[PM-23277] Force KDF updates if below minimums (#1880)

Author: matt-livefront

BitwardenResources/Localizations/en.lproj/Localizable.strings

@@ -1287,3 +1287,7 @@
 "WarningStartsWithIsAnAdvancedOptionWithIncreasedRiskOfExposingCredentials" = "**Warning:** “Starts with” is an advanced option with increased risk of exposing credentials.";
 "WarningRegularExpressionIsAnAdvancedOptionWithIncreasedRiskOfExposingCredentials" = "**Warning:** “Regular expression” is an advanced option with increased risk of exposing credentials if used incorrectly.";
 "DefaultX" = "Default (%1$@)";
+"UpdateYourEncryptionSettings" = "Update your encryption settings";
+"TheNewRecommendedEncryptionSettingsDescriptionLong" = "The new recommended encryption settings will improve your account security. Enter your master password to update now.";
+"Updating" = "Updating...";
+"EncryptionSettingsUpdated" = "Encryption settings updated";

BitwardenShared/Core/Auth/Models/Domains/KdfConfig.swift

@@ -1,10 +1,16 @@
 import BitwardenKit
+import BitwardenSdk
 
 // MARK: - KdfConfig
 
 /// A model for configuring KDF options.
 ///
 struct KdfConfig: Codable, Equatable, Hashable {
+    // MARK: Type Properties
+
+    /// The default `KdfConfig` used for new accounts or when upgrading the KDF config to minimums.
+    static let defaultKdfConfig = KdfConfig(kdfType: .pbkdf2sha256, iterations: Constants.pbkdf2Iterations)
+
     // MARK: Properties
 
     /// The type of KDF used in the request.
@@ -40,6 +46,24 @@ struct KdfConfig: Codable, Equatable, Hashable {
         self.memory = memory
         self.parallelism = parallelism
     }
+
+    /// Initializes a `KdfConfig` from the SDK's `Kdf` type.
+    ///
+    /// - Parameter kdf: The type of KDF used in the request.
+    ///
+    init(kdf: Kdf) {
+        switch kdf {
+        case let .argon2id(iterations, memory, parallelism):
+            self.init(
+                kdfType: .argon2id,
+                iterations: Int(iterations),
+                memory: Int(memory),
+                parallelism: Int(parallelism)
+            )
+        case let .pbkdf2(iterations):
+            self.init(kdfType: .pbkdf2sha256, iterations: Int(iterations))
+        }
+    }
 }
 
 // MARK: - KdfConfigProtocol

BitwardenShared/Core/Auth/Models/Domains/KdfConfigTests.swift

@@ -0,0 +1,35 @@
+import XCTest
+
+@testable import BitwardenShared
+
+class KdfConfigTests: BitwardenTestCase {
+    // MARK: Tests
+
+    /// `init(kdf:)` initializes `KdfConfig` from `BitwardenSdk.Kdf` when using `argon2id`.
+    func test_init_kdf_argon2() {
+        let subject = KdfConfig(kdf: .argon2id(iterations: 3, memory: 64, parallelism: 4))
+        XCTAssertEqual(
+            subject,
+            KdfConfig(
+                kdfType: .argon2id,
+                iterations: 3,
+                memory: 64,
+                parallelism: 4
+            )
+        )
+    }
+
+    /// `init(kdf:)` initializes `KdfConfig` from `BitwardenSdk.Kdf` when using `pbkdf2`.
+    func test_init_kdf_pbkdf2() {
+        let subject = KdfConfig(kdf: .pbkdf2(iterations: 600_000))
+        XCTAssertEqual(
+            subject,
+            KdfConfig(
+                kdfType: .pbkdf2sha256,
+                iterations: 600_000,
+                memory: nil,
+                parallelism: nil
+            )
+        )
+    }
+}

BitwardenShared/Core/Auth/Models/Request/MasterPasswordAuthenticationDataRequestModel.swift

@@ -0,0 +1,33 @@
+import BitwardenSdk
+
+// MARK: - MasterPasswordAuthenticationDataRequestModel
+
+/// A request model for a user's master password authentication data.
+///
+struct MasterPasswordAuthenticationDataRequestModel: Encodable, Equatable {
+    // MARK: Properties
+
+    /// The KDF settings.
+    let kdf: KdfConfig
+
+    /// The master password hash.
+    let masterPasswordAuthenticationHash: String
+
+    /// The salt used to compute the master password hash.
+    let salt: String
+}
+
+extension MasterPasswordAuthenticationDataRequestModel {
+    /// Initialize `MasterPasswordAuthenticationDataRequestModel` from `MasterPasswordAuthenticationData`.
+    ///
+    /// - Parameter authenticationData: The `MasterPasswordAuthenticationData` used to initialize a
+    ///     `MasterPasswordAuthenticationDataRequestModel`.
+    ///
+    init(authenticationData: MasterPasswordAuthenticationData) {
+        self.init(
+            kdf: KdfConfig(kdf: authenticationData.kdf),
+            masterPasswordAuthenticationHash: authenticationData.masterPasswordAuthenticationHash,
+            salt: authenticationData.salt
+        )
+    }
+}

BitwardenShared/Core/Auth/Models/Request/MasterPasswordUnlockDataRequestModel.swift

@@ -0,0 +1,33 @@
+import BitwardenSdk
+
+// MARK: - MasterPasswordUnlockDataRequestModel
+
+/// A request model for a user's unlock data.
+///
+struct MasterPasswordUnlockDataRequestModel: Encodable, Equatable {
+    // MARK: Properties
+
+    /// The KDF settings.
+    let kdf: KdfConfig
+
+    /// The user's master key encrypted with their user key.
+    let masterKeyWrappedUserKey: String
+
+    /// The salt used to encrypt the user key.
+    let salt: String
+}
+
+extension MasterPasswordUnlockDataRequestModel {
+    /// Initialize `MasterPasswordUnlockDataRequestModel` from `MasterPasswordUnlockData`.
+    ///
+    /// - Parameter authenticationData: The `MasterPasswordUnlockData` used to initialize a
+    ///     `MasterPasswordUnlockDataRequestModel`.
+    ///
+    init(unlockData: MasterPasswordUnlockData) {
+        self.init(
+            kdf: KdfConfig(kdf: unlockData.kdf),
+            masterKeyWrappedUserKey: unlockData.masterKeyWrappedUserKey,
+            salt: unlockData.salt
+        )
+    }
+}

BitwardenShared/Core/Auth/Models/Request/UpdateKdfRequestModel.swift

@@ -0,0 +1,45 @@
+import BitwardenSdk
+import Networking
+
+// MARK: - UpdateKdfRequestModel
+
+/// The request body for an update KDF request.
+///
+struct UpdateKdfRequestModel: JSONRequestBody, Equatable {
+    // MARK: Properties
+
+    /// The user's data for authentication.
+    let authenticationData: MasterPasswordAuthenticationDataRequestModel
+
+    /// The user's key.
+    let key: String
+
+    /// The hash of the old master password.
+    let masterPasswordHash: String
+
+    /// The hash of the new master password.
+    let newMasterPasswordHash: String
+
+    /// The user's data for unlock.
+    let unlockData: MasterPasswordUnlockDataRequestModel
+}
+
+extension UpdateKdfRequestModel {
+    /// Initialize `UpdateKdfRequestModel` from `UpdateKdfResponse`.
+    ///
+    /// - Parameter response: The `UpdateKdfResponse` used to initialize a `UpdateKdfRequestModel`.
+    ///
+    init(response: UpdateKdfResponse) {
+        self.init(
+            authenticationData: MasterPasswordAuthenticationDataRequestModel(
+                authenticationData: response.masterPasswordAuthenticationData
+            ),
+            key: response.masterPasswordUnlockData.masterKeyWrappedUserKey,
+            masterPasswordHash: response.oldMasterPasswordAuthenticationData.masterPasswordAuthenticationHash,
+            newMasterPasswordHash: response.masterPasswordAuthenticationData.masterPasswordAuthenticationHash,
+            unlockData: MasterPasswordUnlockDataRequestModel(
+                unlockData: response.masterPasswordUnlockData
+            )
+        )
+    }
+}

BitwardenShared/Core/Auth/Models/Request/UpdateKdfRequestModelTests.swift

@@ -0,0 +1,49 @@
+import BitwardenSdk
+import XCTest
+
+@testable import BitwardenShared
+
+class UpdateKdfRequestModelTests: BitwardenTestCase {
+    // MARK: Tests
+
+    /// `init(response:)` initializes `UpdateKdfRequestModel` from a `UpdateKdfResponse`.
+    func test_init_response() {
+        let subject = UpdateKdfRequestModel(
+            response: UpdateKdfResponse(
+                masterPasswordAuthenticationData: MasterPasswordAuthenticationData(
+                    kdf: .pbkdf2(iterations: 600_000),
+                    salt: "AUTHENTICATION_SALT",
+                    masterPasswordAuthenticationHash: "MASTER_PASSWORD_AUTHENTICATION_HASH"
+                ),
+                masterPasswordUnlockData: MasterPasswordUnlockData(
+                    kdf: .argon2id(iterations: 3, memory: 64, parallelism: 4),
+                    masterKeyWrappedUserKey: "MASTER_KEY_WRAPPED_USER_KEY",
+                    salt: "UNLOCK_SALT"
+                ),
+                oldMasterPasswordAuthenticationData: MasterPasswordAuthenticationData(
+                    kdf: .pbkdf2(iterations: 100_000),
+                    salt: "OLD_SALT",
+                    masterPasswordAuthenticationHash: "OLD_MASTER_PASSWORD_AUTHENTICATION_HASH"
+                )
+            )
+        )
+        XCTAssertEqual(
+            subject,
+            UpdateKdfRequestModel(
+                authenticationData: MasterPasswordAuthenticationDataRequestModel(
+                    kdf: KdfConfig(kdfType: .pbkdf2sha256, iterations: 600_000),
+                    masterPasswordAuthenticationHash: "MASTER_PASSWORD_AUTHENTICATION_HASH",
+                    salt: "AUTHENTICATION_SALT"
+                ),
+                key: "MASTER_KEY_WRAPPED_USER_KEY",
+                masterPasswordHash: "OLD_MASTER_PASSWORD_AUTHENTICATION_HASH",
+                newMasterPasswordHash: "MASTER_PASSWORD_AUTHENTICATION_HASH",
+                unlockData: MasterPasswordUnlockDataRequestModel(
+                    kdf: KdfConfig(kdfType: .argon2id, iterations: 3, memory: 64, parallelism: 4),
+                    masterKeyWrappedUserKey: "MASTER_KEY_WRAPPED_USER_KEY",
+                    salt: "UNLOCK_SALT"
+                )
+            )
+        )
+    }
+}

BitwardenShared/Core/Auth/Repositories/AuthRepository.swift

@@ -420,6 +420,9 @@ class DefaultAuthRepository {
     /// The service to use system Biometrics for vault unlock.
     let biometricsRepository: BiometricsRepository
 
+    /// The service used to change the user's KDF settings.
+    private let changeKdfService: ChangeKdfService
+
     /// The service that handles common client functionality such as encryption and decryption.
     private let clientService: ClientService
 
@@ -468,6 +471,7 @@ class DefaultAuthRepository {
     ///   - appContextHelper: The helper to know about the app context.
     ///   - authService: The service used that handles some of the auth logic.
     ///   - biometricsRepository: The service to use system Biometrics for vault unlock.
+    ///   - changeKdfService: The service used to change the user's KDF settings.
     ///   - clientService: The service that handles common client functionality such as encryption and decryption.
     ///   - configService: The service to get server-specified configuration.
     ///   - environmentService: The service used by the application to manage the environment settings.
@@ -488,6 +492,7 @@ class DefaultAuthRepository {
         appContextHelper: AppContextHelper,
         authService: AuthService,
         biometricsRepository: BiometricsRepository,
+        changeKdfService: ChangeKdfService,
         clientService: ClientService,
         configService: ConfigService,
         environmentService: EnvironmentService,
@@ -506,6 +511,7 @@ class DefaultAuthRepository {
         self.appContextHelper = appContextHelper
         self.authService = authService
         self.biometricsRepository = biometricsRepository
+        self.changeKdfService = changeKdfService
         self.clientService = clientService
         self.configService = configService
         self.environmentService = environmentService
@@ -1113,6 +1119,7 @@ extension DefaultAuthRepository: AuthRepository {
                 purpose: .localAuthorization
             )
             try await stateService.setMasterPasswordHash(hashedPassword)
+            await updateKdfToMinimumsIfNeeded(password: password)
         case .decryptedKey,
              .deviceKey,
              .keyConnector,
@@ -1137,6 +1144,20 @@ extension DefaultAuthRepository: AuthRepository {
         }
     }
 
+    /// Updates the user's KDF settings to the minimums.
+    ///
+    /// - Parameter password: The user's master password.
+    ///
+    private func updateKdfToMinimumsIfNeeded(password: String) async {
+        do {
+            try await changeKdfService.updateKdfToMinimumsIfNeeded(password: password)
+        } catch {
+            // If an error occurs, log the error. Don't throw since that would block the vault from
+            // unlocking.
+            errorReporter.log(error: error)
+        }
+    }
+
     func updateMasterPassword(
         currentPassword: String,
         newPassword: String,