saltyming/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-09-07 02:02:42 +00:00
Code Activity

Perform same checks when setting kdf

Browse source
This commit is contained in:
Timshel 2025-08-06 19:26:32 +02:00
commit a71da2d0a4
1 changed files with 34 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

75
src/api/core/accounts.rs
View file

@ -67,15 +67,22 @@ pub fn routes() -> Vec<rocket::Route> {
] ]
} }
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct KDFData {
kdf: i32,
kdf_iterations: i32,
kdf_memory: Option<i32>,
kdf_parallelism: Option<i32>,
}
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
pub struct RegisterData { pub struct RegisterData {
email: String, email: String,
kdf: Option<i32>, #[serde(flatten)]
kdf_iterations: Option<i32>, kdf: KDFData,
kdf_memory: Option<i32>,
kdf_parallelism: Option<i32>,
#[serde(alias = "userSymmetricKey")] #[serde(alias = "userSymmetricKey")]
key: String, key: String,
@ -101,10 +108,9 @@ pub struct RegisterData {
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
pub struct SetPasswordData { pub struct SetPasswordData {
kdf: Option<i32>, #[serde(flatten)]
kdf_iterations: Option<i32>, kdf: KDFData,
kdf_memory: Option<i32>,
kdf_parallelism: Option<i32>,
key: String, key: String,
keys: Option<KeysData>, keys: Option<KeysData>,
master_password_hash: String, master_password_hash: String,
@ -281,16 +287,7 @@ pub async fn _register(data: Json<RegisterData>, email_verification: bool, mut c
// Make sure we don't leave a lingering invitation. // Make sure we don't leave a lingering invitation.
Invitation::take(&email, &mut conn).await; Invitation::take(&email, &mut conn).await;
if let Some(client_kdf_type) = data.kdf { set_kdf_data(&mut user, data.kdf)?;
user.client_kdf_type = client_kdf_type;
}
if let Some(client_kdf_iter) = data.kdf_iterations {
user.client_kdf_iter = client_kdf_iter;
}
user.client_kdf_memory = data.kdf_memory;
user.client_kdf_parallelism = data.kdf_parallelism;
user.set_password(&data.master_password_hash, Some(data.key), true, None); user.set_password(&data.master_password_hash, Some(data.key), true, None);
user.password_hint = password_hint; user.password_hint = password_hint;
@ -353,16 +350,7 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co
let password_hint = clean_password_hint(&data.master_password_hint); let password_hint = clean_password_hint(&data.master_password_hint);
enforce_password_hint_setting(&password_hint)?; enforce_password_hint_setting(&password_hint)?;
if let Some(client_kdf_iter) = data.kdf_iterations { set_kdf_data(&mut user, data.kdf)?;
user.client_kdf_iter = client_kdf_iter;
}
if let Some(client_kdf_type) = data.kdf {
user.client_kdf_type = client_kdf_type;
}
user.client_kdf_memory = data.kdf_memory;
user.client_kdf_parallelism = data.kdf_parallelism;
user.set_password( user.set_password(
&data.master_password_hash, &data.master_password_hash,
@ -552,25 +540,15 @@ async fn post_password(data: Json<ChangePassData>, headers: Headers, mut conn: D
#[derive(Deserialize)] #[derive(Deserialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
struct ChangeKdfData { struct ChangeKdfData {
kdf: i32, #[serde(flatten)]
kdf_iterations: i32, kdf: KDFData,
kdf_memory: Option<i32>,
kdf_parallelism: Option<i32>,
master_password_hash: String, master_password_hash: String,
new_master_password_hash: String, new_master_password_hash: String,
key: String, key: String,
} }
#[post("/accounts/kdf", data = "<data>")] fn set_kdf_data(user: &mut User, data: KDFData) -> EmptyResult {
async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
let data: ChangeKdfData = data.into_inner();
let mut user = headers.user;
if !user.check_valid_password(&data.master_password_hash) {
err!("Invalid password")
}
if data.kdf == UserKdfType::Pbkdf2 as i32 && data.kdf_iterations < 100_000 { if data.kdf == UserKdfType::Pbkdf2 as i32 && data.kdf_iterations < 100_000 {
err!("PBKDF2 KDF iterations must be at least 100000.") err!("PBKDF2 KDF iterations must be at least 100000.")
} }
@ -601,6 +579,21 @@ async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn,
} }
user.client_kdf_iter = data.kdf_iterations; user.client_kdf_iter = data.kdf_iterations;
user.client_kdf_type = data.kdf; user.client_kdf_type = data.kdf;
Ok(())
}
#[post("/accounts/kdf", data = "<data>")]
async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
let data: ChangeKdfData = data.into_inner();
let mut user = headers.user;
if !user.check_valid_password(&data.master_password_hash) {
err!("Invalid password")
}
set_kdf_data(&mut user, data.kdf)?;
user.set_password(&data.new_master_password_hash, Some(data.key), true, None); user.set_password(&data.new_master_password_hash, Some(data.key), true, None);
let save_result = user.save(&mut conn).await; let save_result = user.save(&mut conn).await;