comparison roundup/password.py @ 7162:cfdcaf8b5936
issue2551251 - migrate pbkdf2 passwords if more rounds configured
migrate/re-encrypt PBKDF2 password if stored password used a smaller
number of rounds than set in password_pbkdf2_default_rounds.
Also increase fallback number of rounds (when not set in config) to
2,000,000.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 19:34:39 -0500 |
| parents | aa629aebac41 |
| children | 0b52ee664580 |
| 7161:be7849588372 | 7162:cfdcaf8b5936 |
|---|---|
| 188 raw_salt = random_.token_bytes(20) | 188 raw_salt = random_.token_bytes(20) |
| 189 salt = h64encode(raw_salt) | 189 salt = h64encode(raw_salt) |
| 190 if config: | 190 if config: |
| 191 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS | 191 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS |
| 192 else: | 192 else: |
| 193 rounds = 10000 | 193 rounds = 2000000 |
| 194 if rounds < 1000: | 194 if rounds < 1000: |
| 195 raise PasswordValueError("invalid PBKDF2 hash (rounds too low)") | 195 raise PasswordValueError("invalid PBKDF2 hash (rounds too low)") |
| 196 raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20) | 196 raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20) |
| 197 return "%d$%s$%s" % (rounds, salt, h64encode(raw_digest)) | 197 return "%d$%s$%s" % (rounds, salt, h64encode(raw_digest)) |
| 198 elif scheme == 'SSHA': | 198 elif scheme == 'SSHA': |
| 323 self.plaintext = None | 323 self.plaintext = None |
| 324 | 324 |
| 325 def __repr__(self): | 325 def __repr__(self): |
| 326 return self.__str__() | 326 return self.__str__() |
| 327 | 327 |
| 328 def needs_migration(self): | 328 def needs_migration(self, config): |
| 329 """ Password has insecure scheme or other insecure parameters | 329 """ Password has insecure scheme or other insecure parameters |
| 330 and needs migration to new password scheme | 330 and needs migration to new password scheme |
| 331 """ | 331 """ |
| 332 if self.scheme in self.deprecated_schemes: | 332 if self.scheme in self.deprecated_schemes: |
| 333 return True | 333 return True |
| 334 rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password) | 334 rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password) |
| 335 if rounds < 1000: | 335 if rounds < 1000: |
| 336 return True | 336 return True |
| 337 if (self.scheme == "PBKDF2"): | |
| 338 new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS | |
| 339 if rounds < int(new_rounds): | |
| 340 return True | |
| 337 return False | 341 return False |
| 338 | 342 |
| 339 def unpack(self, encrypted, scheme=None, strict=False, config=None): | 343 def unpack(self, encrypted, scheme=None, strict=False, config=None): |
| 340 """Set the password info from the scheme:<encryted info> string | 344 """Set the password info from the scheme:<encryted info> string |
| 341 (the inverse of __str__) | 345 (the inverse of __str__) |
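Review bot: `needs_migration(self, config)` on new line 328 turns `config` into a required positional argument, so any existing caller still invoking `needs_migration()` would now fail with a TypeError; the sibling `unpack` on line 343 takes `config=None`, and matching that keeps old callers working: `def needs_migration(self, config=None):` with the new check guarded as `if self.scheme == "PBKDF2" and config is not None:`. The docstring should also name the new parameter, for example a line `config: tracker config; when given, PBKDF2 hashes with fewer rounds than PASSWORD_PBKDF2_DEFAULT_ROUNDS are reported as needing migration`. The `int(new_rounds)` wrapper on line 339 suggests the setting may arrive as a string, while line 191 in the first hunk compares the same setting unconverted against 1000; whichever type the config guarantees, the two sites should agree. On this rendered page the four new lines appear in the old-revision column, but the new-side numbering (`return False` moving from 337 to 341) and the changed signature indicate they are additions. The enclosing class starts outside the hunk.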
