topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Update KDF Configuration and processing 

- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
- Update Password Hash when the default iteration value is different
- Validate password_iterations
- Validate client-side KDF to prevent it from being set lower than 100_000
pull/3163/head
BlackDex 3 years ago
parent
9b7e86efc2
commit
2d8c8e18f7
No known key found for this signature in database GPG Key ID: 58C80A2AA6C765E1
6 changed files with 35 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      .env.template
  2. 11
      src/api/core/accounts.rs
  3. 2
      src/api/core/emergency_access.rs
  4. 13
      src/api/identity.rs
  5. 10
      src/config.rs
  6. 8
      src/db/models/user.rs

6
.env.template
View File

@ -298,9 +298,9 @@
## This setting applies globally to all users. ## This setting applies globally to all users.
# INCOMPLETE_2FA_TIME_LIMIT=3 # INCOMPLETE_2FA_TIME_LIMIT=3
## Controls the PBBKDF password iterations to apply on the server ## Number of server-side passwords hashing iterations for the password hash.
## The change only applies when the password is changed ## The default for new users. If changed, it will be updated during login for existing users.
# PASSWORD_ITERATIONS=100000 # PASSWORD_ITERATIONS=350000
## Controls whether users can set password hints. This setting applies globally to all users. ## Controls whether users can set password hints. This setting applies globally to all users.
# PASSWORD_HINTS_ALLOWED=true # PASSWORD_HINTS_ALLOWED=true

11
src/api/core/accounts.rs
View File

@ -161,7 +161,7 @@ pub async fn _register(data: JsonUpcase<RegisterData>, mut conn: DbConn) -> Json
user.client_kdf_type = client_kdf_type; user.client_kdf_type = client_kdf_type;
} }
user.set_password(&data.MasterPasswordHash, None); user.set_password(&data.MasterPasswordHash, true, None);
user.akey = data.Key; user.akey = data.Key;
user.password_hint = password_hint; user.password_hint = password_hint;
@ -318,6 +318,7 @@ async fn post_password(
user.set_password( user.set_password(
&data.NewMasterPasswordHash, &data.NewMasterPasswordHash,
true,
Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]), Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
); );
user.akey = data.Key; user.akey = data.Key;
@ -348,9 +349,13 @@ async fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, mut conn: D
err!("Invalid password") err!("Invalid password")
} }
if data.KdfIterations < 100_000 {
err!("KDF iterations lower then 100000 are not allowed.")
}
user.client_kdf_iter = data.KdfIterations; user.client_kdf_iter = data.KdfIterations;
user.client_kdf_type = data.Kdf; user.client_kdf_type = data.Kdf;
user.set_password(&data.NewMasterPasswordHash, None); user.set_password(&data.NewMasterPasswordHash, true, None);
user.akey = data.Key; user.akey = data.Key;
let save_result = user.save(&mut conn).await; let save_result = user.save(&mut conn).await;
@ -560,7 +565,7 @@ async fn post_email(
user.email_new = None; user.email_new = None;
user.email_new_token = None; user.email_new_token = None;
user.set_password(&data.NewMasterPasswordHash, None); user.set_password(&data.NewMasterPasswordHash, true, None);
user.akey = data.Key; user.akey = data.Key;
let save_result = user.save(&mut conn).await; let save_result = user.save(&mut conn).await;

2
src/api/core/emergency_access.rs
View File

@ -662,7 +662,7 @@ async fn password_emergency_access(
}; };
// change grantor_user password // change grantor_user password
grantor_user.set_password(new_master_password_hash, None); grantor_user.set_password(new_master_password_hash, true, None);
grantor_user.akey = key; grantor_user.akey = key;
grantor_user.save(&mut conn).await?; grantor_user.save(&mut conn).await?;

13
src/api/identity.rs
View File

@ -130,7 +130,7 @@ async fn _password_login(
// Get the user // Get the user
let username = data.username.as_ref().unwrap().trim(); let username = data.username.as_ref().unwrap().trim();
let user = match User::find_by_mail(username, conn).await { let mut user = match User::find_by_mail(username, conn).await {
Some(user) => user, Some(user) => user,
None => err!("Username or password is incorrect. Try again", format!("IP: {}. Username: {}.", ip.ip, username)), None => err!("Username or password is incorrect. Try again", format!("IP: {}. Username: {}.", ip.ip, username)),
}; };
@ -150,6 +150,16 @@ async fn _password_login(
) )
} }
// Change the KDF Iterations
if user.password_iterations != CONFIG.password_iterations() {
user.password_iterations = CONFIG.password_iterations();
user.set_password(password, false, None);
if let Err(e) = user.save(conn).await {
error!("Error updating user: {:#?}", e);
}
}
// Check if the user is disabled // Check if the user is disabled
if !user.enabled { if !user.enabled {
err!( err!(
@ -172,7 +182,6 @@ async fn _password_login(
if resend_limit == 0 || user.login_verify_count < resend_limit { if resend_limit == 0 || user.login_verify_count < resend_limit {
// We want to send another email verification if we require signups to verify // We want to send another email verification if we require signups to verify
// their email address, and we haven't sent them a reminder in a while... // their email address, and we haven't sent them a reminder in a while...
let mut user = user;
user.last_verifying_at = Some(now); user.last_verifying_at = Some(now);
user.login_verify_count += 1; user.login_verify_count += 1;

10
src/config.rs
View File

@ -463,9 +463,9 @@ make_config! {
invitation_expiration_hours: u32, false, def, 120; invitation_expiration_hours: u32, false, def, 120;
/// Allow emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users. /// Allow emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users.
emergency_access_allowed: bool, true, def, true; emergency_access_allowed: bool, true, def, true;
/// Password iterations |> Number of server-side passwords hashing iterations. /// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
/// The changes only apply when a user changes their password. Not recommended to lower the value /// The default for new users. If changed, it will be updated during login for existing users.
password_iterations: i32, true, def, 100_000; password_iterations: i32, true, def, 600_000;
/// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users. /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
password_hints_allowed: bool, true, def, true; password_hints_allowed: bool, true, def, true;
/// Show password hint |> Controls whether a password hint should be shown directly in the web page /// Show password hint |> Controls whether a password hint should be shown directly in the web page
@ -673,6 +673,10 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
} }
} }
if cfg.password_iterations < 100_000 {
err!("PASSWORD_ITERATIONS should be at least 100000 or higher. The default is 600000!");
}
let limit = 256; let limit = 256;
if cfg.database_max_conns < 1 || cfg.database_max_conns > limit { if cfg.database_max_conns < 1 || cfg.database_max_conns > limit {
err!(format!("`DATABASE_MAX_CONNS` contains an invalid value. Ensure it is between 1 and {limit}.",)); err!(format!("`DATABASE_MAX_CONNS` contains an invalid value. Ensure it is between 1 and {limit}.",));

8
src/db/models/user.rs
View File

@ -74,7 +74,7 @@ pub struct UserStampException {
/// Local methods /// Local methods
impl User { impl User {
pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0 pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
pub const CLIENT_KDF_ITER_DEFAULT: i32 = 100_000; pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000;
pub fn new(email: String) -> Self { pub fn new(email: String) -> Self {
let now = Utc::now().naive_utc(); let now = Utc::now().naive_utc();
@ -151,14 +151,16 @@ impl User {
/// These routes are able to use the previous stamp id for the next 2 minutes. /// These routes are able to use the previous stamp id for the next 2 minutes.
/// After these 2 minutes this stamp will expire. /// After these 2 minutes this stamp will expire.
/// ///
pub fn set_password(&mut self, password: &str, allow_next_route: Option<Vec<String>>) { pub fn set_password(&mut self, password: &str, reset_security_stamp: bool, allow_next_route: Option<Vec<String>>) {
self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32); self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
if let Some(route) = allow_next_route { if let Some(route) = allow_next_route {
self.set_stamp_exception(route); self.set_stamp_exception(route);
} }
self.reset_security_stamp() if reset_security_stamp {
self.reset_security_stamp()
}
} }
pub fn reset_security_stamp(&mut self) { pub fn reset_security_stamp(&mut self) {

Write Preview
Loading…
Cancel
Save