issue2551251 - migrate pbkdf2 passwords if more rounds configured

rouilj · rouilj · commit a1f35b392f73 · 2023-02-23T19:34:39.000-05:00
migrate/re-encrypt PBKDF2 password if stored password used a smaller
number of rounds than set in password_pbkdf2_default_rounds.

Also increase fallback number of rounds (when not set in config) to
2,000,000.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -74,6 +74,9 @@ Fixed:
   make sure that an 'X-Content-Type-Options: nosniff' header is sent.
 - issue2551252 - default number of rounds for PKDF2 password increased
   to 2,000,000.
+- issue2551251 - migrate/re-encrypt PBKDF2 password if stored
+  password used a smaller number of rounds than set in
+  password_pbkdf2_default_rounds.
 
 Features:
 
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -1399,7 +1399,8 @@ def verifyPassword(self, userid, givenpw):
         db = self.db
         stored = db.user.get(userid, 'password')
         if givenpw == stored:
-            if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():
+            if (db.config.WEB_MIGRATE_PASSWORDS and
+                stored.needs_migration(config=db.config)):
                 newpw = password.Password(givenpw, config=db.config)
                 db.user.set(userid, password=newpw)
                 db.commit()
diff --git a/roundup/password.py b/roundup/password.py
@@ -190,7 +190,7 @@ def encodePassword(plaintext, scheme, other=None, config=None):
             if config:
                 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
             else:
-                rounds = 10000
+                rounds = 2000000
         if rounds < 1000:
             raise PasswordValueError("invalid PBKDF2 hash (rounds too low)")
         raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
@@ -325,7 +325,7 @@ def __init__(self, plaintext=None, scheme=None, encrypted=None,
     def __repr__(self):
         return self.__str__()
 
-    def needs_migration(self):
+    def needs_migration(self, config):
         """ Password has insecure scheme or other insecure parameters
             and needs migration to new password scheme
         """
@@ -334,6 +334,10 @@ def needs_migration(self):
         rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
         if rounds < 1000:
             return True
+        if (self.scheme == "PBKDF2"):
+            new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+            if rounds < int(new_rounds):
+                return True
         return False
 
     def unpack(self, encrypted, scheme=None, strict=False, config=None):
diff --git a/test/test_security.py b/test/test_security.py
@@ -422,4 +422,14 @@ def test_password(self):
             roundup.password.test_missing_crypt()
         roundup.password.crypt = orig_crypt
 
+    def test_pbkdf2_migrate_rounds(self):
+        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 10000
+
+        p = roundup.password.Password('sekrit', 'PBKDF2',
+                                      config=self.db.config)
+
+        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 2000000
+
+        self.assertEqual(p.needs_migration(config=self.db.config), True)
+
 # vim: set filetype=python sts=4 sw=4 et si :
