[PS-2267] Add KdfMemory and KDFParallelism fields (#2583)

* Add KdfMemory and KDFParallelism fields

* Revise argon2 support

This pull request makes the new attribues for argon2, kdfMemory and
kdfParallelism optional. Furthermore it adds checks for the argon2
parametrs and improves the database migration script.

* Add validation for argon2 in RegisterRequestModel

* update validation messages

* update sql scripts

* register data protection with migration factories

* add ef migrations

* update kdf option validation

* adjust validation

* Centralize and Test KDF Validation

Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

src/Core/Entities/User.cs

@@ -54,6 +54,8 @@ public class User : ITableObject<Guid>, ISubscriber, IStorable, IStorableSubscri
     public string ApiKey { get; set; }
     public KdfType Kdf { get; set; } = KdfType.PBKDF2_SHA256;
     public int KdfIterations { get; set; } = 5000;
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
     public DateTime CreationDate { get; set; } = DateTime.UtcNow;
     public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
     public bool ForcePasswordReset { get; set; }

src/Core/Enums/KdfType.cs

@@ -2,5 +2,6 @@
 
 public enum KdfType : byte
 {
-    PBKDF2_SHA256 = 0
+    PBKDF2_SHA256 = 0,
+    Argon2id = 1
 }

src/Core/Models/Api/Request/Accounts/RegisterRequestModel.cs

@@ -26,6 +26,8 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
     public Guid? OrganizationUserId { get; set; }
     public KdfType? Kdf { get; set; }
     public int? KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
     public Dictionary<string, object> ReferenceData { get; set; }
 
     public User ToUser()
@@ -37,6 +39,8 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
             MasterPasswordHint = MasterPasswordHint,
             Kdf = Kdf.GetValueOrDefault(KdfType.PBKDF2_SHA256),
             KdfIterations = KdfIterations.GetValueOrDefault(5000),
+            KdfMemory = KdfMemory,
+            KdfParallelism = KdfParallelism
         };
 
         if (ReferenceData != null)
@@ -61,17 +65,9 @@ public class RegisterRequestModel : IValidatableObject, ICaptchaProtectedModel
     {
         if (Kdf.HasValue && KdfIterations.HasValue)
         {
-            switch (Kdf.Value)
-            {
-                case KdfType.PBKDF2_SHA256:
-                    if (KdfIterations.Value < 5000 || KdfIterations.Value > 1_000_000)
-                    {
-                        yield return new ValidationResult("KDF iterations must be between 5000 and 1000000.");
-                    }
-                    break;
-                default:
-                    break;
-            }
+            return KdfSettingsValidator.Validate(Kdf.Value, KdfIterations.Value, KdfMemory, KdfParallelism);
         }
+
+        return Enumerable.Empty<ValidationResult>();
     }
 }

src/Core/Models/Api/Response/Accounts/PreloginResponseModel.cs

@@ -9,8 +9,12 @@ public class PreloginResponseModel
     {
         Kdf = kdfInformation.Kdf;
         KdfIterations = kdfInformation.KdfIterations;
+        KdfMemory = kdfInformation.KdfMemory;
+        KdfParallelism = kdfInformation.KdfParallelism;
     }
 
     public KdfType Kdf { get; set; }
     public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
 }

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserResetPasswordDetails.cs

@@ -24,11 +24,15 @@ public class OrganizationUserResetPasswordDetails
 
         Kdf = user.Kdf;
         KdfIterations = user.KdfIterations;
+        KdfMemory = user.KdfMemory;
+        KdfParallelism = user.KdfParallelism;
         ResetPasswordKey = orgUser.ResetPasswordKey;
         EncryptedPrivateKey = org.PrivateKey;
     }
     public KdfType Kdf { get; set; }
     public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
     public string ResetPasswordKey { get; set; }
     public string EncryptedPrivateKey { get; set; }
 }

src/Core/Models/Data/UserKdfInformation.cs

@@ -6,4 +6,6 @@ public class UserKdfInformation
 {
     public KdfType Kdf { get; set; }
     public int KdfIterations { get; set; }
+    public int? KdfMemory { get; set; }
+    public int? KdfParallelism { get; set; }
 }

src/Core/Services/IUserService.cs

@@ -36,7 +36,7 @@ public interface IUserService
     Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
     Task<IdentityResult> UpdateTempPasswordAsync(User user, string newMasterPassword, string key, string hint);
     Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
-        KdfType kdf, int kdfIterations);
+        KdfType kdf, int kdfIterations, int? kdfMemory, int? kdfParallelism);
     Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,
         IEnumerable<Cipher> ciphers, IEnumerable<Folder> folders, IEnumerable<Send> sends);
     Task<IdentityResult> RefreshSecurityStampAsync(User user, string masterPasswordHash);

src/Core/Services/Implementations/UserService.cs

@@ -824,7 +824,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
     }
 
     public async Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword,
-        string key, KdfType kdf, int kdfIterations)
+        string key, KdfType kdf, int kdfIterations, int? kdfMemory, int? kdfParallelism)
     {
         if (user == null)
         {
@@ -843,6 +843,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
             user.Key = key;
             user.Kdf = kdf;
             user.KdfIterations = kdfIterations;
+            user.KdfMemory = kdfMemory;
+            user.KdfParallelism = kdfParallelism;
             await _userRepository.ReplaceAsync(user);
             await _pushService.PushLogOutAsync(user.Id);
             return IdentityResult.Success;

src/Core/Utilities/KdfSettingsValidator.cs

@@ -0,0 +1,37 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Enums;
+
+namespace Bit.Core.Utilities;
+
+public static class KdfSettingsValidator
+{
+    public static IEnumerable<ValidationResult> Validate(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
+    {
+        switch (kdfType)
+        {
+            case KdfType.PBKDF2_SHA256:
+                if (kdfIterations < 5000 || kdfIterations > 2_000_000)
+                {
+                    yield return new ValidationResult("KDF iterations must be between 5000 and 2000000.");
+                }
+                break;
+            case KdfType.Argon2id:
+                if (kdfIterations <= 0)
+                {
+                    yield return new ValidationResult("Argon2 iterations must be greater than 0.");
+                }
+                else if (!kdfMemory.HasValue || kdfMemory.Value < 15 || kdfMemory.Value > 1024)
+                {
+                    yield return new ValidationResult("Argon2 memory must be between 15mb and 1024mb.");
+                }
+                else if (!kdfParallelism.HasValue || kdfParallelism.Value < 1 || kdfParallelism.Value > 16)
+                {
+                    yield return new ValidationResult("Argon2 parallelism must be between 1 and 16.");
+                }
+                break;
+
+            default:
+                break;
+        }
+    }
+}