From 4261dc1d80e3813e50763e7643faa0dbcf6626f9 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 26 Dec 2021 16:51:04 +0100 Subject: mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438 More security for less pain than switching to SCRAM-SHA-256 The XEP will likely be change to reference the RFC that will probably come from draft-ietf-kitten-password-storage once it is ready, and then we should update to follow that. --- doc/doap.xml | 7 +++++++ plugins/mod_auth_internal_hashed.lua | 2 +- util/sasl/scram.lua | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/doap.xml b/doc/doap.xml index 997fb467..723d59d5 100644 --- a/doc/doap.xml +++ b/doc/doap.xml @@ -785,6 +785,13 @@ mod_muc + + + + 0.2.0 + partial + + diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 285ca118..1b0e76ed 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -28,7 +28,7 @@ local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not local scram_name = "scram_"..hash_name:gsub("%-","_"):lower(); -- Default; can be set per-user -local default_iteration_count = module:get_option_number("default_iteration_count", 4096); +local default_iteration_count = module:get_option_number("default_iteration_count", 10000); -- define auth provider local provider = {}; diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index f11ae2e0..37abf4a4 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -41,7 +41,7 @@ Supported Channel Binding Backends 'tls-unique' according to RFC 5929 ]] -local default_i = 4096 +local default_i = 10000 local function validate_username(username, _nodeprep) -- check for forbidden char sequences -- cgit v1.2.3