On 02.10.2012 23:27, Timo Sirainen wrote:
> On 3.10.2012, at 0.05, Florian Zeitz wrote:
>
>> attached is an hg export on top of the current dovecot-2.2 branch, which
>> adds support for a SCRAM-SHA-1 password scheme.
>>
>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
>> currently specific to the crypt password scheme, so I left it out for now.
>
> Looks pretty good. But you could improve the error handling a bit. Instead of
> atoi() use str_to_uint() and verify the error value. Also verify that
> t_strsplit() returns the correct number of values. And there should be some
> sanity check for the iter count also.. I'm not sure what, but currently it's
> possible for Hi() to go into an infinite loop.
>
I shall. For the iteration count the endless loop should be fixed by
restricting the largest value to UINT_MAX-1, right? I'm not too fond of
stopping people from wasting their CPU time on Hi calculation beyond
this. I can try to guesstimate a "sane" upper limit, but given time I
have an icky feeling that it will end up being too low. Thoughts?