From 8e2438e41886c160f1798057fa6899685d251aad Mon Sep 17 00:00:00 2001 From: Stephan Bosch Date: Tue, 7 Oct 2025 04:01:29 +0200 Subject: [PATCH] lib-sasl: sasl-server-mech-gssapi - Move mech_gssapi_oid_cmp() to lib-auth/auth-gssapi as auth_gssapi_oid_equal() --- configure.ac | 2 +- src/lib-auth/Makefile.am | 6 ++++++ src/lib-auth/auth-gssapi.c | 11 +++++++++++ src/lib-auth/auth-gssapi.h | 2 ++ src/lib-dovecot/Makefile.am | 4 +++- src/lib-sasl/Makefile.am | 4 +++- src/lib-sasl/sasl-server-mech-gssapi.c | 12 ++---------- 7 files changed, 28 insertions(+), 13 deletions(-) create mode 100644 src/lib-auth/auth-gssapi.c diff --git a/configure.ac b/configure.ac index 2c47f971a2..cf5857c836 100644 --- a/configure.ac +++ b/configure.ac @@ -626,7 +626,7 @@ else LIBDOVECOT_LUA='$(top_builddir)/src/lib-lua/libdlua.la' fi if test $want_gssapi != no; then - LIBDOVECOT_GSSAPI='$(top_builddir)/src/lib-sasl/libsasl-gssapi.la' + LIBDOVECOT_GSSAPI='$(top_builddir)/src/lib-auth/libauth-gssapi.la $(top_builddir)/src/lib-sasl/libsasl-gssapi.la' fi fi LIBDOVECOT_GSSAPI_DEPS="$LIBDOVECOT_GSSAPI" diff --git a/src/lib-auth/Makefile.am b/src/lib-auth/Makefile.am index 817afd21d8..fefb78448a 100644 --- a/src/lib-auth/Makefile.am +++ b/src/lib-auth/Makefile.am @@ -1,4 +1,7 @@ noinst_LTLIBRARIES = libauth-crypt.la libauth.la +if HAVE_GSSAPI +noinst_LTLIBRARIES += libauth-gssapi.la +endif AM_CPPFLAGS = \ $(LIBSODIUM_CFLAGS) \ @@ -28,6 +31,9 @@ libauth_crypt_la_LIBADD = \ $(LIBSODIUM_LIBS) \ $(CRYPT_LIBS) +libauth_gssapi_la_SOURCES = \ + auth-gssapi.c + headers = \ mycrypt.h \ auth-digest.h \ diff --git a/src/lib-auth/auth-gssapi.c b/src/lib-auth/auth-gssapi.c new file mode 100644 index 0000000000..008dfdb067 --- /dev/null +++ b/src/lib-auth/auth-gssapi.c 
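Review bot: The new LIBDOVECOT_GSSAPI value lists libauth-gssapi.la before libsasl-gssapi.la, which is the reverse of the order the lib-dovecot/Makefile.am hunk uses in libdovecot_gssapi_la_LIBADD (libsasl-gssapi.la first, then libauth-gssapi.la). Since sasl-server-mech-gssapi.c now calls auth_gssapi_oid_equal(), libsasl-gssapi depends on libauth-gssapi, and a static link resolves symbols left to right, so the dependency should follow the library that needs it; libtool's whole-archive handling of convenience libraries may hide this in shared builds, but the two places should at least agree. Suggested: `LIBDOVECOT_GSSAPI='$(top_builddir)/src/lib-sasl/libsasl-gssapi.la $(top_builddir)/src/lib-auth/libauth-gssapi.la'`.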
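Review bot: In the second lib-auth/Makefile.am hunk, libauth_gssapi_la_SOURCES is added without a matching libauth_gssapi_la_CPPFLAGS, so auth-gssapi.c is compiled with only AM_CPPFLAGS, whereas the other GSSAPI objects touched by this patch (libsasl_gssapi_la_CPPFLAGS and libdovecot_gssapi_la_CPPFLAGS) add $(KRB5_CFLAGS); auth-gssapi.h evidently includes the GSS-API headers (gss_OID_desc comes from there), which live outside the default include path on some systems. Unless lib-auth's AM_CPPFLAGS already carries $(KRB5_CFLAGS) (only its first entry, $(LIBSODIUM_CFLAGS), is visible here), add `libauth_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS)` next to the new SOURCES line. The AM_CPPFLAGS definition continues outside the hunk.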
@@ -0,0 +1,11 @@ +/* Copyright (c) 2025 Dovecot authors, see the included COPYING file */ + +#include "lib.h" +#include "auth-gssapi.h" + +bool auth_gssapi_oid_equal(const gss_OID_desc *oid1, const gss_OID_desc *oid2) +{ + return (oid1->length == oid2->length && + mem_equals_timing_safe(oid1->elements, oid2->elements, + oid1->length)); +} diff --git a/src/lib-auth/auth-gssapi.h b/src/lib-auth/auth-gssapi.h index 9c55999725..3dd28638e0 100644 --- a/src/lib-auth/auth-gssapi.h +++ b/src/lib-auth/auth-gssapi.h @@ -17,4 +17,6 @@ # include #endif +bool auth_gssapi_oid_equal(const gss_OID_desc *oid1, const gss_OID_desc *oid2); + #endif diff --git a/src/lib-dovecot/Makefile.am b/src/lib-dovecot/Makefile.am index 4b27ee6024..feb9d064ae 100644 --- a/src/lib-dovecot/Makefile.am +++ b/src/lib-dovecot/Makefile.am @@ -16,10 +16,12 @@ libdovecot_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS) libdovecot_gssapi_la_SOURCES = libdovecot_gssapi_la_LIBADD = \ $(top_builddir)/src/lib-sasl/libsasl-gssapi.la \ + $(top_builddir)/src/lib-auth/libauth-gssapi.la \ $(MODULE_LIBS) \ $(KRB5_LIBS) \ $(RELRO_LDFLAGS) libdovecot_gssapi_la_DEPENDENCIES = \ - $(top_builddir)/src/lib-sasl/libsasl-gssapi.la + $(top_builddir)/src/lib-sasl/libsasl-gssapi.la \ + $(top_builddir)/src/lib-auth/libauth-gssapi.la libdovecot_gssapi_la_LDFLAGS = -export-dynamic endif diff --git a/src/lib-sasl/Makefile.am b/src/lib-sasl/Makefile.am index b338e341c9..9cf297712a 100644 --- a/src/lib-sasl/Makefile.am +++ b/src/lib-sasl/Makefile.am @@ -56,7 +56,9 @@ libsasl_gssapi_la_SOURCES = \ sasl-server-mech-gssapi.c libsasl_gssapi_la_LIBADD = $(KRB5_LIBS) libsasl_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS) -libsasl_gssapi_la_DEPENDENCIES = libsasl.la +libsasl_gssapi_la_DEPENDENCIES = \ + libsasl.la \ + ../lib-auth/libauth-gssapi.la endif headers = \ diff --git a/src/lib-sasl/sasl-server-mech-gssapi.c b/src/lib-sasl/sasl-server-mech-gssapi.c index 204675712a..963c30b70c 100644 
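Review bot: auth_gssapi_oid_equal() dereferences both oid1 and oid2 unconditionally, and now that it is an exported lib-auth function rather than a static helper next to its two callers, that contract should be stated on the declaration added in the following auth-gssapi.h hunk, which currently carries no comment. The mech_type and name_type values the sasl-server-mech-gssapi.c callers pass appear to be OIDs handed back by the GSS-API library, which could presumably be GSS_C_NO_OID for a mechanism that does not report one. Either document that both arguments must be non-NULL, with a comment above the declaration such as `/* Returns TRUE if the two OIDs have identical length and elements; both must be non-NULL. */`, or make the helper tolerate it by adding `if (oid1 == GSS_C_NO_OID || oid2 == GSS_C_NO_OID) return oid1 == oid2;` as its first statement. Note also that oid1->length is an OM_uint32 while mem_equals_timing_safe() takes a size_t; the implicit widening is fine but worth a short comment since the function is now public.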
--- a/src/lib-sasl/sasl-server-mech-gssapi.c +++ b/src/lib-sasl/sasl-server-mech-gssapi.c @@ -225,14 +225,6 @@ get_display_name(struct gssapi_auth_request *request, gss_name_t name, return 0; } -static bool -mech_gssapi_oid_cmp(const gss_OID_desc *oid1, const gss_OID_desc *oid2) -{ - return (oid1->length == oid2->length && - mem_equals_timing_safe(oid1->elements, oid2->elements, - oid1->length)); -} - static int mech_gssapi_sec_context(struct gssapi_auth_request *request, gss_buffer_desc inbuf) @@ -269,7 +261,7 @@ mech_gssapi_sec_context(struct gssapi_auth_request *request, switch (major_status) { case GSS_S_COMPLETE: - if (!mech_gssapi_oid_cmp(mech_type, &mech_gssapi_krb5_oid)) { + if (!auth_gssapi_oid_equal(mech_type, &mech_gssapi_krb5_oid)) { e_info(auth_request->event, "GSSAPI mechanism not Kerberos5"); ret = -1; @@ -392,7 +384,7 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request, &princ_display_name) < 0) return FALSE; - if (!mech_gssapi_oid_cmp(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) && + if (!auth_gssapi_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME) && check_name_type) { e_info(auth_request->event, "OID not kerberos principal name"); return FALSE;
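Review bot: In the mech_gssapi_krb5_userok() hunk the replacement keeps the comparison ahead of the flag, so `auth_gssapi_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)` runs, and dereferences name_type, even when check_name_type is FALSE and its result is discarded. Reordering the condition to `if (check_name_type && !auth_gssapi_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {` preserves behaviour when the check is enabled and skips the dereference otherwise. mech_gssapi_krb5_userok() starts and ends outside the hunk.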