cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-13626) Check hashed password matches expected bcrypt hash format before checking
Date Wed, 30 Aug 2017 19:29:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-13626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147887#comment-16147887
] 

Sam Tunnicliffe commented on CASSANDRA-13626:
---------------------------------------------

+1 LGTM.

I pushed some *tiny* additions to {{PasswordAuthenticatorTest}} [here|https://github.com/beobal/cassandra/commit/fba4d7fcb3630b4ba67833f9e451cf03aa11aa62].
If you think they're overkill, I won't argue too hard.

> Check hashed password matches expected bcrypt hash format before checking
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13626
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13626
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>            Reporter: Jeff Jirsa
>            Assignee: Jeff Jirsa
>            Priority: Minor
>             Fix For: 3.0.x, 3.11.x, 4.x
>
>
> We use {{Bcrypt.checkpw}} in the auth subsystem, but do a reasonably poor job of guaranteeing
that the hashed password we send to it is really a hashed password, and {{checkpw}} does an
even worse job of failing nicely. We should at least sanity check the hash complies with the
expected format prior to validating.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message