keystone

History

Dave Wilde (d34dh0r53) 7852ca24a4 Force algo specific maximum length & Properly trimm bcrypt hashed passwords This is the squash of 2 patches related to bcrypt hashing settings. 1. Force algo specific maximum length The bcrypt algorithm that we use for password hashing silently length limits the size of the password that is hashed giving the user a false sense of security [0]. This patch adds a check in the verify_length_and_trunc_password function for the hash in use and updates the max_length accordingly, this will override the configured value and log a warning if the password is truncated. Conflicts: * tox.ini [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues 2. Properly trimm bcrypt hashed passwords bcrypt hashing algorythm has a limitation on length of passwords it can hash on 72 bytes. In [1] a password trimm to 54 symbols has been implemented, which resulted in password being invalidated after the keystone upgrade, since passwords are trimmed differently by bcrypt itself, as well as len(str()) is not always equal to len(str().encode()) as trimming should be done based on bytes and not string itself. With the change we return a byte object from `verify_length_and_trunc_password`, so it does not need to be encoded afterwards, since we need to strip based on bytes rather then on length of the string. [1] https://review.opendev.org/c/openstack/keystone/+/828595 Closes-Bug: #2028809 Related-Bug: #1901891 original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1 (cherry picked from commit `6730c761d1`) (cherry picked from commit `65f1fb6b4a`) Closes-bug: #1901891 Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d (cherry picked from commit `3288af579d`) (cherry picked from commit `1b3536a7a4`)	2023-08-22 15:07:05 +02:00
..
notes	Force algo specific maximum length & Properly trimm bcrypt hashed passwords	2023-08-22 15:07:05 +02:00
source	Update master for stable/xena	2021-09-17 15:54:38 +00:00

Dave Wilde (d34dh0r53) 7852ca24a4 Force algo specific maximum length & Properly trimm bcrypt hashed passwords

This is the squash of 2 patches related to bcrypt hashing settings.

1.
Force algo specific maximum length

The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0].  This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.

Conflicts:
* tox.ini

[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues

2.
Properly trimm bcrypt hashed passwords

bcrypt  hashing algorythm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.

With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.

[1] https://review.opendev.org/c/openstack/keystone/+/828595

Closes-Bug: #2028809
Related-Bug: #1901891
original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
(cherry picked from commit 6730c761d1)
(cherry picked from commit 65f1fb6b4a)

Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
(cherry picked from commit 3288af579d)
(cherry picked from commit 1b3536a7a4)

2023-08-22 15:07:05 +02:00

notes Force algo specific maximum length & Properly trimm bcrypt hashed passwords 2023-08-22 15:07:05 +02:00

source Update master for stable/xena 2021-09-17 15:54:38 +00:00