Use the built-in crypto:pbkdf2_hmac function

The fix to make `crypto:pbkdf2_hmac/5` yield properly is now in all the supported Erlang/OTP versions, so we can switch to use it [1]. This also removes the build dependency on OpenSSL dev package. [1] erlang/otp#8174
apache · May 13, 2024 · ada5135 · ada5135
1 parent 105cf01
commit ada5135
Show file tree

Hide file tree

Showing 17 changed files with 10 additions and 1,338 deletions.
diff --git a/rebar.config.script b/rebar.config.script
@@ -80,9 +80,15 @@ BadErlang = fun(Ver) ->
     end
 end.
 
+% crypto:pbkdf2_hmac/5 was blocking schedulers in
+% versions < 24.3.4.17, < 25.3.2.10 and < 26.2.3
+%
 case VerList of
     % Leave example around if we have to exlude specific versions
     % [22, 0, N | _] when N < 5 -> BadErlang(VerString);
+    [24, 3, 4, N | _] when N < 17 -> BadErlang(VerString);
+    [25, 3, 2, N | _] when N < 10 -> BadErlang(VerString);
+    [26, 2, N | _] when N < 3 -> BadErlang(VerString);
     _ -> ok
 end.
 
@@ -116,7 +122,6 @@ SubDirs = [
     "src/chttpd",
     "src/couch",
     "src/couch_event",
-    "src/fast_pbkdf2",
     "src/mem3",
     "src/couch_index",
     "src/couch_mrview",

diff --git a/rel/reltool.config b/rel/reltool.config
@@ -66,8 +66,7 @@
 
         %% extra
         nouveau,
-        recon,
-        fast_pbkdf2
+        recon
     ]},
     {rel, "start_clean", "", [kernel, stdlib]},
     {boot_rel, "couchdb"},
@@ -130,8 +129,7 @@
 
     %% extra
     {app, nouveau, [{incl_cond, include}]},
-    {app, recon, [{incl_cond, include}]},
-    {app, fast_pbkdf2, [{incl_cond, include}]}
+    {app, recon, [{incl_cond, include}]}
 ]}.
 
 {overlay_vars, "couchdb.config"}.

diff --git a/src/couch/src/couch.app.src b/src/couch/src/couch.app.src
@@ -38,7 +38,6 @@
         % Upstream deps
         ibrowse,
         mochiweb,
-        fast_pbkdf2,
 
         % ASF deps
         couch_epi,

diff --git a/src/couch/src/couch_passwords.erl b/src/couch/src/couch_passwords.erl
@@ -108,7 +108,7 @@ pbkdf2(PRF, Password, Salt, Iterations, KeyLen) when
     KeyLen > 0
 ->
     couch_stats:increment_counter([couchdb, password_hashing_slow]),
-    DerivedKey = fast_pbkdf2:pbkdf2(PRF, Password, Salt, Iterations, KeyLen),
+    DerivedKey = crypto:pbkdf2_hmac(PRF, Password, Salt, Iterations, KeyLen),
     couch_util:to_hex_bin(DerivedKey);
 pbkdf2(PRF, Password, Salt, Iterations, KeyLen) when
     is_atom(PRF),

diff --git a/src/couch/src/couch_passwords_cache.erl b/src/couch/src/couch_passwords_cache.erl
@@ -72,4 +72,4 @@ insert(AuthModule, UserName, Password, Salt) when
 
 hash(Password, Salt) ->
     couch_stats:increment_counter([couchdb, password_hashing_fast]),
-    fast_pbkdf2:pbkdf2(sha256, Password, Salt, ?FAST_ITERATIONS, ?SHA256_OUTPUT_LEN).
+    crypto:pbkdf2_hmac(sha256, Password, Salt, ?FAST_ITERATIONS, ?SHA256_OUTPUT_LEN).
diff --git a/src/fast_pbkdf2/.gitignore b/src/fast_pbkdf2/.gitignore
diff --git a/src/fast_pbkdf2/LICENSE b/src/fast_pbkdf2/LICENSE
diff --git a/src/fast_pbkdf2/README.md b/src/fast_pbkdf2/README.md
diff --git a/src/fast_pbkdf2/benchmarks/bench.ex b/src/fast_pbkdf2/benchmarks/bench.ex