From a9d648bd8abd19c597b51da3902869005d9d9263 Mon Sep 17 00:00:00 2001 From: Daniel Gultsch Date: Tue, 24 Feb 2026 08:39:52 +0100 Subject: [PATCH] Require a SCRAM iteration count of 4096 or higher The RFC specifies a minimum iteration count of 4096 only as a "SHOULD". Therefore, requiring 4096 on the client side is technically not fully in line with the spec. However, in the existing ecosystem, the servers that we tested all use 4096 or more. --- .../conversations/crypto/sasl/ScramMechanism.java | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java index 9fc6dff754f605cff3cc2d16b80cad724f47c603..6d8d7bb7b5002569c4656b8d9120e7b6d8d826af 100644 --- a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java +++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramMechanism.java @@ -41,6 +41,10 @@ public abstract class ScramMechanism extends SaslMechanism { } }; + // For the SCRAM-SHA-1/SCRAM-SHA-1-PLUS SASL mechanism, servers SHOULD announce a hash + // iteration-count of at least 4096. + // https://datatracker.ietf.org/doc/html/rfc5802#section-5.1 + private static final int ITERATION_COUNT_MINIMUM = 4096; private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes(); private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes(); private static final Cache CACHE = @@ -188,6 +192,14 @@ public abstract class ScramMechanism extends SaslMechanism { if (iterationCount == null || iterationCount < 0) { throw new AuthenticationException("Server did not send iteration count"); } + + if (iterationCount < ITERATION_COUNT_MINIMUM) { + throw new AuthenticationException( + String.format( + "Weak iteration count. %d instead of %d", + iterationCount, ITERATION_COUNT_MINIMUM)); + } + if (!nonce.startsWith(clientNonce)) { throw new AuthenticationException( "Server nonce does not contain client nonce: " + nonce);