diff options
| author | Mårten Nordheim <marten.nordheim@qt.io> | 2020-09-07 18:15:14 +0200 |
|---|---|---|
| committer | Mårten Nordheim <marten.nordheim@qt.io> | 2020-09-11 13:37:48 +0200 |
| commit | e0918af700acefd6e80562c051e42d0b64097e1f (patch) | |
| tree | 56432d0241af4bbc28db2e410f36b40a7ada6283 /src | |
| parent | e6b8eb502eb39f27fe3aa7a675cb3ca3ad220672 (diff) | |
| download | qtbase-e0918af700acefd6e80562c051e42d0b64097e1f.tar.gz | |
QAuthenticator: condition using GSSAPI on credentials availability
AFAICT with GSSAPI the normal workflow is to run kinit or similar and
authenticate before running programs relying on it. Therefore
we can try to get the credentials before we choose whether or not
to use Negotiate.
Pick-to: 5.15
Task-number: QTBUG-85123
Change-Id: If0478fdd45389b2939ad87c2f582776fe56959bb
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src')
| -rw-r--r-- | src/network/access/qhttpnetworkconnection.cpp | 9 | ||||
| -rw-r--r-- | src/network/kernel/qauthenticator.cpp | 66 | ||||
| -rw-r--r-- | src/network/kernel/qauthenticator_p.h | 2 | ||||
| -rw-r--r-- | src/network/socket/qhttpsocketengine.cpp | 2 |
4 files changed, 65 insertions, 14 deletions
diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp index 24be5b1464..c133a09044 100644 --- a/src/network/access/qhttpnetworkconnection.cpp +++ b/src/network/access/qhttpnetworkconnection.cpp @@ -449,7 +449,14 @@ bool QHttpNetworkConnectionPrivate::handleAuthenticateChallenge(QAbstractSocket if (auth->isNull()) auth->detach(); QAuthenticatorPrivate *priv = QAuthenticatorPrivate::getPrivate(*auth); - priv->parseHttpResponse(fields, isProxy); + priv->parseHttpResponse(fields, isProxy, reply->url().host()); + // Update method in case it changed + if (priv->method == QAuthenticatorPrivate::None) + return false; + if (isProxy) + channels[i].proxyAuthMethod = priv->method; + else + channels[i].authMethod = priv->method; if (priv->phase == QAuthenticatorPrivate::Done) { pauseConnection(); diff --git a/src/network/kernel/qauthenticator.cpp b/src/network/kernel/qauthenticator.cpp index c23e82dd85..3db7161add 100644 --- a/src/network/kernel/qauthenticator.cpp +++ b/src/network/kernel/qauthenticator.cpp @@ -81,6 +81,7 @@ static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, const QString& host, const QByteArray& challenge = QByteArray()); #elif QT_CONFIG(gssapi) // GSSAPI +static bool qGssapiTestGetCredentials(const QString &host); static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString& host); static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, const QByteArray& challenge = QByteArray()); @@ -422,7 +423,7 @@ void QAuthenticatorPrivate::updateCredentials() } } -void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy) +void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy, const QString &host) { const char *search = isProxy ? "proxy-authenticate" : "www-authenticate"; @@ -454,6 +455,13 @@ void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByt headerVal = current.second.mid(7); } else if (method < Negotiate && str.startsWith("negotiate")) { #if QT_CONFIG(sspi) || QT_CONFIG(gssapi) // if it's not supported then we shouldn't try to use it +#if QT_CONFIG(gssapi) + // For GSSAPI there needs to be a KDC set up for the host (afaict). + // So let's only conditionally use it if we can fetch the credentials. + // Sadly it's a bit slow because it requires a DNS lookup. + if (!qGssapiTestGetCredentials(host)) + continue; +#endif method = Negotiate; headerVal = current.second.mid(10); #endif @@ -583,6 +591,7 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet phase = Phase2; } else { phase = Done; + return ""; } } else { QByteArray phase3Token; @@ -595,6 +604,9 @@ QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMet response = phase3Token.toBase64(); phase = Done; challenge = ""; + } else { + phase = Done; + return ""; } } @@ -1677,26 +1689,36 @@ static void q_GSSAPI_error(const char *message, OM_uint32 majStat, OM_uint32 min q_GSSAPI_error_int(message, minStat, GSS_C_MECH_CODE); } +static gss_name_t qGSsapiGetServiceName(const QString &host) +{ + QByteArray serviceName = "HTTPS@" + host.toLocal8Bit(); + gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()}; + + gss_name_t importedName; + OM_uint32 minStat; + OM_uint32 majStat = gss_import_name(&minStat, &nameDesc, + GSS_C_NT_HOSTBASED_SERVICE, &importedName); + + if (majStat != GSS_S_COMPLETE) { + q_GSSAPI_error("gss_import_name error", majStat, minStat); + return nullptr; + } + return importedName; +} + // Send initial GSS authentication token static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString &host) { - OM_uint32 majStat, minStat; - if (!ctx->gssApiHandles) ctx->gssApiHandles.reset(new QGssApiHandles); // Convert target name to internal form - QByteArray serviceName = QStringLiteral("HTTPS@%1").arg(host).toLocal8Bit(); - gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()}; - - majStat = gss_import_name(&minStat, &nameDesc, - GSS_C_NT_HOSTBASED_SERVICE, &ctx->gssApiHandles->targetName); - - if (majStat != GSS_S_COMPLETE) { - q_GSSAPI_error("gss_import_name error", majStat, minStat); + gss_name_t name = qGSsapiGetServiceName(host); + if (name == nullptr) { ctx->gssApiHandles.reset(nullptr); return QByteArray(); } + ctx->gssApiHandles->targetName = name; // Call qGssapiContinue with GSS_C_NO_CONTEXT to get initial packet ctx->gssApiHandles->gssCtx = GSS_C_NO_CONTEXT; @@ -1750,6 +1772,28 @@ static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, const QByteArray& return result; } +static bool qGssapiTestGetCredentials(const QString &host) +{ + gss_name_t serviceName = qGSsapiGetServiceName(host); + if (!serviceName) + return false; // Something was wrong with the service name, so skip this + OM_uint32 minStat; + gss_cred_id_t cred; + OM_uint32 majStat = gss_acquire_cred(&minStat, serviceName, GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, nullptr, + nullptr); + + OM_uint32 ignored; + gss_release_name(&ignored, &serviceName); + gss_release_cred(&ignored, &cred); + + if (majStat != GSS_S_COMPLETE) { + q_GSSAPI_error("gss_acquire_cred", majStat, minStat); + return false; + } + return true; +} + // ---------------------------- End of GSSAPI code ---------------------------------------------- #endif // gssapi diff --git a/src/network/kernel/qauthenticator_p.h b/src/network/kernel/qauthenticator_p.h index 99dfdbda2c..1813634ee0 100644 --- a/src/network/kernel/qauthenticator_p.h +++ b/src/network/kernel/qauthenticator_p.h @@ -113,7 +113,7 @@ public: QByteArray digestMd5Response(const QByteArray &challenge, const QByteArray &method, const QByteArray &path); static QHash<QByteArray, QByteArray> parseDigestAuthenticationChallenge(const QByteArray &challenge); - void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy); + void parseHttpResponse(const QList<QPair<QByteArray, QByteArray> >&, bool isProxy, const QString &host); void updateCredentials(); }; diff --git a/src/network/socket/qhttpsocketengine.cpp b/src/network/socket/qhttpsocketengine.cpp index a23e2d3071..5324038dbd 100644 --- a/src/network/socket/qhttpsocketengine.cpp +++ b/src/network/socket/qhttpsocketengine.cpp @@ -607,7 +607,7 @@ void QHttpSocketEngine::slotSocketReadNotification() priv->hasFailed = true; } - priv->parseHttpResponse(d->reply->header(), true); + priv->parseHttpResponse(d->reply->header(), true, d->proxy.hostName()); if (priv->phase == QAuthenticatorPrivate::Invalid) { // problem parsing the reply |