mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438

More security for less pain than switching to SCRAM-SHA-256

The XEP will likely be change to reference the RFC that will probably
come from draft-ietf-kitten-password-storage once it is ready, and then
we should update to follow that.

doc/doap.xml

@@ -785,6 +785,13 @@
         <xmpp:note>mod_muc</xmpp:note>
       </xmpp:SupportedXep>
     </implements>
+    <implements>
+      <xmpp:SupportedXep>
+        <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0438.html"/>
+        <xmpp:version>0.2.0</xmpp:version>
+        <xmpp:status>partial</xmpp:status>
+      </xmpp:SupportedXep>
+    </implements>
     <implements>
       <xmpp:SupportedXep>
         <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0441.html"/>

plugins/mod_auth_internal_hashed.lua

@@ -28,7 +28,7 @@ local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not
 local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
 
 -- Default; can be set per-user
-local default_iteration_count = module:get_option_number("default_iteration_count", 4096);
+local default_iteration_count = module:get_option_number("default_iteration_count", 10000);
 
 -- define auth provider
 local provider = {};

util/sasl/scram.lua

@@ -41,7 +41,7 @@ Supported Channel Binding Backends
 'tls-unique' according to RFC 5929
 ]]
 
-local default_i = 4096
+local default_i = 10000
 
 local function validate_username(username, _nodeprep)
 	-- check for forbidden char sequences