[PS-2251] Implement argon2 kdf

apps/browser/src/manifest.v3.json

@@ -71,7 +71,7 @@
   "optional_permissions": ["nativeMessaging"],
   "host_permissions": ["http://*/*", "https://*/*"],
   "content_security_policy": {
-    "extension_page": "script-src 'self' ; object-src 'self'"
+    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
   },
   "commands": {
     "_execute_action": {

apps/browser/webpack.config.js

@@ -66,6 +66,11 @@ const moduleRules = [
     test: /\.[jt]sx?$/,
     loader: "@ngtools/webpack",
   },
+  {
+    test: /\.wasm$/,
+    loader: "base64-loader",
+    type: "javascript/auto",
+  },
 ];
 
 const requiredPlugins = [
@@ -203,13 +208,18 @@ const mainConfig = {
       buffer: require.resolve("buffer/"),
       util: require.resolve("util/"),
       url: require.resolve("url/"),
+      fs: false,
+      path: false,
     },
   },
   output: {
     filename: "[name].js",
     path: path.resolve(__dirname, "build"),
   },
-  module: { rules: moduleRules },
+  module: {
+    noParse: /\.wasm$/,
+    rules: moduleRules,
+  },
   plugins: plugins,
 };
 
@@ -265,13 +275,23 @@ if (manifestVersion == 2) {
           test: /\.tsx?$/,
           loader: "ts-loader",
         },
+        {
+          test: /\.wasm$/,
+          loader: "base64-loader",
+          type: "javascript/auto",
+        },
       ],
+      noParse: /\.wasm$/,
     },
     resolve: {
       extensions: [".ts", ".js"],
       symlinks: false,
       modules: [path.resolve("../../node_modules")],
       plugins: [new TsconfigPathsPlugin()],
+      fallback: {
+        fs: false,
+        path: false,
+      },
     },
     dependencies: ["main"],
     plugins: [...requiredPlugins],

apps/desktop/webpack.main.js

@@ -73,6 +73,7 @@ const main = {
         "./src/package.json",
         { from: "./src/images", to: "images" },
         { from: "./src/locales", to: "locales" },
+        "../../node_modules/argon2-browser/dist/argon2.wasm",
       ],
     }),
     new EnvironmentPlugin({

apps/desktop/webpack.renderer.js

@@ -40,6 +40,11 @@ const common = {
         },
         type: "asset/resource",
       },
+      {
+        test: /\.wasm$/,
+        loader: "base64-loader",
+        type: "javascript/auto",
+      },
     ],
   },
   plugins: [],
@@ -122,6 +127,11 @@ const renderer = {
         test: /[\/\\]@angular[\/\\].+\.js$/,
         parser: { system: true },
       },
+      {
+        test: /\.wasm$/,
+        loader: "base64-loader",
+        type: "javascript/auto",
+      },
     ],
   },
   plugins: [

apps/web/src/app/settings/change-kdf.component.html

@@ -32,41 +32,79 @@ <h1>{{ "encKeySettings" | i18n }}</h1>
         >
           <i class="bwi bwi-question-circle" aria-hidden="true"></i>
         </a>
-        <select id="kdf" name="Kdf" [(ngModel)]="kdf" class="form-control" required>
+        <select
+          id="kdf"
+          name="Kdf"
+          [(ngModel)]="kdf"
+          (ngModelChange)="onChangeKdf($event)"
+          class="form-control"
+          required
+        >
           <option *ngFor="let o of kdfOptions" [ngValue]="o.value">{{ o.name }}</option>
         </select>
       </div>
     </div>
     <div class="col-6">
       <div class="form-group mb-0">
-        <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
-        <a
-          class="ml-auto"
-          href="https://bitwarden.com/help/what-encryption-is-used/#pbkdf2"
-          target="_blank"
-          rel="noopener"
-          appA11yTitle="{{ 'learnMore' | i18n }}"
-        >
-          <i class="bwi bwi-question-circle" aria-hidden="true"></i>
-        </a>
-        <input
-          id="kdfIterations"
-          type="number"
-          min="5000"
-          max="2000000"
-          name="KdfIterations"
-          class="form-control"
-          [(ngModel)]="kdfIterations"
-          required
-        />
+        <ng-container *ngIf="kdf == kdfType.PBKDF2_SHA256">
+          <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
+          <a
+            class="ml-auto"
+            href="https://bitwarden.com/help/what-encryption-is-used/#pbkdf2"
+            target="_blank"
+            rel="noopener"
+            appA11yTitle="{{ 'learnMore' | i18n }}"
+          >
+            <i class="bwi bwi-question-circle" aria-hidden="true"></i>
+          </a>
+          <input
+            id="kdfIterations"
+            type="number"
+            min="5000"
+            max="2000000"
+            name="KdfIterations"
+            class="form-control"
+            [(ngModel)]="kdfIterations"
+            required
+          />
+        </ng-container>
+        <ng-container *ngIf="kdf == kdfType.Argon2id">
+          <label for="kdfIterations">KDF Iterations</label>
+          <a
+            class="ml-auto"
+            href="https://bitwarden.com/help/what-encryption-is-used/#argon2"
+            target="_blank"
+            rel="noopener"
+            appA11yTitle="{{ 'learnMore' | i18n }}"
+          >
+            <i class="bwi bwi-question-circle" aria-hidden="true"></i>
+          </a>
+          <input
+            id="iterations"
+            type="number"
+            min="1"
+            max="1024"
+            name="Iterations"
+            class="form-control mb-3"
+            [(ngModel)]="kdfIterations"
+            required
+          />
+        </ng-container>
       </div>
     </div>
     <div class="col-12">
       <div class="form-group">
         <div class="small form-text text-muted">
-          <p>{{ "kdfIterationsDesc" | i18n: (recommendedKdfIterations | number) }}</p>
-          <strong>{{ "warning" | i18n }}</strong
-          >: {{ "kdfIterationsWarning" | i18n: (50000 | number) }}
+          <ng-container *ngIf="kdf == kdfType.PBKDF2_SHA256">
+            <p>{{ "kdfIterationsDesc" | i18n: (recommendedPBKDF2Iterations | number) }}</p>
+            <strong>{{ "warning" | i18n }}</strong
+            >: {{ "kdfIterationsWarning" | i18n: (50000 | number) }}
+          </ng-container>
+          <ng-container *ngIf="kdf == kdfType.Argon2id">
+            <p>
+              {{ "argon2MemoryDesc" | i18n }}
+            </p>
+          </ng-container>
         </div>
       </div>
     </div>

apps/web/src/app/settings/change-kdf.component.ts

@@ -7,7 +7,11 @@ import { LogService } from "@bitwarden/common/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
 import { StateService } from "@bitwarden/common/abstractions/state.service";
-import { DEFAULT_KDF_ITERATIONS, KdfType } from "@bitwarden/common/enums/kdfType";
+import {
+  DEFAULT_PBKDF2_ITERATIONS,
+  DEFAULT_ARGON2_ITERATIONS,
+  KdfType,
+} from "@bitwarden/common/enums/kdfType";
 import { KdfRequest } from "@bitwarden/common/models/request/kdf.request";
 
 @Component({
@@ -16,11 +20,12 @@ import { KdfRequest } from "@bitwarden/common/models/request/kdf.request";
 })
 export class ChangeKdfComponent implements OnInit {
   masterPassword: string;
-  kdfIterations: number;
   kdf = KdfType.PBKDF2_SHA256;
+  kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+  kdfType = KdfType;
   kdfOptions: any[] = [];
   formPromise: Promise<any>;
-  recommendedKdfIterations = DEFAULT_KDF_ITERATIONS;
+  recommendedPBKDF2Iterations = DEFAULT_PBKDF2_ITERATIONS;
 
   constructor(
     private apiService: ApiService,
@@ -31,7 +36,10 @@ export class ChangeKdfComponent implements OnInit {
     private logService: LogService,
     private stateService: StateService
   ) {
-    this.kdfOptions = [{ name: "PBKDF2 SHA-256", value: KdfType.PBKDF2_SHA256 }];
+    this.kdfOptions = [
+      { name: "PBKDF2 SHA-256", value: KdfType.PBKDF2_SHA256 },
+      { name: "Argon2id", value: KdfType.Argon2id },
+    ];
   }
 
   async ngOnInit() {
@@ -76,4 +84,14 @@ export class ChangeKdfComponent implements OnInit {
       this.logService.error(e);
     }
   }
+
+  async onChangeKdf(newValue: KdfType) {
+    if (newValue === KdfType.PBKDF2_SHA256) {
+      this.kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
+    } else if (newValue === KdfType.Argon2id) {
+      this.kdfIterations = DEFAULT_ARGON2_ITERATIONS;
+    } else {
+      throw new Error("Unknown KDF type.");
+    }
+  }
 }

apps/web/src/locales/en/messages.json

@@ -1152,6 +1152,9 @@
       }
     }
   },
+  "argon2MemoryDesc": {
+    "message": "Higher Argon2 memory, iterations and parallelism can help protect your master password from being brute forced by an attacker."
+  },
   "changeKdf": {
     "message": "Change KDF"
   },

apps/web/webpack.config.js

@@ -79,6 +79,11 @@ const moduleRules = [
     test: /\.[jt]sx?$/,
     loader: "@ngtools/webpack",
   },
+  {
+    test: /\.wasm$/,
+    loader: "base64-loader",
+    type: "javascript/auto",
+  },
 ];
 
 const plugins = [
@@ -223,6 +228,8 @@ const devServer =
                 default-src 'self'
                 ;script-src
                   'self'
+                  'wasm-eval'
+                  'wasm-unsafe-eval'
                   'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w='
                   https://js.stripe.com
                   https://js.braintreegateway.com
@@ -349,13 +356,19 @@ const webpackConfig = {
       util: require.resolve("util/"),
       assert: false,
       url: false,
+      path: false,
+      fs: false,
+      process: false,
     },
   },
   output: {
     filename: "[name].[contenthash].js",
     path: path.resolve(__dirname, "build"),
   },
-  module: { rules: moduleRules },
+  module: {
+    noParse: /\.wasm$/,
+    rules: moduleRules,
+  },
   plugins: plugins,
 };
 

libs/angular/src/components/register.component.ts

@@ -15,7 +15,7 @@ import { LogService } from "@bitwarden/common/abstractions/log.service";
 import { PasswordGenerationService } from "@bitwarden/common/abstractions/passwordGeneration.service";
 import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
 import { StateService } from "@bitwarden/common/abstractions/state.service";
-import { DEFAULT_KDF_ITERATIONS, DEFAULT_KDF_TYPE } from "@bitwarden/common/enums/kdfType";
+import { DEFAULT_KDF_TYPE, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
 import { PasswordLogInCredentials } from "@bitwarden/common/models/domain/log-in-credentials";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { ReferenceEventRequest } from "@bitwarden/common/models/request/reference-event.request";
@@ -234,7 +234,7 @@ export class RegisterComponent extends CaptchaProtectedComponent implements OnIn
   ): Promise<RegisterRequest> {
     const hint = this.formGroup.value.hint;
     const kdf = DEFAULT_KDF_TYPE;
-    const kdfIterations = DEFAULT_KDF_ITERATIONS;
+    const kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
     const key = await this.cryptoService.makeKey(masterPassword, email, kdf, kdfIterations);
     const encKey = await this.cryptoService.makeEncKey(key);
     const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);

libs/angular/src/components/set-password.component.ts

@@ -16,7 +16,7 @@ import { PolicyService } from "@bitwarden/common/abstractions/policy/policy.serv
 import { StateService } from "@bitwarden/common/abstractions/state.service";
 import { SyncService } from "@bitwarden/common/abstractions/sync/sync.service.abstraction";
 import { HashPurpose } from "@bitwarden/common/enums/hashPurpose";
-import { DEFAULT_KDF_ITERATIONS, DEFAULT_KDF_TYPE } from "@bitwarden/common/enums/kdfType";
+import { DEFAULT_KDF_TYPE, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
 import { Utils } from "@bitwarden/common/misc/utils";
 import { EncString } from "@bitwarden/common/models/domain/enc-string";
 import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
@@ -93,7 +93,7 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
 
   async setupSubmitActions() {
     this.kdf = DEFAULT_KDF_TYPE;
-    this.kdfIterations = DEFAULT_KDF_ITERATIONS;
+    this.kdfIterations = DEFAULT_PBKDF2_ITERATIONS;
     return true;
   }
 

libs/common/package.json

@@ -16,5 +16,9 @@
     "clean": "rimraf dist/**/*",
     "build": "npm run clean && tsc",
     "build:watch": "npm run clean && tsc -watch"
+  },
+  "dependencies": {
+    "argon2-browser": "^1.18.0",
+    "base64-loader": "^1.0.0"
   }
 }

libs/common/spec/services/export.service.spec.ts

@@ -7,7 +7,7 @@ import { CryptoService } from "@bitwarden/common/abstractions/crypto.service";
 import { CryptoFunctionService } from "@bitwarden/common/abstractions/cryptoFunction.service";
 import { FolderService } from "@bitwarden/common/abstractions/folder/folder.service.abstraction";
 import { CipherType } from "@bitwarden/common/enums/cipherType";
-import { KdfType, DEFAULT_KDF_ITERATIONS } from "@bitwarden/common/enums/kdfType";
+import { KdfType, DEFAULT_PBKDF2_ITERATIONS } from "@bitwarden/common/enums/kdfType";
 import { Utils } from "@bitwarden/common/misc/utils";
 import { Cipher } from "@bitwarden/common/models/domain/cipher";
 import { EncString } from "@bitwarden/common/models/domain/enc-string";
@@ -232,7 +232,7 @@ describe("ExportService", () => {
       });
 
       it("specifies kdfIterations", () => {
-        expect(exportObject.kdfIterations).toEqual(DEFAULT_KDF_ITERATIONS);
+        expect(exportObject.kdfIterations).toEqual(DEFAULT_PBKDF2_ITERATIONS);
       });
 
       it("has kdfType", () => {

libs/common/src/abstractions/cryptoFunction.service.ts

@@ -8,6 +8,13 @@ export abstract class CryptoFunctionService {
     algorithm: "sha256" | "sha512",
     iterations: number
   ) => Promise<ArrayBuffer>;
+  argon2: (
+    password: string,
+    salt: string,
+    iterations: number,
+    memory: number,
+    parallelism: number
+  ) => Promise<ArrayBuffer>;
   hkdf: (
     ikm: ArrayBuffer,
     salt: string | ArrayBuffer,

libs/common/src/enums/kdfType.ts

@@ -1,7 +1,12 @@
 export enum KdfType {
   PBKDF2_SHA256 = 0,
+  Argon2id = 1,
 }
 
+export const DEFAULT_ARGON2_MEMORY = 16;
+export const DEFAULT_ARGON2_PARALLELISM = 2;
+export const DEFAULT_ARGON2_ITERATIONS = 2;
+
 export const DEFAULT_KDF_TYPE = KdfType.PBKDF2_SHA256;
-export const DEFAULT_KDF_ITERATIONS = 350000;
+export const DEFAULT_PBKDF2_ITERATIONS = 350000;
 export const SEND_KDF_ITERATIONS = 100000;