QAuthenticator: allow to set custom SPN for Windows client

A new option is added for SPNEGO/Negotiate authentication with SSPI backend to customize the SPN that is used during the procedure. Fixes: QTBUG-88869 Change-Id: If034ef451a61593445d8e79e7f82b9d3610ed653 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2022-05-16 18:33:42 +02:00 · 2022-05-16 18:33:42 +02:00 · 576730f599
commit 576730f599
parent f569acd6ae
1 changed files with 27 additions and 3 deletions
--- a/src/network/kernel/qauthenticator.cpp
+++ b/src/network/kernel/qauthenticator.cpp
@ -119,7 +119,28 @@ static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, QByteArrayView cha

  \section2 SPNEGO/Negotiate

-  This authentication mechanism currently supports no incoming or outgoing options.
+  \table
+    \header
+        \li Option
+        \li Direction
+        \li Type
+        \li Description
+    \row
+        \li \tt{spn}
+        \li Outgoing
+        \li QString
+        \li Provides a custom SPN.
+  \endtable
+
+  This authentication mechanism currently supports no incoming options.
+
+  The \c{spn} property is used on Windows clients when an SSPI library is used.
+  If the property is not set, a default SPN will be used. The default SPN on
+  Windows is \c {HTTP/<hostname>}.
+
+  Other operating systems use GSSAPI libraries. For that it is expected that
+  KDC is set up, and the credentials can be fetched from it. The backend always
+  uses \c {HTTPS@<hostname>} as an SPN.

  \sa QSslSocket
 */
@ -1623,8 +1644,11 @@ static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivat
    responseBuf.cbBuffer   = 0;

    // Calculate target (SPN for Negotiate, empty for NTLM)
-    std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate
-                                ? "HTTP/"_L1 + host : QString()).toStdWString();
+    QString targetName = ctx->options.value("spn"_L1).toString();
+    if (targetName.isEmpty())
+        targetName = "HTTP/"_L1 + host;
+    const std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate
+                                      ? targetName : QString()).toStdWString();

    // Generate our challenge-response message
    SECURITY_STATUS secStatus = pSecurityFunctionTable->InitializeSecurityContext(