| author | David Sommerseth <dazo@users.sourceforge.net> | 2009-03-28 19:16:29 +0100 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2009-03-28 19:16:29 +0100 |
| commit | add06f4a6033f517b6147a12be703b049ae7338a (patch) | |
| tree | 94792134b7838273bf0fcf47b474ab57106d6150 /database/sqlite/sql-schema.sql | |
| parent | b1d3a7b2621374d23ef8be5cb79d06fb3a18e3dc (diff) | |
| download | eurephia-add06f4a6033f517b6147a12be703b049ae7338a.tar.gz eurephia-add06f4a6033f517b6147a12be703b049ae7338a.tar.xz eurephia-add06f4a6033f517b6147a12be703b049ae7338a.zip | |
Fixed a "hang" when wrong password was used
Due to the current implementation of SHA512 salts, it could be
experienced as if the application hung on wrong passwords. This is
because the rounds count for the passwords is scrambled, with values
based on the given password. When a wrong password is given, this will
also result in getting a wrong salt length and hash rounds for the
following hash calculation.

Due to this, the extracted rounds value from the salt string could
return some really high number of rounds on wrong
passwords (possibly the max value of an integer). And this is why the
"hang" is experienced.

To avoid this, a check is added to make sure the rounds value is not
unreasonably higher than the configured max rounds value. If the
descrambled rounds number from the salt exceeds max rounds * 1.5, the
password (most probably) is wrong. In this case we do a sleep() to slow
down bruteforce attacks and return NULL.

The drawback is if the maxrounds later on is changed to a value which
hits this scenario:

passwordsalt_rounds > maxrounds_cfg * 1.5

In this case these old passwords will be invalidated by that
configuration change. This is considered to be a feature and not a bug.

The reason for multiplying by 1.5 is to allow a little room for
degrading the max rounds setting. By adjusting the max rounds up again,
these passwords will be valid again.

Also added a sleep() when a wrong username is attempted.
Diffstat (limited to 'database/sqlite/sql-schema.sql')
0 files changed, 0 insertions, 0 deletions
