1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

QAuthenticator: condition using GSSAPI on credentials availability

Browse Source 
AFAICT with GSSAPI the normal workflow is to run kinit or similar and
authenticate before running programs relying on it. Therefore
we can try to get the credentials before we choose whether or not
to use Negotiate.

Pick-to: 5.15
Task-number: QTBUG-85123
Change-Id: If0478fdd45389b2939ad87c2f582776fe56959bb
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
This commit is contained in:
Mårten Nordheim 2020-09-07 18:15:14 +02:00
parent e6b8eb502e
commit e0918af700
5 changed files with 68 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/network/access/qhttpnetworkconnection.cpp
View File

@ -449,7 +449,14 @@ bool QHttpNetworkConnectionPrivate::handleAuthenticateChallenge(QAbstractSocket
if (auth->isNull())
auth->detach();
QAuthenticatorPrivate *priv = QAuthenticatorPrivate::getPrivate(*auth);
priv->parseHttpResponse(fields, isProxy);
priv->parseHttpResponse(fields, isProxy, reply->url().host());
// Update method in case it changed
if (priv->method == QAuthenticatorPrivate::None)
return false;
if (isProxy)
channels[i].proxyAuthMethod = priv->method;
else
channels[i].authMethod = priv->method;
if (priv->phase == QAuthenticatorPrivate::Done) {
pauseConnection();

66
src/network/kernel/qauthenticator.cpp
View File

@ -81,6 +81,7 @@ static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate
static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method,
const QString& host, const QByteArray& challenge = QByteArray());
#elif QT_CONFIG(gssapi) // GSSAPI
static bool qGssapiTestGetCredentials(const QString &host);
static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString& host);
static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx,
const QByteArray& challenge = QByteArray());
@ -422,7 +423,7 @@ void QAuthenticatorPrivate::updateCredentials()
}
}
void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy)
void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy, const QString &host)
{
const char *search = isProxy ? "proxy-authenticate" : "www-authenticate";
@ -454,6 +455,13 @@ void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByt
headerVal = current.second.mid(7);
} else if (method < Negotiate && str.startsWith("negotiate")) {
#if QT_CONFIG(sspi) || QT_CONFIG(gssapi) // if it's not supported then we shouldn't try to use it
#if QT_CONFIG(gssapi)
// For GSSAPI there needs to be a KDC set up for the host (afaict).
// So let's only conditionally use it if we can fetch the credentials.
// Sadly it's a bit slow because it requires a DNS lookup.
if (!qGssapiTestGetCredentials(host))
continue;
#endif
method = Negotiate;
headerVal = current.second.mid(10);
#endif
@ -583,6 +591,7 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet
phase = Phase2;
} else {
phase = Done;
return "";
}
} else {
QByteArray phase3Token;
@ -595,6 +604,9 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet
response = phase3Token.toBase64();
phase = Done;
challenge = "";
} else {
phase = Done;
return "";
}
}
@ -1677,26 +1689,36 @@ static void q_GSSAPI_error(const char *message, OM_uint32 majStat, OM_uint32 min
q_GSSAPI_error_int(message, minStat, GSS_C_MECH_CODE);
}
static gss_name_t qGSsapiGetServiceName(const QString &host)
{
QByteArray serviceName = "HTTPS@" + host.toLocal8Bit();
gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()};
gss_name_t importedName;
OM_uint32 minStat;
OM_uint32 majStat = gss_import_name(&minStat, &nameDesc,
GSS_C_NT_HOSTBASED_SERVICE, &importedName);
if (majStat != GSS_S_COMPLETE) {
q_GSSAPI_error("gss_import_name error", majStat, minStat);
return nullptr;
}
return importedName;
}
// Send initial GSS authentication token
static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString &host)
{
OM_uint32 majStat, minStat;
if (!ctx->gssApiHandles)
ctx->gssApiHandles.reset(new QGssApiHandles);
// Convert target name to internal form
QByteArray serviceName = QStringLiteral("HTTPS@%1").arg(host).toLocal8Bit();
gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()};
majStat = gss_import_name(&minStat, &nameDesc,
GSS_C_NT_HOSTBASED_SERVICE, &ctx->gssApiHandles->targetName);
if (majStat != GSS_S_COMPLETE) {
q_GSSAPI_error("gss_import_name error", majStat, minStat);
gss_name_t name = qGSsapiGetServiceName(host);
if (name == nullptr) {
ctx->gssApiHandles.reset(nullptr);
return QByteArray();
}
ctx->gssApiHandles->targetName = name;
// Call qGssapiContinue with GSS_C_NO_CONTEXT to get initial packet
ctx->gssApiHandles->gssCtx = GSS_C_NO_CONTEXT;
@ -1750,6 +1772,28 @@ static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, const QByteArray&
return result;
}
static bool qGssapiTestGetCredentials(const QString &host)
{
gss_name_t serviceName = qGSsapiGetServiceName(host);
if (!serviceName)
return false; // Something was wrong with the service name, so skip this
OM_uint32 minStat;
gss_cred_id_t cred;
OM_uint32 majStat = gss_acquire_cred(&minStat, serviceName, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, nullptr,
nullptr);
OM_uint32 ignored;
gss_release_name(&ignored, &serviceName);
gss_release_cred(&ignored, &cred);
if (majStat != GSS_S_COMPLETE) {
q_GSSAPI_error("gss_acquire_cred", majStat, minStat);
return false;
}
return true;
}
// ---------------------------- End of GSSAPI code ----------------------------------------------
#endif // gssapi

2
src/network/kernel/qauthenticator_p.h
View File

@ -113,7 +113,7 @@ public:
QByteArray digestMd5Response(const QByteArray &challenge, const QByteArray &method, const QByteArray &path);
static QHash<QByteArray, QByteArray> parseDigestAuthenticationChallenge(const QByteArray &challenge);
void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy);
void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy, const QString &host);
void updateCredentials();
};

2
src/network/socket/qhttpsocketengine.cpp
View File

@ -607,7 +607,7 @@ void QHttpSocketEngine::slotSocketReadNotification()
priv->hasFailed = true;
}
priv->parseHttpResponse(d->reply->header(), true);
priv->parseHttpResponse(d->reply->header(), true, d->proxy.hostName());
if (priv->phase == QAuthenticatorPrivate::Invalid) {
// problem parsing the reply

6
tests/auto/network/kernel/qauthenticator/tst_qauthenticator.cpp
View File

@ -83,7 +83,7 @@ void tst_QAuthenticator::basicAuth()
QList<QPair<QByteArray, QByteArray> > headers;
headers << qMakePair(QByteArray("WWW-Authenticate"), "Basic " + data.toUtf8());
priv->parseHttpResponse(headers, /*isProxy = */ false);
priv->parseHttpResponse(headers, /*isProxy = */ false, {});
QCOMPARE(auth.realm(), realm);
QCOMPARE(auth.option("realm").toString(), realm);
@ -131,7 +131,7 @@ void tst_QAuthenticator::ntlmAuth()
// Current implementation uses flags:
// NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET
headers << qMakePair(QByteArrayLiteral("WWW-Authenticate"), QByteArrayLiteral("NTLM"));
priv->parseHttpResponse(headers, /*isProxy = */ false);
priv->parseHttpResponse(headers, /*isProxy = */ false, {});
if (sso)
QVERIFY(priv->calculateResponse("GET", "/", "").startsWith("NTLM "));
else
@ -140,7 +140,7 @@ void tst_QAuthenticator::ntlmAuth()
// NTLM phase 2: challenge
headers.clear();
headers << qMakePair(QByteArray("WWW-Authenticate"), "NTLM " + data.toUtf8());
priv->parseHttpResponse(headers, /*isProxy = */ false);
priv->parseHttpResponse(headers, /*isProxy = */ false, {});
QEXPECT_FAIL("with-realm", "NTLM authentication code doesn't extract the realm", Continue);
QEXPECT_FAIL("with-realm-sso", "NTLM authentication code doesn't extract the realm", Continue);