New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add argon2 kdf fields #3210
add argon2 kdf fields #3210
Conversation
In the official server, kdfmemory and kdfparallelism are null if pbkdf2 is selected, and not null when argon2 is selected. If they are null, the fields can (should) be omitted from the API responses.
|
Yep, I saw the
They will only be NULL in the db, if we use
Right, but when someone switches to argon2, I rather not have 600,000 iterations... I haven't seen the UI yet, thus I don't know what the UI will do. e.g. will it automatically change the iterations to another value or will the user have to set the iterations manually? Btw, I am heading to bed, so I won't respond in the next few hours. |
I'd rather not have any defaults set into the database. Also, as @quexten mentioned the |
Some checks such as : Lines 676 to 679 in 9366e31
Need adjusting to distinguish between pbkdf2 and argon2.
The iterations when switching to argon2 are set in the client, not on the server. I think they should only matter on the server in case the client omits the values: vaultwarden/src/api/core/accounts.rs Lines 773 to 778 in 9366e31
|
By the way, the limits should be: The defaults on the clients are: Edit: vaultwarden/src/api/core/accounts.rs Lines 367 to 378 in 3896a82
Probably need to change the kdfIterations check though. So something like: if data.Kdf == 0 {
if data.KdfIterations < 100_000 {
err!("PBKDF2 iterations lower than 100000 are not allowed.")
}
} else if data.Kdf == 1 {
if data.KdfIterations < 1 {
err!("Argon2 iterations lower than 1 are not allowed.")
}
if data.KdfMemory < 15 || data.KdfMemory > 1024 {
err!("Argon2 memory must be between 15mb and 1024mb.")
}
if data.KdfParallelism < 1 || data.KdfParallelism > 16 {
err!("Argon2 parallelism must be between 1 and 16.")
}
} |
Oh, one more note: The CSP needs to be changed for the webvault. Due to webassembly not supporting hashes for the CSP yet, it requires the "wasm-unsafe-eval" policy in the CSP. Since the current CSP does not seem to allow it: Lines 56 to 82 in 9b7e86e
Hope my notes help! |
@quexten sorry, I read your edits too late, since I read the email notifications instead. I only add memory/parallelism when argon2 is used to the JSON in Let me know, if I should do the same for:
I can do the rest this evening. |
Yep, everwhere where KdfType, KdfIterations are sent, KdfMemory and KdfParallelism should now be sent too. |
By the way, feel free to ping me once you are done with the PR, I have the argon2 builds of the web and mobile clients anyways, so I'm happy to test. |
This is already happening. What I was asking was whether I should also exclude the argon2 values from the JSON response as you have stated here #3210 (comment) for the 4 functions I have listed. I have already done this for one function: https://github.com/dani-garcia/vaultwarden/pull/3210/files#diff-1c5b0c87dec2154a167b89110c637a7a4bc04f59af0b83e8ddba39eb2134518cR254 I can look into this again in 5-6 hours. |
Oh, sorry misunderstood. I don't think it would cause issues to respond values, since for the pbkdf2 case the wouldn't be used, but since the should be null in that case, it's better to just exclude them from the response (the same way as on the official server). For argon2 of course do send them. |
I had a look, and this looks correct to me 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good for your (as far as i know) first shot at Rust :).
Some small items to address.
I haven't validated/run the code it self though.
I am sorry, I had to take care of somehing last evening. I'll try to finish it in the morning. |
Unfortunately I have issues with
Sorry, I just don't know Rust very well. But other than that the code should be fine. Can someone please help me with this enum? |
I suggest to place that enum in the That should make it globally available when either |
Yes, I have done that already in my last commit.
This was the missing part. Thank you! I'll push another commit in a sec. At the end, after the review and when it is good to go, I'll squash my commits and force-push. |
@quexten I think it's ready for a test spin. |
Seriously, the pipeline failed because of the list not in alphabetical order?
Anyway, it would make sense to have the format check in the beginning and abend BEFORE building the code.... |
Very nice. I'll test it in a few hours. |
@tessus However, switching back to pbkdf2 does not work. I get "422 Unprocessable Entity" Did not tet database migrations (yet). |
From the log:
|
Hmm, not sure why it needs a KdfMemory field when switching back to pbkdf2. The field is in the database, but it won't be in a response when the type is not argon2. Any chance you can send me the web-vault? http://g0to.ca/drop should do it. |
I think some structure or function in the server code might be expecting the field when parsing the json request. Since it is not sent when using pbkdf2, the server throws an error. |
Thanks a bunch for the zip. I will look at this error this evening (hopefully). I think I might know what the problem could be (from thinking about the code I changed - I don't have it in front of me right now). But maybe BlackDex will find the issue during the review, who knows. ;-) |
Yea, that was very easy :). Those probably need to be converted to an |
Nice, I thought along the same lines. I have a few minutes. I'll fix it now. |
Switching back to Pbkdf2 works now. |
Thanks for the reply.
Yep, I know, but in this case the compiler sees that only integers were used for the 2 values in the enum.
I also understand this, but that's why I mentioned that the compiler could use a default, if nothing is explicitly specified. We have to enclose the integer values in |
Back to WIP. No idea how to fix those compile errors yet. Will have to do some research, but any hint might help. P.S.: Hmm, so I think I have to check whether the value is not |
17c334d
to
c55d8b0
Compare
c55d8b0
to
d4b51ca
Compare
Sqashed and force-pushed again. I dislike a messy git history, although it probably wouldn't matter, since merge commits are done when PRs are merged to master. |
Sorry, it seems that I can't re-request a review from more than one person. |
b660efe
to
08916aa
Compare
08916aa
to
68bcc7a
Compare
Is there still something missing for this change? |
In the sense of an approval? |
No, I know that reviewing a PR can take time. But rather whether I have addressed all the issues that came up in previous conversations. I think I addressed everything, but I could have missed something. But the people who have left comments would most likely know right away and can say "hold on, dude, what about xyz? you missed that one."
Well, this change does not require a new web-vault. It's the other way around. The new clients that have the argon2 code will require this code change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested with the main branch of the web vault, works correctly for me
In what version should we start seeing Argon2id in the Security>Keys>KDF_algorithm dropdown? |
Either currently in testing, or wait until next release. |
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [vaultwarden/server](https://togithub.com/dani-garcia/vaultwarden) | minor | `1.27.0` -> `1.28.1` | --- ### Release Notes <details> <summary>dani-garcia/vaultwarden</summary> ### [`v1.28.1`](https://togithub.com/dani-garcia/vaultwarden/releases/tag/1.28.1) [Compare Source](https://togithub.com/dani-garcia/vaultwarden/compare/1.28.0...1.28.1) #### What's Changed - Decode knowndevice `X-Request-Email` as base64url with no padding by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3376 - Fix abort on password reset mail error by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3390 - support `/users/<uuid>/invite/resend` admin api by [@​nikolaevn](https://togithub.com/nikolaevn) in [dani-garcia/vaultwarden#3397 - always return KdfMemory and KdfParallelism by [@​stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#3398 - Fix sending out multiple websocket notifications by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3405 - Revert setcap, update rust and crates by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3403 #### New Contributors - [@​nikolaevn](https://togithub.com/nikolaevn) made their first contribution in [dani-garcia/vaultwarden#3397 **Full Changelog**: dani-garcia/vaultwarden@1.28.0...1.28.1 ### [`v1.28.0`](https://togithub.com/dani-garcia/vaultwarden/releases/tag/1.28.0) [Compare Source](https://togithub.com/dani-garcia/vaultwarden/compare/1.27.0...1.28.0) #### Major changes - The project has changed license to the [**AGPLv3**](https://togithub.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt). If you're hosting a Vaultwarden instance, you now have a requirement to distribute the Vaultwarden source code to your users if they request it. The source code, and any changes you have made, need to be under the same AGPLv3 license. If you simply use our code without modifications, just pointing them to this repository is enough. - Added support for **Argon2** key derivation on the clients. To enable it for your account, make sure all your clients are using version v2023.2.0 or greater, then go to account settings > security > keys, and change the algorithm from PBKDF2 to Argon2id. - Added support for **Argon2** key derivation for the admin page token. To update your admin token to use it, [check the wiki](https://togithub.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token) - New **alternative registries** for the docker images are available (In **BETA** for now): - **Github Container Registry**: https://ghcr.io/dani-garcia/vaultwarden - **Quay**: https://quay.io/vaultwarden/server #### What's Changed - Remove patched multer-rs by [@​manofthepeace](https://togithub.com/manofthepeace) in [dani-garcia/vaultwarden#2968 - Removed unsafe-inline JS from CSP and other fixes by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3058 - Validate YUBICO_SERVER string ([#​3003](https://togithub.com/dani-garcia/vaultwarden/issues/3003)) by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3059 - Log message to stderr if LOG_FILE is not writable by [@​pjsier](https://togithub.com/pjsier) in [dani-garcia/vaultwarden#3061 - Update WebSocket Notifications by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3076 - Optimize config loading messages by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3092 - Percent-encode org_name in links by [@​am97](https://togithub.com/am97) in [dani-garcia/vaultwarden#3093 - Fix failing large note imports by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3087 - Change `text/plain` API responses to `application/json` by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3124 - Remove `shrink-to-fit=no` from viewport-meta-tag by [@​redwerkz](https://togithub.com/redwerkz) in [dani-garcia/vaultwarden#3126 - Update dependencies and MSRV by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3128 - Resolve uninlined_format_args clippy warnings by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3065 - Update Rust to v1.66.1 to patch CVE by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3136 - Fix remaining inline format by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3130 - Use more modern meta tag for charset encoding by [@​redwerkz](https://togithub.com/redwerkz) in [dani-garcia/vaultwarden#3131 - fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory by [@​GeekCornerGH](https://togithub.com/GeekCornerGH) in [dani-garcia/vaultwarden#3132 - Optimize CipherSyncData for very large vaults by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3133 - Add avatar color support by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3134 - Add MFA icon to org member overview by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3135 - Minor refactoring concering user.setpassword by [@​sirux88](https://togithub.com/sirux88) in [dani-garcia/vaultwarden#3139 - Validate note sizes on key-rotation. by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3157 - Update KDF Configuration and processing by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3163 - Remove `arm32v6`-specific tag by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3164 - Re-License Vaultwarden to AGPLv3 by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#2561 - Admin password reset by [@​sirux88](https://togithub.com/sirux88) in [dani-garcia/vaultwarden#3116 - "Spell-Jacking" mitigation ~ prevent sensitive data leak … by [@​dlehammer](https://togithub.com/dlehammer) in [dani-garcia/vaultwarden#3145 - Allow listening on privileged ports (below 1024) as non-root by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3170 - don't nullify key when editing emergency access by [@​stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#3215 - Fix trailing slash not getting removed from domain by [@​BlockListed](https://togithub.com/BlockListed) in [dani-garcia/vaultwarden#3228 - Generate distinct log messages for regex vs. IP blacklisting. by [@​kpfleming](https://togithub.com/kpfleming) in [dani-garcia/vaultwarden#3231 - allow editing/unhiding by group by [@​farodin91](https://togithub.com/farodin91) in [dani-garcia/vaultwarden#3108 - Fix Javascript issue on non sqlite databases by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3167 - add argon2 kdf fields by [@​tessus](https://togithub.com/tessus) in [dani-garcia/vaultwarden#3210 - add support for system mta though sendmail by [@​soruh](https://togithub.com/soruh) in [dani-garcia/vaultwarden#3147 - Updated Rust and crates by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3234 - docs: add build status badge in readme by [@​R3DRUN3](https://togithub.com/R3DRUN3) in [dani-garcia/vaultwarden#3245 - Validate all needed fields for client API login by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3251 - Fix Organization delete when groups are configured by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3252 - Fix Collection Read Only access for groups by [@​Misterbabou](https://togithub.com/Misterbabou) in [dani-garcia/vaultwarden#3254 - Make the admin session lifetime adjustable by [@​mittler-works](https://togithub.com/mittler-works) in [dani-garcia/vaultwarden#3262 - Add function to fetch user by email address by [@​mittler-works](https://togithub.com/mittler-works) in [dani-garcia/vaultwarden#3263 - Fix vault item display in org vault view by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3277 - Add confirmation for removing 2FA and deauthing sessions in admin panel by [@​JCBird1012](https://togithub.com/JCBird1012) in [dani-garcia/vaultwarden#3282 - Some Admin Interface updates by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3288 - Fix the web-vault v2023.2.0 API calls by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3281 - Fix confirmation for removing 2FA and deauthing sessions in admin panel by [@​dpinse](https://togithub.com/dpinse) in [dani-garcia/vaultwarden#3290 - Admin token Argon2 hashing support by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3289 - Add HEAD routes to avoid spurious error messages by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3307 - Fix web-vault Member UI show/edit/save by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3315 - Upd Crates, Rust, MSRV, GHA and remove Backtrace by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3310 - Add support for `/api/devices/knowndevice` with HTTP header params by [@​jjlin](https://togithub.com/jjlin) in [dani-garcia/vaultwarden#3329 - Update Rust, MSRV and Crates by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3348 - Merge ClientIp with Headers. by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3332 - add endpoints to bulk delete collections/groups by [@​stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#3354 - Add support for Quay.io and GHCR.io as registries by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3363 - Some small fixes and updates by [@​BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#3366 - Update web vault to v2023.3.0 by [@​dani-garcia](https://togithub.com/dani-garcia) #### New Contributors - [@​manofthepeace](https://togithub.com/manofthepeace) made their first contribution in [dani-garcia/vaultwarden#2968 - [@​pjsier](https://togithub.com/pjsier) made their first contribution in [dani-garcia/vaultwarden#3061 - [@​am97](https://togithub.com/am97) made their first contribution in [dani-garcia/vaultwarden#3093 - [@​redwerkz](https://togithub.com/redwerkz) made their first contribution in [dani-garcia/vaultwarden#3126 - [@​sirux88](https://togithub.com/sirux88) made their first contribution in [dani-garcia/vaultwarden#3139 - [@​dlehammer](https://togithub.com/dlehammer) made their first contribution in [dani-garcia/vaultwarden#3145 - [@​BlockListed](https://togithub.com/BlockListed) made their first contribution in [dani-garcia/vaultwarden#3228 - [@​kpfleming](https://togithub.com/kpfleming) made their first contribution in [dani-garcia/vaultwarden#3231 - [@​farodin91](https://togithub.com/farodin91) made their first contribution in [dani-garcia/vaultwarden#3108 - [@​soruh](https://togithub.com/soruh) made their first contribution in [dani-garcia/vaultwarden#3147 - [@​R3DRUN3](https://togithub.com/R3DRUN3) made their first contribution in [dani-garcia/vaultwarden#3245 - [@​Misterbabou](https://togithub.com/Misterbabou) made their first contribution in [dani-garcia/vaultwarden#3254 - [@​mittler-works](https://togithub.com/mittler-works) made their first contribution in [dani-garcia/vaultwarden#3262 - [@​JCBird1012](https://togithub.com/JCBird1012) made their first contribution in [dani-garcia/vaultwarden#3282 - [@​dpinse](https://togithub.com/dpinse) made their first contribution in [dani-garcia/vaultwarden#3290 **Full Changelog**: dani-garcia/vaultwarden@1.27.0...1.28.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/RickCoxDev/home-cluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS43OS4xIiwidXBkYXRlZEluVmVyIjoiMzUuNzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Changes:
UserKdfType
Test plan:
Previous text (for reference)
This is still a work in progess. The following items have to be clarified first:
During compilation I get an error:
However in the code it says:
So, what now?