feat: argon2id implementation with backwards compatibility for pdkbf2

Author: titanism

app/controllers/web/mobile-config.js

@@ -430,7 +430,11 @@ async function mobileConfig(ctx, next) {
 
     // validate password
     // ensure that the token is valid
-    const isValid = await isValidPassword(alias.tokens, decrypt(ctx.query.p));
+    const isValid = await isValidPassword(
+      alias.tokens,
+      decrypt(ctx.query.p),
+      alias
+    );
 
     if (!isValid) return next(); // 404
 

app/controllers/web/my-account/download-alias-backup.js

@@ -67,7 +67,8 @@ async function downloadAliasBackup(ctx) {
       // ensure that the token is valid
       const isValid = await isValidPassword(
         alias.tokens,
-        ctx.request.body.password
+        ctx.request.body.password,
+        alias
       );
 
       if (!isValid) {

app/controllers/web/my-account/generate-alias-password.js

@@ -105,7 +105,8 @@ async function generateAliasPassword(ctx) {
       // ensure that the token is valid
       const isValid = await isValidPassword(
         alias.tokens,
-        ctx.request.body.password
+        ctx.request.body.password,
+        alias
       );
 
       if (!isValid) {

app/controllers/web/my-account/retrieve-qrcode.js

@@ -74,7 +74,8 @@ async function retrieveQRCode(ctx) {
     // ensure that the token is valid
     const isValid = await isValidPassword(
       alias.tokens,
-      ctx.request.body.password
+      ctx.request.body.password,
+      alias
     );
 
     if (!isValid) {

app/models/aliases.js

@@ -57,13 +57,25 @@ const Token = new mongoose.Schema({
     type: String,
     select: false,
     required: true
+  },
+  has_pbkdf2_migration: {
+    type: Boolean,
+    default: false,
+    select: false
   }
 });
 
 Token.plugin(mongooseCommonPlugin, {
   object: 'token',
   omitCommonFields: false,
-  omitExtraFields: ['_id', '__v', 'description', 'salt', 'hash'],
+  omitExtraFields: [
+    '_id',
+    '__v',
+    'description',
+    'salt',
+    'hash',
+    'has_pbkdf2_migration'
+  ],
   uniqueId: false,
   locale: false
 });

app/models/domains.js

@@ -171,13 +171,18 @@ const Token = new mongoose.Schema({
     type: String,
     select: false,
     required: true
+  },
+  has_pbkdf2_migration: {
+    type: Boolean,
+    default: false,
+    select: false
   }
 });
 
 Token.plugin(mongooseCommonPlugin, {
   object: 'token',
   omitCommonFields: false,
-  omitExtraFields: ['_id', '__v', 'salt', 'hash'],
+  omitExtraFields: ['_id', '__v', 'salt', 'hash', 'has_pbkdf2_migration'],
   uniqueId: false,
   locale: false
 });

config/index.js

@@ -720,7 +720,7 @@ const config = {
   smtpQueueTimeout: ms('180s'),
   smtpLimitMessages: env.NODE_ENV === 'test' ? 10 : 300,
   smtpLimitAuth: env.NODE_ENV === 'test' ? Number.MAX_VALUE : 10,
-  smtpLimitAuthDuration: ms('1h'),
+  smtpLimitAuthDuration: ms('1d'),
   smtpLimitDuration: ms('1d'),
   smtpLimitNamespace: `smtp_auth_limit_${env.NODE_ENV.toLowerCase()}`,
   supportEmail: env.EMAIL_DEFAULT_FROM_EMAIL,
@@ -1194,6 +1194,21 @@ const config = {
     }
   },
 
+  //
+  // argon2 configuration for domain and alias tokens
+  // (separate from passportLocalMongoose which is used for user authentication)
+  // <https://github.com/napi-rs/node-rs>
+  // <https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html>
+  // Bitwarden uses Argon2id for key derivation, with default settings of:
+  // 64 MiB memory, 3 iterations, and 4 parallelism
+  //
+  argon2: {
+    memoryCost: 19456, // 19 MiB
+    timeCost: 2, // iterations
+    parallelism: 1,
+    outputLen: 32 // hash length in bytes (8 bits per byte, 32 x 8 = 256 bits)
+  },
+
   // passport callback options
   passportCallbackOptions: {
     successReturnToOrRedirect: '/my-account',
@@ -1666,6 +1681,7 @@ config.alternatives = alternatives;
 config.views.locals.config = _.pick(config, [
   'smtpMessageMaxSize',
   'alternatives',
+  'argon2',
   'smtpLimitMessages',
   'smtpLimitDuration',
   'supportEmail',

helpers/create-password.js

@@ -4,15 +4,13 @@
  */
 
 const crypto = require('node:crypto');
-const { Buffer } = require('node:buffer');
 const { promisify } = require('node:util');
 
 const Boom = require('@hapi/boom');
+const argon2 = require('@node-rs/argon2');
 const cryptoRandomString = require('crypto-random-string');
 const isSANB = require('is-string-and-not-blank');
 
-const pbkdf2 = require('./pbkdf2');
-
 const config = require('#config');
 const phrases = require('#config/phrases');
 
@@ -65,18 +63,17 @@ async function createPassword(existingPassword, userInputs = []) {
     (await cryptoRandomString.async({
       length: 24
     }));
+
+  //
+  // use argon2 for domain and alias tokens (quantum-resistant)
+  // <https://github.com/ranisalt/node-argon2>
+  //
+  const hash = await argon2.hash(password, config.argon2);
+
+  // generate a random salt for backwards compatibility checking
   const buffer = await randomBytes(config.passportLocalMongoose.saltlen);
   const salt = buffer.toString(config.passportLocalMongoose.encoding);
-  const rawHash = await pbkdf2({
-    password,
-    salt,
-    iterations: config.passportLocalMongoose.iterations,
-    keylen: config.passportLocalMongoose.keylen,
-    digestAlgorithm: config.passportLocalMongoose.digestAlgorithm
-  });
-  const hash = Buffer.from(rawHash, 'binary').toString(
-    config.passportLocalMongoose.encoding
-  );
+
   return { password, salt, hash };
 }
 

helpers/get-database.js

@@ -1066,7 +1066,8 @@ function retryGetDatabase(...args) {
           if (alias && Array.isArray(alias.tokens) && alias.tokens.length > 0) {
             isValid = await isValidPassword(
               alias.tokens,
-              decrypt(session.user.password)
+              decrypt(session.user.password),
+              alias
             );
           }
 

helpers/is-valid-password.js

@@ -6,6 +6,9 @@
 const crypto = require('node:crypto');
 const { Buffer } = require('node:buffer');
 
+const argon2 = require('@node-rs/argon2');
+const mongoose = require('mongoose');
+
 //
 // NOTE: scmp and tsse appear to be identical
 //       <https://github.com/freewil/scmp/issues/18>
@@ -17,6 +20,14 @@ const { Buffer } = require('node:buffer');
 const pbkdf2 = require('./pbkdf2');
 
 const config = require('#config');
+const logger = require('#helpers/logger');
+
+const conn = mongoose.connections.find(
+  (conn) => conn[Symbol.for('connection.name')] === 'MONGO_URI'
+);
+if (!conn) {
+  throw new Error('Mongoose connection does not exist');
+}
 
 function timingSafeCompare(a, b) {
   if (a.length !== b.length) {
@@ -29,7 +40,7 @@ function timingSafeCompare(a, b) {
   return crypto.timingSafeEqual(a, b);
 }
 
-async function isValidPassword(tokens = [], password) {
+async function isValidPassword(tokens = [], password, instance) {
   if (
     typeof tokens !== 'object' ||
     !Array.isArray(tokens) ||
@@ -40,6 +51,8 @@ async function isValidPassword(tokens = [], password) {
     return false;
 
   let match = false;
+  let matchedToken = null;
+
   for (const token of tokens) {
     if (
       typeof token !== 'object' ||
@@ -50,22 +63,141 @@ async function isValidPassword(tokens = [], password) {
     )
       continue;
 
-    const rawHash = await pbkdf2({
-      password,
-      salt: token.salt,
-      iterations: config.passportLocalMongoose.iterations,
-      keylen: config.passportLocalMongoose.keylen,
-      digestAlgorithm: config.passportLocalMongoose.digestAlgorithm
-    });
-
-    // const scmpResult = scmp(
-    const scmpResult = timingSafeCompare(
-      rawHash,
-      Buffer.from(token.hash, config.passportLocalMongoose.encoding)
-    );
-    if (scmpResult) {
-      match = true;
-      break;
+    //
+    // if the token has already been migrated to argon2, skip pbkdf2 check
+    //
+    if (token.has_pbkdf2_migration === true) {
+      try {
+        const isValid = await argon2.verify(token.hash, password);
+        if (isValid) {
+          match = true;
+          matchedToken = token;
+          break;
+        }
+      } catch {
+        // argon2 verification failed, continue to next token
+        continue;
+      }
+    } else {
+      //
+      // try argon2 first (new format)
+      //
+      try {
+        const isValid = await argon2.verify(token.hash, password);
+        if (isValid) {
+          match = true;
+          matchedToken = token;
+          break;
+        }
+      } catch {
+        // argon2 verification failed, try pbkdf2 (old format)
+      }
+
+      //
+      // fallback to pbkdf2 for backwards compatibility
+      //
+      const rawHash = await pbkdf2({
+        password,
+        salt: token.salt,
+        iterations: config.passportLocalMongoose.iterations,
+        keylen: config.passportLocalMongoose.keylen,
+        digestAlgorithm: config.passportLocalMongoose.digestAlgorithm
+      });
+
+      // const scmpResult = scmp(
+      const scmpResult = timingSafeCompare(
+        rawHash,
+        Buffer.from(token.hash, config.passportLocalMongoose.encoding)
+      );
+
+      if (scmpResult) {
+        match = true;
+        matchedToken = token;
+        break;
+      }
+    }
+  }
+
+  //
+  // if match found and token needs migration, perform live migration
+  // and automatically save if model instance is provided
+  //
+  if (match && matchedToken && matchedToken.has_pbkdf2_migration !== true) {
+    try {
+      // check if hash is argon2 format (starts with $argon2)
+      const isArgon2Hash = matchedToken.hash.startsWith('$argon2');
+      if (isArgon2Hash) {
+        // already argon2, just mark as migrated
+        matchedToken.has_pbkdf2_migration = true;
+      } else {
+        // this is a pbkdf2 hash, perform migration
+        const newHash = await argon2.hash(password, config.argon2);
+        matchedToken.hash = newHash;
+        matchedToken.has_pbkdf2_migration = true;
+      }
+
+      // if model instance provided, save the migration
+      if (instance) {
+        try {
+          if (!mongoose.isObjectIdOrHexString(instance._id))
+            throw new TypeError(
+              'instance._id was not an ObjectId nor hex string'
+            );
+          if (typeof instance.object !== 'string')
+            throw new TypeError('instance.object was undefined');
+          if (instance.object === 'domain') {
+            // enforce schema and require all required paths (dummyproof while we migrate)
+            if (
+              !tokens.every((token) => token.user && token.salt && token.hash)
+            )
+              throw new TypeError('token missing user, salt, or hash');
+            // TODO: this migration needs improved/safeguarded since we don't use __v version key
+            //       (e.g. if we detect `__v` then query for equality and increase it by 1 as well)
+            await conn.models.Domains.findOneAndUpdate(
+              {
+                _id: instance._id,
+                tokens: { $size: tokens.length }
+              },
+              {
+                $set: {
+                  tokens
+                }
+              }
+            );
+          } else if (instance.object === 'alias') {
+            // enforce schema and require all required paths (dummyproof while we migrate)
+            if (!tokens.every((token) => token.salt && token.hash))
+              throw new TypeError('token missing user, salt, or hash');
+            // TODO: this migration needs improved/safeguarded since we don't use __v version key
+            //       (e.g. if we detect `__v` then query for equality and increase it by 1 as well)
+            await conn.models.Aliases.findOneAndUpdate(
+              {
+                _id: instance._id,
+                tokens: { $size: tokens.length }
+              },
+              {
+                $set: {
+                  tokens
+                }
+              }
+            );
+          } else {
+            throw new TypeError(
+              'instance.object must be equal to "domain" or "alias"'
+            );
+          }
+        } catch (err) {
+          // log error but don't fail authentication
+          // the migration will be retried on next authentication
+          logger.fatal(err);
+          const _err = new TypeError('Failed to save argon2 migration');
+          _err.err = err;
+          console.error(_err);
+        }
+      }
+    } catch {
+      // migration failed, but authentication succeeded
+      // caller can retry migration later
     }
   }