[Openstack-security] [openstack/keystone] SecurityImpact review request change Iafe3c975d59818c8f362647f7ea5149a03deee47
gerrit2 at review.openstack.org
Fri Apr 4 00:07:04 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80401
Log:
commit 893e048b2eb9cddea9a64396bf2c80cb56711845
Author: Brant Knudson <bknudson at us.ibm.com>
Date: Thu Mar 27 19:10:10 2014 -0500
Configurable token hash algorithm
Tokens were always hashed with MD5. This change allows tokens to
be hashed with SHA256 (or any other algorithm supported by the
keystoneclient token hash function). This is for security
hardening.
There's a new configuration option 'hash_algorithm' in the [token]
section. This is the algorithm to use for hashing PKI tokens, so is used
a) when storing the token in the db
b) as the hash in the revocation list
hash_algorithm defaults to 'md5' for backwards compatibility, and
can be set to any hash algorithm that keystoneclient supports
(such as 'sha256').
The hash algorithm is set on the revocation list object for use
by the auth_token middleware.
SecurityImpact
DocImpact
Closes-Bug: #1174499
Change-Id: Iafe3c975d59818c8f362647f7ea5149a03deee47
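An added illustration of the behaviour the commit message describes (this is example code written for this page, not keystone or keystoneclient code): a token hash function parameterised by algorithm name, with 'md5' as the backwards-compatible default, and a revocation list keyed by that hash. The sample token string and the RevocationList class are constructed for the example; the real keystoneclient hash function and the real PKI token format are not reproduced here. The mismatch check shows why the algorithm has to be carried on the revocation list for the auth_token middleware: a token revoked under one algorithm is invisible to a lookup that hashes with another.

```python
import hashlib

# Constructed sample token ID. A real PKI token is a much longer
# CMS-signed blob; the hashing logic does not care about its contents.
SAMPLE_TOKEN = "MIIB-constructed-sample-pki-token-not-a-real-one"


def hash_token(token_id, algorithm="md5"):
    """Hash a PKI token ID with the configured algorithm.

    Plays the role of the [token] hash_algorithm option: 'md5' is the
    backwards-compatible default, and any digest name hashlib knows
    (e.g. 'sha256') is accepted. Stand-in for the keystoneclient token
    hash function, not that code.
    """
    try:
        digest = hashlib.new(algorithm)
    except ValueError:
        # Unknown name (or a digest disabled by the platform's policy).
        raise ValueError("unsupported hash_algorithm: %r" % (algorithm,))
    digest.update(token_id.encode("utf-8"))
    return digest.hexdigest()


class RevocationList(object):
    """Hypothetical revocation list keyed by token hash.

    The algorithm used to build the list is recorded on the object, which
    is what lets a consumer (such as auth_token middleware) hash incoming
    tokens the same way before looking them up.
    """

    def __init__(self, algorithm="md5"):
        self.algorithm = algorithm
        self._revoked = set()

    def revoke(self, token_id):
        self._revoked.add(hash_token(token_id, self.algorithm))

    def is_revoked(self, token_id, algorithm=None):
        """Membership test.

        `algorithm` is what the caller uses to hash the token; if omitted,
        the list's own advertised algorithm is used, which is the correct
        behaviour. Passing a different name models a misconfigured client.
        """
        alg = algorithm or self.algorithm
        return hash_token(token_id, alg) in self._revoked


def algorithm_mismatch_hides_revocation(token_id=SAMPLE_TOKEN):
    """Return True if a sha256-keyed list fails to find a token that a
    client looks up with md5 hashes, i.e. the revocation is missed."""
    revoked = RevocationList(algorithm="sha256")
    revoked.revoke(token_id)
    found_with_list_algorithm = revoked.is_revoked(token_id)
    found_with_md5 = revoked.is_revoked(token_id, algorithm="md5")
    return found_with_list_algorithm and not found_with_md5


if __name__ == "__main__":
    for alg in ("md5", "sha256"):
        print(alg, hash_token(SAMPLE_TOKEN, alg))
    print("mismatch hides revocation:", algorithm_mismatch_hides_revocation())
```

The digest name is passed straight to hashlib.new, so the same string that would go into hash_algorithm works here; on a host whose crypto policy disables MD5, hashlib.new("md5") itself raises ValueError, which the function reports as an unsupported algorithm rather than silently falling back.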