Bug 62149

Summary: Passwords hashed with SHA-512 are not cached
Product: Apache httpd-2
Reporter: thorsten.meinl
Component: mod_authn_socache
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk, PatchAvailable
Priority: P2
Version: 2.4.6
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch that fixed the bug

Description thorsten.meinl 2018-03-01 15:20:04 UTC
Passwords hashed with SHA-512 are more than 100 bytes long, including the crypt header and salt, e.g.

$6$3OGMZTLTfPf8nUS$sh4NpsJ4BnL8P6dBVlpWDhZYNJX0xPJ8VsELF1VuTLENykLJ7SvDEWRneAednI2FdCyejCq5gIyfEAFJvXCdI0

This leads to problems when using mod_authn_socache in combination with socache_shmcb (and probably also others) because MAX_VAL_LEN, which is the maximum amount of data when an entry is retrieved from the cache, is too small. Increasing it from 100 to 128 solved the problem.

I consider this a major problem because it renders some of our services unusable when the passwords are stored in an SQL database.
Comment 1 thorsten.meinl 2019-08-14 08:11:44 UTC
Any news on this? This is a real problem for us because every time there is an update to Apache we need to copy over our patched version of mod_authn_socache. The fix is trivial, just increase the value of the constant and it's done.
Comment 2 thorsten.meinl 2019-08-14 08:12:16 UTC
Created attachment 36717
Patch that fixed the bug
Comment 3 Christophe JAILLET 2019-08-18 18:56:19 UTC
Hi,

100 bytes should be enough for most cases, but stack memory is cheap, so there is no need to limit it to 100. Be more future proof.

Committed in trunk with a new upper limit of 256 bytes in r1865405.
Comment 4 Christophe JAILLET 2019-11-09 21:46:55 UTC
This has been backported in 2.4.x in r1869614.

This will be part of 2.4.42.
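
An added example, not part of the bug report or of httpd's code: a Python audit that lists stored password hashes too long for a given MAX_VAL_LEN, so the original 100-byte limit can be compared with the 128 and 256 values mentioned in this thread. The htpasswd-style user:hash input, the function names and every sample line except the hash quoted in the description are constructed, and treating a value of limit bytes or more as not retrievable is an assumption.

```python
OLD_LIMIT = 100  # MAX_VAL_LEN before the fix, per the report
NEW_LIMIT = 256  # upper limit committed in r1865405, per comment 3

# Well-known crypt-style prefixes and the scheme each one denotes.
SCHEMES = [("$6$", "sha512-crypt"), ("$5$", "sha256-crypt"),
           ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
           ("$apr1$", "apr1-md5"), ("$1$", "md5-crypt"), ("{SHA}", "sha1-base64")]

# Constructed sample; only alice's hash is the one quoted in the description.
SAMPLE = [
    "alice:$6$3OGMZTLTfPf8nUS$sh4NpsJ4BnL8P6dBVlpWDhZYNJX0xPJ8VsELF1VuTLENykLJ7SvDEWRneAednI2FdCyejCq5gIyfEAFJvXCdI0",
    "bob:$2y$10$" + "A" * 53,                # bcrypt-shaped, 60 bytes
    "carol:$apr1$saltsalt$" + "B" * 22,      # apr1-shaped, 37 bytes
    "dave:$6$rounds=999999999$" + "s" * 16 + "$" + "C" * 86,  # longest $6$ form
]

def scheme_of(hashed):
    """Name the hash scheme from its prefix, or 'unknown'."""
    for prefix, name in SCHEMES:
        if hashed.startswith(prefix):
            return name
    return "unknown"

def audit(lines, limit):
    """List (user, scheme, length) for hashes that do not fit under limit."""
    # Assumption: a value of `limit` bytes or more cannot be retrieved.
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        length = len(hashed.encode("utf-8"))
        if length >= limit:
            flagged.append((user, scheme_of(hashed), length))
    return flagged

def sha512_crypt_max_len():
    """Longest SHA-512 crypt string: prefix, rounds field, salt, '$', digest."""
    return len("$6$") + len("rounds=999999999$") + 16 + 1 + 86

if __name__ == "__main__":
    for limit in (OLD_LIMIT, 128, NEW_LIMIT):
        print(limit, audit(SAMPLE, limit))
    print("worst-case sha512-crypt length:", sha512_crypt_max_len())
```

The worst-case SHA-512 crypt string is 123 bytes, so under this model both the reporter's 128 and the committed 256 leave room for it, while 100 does not.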