lib-sasl: sasl-server-mech-gssapi - Move mech_gssapi_oid_cmp() to lib-auth/auth-gssapi as auth_gssapi_oid_equal()

1 week ago · 8e2438e418
7 changed files with 28 additions and 13 deletions
--- a/configure.ac
+++ b/configure.ac
@ -626,7 +626,7 @@ else
    LIBDOVECOT_LUA='$(top_builddir)/src/lib-lua/libdlua.la'
  fi
  if test $want_gssapi != no; then
-    LIBDOVECOT_GSSAPI='$(top_builddir)/src/lib-sasl/libsasl-gssapi.la'
+    LIBDOVECOT_GSSAPI='$(top_builddir)/src/lib-auth/libauth-gssapi.la $(top_builddir)/src/lib-sasl/libsasl-gssapi.la'
  fi
 fi
 LIBDOVECOT_GSSAPI_DEPS="$LIBDOVECOT_GSSAPI"
--- a/src/lib-auth/Makefile.am
+++ b/src/lib-auth/Makefile.am
@ -1,4 +1,7 @@
 noinst_LTLIBRARIES = libauth-crypt.la libauth.la
+if HAVE_GSSAPI
+noinst_LTLIBRARIES += libauth-gssapi.la
+endif

 AM_CPPFLAGS = \
 	$(LIBSODIUM_CFLAGS) \
@ -28,6 +31,9 @@ libauth_crypt_la_LIBADD = \
 	$(LIBSODIUM_LIBS) \
 	$(CRYPT_LIBS)

+libauth_gssapi_la_SOURCES = \
+	auth-gssapi.c
+
 headers = \
 	mycrypt.h \
 	auth-digest.h \
--- a/src/lib-auth/auth-gssapi.c
+++ b/src/lib-auth/auth-gssapi.c
@ -0,0 +1,11 @@
+/* Copyright (c) 2025 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "auth-gssapi.h"
+
+bool auth_gssapi_oid_equal(const gss_OID_desc *oid1, const gss_OID_desc *oid2)
+{
+	return (oid1->length == oid2->length &&
+		mem_equals_timing_safe(oid1->elements, oid2->elements,
+				       oid1->length));
+}
--- a/src/lib-auth/auth-gssapi.h
+++ b/src/lib-auth/auth-gssapi.h
@ -17,4 +17,6 @@
 #  include <gssapi/gssapi_ext.h>
 #endif

+bool auth_gssapi_oid_equal(const gss_OID_desc *oid1, const gss_OID_desc *oid2);
+
 #endif
--- a/src/lib-dovecot/Makefile.am
+++ b/src/lib-dovecot/Makefile.am
@ -16,10 +16,12 @@ libdovecot_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS)
 libdovecot_gssapi_la_SOURCES =
 libdovecot_gssapi_la_LIBADD = \
 	$(top_builddir)/src/lib-sasl/libsasl-gssapi.la \
+	$(top_builddir)/src/lib-auth/libauth-gssapi.la \
 	$(MODULE_LIBS) \
 	$(KRB5_LIBS) \
 	$(RELRO_LDFLAGS)
 libdovecot_gssapi_la_DEPENDENCIES = \
-	$(top_builddir)/src/lib-sasl/libsasl-gssapi.la
+	$(top_builddir)/src/lib-sasl/libsasl-gssapi.la \
+	$(top_builddir)/src/lib-auth/libauth-gssapi.la
 libdovecot_gssapi_la_LDFLAGS = -export-dynamic
 endif
--- a/src/lib-sasl/Makefile.am
+++ b/src/lib-sasl/Makefile.am
@ -56,7 +56,9 @@ libsasl_gssapi_la_SOURCES = \
 	sasl-server-mech-gssapi.c
 libsasl_gssapi_la_LIBADD = $(KRB5_LIBS)
 libsasl_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS)
-libsasl_gssapi_la_DEPENDENCIES = libsasl.la
+libsasl_gssapi_la_DEPENDENCIES = \
+	libsasl.la \
+	../lib-auth/libauth-gssapi.la
 endif

 headers = \
--- a/src/lib-sasl/sasl-server-mech-gssapi.c
+++ b/src/lib-sasl/sasl-server-mech-gssapi.c
@ -225,14 +225,6 @@ get_display_name(struct gssapi_auth_request *request, gss_name_t name,
 	return 0;
 }

-static bool
-mech_gssapi_oid_cmp(const gss_OID_desc *oid1, const gss_OID_desc *oid2)
-{
-	return (oid1->length == oid2->length &&
-		mem_equals_timing_safe(oid1->elements, oid2->elements,
-				       oid1->length));
-}
-
 static int
 mech_gssapi_sec_context(struct gssapi_auth_request *request,
 			gss_buffer_desc inbuf)
@ -269,7 +261,7 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request,

 	switch (major_status) {
 	case GSS_S_COMPLETE:
-		if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) {
+		if (!auth_gssapi_oid_equal(mech_type, &mech_gssapi_krb5_oid)) {
 			e_info(auth_request->event,
 			       "GSSAPI mechanism not Kerberos5");
 			ret = -1;
@ -392,7 +384,7 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
 			     &princ_display_name) < 0)
 		return FALSE;

-	if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
+	if (!auth_gssapi_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) &&
 	    check_name_type) {
 		e_info(auth_request->event, "OID not kerberos principal name");
 		return FALSE;