openstack-org

Two nonce collided - OpenStackID

Bug #1431496 reported by Jimmy McArthur on 2015-03-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	openstack-org	Fix Released	Undecided	Jimmy McArthur

Bug Description

Openid.response_nonce
Value: A string 255 characters or less in length, that MUST be unique to this particular successful authentication response. The nonce MUST start with the current time on the server, and MAY contain additional ASCII characters in the range 33-126 inclusive (printable non-whitespace characters), as necessary to make each response unique. The date and time MUST be formatted as specified in section 5.6 of [RFC3339], with the following restrictions:

All times must be in the UTC timezone, indicated with a "Z".
No fractional seconds are allowed
For example: 2005-05-15T17:11:51ZUNIQUE
these are the offending entries on table oid_nonces
https://openstackid.org/accounts/openid2-1426152871-55015da78cfd
https://openstackid.org/accounts/openid2-1426153018-55015e3a844d

Revision history for this message

Jimmy McArthur (jimmy-l) wrote on 2015-03-12:

The following fix was applied and released shortly after the initial bug report:

used a stronger ramdon string generation algo (Zend lib)
https://review.openstack.org/#/c/163814/

Changed in openstack-org:
assignee:	nobody → Jimmy McArthur (jimmy-l)
status:	New → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-13: Fix proposed to openstackid (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164203

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-13: Fix merged to openstackid (master)

Reviewed: https://review.openstack.org/164203
Committed: https://git.openstack.org/cgit/openstack-infra/openstackid/commit/?id=02218a989d6a33f49ed9b142f172f685168160fb
Submitter: Jenkins
Branch: master

commit 02218a989d6a33f49ed9b142f172f685168160fb
Author: Sebastian Marcet <email address hidden>
Date: Fri Mar 13 11:42:19 2015 -0300

Fix on NONCE collision

Now Algorithm uses REDIS cache to ensure uniqueness of
each emitted NONCE (OpendID/OAUTH2).

Change-Id: I0b47d47a8e68274f1b89d86e9b3e84bc6ff999eb
Closes-Bug: #1431496

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.