Bug 62149 - Passwords hashed with SHA-512 are not cached
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authn_socache
Version: 2.4.6
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2018-03-01 15:20 UTC by thorsten.meinl
Modified: 2020-04-19 08:25 UTC



Attachments
Patch the fixed the bug (380 bytes, patch)
2019-08-14 08:12 UTC, thorsten.meinl

Description thorsten.meinl 2018-03-01 15:20:04 UTC
Passwords hashed with SHA-512 are more than 100 bytes long, including the crypt header and salt, e.g.

$6$3OGMZTLTfPf8nUS$sh4NpsJ4BnL8P6dBVlpWDhZYNJX0xPJ8VsELF1VuTLENykLJ7SvDEWRneAednI2FdCyejCq5gIyfEAFJvXCdI0

This leads to problems when using mod_authn_socache in combination with socache_shmcb (and probably also others) because MAX_VAL_LEN, which is the maximum amount of data when an entry is retrieved from the cache, is too small. Increasing it from 100 to 128 solved the problem.

I consider this a major problem because it renders some of our services unusable when the passwords are stored in an SQL database.
Comment 1 thorsten.meinl 2019-08-14 08:11:44 UTC
Any news on this? This is a real problem for us because every time there is an update to Apache we need to copy over our patched version of mod_authn_socache. The fix is trivial, just increase the value of the constant and it's done.
Comment 2 thorsten.meinl 2019-08-14 08:12:16 UTC
Created attachment 36717 [details]
Patch the fixed the bug
Comment 3 Christophe JAILLET 2019-08-18 18:56:19 UTC
Hi,

100 bytes should be enough for most cases, but stack memory is cheap, so there is no need to limit it to 100. Be more future proof.

Committed in trunk with a new upper limit of 256 bytes in r1865405.
Comment 4 Christophe JAILLET 2019-11-09 21:46:55 UTC
This has been backported in 2.4.x in r1869614.

This will be part of 2.4.42.
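
The length arithmetic behind this report, as an added example (not code from mod_authn_socache or from any comment above): it parses the hash quoted in the description and checks both it and the longest possible `$6$` string against the three limits named in the thread. The function names and the buffer model in `fits_in_buffer` (one byte reserved for a terminator) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The hash quoted in the bug description. */
static const char REPORTED_HASH[] = "$6$3OGMZTLTfPf8nUS$sh4NpsJ4BnL8P6dBVlpWDhZYNJX0xPJ8VsELF1VuTLENykLJ7SvDEWRneAednI2FdCyejCq5gIyfEAFJvXCdI0";

/* Assumed model of a fixed-size read buffer (not the module's code): a value
 * is usable only if it fits with one byte left for a terminating NUL. */
static int fits_in_buffer(size_t value_len, size_t max_val_len) { return value_len < max_val_len; }

/* Longest "$6$" string: prefix, explicit rounds field, 16-char salt,
 * separator, 86-char digest. */
static size_t sha512_crypt_max_len(void)
{ return strlen("$6$") + strlen("rounds=999999999$") + 16 + 1 + 86; }

/* Split "$id$[rounds=N$]salt$digest" into salt and digest lengths.
 * Returns 0 on success, -1 if the string does not have that shape. */
static int crypt_field_lengths(const char *s, size_t *salt_len, size_t *digest_len)
{
    const char *p, *q;
    if (s[0] != '$' || (p = strchr(s + 1, '$')) == NULL)
        return -1;
    p++;                                  /* first byte after "$id$" */
    if (strncmp(p, "rounds=", 7) == 0) {  /* optional cost field */
        if ((p = strchr(p, '$')) == NULL)
            return -1;
        p++;
    }
    if ((q = strchr(p, '$')) == NULL)
        return -1;
    *salt_len = (size_t)(q - p);
    *digest_len = strlen(q + 1);
    return 0;
}

int main(void)
{
    static const size_t limits[] = { 100, 128, 256 }; /* values named in the thread */
    size_t salt, digest, len = strlen(REPORTED_HASH), i;
    if (crypt_field_lengths(REPORTED_HASH, &salt, &digest) != 0)
        return 1;
    printf("reported: %zu bytes (salt %zu, digest %zu), worst case: %zu\n",
           len, salt, digest, sha512_crypt_max_len());
    for (i = 0; i < sizeof limits / sizeof limits[0]; i++)
        printf("limit %zu: reported %s, worst case %s\n", limits[i],
               fits_in_buffer(len, limits[i]) ? "fits" : "too long",
               fits_in_buffer(sha512_crypt_max_len(), limits[i]) ? "fits" : "too long");
    return 0;
}
```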