argon2id - implement using argon2-cffi

commonism · commonism · commit 409466f8957d · 2025-11-18T15:08:02.000+01:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -35,6 +35,7 @@ classifiers = [
 requires-python = ">=3.10"
 dependencies = [
     "hkdf >=0.0.3",
+    "argon2-cffi >= 25.1.0",
     "pycryptodome >=3.17.0",
     "pydantic >=2.5.0",
     "httpx >=0.24.1",
diff --git a/src/vaultwarden/utils/crypto.py b/src/vaultwarden/utils/crypto.py
@@ -127,8 +127,18 @@ def make_master_key(password: str, salt: str, kdf: "vaultwarden.models.bitwarden
     match kdf.Kdf:
         case vaultwarden.models.bitwarden.KdfType.Pbkdf2:
             return pbkdf2_hmac("sha256", password, salt, kdf.KdfIterations)
-        case vaultwarden.models.bitwarden.KdfType.Argon2:
-            raise NotImplementedError("x")
+        case vaultwarden.models.bitwarden.KdfType.Argon2id:
+            # c.f.
+            # https://github.com/vaultwarden/vw_web_builds/blob/355bddc6c9d5c110e55fe74c5fcfa86ddd85572c/libs/common/src/platform/services/key-generation.service.ts#L55-L75
+            import argon2
+            hsalt = hashlib.new("sha256",salt).digest()
+            v = argon2.low_level.hash_secret_raw(password, hsalt,
+                                             time_cost=kdf.KdfIterations,
+                                             memory_cost=kdf.KdfMemory * 1024,
+                                             parallelism=kdf.KdfParallelism,
+                                             hash_len=32,
+                                             type=argon2.Type.ID)
+            return v
         case _:
             return None
 
