Bug 63124 - race condition in mod_auth_digest
Summary: race condition in mod_auth_digest
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest (show other bugs)
Version: 2.4.37
Hardware: Other Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Reported: 2019-01-29 10:15 UTC by Simon Kappel
Modified: 2019-04-01 05:18 UTC (History)
1 user (show)

fix race condition in mod_auth_digest (3.61 KB, patch)
2019-01-29 10:15 UTC, Simon Kappel
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Kappel 2019-01-29 10:15:36 UTC
Created attachment 36400 [details]
fix race condition in mod_auth_digest

When there are requests made from multiple different users
on the same host to the same protection space, a race condition occurs
so that the realmhash from another user may sometimes
be used for validation when comparing digest with
expected digest.

I can reproduce this by running two testscripts which repeatedly requests a resource using different users.

while 1
curl -u test:test --digest "http://<ip>/cgi/mycgi.cgi"

while 1
curl -u test2:test2 --digest" http://<ip>/cgi/mycgi.cgi"

Sometimes the digest module will claim that there is a password mismatch APLOGNO(01792).

Debugging this i found that the realmhash (ha1) used to compare digests was sometimes from the wrong user.
Comment 1 Simon Kappel 2019-02-04 14:09:00 UTC
It is my belief that this patch should be merged to trunk.
Please test and review attached patch.
Comment 2 Christophe JAILLET 2019-02-08 06:19:29 UTC

thx for the report, the reproducer and the patch.

I've only slightly changed your patch.
'char **rethash' has been turned into 'const char **rethash' to fix a compilation warning, at least in maintainer-mode.

This has been fixed in trunk in r1853190 and will be proposed soon for backport in 2.4.x.
Comment 3 Christophe JAILLET 2019-04-01 05:18:31 UTC
backported in r1855298.
This is part à 2.4.39