Description
I'm encountering errors when trying to set up Two-Factor Authentication (2FA) using UpdatePasswordSettingsRequest in Telethon version 1.40.0. The errors are:
- RPCError 400: NEW_PASSWORD_BAD when using hashed passwords with or without HMAC.
- The new salt is invalid when using a hashed password with g and p parameters or when trying with newly generated salts.
The issue persists despite multiple attempts with different hashing approaches and new salts. The algorithm returned by GetPasswordRequest is PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow, which seems non-standard for 2FA setup.
Environment
Telethon Version: 1.40.0
Python Version: 3.11
Operating System: Windows (assumed based on path in previous context)
Telegram API Layer: Not explicitly checked, but assumed latest supported by Telethon 1.40.0
Steps to Reproduce
- Create a TelegramClient session with valid api_id, api_hash, and a proxy (if needed).
- Ensure the account has no 2FA enabled (has_password: False from GetPasswordRequest).
- Retrieve password settings using GetPasswordRequest, which returns:
```
Password details: {'_': 'Password', 'new_algo': {'_': 'PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow', 'salt1': b'&\x81\x96\x8f\x95\xb3A\x11', 'salt2': b'\x1d`M\x9a\xed\xfa@L\xf5\x0f\xa2r\xac\x1b\xc0\xb7', 'g': 3, 'p': b'\xc7\x1c\xae\xb9...'}, 'has_password': False, 'current_algo': None, 'srp_B': None, 'srp_id': None, ...}
```
- Hash the password (2amj8Ma4Tr7S) using the provided salt1, salt2, and iterations=100000:
With HMAC:
```python
data = salt1 + new_password + salt1
hash1 = hashlib.sha256(data).digest()
data = salt2 + hash1 + salt2
hash2 = hashlib.sha256(data).digest()
hashed_password = hashlib.pbkdf2_hmac('sha512', hash2, salt1, 100000)
hashed_password_hmac = hmac.new(salt2, hashed_password, hashlib.sha512).digest()
# Result: 4c6b174cfdc5830219f68cacda05997b1b3e183d3477d442dd325126fe9d8e2fcc012a79a53d70a4f11600a68bd9c38e5b24cb1bd861560b64db1fb314681aa1
```
Without HMAC:
```python
# Result: 4d5abe6356a5069bc538312f287bf0c804b5fe52010816769af9c2c577bacb14affa0d658da0aa5e443f271ba39a7c2fcab1ef06cbdc901b1761ea4284e8c8fc
```
With g and p (64 bytes):
```python
g = algo.g
p = int.from_bytes(algo.p, 'big')
intermediate_hash = int.from_bytes(hashed_password_no_hmac, 'big')
mod_pow = pow(intermediate_hash, g, p)
hashed_password_modpow = mod_pow.to_bytes(64, 'big')
```
- Attempt to set 2FA using UpdatePasswordSettingsRequest with InputCheckPasswordEmpty and PasswordInputSettings:
```python
await client(UpdatePasswordSettingsRequest(
    password=InputCheckPasswordEmpty(),
    new_settings=PasswordInputSettings(
        new_algo=algo,
        new_password_hash=hashed_password_hmac,  # or hashed_password_no_hmac, or hashed_password_modpow
        hint='',
        email=None
    )
))
```
- Try with a new new_algo using freshly generated salts:
```python
new_salt1 = os.urandom(8)
new_salt2 = os.urandom(16)
new_algo = PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow(
    salt1=new_salt1, salt2=new_salt2, g=algo.g, p=algo.p
)
# Hash with new salts and HMAC
```
Expected Behavior
The 2FA should be successfully set, and UpdatePasswordSettingsRequest should return without errors.
Actual Behavior
For hashed_password_hmac and hashed_password_no_hmac: RPCError 400: NEW_PASSWORD_BAD.
For hashed_password_modpow or new salts: The new salt is invalid.
Additional Context
The class PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000 is missing in Telethon 1.40.0, so we use algo directly from GetPasswordRequest.
SetPasswordRequest is not available in Telethon 1.40.0, so UpdatePasswordSettingsRequest is used.
The SHA256ModPow in the algorithm name suggests modular arithmetic, but attempts to use g and p result in errors.
Relevant code snippet:
```python
import hashlib, hmac, os
from telethon import TelegramClient
from telethon.tl.functions.account import GetPasswordRequest, UpdatePasswordSettingsRequest
# The KDF class is defined in telethon.tl.types, not telethon.tl.types.auth
from telethon.tl.types import (
    InputCheckPasswordEmpty,
    PasswordInputSettings,
    PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow,
)

async def process_session(session_file):
    client = TelegramClient(...)  # Initialize with api_id, api_hash, proxy
    await client.connect()
    password = await client(GetPasswordRequest())
    algo = password.new_algo
    new_password = "2amj8Ma4Tr7S".encode('utf-8')
    salt1, salt2 = algo.salt1, algo.salt2
    iterations = 100000
    # Standard hashing (with HMAC, without HMAC, with g and p)
    # New salt attempt
    try:
        await client(UpdatePasswordSettingsRequest(...))
    except Exception as e:
        print(f"Error: {str(e)}")
    await client.disconnect()
```
Logs:
```
Password details: {'_': 'Password', 'new_algo': {'_': 'PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow', ...}, ...}
Algo details: {'_': 'PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow', 'salt1': b'&\x81\x96\x8f\x95\xb3A\x11', 'salt2': b'\x1d`M\x9a\xed\xfa@L\xf5\x0f\xa2r\xac\x1b\xc0\xb7', 'g': 3, 'p': b'\xc7\x1c\xae\xb9...'}
g: 3, p: c71caeb9...
twofa_password (raw): 2amj8Ma4Tr7S
new_password: 32616d6a384d613454723753
Обработка 2.session: salt1=2681968f95b34111, salt2=1d604d9aedfa404cf50fa272ac1bc0b7, iterations=100000
hashed_password (with HMAC): 4c6b174cfdc5830219f68cacda05997b...
hashed_password (without HMAC): 4d5abe6356a5069bc538312f287bf0c8...
hashed_password (with g, p, 64 bytes): ...
Error (with HMAC): RPCError 400: NEW_PASSWORD_BAD
Error (without HMAC): RPCError 400: NEW_PASSWORD_BAD
Error (with g, p, 64 bytes): The new salt is invalid
Error (new salt, with HMAC): The new salt is invalid
```
Possible Causes
- Bug in Telethon: GetPasswordRequest may return an incorrect algorithm (SHA256ModPow instead of standard PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000).
- Telegram API Change: The 2FA setup may require a different hashing approach for SHA256ModPow, not implemented in Telethon 1.40.0.
- Invalid Salts: The provided or generated salt1/salt2 may be rejected by Telegram.
Request
Can you confirm if PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow is correctly handled in Telethon 1.40.0 for 2FA setup?
Is there a known workaround for NEW_PASSWORD_BAD and The new salt is invalid errors?
Could this be related to a missing implementation of PasswordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000 or changes in Telegram's API?
Any guidance or fixes would be greatly appreciated!
Checklist
- This is a documentation problem, not a question or a bug report.
- I have searched for this issue before posting it and there isn't a duplicate.
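
For reference, the derivation that Telegram's published SRP description gives for a new 2FA password under this `...SHA256ModPow` algorithm, written out with `hashlib` only. This is an added example, not code from the issue or from Telethon. `salt1`, `salt2` and `g` are the values in the issue's log, while the password and `DEMO_P` are constructed stand-ins (the real `p` is truncated on the page).

```python
import hashlib
import os

ITERATIONS = 100000  # fixed by the algorithm name (iter100000)

def sh(data: bytes, salt: bytes) -> bytes:
    """SH(data, salt) = SHA256(salt | data | salt)."""
    return hashlib.sha256(salt + data + salt).digest()

def ph2(password: bytes, salt1: bytes, salt2: bytes) -> bytes:
    """PH2 = SH(PBKDF2-HMAC-SHA512(PH1, salt1), salt2); PH1 = SH(SH(pw, salt1), salt2)."""
    ph1 = sh(sh(password, salt1), salt2)
    stretched = hashlib.pbkdf2_hmac("sha512", ph1, salt1, ITERATIONS)
    return sh(stretched, salt2)

def extend_salt1(server_salt1: bytes) -> bytes:
    """A new password keeps the server's salt1 as prefix and appends 32 random bytes."""
    return server_salt1 + os.urandom(32)

def new_password_hash(password: bytes, salt1: bytes, salt2: bytes,
                      g: int, p: bytes) -> bytes:
    """v = g^x mod p with x = PH2 as a big-endian integer, left-padded to 256 bytes."""
    if len(p) != 256:
        raise ValueError("p must be a 2048-bit modulus (256 bytes)")
    x = int.from_bytes(ph2(password, salt1, salt2), "big")
    v = pow(g, x, int.from_bytes(p, "big"))
    return v.to_bytes(256, "big")

# salt1, salt2 and g come from the issue's log; everything else is constructed.
SERVER_SALT1 = bytes.fromhex("2681968f95b34111")
SALT2 = bytes.fromhex("1d604d9aedfa404cf50fa272ac1bc0b7")
G = 3
DEMO_PASSWORD = b"constructed-demo-password"
# Constructed 2048-bit stand-in: NOT Telegram's p and not checked for primality.
DEMO_P = ((1 << 2047) | 1).to_bytes(256, "big")

def demo() -> dict:
    """Derive a verifier with an extended salt1 and report the resulting sizes."""
    salt1 = extend_salt1(SERVER_SALT1)
    v = new_password_hash(DEMO_PASSWORD, salt1, SALT2, G, DEMO_P)
    return {"salt1_len": len(salt1), "hash_len": len(v)}

if __name__ == "__main__":
    print(demo())
```

The extended `salt1` used for the derivation is the same one that has to be sent in `new_algo`. Telethon 1.x also exposes a high-level `client.edit_2fa(new_password=...)` helper for this operation.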