-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade hash algorithm for cookie auth #4140
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as commented
af63e60
to
30ce151
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really great!
I wonder if it might be useful to implements tests that:
- Demonstrate successfully decoding a cookie with a non-primary hash
- Demonstrate logging an unsupported hash algorithm
?
Added some test cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for writing these tests!
module 'chttpd_auth_hash_algorithms_tests'
Testing hash algorithms for cookie auth
chttpd_auth_hash_algorithms_tests:31: -with/1-fun-0- (test_hash_algorithms_should_work)...[0.258 s] ok
chttpd_auth_hash_algorithms_tests:31: -with/1-fun-0- (test_hash_algorithms_should_fail)...[0.002 s] ok
[done in 0.266 s]
[done in 4.361 s]
=======================================================
2 tests passed.
LGTM! 👍
Noticed a recent failure in the full CI run referencing a "**error:{notsup,{"mac.c",264},"Unsupported digest algorithm"}"
It may be related to this change, I didn't get a chance to dig in to find out |
I will look at this again.
|
It fails on:
I think they are not supported by the openssl version in erlang. Need to investigate why they are executed, if they are not supported... |
Found it, the test itself doesn't check for supported hash algorithms. |
Introduce a new config setting "hash_algorithms". The values of the new config parameter is a list of comma-separated values of Erlang hash algorithms. An example: hash_algorithms = sha256, sha, md5 This line will use and generate new cookies with the sha256 hash algorithm and accept/verify cookies with the given hash algorithms sha256, sha and md5.
Introduce a new config setting
hash_algorithms
.The values of the new config parameter is a list of comma-separated values of Erlang hash algorithms.
An example:
hash_algorithms = sha256, sha, md5
This line will use and generate new cookies with the
sha256
hash algorithm and accept/verify cookies with the given hash algorithmssha
andmd5
.Closing #4119.