diff roundup/password.py @ 7165:970cd6d2b8ea
issue2551251 - migrate pbkdf2 passwords if more rounds configured
migrate/re-encrypt PBKDF2 password if stored password used a smaller
number of rounds than set in password_pbkdf2_default_rounds.
Also increase fallback number of rounds (when not set in config) to
2,000,000.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 19:34:39 -0500 |
| parents | 0b52ee664580 |
| children | f6b24a8524cd |
--- a/roundup/password.py Fri Feb 24 17:15:29 2023 -0500
+++ b/roundup/password.py Thu Feb 23 19:34:39 2023 -0500
@@ -190,7 +190,7 @@
     if config:
         rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
     else:
-        rounds = 10000
+        rounds = 2000000
     if rounds < 1000:
         raise PasswordValueError("invalid PBKDF2 hash (rounds too low)")
     raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
@@ -325,7 +325,7 @@
     def __repr__(self):
         return self.__str__()
 
-    def needs_migration(self):
+    def needs_migration(self, config):
         """ Password has insecure scheme or other insecure parameters
             and needs migration to new password scheme
         """
@@ -334,6 +334,10 @@
         rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
         if rounds < 1000:
             return True
+        if (self.scheme == "PBKDF2"):
+            new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+            if rounds < int(new_rounds):
+                return True
         return False
 
     def unpack(self, encrypted, scheme=None, strict=False, config=None):
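Review bot: The new fallback `rounds = 2000000` is an unnamed magic number, and the same default is needed again by the migration check in the third hunk, which instead reads `config.PASSWORD_PBKDF2_DEFAULT_ROUNDS` directly, so the two values will drift if either is edited alone. Hoisting it to a module constant, `PBKDF2_DEFAULT_ROUNDS = 2000000`, and writing `rounds = PBKDF2_DEFAULT_ROUNDS` here lets `needs_migration` fall back to the same value when no config is supplied. The enclosing function starts and ends outside the hunk, so the scheme branch this sits in is not visible here.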
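Review bot: `needs_migration(self, config)` makes `config` a required positional argument, so any caller not updated elsewhere in this commit (none are visible here) now fails with TypeError, and the new branch in the third hunk dereferences `config.PASSWORD_PBKDF2_DEFAULT_ROUNDS` with no None guard, unlike `unpack(..., config=None)` on that hunk's last line. A compatible form is `def needs_migration(self, config=None):` with the check written as `if self.scheme == "PBKDF2" and config is not None:`; the parentheses around the condition are also unnecessary in Python. The docstring should gain a line describing `config` as the tracker configuration whose `PASSWORD_PBKDF2_DEFAULT_ROUNDS` is compared against the stored round count. If the lines just above the third hunk already branch on `self.scheme`, the added scheme test is redundant, but that context is outside the hunk.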
