nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00
Code Activity

[PM-3565] Enforce higher minimum KDF (#3304)

Browse Source 
Extract KDF logic into a new Range class. Increase minimum iterations for PBKDF.
This commit is contained in:
Oscar Hinton
2023-12-05 17:21:46 +01:00
committed by GitHub
parent 26e6093c14
commit eedc96263a
10 changed files with 132 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
test/Api.Test/Controllers/AccountsControllerTests.cs
View File

@ -1,6 +1,7 @@
using System.Security.Claims;
using Bit.Api.Auth.Models.Request.Accounts;
using Bit.Api.Controllers;
using Bit.Core;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.AdminConsole.Services;
using Bit.Core.Auth.Models.Api.Request.Accounts;
@ -111,14 +112,14 @@ public class AccountsControllerTests : IDisposable
}
[Fact]
public async Task PostPrelogin_WhenUserDoesNotExist_ShouldDefaultToSha256And100000Iterations()
public async Task PostPrelogin_WhenUserDoesNotExist_ShouldDefaultToPBKDF()
{
_userRepository.GetKdfInformationByEmailAsync(Arg.Any<string>()).Returns(Task.FromResult((UserKdfInformation)null));
var response = await _sut.PostPrelogin(new PreloginRequestModel { Email = "user@example.com" });
Assert.Equal(KdfType.PBKDF2_SHA256, response.Kdf);
Assert.Equal(100000, response.KdfIterations);
Assert.Equal(AuthConstants.PBKDF2_ITERATIONS.Default, response.KdfIterations);
}
[Fact]

10
test/Api.Test/Models/Request/Accounts/KdfRequestModelTests.cs
View File

@ -9,11 +9,11 @@ public class KdfRequestModelTests
{
[Theory]
[InlineData(KdfType.PBKDF2_SHA256, 1_000_000, null, null)] // Somewhere in the middle
[InlineData(KdfType.PBKDF2_SHA256, 5000, null, null)] // Right on the lower boundary
[InlineData(KdfType.PBKDF2_SHA256, 600_000, null, null)] // Right on the lower boundary
[InlineData(KdfType.PBKDF2_SHA256, 2_000_000, null, null)] // Right on the upper boundary
[InlineData(KdfType.Argon2id, 10, 500, 8)] // Somewhere in the middle
[InlineData(KdfType.Argon2id, 1, 15, 1)] // Right on the lower boundary
[InlineData(KdfType.Argon2id, 5000, 1024, 16)] // Right on the upper boundary
[InlineData(KdfType.Argon2id, 5, 500, 8)] // Somewhere in the middle
[InlineData(KdfType.Argon2id, 2, 15, 1)] // Right on the lower boundary
[InlineData(KdfType.Argon2id, 10, 1024, 16)] // Right on the upper boundary
public void Validate_IsValid(KdfType kdfType, int? kdfIterations, int? kdfMemory, int? kdfParallelism)
{
var model = new KdfRequestModel
@ -32,7 +32,7 @@ public class KdfRequestModelTests
[Theory]
[InlineData(null, 350_000, null, null, 1)] // Although KdfType is nullable, it's marked as [Required]
[InlineData(KdfType.PBKDF2_SHA256, 1000, null, null, 1)] // Too few iterations
[InlineData(KdfType.PBKDF2_SHA256, 500_000, null, null, 1)] // Too few iterations
[InlineData(KdfType.PBKDF2_SHA256, 2_000_001, null, null, 1)] // Too many iterations
[InlineData(KdfType.Argon2id, 0, 30, 8, 1)] // Iterations must be greater than 0
[InlineData(KdfType.Argon2id, 10, 14, 8, 1)] // Too little memory