[illumos-Developer] No LOGIN method in libsasl? Why not? (with webrev...)
Roland Mainz
roland.mainz at nrubsig.org
Mon Feb 14 06:05:07 PST 2011
On Mon, Feb 14, 2011 at 2:11 PM, Dan McDonald <danmcd at nexenta.com> wrote:
> On Tue, Feb 08, 2011 at 11:51:29AM -0500, Dan McDonald wrote:
>> I'm going to poke security-discuss at opensolaris.org as well, because part of
>> me wonders why, when they based the code of cyrus 2.1.15, they didn't take
>> LOGIN in with the other methods (GSS, PLAIN, etc.)?
> Here's the webrev:
>
> http://www.kebe.com/~danmcd/webrevs/sasl-login/
Some comments+questions after a 5min race through the code (and
spending much more time trying to find "LOGIN" in the standard
documentation... ;-/ ):
1. What's the difference between |_INTEGRATED_SOLARIS_| and |_SUN_SDK_|?
2. usr/src/lib/sasl_plugins/login/login.c, function
|login_server_mech_step()| uses |strlen()| on a string constant:
-- snip --
+ *serveroutlen = strlen(USERNAME_CHALLENGE);
-- snip --
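Review bot: if `strlen()` is replaced by a static expression in `*serveroutlen = strlen(USERNAME_CHALLENGE);`, it has to be `sizeof(USERNAME_CHALLENGE) - 1` (to exclude the terminating NUL), and that only holds while USERNAME_CHALLENGE expands to a string literal; should the macro ever become a `const char *`, `sizeof()` silently yields the pointer size instead of the string length. Defining the length as a named constant next to the string keeps the two in sync and avoids the recomputation; the same applies to the `strlen(PASSWORD_CHALLENGE)` case.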
IMO something like |sizeof()| or any other static expression would be
nice (some compilers are able to reduce this kind of expression to a
const integer value but not all can do that).
The issue is repeated in the code for |strlen(PASSWORD_CHALLENGE);| ...
3. Then there is this code:
+ /* get password */
+ password =
+ params->utils->malloc(sizeof(sasl_secret_t) + clientinlen + 1);
+ if (!password) {
+ MEMERROR(params->utils);
+ return SASL_NOMEM;
+ }
+
+ strncpy((char *)password->data, clientin, clientinlen);
+ password->data[clientinlen] = '\0';
+ password->len = clientinlen;
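Review bot: `strncpy((char *)password->data, clientin, clientinlen);` is the wrong copy primitive for a length-delimited network buffer: if clientin contains an embedded NUL, the copy stops there (and pads with zeros) while `password->len` is still set to clientinlen, so the stored secret and its recorded length disagree; `memcpy(password->data, clientin, clientinlen)` followed by the explicit `password->data[clientinlen] = '\0';` matches the intent. On the allocation, the `+ 1` is redundant because `sasl_secret_t` declares `data[1]`, so one byte for the terminator is already inside `sizeof(sasl_secret_t)`, but over-allocating by one is harmless. The hunk shows no upper bound on clientinlen before the malloc; if the caller does not already enforce the mechanism's maximum, a check here would be appropriate.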
Why are you allocating |clientinlen + 1| instead of |clientinlen| in
this case? /usr/include/sasl/sasl.h defines member |data| of
|sasl_secret_t| as |unsigned char data[1];|, e.g. it has at least one
byte allocated in the structure itself... which AFAIK makes the need
for an extra |+1| for the '\0'-character unnecessary...
4. Maybe it would be nice to have a comment in the source at the top
that "LOGIN" is non-standard...
----
bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)