[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ie524125dc5f6f1076bfd47db3a414b178e4dac80

gerrit2 at review.openstack.org
Wed May 7 00:55:26 UTC 2014


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80398

Log:
commit da9fca124ab59ca9d61f7d9111455fed2f4bbeb8
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Tue May 6 19:36:59 2014 -0500

    auth_token middleware hashes tokens with configurable algorithm
    
    The auth_token middleware always hashed PKI Tokens with MD5. This
    change makes it so that PKI tokens can be hashed with SHA256 or any
    other algorithm supported by hashlib.new(). This is for security
    hardening.
    
    auth_token has a new config option 'hash_algorithms' that is set
    to the list of algorithms that will be used for hashing PKI tokens.
    This will typically be set to a single hash algorithm which must
    match the hash algorithm set in Keystone. Otherwise the tokens
    in the revocation list will not match, leading to revoked tokens
    being still usable.
    
    During a transition from one algorithm to another,
    'hash_algorithms' is set to both the new algorithm and the old
    algorithm. Both of the hash algorithms will be used to match
    against the revocation list and cache. Once the tokens using the
    old algorithm have expired the old algorithm can be removed from
    the list.
    
    'hash_algorithms' defaults to ['md5'] for backwards compatibility.
    
    DocImpact
    SecurityImpact
    Closes-Bug: #1174499
    
    Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
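The transition behaviour the commit message describes, shown as an added example that is not code from python-keystoneclient: the middleware hashes the token with every algorithm in `hash_algorithms` and checks each digest against the revocation list, so a list holding only the new algorithm while Keystone still publishes MD5 digests misses revoked tokens. The token bytes and the revocation set are constructed here for the demonstration.

```python
import hashlib

# Constructed sample PKI token body (in the real flow this is the signed token
# the client presents to the middleware).
TOKEN = b"constructed-pki-token-body"


def hash_token(token, algorithm):
    """Hash a PKI token with any algorithm hashlib.new() supports."""
    return hashlib.new(algorithm, token).hexdigest()


def revocation_list(token, keystone_algorithm):
    """Revocation list as Keystone would publish it under its own algorithm.

    Constructed stand-in: a set of hashed token ids, one entry per revoked token.
    """
    return {hash_token(token, keystone_algorithm)}


def is_revoked(token, hash_algorithms, revoked_ids):
    """True if the token, hashed under ANY configured algorithm, is on the list.

    This is the transition rule from the commit message: every algorithm in
    'hash_algorithms' is tried, so old and new digests both match.
    """
    return any(hash_token(token, alg) in revoked_ids for alg in hash_algorithms)


def demo():
    # Keystone still hashes with md5, middleware lists sha256 only:
    # the revoked token is not recognised and stays usable (the mismatch risk).
    mismatch = is_revoked(TOKEN, ["sha256"], revocation_list(TOKEN, "md5"))
    # Transition config lists both algorithms: the md5 digest still matches.
    transition = is_revoked(TOKEN, ["sha256", "md5"], revocation_list(TOKEN, "md5"))
    # Keystone moved to sha256 and md5-era tokens expired: sha256 alone suffices.
    settled = is_revoked(TOKEN, ["sha256"], revocation_list(TOKEN, "sha256"))
    return mismatch, transition, settled


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```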
