From 576730f599a46320bbfbcee1a4c4978b39d8fd7e Mon Sep 17 00:00:00 2001
From: Ivan Solovev
Date: Mon, 16 May 2022 18:33:42 +0200
Subject: [PATCH] QAuthenticator: allow to set custom SPN for Windows client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A new option is added for SPNEGO/Negotiate authentication with SSPI backend to customize the SPN that is used during the procedure.

Fixes: QTBUG-88869
Change-Id: If034ef451a61593445d8e79e7f82b9d3610ed653
Reviewed-by: MÃ¥rten Nordheim
---
 src/network/kernel/qauthenticator.cpp | 30 ++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/src/network/kernel/qauthenticator.cpp b/src/network/kernel/qauthenticator.cpp
index 795ff9f5f01..3b8aacebeba 100644
--- a/src/network/kernel/qauthenticator.cpp
+++ b/src/network/kernel/qauthenticator.cpp
@@ -119,7 +119,28 @@ static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, QByteArrayView cha
 \section2 SPNEGO/Negotiate
- This authentication mechanism currently supports no incoming or outgoing options.
+ \table
+ \header
+ \li Option
+ \li Direction
+ \li Type
+ \li Description
+ \row
+ \li \tt{spn}
+ \li Outgoing
+ \li QString
+ \li Provides a custom SPN.
+ \endtable
+
+ This authentication mechanism currently supports no incoming options.
+
+ The \c{spn} property is used on Windows clients when an SSPI library is used.
+ If the property is not set, a default SPN will be used. The default SPN on
+ Windows is \c {HTTP/}.
+
+ Other operating systems use GSSAPI libraries. For that it is expected that
+ KDC is set up, and the credentials can be fetched from it. The backend always
+ uses \c {HTTPS@} as an SPN.
 \sa QSslSocket
 */
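Review bot: The new `spn` row says only "Provides a custom SPN." and the paragraphs after the table never state what the value controls or where it may safely come from. On the SSPI path the string becomes the target name used for the Negotiate exchange (see the qSspiContinue hunk), so it names the service the token is issued for, and a value that does not match the host actually contacted weakens the server-identity binding the default `HTTP/` + host form provides. I would expand the acronym on first use and add a sentence such as `The value is passed to SSPI unchanged; set it only from trusted application configuration, never from data supplied by the server being authenticated to.` It would also help to say outright that the option is ignored by the GSSAPI backend, rather than leaving that to be inferred from "always uses".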
@@ -1623,8 +1644,11 @@ static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivat
 responseBuf.cbBuffer = 0;
 // Calculate target (SPN for Negotiate, empty for NTLM)
- std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate
- ? "HTTP/"_L1 + host : QString()).toStdWString();
+ QString targetName = ctx->options.value("spn"_L1).toString();
+ if (targetName.isEmpty())
+ targetName = "HTTP/"_L1 + host;
+ const std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate
+ ? targetName : QString()).toStdWString();
 // Generate our challenge-response message
 SECURITY_STATUS secStatus = pSecurityFunctionTable->InitializeSecurityContext(
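Review bot: The `spn` lookup and its `HTTP/` fallback run before `method` is tested, so on the NTLM path the option is read and then discarded by the ternary; scoping the lookup to the Negotiate branch, as in the fence below, makes the "empty for NTLM" comment true by construction. The caller's string is also used as-is: a QVariant that does not convert to a string silently falls back to the default, and a value with an embedded NUL would presumably be cut short once the wide string reaches InitializeSecurityContext, whose argument list lies outside this hunk. Because the SPN names the service the Negotiate token is issued for, I would log or reject a malformed value rather than fall through quietly. qSspiContinue begins and ends outside the hunk.

```cpp
// Calculate target (SPN for Negotiate, empty for NTLM)
QString targetName;
if (method == QAuthenticatorPrivate::Negotiate) {
    // Caller-supplied SPN overrides the host-derived default and is passed to SSPI unchanged.
    targetName = ctx->options.value("spn"_L1).toString();
    if (targetName.isEmpty())
        targetName = "HTTP/"_L1 + host;
}
const std::wstring targetNameW = targetName.toStdWString();
// … unchanged: InitializeSecurityContext call …
```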