[Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

Florian Zeitz florob at babelmonkeys.de
Wed Oct 3 01:12:29 EEST 2012


On 02.10.2012 23:27, Timo Sirainen wrote:
> On 3.10.2012, at 0.05, Florian Zeitz wrote:
> 
>> attached is an hg export on top of the current dovecot-2.2 branch, which
>> adds support for a SCRAM-SHA-1 password scheme.
>>
>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
>> currently specific to the crypt password scheme, so I left it out for now.
> 
> Looks pretty good. But you could improve the error handling a bit. Instead of atoi() use str_to_uint() and verify the error value. Also verify that t_strsplit() returns the correct number of values. And there should be some sanity check for the iter count also.. I'm not sure what, but currently it's possible for Hi() to go into an infinite loop.
> 
I shall. For the iteration count the endless loop should be fixed by
restricting the largest value to UINT_MAX-1, right? I'm not too fond of
stopping people from wasting their CPU time on Hi calculation beyond
this. I can try to guesstimate a "sane" upper limit, but given time I
have an icky feeling that it will end up being too low. Thoughts?
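
The checks discussed in this thread, as an added example that is not code from the patch or from Dovecot: a standalone C parser that rejects input atoi() would silently accept, requires an exact field count, and bounds the iteration count. The comma-separated four-field layout, the function names and the `max_iter` parameter are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define SCRAM_FIELDS 4 /* assumed layout: iter,salt,stored_key,server_key */

/* Strict decimal parse into [1, max]; rejects "", "-1", " 5", "12abc", overflow. */
static int parse_iter(const char *s, unsigned int max, unsigned int *iter_r)
{
	char *end;
	unsigned long v;
	if (!isdigit((unsigned char)s[0]))
		return -1; /* strtoul() alone would accept a sign or whitespace */
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno != 0 || *end != '\0' || v < 1 || v > max)
		return -1;
	*iter_r = (unsigned int)v;
	return 0;
}

/* Split buf in place on ',' and require exactly SCRAM_FIELDS non-empty fields. */
static int split_fields(char *buf, char *fields[SCRAM_FIELDS])
{
	int n = 0;
	char *p = buf;
	for (;;) {
		if (n == SCRAM_FIELDS || *p == '\0' || *p == ',')
			return -1; /* too many fields, or an empty one */
		fields[n++] = p;
		if ((p = strchr(p, ',')) == NULL)
			break;
		*p++ = '\0';
	}
	return n == SCRAM_FIELDS ? 0 : -1;
}

/* Parse a stored credential. Requiring max_iter <= UINT_MAX - 1 means a loop
 * shaped like "for (i = 1; i <= iter; i++)" with unsigned i (assumed shape)
 * can always reach its exit condition instead of wrapping around forever. */
int scram_parse(char *buf, unsigned int max_iter, unsigned int *iter_r)
{
	char *f[SCRAM_FIELDS];
	if (max_iter > UINT_MAX - 1 || split_fields(buf, f) < 0)
		return -1;
	return parse_iter(f[0], max_iter, iter_r);
}
```

Callers choose `max_iter`; the parser only enforces that it never exceeds UINT_MAX - 1.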


