mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438
More security for less pain than switching to SCRAM-SHA-256
The XEP will likely be changed to reference the RFC that will probably
come from draft-ietf-kitten-password-storage once it is ready, and then
we should update to follow that.
--- a/doc/doap.xml Sun Dec 26 16:37:50 2021 +0100
+++ b/doc/doap.xml Sun Dec 26 16:51:04 2021 +0100
@@ -787,6 +787,13 @@
</implements>
<implements>
<xmpp:SupportedXep>
+ <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0438.html"/>
+ <xmpp:version>0.2.0</xmpp:version>
+ <xmpp:status>partial</xmpp:status>
+ </xmpp:SupportedXep>
+ </implements>
+ <implements>
+ <xmpp:SupportedXep>
<xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0441.html"/>
<xmpp:version>0.2.0</xmpp:version>
<xmpp:status>complete</xmpp:status>
--- a/plugins/mod_auth_internal_hashed.lua Sun Dec 26 16:37:50 2021 +0100
+++ b/plugins/mod_auth_internal_hashed.lua Sun Dec 26 16:51:04 2021 +0100
@@ -28,7 +28,7 @@
local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
-- Default; can be set per-user
-local default_iteration_count = module:get_option_number("default_iteration_count", 4096);
+local default_iteration_count = module:get_option_number("default_iteration_count", 10000);
-- define auth provider
local provider = {};
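Review bot: The `default_iteration_count` line still reads the value from configuration with no lower bound, so a deployment whose config already sets a smaller number silently keeps it and never gets the 10000 this commit is aiming for. A warning right after the assignment would surface that: `if default_iteration_count < 10000 then module:log("warn", "default_iteration_count is below the 10000 recommended by XEP-0438"); end`. The comment above says the count can be set per-user, so accounts stored before this change presumably keep their old count until the password is next set. If so, the comment should say it, e.g. `-- Default for newly stored credentials; existing accounts keep their stored count`.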
--- a/util/sasl/scram.lua Sun Dec 26 16:37:50 2021 +0100
+++ b/util/sasl/scram.lua Sun Dec 26 16:51:04 2021 +0100
@@ -41,7 +41,7 @@
'tls-unique' according to RFC 5929
]]
-local default_i = 4096
+local default_i = 10000
local function validate_username(username, _nodeprep)
-- check for forbidden char sequences
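Review bot: `default_i` now carries the same literal 10000 as `default_iteration_count` in plugins/mod_auth_internal_hashed.lua, and nothing ties the two together, so a later bump can update one and miss the other. A comment on the constant would make the link visible: `-- Default SCRAM iteration count (XEP-0438); keep in sync with default_iteration_count in mod_auth_internal_hashed`. The places where `default_i` is read lie outside this hunk, so whether it acts only as a fallback when the profile supplies no count should be confirmed before the comment says so.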