keystone/releasenotes/notes/bcrypt_truncation_fix-674dc5d7f1e776f2.yaml
Dmitriy Rabotyagov 6730c761d1 Properly trimm bcrypt hashed passwords
bcrypt  hashing algorythm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.

With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.

[1] https://review.opendev.org/c/openstack/keystone/+/828595

Closes-Bug: #2028809
Related-Bug: #1901891
Change-Id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
2023-08-10 11:35:32 +00:00

8 lines
261 B
YAML

---
fixes:
- |
Passwords that are hashed using bcrypt are now truncated properly to the
maximum allowed length by the algorythm. This solves regression, when
passwords longer then 54 symbols are getting invalidated after the
Keystone upgrade.