fix(web): support passwords up to 2048 characters

Fixes #5485

Documentation/SOGoInstallationGuide.asciidoc

@@ -3142,6 +3142,10 @@ current version of SOGo from the previous release.
 
 [cols="100a"]
 |=======================================================================
+h|5.6.0
+|The session table (`OCSSessionsFolderURL`) must be dropped prior to restart sogod.
+This will allow users to use larger passwords (up to 2048 characters).
+
 h|5.3.0
 |A new private salt must be generated for users using TOTP. When TOTP is enabled for a user, it will
 be disabled until the user configures it again, which will generate a new private salt.

SOPE/GDLContentStore/GCSSpecialQueries.m

@@ -189,7 +189,7 @@
   static NSString *sqlFolderFormat
     = (@"CREATE TABLE %@ ("
        @" c_id VARCHAR(255) PRIMARY KEY,"
-       @" c_value VARCHAR(255) NOT NULL,"
+       @" c_value VARCHAR(4096) NOT NULL,"
        @" c_creationdate INT4 NOT NULL,"
        @" c_lastseen INT4 NOT NULL)");
 
@@ -294,7 +294,7 @@
   static NSString *sqlFolderFormat
     = (@"CREATE TABLE %@ (" 
        @" c_id VARCHAR(255) PRIMARY KEY,"
-       @" c_value VARCHAR(255) NOT NULL,"
+       @" c_value VARCHAR(4096) NOT NULL,"
        @" c_creationdate INT NOT NULL,"
        @" c_lastseen INT NOT NULL)");
 
@@ -398,7 +398,7 @@
   static NSString *sqlFolderFormat
     = (@"CREATE TABLE %@ (" 
        @" c_id VARCHAR2(255) PRIMARY KEY,"
-       @" c_value VARCHAR2(255) NOT NULL,"
+       @" c_value VARCHAR2(4096) NOT NULL,"
        @" c_creationdate INTEGER NOT NULL,"
        @" c_lastseen INTEGER NOT NULL)");
 

SoObjects/SOGo/SOGoSession.m

@@ -28,6 +28,7 @@
 #import <GDLContentStore/GCSFolderManager.h>
 
 #import <NGExtensions/NGBase64Coding.h>
+#import <NGExtensions/NSObject+Logs.h>
 
 #include <fcntl.h>
 #include <unistd.h>
@@ -120,7 +121,7 @@
 + (NSString *) generateKeyForLength: (unsigned int) theLength
 {
   char *buf;
-  int fd;
+  int fd, len;
   
   fd = open("/dev/urandom", O_RDONLY);
 
@@ -129,13 +130,14 @@
       NSData *data;
       NSString *s;
 
-      buf = (char *)malloc(theLength);
-      read(fd, buf, theLength);
+      len = (int)theLength/1.33; // base64 encoding will increase length by about 33%
+      buf = (char *)malloc(len);
+      read(fd, buf, len);
       close(fd);
 
       // We encode the bytes in base64 with a line lenght fixed to 1024 since
       // we want to avoid folding the values
-      data = [NSData dataWithBytesNoCopy: buf  length: theLength  freeWhenDone: YES];
+      data = [NSData dataWithBytesNoCopy: buf  length: len  freeWhenDone: YES];
     
       s = [[NSString alloc] initWithData: [data dataByEncodingBase64WithLineLength: 1024]
 			    encoding: NSASCIIStringEncoding];
@@ -163,6 +165,9 @@
   key = (char *)[data bytes];
   klen = [data length];
 
+  if (klen < [theValue length])
+    [self errorWithFormat: @"Value to be secured is too big (%i > %i) -- secured value will be corrupted", [theValue length], klen, [theKey length]];
+
   // Get the key - padding it with 0 with key length
   pass = (char *) calloc(klen, sizeof(char));
   [theValue getCString: pass  maxLength: klen  encoding: NSUTF8StringEncoding];

SoObjects/SOGo/SOGoWebAuthenticator.m

@@ -46,10 +46,13 @@
 #import "SOGoWebAuthenticator.h"
 
 #define COOKIE_SESSIONKEY_LEN 16
-/* the key b64 encoded key XORed with the cookie value
- * must fit in the database field which is 255 char long at the moment
+/**
+   The base64 encoded key XORed with the cookie value. It must fit in the
+   database field which is 4096 char long. The browser cookie limit is
+   about the same. The length is prior to bas64 encoding, so we must calculate
+   a 33-36% increase.
  */
-#define COOKIE_USERKEY_LEN    160
+#define COOKIE_USERKEY_LEN    3000
 
 @implementation SOGoWebAuthenticator