OpenStack Identity (keystone)

Bug #2028809
Comment #23

Comment 23 for bug 2028809

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-09-07: Fix merged to keystone (stable/victoria)

#23

Reviewed: https://review.opendev.org/c/openstack/keystone/+/893944
Committed: https://opendev.org/openstack/keystone/commit/0d5186cb49f452423240e8c6234ca2b753918fe7
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 0d5186cb49f452423240e8c6234ca2b753918fe7
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Wed Feb 9 11:28:59 2022 -0600

Force algo specific maximum length & Properly trimm bcrypt hashed passwords

This is the squash of 2 patches related to bcrypt hashing settings.

1.
Force algo specific maximum length

    The bcrypt algorithm that we use for password hashing silently
    length limits the size of the password that is hashed giving the
    user a false sense of security [0]. This patch adds a check
    in the verify_length_and_trunc_password function for the hash in
    use and updates the max_length accordingly, this will override
    the configured value and log a warning if the password is truncated.

Conflicts:
* tox.ini

[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues

2.
Properly trimm bcrypt hashed passwords

    bcrypt hashing algorythm has a limitation on length of passwords it
    can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
    implemented, which resulted in password being invalidated after the
    keystone upgrade, since passwords are trimmed differently by bcrypt
    itself, as well as len(str()) is not always equal to
    len(str().encode()) as trimming should be done based on bytes and not
    string itself.

    With the change we return a byte object from
    `verify_length_and_trunc_password`, so it does not need to
    be encoded afterwards, since we need to strip based on bytes
    rather then on length of the string.

[1] https://review.opendev.org/c/openstack/keystone/+/828595

    Closes-Bug: #2028809
    Related-Bug: #1901891
    original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
    (cherry picked from commit 6730c761d18aa547998f2add833c13f45f257fe7)
    (cherry picked from commit 65f1fb6b4a54386f473369b05c8d10d77fb6710c)

    Closes-bug: #1901891
    Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
    (cherry picked from commit 3288af579de8ee312c36fb78ac9309ce8c554827)
    (cherry picked from commit 1b3536a7a4d72e7f7b95cc1874a450accad3ec8d)
    (cherry picked from commit 7852ca24a4eb86cb271ef7ec5e07f8f9c97f926d)
    (cherry picked from commit a38ba2a70cdf7e72c0f17bb80d895ccc1e39a010)
    (cherry picked from commit 11e1258ccda688fd6f1414ac664c50df56ca2989)

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/893944
Committed: https://opendev.org/openstack/keystone/commit/0d5186cb49f452423240e8c6234ca2b753918fe7
Submitter: "Zuul (22348)"
Branch:    stable/victoria

commit 0d5186cb49f452423240e8c6234ca2b753918fe7
Author: Dave Wilde (d34dh0r53) <dwilde@redhat.com>
Date:   Wed Feb 9 11:28:59 2022 -0600

Force algo specific maximum length & Properly trimm bcrypt hashed passwords
    
    This is the squash of 2 patches related to bcrypt hashing settings.
    
    1.
    Force algo specific maximum length
    
    The bcrypt algorithm that we use for password hashing silently
    length limits the size of the password that is hashed giving the
    user a false sense of security [0].  This patch adds a check
    in the verify_length_and_trunc_password function for the hash in
    use and updates the max_length accordingly, this will override
    the configured value and log a warning if the password is truncated.
    
    Conflicts:
    * tox.ini
    
    [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
    
    2.
    Properly trimm bcrypt hashed passwords
    
    bcrypt  hashing algorythm has a limitation on length of passwords it
    can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
    implemented, which resulted in password being invalidated after the
    keystone upgrade, since passwords are trimmed differently by bcrypt
    itself, as well as len(str()) is not always equal to
    len(str().encode()) as trimming should be done based on bytes and not
    string itself.
    
    With the change we return a byte object from
    `verify_length_and_trunc_password`, so it does not need to
    be encoded afterwards, since we need to strip based on bytes
    rather then on length of the string.
    
    [1] https://review.opendev.org/c/openstack/keystone/+/828595
    
    Closes-Bug: #2028809
    Related-Bug: #1901891
    original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
    (cherry picked from commit 6730c761d18aa547998f2add833c13f45f257fe7)
    (cherry picked from commit 65f1fb6b4a54386f473369b05c8d10d77fb6710c)
    
    Closes-bug: #1901891
    Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
    (cherry picked from commit 3288af579de8ee312c36fb78ac9309ce8c554827)
    (cherry picked from commit 1b3536a7a4d72e7f7b95cc1874a450accad3ec8d)
    (cherry picked from commit 7852ca24a4eb86cb271ef7ec5e07f8f9c97f926d)
    (cherry picked from commit a38ba2a70cdf7e72c0f17bb80d895ccc1e39a010)
    (cherry picked from commit 11e1258ccda688fd6f1414ac664c50df56ca2989)