From 83c50ae4ebd4d72988a781ec4183f1c62f6a63a4 Mon Sep 17 00:00:00 2001
From: Prashanth Pai
Date: Fri, 5 Aug 2016 11:25:42 +0530
Subject: Don't include salt in HMAC computation

Currently, the input to HMAC function is the entire stored credential in the format '$` but it should rather be only the hashed key/password.

This is a minimal manual backport of this upstream swauth change: https://review.openstack.org/#/c/292529/

Change-Id: Ib119522d36359f87579ff8e4ada7331643695634
Signed-off-by: Prashanth Pai
Reviewed-on: http://review.gluster.org/15097
Reviewed-by: Thiago da Silva
Tested-by: Thiago da Silva
---
 gluster/swift/common/middleware/gswauth/swauth/middleware.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'gluster/swift/common/middleware/gswauth/swauth/middleware.py')

diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 745c6f1..48f1d71 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -318,7 +318,7 @@ class Swauth(object):
                                             account_id, 1)
             detail = json.loads(resp.body)
-            password = detail['auth'].split(':')[-1]
+            password_type, password = detail['auth'].split(':')
             msg = base64.urlsafe_b64decode(unquote(token))
             # https://bugs.python.org/issue5285
@@ -327,6 +327,10 @@ class Swauth(object):
             if isinstance(msg, unicode):
                 msg = msg.encode('utf-8')
+            if password_type != 'plaintext':
+                # Password isn't plaintext, contains salt string
+                password = password.split('$')[-1]
+
             s = base64.encodestring(hmac.new(password, msg, sha1).digest()).strip()
             if s != sign:
-- 
cgit
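Review bot: `password_type, password = detail['auth'].split(':')` in the first hunk raises an unhandled ValueError on the authentication path for any stored credential that does not contain exactly one ':', where the replaced `split(':')[-1]` tolerated that, so a malformed or legacy entry in the auth account now produces a server error instead of a denied request. Splitting once and checking the result keeps the failure inside the function's normal deny path: `password_type, _, password = detail['auth'].partition(':')` followed by `if not password: return None` (assuming the method denies with `return None`, as its other failure branches appear to; that code is outside the hunk). A comment above the new `if password_type != 'plaintext'` block stating the stored format the code relies on — `# stored auth is 'plaintext:<key>' or '<type>:<salt>$<hash>' (salt format presumed from the commit message); only the hash feeds the HMAC` — would make the `split('$')[-1]` line self-explanatory. While here, the context line `if s != sign:` is a plain string comparison of the computed and supplied signatures; on Python 2.7.7 or later, `hmac.compare_digest(s, sign)` performs the same check without timing-dependent behaviour. Both hunks lie inside a method whose start and end are outside the diff.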