Implement KDF iterations change (Fixes #195)

2025-06-12 13:17:43 +02:00 · 2018-09-19 17:30:14 +02:00
parent 89e3c41043
commit ebb66c374e
6 changed files with 69 additions and 22 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -14,6 +14,8 @@ use CONFIG;
 #[allow(non_snake_case)]
 struct RegisterData {
    Email: String,
+    Kdf: Option<i32>,
+    KdfIterations: Option<i32>,
    Key: String,
    Keys: Option<KeysData>,
    MasterPasswordHash: String,
@ -56,6 +58,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
        }
    };

+    if let Some(client_kdf_iter) = data.KdfIterations {
+        user.client_kdf_iter = client_kdf_iter;
+    }
+
+    if let Some(client_kdf_type) = data.Kdf {
+        user.client_kdf_type = client_kdf_type;
+    }
+
    user.set_password(&data.MasterPasswordHash);
    user.key = data.Key;

@ -165,6 +175,35 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
    Ok(())
 }

+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ChangeKdfData {
+    Kdf: i32,
+    KdfIterations: i32,
+
+    MasterPasswordHash: String,
+    NewMasterPasswordHash: String,
+    Key: String,
+}
+
+#[post("/accounts/kdf", data = "<data>")]
+fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: ChangeKdfData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    user.client_kdf_iter = data.KdfIterations;
+    user.client_kdf_type = data.Kdf;
+    user.set_password(&data.NewMasterPasswordHash);
+    user.key = data.Key;
+    user.save(&conn);
+
+    Ok(())
+}
+
 #[post("/accounts/security-stamp", data = "<data>")]
 fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
    let data: PasswordData = data.into_inner().data;
@ -325,17 +364,9 @@ struct PreloginData {
 fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
    let data: PreloginData = data.into_inner().data;

-    const KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
-    const KDF_ITER_DEFAULT: i32 = 5_000;
-
    let (kdf_type, kdf_iter) = match User::find_by_mail(&data.Email, &conn) {
-        Some(user) => {
-            let _server_iter = user.password_iterations;
-            let client_iter = KDF_ITER_DEFAULT; // TODO: Make iterations user configurable
-            
-            (KDF_TYPE_DEFAULT, client_iter)
-        },
-        None => (KDF_TYPE_DEFAULT, KDF_ITER_DEFAULT), // Return default values when no user
+        Some(user) => (user.client_kdf_type, user.client_kdf_iter),
+        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT),
    };

    Ok(Json(json!({
@ -343,4 +374,3 @@ fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
        "KdfIterations": kdf_iter
    })))
 }
-
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -19,6 +19,7 @@ pub fn routes() -> Vec<Route> {
        get_public_keys,
        post_keys,
        post_password,
+        post_kdf,
        post_sstamp,
        post_email_token,
        post_email,