Pass username through in GSSAPI connections

Fix bug in GSSAPI auth where the username was not being negotiated. Github-ref: https://github.com/OfflineIMAP/offlineimap/issues/541 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Tested-by: Frank Lenormand <lenormf@gmail.com> Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2018-06-06 15:39:14 -04:00 · 2018-06-06 15:39:14 -04:00 · 17cfb63db6
commit 17cfb63db6
parent fc61c6fd30
1 changed files with 12 additions and 1 deletions
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@ -280,7 +280,18 @@ class IMAPServer(object):
            # we'd be ready since krb5 always requests integrity and
            # confidentiality support.
            response = self.gss_vc.unwrap(token)
-            response = self.gss_vc.wrap(response.message, response.encrypted)
+
+            # This is a behavior we got from pykerberos.  First byte is one,
+            # first four bytes are preserved (pykerberos calls this a length).
+            # Any additional bytes are username.
+            reply = []
+            reply[0:4] = response.message[0:4]
+            reply[0] = '\x01'
+            if self.username:
+                reply[5:] = self.username
+            reply = ''.join(reply)
+
+            response = self.gss_vc.wrap(reply, response.encrypted)
            return response.message if response.message else ""
        except gssapi.exceptions.GSSError as err:
            # GSSAPI errored out on us; respond with None to cancel the