From: Aki Tuomi
Date: Fri, 2 Dec 2022 20:04:50 +0000 (+0200)
Subject: auth: password-scheme-scram - Support rounds parameter
X-Git-Tag: 2.4.0~3285
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c92f42c9aed31227fd1ce2f18f02af25a3db55b;p=thirdparty%2Fdovecot%2Fcore.git
auth: password-scheme-scram - Support rounds parameter
---
diff --git a/src/auth/password-scheme-scram.c b/src/auth/password-scheme-scram.c
index 5f91f13a0f..ada19b644d 100644
--- a/src/auth/password-scheme-scram.c
+++ b/src/auth/password-scheme-scram.c
@@ -144,7 +144,8 @@ int scram_verify(const struct hash_method *hmethod, const char *scheme_name,
 }
 void scram_generate(const struct hash_method *hmethod, const char *plaintext,
- const unsigned char **raw_password_r, size_t *size_r)
+ unsigned int rounds, const unsigned char **raw_password_r,
+ size_t *size_r)
 {
 string_t *str;
 struct hmac_context ctx;
@@ -154,15 +155,21 @@ void scram_generate(const struct hash_method *hmethod, const char *plaintext,
 unsigned char server_key[hmethod->digest_size];
 unsigned char stored_key[hmethod->digest_size];
+ if (rounds == 0)
+ rounds = SCRAM_DEFAULT_ITERATE_COUNT;
+ else {
+ rounds = I_MAX(I_MIN(SCRAM_MAX_ITERATE_COUNT, rounds),
+ SCRAM_MIN_ITERATE_COUNT);
+ }
 random_fill(salt, sizeof(salt));
 str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(salt)));
- str_printfa(str, "%d,", SCRAM_DEFAULT_ITERATE_COUNT);
+ str_printfa(str, "%d,", rounds);
 base64_encode(salt, sizeof(salt), str);
 /* FIXME: credentials should be SASLprepped UTF8 data here */
 Hi(hmethod, (const unsigned char *)plaintext, strlen(plaintext), salt,
- sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
+ sizeof(salt), rounds, salted_password);
 /* Calculate ClientKey */
 hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
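Review bot: `str_printfa(str, "%d,", rounds);` formats the now-`unsigned int` rounds with a signed conversion; `str_printfa(str, "%u,", rounds);` matches the argument type (the preceding clamp bounds the value by SCRAM_MAX_ITERATE_COUNT, so this is a -Wformat mismatch rather than a wrong digit string in practice, assuming that macro does not exceed INT_MAX). Separately, a requested count above SCRAM_MAX_ITERATE_COUNT is silently lowered by the I_MIN/I_MAX clamp, so an administrator asking for a larger work factor gets less than requested with no indication; a comment on the clamp such as `/* 0 selects the default; other values are clamped to [MIN, MAX], not rejected */` would at least document that, and the caller could warn on out-of-range input if a logging path exists at that layer. scram_generate's body continues past the end of the hunk.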
@@ -201,10 +208,11 @@ int scram_sha1_verify(const char *plaintext,
 }
 void scram_sha1_generate(const char *plaintext,
- const struct password_generate_params *params ATTR_UNUSED,
+ const struct password_generate_params *params,
 const unsigned char **raw_password_r, size_t *size_r)
 {
- scram_generate(&hash_method_sha1, plaintext, raw_password_r, size_r);
+ scram_generate(&hash_method_sha1, plaintext, params->rounds,
+ raw_password_r, size_r);
 }
 int scram_sha256_verify(const char *plaintext,
@@ -217,8 +225,9 @@ int scram_sha256_verify(const char *plaintext,
 }
 void scram_sha256_generate(const char *plaintext,
- const struct password_generate_params *params ATTR_UNUSED,
+ const struct password_generate_params *params,
 const unsigned char **raw_password_r, size_t *size_r)
 {
- scram_generate(&hash_method_sha256, plaintext, raw_password_r, size_r);
+ scram_generate(&hash_method_sha256, plaintext, params->rounds,
+ raw_password_r, size_r);
 }
diff --git a/src/auth/password-scheme.h b/src/auth/password-scheme.h
index 17b6377b30..f5c7ff4922 100644
--- a/src/auth/password-scheme.h
+++ b/src/auth/password-scheme.h
@@ -113,7 +113,8 @@ int scram_verify(const struct hash_method *hmethod, const char *scheme_name,
 const char *plaintext, const unsigned char *raw_password,
 size_t size, const char **error_r);
 void scram_generate(const struct hash_method *hmethod, const char *plaintext,
- const unsigned char **raw_password_r, size_t *size_r);
+ unsigned int rounds, const unsigned char **raw_password_r,
+ size_t *size_r);
 int scram_sha1_verify(const char *plaintext,
 const struct password_generate_params *params ATTR_UNUSED,
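Review bot: `scram_generate(&hash_method_sha1, plaintext, params->rounds, ...)` dereferences `params` unconditionally, where the previous signature marked it ATTR_UNUSED and so tolerated any value, including NULL; if any caller can still pass NULL this is a NULL dereference in the credential-generation path. If every caller is known to pass a struct, a one-line comment stating that assumption on the function is enough; otherwise `unsigned int rounds = params != NULL ? params->rounds : 0;` passed in place of `params->rounds` keeps the old default behaviour for such callers. The same pattern is repeated in scram_sha256_generate in the following hunk.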
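Review bot: The new `rounds` parameter in the scram_generate prototype carries no documentation of its contract, and the header is where callers will look for it; a comment on the declaration such as `/* rounds: SCRAM iteration count; 0 selects SCRAM_DEFAULT_ITERATE_COUNT, other values are clamped to [SCRAM_MIN_ITERATE_COUNT, SCRAM_MAX_ITERATE_COUNT] */` states the behaviour the implementation in password-scheme-scram.c applies. Those clamp semantics are visible only in the .c hunk, not in this header hunk, which is why a reader of the prototype alone cannot recover them.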