🔒 Add ScramAuthenticator#max_iterations#654
Merged
Conversation
`SASL::ScramAlgorithm` and `SASL::ScramAuthenticator` use `salted_password` _at least_ twice: once to compute `client_key` and once to compute `server_key`. It is actually used more than that, since `client_key` and `server_key` are also used multiple times each. Computing `salted_password` is _intentionally_ computationally expensive, so it should be cached. Although `client_key` and `server_key` are far less computationally expensive, they _are_ used multiple times, so they are memoized too. Ultimately, we _could_ memoize most of the methods in `ScramAlgorithm`, but I've decided to keep it simple by only memoizing these three.
This is used to investigate possible default values for `ScramAuthenticator#max_iterations`.
`max_iterations` enforces a maximum allowed iteration count. A higher number iterations will raise an error. As noted in RFC5802 §9: >>> A hostile server can perform a computational denial-of-service attack on clients by sending a big iteration count value. Note that `OpenSSL::KDF.pbkdf2_hmac` is implemented by a blocking C function, and cannot be interrupted by +Timeout+ or `Thread.raise`. And (as of v4.0 of the +openssl+ gem) it keeps the Global VM lock, so other ruby threads will not be able to run either. The default value is `2³¹ - 1`, the maximum signed 32-bit integer. This is large enough for the computation to take several minutes, and insufficient protection against hostile servers. _To prevent a denial of service attack,_ this must be set to a safe value, based on user's hardware and version of OpenSSL. _It is the user's responsibility_ to enforce minimum and maximum iteration counts that are appropriate for their security context.
nevans
added
performance
nevans
changed the title
ScramAuthenticator#max_iterations
nevans
added
the
backport-0.4
This was referenced Apr 22, 2026
nevans
added a commit
that referenced
this pull request
Apr 22, 2026
…tions 🔒 Add `ScramAuthenticator#max_iterations` (backports #654)
nevans
added
security vulnerability patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
This adds a configurable
max_iterationscount forSCRAM-*authentication.This should only be needed when connecting to an untrusted hostile server (or without TLS).
The default
ScramAuthenticator#max_iterationsis2**31 - 1(max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.As noted in RFC5802:
Note that
OpenSSL::KDF.pbkdf2_hmacdoes not drop the Global VM Lock, and soTimeoutcannot interrupt the key derivation function. To prevent a denial of service attack, this must be set to a safe value, depending on hardware and version of OpenSSL.