From 7b07f870702de5675d4423042e8b018e3fc4b931 Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Fri, 16 Mar 2012 23:38:19 -0400 Subject: [PATCH] Add MAX_PASSWORD_LENGTH check in backendutils. Add a check for max password length to password hash/check functions in backendutils. Fixes an issue where large passwords can cause segfaults in keystone diablo. Fixes LP Bug #957359. Change-Id: I24de1a295d5f54a070750315e78db968658898d3 --- .mailmap | 1 + AUTHORS | 2 +- keystone/backends/backendutils.py | 6 +++++ keystone/test/unit/test_backendutils.py | 33 +++++++++++++++++++++++++ 4 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 keystone/test/unit/test_backendutils.py diff --git a/.mailmap b/.mailmap index 0e68e3030e..3a6c3942f4 100644 --- a/.mailmap +++ b/.mailmap @@ -1,3 +1,4 @@ + diff --git a/AUTHORS b/AUTHORS index cad5c2b969..84027e5e20 100644 --- a/AUTHORS +++ b/AUTHORS @@ -3,7 +3,7 @@ Alex Silva Anne Gentle Anthony Young Brian Lamar -Dan Prince +Dan Prince Dolph Mathews gholt jabdul diff --git a/keystone/backends/backendutils.py b/keystone/backends/backendutils.py index 02970b35f1..54dd496f5e 100644 --- a/keystone/backends/backendutils.py +++ b/keystone/backends/backendutils.py @@ -2,6 +2,8 @@ from keystone.backends import models import keystone.backends as backends from passlib.hash import sha512_crypt as sc +MAX_PASSWORD_LENGTH = 4096 + def __get_hashed_password(password): if password != None and len(password) > 0: @@ -28,6 +30,8 @@ def check_password(raw_password, enc_password): if not raw_password: return False if backends.SHOULD_HASH_PASSWORD: + if len(raw_password) > MAX_PASSWORD_LENGTH: + raw_password = raw_password[:MAX_PASSWORD_LENGTH] return sc.verify(raw_password, enc_password) else: return enc_password == raw_password 
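Review bot: `MAX_PASSWORD_LENGTH = 4096` is introduced without a comment saying why the limit exists, so the number reads as arbitrary to the next maintainer. Suggest a comment directly above it such as `# sha512_crypt cannot safely take arbitrarily long input (LP Bug #957359); hash and verify use at most this many characters.` `__get_hashed_password`, visible as context in this hunk, looks like another path into the hasher; its body is outside the hunk, so it is worth confirming it goes through the same length limit as check_password and __make_password. PEP 8 would also put two blank lines between the new constant and the following def.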
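Review bot: Slicing `raw_password` before `sc.verify` silently changes the credential being checked: any candidate that agrees with the stored hash in its first MAX_PASSWORD_LENGTH characters verifies, because __make_password (next hunk) hashes only that prefix as well. That is internally consistent, but rejecting is usually preferable to truncating so the caller can surface an explicit error, e.g. `if len(raw_password) > MAX_PASSWORD_LENGTH: return False` here, with the setter raising instead of slicing. If truncation is kept, the two identical slices here and in __make_password belong in one private helper (e.g. `_truncate_password(raw_password)`) so the two paths cannot drift apart. `len()` counts characters rather than bytes, so if the underlying crash depends on encoded length a unicode password under 4096 characters could still exceed it once encoded; worth confirming against passlib's behaviour.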
@@ -39,6 +43,8 @@ def __make_password(raw_password):
     """
     if raw_password is None:
         return None
+    if len(raw_password) > MAX_PASSWORD_LENGTH:
+        raw_password = raw_password[:MAX_PASSWORD_LENGTH]
     hsh = __get_hexdigest(raw_password)
     return '%s' % (hsh)
diff --git a/keystone/test/unit/test_backendutils.py b/keystone/test/unit/test_backendutils.py
new file mode 100644
index 0000000000..c90a47f4e0
--- /dev/null
+++ b/keystone/test/unit/test_backendutils.py
@@ -0,0 +1,33 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright (c) 2010-2011 OpenStack, LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import unittest2 as unittest
+import keystone.backends.backendutils as backendutils
+import keystone.backends as backends
+
+
+class BackendUtilsTest(unittest.TestCase):
+
+    def setUp(self):
+        backends.SHOULD_HASH_PASSWORD = True
+
+    def test_check_long_password(self):
+        bigboy = '0' * 9999999
+        values = {'password': bigboy}
+        backendutils.set_hashed_password(values)
+        hashed_pw = values['password']
+        self.assertTrue(backendutils.check_password(bigboy, hashed_pw))
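Review bot: `setUp` assigns `backends.SHOULD_HASH_PASSWORD = True` and never restores it, so the new test leaks a module-level flag into every test that runs after it in the same process. Save the previous value in setUp and put it back in a `tearDown`, e.g. `self._old_flag = backends.SHOULD_HASH_PASSWORD` in setUp and `backends.SHOULD_HASH_PASSWORD = self._old_flag` in tearDown. The single test only shows that the full long string round-trips; a case asserting that a password of exactly MAX_PASSWORD_LENGTH characters is stored unaltered, and one pinning what check_password returns for a candidate that differs from the stored password only beyond that position, would make the truncation semantics the change introduces explicit rather than implicit.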