[PS-2267] Add KdfMemory and KDFParallelism fields (#2583)

* Add KdfMemory and KDFParallelism fields * Revise argon2 support This pull request makes the new attribues for argon2, kdfMemory and kdfParallelism optional. Furthermore it adds checks for the argon2 parametrs and improves the database migration script. * Add validation for argon2 in RegisterRequestModel * update validation messages * update sql scripts * register data protection with migration factories * add ef migrations * update kdf option validation * adjust validation * Centralize and Test KDF Validation Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com> Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
2025-06-30 23:52:50 -05:00 · 2023-01-25 13:56:54 +01:00
parent 59f5285c88
commit cb1ba50ce2
36 changed files with 6935 additions and 35 deletions
--- a/src/Api/Controllers/AccountsController.cs
+++ b/src/Api/Controllers/AccountsController.cs
@ -330,7 +330,7 @@ public class AccountsController : Controller
        }

        var result = await _userService.ChangeKdfAsync(user, model.MasterPasswordHash,
-            model.NewMasterPasswordHash, model.Key, model.Kdf.Value, model.KdfIterations.Value);
+            model.NewMasterPasswordHash, model.Key, model.Kdf.Value, model.KdfIterations.Value, model.KdfMemory, model.KdfParallelism);
        if (result.Succeeded)
        {
            return;
--- a/src/Api/Models/Request/Accounts/KdfRequestModel.cs
+++ b/src/Api/Models/Request/Accounts/KdfRequestModel.cs
@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Enums;
+using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request.Accounts;

@ -9,22 +10,16 @@ public class KdfRequestModel : PasswordRequestModel, IValidatableObject
    public KdfType? Kdf { get; set; }
    [Required]
    public int? KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }

    public override IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
    {
        if (Kdf.HasValue && KdfIterations.HasValue)
        {
-            switch (Kdf.Value)
-            {
-                case KdfType.PBKDF2_SHA256:
-                    if (KdfIterations.Value < 5000 || KdfIterations.Value > 2_000_000)
-                    {
-                        yield return new ValidationResult("KDF iterations must be between 5000 and 2000000.");
-                    }
-                    break;
-                default:
-                    break;
-            }
+            return KdfSettingsValidator.Validate(Kdf.Value, KdfIterations.Value, KdfMemory, KdfParallelism);
        }
+
+        return Enumerable.Empty<ValidationResult>();
    }
 }
--- a/src/Api/Models/Request/Accounts/SetKeyConnectorKeyRequestModel.cs
+++ b/src/Api/Models/Request/Accounts/SetKeyConnectorKeyRequestModel.cs
@ -2,10 +2,11 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api.Request.Accounts;
+using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request.Accounts;

-public class SetKeyConnectorKeyRequestModel
+public class SetKeyConnectorKeyRequestModel : IValidatableObject
 {
    [Required]
    public string Key { get; set; }
@ -15,6 +16,8 @@ public class SetKeyConnectorKeyRequestModel
    public KdfType Kdf { get; set; }
    [Required]
    public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
    [Required]
    public string OrgIdentifier { get; set; }

@ -22,8 +25,15 @@ public class SetKeyConnectorKeyRequestModel
    {
        existingUser.Kdf = Kdf;
        existingUser.KdfIterations = KdfIterations;
+        existingUser.KdfMemory = KdfMemory;
+        existingUser.KdfParallelism = KdfParallelism;
        existingUser.Key = Key;
        Keys.ToUser(existingUser);
        return existingUser;
    }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        return KdfSettingsValidator.Validate(Kdf, KdfIterations, KdfMemory, KdfParallelism);
+    }
 }
--- a/src/Api/Models/Request/Accounts/SetPasswordRequestModel.cs
+++ b/src/Api/Models/Request/Accounts/SetPasswordRequestModel.cs
@ -2,10 +2,11 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api.Request.Accounts;
+using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request.Accounts;

-public class SetPasswordRequestModel
+public class SetPasswordRequestModel : IValidatableObject
 {
    [Required]
    [StringLength(300)]
@ -20,6 +21,8 @@ public class SetPasswordRequestModel
    public KdfType Kdf { get; set; }
    [Required]
    public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
    public string OrgIdentifier { get; set; }

    public User ToUser(User existingUser)
@ -27,8 +30,15 @@ public class SetPasswordRequestModel
        existingUser.MasterPasswordHint = MasterPasswordHint;
        existingUser.Kdf = Kdf;
        existingUser.KdfIterations = KdfIterations;
+        existingUser.KdfMemory = KdfMemory;
+        existingUser.KdfParallelism = KdfParallelism;
        existingUser.Key = Key;
        Keys.ToUser(existingUser);
        return existingUser;
    }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        return KdfSettingsValidator.Validate(Kdf, KdfIterations, KdfMemory, KdfParallelism);
+    }
 }
--- a/src/Api/Models/Response/EmergencyAccessResponseModel.cs
+++ b/src/Api/Models/Response/EmergencyAccessResponseModel.cs
@ -97,9 +97,13 @@ public class EmergencyAccessTakeoverResponseModel : ResponseModel
        KeyEncrypted = emergencyAccess.KeyEncrypted;
        Kdf = grantor.Kdf;
        KdfIterations = grantor.KdfIterations;
+        KdfMemory = grantor.KdfMemory;
+        KdfParallelism = grantor.KdfParallelism;
    }

    public int KdfIterations { get; private set; }
+    public int? KdfMemory { get; private set; }
+    public int? KdfParallelism { get; private set; }
    public KdfType Kdf { get; private set; }
    public string KeyEncrypted { get; private set; }
 }
--- a/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
@ -111,12 +111,16 @@ public class OrganizationUserResetPasswordDetailsResponseModel : ResponseModel

        Kdf = orgUser.Kdf;
        KdfIterations = orgUser.KdfIterations;
+        KdfMemory = orgUser.KdfMemory;
+        KdfParallelism = orgUser.KdfParallelism;
        ResetPasswordKey = orgUser.ResetPasswordKey;
        EncryptedPrivateKey = orgUser.EncryptedPrivateKey;
    }

    public KdfType Kdf { get; set; }
    public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
    public string ResetPasswordKey { get; set; }
    public string EncryptedPrivateKey { get; set; }
 }