Comment 9 for bug 2028809

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/891115
Committed: https://opendev.org/openstack/keystone/commit/df54af90d03b14ebcd6e662bc8ece1fc52ea7c1d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit df54af90d03b14ebcd6e662bc8ece1fc52ea7c1d
Author: Dmitriy Rabotyagov <email address hidden>
Date: Wed Aug 9 20:41:05 2023 +0200

    Properly trim bcrypt hashed passwords

    bcrypt hashing algorithm has a limitation on length of passwords it
    can hash on 72 bytes. In [1] a password trim to 54 symbols has been
    implemented, which resulted in password being invalidated after the
    keystone upgrade, since passwords are trimmed differently by bcrypt
    itself, as well as len(str()) is not always equal to
    len(str().encode()) as trimming should be done based on bytes and not
    string itself.

    With the change we return a byte object from
    `verify_length_and_trunc_password`, so it does not need to
    be encoded afterwards, since we need to strip based on bytes
    rather than on length of the string.

    [1] https://review.opendev.org/c/openstack/keystone/+/828595

    Closes-Bug: #2028809
    Related-Bug: #1901891
    Change-Id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
    (cherry picked from commit 6730c761d18aa547998f2add833c13f45f257fe7)
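
An illustration of the byte-versus-character mismatch the commit message describes, added here and not keystone's code. `model_bcrypt` is a SHA-256 stand-in that, like bcrypt, ignores input past 72 bytes; the function names and sample passwords are constructed for this example.

```python
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt input limit named in the commit message
OLD_CHAR_LIMIT = 54    # character-based trim introduced by change [1]

def model_bcrypt(data: bytes, salt: bytes = b"constructed-salt") -> str:
    """Stand-in for bcrypt: only the first 72 bytes influence the digest."""
    return hashlib.sha256(salt + data[:BCRYPT_MAX_BYTES]).hexdigest()

def trim_by_chars(password: str) -> bytes:
    """Regressed behaviour: cut the str to 54 characters, then encode."""
    return password[:OLD_CHAR_LIMIT].encode("utf-8")

def trim_by_bytes(password: str) -> bytes:
    """Behaviour described by the fix: encode first, then cut to 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]

def survives_upgrade(password: str, trim) -> bool:
    """Does a hash stored before any trimming still verify once `trim` is applied?"""
    # Pre-upgrade: the full encoding was passed in and bcrypt truncated it itself.
    stored = model_bcrypt(password.encode("utf-8"))
    return model_bcrypt(trim(password)) == stored

# Constructed sample passwords (not taken from the bug report).
SAMPLES = {
    "ascii-40": "a" * 40,                  # under both limits
    "ascii-60": "a" * 54 + "b" * 6,        # 60 chars = 60 bytes
    "ascii-80": "a" * 54 + "b" * 26,       # 80 bytes, bcrypt keeps the first 72
    "2byte-60": "\u00e9" * 60,             # 60 chars = 120 bytes
    "mixed-60": "a" * 50 + "\u00e9" * 10,  # 60 chars = 70 bytes
}

def report():
    """Map name -> (chars, bytes, ok with char trim, ok with byte trim)."""
    return {name: (len(pw), len(pw.encode("utf-8")),
                   survives_upgrade(pw, trim_by_chars),
                   survives_upgrade(pw, trim_by_bytes))
            for name, pw in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, "chars=%d bytes=%d char_trim_ok=%s byte_trim_ok=%s" % row)
```

In this model, a password longer than 54 characters stops verifying under the character trim only when its first 54 characters encode to fewer than 72 bytes; the byte-based trim matches the stored hash in every case.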