Merge pull request #310 from matrix-org/markjh/bcrypt_rounds

Add config for how many bcrypt rounds to use for password hashes
2015-10-16 17:05:21 +01:00 · 2015-10-16 17:05:21 +01:00 · b19b9535f6
parent 524b708f98 f2f031fd57
commit b19b9535f6
2 changed files with 8 additions and 1 deletions
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@ -33,6 +33,7 @@ class RegistrationConfig(Config):

        self.registration_shared_secret = config.get("registration_shared_secret")
        self.macaroon_secret_key = config.get("macaroon_secret_key")
+        self.bcrypt_rounds = config.get("bcrypt_rounds", 12)

    def default_config(self, **kwargs):
        registration_shared_secret = random_string_with_symbols(50)
@ -48,6 +49,11 @@ class RegistrationConfig(Config):
        registration_shared_secret: "%(registration_shared_secret)s"

        macaroon_secret_key: "%(macaroon_secret_key)s"
+
+        # Set the number of bcrypt rounds used to generate password hash.
+        # Larger numbers increase the work factor needed to generate the hash.
+        # The default number of rounds is 12.
+        bcrypt_rounds: 12
        """ % locals()

    def add_arguments(self, parser):
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -44,6 +44,7 @@ class AuthHandler(BaseHandler):
            LoginType.EMAIL_IDENTITY: self._check_email_identity,
            LoginType.DUMMY: self._check_dummy_auth,
        }
+        self.bcrypt_rounds = hs.config.bcrypt_rounds
        self.sessions = {}

    @defer.inlineCallbacks
@ -432,7 +433,7 @@ class AuthHandler(BaseHandler):
        Returns:
            Hashed password (str).
        """
-        return bcrypt.hashpw(password, bcrypt.gensalt())
+        return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds))

    def validate_hash(self, password, stored_hash):
        """Validates that self.hash(password) == stored_hash.