On 1-5-2025 at 21:36, Noah Meyerhans via dovecot wrote:
On Wed, Apr 30, 2025 at 08:30:16PM +0300, Aki Tuomi via dovecot wrote:
GSSAPI is one of these pretty opaque protocols. Since it works with mutt, and
does not work with gsasl, it could be something with gsasl.
I can only see one change in mech-gssapi, we use mech_gssapi_krb5_userok()
always. Also we have added support for final response processing, which was
missing in 2.3.21.1.
I've traced the issue to commit 1486c30 ("auth: Add support for channel
binding"). With this commit reverted (along with 848cceb25c2 ("auth:
mech-scram - Implement SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS"), which
depends on it but isn't related to gssapi handling) then authentication
from gsasl is again possible.
I haven't looked deeply into exactly what in this commit is causing the
regression yet.
https://github.com/dovecot/core/commit/1486c30e191
https://github.com/dovecot/core/commit/848cceb25c2
I am having some difficulty setting up an environment to test this right
now, but I think this should fix it:
diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
index 57a2b125b2..4ff5716528 100644
--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_request *request,
if (data_size == 0) {
/* The client should go first */
- auth_request_handler_reply_continue(request, NULL, 0);
+ auth_request_handler_reply_continue(request,
uchar_empty_ptr, 0);
} else {
mech_gssapi_auth_continue(request, data, data_size);
}
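Review bot: In the data_size == 0 branch, nothing in the code says why the continue reply takes uchar_empty_ptr with length 0 rather than NULL with length 0, and the existing comment "The client should go first" does not cover it. Extend that comment to state that the reply is intended to be a non-NULL zero-length buffer, so a later cleanup does not change it back to NULL. The patch is posted without a test run, so it should be confirmed against the gsasl client from the report before it is merged.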
Regards,
Stephan.
noah
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]