move pbkdf2 to web crypto with shim fallback

2026-01-06 10:33:57 +00:00 · 2017-07-08 23:41:02 -04:00
parent b62950fa2b
commit bc8892a237
21 changed files with 284 additions and 192 deletions
--- a/src/app/settings/settingsChangeEmailController.js
+++ b/src/app/settings/settingsChangeEmailController.js
@@ -11,22 +11,25 @@

        $scope.token = function (model) {
            _masterPassword = model.masterPassword;
-            _masterPasswordHash = cryptoService.hashPassword(_masterPassword);
            _newEmail = model.newEmail.toLowerCase();

-            var encKey = cryptoService.getEncKey();
-            if (encKey) {
-                $scope.tokenPromise = requestToken(model);
-            }
-            else {
-                // User is not using an enc key, let's make them one
-                $scope.tokenPromise = cipherService.updateKey(_masterPasswordHash, function () {
-                    return requestToken(model);
-                }, processError);
-            }
+            cryptoService.hashPassword(_masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+
+                var encKey = cryptoService.getEncKey();
+                if (encKey) {
+                    $scope.tokenPromise = requestToken();
+                }
+                else {
+                    // User is not using an enc key, let's make them one
+                    $scope.tokenPromise = cipherService.updateKey(_masterPasswordHash, function () {
+                        return requestToken();
+                    }, processError);
+                }
+            });
        };

-        function requestToken(model) {
+        function requestToken() {
            var request = {
                newEmail: _newEmail,
                masterPasswordHash: _masterPasswordHash
@@ -40,33 +43,31 @@
        $scope.confirm = function (model) {
            $scope.processing = true;

-            var newKey = cryptoService.makeKey(_masterPassword, _newEmail);
-            var encKey = cryptoService.getEncKey();
-            var newEncKey = cryptoService.encrypt(encKey.key, newKey, 'raw');
+            $scope.confirmPromise = cryptoService.makeKeyAndHash(_newEmail, _masterPassword).then(function (result) {
+                var encKey = cryptoService.getEncKey();
+                var newEncKey = cryptoService.encrypt(encKey.key, result.key, 'raw');
+                var request = {
+                    token: model.token,
+                    newEmail: _newEmail,
+                    masterPasswordHash: _masterPasswordHash,
+                    newMasterPasswordHash: result.hash,
+                    key: newEncKey
+                };

-            var request = {
-                token: model.token,
-                newEmail: _newEmail,
-                masterPasswordHash: _masterPasswordHash,
-                newMasterPasswordHash: cryptoService.hashPassword(_masterPassword, newKey),
-                key: newEncKey
-            };
-
-            $scope.confirmPromise = apiService.accounts.email(request).$promise.then(function () {
+                return apiService.accounts.email(request).$promise;
+            }).then(function () {
                $uibModalInstance.dismiss('cancel');
                authService.logOut();
                $analytics.eventTrack('Changed Email');
                return $state.go('frontend.login.info');
-            }, processError).then(function () {
+            }).then(function () {
                toastr.success('Please log back in.', 'Email Changed');
-            }, processError);
+            }, function () {
+                $uibModalInstance.dismiss('cancel');
+                toastr.error('Something went wrong. Try again.', 'Oh No!');
+            });
        };

-        function processError() {
-            $uibModalInstance.dismiss('cancel');
-            toastr.error('Something went wrong. Try again.', 'Oh No!');
-        }
-
        $scope.close = function () {
            $uibModalInstance.dismiss('cancel');
        };
--- a/src/app/settings/settingsChangePasswordController.js
+++ b/src/app/settings/settingsChangePasswordController.js
@@ -31,39 +31,43 @@
            }
            else {
                // User is not using an enc key, let's make them one
-                var mpHash = cryptoService.hashPassword(model.masterPassword);
-                $scope.savePromise = cipherService.updateKey(mpHash, function () {
+                $scope.savePromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                    return cipherService.updateKey(hash);
+                }, processError).then(function () {
                    return changePassword(model);
                }, processError);
            }
        };

        function changePassword(model) {
+            var makeResult;
            return authService.getUserProfile().then(function (profile) {
-                var newKey = cryptoService.makeKey(model.newMasterPassword, profile.email.toLowerCase());
+                return cryptoService.makeKeyAndHash(profile.email, model.newMasterPassword);
+            }).then(function (result) {
+                makeResult = result;
+                return cryptoService.hashPassword(model.masterPassword);
+            }).then(function (hash) {
                var encKey = cryptoService.getEncKey();
-                var newEncKey = cryptoService.encrypt(encKey.key, newKey, 'raw');
+                var newEncKey = cryptoService.encrypt(encKey.key, makeResult.key, 'raw');

                var request = {
-                    masterPasswordHash: cryptoService.hashPassword(model.masterPassword),
-                    newMasterPasswordHash: cryptoService.hashPassword(model.newMasterPassword, newKey),
+                    masterPasswordHash: hash,
+                    newMasterPasswordHash: makeResult.hash,
                    key: newEncKey
                };

                return apiService.accounts.putPassword(request).$promise;
-            }, processError).then(function () {
+            }).then(function () {
                $uibModalInstance.dismiss('cancel');
                authService.logOut();
                $analytics.eventTrack('Changed Password');
                return $state.go('frontend.login.info');
-            }, processError).then(function () {
+            }).then(function () {
                toastr.success('Please log back in.', 'Master Password Changed');
-            }, processError);
-        }
-
-        function processError() {
-            $uibModalInstance.dismiss('cancel');
-            toastr.error('Something went wrong.', 'Oh No!');
+            }, function () {
+                $uibModalInstance.dismiss('cancel');
+                toastr.error('Something went wrong.', 'Oh No!');
+            });
        }

        $scope.close = function () {
--- a/src/app/settings/settingsDeleteController.js
+++ b/src/app/settings/settingsDeleteController.js
@@ -5,18 +5,18 @@
        authService, toastr, $analytics) {
        $analytics.eventTrack('settingsDeleteController', { category: 'Modal' });
        $scope.submit = function (model) {
-            var request = {
-                masterPasswordHash: cryptoService.hashPassword(model.masterPassword)
-            };
-
-            $scope.submitPromise = apiService.accounts.postDelete(request, function () {
+            $scope.submitPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                return apiService.accounts.postDelete({
+                    masterPasswordHash: hash
+                }).$promise;
+            }).then(function () {
                $uibModalInstance.dismiss('cancel');
                authService.logOut();
                $analytics.eventTrack('Deleted Account');
-                $state.go('frontend.login.info').then(function () {
-                    toastr.success('Your account has been closed and all associated data has been deleted.', 'Account Deleted');
-                });
-            }).$promise;
+                return $state.go('frontend.login.info');
+            }).then(function () {
+                toastr.success('Your account has been closed and all associated data has been deleted.', 'Account Deleted');
+            });
        };

        $scope.close = function () {
--- a/src/app/settings/settingsSessionsController.js
+++ b/src/app/settings/settingsSessionsController.js
@@ -5,22 +5,25 @@
        authService, tokenService, toastr, $analytics) {
        $analytics.eventTrack('settingsSessionsController', { category: 'Modal' });
        $scope.submit = function (model) {
-            var request = {
-                masterPasswordHash: cryptoService.hashPassword(model.masterPassword)
-            };
+            var hash, profile;

-            $scope.submitPromise =
-                authService.getUserProfile().then(function (profile) {
-                    return apiService.accounts.putSecurityStamp(request, function () {
-                        $uibModalInstance.dismiss('cancel');
-                        authService.logOut();
-                        tokenService.clearTwoFactorToken(profile.email);
-                        $analytics.eventTrack('Deauthorized Sessions');
-                        $state.go('frontend.login.info').then(function () {
-                            toastr.success('Please log back in.', 'All Sessions Deauthorized');
-                        });
-                    }).$promise;
-                });
+            $scope.submitPromise = cryptoService.hashPassword(model.masterPassword).then(function (theHash) {
+                hash = theHash;
+                return authService.getUserProfile();
+            }).then(function (theProfile) {
+                profile = theProfile;
+                return apiService.accounts.putSecurityStamp({
+                    masterPasswordHash: hash
+                }).$promise;
+            }).then(function () {
+                $uibModalInstance.dismiss('cancel');
+                authService.logOut();
+                tokenService.clearTwoFactorToken(profile.email);
+                $analytics.eventTrack('Deauthorized Sessions');
+                return $state.go('frontend.login.info');
+            }).then(function () {
+                toastr.success('Please log back in.', 'All Sessions Deauthorized');
+            });
        };

        $scope.close = function () {
--- a/src/app/settings/settingsTwoStepAuthenticatorController.js
+++ b/src/app/settings/settingsTwoStepAuthenticatorController.js
@@ -10,12 +10,13 @@
            _key = null;

        $scope.auth = function (model) {
-            _masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-
            var response = null;
-            $scope.authPromise = apiService.twoFactor.getAuthenticator({}, {
-                masterPasswordHash: _masterPasswordHash
-            }).$promise.then(function (apiResponse) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+                return apiService.twoFactor.getAuthenticator({}, {
+                    masterPasswordHash: _masterPasswordHash
+                }).$promise;
+            }).then(function (apiResponse) {
                response = apiResponse;
                return authService.getUserProfile();
            }).then(function (profile) {
--- a/src/app/settings/settingsTwoStepDuoController.js
+++ b/src/app/settings/settingsTwoStepDuoController.js
@@ -14,10 +14,12 @@
        };

        $scope.auth = function (model) {
-            _masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-            $scope.authPromise = apiService.twoFactor.getDuo({}, {
-                masterPasswordHash: _masterPasswordHash
-            }).$promise.then(function (apiResponse) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+                return apiService.twoFactor.getDuo({}, {
+                    masterPasswordHash: _masterPasswordHash
+                }).$promise;
+            }).then(function (apiResponse) {
                processResult(apiResponse);
                $scope.authed = true;
            });
--- a/src/app/settings/settingsTwoStepEmailController.js
+++ b/src/app/settings/settingsTwoStepEmailController.js
@@ -13,12 +13,13 @@
        };

        $scope.auth = function (model) {
-            _masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-
            var response = null;
-            $scope.authPromise = apiService.twoFactor.getEmail({}, {
-                masterPasswordHash: _masterPasswordHash
-            }).$promise.then(function (apiResponse) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+                return apiService.twoFactor.getEmail({}, {
+                    masterPasswordHash: _masterPasswordHash
+                }).$promise;
+            }).then(function (apiResponse) {
                response = apiResponse;
                return authService.getUserProfile();
            }).then(function (profile) {
--- a/src/app/settings/settingsTwoStepRecoverController.js
+++ b/src/app/settings/settingsTwoStepRecoverController.js
@@ -7,11 +7,11 @@
        $scope.code = null;

        $scope.auth = function (model) {
-            var masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-
-            $scope.authPromise = apiService.twoFactor.getRecover({}, {
-                masterPasswordHash: masterPasswordHash
-            }).$promise.then(function (apiResponse) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                return apiService.twoFactor.getRecover({}, {
+                    masterPasswordHash: hash
+                }).$promise;
+            }).then(function (apiResponse) {
                $scope.code = formatString(apiResponse.Code);
                $scope.authed = true;
            });
--- a/src/app/settings/settingsTwoStepU2fController.js
+++ b/src/app/settings/settingsTwoStepU2fController.js
@@ -12,11 +12,12 @@
        $scope.deviceError = false;

        $scope.auth = function (model) {
-            _masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-
-            $scope.authPromise = apiService.twoFactor.getU2f({}, {
-                masterPasswordHash: _masterPasswordHash
-            }).$promise.then(function (response) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+                return apiService.twoFactor.getU2f({}, {
+                    masterPasswordHash: _masterPasswordHash
+                }).$promise;
+            }).then(function (response) {
                $scope.enabled = response.Enabled;
                $scope.challenge = response.Challenge;
                $scope.authed = true;
--- a/src/app/settings/settingsTwoStepYubiController.js
+++ b/src/app/settings/settingsTwoStepYubiController.js
@@ -8,12 +8,13 @@
            _masterPasswordHash;

        $scope.auth = function (model) {
-            _masterPasswordHash = cryptoService.hashPassword(model.masterPassword);
-
            var response = null;
-            $scope.authPromise = apiService.twoFactor.getYubi({}, {
-                masterPasswordHash: _masterPasswordHash
-            }).$promise.then(function (apiResponse) {
+            $scope.authPromise = cryptoService.hashPassword(model.masterPassword).then(function (hash) {
+                _masterPasswordHash = hash;
+                return apiService.twoFactor.getYubi({}, {
+                    masterPasswordHash: _masterPasswordHash
+                }).$promise;
+            }).then(function (apiResponse) {
                response = apiResponse;
                return authService.getUserProfile();
            }).then(function (profile) {
--- a/src/app/settings/settingsUpdateKeyController.js
+++ b/src/app/settings/settingsUpdateKeyController.js
@@ -14,8 +14,9 @@
            }

            $scope.processing = true;
-            var mpHash = cryptoService.hashPassword($scope.masterPassword);
-            $scope.savePromise = cipherService.updateKey(mpHash, function () {
+            $scope.savePromise = cryptoService.hashPassword($scope.masterPassword).then(function (hash) {
+                return cipherService.updateKey(hash);
+            }).then(function () {
                $uibModalInstance.dismiss('cancel');
                authService.logOut();
                $analytics.eventTrack('Key Updated');
@@ -23,14 +24,12 @@
            }).then(function () {
                toastr.success('Please log back in. If you are using other bitwarden applications, ' +
                    'log out and back in to those as well.', 'Key Updated', { timeOut: 10000 });
-            }, processError);
+            }, function () {
+                $uibModalInstance.dismiss('cancel');
+                toastr.error('Something went wrong.', 'Oh No!');
+            });
        };

-        function processError() {
-            $uibModalInstance.dismiss('cancel');
-            toastr.error('Something went wrong.', 'Oh No!');
-        }
-
        $scope.close = function () {
            $uibModalInstance.dismiss('cancel');
        };