Require a SCRAM iteration count of 4096 or higher

Daniel Gultsch created

The RFC specifies a minimum iteration count of 4096 only as a "SHOULD".
Therefore, requiring 4096 on the client side is technically not fully in
line with the spec. However, in the existing ecosystem, the servers that
we tested all use 4096 or more.

Change summary

src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java | 12 
1 file changed, 12 insertions(+)

Detailed changes

src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java

@@ -41,6 +41,10 @@ public abstract class ScramMechanism extends SaslMechanism {
                 }
             };
 
+    // For the SCRAM-SHA-1/SCRAM-SHA-1-PLUS SASL mechanism, servers SHOULD announce a hash
+    // iteration-count of at least 4096.
+    // https://datatracker.ietf.org/doc/html/rfc5802#section-5.1
+    private static final int ITERATION_COUNT_MINIMUM = 4096;
     private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes();
     private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes();
     private static final Cache<CacheKey, KeyPair> CACHE =
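
Review bot: The comment above ITERATION_COUNT_MINIMUM names only SCRAM-SHA-1/SCRAM-SHA-1-PLUS, but the constant is declared in the abstract ScramMechanism class, so it applies to every mechanism that extends it. Reword the comment to say the floor covers all SCRAM variants handled by this class, and state that the RFC's SHOULD is deliberately enforced as a hard requirement, so a reader who hits the exception knows the stricter-than-spec behaviour is intentional.
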
@@ -188,6 +192,14 @@ public abstract class ScramMechanism extends SaslMechanism {
         if (iterationCount == null || iterationCount < 0) {
             throw new AuthenticationException("Server did not send iteration count");
         }
+
+        if (iterationCount < ITERATION_COUNT_MINIMUM) {
+            throw new AuthenticationException(
+                    String.format(
+                            "Weak iteration count. %d instead of %d",
+                            iterationCount, ITERATION_COUNT_MINIMUM));
+        }
+
         if (!nonce.startsWith(clientNonce)) {
             throw new AuthenticationException(
                     "Server nonce does not contain client nonce: " + nonce);
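
Review bot: The checks on iterationCount in this hunk bound the value only from below (null, negative, and now below ITERATION_COUNT_MINIMUM). The count is chosen by the server and determines how much key-derivation work the client does, so if no cap exists elsewhere in this method, consider also rejecting values above a sane maximum. Two smaller points on the new block: the message "Weak iteration count. %d instead of %d" reads as if exactly 4096 were expected, so "at least %d" would be clearer; and String.format without an explicit Locale renders %d with the default locale's digits, so pass Locale.ROOT or use plain concatenation as the neighbouring nonce message does.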