[Dovecot] [PATCH] SCRAM-SHA-1 authentication

Florian Zeitz florob at babelmonkeys.de
Sun Sep 18 04:44:48 EEST 2011


On 16.09.2011 14:40, Timo Sirainen wrote:
> On Fri, 2011-09-16 at 02:47 +0200, Florian Zeitz wrote:
> 
> Looks pretty good. Below are a few things I noticed. I could fix these
> myself next week also, or you can do them during weekend if you want
> to. :)
> 
I decided to do it myself, hope this fixes all issues.

>  - Could be nicer if client->proof was stored base64-decoded, so its
> validity could be checked and also later there wouldn't be need to
> base64-encode signature when testing it.
> 
>  - Doesn't verify_credentials() need to check the credentials in any way
> that it contains expected (sized) data? Anything is allowed?
> 
I don't think it needs to. The password read from the database can
legitimately have any length and from the client it just takes a base64
encoded SHA-1 hash. The correct size of that was previously implicitly
checked when comparing the base64 encoded data (strings of different
length don't compare equal). It's now explicitly checked after base64
decoding the client proof.
Attachment: scram-sha-1.exp
URL: <http://dovecot.org/pipermail/dovecot/attachments/20110918/47ca797a/attachment-0004.pl>
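The verification step discussed above, as an added example that is not Florian's patch or any Dovecot code: a server-side SCRAM-SHA-1 proof check in the style of RFC 5802, written in Python rather than C so it runs stand-alone. The client proof is taken base64-encoded from the wire, decoded, and rejected unless it is exactly one SHA-1 digest (20 bytes) before it is XORed against the client signature; that is the explicit length check that replaces the implicit one a string comparison of two base64 values used to give. The nonces, salt, iteration count, password and AuthMessage are constructed for the demonstration and are not values from the mail.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example of SCRAM-SHA-1 (RFC 5802) proof verification. This is NOT
# Dovecot's code; all sample values below are constructed for the demo.

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes: the only valid proof length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from RFC 5802 is PBKDF2-HMAC-SHA-1 with dkLen = 20."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, DIGEST_LEN)


def client_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Client Key", hashlib.sha1).digest()


def stored_key(salted: bytes) -> bytes:
    """What the server keeps: StoredKey = H(ClientKey); the raw password is not needed."""
    return hashlib.sha1(client_key(salted)).digest()


def client_proof(salted: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    ck = client_key(salted)
    sig = hmac.new(hashlib.sha1(ck).digest(), auth_message, hashlib.sha1).digest()
    return xor_bytes(ck, sig)


def encode_proof(proof: bytes) -> str:
    return base64.b64encode(proof).decode("ascii")


def decode_proof(proof_b64: str) -> Optional[bytes]:
    """Decode the p= attribute and reject it unless it is exactly one SHA-1 digest.

    Comparing base64 strings made the length check implicit; once the server
    decodes the proof and XORs it against a 20-byte signature, the check has
    to be explicit, or a short or long proof would be processed as if it fit.
    """
    try:
        proof = base64.b64decode(proof_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(proof) != DIGEST_LEN:
        return None
    return proof


def verify_proof(stored: bytes, auth_message: bytes, proof_b64: str) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    proof = decode_proof(proof_b64)
    if proof is None:
        return False
    sig = hmac.new(stored, auth_message, hashlib.sha1).digest()
    ck = xor_bytes(proof, sig)
    return hmac.compare_digest(hashlib.sha1(ck).digest(), stored)


# Constructed exchange (sample values, not taken from the mail or the RFC).
CLIENT_FIRST_BARE = b"n=user,r=c1i3ntn0nc3"
SERVER_FIRST = b"r=c1i3ntn0nc3s3rv3rn0nc3,s=c2FsdHNhbHQ=,i=4096"  # s= is base64("saltsalt")
CLIENT_FINAL_NO_PROOF = b"c=biws,r=c1i3ntn0nc3s3rv3rn0nc3"
AUTH_MESSAGE = b",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF])
SALT = base64.b64decode(b"c2FsdHNhbHQ=")
ITERATIONS = 4096
PASSWORD = b"pencil"


def demo() -> dict:
    """Run one good proof and several malformed variants through verify_proof."""
    salted = salted_password(PASSWORD, SALT, ITERATIONS)
    stored = stored_key(salted)
    proof = client_proof(salted, AUTH_MESSAGE)
    wrong_salted = salted_password(b"pencils", SALT, ITERATIONS)
    return {
        "valid": verify_proof(stored, AUTH_MESSAGE, encode_proof(proof)),
        "truncated": verify_proof(stored, AUTH_MESSAGE, encode_proof(proof[:-1])),
        "too_long": verify_proof(stored, AUTH_MESSAGE, encode_proof(proof + b"\x00")),
        "not_base64": verify_proof(stored, AUTH_MESSAGE, "p=not*base64"),
        "wrong_password": verify_proof(
            stored, AUTH_MESSAGE, encode_proof(client_proof(wrong_salted, AUTH_MESSAGE))),
        "other_auth_message": verify_proof(stored, AUTH_MESSAGE + b"x", encode_proof(proof)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The length check sits in decode_proof so that verify_proof never XORs a proof of the wrong size; in a C implementation that would otherwise read or write past the 20-byte buffer. The final comparison uses a constant-time compare, and the server only ever needs StoredKey, which is why the stored credential can be of any form the database provides while the wire proof is fixed-size.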
