Bug 63124

Summary: race condition in mod_auth_digest
Product: Apache httpd-2 Reporter: Simon Kappel <simon.kappel>
Component: mod_auth_digestAssignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: normal CC: simon.kappel
Priority: P2 Keywords: FixedInTrunk, PatchAvailable
Version: 2.4.37   
Target Milestone: ---   
Hardware: Other   
OS: Linux   
Attachments: fix race condition in mod_auth_digest

Description Simon Kappel 2019-01-29 10:15:36 UTC
Created attachment 36400 [details]
fix race condition in mod_auth_digest

When there are requests made from multiple different users
on the same host to the same protection space, a race condition occurs
so that the realmhash from another user may sometimes
be used for validation when comparing digest with
expected digest.

I can reproduce this by running two testscripts which repeatedly requests a resource using different users.

while 1
curl -u test:test --digest "http://<ip>/cgi/mycgi.cgi"

while 1
curl -u test2:test2 --digest" http://<ip>/cgi/mycgi.cgi"

Sometimes the digest module will claim that there is a password mismatch APLOGNO(01792).

Debugging this i found that the realmhash (ha1) used to compare digests was sometimes from the wrong user.
Comment 1 Simon Kappel 2019-02-04 14:09:00 UTC
It is my belief that this patch should be merged to trunk.
Please test and review attached patch.
Comment 2 Christophe JAILLET 2019-02-08 06:19:29 UTC

thx for the report, the reproducer and the patch.

I've only slightly changed your patch.
'char **rethash' has been turned into 'const char **rethash' to fix a compilation warning, at least in maintainer-mode.

This has been fixed in trunk in r1853190 and will be proposed soon for backport in 2.4.x.
Comment 3 Christophe JAILLET 2019-04-01 05:18:31 UTC
backported in r1855298.
This is part à 2.4.39