[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ie524125dc5f6f1076bfd47db3a414b178e4dac80
gerrit2 at review.openstack.org
gerrit2 at review.openstack.org
Fri Apr 11 14:36:21 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80398
Log:
commit 370f452617a7857ec7e7a6b3bb1dc3e3222bfd71
Author: Brant Knudson <bknudson at us.ibm.com>
Date: Tue Apr 8 20:52:27 2014 -0500
auth_token middleware hashes tokens with configurable algorithm
The auth_token middleware always hashed PKI Tokens with MD5. This
change makes it so that PKI tokens can be hashed with SHA256 or any
other algorithm supported by hashlib.new(). This is for security
hardening.
auth_token has a new config option 'hash_algorithms' that is set
to the list of algorithms that will be used for hashing PKI tokens.
This will typically be set to a single hash algorithm which must
match the hash algorithm set in Keystone. Otherwise the tokens
in the revocation list will not match, leading to revoked tokens
being still usable.
During a transition from one algorithm to another,
'hash_algorithms' is set to both the new algorithm and the old
algorithm. Both of the hash algorithms will be used to match
against the revocation list and cache. Once the tokens using the
old algorithm have expired the old algorithm can be removed from
the list.
'hash_algorithms' defaults to ['md5'] for backwards compatibility.
DocImpact
SecurityImpact
Closes-Bug: #1174499
Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
More information about the Openstack-security
mailing list