Use different separators for service-type and service-name in Kerberos SPN.

net/http/http_auth_handler_negotiate.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_handler_negotiate.h"
 
 #include "base/logging.h"
 #include "net/base/address_family.h"
 #include "net/base/host_resolver.h"
 #include "net/base/net_errors.h"
@@ skipping 93 matching lines @@
 bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() {
   if (target_ == HttpAuth::AUTH_PROXY)
     return true;
   if (!url_security_manager_)
     return false;
   return url_security_manager_->CanUseDefaultCredentials(origin_);
 }
 
 std::wstring HttpAuthHandlerNegotiate::CreateSPN(
     const AddressList& address_list, const GURL& origin) {
-  // Kerberos SPNs are in the form HTTP/<host>:<port>
+  // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI,
+  // and in the form HTTP@<host>:<port> through GSSAPI
   //   http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx
   //
   // However, reality differs from the specification. A good description of
   // the problems can be found here:
   //   http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-kb911149-and-kb908209-are-not-the-soluton.aspx
   //
   // Typically the <host> portion should be the canonical FQDN for the service.
   // If this could not be resolved, the original hostname in the URL will be
   // attempted instead. However, some intranets register SPNs using aliases
   // for the same canonical DNS name to allow multiple web services to reside
@@ skipping 11 matching lines @@
   // option to include non-standard ports as of 3.6.
   //   http://support.microsoft.com/kb/908209
   //
   // Without any command-line flags, Chrome matches the behavior of Firefox
   // and IE. Users can override the behavior so aliases are allowed and
   // non-standard ports are included.
   int port = origin.EffectiveIntPort();
   std::string server;
   if (!address_list.GetCanonicalName(&server))
     server = origin.host();
+#if defined(OS_WIN)
+  static const char kSpnSeparator = '/';
+#elif defined(OS_POSIX)
+  static const char kSpnSeparator = '@';
+#endif
   if (port != 80 && port != 443 && use_port_) {
-    return ASCIIToWide(StringPrintf("HTTP/%s:%d", server.c_str(), port));
+    return ASCIIToWide(StringPrintf("HTTP%c%s:%d", kSpnSeparator,
+                                    server.c_str(), port));
   } else {
-    return ASCIIToWide(StringPrintf("HTTP/%s", server.c_str()));
+    return ASCIIToWide(StringPrintf("HTTP%c%s", kSpnSeparator, server.c_str()));
   }
 }
 
 int HttpAuthHandlerNegotiate::DoLoop(int result) {
   DCHECK(next_state_ != STATE_NONE);
 
   int rv = result;
   do {
     State state = next_state_;
     next_state_ = STATE_NONE;
@@ skipping 140 matching lines @@
                                    resolver_, disable_cname_lookup_,
                                    use_port_));
   if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
     return ERR_INVALID_RESPONSE;
   handler->swap(tmp_handler);
   return OK;
 #endif
 }
 
 }  // namespace net