_qauthenticator.cpp
@@ -83,7 +83,7 @@ void tst_QAuthenticator::basicAuth()
 
     QList<QPair<QByteArray, QByteArray> > headers;
     headers << qMakePair(QByteArray("WWW-Authenticate"), "Basic " + data.toUtf8());
-    priv->parseHttpResponse(headers, /*isProxy = */ false);
+    priv->parseHttpResponse(headers, /*isProxy = */ false, {});
 
     QCOMPARE(auth.realm(), realm);
     QCOMPARE(auth.option("realm").toString(), realm);
@@ -131,7 +131,7 @@ void tst_QAuthenticator::ntlmAuth()
     // Current implementation uses flags:
     //  NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET
     headers << qMakePair(QByteArrayLiteral("WWW-Authenticate"), QByteArrayLiteral("NTLM"));
-    priv->parseHttpResponse(headers, /*isProxy = */ false);
+    priv->parseHttpResponse(headers, /*isProxy = */ false, {});
     if (sso)
         QVERIFY(priv->calculateResponse("GET", "/", "").startsWith("NTLM "));
     else
@@ -140,7 +140,7 @@ void tst_QAuthenticator::ntlmAuth()
     // NTLM phase 2: challenge
     headers.clear();
     headers << qMakePair(QByteArray("WWW-Authenticate"), "NTLM " + data.toUtf8());
-    priv->parseHttpResponse(headers, /*isProxy = */ false);
+    priv->parseHttpResponse(headers, /*isProxy = */ false, {});
 
     QEXPECT_FAIL("with-realm", "NTLM authentication code doesn't extract the realm", Continue);
     QEXPECT_FAIL("with-realm-sso", "NTLM authentication code doesn't extract the realm", Continue);