Upgrade hash algorithm for cookie auth

[big-r81]

Introduce a new config setting hash_algorithms.

The values of the new config parameter is a list of comma-separated values of Erlang hash algorithms.

An example:

hash_algorithms = sha256, sha, md5

This line will use and generate new cookies with the sha256 hash algorithm and accept/verify cookies with the given hash algorithms sha and md5.

Closing #4119.

[rnewson]

as commented

[jaydoane]

This looks really great!

I wonder if it might be useful to implements tests that:

• Demonstrate successfully decoding a cookie with a non-primary hash
• Demonstrate logging an unsupported hash algorithm

?

[big-r81]

This looks really great!

I wonder if it might be useful to implements tests that:

* Demonstrate successfully decoding a cookie with a non-primary hash

* Demonstrate logging an unsupported hash algorithm

?

Added some test cases.

[jaydoane]

Thanks for writing these tests!

module 'chttpd_auth_hash_algorithms_tests'
  Testing hash algorithms for cookie auth
    chttpd_auth_hash_algorithms_tests:31: -with/1-fun-0- (test_hash_algorithms_should_work)...[0.258 s] ok
    chttpd_auth_hash_algorithms_tests:31: -with/1-fun-0- (test_hash_algorithms_should_fail)...[0.002 s] ok
    [done in 0.266 s]
  [done in 4.361 s]
=======================================================
  2 tests passed.

LGTM! 👍

[nickva]

Noticed a recent failure in the full CI run referencing a "**error:{notsup,{"mac.c",264},"Unsupported digest algorithm"}"

https://ci-couchdb.apache.org/blue/organizations/jenkins/jenkins-cm1%2FFullPlatformMatrix/detail/main/327/pipeline/203

[2022-08-24T16:57:41.113Z] module 'chttpd_auth_hash_algorithms_tests'

[2022-08-24T16:57:41.113Z]   Testing hash algorithms for cookie auth

[2022-08-24T16:57:41.467Z]     chttpd_auth_hash_algorithms_tests:31: with (test_hash_algorithms_should_work)...*failed*

[2022-08-24T16:57:41.467Z] in function crypto:mac_nif/4

[2022-08-24T16:57:41.467Z]   called as mac_nif(hmac,blake2s,<<"305ead508cce07ab432b7cd9d6455349bc1dd8ebfa0524f039f502d3"...>>,"adm_user:63065885")

[2022-08-24T16:57:41.467Z] in call from chttpd_auth_hash_algorithms_tests:make_auth_session_string/4 (test/eunit/chttpd_auth_hash_algorithms_tests.erl, line 68)

[2022-08-24T16:57:41.467Z] in call from chttpd_auth_hash_algorithms_tests:test_hash_algorithm/2 (test/eunit/chttpd_auth_hash_algorithms_tests.erl, line 85)

[2022-08-24T16:57:41.467Z] in call from eunit_test:run_testfun/1 (eunit_test.erl, line 71)

[2022-08-24T16:57:41.467Z] in call from eunit_proc:run_test/1 (eunit_proc.erl, line 522)

[2022-08-24T16:57:41.467Z] in call from eunit_proc:with_timeout/3 (eunit_proc.erl, line 347)

[2022-08-24T16:57:41.467Z] in call from eunit_proc:handle_test/2 (eunit_proc.erl, line 505)

[2022-08-24T16:57:41.467Z] in call from eunit_proc:tests_inorder/3 (eunit_proc.erl, line 447)

[2022-08-24T16:57:41.467Z] **error:{notsup,{"mac.c",264},"Unsupported digest algorithm"}

[2022-08-24T16:57:41.467Z]   output:<<"">>

It may be related to this change, I didn't get a chance to dig in to find out

[big-r81]

I will look at this again.

1. why didn’t it fail in the PR-CI?
2. What Erlang version do we use in the Full CI?
3. It should skip a algorithm which doesn’t exists…
4. It seems blake2s as a test algorithm is the trigger…

[big-r81]

It fails on:

1. CentOS 7 with blake2s and
2. Ubuntu 22.04 with md4

I think they are not supported by the openssl version in erlang. Need to investigate why they are executed, if they are not supported...

[big-r81]

Found it, the test itself doesn't check for supported hash algorithms.
Refactor the test to use the checks too. See #4156.