mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438

More security for less pain than switching to SCRAM-SHA-256

The XEP will likely be change to reference the RFC that will probably
come from draft-ietf-kitten-password-storage once it is ready, and then
we should update to follow that.

3 files changed, 9 insertions, 2 deletions

diff --git a/doc/doap.xml b/doc/doap.xml
index 997fb467..723d59d5 100644
--- a/doc/doap.xml
+++ b/doc/doap.xml
@@ -787,6 +787,13 @@
     </implements>
     <implements>
       <xmpp:SupportedXep>
+        <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0438.html"/>
+        <xmpp:version>0.2.0</xmpp:version>
+        <xmpp:status>partial</xmpp:status>
+      </xmpp:SupportedXep>
+    </implements>
+    <implements>
+      <xmpp:SupportedXep>
         <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0441.html"/>
         <xmpp:version>0.2.0</xmpp:version>
         <xmpp:status>complete</xmpp:status>
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index 285ca118..1b0e76ed 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -28,7 +28,7 @@ local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not
 local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
 
 -- Default; can be set per-user
-local default_iteration_count = module:get_option_number("default_iteration_count", 4096);
+local default_iteration_count = module:get_option_number("default_iteration_count", 10000);
 
 -- define auth provider
 local provider = {};
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index f11ae2e0..37abf4a4 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -41,7 +41,7 @@ Supported Channel Binding Backends
 'tls-unique' according to RFC 5929
 ]]
 
-local default_i = 4096
+local default_i = 10000
 
 local function validate_username(username, _nodeprep)
 	-- check for forbidden char sequences