Fix not emitting proxyAuthenticationRequired signal for NTLM

During NTLM http proxy authentication QHttpSocketEngine did
not emit the proxyAuthenticationRequired signal during
handling of HTTP 407 responses. As a consequence, the proxy
server was spammed with connection requests that never
worked.

Fixes: QTBUG-109718
Pick-to: 6.5
Change-Id: Icf0ccf58e3f2690d210652713155a303026ed3b1
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit c73ee7353a22005890839afebb920a3c242b1f57)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

src/network/socket/qhttpsocketengine.cpp

@@ -556,15 +556,6 @@ void QHttpSocketEngine::slotSocketReadNotification()
             d->authenticator.detach();
         priv = QAuthenticatorPrivate::getPrivate(d->authenticator);
 
-        if (d->credentialsSent && priv->phase != QAuthenticatorPrivate::Phase2) {
-            // Remember that (e.g.) NTLM is two-phase, so only reset when the authentication is not currently in progress.
-            //407 response again means the provided username/password were invalid.
-            d->authenticator = QAuthenticator(); //this is needed otherwise parseHttpResponse won't set the state, and then signal isn't emitted.
-            d->authenticator.detach();
-            priv = QAuthenticatorPrivate::getPrivate(d->authenticator);
-            priv->hasFailed = true;
-        }
-
         priv->parseHttpResponse(d->reply->header(), true, d->proxy.hostName());
 
         if (priv->phase == QAuthenticatorPrivate::Invalid) {
@@ -576,6 +567,29 @@ void QHttpSocketEngine::slotSocketReadNotification()
             return;
         }
 
+        if (priv->phase == QAuthenticatorPrivate::Done
+            || (priv->phase == QAuthenticatorPrivate::Start
+                && (priv->method == QAuthenticatorPrivate::Ntlm
+                    || priv->method == QAuthenticatorPrivate::Negotiate))) {
+            if (priv->phase == QAuthenticatorPrivate::Start)
+                priv->phase = QAuthenticatorPrivate::Phase1;
+            bool credentialsWasSent = d->credentialsSent;
+            if (d->credentialsSent) {
+                // Remember that (e.g.) NTLM is two-phase, so only reset when the authentication is
+                // not currently in progress. 407 response again means the provided
+                // username/password were invalid.
+                d->authenticator.detach();
+                priv = QAuthenticatorPrivate::getPrivate(d->authenticator);
+                priv->hasFailed = true;
+                d->credentialsSent = false;
+                priv->phase = QAuthenticatorPrivate::Done;
+            }
+            if ((priv->method != QAuthenticatorPrivate::Ntlm
+                 && priv->method != QAuthenticatorPrivate::Negotiate)
+                || credentialsWasSent)
+                proxyAuthenticationRequired(d->proxy, &d->authenticator);
+        }
+
         bool willClose;
         QByteArray proxyConnectionHeader = d->reply->headerField("Proxy-Connection");
         // Although most proxies use the unofficial Proxy-Connection header, the Connection header
@@ -603,10 +617,8 @@ void QHttpSocketEngine::slotSocketReadNotification()
             d->reply = new QHttpNetworkReply(QUrl(), this);
         }
 
-        if (priv->phase == QAuthenticatorPrivate::Done)
-            proxyAuthenticationRequired(d->proxy, &d->authenticator);
-        // priv->phase will get reset to QAuthenticatorPrivate::Start if the authenticator got modified in the signal above.
         if (priv->phase == QAuthenticatorPrivate::Done) {
+            d->authenticator = QAuthenticator();
             setError(QAbstractSocket::ProxyAuthenticationRequiredError, tr("Authentication required"));
             d->socket->disconnectFromHost();
         } else {