commit 11e1258ccda688fd6f1414ac664c50df56ca2989
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Wed Feb 9 11:28:59 2022 -0600
Force algo specific maximum length & Properly trimm bcrypt hashed passwords
This is the squash of 2 patches related to bcrypt hashing settings.
1.
Force algo specific maximum length
The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0]. This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.
bcrypt hashing algorythm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.
With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.
Reviewed: https:/ /review. opendev. org/c/openstack /keystone/ +/893549 /opendev. org/openstack/ keystone/ commit/ 11e1258ccda688f d6f1414ac664c50 df56ca2989
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/wallaby
commit 11e1258ccda688f d6f1414ac664c50 df56ca2989
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Wed Feb 9 11:28:59 2022 -0600
Force algo specific maximum length & Properly trimm bcrypt hashed passwords
This is the squash of 2 patches related to bcrypt hashing settings.
1.
Force algo specific maximum length
The bcrypt algorithm that we use for password hashing silently length_ and_trunc_ password function for the hash in
length limits the size of the password that is hashed giving the
user a false sense of security [0]. This patch adds a check
in the verify_
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.
Conflicts:
* tox.ini
[0]: https:/ /passlib. readthedocs. io/en/stable/ lib/passlib. hash.bcrypt. html#security- issues
2.
Properly trimm bcrypt hashed passwords
bcrypt hashing algorythm has a limitation on length of passwords it str().encode( )) as trimming should be done based on bytes and not
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(
string itself.
With the change we return a byte object from length_ and_trunc_ password` , so it does not need to
`verify_
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.
[1] https:/ /review. opendev. org/c/openstack /keystone/ +/828595
Closes-Bug: #2028809 0046647b3d3dade ad1a6d054d1 7998f2add833c13 f45f257fe7) f473369b05c8d10 d77fb6710c)
Related-Bug: #1901891
original change id: Iea95a3c2df041a
(cherry picked from commit 6730c761d18aa54
(cherry picked from commit 65f1fb6b4a54386
Closes-bug: #1901891 7b5a66b94af6f8e 198084fcd8d 12c36fb78ac9309 ce8c554827) f7b95cc1874a450 accad3ec8d) b271ef7ec5e07f8 f9c97f926d) 2c0f17bb80d895c cc1e39a010)
Change-Id: I8d0bb2438b2322
(cherry picked from commit 3288af579de8ee3
(cherry picked from commit 1b3536a7a4d72e7
(cherry picked from commit 7852ca24a4eb86c
(cherry picked from commit a38ba2a70cdf7e7