dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

KDF values shown wrong in webvault, also warning popup is wrong (2 problems) #5109

Closed rdslw closed 1 month ago

rdslw commented 1 month ago

Vaultwarden Build Version

v1.32.2

Deployment method

Other method

Custom deployment method

personalized docker container

Reverse Proxy

none

Host/Server Operating System

Linux

Clients

Web Vault

Client Version

firefox 131.0.3

Steps To Reproduce

  1. change KDF to a non-default value, i.e. 700007, while being on a 1.2* version
  2. update container to 1.32.* from below and restart
  3. login, see first bug: brown popup saying: "Low KDF iterations. Increase your iterations to improve the security of your account. Change KDF settings"
  4. go to the 'change KDF setting' panel, and see '100000' (see sqlite verification)
  5. while being at the panel, change type to argon, do not change anything
  6. change back to PBKDF2, and see '600000' -> second bug as I did not change anything, just switched tabs.

Expected Result

  1. no popup
  2. proper KDF 700007
  3. no change in KDF displayed upon switching KDF types back & forth

Actual Result

sqlite> select email,password_iterations from users;
x1@x1|100000
x2@x2|700007
x3@x3|700007

Above steps used login x2. Login x3 also shows bug no 2 (wrong value upon type switching); there was a popup, but it was dismissed and does not appear again, ALTHOUGH the kdf was not changed.

I'm not sure in which version it happens.

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

BlackDex commented 1 month ago

Not sure what we can do here. Vaultwarden stores what it receives. I find the steps a bit strange but will try to reproduce it.

Are you sure you didn't mix up the Vaultwarden KDF settings with the account KDF settings? Those are two totally different items.

rdslw commented 1 month ago

Thanks for fast reply.

  1. as to reproducibility: problem no2 (webvault shows different values just on clicking PBKDF2 vs argon type) shall be easy to reproduce, as it happens on the newest v1.32.2. Can provide a short video here if interested to see it.

  2. As to problem no1 (different value in sqlite users table vs what webvault shows) and the popup warning -> I'm not sure when it started, probably earlier, while on v1.3?.*

  3. I understand that the users table and the webvault (settings -> security -> keys) both show the account KDF settings. Am I correct?

  4. where can I check/see Vaultwarden KDF settings? config.json + /admin ?

BlackDex commented 1 month ago

Also the kdf can't change without user interaction. Else you wouldn't be able to log in again anymore.

BlackDex commented 1 month ago

The Vaultwarden kdf is visible in the admin settings

rdslw commented 1 month ago

ok, so what I'm seeing is relevant to the account KDF settings.

To summarize:

problem 1: popup shows, even if KDF settings (as verified in sqlite) are 700007

problem 2: values shown for KDF settings are wrong (settings -> security -> keys)

  a. I have 700007 as sqlite shows
  b. go to settings > security > keys: I see there 100000 as current KDF
  c. while being there, change PBKDF2 to argon type, and back (NB: just clicking, not clicking the 'change kdf' button)
  d. KDF shows 600000 (vaultwarden default)

BlackDex commented 1 month ago

Again, which column are you looking at? Since I am not able to reproduce this at all using the steps you mentioned.

I have done the following. For the database I used this query:

SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter, client_kdf_memory, client_kdf_parallelism FROM users

  1. Started Vaultwarden 1.20.0 (the very first v1.2* version): docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 docker.io/bitwardenrs/server:1.20.0
  2. Created a user and checked the database (screenshot: Account-Created_1 20 0_100_000)
  3. Updated the KDF settings and checked the database (screenshot: Account-Updated_1 20 0_700_007)
  4. Upgraded Vaultwarden to 1.32.2: docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.32.2
  5. Checked the settings and database (screenshot: Account-VW-Upgrade_1 20 0-1 32 2)

Database results:

| version | uuid | password_iterations | client_kdf_type | client_kdf_iter | client_kdf_memory | client_kdf_parallelism |
|---|---|---|---|---|---|---|
| v1.20.0 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 100000 | 0 | 100000 | - | - |
| v1.20.0 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 100000 | 0 | 700007 | - | - |
| v1.32.2 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 600000 | 0 | 700007 | NULL | NULL |

I did the same but then started from v1.29.2, which is the last v1.2* version.

  1. docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.29.2
  2. (screenshot: Account-Created_1 29 0_600_000)
  3. (screenshot: Account-Updated_1 29 0_700_007)
  4. docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.32.2
  5. (screenshot: Account-VW-Upgrade_1 29 0-1 32 2)

Database results:

| version | uuid | password_iterations | client_kdf_type | client_kdf_iter | client_kdf_memory | client_kdf_parallelism |
|---|---|---|---|---|---|---|
| v1.29.0 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 600000 | NULL | NULL |
| v1.29.0 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 700007 | NULL | NULL |
| v1.32.2 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 700007 | NULL | NULL |

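
An added example (not code from this thread or from the Vaultwarden project) that runs the query BlackDex used above against a constructed in-memory copy of the users table, seeded with the values rdslw reports, and separates the server-side password_iterations column from the client_kdf_* columns that the web vault's KDF panel and the "Low KDF iterations" popup actually reflect. The 600000 floor is taken from the default value the thread mentions, and type code 0 = PBKDF2 follows the Bitwarden API; both are assumptions for this example.

```python
import sqlite3

# Constructed stand-in for the vaultwarden `users` table, limited to the
# columns in the thread's query. Rows mirror the sample values rdslw posted
# (uuid, password_iterations, client_kdf_type, client_kdf_iter, memory, parallelism).
SAMPLE_ROWS = [
    ("X1..e3", 100000, 0, 100000, None, None),
    ("X2..12", 700007, 0, 900009, None, None),
    ("X3..e4", 700007, 0, 100000, None, None),
]

PBKDF2 = 0                        # client_kdf_type code for PBKDF2-SHA256 (assumed from the Bitwarden API)
RECOMMENDED_PBKDF2_ITER = 600000  # default the web vault shows; assumed as the popup's threshold


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uuid TEXT PRIMARY KEY, password_iterations INTEGER, "
        "client_kdf_type INTEGER, client_kdf_iter INTEGER, "
        "client_kdf_memory INTEGER, client_kdf_parallelism INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def audit_kdf(conn: sqlite3.Connection) -> list[dict]:
    """Return one record per user, flagging accounts whose *client* KDF is below the floor.

    `password_iterations` is the server-side hash count applied to the already
    client-stretched master-password hash; it is what rdslw first compared and it
    is not what the KDF panel displays. The panel shows `client_kdf_*`, so only
    that pair decides whether the low-KDF popup is expected.
    """
    query = (
        "SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter, "
        "client_kdf_memory, client_kdf_parallelism FROM users ORDER BY uuid"
    )
    report = []
    for uuid, srv_iter, kdf_type, kdf_iter, mem, par in conn.execute(query):
        low = kdf_type == PBKDF2 and kdf_iter < RECOMMENDED_PBKDF2_ITER
        report.append({"uuid": uuid, "server_iter": srv_iter, "kdf_type": kdf_type,
                       "client_iter": kdf_iter, "memory": mem, "parallelism": par,
                       "expect_low_kdf_popup": low})
    return report


if __name__ == "__main__":
    for row in audit_kdf(build_sample_db()):
        print(row)
```

Against the sample rows, X1 and X3 (client_kdf_iter 100000) are the accounts for which the popup is expected, while X2's server-side 700007 is irrelevant to it.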
rdslw commented 1 month ago

I was originally looking at the password_iterations column.

Here is the result of your query run now.

sqlite> SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter, client_kdf_memory, client_kdf_parallelism FROM users;
X1..e3|100000|0|100000||
X2..12|700007|0|900009||
X3..e4|700007|0|100000||

Looks like problem no1 was my mistake of X2 vs X3 user, which together with problem no2 made me not trust the values shown. Sorry for that. Shall probably change the issue title to "KDF values shown wrong in webvault upon selecting different algo type".

Looks like only problem 2 exists, on both users (X2 and X3).

How to reproduce:

  1. use current version v1.32.2

  2. login to webvault

  3. go to settings/security/keys, see: (screenshot: Screenshot 2024-10-19 19 45 22+02 00)

  4. switch algorithm type to argon, DO NOT click button 'change kdf', see: (screenshot: Screenshot 2024-10-19 19 46 07+02 00)

  5. switch algorithm type again to PBKDF2, see wrong iterations: (screenshot: Screenshot 2024-10-19 19 46 50+02 00)

problem no2 visible here: iterations is now 600000 while it was 100000 in step 3. User iterations is 100000.

BlackDex commented 1 month ago

Well, that seems like a UI client issue, and it shows the default recommended value. If you do not click on save then it will still be 100_000, unless you save of course.

As this is a web-vault/client issue, and this project does not maintain or develop those, it's not something we can fix (easily).

If anything, I would suggest to check and verify if this also happens on the Bitwarden Cloud environment; if so, report this in their client repo on GitHub. Else it might be fixed already in a version newer than v2024.6.2, which Vaultwarden does not (yet) support.

As this is a client issue, I'm going to move this to a discussion.