bcrypt hashing algorithm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trim to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.

With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather than on length of the string.
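The following Python is an added illustration of the point made above; it is not keystone's code and does not import bcrypt. `BCRYPT_MAX_BYTES` is bcrypt's documented 72-byte input limit and `OLD_TRIM_CHARS` is the 54-symbol trim the report describes; `bcrypt_effective_input()` stands in for the truncation bcrypt applies internally, and all names except `verify_length_and_trunc_password` (and the sample passwords) are assumptions of this example. It compares three trimming strategies against the bytes bcrypt would actually have hashed, which is what decides whether previously stored hashes keep verifying after an upgrade.

```python
# Added illustration (not keystone's code): why a bcrypt password trim must be
# done on UTF-8 bytes rather than on characters. bcrypt itself is not used;
# bcrypt_effective_input() models the 72-byte cut bcrypt applies internally.

BCRYPT_MAX_BYTES = 72   # bcrypt ignores everything past byte 72 of its input
OLD_TRIM_CHARS = 54     # character-based trim described in the bug report


def bcrypt_effective_input(password_bytes: bytes) -> bytes:
    """What bcrypt actually hashes: the first 72 bytes, cut at a raw byte
    offset, even if that offset falls inside a multibyte UTF-8 character."""
    return password_bytes[:BCRYPT_MAX_BYTES]


def trim_by_characters(password: str, max_chars: int = OLD_TRIM_CHARS) -> bytes:
    """The problematic variant: trim on str length, encode afterwards.
    For an ASCII password longer than 54 characters this yields 54 bytes, not
    the 72 bytes bcrypt hashed before the trim existed, so older hashes stop
    verifying. For non-ASCII input the result can still exceed 72 bytes,
    because len(s) != len(s.encode('utf-8'))."""
    return password[:max_chars].encode('utf-8')


def verify_length_and_trunc_password(password: str,
                                     max_bytes: int = BCRYPT_MAX_BYTES) -> bytes:
    """Byte-based trim as the fix describes: encode first, slice bytes, and
    return bytes so callers do not encode a second time.

    The raw byte slice is deliberate: it reproduces exactly what bcrypt would
    have seen for the untrimmed password, which keeps old hashes valid."""
    return password.encode('utf-8')[:max_bytes]


def trim_at_char_boundary(password: str,
                          max_bytes: int = BCRYPT_MAX_BYTES) -> bytes:
    """For contrast only: a trim that never splits a character. It is NOT
    compatible with bcrypt's own truncation when byte 72 falls inside a
    multibyte character, so it too would invalidate existing hashes."""
    cut = password.encode('utf-8')[:max_bytes]
    # errors='ignore' drops an incomplete trailing multibyte sequence
    return cut.decode('utf-8', errors='ignore').encode('utf-8')


def matches_bcrypt(trimmed: bytes, password: str) -> bool:
    """True if a trimming strategy produced exactly the bytes bcrypt would
    have hashed for the untrimmed password (i.e. stored hashes stay valid)."""
    return trimmed == bcrypt_effective_input(password.encode('utf-8'))


def compare_strategies(password: str) -> dict:
    """Run every strategy on one password and report which ones agree with
    bcrypt's own truncation."""
    return {
        'chars': len(password),
        'bytes': len(password.encode('utf-8')),
        'char_trim_ok': matches_bcrypt(trim_by_characters(password), password),
        'byte_trim_ok': matches_bcrypt(
            verify_length_and_trunc_password(password), password),
        'boundary_trim_ok': matches_bcrypt(
            trim_at_char_boundary(password), password),
    }


if __name__ == '__main__':
    # Constructed sample passwords, not real credentials.
    for pw in ('a' * 100,             # long ASCII: 100 chars, 100 bytes
               '\u00e9' * 40,         # 40 x 'é': 40 chars, 80 bytes
               'a' * 71 + '\u00e9'):  # byte 72 falls inside the final 'é'
        print(repr(pw[:8]) + '...', compare_strategies(pw))
```

Only the plain byte slice agrees with bcrypt on all three inputs: the character trim diverges for any ASCII password longer than 54 characters (the upgrade-invalidation case from the report), and the boundary-aware trim diverges whenever byte 72 lands mid-character. Passwords of 54 ASCII characters or fewer are unaffected by every strategy, which is consistent with only long passwords breaking.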
Reviewed:  https://review.opendev.org/c/openstack/keystone/+/891115
Committed: https://opendev.org/openstack/keystone/commit/df54af90d03b14ebcd6e662bc8ece1fc52ea7c1d
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit df54af90d03b14ebcd6e662bc8ece1fc52ea7c1d
Author: Dmitriy Rabotyagov <email address hidden>
Date: Wed Aug 9 20:41:05 2023 +0200
    Properly trim bcrypt hashed passwords

    bcrypt hashing algorithm has a limitation on length of passwords it
    can hash on 72 bytes. In [1] a password trim to 54 symbols has been
    implemented, which resulted in password being invalidated after the
    keystone upgrade, since passwords are trimmed differently by bcrypt
    itself, as well as len(str()) is not always equal to
    len(str().encode()) as trimming should be done based on bytes and not
    string itself.

    With the change we return a byte object from
    `verify_length_and_trunc_password`, so it does not need to
    be encoded afterwards, since we need to strip based on bytes
    rather than on length of the string.

    [1] https://review.opendev.org/c/openstack/keystone/+/828595

    Closes-Bug: #2028809
    Related-Bug: #1901891
    Change-Id: Iea95a3c2df041aad1a6d054d17998f2add833c13
    (cherry picked from commit 6730c761d18aa540046647b3d3dadef45f257fe7)