[Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

Timo Sirainen tss at iki.fi
Wed Oct 3 01:31:51 EEST 2012


On 3.10.2012, at 1.12, Florian Zeitz wrote:

> Am 02.10.2012 23:27, schrieb Timo Sirainen:
>> On 3.10.2012, at 0.05, Florian Zeitz wrote:
>> 
>>> attached is an hg export on top of the current dovecot-2.2 branch, which
>>> adds support for a SCRAM-SHA-1 password scheme.
>>> 
>>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
>>> currently specific to the crypt password scheme, so I left it out for now.
>> 
>> Looks pretty good. But you could improve the error handling a bit. Instead of atoi() use str_to_uint() and verify the error value. Also verify that t_strsplit() returns the correct number of values. And there should be some sanity check for the iter count also. I'm not sure what, but currently it's possible for Hi() to go into an infinite loop.
>> 
> I shall. For the iteration count the endless loop should be fixed by
> restricting the largest value to UINT_MAX-1, right?

Yeah.

> I'm not too fond of
> stopping people from wasting their CPU time on Hi calculation beyond
> this. I can try to guesstimate a "sane" upper limit, but given time I
> have an icky feeling that it will end up being too low. Thoughts?

Looks like RFC 5802 doesn't give any kind of a limit. But since it gets sent to various client implementations, INT_MAX is probably a good limit? Also 0 isn't a valid iteration count.
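As an added illustration of the input checks discussed in this thread (not code from the submitted patch or from Dovecot itself): a strict parser for a stored SCRAM-SHA-1 entry that rejects a wrong field count, a non-numeric or overflowing iteration count, an iteration count of 0, and one above INT_MAX. It assumes the entry is laid out as `iterations,salt,stored_key,server_key`, uses the standard `strtoul()` with errno and end-pointer checks in place of Dovecot's `str_to_uint()`, and splits the fields by hand in place of `t_strsplit()`; the field names, buffer limits and sample values are constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the stored scheme string (not taken from the patch):
 *   <iterations>,<salt>,<stored_key>,<server_key>   (salt and keys base64) */
#define SCRAM_FIELDS    4
#define SCRAM_FIELD_MAX 127
#define SCRAM_MAX_ITER  INT_MAX   /* upper bound suggested in the thread; 0 is also invalid */

enum scram_parse_err {
    SCRAM_OK = 0,
    SCRAM_ERR_FIELDS,       /* not exactly four comma-separated fields */
    SCRAM_ERR_FIELD_LEN,    /* a field does not fit the fixed buffers */
    SCRAM_ERR_ITER_SYNTAX,  /* iteration count is not a plain decimal number */
    SCRAM_ERR_ITER_RANGE    /* iteration count is 0 or above SCRAM_MAX_ITER */
};

struct scram_fields {
    unsigned int iter;
    char salt[SCRAM_FIELD_MAX + 1];
    char stored_key[SCRAM_FIELD_MAX + 1];
    char server_key[SCRAM_FIELD_MAX + 1];
};

/* Strict decimal parse: digits only, no sign or whitespace, no overflow.
 * This is what atoi() does not give you: atoi("abc") silently yields 0 and
 * atoi() on an out-of-range value is undefined behaviour. 0 on success, -1 on error. */
static int parse_uint_strict(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;

    if (s[0] < '0' || s[0] > '9')   /* also rejects "", "-1", "+1", " 4096" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return -1;
    *out = (unsigned int)v;
    return 0;
}

static int copy_field(char *dst, const char *src)
{
    size_t len = strlen(src);
    if (len > SCRAM_FIELD_MAX)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

enum scram_parse_err scram_parse(const char *spec, struct scram_fields *out)
{
    char buf[SCRAM_FIELDS * (SCRAM_FIELD_MAX + 1) + 32];
    const char *fields[SCRAM_FIELDS];
    char *p, *comma;
    int n = 0;

    if (strlen(spec) >= sizeof(buf))
        return SCRAM_ERR_FIELD_LEN;
    strcpy(buf, spec);

    /* Split on ',' and count every field, empty ones included, so that both
     * too few and too many fields are rejected (the t_strsplit() count check
     * asked for in the review). */
    for (p = buf;; p = comma + 1) {
        comma = strchr(p, ',');
        if (comma != NULL)
            *comma = '\0';
        if (n < SCRAM_FIELDS)
            fields[n] = p;
        n++;
        if (comma == NULL)
            break;
    }
    if (n != SCRAM_FIELDS)
        return SCRAM_ERR_FIELDS;

    if (parse_uint_strict(fields[0], &out->iter) != 0)
        return SCRAM_ERR_ITER_SYNTAX;
    /* Bounding the count here keeps an unsigned loop counter in Hi() that
     * runs up to iter from ever wrapping (the UINT_MAX case discussed above)
     * and caps the work a corrupt or hostile database entry can demand. */
    if (out->iter == 0 || out->iter > SCRAM_MAX_ITER)
        return SCRAM_ERR_ITER_RANGE;

    if (copy_field(out->salt, fields[1]) != 0 ||
        copy_field(out->stored_key, fields[2]) != 0 ||
        copy_field(out->server_key, fields[3]) != 0)
        return SCRAM_ERR_FIELD_LEN;
    return SCRAM_OK;
}

int main(void)
{
    /* constructed sample entries; the base64 fields are placeholders */
    static const char *samples[] = {
        "4096,c2FsdA==,c3RvcmVkS2V5,c2VydmVyS2V5",
        "0,c2FsdA==,c3RvcmVkS2V5,c2VydmVyS2V5",
        "4096abc,c2FsdA==,c3RvcmVkS2V5,c2VydmVyS2V5",
        "4096,c2FsdA==,c3RvcmVkS2V5",
    };
    struct scram_fields f;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum scram_parse_err err = scram_parse(samples[i], &f);
        printf("%-48s -> %s\n", samples[i], err == SCRAM_OK ? "ok" : "rejected");
    }
    return 0;
}
```

The parser deliberately fails closed: anything that is not exactly four fields with a digits-only count in [1, INT_MAX] is rejected before any of the base64 fields are even looked at, so a malformed entry can never reach Hi() with a count that wraps or takes unbounded time.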

