author    Brant Knudson <bknudson@us.ibm.com>  2014-08-23 11:35:25 -0500
committer Brant Knudson <bknudson@us.ibm.com>  2014-08-24 23:23:52 +0000
commit    ed1e31eca6cd34677feb6674973c4f8989b2b4e4 (patch)
tree      2dffeb78b3cf5850823d1ccb29160ebcd095556d
parent    41f868edaab2c9979459c338dde4b02e5f033f15 (diff)
download  django_openstack_auth-ed1e31eca6cd34677feb6674973c4f8989b2b4e4.tar.gz
Configurable token hashing algorithm

The user's authentication token was hashed using the MD5 algorithm. The MD5 algorithm shouldn't be used because of the potential for hash collisions. Some security standards mandate a SHA2 algorithm or better must be used.

With this change the algorithm to use for hashing tokens can be configured by setting the OPENSTACK_TOKEN_HASH_ALGORITHM configuration option to a hash algorithm supported by Python's hashlib library[1]. For example, a deployer could set the option to 'sha256' to meet a SHA2 security standard.

The algorithm chosen must match the hash algorithm that the identity server is configured to use (Keystone and the auth_token middleware can be configured to use any hash algorithm supported by hashlib).

This is for security hardening.

[1] https://docs.python.org/2/library/hashlib.html

DocImpact
SecurityImpact
Change-Id: I9e3eba7e0a12ae40a08d0ed851ea916ec6591bcc
Closes-Bug: #1174499
-rw-r--r--  openstack_auth/user.py  8
1 files changed, 6 insertions, 2 deletions
diff --git a/openstack_auth/user.py b/openstack_auth/user.py
index ebd49b4..5880693 100644
--- a/openstack_auth/user.py
+++ b/openstack_auth/user.py
@@ -68,8 +68,12 @@ class Token(object):
# Token-related attributes
self.id = auth_ref.auth_token
- if len(self.id) > 32:
- self.id = hashlib.md5(self.id).hexdigest()
+ if len(self.id) > 64:
+ algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM',
+ 'md5')
+ hasher = hashlib.new(algorithm)
+ hasher.update(self.id)
+ self.id = hasher.hexdigest()
self.expires = auth_ref.expires
# Project-related attributes
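Review bot: the new threshold `if len(self.id) > 64:` is a magic number that only matches one of the configurable algorithms; 64 is the hex digest length of sha256, while the default `'md5'` produces a 32-character digest and sha512 a 128-character one. With the default still `'md5'`, tokens of 33 to 64 characters are no longer hashed as they were under the old `> 32` check, and with `'sha512'` a value that is already a digest still exceeds the threshold and would be hashed again. Consider deriving the cut-off from the chosen hasher (for example `hasher.digest_size * 2`, computed before the length check) or at least a comment explaining why 64 was chosen. Separately, `hashlib.new(algorithm)` raises `ValueError` for a name hashlib does not know, so a typo in `OPENSTACK_TOKEN_HASH_ALGORITHM` surfaces as an unhandled exception when a Token is built rather than as a configuration error; validating the setting once at import time would give a clearer failure.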