Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-11 Thread via GitHub
rnewson merged PR #4814: URL: https://github.com/apache/couchdb/pull/4814 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail:

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-10 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1806072709 Makes sense that we can just ignore the conflict as they should be the same content. Even if a conflict is generated it should merge cleanly. > I can't trigger the conflict cases

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-10 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1805656312 I can't trigger the conflict cases locally but I've added a `catch` on the front `couch_password_hasher`'s call to `AuthModule:update_user_creds`.

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-10 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1805625536 I'd like to suppress the conflict errors since those are benign. Each node might elect to hash and update the user doc when it gets a request. However, by design of this PR, they will

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-09 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1388693671 ## src/couch/src/couch_httpd_auth.erl: ## @@ -662,10 +643,14 @@ authenticate(Pass, UserProps) -> couch_util:get_value(<<"password_sha">>,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-09 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1388694964 ## src/couch/src/couch_primary_sup.erl: ## @@ -23,7 +23,18 @@ init([]) -> {couch_task_status, {couch_task_status, start_link, []}, permanent, brutal_kill,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-09 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1388152414 ## src/couch/src/couch_httpd_auth.erl: ## @@ -662,10 +643,14 @@ authenticate(Pass, UserProps) -> couch_util:get_value(<<"password_sha">>,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1387468425 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,69 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1387463659 ## src/couch/src/couch_primary_sup.erl: ## @@ -23,7 +23,18 @@ init([]) -> {couch_task_status, {couch_task_status, start_link, []}, permanent, brutal_kill,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1387210911 ## src/couch/src/couch_httpd_auth.erl: ## @@ -662,10 +643,14 @@ authenticate(Pass, UserProps) -> couch_util:get_value(<<"password_sha">>,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1387188923 ## src/couch/src/couch_httpd_auth.erl: ## @@ -662,10 +643,14 @@ authenticate(Pass, UserProps) -> couch_util:get_value(<<"password_sha">>,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1386854453 ## dev/run: ## @@ -571,8 +572,8 @@ def hashify(pwd, salt=COMMON_SALT, iterations=10, keylen=20): >>> hashify(candeira)

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1801774838 I'm open to not importing fast_pbkdf2 and just enhancing our home-grown pbkdf2 implementation to allow sha-256, it's trivial to do. Since we're planning to use the native one if it gets

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-08 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1386397163 ## dev/run: ## @@ -571,8 +572,8 @@ def hashify(pwd, salt=COMMON_SALT, iterations=10, keylen=20): >>> hashify(candeira)

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-07 Thread via GitHub
big-r81 commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1800865306 Solved the "OpenSSL not found" error. Installed the wrong architecture (x86 instead of x64). Needed to tweak the 'rebar.config' again, so that the library linking is working:

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-07 Thread via GitHub
big-r81 commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1800788556 First compile run: ``` ==> fast_pbkdf2 (compile) Compiling c:/Users/couchdb/Documents/couchdb/src/fast_pbkdf2/c_src/fast_pbkdf2.c ERROR: compile failed while processing

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-07 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1385731412 ## dev/run: ## @@ -571,8 +572,8 @@ def hashify(pwd, salt=COMMON_SALT, iterations=10, keylen=20): >>> hashify(candeira)

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-07 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1385708436 ## src/fast_pbkdf2/.gitignore: ## @@ -0,0 +1,30 @@ +.rebar3 Review Comment: Noticed from rebar compiler, it leaves the `src/fast_pbkdf2/compile_commands.json`

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-06 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1383786902 ## rebar.config.script: ## @@ -157,7 +157,8 @@ DepDescs = [ {jiffy,"jiffy",{tag, "CouchDB-1.0.9-2"}}, {mochiweb, "mochiweb",

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-06 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1383718427 ## rebar.config.script: ## @@ -157,7 +157,8 @@ DepDescs = [ {jiffy,"jiffy",{tag, "CouchDB-1.0.9-2"}}, {mochiweb, "mochiweb",

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-06 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1383684384 ## rebar.config.script: ## @@ -157,7 +157,8 @@ DepDescs = [ {jiffy,"jiffy",{tag, "CouchDB-1.0.9-2"}}, {mochiweb, "mochiweb",

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-06 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1383534528 ## rebar.config.script: ## @@ -157,7 +157,8 @@ DepDescs = [ {jiffy,"jiffy",{tag, "CouchDB-1.0.9-2"}}, {mochiweb, "mochiweb",

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-02 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-179079 Sorry, I've modified this yet again. Notably I increase the default iterations to 50,000. I override this in a test to avoid adding a timer:sleep hack. I changed needs_upgrade to

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1379094457 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1379093773 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1379093552 ## src/couch/src/couch_passwords.erl: ## @@ -69,106 +68,74 @@ get_unhashed_admins() -> ({_User, "-pbkdf2-" ++ _}) -> % already hashed

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1379093251 ## src/couch/src/couch_password_hasher.erl: ## @@ -21,20 +21,41 @@ init/1, handle_call/3, handle_cast/2, +handle_info/2, code_change/3 ]).

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378989463 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378976731 ## src/couch/src/couch_password_hasher.erl: ## @@ -21,20 +21,41 @@ init/1, handle_call/3, handle_cast/2, +handle_info/2, code_change/3 ]).

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378872713 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378861581 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378853926 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378759270 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378758404 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-11-01 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378756370 ## src/couch/src/couch_password_hasher.erl: ## @@ -21,20 +21,41 @@ init/1, handle_call/3, handle_cast/2, +handle_info/2, code_change/3 ]).

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378395364 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378393624 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378384582 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378382278 ## src/couch/src/couch_passwords_cache.erl: ## @@ -0,0 +1,65 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378380253 ## src/couch/src/couch_passwords.erl: ## @@ -69,106 +68,74 @@ get_unhashed_admins() -> ({_User, "-pbkdf2-" ++ _}) -> % already hashed

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378380590 ## src/couch/src/couch_passwords.erl: ## @@ -69,106 +68,74 @@ get_unhashed_admins() -> ({_User, "-pbkdf2-" ++ _}) -> % already hashed

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378379988 ## src/couch/src/couch_passwords.erl: ## @@ -69,106 +68,74 @@ get_unhashed_admins() -> ({_User, "-pbkdf2-" ++ _}) -> % already hashed

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378379078 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378376532 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378374291 ## src/couch/src/couch_password_hasher.erl: ## @@ -21,20 +21,41 @@ init/1, handle_call/3, handle_cast/2, +handle_info/2, code_change/3 ]).

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378329308 ## src/couch/src/couch_password_hasher.erl: ## @@ -45,29 +66,95 @@ start_link() -> init(_Args) -> hash_admin_passwords(true), -{ok, #state{}}. +

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378048823 ## src/couch/src/couch_users_db.erl: ## @@ -63,6 +64,21 @@ before_doc_update(Doc, Db, _UpdateType) -> save_doc(#doc{body = {Body}} = Doc) -> %% Support both

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-31 Thread via GitHub
nickva commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1378046612 ## src/couch/src/couch_users_db.erl: ## @@ -63,6 +64,21 @@ before_doc_update(Doc, Db, _UpdateType) -> save_doc(#doc{body = {Body}} = Doc) -> %% Support both

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781911798 Ah indeed, is invoking the sha* functions from OpenSSL. The macros in fast_pbkdf2.c looked a bit confusing and it was hard to tell what was happening there. And you're right, in that

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781811900 (of course our current PBKDF2 implementation is bespoke anyway)

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781799017 Hm, on FIPS-140 the fundamental algorithms (the SHA family) are invoked from OpenSSL, which in such an environment is where the FIPS-140 "compliance" comes from. It will prevent the use

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781372183 > I've made the cache a configurable option. For deployments that are confident they avoid basic auth they can disable it without negative consequences Makes sense. Also,

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781301946 Noting I just rebased after making an important internal change. The salt value for the internal cache is now the same as the one from the users doc. This ensures that the entry is not

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-26 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1781298717 @nickva I've made the cache a configurable option. For deployments that are confident they avoid basic auth they can disable it without negative consequences.

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773480674 > I deliberately separated into multiple commits but I feel adding pbkdf2-sha256 with high iterations without the cache would lead to problems for folks. > The cache would be

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
big-r81 commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773263772 Some additional info about the iteration count: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773223659 Upstream OTP issue: https://github.com/erlang/otp/issues/7769

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
nickva commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773108294 > I'd considered https://github.com/esl/fast_pbkdf2/ before I noticed they'd made it part of crypto.erl. It just hadn't occurred to me that it would be worse. I will switch to fast_pbkdf2

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773072702 I deliberately separated into multiple commits but I feel adding pbkdf2-sha256 with high iterations without the cache would lead to problems for folks. The password cache could be

Re: [PR] Decouple offline hash strength from online [couchdb]

2023-10-20 Thread via GitHub
rnewson commented on PR #4814: URL: https://github.com/apache/couchdb/pull/4814#issuecomment-1773068107 I'd considered https://github.com/esl/fast_pbkdf2/ before I noticed they'd made it part of crypto.erl. It just hadn't occurred to me that it would be worse. I will switch to fast_pbkdf2