dovecot-2.0: auth_cache_negative_ttl is now also used for passwo...
dovecot at dovecot.org
dovecot at dovecot.org
Thu Mar 4 20:19:07 EET 2010
details: http://hg.dovecot.org/dovecot-2.0/rev/81e085f9bd75
changeset: 10836:81e085f9bd75
user: Timo Sirainen <tss at iki.fi>
date: Thu Mar 04 20:19:02 2010 +0200
description:
auth_cache_negative_ttl is now also used for password mismatches.
diffstat:
doc/example-config/conf.d/auth.conf | 3 ++-
src/auth/auth-cache.c | 9 +++++++--
src/auth/auth-cache.h | 2 +-
src/auth/auth-request.c | 4 ++--
src/auth/passdb-cache.c | 18 +++++++++++-------
5 files changed, 23 insertions(+), 13 deletions(-)
diffs (132 lines):
diff -r 40eb5d5e6fbf -r 81e085f9bd75 doc/example-config/conf.d/auth.conf
--- a/doc/example-config/conf.d/auth.conf Thu Mar 04 20:03:58 2010 +0200
+++ b/doc/example-config/conf.d/auth.conf Thu Mar 04 20:19:02 2010 +0200
@@ -11,7 +11,8 @@
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
-# TTL for negative hits (user not found). 0 disables caching them completely.
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-cache.c
--- a/src/auth/auth-cache.c Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-cache.c Thu Mar 04 20:19:02 2010 +0200
@@ -162,14 +162,16 @@
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r)
+ bool *expired_r, bool *neg_expired_r)
{
string_t *str;
struct auth_cache_node *node;
const char *value;
unsigned int ttl_secs;
+ time_t now;
*expired_r = FALSE;
+ *neg_expired_r = FALSE;
/* %! is prepended automatically. it contains the passdb ID number. */
str = t_str_new(256);
@@ -187,7 +189,8 @@
value = node->data + strlen(node->data) + 1;
ttl_secs = *value == '\0' ? cache->neg_ttl_secs : cache->ttl_secs;
- if (node->created < time(NULL) - (time_t)ttl_secs) {
+ now = time(NULL);
+ if (node->created < now - (time_t)ttl_secs) {
/* TTL expired */
*expired_r = TRUE;
} else {
@@ -197,6 +200,8 @@
auth_cache_node_link_head(cache, node);
}
}
+ if (node->created < now - (time_t)cache->neg_ttl_secs)
+ *neg_expired_r = TRUE;
if (node_r != NULL)
*node_r = node;
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-cache.h
--- a/src/auth/auth-cache.h Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-cache.h Thu Mar 04 20:19:02 2010 +0200
@@ -37,7 +37,7 @@
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r);
+ bool *expired_r, bool *neg_expired_r);
/* Insert key => value into cache. "" value means negative cache entry. */
void auth_cache_insert(struct auth_cache *cache, struct auth_request *request,
const char *key, const char *value, bool last_success);
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-request.c
--- a/src/auth/auth-request.c Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-request.c Thu Mar 04 20:19:02 2010 +0200
@@ -675,10 +675,10 @@
{
const char *value;
struct auth_cache_node *node;
- bool expired;
+ bool expired, neg_expired;
value = auth_cache_lookup(passdb_cache, request, key, &node,
- &expired);
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired))
return FALSE;
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/passdb-cache.c
--- a/src/auth/passdb-cache.c Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/passdb-cache.c Thu Mar 04 20:19:02 2010 +0200
@@ -30,13 +30,14 @@
const char *value, *cached_pw, *scheme, *const *list;
struct auth_cache_node *node;
int ret;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL || key == NULL)
return FALSE;
/* value = password \t ... */
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
@@ -65,9 +66,11 @@
ret = auth_request_password_verify(request, password, cached_pw,
scheme, "cache");
- if (ret == 0 && node->last_success) {
- /* the last authentication was successful. assume that
- the password was changed and cache is expired. */
+ if (ret == 0 && (node->last_success || neg_expired)) {
+ /* a) the last authentication was successful. assume
+ that the password was changed and cache is expired.
+ b) negative TTL reached, use it for password
+ mismatches too. */
node->last_success = FALSE;
return FALSE;
}
@@ -91,12 +94,13 @@
{
const char *value, *const *list;
struct auth_cache_node *node;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL)
return FALSE;
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
More information about the dovecot-cvs
mailing list