SCRAM-SHA-1 Browser Issues

[lboynton]

I'm using the current head of strophejs master, and I notice it now uses SCRAM-SHA-1 if the server supports it. For me at least, it causes IE7 to hang until I get a dialog asking me if I want to stop the script. In Firefox 11, the browser hangs for a couple of seconds during the auth process, but works. In Chrome 17, all is fine. I was wondering if anyone else was having the same issue?

I've tested using both the strophe basic example and my own application built using strophe and get the same result with both. I'm using ejabberd 2.1.10 for the server. Using an older version of strophe which uses DIGEST-MD5 during the auth process also works fine across all browsers I've tested.

[lboynton]

It's this bit of code which is causing the hang in Firefox, and I expect could be causing IE7 to break too. iter is 4096 for me.

for (i = 1; i < iter; i++) {
    U = core_hmac_sha1(this.pass, binb2str(U_old));
    for (k = 0; k < 5; k++) {
        Hi[k] ^= U[k];
    }
    U_old = U;
}

[Florob]

I'm not sure this is a "bug" as such.
These calculations are designed to be expensive (in terms of processor time). And particularly in Javascript they are.
I never tested it in IE7, but Firefox always gave me acceptable results even on not too recent hardware.
If you can come up with an optimization for that loop I'd think a pull request certainly won't be rejected, but otherwise I don't think there is much that could be done here.

[lboynton]

OK, that is fair enough. Perhaps there should be a way of disabling SCRAM-SHA-1 then? At the moment I am using a patched version of Strophe as I could not find a way to disable it in ejabberd (and I need to support IE7).