security: Improve validate_scram_credential

Optimise the password validation when SCRAM-SHA-512 is in use,
by avoiding the validation against SCRAM-SHA-256 that will fail.

Signed-off-by: Ben Pope <ben@redpanda.com>

src/v/security/scram_algorithm.h

@@ -196,6 +196,8 @@ class scram_algorithm {
     static constexpr int min_iterations = MinIterations;
     static_assert(min_iterations > 0, "Minimum iterations must be positive");
 
+    static constexpr auto key_size = HashType::digest_size;
+
     static bytes client_signature(
       bytes_view stored_key,
       const client_first_message& client_first,

src/v/security/scram_authenticator.cc

@@ -140,11 +140,15 @@ template class scram_authenticator<scram_sha512>;
 std::optional<std::string_view> validate_scram_credential(
   const scram_credential& cred, const credential_password& password) {
     std::optional<std::string_view> sasl_mechanism;
-    if (security::scram_sha256::validate_password(
-          password, cred.stored_key(), cred.salt(), cred.iterations())) {
+    if (
+      cred.stored_key().size() == security::scram_sha256::key_size
+      && security::scram_sha256::validate_password(
+        password, cred.stored_key(), cred.salt(), cred.iterations())) {
         sasl_mechanism = security::scram_sha256_authenticator::name;
-    } else if (security::scram_sha512::validate_password(
-                 password, cred.stored_key(), cred.salt(), cred.iterations())) {
+    } else if (
+      cred.stored_key().size() == security::scram_sha512::key_size
+      && security::scram_sha512::validate_password(
+        password, cred.stored_key(), cred.salt(), cred.iterations())) {
         sasl_mechanism = security::scram_sha512_authenticator::name;
     }