Improper use of Hash for MAC
Bug #1191466 reported by
Donald Stufft
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Security Advisory |
Invalid
|
Undecided
|
Unassigned | ||
| python-keystoneclient |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
I noticed that within python-keystone client the memcache_crypt middleware uses a simple sha1 as a MAC. This is bad to do because a general hash function is not designed to work as a MAC and thus are often vulnerable to a number of attacks. I suggest that instead the hmac library in the python stdlib is used.
The code in question is here:
https:/
Revision history for this message
| Thierry Carrez (ttx) wrote | #1 |
| Changed in ossa: | |
| status: | New → Incomplete |
Revision history for this message
| Thierry Carrez (ttx) wrote | #2 |
Revision history for this message
| Donald Stufft (dstufft) wrote | #3 |
Revision history for this message
| Thierry Carrez (ttx) wrote | #4 |
| Changed in python-keystoneclient: | |
| status: | New → Invalid |
| Changed in ossa: | |
| status: | Incomplete → Invalid |
| information type: | Private Security → Public |
To post a comment you must log in.
Several improvements are being rolled up in a security advisory going out Wednesday. We'll see if this still applies after that one is disclosed.