Changing KDF iterations breaks logged in clients #1600

Closed
opened 2025-10-09 17:21:57 +03:00 by OVERLORD · 2 comments

Originally created by @julian-klode on GitHub.

Subject of the issue

Changing the number of KDF iterations breaks logged-in clients. They should be logged out instead.

Your environment

  • Bitwarden_rs version: 1.16.3
  • Install method: Built from source
  • Clients used: latest Android from play store and Desktop from snap store
  • Reverse proxy and version: Nginx from focal

Steps to reproduce

Change KDF size, then sync the client or wait for corruption to appear automatically.

Expected behaviour

Seeing what bitwarden.com does: Connected clients are logged out.

Actual behaviour

Connected clients fail to read the database

Relevant logs

Not much interesting going on. I triggered a sync on mobile manually, as it apparently did not get a push.

Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.093][request][INFO] POST /api/accounts/kdf
Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.181][response][INFO] POST /api/accounts/kdf (post_kdf) => 200 OK
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][request][INFO] GET /api/accounts/revision-date
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][response][INFO] GET /api/accounts/revision-date (revision_date) => 200 OK
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.445][request][INFO] GET /api/sync
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.459][response][INFO] GET /api/sync?<data..> (sync) => 200 OK

@BlackDex commented on GitHub:

Hmm, we have to deauthorize all the user sessions in this case it seems. Thanks for reporting.

Please note that we do not support push messages so that is not possible on our side.


@dani-garcia commented on GitHub:

This should be fixed by https://github.com/dani-garcia/bitwarden_rs/commit/448e6ac917e6bf34f7a5af175714eef9058b6021, which invalidates user sessions when they change email, pass or kdf params.

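The two behaviours discussed in this thread, as an added model that is not vaultwarden's code and not from any of the participants: a client caches the master key it derived from the KDF parameters seen at login, and the server stores the vault key wrapped under that master key. After a KDF change the stored blob is re-wrapped under a new master key, so a still-logged-in client that syncs it can no longer unwrap it (the "fail to read the database" outcome). Rotating a per-user security stamp that every access token carries turns the next request from such a client into a 401, i.e. a logout. The stamp mechanism, the account details, the iteration counts and the key-wrapping construction (an HMAC keystream plus HMAC tag standing in for the real AES-CBC + HMAC protected key) are assumptions for the illustration; only the Python standard library is used.

```python
"""Added model (not vaultwarden code): KDF change vs. logged-in sessions."""
import hashlib
import hmac
import secrets

EMAIL = "user@example.com"               # constructed sample account
PASSWORD = b"correct horse battery staple"


def derive_master_key(password: bytes, email: str, iterations: int) -> bytes:
    """PBKDF2-SHA256 over the master password, salted with the lower-cased email."""
    return hashlib.pbkdf2_hmac("sha256", password, email.lower().encode(), iterations, dklen=32)


def login_hash(master_key: bytes, password: bytes) -> bytes:
    """Value the client sends to authenticate: one more PBKDF2 round, salted with the password."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password, 1, dklen=32)


def wrap_key(master_key: bytes, vault_key: bytes) -> bytes:
    """Protect the 32-byte vault key under the master key (simplified: HMAC keystream XOR + HMAC tag)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    tag = hmac.new(master_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(master_key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key; raises ValueError when the master key does not match the blob."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(master_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("protected key does not authenticate under this master key")
    stream = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Server:
    """Per-user server state. Tokens carry the user's security stamp; a stale stamp is rejected."""

    def __init__(self, rotate_stamp_on_kdf_change: bool):
        self.fixed = rotate_stamp_on_kdf_change   # False models 1.16.3, True models the fix
        self.users = {}

    def register(self, email, iterations, lh, protected_key):
        self.users[email] = {"kdf_iterations": iterations, "login_hash": lh,
                             "protected_key": protected_key, "stamp": secrets.token_hex(16)}

    def prelogin(self, email) -> int:
        return self.users[email]["kdf_iterations"]

    def login(self, email, lh) -> dict:
        u = self.users[email]
        if not hmac.compare_digest(lh, u["login_hash"]):
            raise PermissionError("400 invalid credentials")
        return {"sub": email, "sstamp": u["stamp"]}   # stand-in for a signed access token

    def _auth(self, token) -> dict:
        u = self.users[token["sub"]]
        if not hmac.compare_digest(token["sstamp"], u["stamp"]):
            raise PermissionError("401 session invalidated")
        return u

    def sync(self, token) -> bytes:
        return self._auth(token)["protected_key"]

    def post_kdf(self, token, new_iterations, new_lh, new_protected_key):
        u = self._auth(token)
        u.update(kdf_iterations=new_iterations, login_hash=new_lh, protected_key=new_protected_key)
        if self.fixed:
            u["stamp"] = secrets.token_hex(16)   # every existing session is now stale


class Client:
    """A logged-in client caching the master key derived with the KDF params seen at login."""

    @staticmethod
    def register(server, email, password, iterations):
        mk = derive_master_key(password, email, iterations)
        server.register(email, iterations, login_hash(mk, password), wrap_key(mk, secrets.token_bytes(32)))

    def __init__(self, server, email, password):
        self.server, self.email, self.password = server, email, password
        self.master_key = derive_master_key(password, email, server.prelogin(email))
        self.token = server.login(email, login_hash(self.master_key, password))
        self.vault_key = unwrap_key(self.master_key, server.sync(self.token))

    def sync(self):
        """PermissionError: the client is logged out. ValueError: the 'corrupted vault' from the issue."""
        self.vault_key = unwrap_key(self.master_key, self.server.sync(self.token))

    def change_kdf(self, new_iterations):
        new_mk = derive_master_key(self.password, self.email, new_iterations)
        self.server.post_kdf(self.token, new_iterations, login_hash(new_mk, self.password),
                             wrap_key(new_mk, self.vault_key))
        self.master_key = new_mk
        self.token = self.server.login(self.email, login_hash(new_mk, self.password))  # re-authenticate


def outcome_for_second_client(rotate_stamp_on_kdf_change: bool) -> str:
    """Desktop changes the iteration count; report what happens to the phone's next sync."""
    server = Server(rotate_stamp_on_kdf_change)
    Client.register(server, EMAIL, PASSWORD, iterations=50_000)
    desktop = Client(server, EMAIL, PASSWORD)
    phone = Client(server, EMAIL, PASSWORD)        # second session, still holding the old master key
    desktop.change_kdf(100_000)
    try:
        phone.sync()
    except PermissionError:
        return "logged out"
    except ValueError:
        return "corrupted"
    return "ok"


if __name__ == "__main__":
    print("without stamp rotation:", outcome_for_second_client(False))
    print("with stamp rotation:   ", outcome_for_second_client(True))
```

The point to check on any self-hosted instance after upgrading past the fix is the second outcome: a client that was logged in before the KDF change must receive a 401 on its next authenticated request rather than a 200 carrying a blob it cannot decrypt. Without push, as BlackDex notes, that rejection only arrives when the client next talks to the server, so the client keeps its stale cached vault until then.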
Reference: starred/vaultwarden#1600