From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Fri, 2 May 2025 02:46:34 +0000 (+0200)
Subject: auth: mech-gssapi - Fix handling of server sending empty initial response
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=473532fb9b5d00aa0900331f463d404a672e3b8f;p=thirdparty%2Fdovecot%2Fcore.git

auth: mech-gssapi - Fix handling of server sending empty initial response

This situation was erroneously interpreted as sending an out-of-band challenge
for the recently added channel binding feature, which causes GSSAPI
authentication to fail when the client does not send the intial response as part
of the AUTHENTICATION command.
---

diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
index 57a2b125b2..4ff5716528 100644
--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_request *request,
 
 	if (data_size == 0) {
 		/* The client should go first */
-		auth_request_handler_reply_continue(request, NULL, 0);
+		auth_request_handler_reply_continue(request, uchar_empty_ptr, 0);
 	} else {
 		mech_gssapi_auth_continue(request, data, data_size);
 	}