[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ie524125dc5f6f1076bfd47db3a414b178e4dac80

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Thu Apr 3 21:38:10 UTC 2014


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80398

Log:
commit e2156a1ade245f947ba4a418962b8c3ca87ff389
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Thu Mar 13 15:38:34 2014 -0500

    Allow hash tokens with sha256
    
    PKI Tokens were always hashed with MD5. This change allows
    tokens to be hashed with SHA256 or any other algorithm
    supported by hashlib. This is for security hardening.
    
    If the new 'hash_algorithm' configuration option is set to
    'sha256' then the auth_token middleware will hash tokens using
    SHA256 when tokens are stored in the cache. The
    'hash_algorithm' option defaults to 'md5' for backwards
    compatibility.
    
    The auth_token middleware will also accept a new format for
    the revocation list. If the revocation list has the
    'hash_algorithm' field set then that algorithm will be used to
    hash the PKI token to compare against the IDs in the
    revocation list. If the revocation list doesn't have the
    'hash_algorithm' field set then MD5 will be used for backwards
    compatibility.
    
    SecurityImpact
    DocImpact
    Closes-Bug: #1174499
    
    Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
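
The revocation check the commit message describes, as an added example that is not part of the patch or of python-keystoneclient. The `revoked`/`id` list layout, the function names and the sample token are assumptions made for illustration.

```python
import hashlib

DEFAULT_HASH_ALGORITHM = "md5"  # backwards-compatible default from the commit message


def hash_token(token, algorithm=DEFAULT_HASH_ALGORITHM):
    """Hex digest of a token under any algorithm hashlib supports."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported hash algorithm: %r" % (algorithm,))
    return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()


def is_revoked(token, revocation_list):
    """Hash the token with the algorithm the revocation list declares.

    A list without 'hash_algorithm' is the old format and holds MD5 IDs.
    """
    algorithm = revocation_list.get("hash_algorithm", DEFAULT_HASH_ALGORITHM)
    revoked_ids = {entry["id"] for entry in revocation_list.get("revoked", [])}
    return hash_token(token, algorithm) in revoked_ids


def cache_key_in_list(token, cache_algorithm, revocation_list):
    """Naive check: reuse the cache key as the revocation ID.

    This misses revoked tokens when the cache and the list use different algorithms.
    """
    revoked_ids = {entry["id"] for entry in revocation_list.get("revoked", [])}
    return hash_token(token, cache_algorithm) in revoked_ids


# Constructed sample data, not a real token or a real revocation list.
SAMPLE_TOKEN = "MIIconstructed-sample-pki-token"
OLD_FORMAT_LIST = {"revoked": [{"id": hashlib.md5(SAMPLE_TOKEN.encode()).hexdigest()}]}
NEW_FORMAT_LIST = {
    "hash_algorithm": "sha256",
    "revoked": [{"id": hashlib.sha256(SAMPLE_TOKEN.encode()).hexdigest()}],
}

if __name__ == "__main__":
    for name, rl in (("old", OLD_FORMAT_LIST), ("new", NEW_FORMAT_LIST)):
        print(name, "format | list-declared algorithm:", is_revoked(SAMPLE_TOKEN, rl),
              "| sha256 cache key:", cache_key_in_list(SAMPLE_TOKEN, "sha256", rl))
```

With the cache set to SHA256 and an old-format list, the naive cache-key comparison reports the revoked sample token as valid, while hashing with the list's declared algorithm catches it.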
