On 3.10.2012, at 1.12, Florian Zeitz wrote: > Am 02.10.2012 23:27, schrieb Timo Sirainen: >> On 3.10.2012, at 0.05, Florian Zeitz wrote: >> >>> attached is an hg export on top of the current dovecot-2.2 branch, which >>> adds support for a SCRAM-SHA-1 password scheme. >>> >>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's >>> currently specific to the crypt password scheme, so I left it out for now. >> >> Looks pretty good. But you could improve the error handling a bit. Instead >> of atoi() use str_to_uint() and verify the error value. Also verify that >> t_strsplit() returns the correct number of values. And there should be some >> sanity check for the iter count also.. I'm not sure what, but currently it's >> possible for Hi() to go to infinite loop. >> > I shall. For the iteration count the endless loop should be fixed by > restricting the largest value to UINT_MAX-1, right?
Yeah. > I'm not too fond of > stopping people from wasting their CPU time on Hi calculation beyond > this. I can try to guestimate a "sane" upper limit, but given time I > have an icky feeling that it will end up being too low. Thoughts? Looks like RFC 5802 doesn't give any kind of a limit. But since it gets sent to various client implementations, INT_MAX is probably a good limit? Also 0 isn't a valid iteration count.
