Add MAX_PASSWORD_LENGTH check in backendutils.

Add a check for max password length to password hash/check functions in backendutils. Fixes an issue where large passwords can cause segfaults in keystone diablo. Fixes LP Bug #957359. Change-Id: I24de1a295d5f54a070750315e78db968658898d3
dprince · Mar 27, 2012 · 7b07f87 · 7b07f87
1 parent 355d98a
commit 7b07f87
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 1 deletion.
diff --git a/.mailmap b/.mailmap
@@ -1,3 +1,4 @@
+<dprince@redhat.com> <dan.prince@rackspace.com>
 <dolph.mathews@rackspace.com> <dolph.mathews@gmail.com>
 <jeblair@hp.com> <corvus@gnu.org>
 <jeblair@hp.com> <james.blair@rackspace.com>

diff --git a/AUTHORS b/AUTHORS
@@ -3,7 +3,7 @@ Alex Silva <alex.silva@M1BPAGY.(none)>
 Anne Gentle <anne@openstack.org>
 Anthony Young <sleepsonthefloor@gmail.com>
 Brian Lamar <brian.lamar@gmail.com>
-Dan Prince <dan.prince@rackspace.com>
+Dan Prince <dprince@redhat.com>
 Dolph Mathews <dolph.mathews@gmail.com>
 gholt <gholt@brim.net>
 jabdul <abdulkader.j@hcl.com>

diff --git a/keystone/backends/backendutils.py b/keystone/backends/backendutils.py
@@ -2,6 +2,8 @@
 import keystone.backends as backends
 from passlib.hash import sha512_crypt as sc
 
+MAX_PASSWORD_LENGTH = 4096
+
 
 def __get_hashed_password(password):
     if password != None and len(password) > 0:
@@ -28,6 +30,8 @@ def check_password(raw_password, enc_password):
     if not raw_password:
         return False
     if backends.SHOULD_HASH_PASSWORD:
+        if len(raw_password) > MAX_PASSWORD_LENGTH:
+            raw_password = raw_password[:MAX_PASSWORD_LENGTH]
         return sc.verify(raw_password, enc_password)
     else:
         return enc_password == raw_password
@@ -39,6 +43,8 @@ def __make_password(raw_password):
     """
     if raw_password is None:
         return None
+    if len(raw_password) > MAX_PASSWORD_LENGTH:
+        raw_password = raw_password[:MAX_PASSWORD_LENGTH]
     hsh = __get_hexdigest(raw_password)
     return '%s' % (hsh)
 

diff --git a/keystone/test/unit/test_backendutils.py b/keystone/test/unit/test_backendutils.py
@@ -0,0 +1,33 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright (c) 2010-2011 OpenStack, LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import unittest2 as unittest
+import keystone.backends.backendutils as backendutils
+import keystone.backends as backends
+
+
+class BackendUtilsTest(unittest.TestCase):
+
+    def setUp(self):
+        backends.SHOULD_HASH_PASSWORD = True
+
+    def test_check_long_password(self):
+        bigboy = '0' * 9999999
+        values = {'password': bigboy}
+        backendutils.set_hashed_password(values)
+        hashed_pw = values['password']
+        self.assertTrue(backendutils.check_password(bigboy, hashed_pw))