[PM-16982] Make argon2 the default kdf for new accounts

apps/browser/src/auth/popup/register.component.ts

@@ -9,6 +9,7 @@
 import { LoginStrategyServiceAbstraction } from "@bitwarden/auth/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuditService } from "@bitwarden/common/abstractions/audit.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -42,6 +43,7 @@
     auditService: AuditService,
     dialogService: DialogService,
     toastService: ToastService,
+    configService: ConfigService,
   ) {
     super(
       formValidationErrorService,
@@ -59,6 +61,7 @@
       auditService,
       dialogService,
       toastService,
+      configService,
     );
   }
 }

apps/desktop/src/auth/register.component.ts

@@ -8,6 +8,7 @@
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuditService } from "@bitwarden/common/abstractions/audit.service";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -42,6 +43,7 @@
     auditService: AuditService,
     dialogService: DialogService,
     toastService: ToastService,
+    configService: ConfigService,
   ) {
     super(
       formValidationErrorService,
@@ -59,6 +61,7 @@
       auditService,
       dialogService,
       toastService,
+      configService,
     );
   }
 

apps/web/src/app/auth/register-form/register-form.component.ts

@@ -13,6 +13,7 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/models/domain/master-password-policy-options";
 import { ReferenceEventRequest } from "@bitwarden/common/models/request/reference-event.request";
 import { RegisterRequest } from "@bitwarden/common/models/request/register.request";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -55,6 +56,7 @@ export class RegisterFormComponent extends BaseRegisterComponent implements OnIn
     dialogService: DialogService,
     acceptOrgInviteService: AcceptOrganizationInviteService,
     toastService: ToastService,
+    configService: ConfigService,
   ) {
     super(
       formValidationErrorService,
@@ -72,6 +74,7 @@ export class RegisterFormComponent extends BaseRegisterComponent implements OnIn
       auditService,
       dialogService,
       toastService,
+      configService,
     );
     this.modifyRegisterRequest = async (request: RegisterRequest) => {
       // Org invites are deep linked. Non-existent accounts are redirected to the register page.

libs/angular/src/auth/components/register.component.ts

@@ -8,9 +8,11 @@
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuditService } from "@bitwarden/common/abstractions/audit.service";
 import { RegisterResponse } from "@bitwarden/common/auth/models/response/register.response";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
 import { ReferenceEventRequest } from "@bitwarden/common/models/request/reference-event.request";
 import { RegisterRequest } from "@bitwarden/common/models/request/register.request";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -19,7 +21,12 @@
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { DialogService, ToastService } from "@bitwarden/components";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/generator-legacy";
-import { DEFAULT_KDF_CONFIG, KeyService } from "@bitwarden/key-management";
+import {
+  DEFAULT_KDF_CONFIG,
+  KdfConfig,
+  KeyService,
+  NEW_ARGON2_DEFAULT_KDF_CONFIG,
+} from "@bitwarden/key-management";
 
 import {
   AllValidationErrors,
@@ -99,6 +106,7 @@
     protected auditService: AuditService,
     protected dialogService: DialogService,
     protected toastService: ToastService,
+    private configService: ConfigService,
   ) {
     super(environmentService, i18nService, platformUtilsService, toastService);
     this.showTerms = !platformUtilsService.isSelfHost();
@@ -283,7 +291,11 @@
     name: string,
   ): Promise<RegisterRequest> {
     const hint = this.formGroup.value.hint;
-    const kdfConfig = DEFAULT_KDF_CONFIG;
+    // Create and hash new master key
+    let kdfConfig: KdfConfig = DEFAULT_KDF_CONFIG;
+    if (await this.configService.getFeatureFlag(FeatureFlag.Argon2Default)) {
+      kdfConfig = NEW_ARGON2_DEFAULT_KDF_CONFIG;
+    }
     const key = await this.keyService.makeMasterKey(masterPassword, email, kdfConfig);
     const newUserKey = await this.keyService.makeUserKey(key);
     const masterKeyHash = await this.keyService.hashMasterKey(masterPassword, key);
@@ -298,6 +310,8 @@
       this.captchaToken,
       kdfConfig.kdfType,
       kdfConfig.iterations,
+      kdfConfig.memory,
+      kdfConfig.parallelism,
     );
     request.keys = new KeysRequest(keys[0], keys[1].encryptedString);
     if (this.modifyRegisterRequest) {

libs/auth/src/angular/input-password/input-password.component.ts

@@ -11,6 +11,8 @@
 import { AuditService } from "@bitwarden/common/abstractions/audit.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/models/domain/master-password-policy-options";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { HashPurpose } from "@bitwarden/common/platform/enums";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
@@ -24,7 +26,12 @@
   InputModule,
   ToastService,
 } from "@bitwarden/components";
-import { DEFAULT_KDF_CONFIG, KeyService } from "@bitwarden/key-management";
+import {
+  DEFAULT_KDF_CONFIG,
+  KdfConfig,
+  KeyService,
+  NEW_ARGON2_DEFAULT_KDF_CONFIG,
+} from "@bitwarden/key-management";
 
 // FIXME: remove `src` and fix import
 // eslint-disable-next-line no-restricted-imports
@@ -107,6 +114,7 @@
     private i18nService: I18nService,
     private policyService: PolicyService,
     private toastService: ToastService,
+    private configService: ConfigService,
   ) {}
 
   get minPasswordLengthMsg() {
@@ -145,7 +153,10 @@
     }
 
     // Create and hash new master key
-    const kdfConfig = DEFAULT_KDF_CONFIG;
+    let kdfConfig: KdfConfig = DEFAULT_KDF_CONFIG;
+    if (await this.configService.getFeatureFlag(FeatureFlag.Argon2Default)) {
+      kdfConfig = NEW_ARGON2_DEFAULT_KDF_CONFIG;
+    }
 
     if (this.email == null) {
       throw new Error("Email is required to create master key.");

libs/auth/src/angular/input-password/password-input-result.ts

@@ -1,11 +1,11 @@
 import { MasterKey } from "@bitwarden/common/types/key";
-import { PBKDF2KdfConfig } from "@bitwarden/key-management";
+import { KdfConfig } from "@bitwarden/key-management";
 
 export interface PasswordInputResult {
   masterKey: MasterKey;
   masterKeyHash: string;
   localMasterKeyHash: string;
-  kdfConfig: PBKDF2KdfConfig;
+  kdfConfig: KdfConfig;
   hint: string;
   password: string;
 }

libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts

@@ -19,7 +19,7 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
 import { UserId } from "@bitwarden/common/types/guid";
 import { MasterKey, UserKey } from "@bitwarden/common/types/key";
-import { PBKDF2KdfConfig, KdfConfigService, KeyService } from "@bitwarden/key-management";
+import { KdfConfigService, KeyService, KdfConfig } from "@bitwarden/key-management";
 
 import {
   SetPasswordCredentials,
@@ -125,7 +125,7 @@ export class DefaultSetPasswordJitService implements SetPasswordJitService {
 
   private async updateAccountDecryptionProperties(
     masterKey: MasterKey,
-    kdfConfig: PBKDF2KdfConfig,
+    kdfConfig: KdfConfig,
     protectedUserKey: [UserKey, EncString],
     userId: UserId,
   ) {

libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts

@@ -2,13 +2,13 @@
 // @ts-strict-ignore
 import { UserId } from "@bitwarden/common/types/guid";
 import { MasterKey } from "@bitwarden/common/types/key";
-import { PBKDF2KdfConfig } from "@bitwarden/key-management";
+import { KdfConfig } from "@bitwarden/key-management";
 
 export interface SetPasswordCredentials {
   masterKey: MasterKey;
   masterKeyHash: string;
   localMasterKeyHash: string;
-  kdfConfig: PBKDF2KdfConfig;
+  kdfConfig: KdfConfig;
   hint: string;
   orgSsoIdentifier: string;
   orgId: string;

libs/common/src/enums/feature-flag.enum.ts

@@ -45,6 +45,7 @@ export enum FeatureFlag {
   PM12443RemovePagingLogic = "pm-12443-remove-paging-logic",
   PrivateKeyRegeneration = "pm-12241-private-key-regeneration",
   ResellerManagedOrgAlert = "PM-15814-alert-owners-of-reseller-managed-orgs",
+  Argon2Default = "argon2-default",
 }
 
 export type AllowedFeatureFlagTypes = boolean | number | string;
@@ -100,6 +101,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.PM12443RemovePagingLogic]: FALSE,
   [FeatureFlag.PrivateKeyRegeneration]: FALSE,
   [FeatureFlag.ResellerManagedOrgAlert]: FALSE,
+  [FeatureFlag.Argon2Default]: FALSE,
 } satisfies Record<FeatureFlag, AllowedFeatureFlagTypes>;
 
 export type DefaultFeatureFlagValueType = typeof DefaultFeatureFlagValue;

libs/key-management/src/index.ts

@@ -15,6 +15,7 @@
   Argon2KdfConfig,
   KdfConfig,
   DEFAULT_KDF_CONFIG,
+  NEW_ARGON2_DEFAULT_KDF_CONFIG,
 } from "./models/kdf-config";
 export { KdfConfigService } from "./abstractions/kdf-config.service";
 export { DefaultKdfConfigService } from "./kdf-config.service";

libs/key-management/src/models/kdf-config.ts

@@ -47,6 +47,14 @@
     }
   }
 
+  get memory(): number | undefined {
+    return undefined;
+  }
+
+  get parallelism(): number | undefined {
+    return undefined;
+  }
+
   static fromJSON(json: Jsonify<PBKDF2KdfConfig>): PBKDF2KdfConfig {
     return new PBKDF2KdfConfig(json.iterations);
   }
@@ -128,3 +136,8 @@
 }
 
 export const DEFAULT_KDF_CONFIG = new PBKDF2KdfConfig(PBKDF2KdfConfig.ITERATIONS.defaultValue);
+export const NEW_ARGON2_DEFAULT_KDF_CONFIG = new Argon2KdfConfig(
+  Argon2KdfConfig.ITERATIONS.defaultValue,
+  Argon2KdfConfig.MEMORY.defaultValue,
+  Argon2KdfConfig.PARALLELISM.defaultValue,
+);