[Bug 62149] New: Passwords hashed with SHA-512 are not cached

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62149

            Bug ID: 62149
           Summary: Passwords hashed with SHA-512 are not cached
           Product: Apache httpd-2
           Version: 2.4.6
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authn_socache
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Passwords hashed with SHA-512 are more than 100 bytes long, including the crypt
header and salt, e.g.

$6$3OGMZTLTfPf8nUS$sh4NpsJ4BnL8P6dBVlpWDhZYNJX0xPJ8VsELF1VuTLENykLJ7SvDEWRneAednI2FdCyejCq5gIyfEAFJvXCdI0

This leads to problems when using mod_authn_socache in combination with
socache_shmcb (and probably also others) because MAX_VAL_LEN, which is the
maximum amount of data when an entry is retrieved from the cache, is too small.
Increasing it from 100 to 128 solved the problem.

I consider this a major problem because it renders some of our services
unusable when the passwords are stored in an SQL database.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 62149] Passwords hashed with SHA-512 are not cached

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62149

--- Comment #1 from [hidden email] ---
Any news on this? This is a real problem for us because every time there is an
update to Apache we need to copy over our patched version of mod_authn_socache.
The fix is trivial, just increase the value of the constant and it's done.


[Bug 62149] Passwords hashed with SHA-512 are not cached

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62149

--- Comment #2 from [hidden email] ---
Created attachment 36717
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36717&action=edit
Patch that fixed the bug


[Bug 62149] Passwords hashed with SHA-512 are not cached

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62149

Christophe JAILLET <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk,
                   |                            |PatchAvailable

--- Comment #3 from Christophe JAILLET <[hidden email]> ---
Hi,

100 bytes should be enough for most cases, but stack memory is cheap, so there
is no need to limit it to 100. Be more future proof.

Committed in trunk with a new upper limit of 256 bytes in r1865405.


[Bug 62149] Passwords hashed with SHA-512 are not cached

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62149

--- Comment #4 from Christophe JAILLET <[hidden email]> ---
This has been backported in 2.4.x in r1869614.

This will be part of 2.4.42.
