dovecot-1.2: auth_cache_negative_ttl is now also used for passwo...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Jun 1 06:36:03 EEST 2009
details: http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
changeset: 9110:8a23ab43132a
user: Timo Sirainen <tss at iki.fi>
date: Sun May 31 23:35:56 2009 -0400
description:
auth_cache_negative_ttl is now also used for password mismatches.
diffstat:
5 files changed, 23 insertions(+), 13 deletions(-)
dovecot-example.conf | 3 ++-
src/auth/auth-cache.c | 9 +++++++--
src/auth/auth-cache.h | 2 +-
src/auth/auth-request.c | 4 ++--
src/auth/passdb-cache.c | 18 +++++++++++-------
diffs (132 lines):
diff -r 0c99b67068cb -r 8a23ab43132a dovecot-example.conf
--- a/dovecot-example.conf Sun May 31 22:41:22 2009 -0400
+++ b/dovecot-example.conf Sun May 31 23:35:56 2009 -0400
@@ -754,7 +754,8 @@ protocol lda {
# user's previous authentication was successful, but this one wasn't, the
# cache isn't used. For now this works only with plaintext authentication.
#auth_cache_ttl = 3600
-# TTL for negative hits (user not found). 0 disables caching them completely.
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
#auth_cache_negative_ttl = 3600
# Space separated list of realms for SASL authentication mechanisms that need
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-cache.c
--- a/src/auth/auth-cache.c Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-cache.c Sun May 31 23:35:56 2009 -0400
@@ -162,14 +162,16 @@ const char *
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r)
+ bool *expired_r, bool *neg_expired_r)
{
string_t *str;
struct auth_cache_node *node;
const char *value;
unsigned int ttl_secs;
+ time_t now;
*expired_r = FALSE;
+ *neg_expired_r = FALSE;
/* %! is prepended automatically. it contains the passdb ID number. */
str = t_str_new(256);
@@ -187,7 +189,8 @@ auth_cache_lookup(struct auth_cache *cac
value = node->data + strlen(node->data) + 1;
ttl_secs = *value == '\0' ? cache->neg_ttl_secs : cache->ttl_secs;
- if (node->created < time(NULL) - (time_t)ttl_secs) {
+ now = time(NULL);
+ if (node->created < now - (time_t)ttl_secs) {
/* TTL expired */
*expired_r = TRUE;
} else {
@@ -197,6 +200,8 @@ auth_cache_lookup(struct auth_cache *cac
auth_cache_node_link_head(cache, node);
}
}
+ if (node->created < now - (time_t)cache->neg_ttl_secs)
+ *neg_expired_r = TRUE;
if (node_r != NULL)
*node_r = node;
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-cache.h
--- a/src/auth/auth-cache.h Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-cache.h Sun May 31 23:35:56 2009 -0400
@@ -37,7 +37,7 @@ const char *
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r);
+ bool *expired_r, bool *neg_expired_r);
/* Insert key => value into cache. "" value means negative cache entry. */
void auth_cache_insert(struct auth_cache *cache, struct auth_request *request,
const char *key, const char *value, bool last_success);
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-request.c
--- a/src/auth/auth-request.c Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-request.c Sun May 31 23:35:56 2009 -0400
@@ -658,10 +658,10 @@ static bool auth_request_lookup_user_cac
{
const char *value;
struct auth_cache_node *node;
- bool expired;
+ bool expired, neg_expired;
value = auth_cache_lookup(passdb_cache, request, key, &node,
- &expired);
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired))
return FALSE;
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/passdb-cache.c
--- a/src/auth/passdb-cache.c Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/passdb-cache.c Sun May 31 23:35:56 2009 -0400
@@ -30,13 +30,14 @@ bool passdb_cache_verify_plain(struct au
const char *value, *cached_pw, *scheme, *const *list;
struct auth_cache_node *node;
int ret;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL || key == NULL)
return FALSE;
/* value = password \t ... */
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
@@ -65,9 +66,11 @@ bool passdb_cache_verify_plain(struct au
ret = auth_request_password_verify(request, password, cached_pw,
scheme, "cache");
- if (ret == 0 && node->last_success) {
- /* the last authentication was successful. assume that
- the password was changed and cache is expired. */
+ if (ret == 0 && (node->last_success || neg_expired)) {
+ /* a) the last authentication was successful. assume
+ that the password was changed and cache is expired.
+ b) negative TTL reached, use it for password
+ mismatches too. */
node->last_success = FALSE;
return FALSE;
}
@@ -91,12 +94,13 @@ bool passdb_cache_lookup_credentials(str
{
const char *value, *const *list;
struct auth_cache_node *node;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL)
return FALSE;
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
More information about the dovecot-cvs
mailing list