[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ie524125dc5f6f1076bfd47db3a414b178e4dac80

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Thu Apr 3 19:33:14 UTC 2014


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80398

Log:
commit dde7670369cc8cbc3fe1633935eeab218b93ea17
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Thu Mar 13 15:38:34 2014 -0500

    Allow hash tokens with sha256
    
    Tokens were always hashed with md5. This change allows tokens to
    be hashed with sha256 or any other algorithm supported by hashlib.
    This is for security hardening.
    
    If the new 'hash_algorithm' configuration option is set to 'sha256'
    then the auth_token middleware will hash tokens using 'sha256' when
    
    a) Tokens are stored to the cache.
    b) Tokens are hashed to compare against the revocation list.
    
    Using this will require that the Keystone server is also configured
    to use the same algorithm for tokens, otherwise the revocation list
    comparison isn't going to work. The 'hash_algorithm' option defaults
    to 'md5' for backwards compatibility.
    
    SecurityImpact
    DocImpact
    Closes-Bug: #1174499
    
    Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
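
The revocation-list comparison described in the commit message, as an added example that is not code from python-keystoneclient or Keystone. The function names, the token value, and the length-based consistency check are assumptions made for illustration; it shows that a revoked token is not matched when the server and the middleware hash with different algorithms.

```python
import hashlib

# Constructed sample token ID, not a real Keystone token.
REVOKED_TOKEN = "constructed-token-0001"


def hash_token(token_id, algorithm="md5"):
    """Hash a token ID with any algorithm hashlib supports (hypothetical helper)."""
    hasher = hashlib.new(algorithm)
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


def build_revocation_list(revoked_token_ids, server_algorithm):
    """Server side: publish the hashes of revoked token IDs."""
    return {hash_token(t, server_algorithm) for t in revoked_token_ids}


def is_revoked(token_id, revocation_list, middleware_algorithm):
    """Middleware side: hash the presented token and look it up in the list."""
    return hash_token(token_id, middleware_algorithm) in revocation_list


def mismatched_entries(revocation_list, middleware_algorithm):
    """Return entries whose hex length cannot come from the configured algorithm.

    A non-empty result means the two sides disagree on the algorithm, so
    lookups will miss. Equal length does not prove the algorithms match.
    """
    expected_len = hashlib.new(middleware_algorithm).digest_size * 2
    return sorted(e for e in revocation_list if len(e) != expected_len)


if __name__ == "__main__":
    for server_alg in ("sha256", "md5"):
        rev_list = build_revocation_list([REVOKED_TOKEN], server_alg)
        print("server=%s middleware=sha256 revoked=%s mismatched=%d" % (
            server_alg,
            is_revoked(REVOKED_TOKEN, rev_list, "sha256"),
            len(mismatched_entries(rev_list, "sha256")),
        ))
```

When the algorithms differ the lookup fails without raising an error, so a deployment check such as the length comparison above is one way to surface the misconfiguration.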




