nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[PS-2267] Add KdfMemory and KDFParallelism fields (#2583)

Browse Source 
* Add KdfMemory and KDFParallelism fields

* Revise argon2 support

This pull request makes the new attribues for argon2, kdfMemory and
kdfParallelism optional. Furthermore it adds checks for the argon2
parametrs and improves the database migration script.

* Add validation for argon2 in RegisterRequestModel

* update validation messages

* update sql scripts

* register data protection with migration factories

* add ef migrations

* update kdf option validation

* adjust validation

* Centralize and Test KDF Validation

Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
This commit is contained in:
Bernd Schoolmann
2023-01-25 13:56:54 +01:00
committed by GitHub
parent 59f5285c88
commit cb1ba50ce2
36 changed files with 6935 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Api/Controllers/AccountsController.cs
View File

@ -330,7 +330,7 @@ public class AccountsController : Controller
}
var result = await _userService.ChangeKdfAsync(user, model.MasterPasswordHash,
model.NewMasterPasswordHash, model.Key, model.Kdf.Value, model.KdfIterations.Value);
model.NewMasterPasswordHash, model.Key, model.Kdf.Value, model.KdfIterations.Value, model.KdfMemory, model.KdfParallelism);
if (result.Succeeded)
{
return;

17
src/Api/Models/Request/Accounts/KdfRequestModel.cs
View File

@ -1,5 +1,6 @@
using System.ComponentModel.DataAnnotations;
using Bit.Core.Enums;
using Bit.Core.Utilities;
namespace Bit.Api.Models.Request.Accounts;
@ -9,22 +10,16 @@ public class KdfRequestModel : PasswordRequestModel, IValidatableObject
public KdfType? Kdf { get; set; }
[Required]
public int? KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public override IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
{
if (Kdf.HasValue && KdfIterations.HasValue)
{
switch (Kdf.Value)
{
case KdfType.PBKDF2_SHA256:
if (KdfIterations.Value < 5000 || KdfIterations.Value > 2_000_000)
{
yield return new ValidationResult("KDF iterations must be between 5000 and 2000000.");
}
break;
default:
break;
}
return KdfSettingsValidator.Validate(Kdf.Value, KdfIterations.Value, KdfMemory, KdfParallelism);
}
return Enumerable.Empty<ValidationResult>();
}
}

12
src/Api/Models/Request/Accounts/SetKeyConnectorKeyRequestModel.cs
View File

@ -2,10 +2,11 @@
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Models.Api.Request.Accounts;
using Bit.Core.Utilities;
namespace Bit.Api.Models.Request.Accounts;
public class SetKeyConnectorKeyRequestModel
public class SetKeyConnectorKeyRequestModel : IValidatableObject
{
[Required]
public string Key { get; set; }
@ -15,6 +16,8 @@ public class SetKeyConnectorKeyRequestModel
public KdfType Kdf { get; set; }
[Required]
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
[Required]
public string OrgIdentifier { get; set; }
@ -22,8 +25,15 @@ public class SetKeyConnectorKeyRequestModel
{
existingUser.Kdf = Kdf;
existingUser.KdfIterations = KdfIterations;
existingUser.KdfMemory = KdfMemory;
existingUser.KdfParallelism = KdfParallelism;
existingUser.Key = Key;
Keys.ToUser(existingUser);
return existingUser;
}
public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
{
return KdfSettingsValidator.Validate(Kdf, KdfIterations, KdfMemory, KdfParallelism);
}
}

12
src/Api/Models/Request/Accounts/SetPasswordRequestModel.cs
View File

@ -2,10 +2,11 @@
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Models.Api.Request.Accounts;
using Bit.Core.Utilities;
namespace Bit.Api.Models.Request.Accounts;
public class SetPasswordRequestModel
public class SetPasswordRequestModel : IValidatableObject
{
[Required]
[StringLength(300)]
@ -20,6 +21,8 @@ public class SetPasswordRequestModel
public KdfType Kdf { get; set; }
[Required]
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public string OrgIdentifier { get; set; }
public User ToUser(User existingUser)
@ -27,8 +30,15 @@ public class SetPasswordRequestModel
existingUser.MasterPasswordHint = MasterPasswordHint;
existingUser.Kdf = Kdf;
existingUser.KdfIterations = KdfIterations;
existingUser.KdfMemory = KdfMemory;
existingUser.KdfParallelism = KdfParallelism;
existingUser.Key = Key;
Keys.ToUser(existingUser);
return existingUser;
}
public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
{
return KdfSettingsValidator.Validate(Kdf, KdfIterations, KdfMemory, KdfParallelism);
}
}

4
src/Api/Models/Response/EmergencyAccessResponseModel.cs
View File

@ -97,9 +97,13 @@ public class EmergencyAccessTakeoverResponseModel : ResponseModel
KeyEncrypted = emergencyAccess.KeyEncrypted;
Kdf = grantor.Kdf;
KdfIterations = grantor.KdfIterations;
KdfMemory = grantor.KdfMemory;
KdfParallelism = grantor.KdfParallelism;
}
public int KdfIterations { get; private set; }
public int? KdfMemory { get; private set; }
public int? KdfParallelism { get; private set; }
public KdfType Kdf { get; private set; }
public string KeyEncrypted { get; private set; }
}

4
src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
View File

@ -111,12 +111,16 @@ public class OrganizationUserResetPasswordDetailsResponseModel : ResponseModel
Kdf = orgUser.Kdf;
KdfIterations = orgUser.KdfIterations;
KdfMemory = orgUser.KdfMemory;
KdfParallelism = orgUser.KdfParallelism;
ResetPasswordKey = orgUser.ResetPasswordKey;
EncryptedPrivateKey = orgUser.EncryptedPrivateKey;
}
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public string ResetPasswordKey { get; set; }
public string EncryptedPrivateKey { get; set; }
}

2
src/Core/Entities/User.cs
View File

@ -54,6 +54,8 @@ public class User : ITableObject<Guid>, ISubscriber, IStorable, IStorableSubscri
public string ApiKey { get; set; }
public KdfType Kdf { get; set; } = KdfType.PBKDF2_SHA256;
public int KdfIterations { get; set; } = 5000;
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public DateTime CreationDate { get; set; } = DateTime.UtcNow;
public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
public bool ForcePasswordReset { get; set; }

3
src/Core/Enums/KdfType.cs
View File

@ -2,5 +2,6 @@
public enum KdfType : byte
{
PBKDF2_SHA256 = 0
PBKDF2_SHA256 = 0,
Argon2id = 1
}

18
src/Core/Models/Api/Request/Accounts/RegisterRequestModel.cs
View File

@ -26,6 +26,8 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
public Guid? OrganizationUserId { get; set; }
public KdfType? Kdf { get; set; }
public int? KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public Dictionary<string, object> ReferenceData { get; set; }
public User ToUser()
@ -37,6 +39,8 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
MasterPasswordHint = MasterPasswordHint,
Kdf = Kdf.GetValueOrDefault(KdfType.PBKDF2_SHA256),
KdfIterations = KdfIterations.GetValueOrDefault(5000),
KdfMemory = KdfMemory,
KdfParallelism = KdfParallelism
};
if (ReferenceData != null)
@ -61,17 +65,9 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
{
if (Kdf.HasValue && KdfIterations.HasValue)
{
switch (Kdf.Value)
{
case KdfType.PBKDF2_SHA256:
if (KdfIterations.Value < 5000 || KdfIterations.Value > 1_000_000)
{
yield return new ValidationResult("KDF iterations must be between 5000 and 1000000.");
}
break;
default:
break;
}
return KdfSettingsValidator.Validate(Kdf.Value, KdfIterations.Value, KdfMemory, KdfParallelism);
}
return Enumerable.Empty<ValidationResult>();
}
}

4
src/Core/Models/Api/Response/Accounts/PreloginResponseModel.cs
View File

@ -9,8 +9,12 @@ public class PreloginResponseModel
{
Kdf = kdfInformation.Kdf;
KdfIterations = kdfInformation.KdfIterations;
KdfMemory = kdfInformation.KdfMemory;
KdfParallelism = kdfInformation.KdfParallelism;
}
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
}

4
src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserResetPasswordDetails.cs
View File

@ -24,11 +24,15 @@ public class OrganizationUserResetPasswordDetails
Kdf = user.Kdf;
KdfIterations = user.KdfIterations;
KdfMemory = user.KdfMemory;
KdfParallelism = user.KdfParallelism;
ResetPasswordKey = orgUser.ResetPasswordKey;
EncryptedPrivateKey = org.PrivateKey;
}
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
public string ResetPasswordKey { get; set; }
public string EncryptedPrivateKey { get; set; }
}

2
src/Core/Models/Data/UserKdfInformation.cs
View File

@ -6,4 +6,6 @@ public class UserKdfInformation
{
public KdfType Kdf { get; set; }
public int KdfIterations { get; set; }
public int? KdfMemory { get; set; }
public int? KdfParallelism { get; set; }
}

2
src/Core/Services/IUserService.cs
View File

@ -36,7 +36,7 @@ public interface IUserService
Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
Task<IdentityResult> UpdateTempPasswordAsync(User user, string newMasterPassword, string key, string hint);
Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
KdfType kdf, int kdfIterations);
KdfType kdf, int kdfIterations, int? kdfMemory, int? kdfParallelism);
Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,
IEnumerable<Cipher> ciphers, IEnumerable<Folder> folders, IEnumerable<Send> sends);
Task<IdentityResult> RefreshSecurityStampAsync(User user, string masterPasswordHash);

4
src/Core/Services/Implementations/UserService.cs
View File

@ -824,7 +824,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
}
public async Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword,
string key, KdfType kdf, int kdfIterations)
string key, KdfType kdf, int kdfIterations, int? kdfMemory, int? kdfParallelism)
{
if (user == null)
{
@ -843,6 +843,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
user.Key = key;
user.Kdf = kdf;
user.KdfIterations = kdfIterations;
user.KdfMemory = kdfMemory;
user.KdfParallelism = kdfParallelism;
await _userRepository.ReplaceAsync(user);
await _pushService.PushLogOutAsync(user.Id);
return IdentityResult.Success;

37
src/Core/Utilities/KdfSettingsValidator.cs Normal file
View File

@ -0,0 +1,37 @@
using System.ComponentModel.DataAnnotations;
using Bit.Core.Enums;
namespace Bit.Core.Utilities;
public static class KdfSettingsValidator
{
public static IEnumerable<ValidationResult> Validate(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
{
switch (kdfType)
{
case KdfType.PBKDF2_SHA256:
if (kdfIterations < 5000 || kdfIterations > 2_000_000)
{
yield return new ValidationResult("KDF iterations must be between 5000 and 2000000.");
}
break;
case KdfType.Argon2id:
if (kdfIterations <= 0)
{
yield return new ValidationResult("Argon2 iterations must be greater than 0.");
}
else if (!kdfMemory.HasValue || kdfMemory.Value < 15 || kdfMemory.Value > 1024)
{
yield return new ValidationResult("Argon2 memory must be between 15mb and 1024mb.");
}
else if (!kdfParallelism.HasValue || kdfParallelism.Value < 1 || kdfParallelism.Value > 16)
{
yield return new ValidationResult("Argon2 parallelism must be between 1 and 16.");
}
break;
default:
break;
}
}
}

2
src/Identity/IdentityServer/BaseRequestValidator.cs
View File

@ -187,6 +187,8 @@ public abstract class BaseRequestValidator<T> where T : class
customResponse.Add("ResetMasterPassword", string.IsNullOrWhiteSpace(user.MasterPassword));
customResponse.Add("Kdf", (byte)user.Kdf);
customResponse.Add("KdfIterations", user.KdfIterations);
customResponse.Add("KdfMemory", user.KdfMemory);
customResponse.Add("KdfParallelism", user.KdfParallelism);
if (sendRememberToken)
{

4
src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
View File

@ -32,7 +32,9 @@ public class UserRepository : Repository<Core.Entities.User, User, Guid>, IUserR
.Select(e => new DataModel.UserKdfInformation
{
Kdf = e.Kdf,
KdfIterations = e.KdfIterations
KdfIterations = e.KdfIterations,
KdfMemory = e.KdfMemory,
KdfParallelism = e.KdfParallelism
}).SingleOrDefaultAsync();
}
}

3
src/Sql/Sql.sqlproj
View File

@ -67,6 +67,7 @@
<Folder Include="dbo\Functions\" />
<Folder Include="dbo\Stored Procedures\" />
<Folder Include="dbo\User Defined Types\" />
<Folder Include="dbo\Stored Procedures\ApiKey\" />
</ItemGroup>
<ItemGroup>
<Build Include="dbo\Functions\CipherDetails.sql" />
@ -437,4 +438,4 @@
<Build Include="SecretsManager\dbo\Views\ApiKeyDetailsView.sql" />
<Build Include="SecretsManager\dbo\Views\ApiKeyView.sql" />
</ItemGroup>
</Project>
</Project>

10
src/Sql/dbo/Stored Procedures/User_Create.sql
View File

@ -27,6 +27,8 @@
@LicenseKey VARCHAR(100),
@Kdf TINYINT,
@KdfIterations INT,
@KdfMemory INT = NULL,
@KdfParallelism INT = NULL,
@CreationDate DATETIME2(7),
@RevisionDate DATETIME2(7),
@ApiKey VARCHAR(30),
@ -78,7 +80,9 @@ BEGIN
[FailedLoginCount],
[LastFailedLoginDate],
[UnknownDeviceVerificationEnabled],
[AvatarColor]
[AvatarColor],
[KdfMemory],
[KdfParallelism]
)
VALUES
(
@ -118,6 +122,8 @@ BEGIN
@FailedLoginCount,
@LastFailedLoginDate,
@UnknownDeviceVerificationEnabled,
@AvatarColor
@AvatarColor,
@KdfMemory,
@KdfParallelism
)
END

2
src/Sql/dbo/Stored Procedures/User_ReadKdfByEmail.sql
View File

@ -7,6 +7,8 @@ BEGIN
SELECT
[Kdf],
[KdfIterations]
[KdfMemory],
[KdfParallelism]
FROM
[dbo].[User]
WHERE

4
src/Sql/dbo/Stored Procedures/User_Update.sql
View File

@ -27,6 +27,8 @@
@LicenseKey VARCHAR(100),
@Kdf TINYINT,
@KdfIterations INT,
@KdfMemory INT = NULL,
@KdfParallelism INT = NULL,
@CreationDate DATETIME2(7),
@RevisionDate DATETIME2(7),
@ApiKey VARCHAR(30),
@ -70,6 +72,8 @@ BEGIN
[LicenseKey] = @LicenseKey,
[Kdf] = @Kdf,
[KdfIterations] = @KdfIterations,
[KdfMemory] = @KdfMemory,
[KdfParallelism] = @KdfParallelism,
[CreationDate] = @CreationDate,
[RevisionDate] = @RevisionDate,
[ApiKey] = @ApiKey,

2
src/Sql/dbo/Tables/User.sql
View File

@ -27,6 +27,8 @@
[LicenseKey] VARCHAR (100) NULL,
[Kdf] TINYINT NOT NULL,
[KdfIterations] INT NOT NULL,
[KdfMemory] INT NULL,
[KdfParallelism] INT NULL,
[CreationDate] DATETIME2 (7) NOT NULL,
[RevisionDate] DATETIME2 (7) NOT NULL,
[ApiKey] VARCHAR (30) NOT NULL,