Re: [PR] Decouple offline hash strength from online [couchdb]

Tue, 07 Nov 2023 15:40:16 -0800 


nickva commented on code in PR #4814:
URL: https://github.com/apache/couchdb/pull/4814#discussion_r1385731412


##########
dev/run:
##########
@@ -571,8 +572,8 @@ def hashify(pwd, salt=COMMON_SALT, iterations=10, 
keylen=20):
     >>> hashify(candeira)
     
-pbkdf2-99eb34d97cdaa581e6ba7b5386e112c265c5c670,d1d2d4d8909c82c81b6c8184429a0739,10
     """
-    derived_key = pbkdf2_hex(pwd, salt, iterations, keylen)
-    return "-pbkdf2-%s,%s,%s" % (derived_key, salt, iterations)
+    derived_key = pbkdf2_hex(pwd, salt, iterations, keylen, 
hashfunc=hashlib.sha256)
+    return "-pbkdf2:sha256-%s,%s,%s" % (derived_key, salt, iterations)

Review Comment:
   `-n 3` seems to work though, so it's a bit strange.



##########
dev/run:
##########
@@ -571,8 +572,8 @@ def hashify(pwd, salt=COMMON_SALT, iterations=10, 
keylen=20):
     >>> hashify(candeira)
     
-pbkdf2-99eb34d97cdaa581e6ba7b5386e112c265c5c670,d1d2d4d8909c82c81b6c8184429a0739,10
     """
-    derived_key = pbkdf2_hex(pwd, salt, iterations, keylen)
-    return "-pbkdf2-%s,%s,%s" % (derived_key, salt, iterations)
+    derived_key = pbkdf2_hex(pwd, salt, iterations, keylen, 
hashfunc=hashlib.sha256)
+    return "-pbkdf2:sha256-%s,%s,%s" % (derived_key, salt, iterations)

Review Comment:
   I couldn't start a local dev n=1 node cluster for some reason.
   
   ```
    % ./dev/run --admin=adm:pass -n 1
   [ * ] Setup environment ... ok
   [ * ] Ensure CouchDB is built ... ok
   [ * ] Ensure Erlang boot script exists ... ok
   [ * ] Prepare configuration files ... ok
   [ * ] Start node node1 ... ok
   [ * ] Check node at http://127.0.0.1:15984/ ... ok
   [ * ] Running cluster setup ... failed: 
b'{"error":"unauthorized","reason":"Name or password is incorrect."}\n'
   Traceback (most recent call last):
     File "/Users/nvatama/asf/./dev/run", line 934, in <module>
       main()
     File "/Users/nvatama/asf/./dev/run", line 93, in main
       startup(ctx)
     File "/Users/nvatama/asf/./dev/run", line 593, in startup
       cluster_setup(ctx)
     File "/Users/nvatama/asf/./dev/run", line 73, in wrapper
       res = func(*args, **kwargs)
     File "/Users/nvatama/asf/./dev/run", line 743, in cluster_setup
       finish_cluster(lead_port, *ctx["admin"])
     File "/Users/nvatama/asf/./dev/run", line 829, in finish_cluster
       assert resp.status in (201, 400), resp.read()
   AssertionError: b'{"error":"unauthorized","reason":"Name or password is 
incorrect."}\n'
   ```
   
   The logs showed:
   
   ```
   [notice] 2023-11-07T23:19:16.524311Z [email protected] <0.494.0> -------- 
Missing system database _users
   [notice] 2023-11-07T23:19:17.254909Z [email protected] <0.430.0> e86161454e 
127.0.0.1:15984 127.0.0.1 undefined GET / 200 ok 63
   [notice] 2023-11-07T23:19:17.276089Z [email protected] <0.431.0> acf614ed19 
Setup: 
[{<<"action">>,<<"enable_cluster">>},{<<"bind_address">>,<<"0.0.0.0">>},{<<"username">>,<<"adm">>},{<<"password">>,<<"****">>},{<<"node_count">>,1}]
   
   [notice] 2023-11-07T23:19:17.278581Z [email protected] <0.141.0> -------- 
config: [admins] adm set to '****' for reason nil
   [notice] 2023-11-07T23:19:17.281576Z [email protected] <0.141.0> -------- 
config: [chttpd] bind_address set to 0.0.0.0 for reason nil
   [notice] 2023-11-07T23:19:17.282793Z [email protected] <0.141.0> -------- 
config: [cluster] n set to 1 for reason nil
   [error] 2023-11-07T23:19:17.282809Z [email protected] <0.427.0> -------- 
Supervisor chttpd_sup had child chttpd started with chttpd:start_link() at 
<0.429.0> exit with reason normal in context child_terminated
   [error] 2023-11-07T23:19:17.282840Z [email protected] <0.427.0> -------- 
Supervisor chttpd_sup had child chttpd started with chttpd:start_link() at 
<0.429.0> exit with reason normal in context child_terminated
   [notice] 2023-11-07T23:19:17.284662Z [email protected] <0.431.0> acf614ed19 
127.0.0.1:15984 127.0.0.1 adm POST /_cluster_setup 201 ok 26
   [notice] 2023-11-07T23:19:17.286358Z [email protected] <0.585.0> 53d7202075 
127.0.0.1:15984 127.0.0.1 undefined POST /_cluster_setup 401 ok 0
   [info] 2023-11-07T23:19:17.288890Z [email protected] <0.66.0> -------- SIGTERM 
received - shutting down
   [info] 2023-11-07T23:19:17.288923Z [email protected] <0.66.0> -------- SIGTERM 
received - shutting down
   ```
   I couldn't yet tell why though. I'll try adding more debug statements in 
there to figure it out
   



##########
src/fast_pbkdf2/.gitignore:
##########
@@ -0,0 +1,30 @@
+.rebar3

Review Comment:
   Noticed from rebar compiler, it leaves the 
`src/fast_pbkdf2/compile_commands.json` behind as well. Can probably add it to 
.gitignore. Either this one or the top level one.
   
   ```
   % git status
   
   Untracked files:
     (use "git add <file>..." to include in what will be committed)
        src/fast_pbkdf2/compile_commands.json
   ```



##########
src/fast_pbkdf2/rebar.config:
##########
@@ -0,0 +1,58 @@
+{erl_opts, [
+  deterministic
+ ]}.
+
+{deps, []}.
+
+{profiles, [
+  {test, [
+    {erl_opts, []},
+    {deps, [
+      {base16, "2.0.1"},
+      {proper, "1.4.0"}
+     ]},
+    {plugins, [
+       {rebar3_codecov, "0.3.0"}
+     ]},
+    {port_env,
+     [
+      {"CFLAGS", "$CFLAGS -std=c99 -O3 -g -Wall -Wextra -fPIC --coverage"},
+      {"LDFLAGS", "$LDFLAGS --coverage"},
+      {"LDLIBS", "$LDLIBS -lcrypto"},
+      {"DRV_LINK_TEMPLATE", "$DRV_LINK_TEMPLATE $LDLIBS"}
+     ]}
+   ]}
+ ]
+}.
+
+{plugins, [pc, rebar3_hex]}.
+
+{artifacts, ["priv/fast_pbkdf2.so"]}.
+
+{port_specs,
+ [
+    {
+        % Any arch
+        ".*",
+        % Create library
+        "priv/fast_pbkdf2.so",
+        % From files
+        ["c_src/*.c"],
+        % Using options
+        [ {env, [{"CFLAGS", "$CFLAGS -std=c99 -O3 -g -Wall -Wextra -fPIC"},

Review Comment:
   A full CI Jenkins showed that all the architecture and OSes looked good 
except macos. I think it may just need the openssl dev library installed:
   
   
https://ci-couchdb.apache.org/blue/organizations/jenkins/jenkins-cm1%2FFullPlatformMatrix/detail/jenkins-decouple_offline_hash_strength_from_online/1/pipeline/82/
   
   ```
   [2023-11-07T22:26:54.619Z] Compiling 
/Users/jenkins2/workspace/ffline_hash_strength_from_online/macos/build/src/fast_pbkdf2/c_src/fast_pbkdf2.c
   [2023-11-07T22:26:54.619Z] 
/Users/jenkins2/workspace/ffline_hash_strength_from_online/macos/build/src/fast_pbkdf2/c_src/fast_pbkdf2.c:35:10:
 fatal error: 'openssl/sha.h' file not found
   [2023-11-07T22:26:54.619Z] #include <openssl/sha.h>
   [2023-11-07T22:26:54.619Z]          ^~~~~~~~~~~~~~~
   [2023-11-07T22:26:54.619Z] 1 error generated.
   [2023-11-07T22:26:54.619Z] ERROR: compile failed while processing 
/Users/jenkins2/workspace/ffline_hash_strength_from_online/macos/build/src/fast_pbkdf2:
 rebar_abort
   [2023-11-07T22:26:54.619Z] make: *** [couch] Error 1
   ```
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to