Pass username through in GSSAPI connections

Fix bug in GSSAPI auth where the username was not being negotiated.

Github-ref: https://github.com/OfflineIMAP/offlineimap/issues/541
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Tested-by: Frank Lenormand <lenormf@gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Robbie Harwood 2018-06-06 15:39:14 -04:00 committed by Nicolas Sebrecht
parent fc61c6fd30
commit 17cfb63db6

@ -280,7 +280,18 @@ class IMAPServer(object):
# we'd be ready since krb5 always requests integrity and # we'd be ready since krb5 always requests integrity and
# confidentiality support. # confidentiality support.
response = self.gss_vc.unwrap(token) response = self.gss_vc.unwrap(token)
response = self.gss_vc.wrap(response.message, response.encrypted)
# This is a behavior we got from pykerberos. First byte is one,
# first four bytes are preserved (pykerberos calls this a length).
# Any additional bytes are username.
reply = []
reply[0:4] = response.message[0:4]
reply[0] = '\x01'
if self.username:
reply[5:] = self.username
reply = ''.join(reply)
response = self.gss_vc.wrap(reply, response.encrypted)
return response.message if response.message else "" return response.message if response.message else ""
except gssapi.exceptions.GSSError as err: except gssapi.exceptions.GSSError as err:
# GSSAPI errored out on us; respond with None to cancel the # GSSAPI errored out on us; respond with None to cancel the
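
Review bot: the slice in `reply[5:] = self.username` starts one position past the end of the four-element list, so the username lands at index 4 only because Python clamps an out-of-range slice assignment to an append. Writing `reply[4:] = self.username` would match the layout the comment describes and not depend on that behaviour. Nothing checks that `response.message` holds at least four bytes before `reply[0:4] = response.message[0:4]`; with a shorter unwrapped token the list is shorter too, `reply[0] = '\x01'` raises IndexError on an empty one, and the except clause visible here catches only `gssapi.exceptions.GSSError`. A length check that cancels the exchange would be safer. The comment also says the first four bytes are preserved while the next line overwrites byte 0, so it should say that only bytes 1 to 3 are carried over. Finally, `'\x01'` and `''.join(reply)` assume `response.message` is a text string; if this code has to run where it is a bytes object, the join will fail on the integer elements.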