dovecot-2.0: auth_cache_negative_ttl is now also used for passwo...

dovecot at dovecot.org dovecot at dovecot.org
Thu Mar 4 20:19:07 EET 2010


details:   http://hg.dovecot.org/dovecot-2.0/rev/81e085f9bd75
changeset: 10836:81e085f9bd75
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Mar 04 20:19:02 2010 +0200
description:
auth_cache_negative_ttl is now also used for password mismatches.

diffstat:

 doc/example-config/conf.d/auth.conf |   3 ++-
 src/auth/auth-cache.c               |   9 +++++++--
 src/auth/auth-cache.h               |   2 +-
 src/auth/auth-request.c             |   4 ++--
 src/auth/passdb-cache.c             |  18 +++++++++++-------
 5 files changed, 23 insertions(+), 13 deletions(-)

diffs (132 lines):

diff -r 40eb5d5e6fbf -r 81e085f9bd75 doc/example-config/conf.d/auth.conf
--- a/doc/example-config/conf.d/auth.conf	Thu Mar 04 20:03:58 2010 +0200
+++ b/doc/example-config/conf.d/auth.conf	Thu Mar 04 20:19:02 2010 +0200
@@ -11,7 +11,8 @@
 # authentication was successful, but this one wasn't, the cache isn't used.
 # For now this works only with plaintext authentication.
 #auth_cache_ttl = 1 hour
-# TTL for negative hits (user not found). 0 disables caching them completely.
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
 #auth_cache_negative_ttl = 1 hour
 
 # Space separated list of realms for SASL authentication mechanisms that need
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-cache.c
--- a/src/auth/auth-cache.c	Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-cache.c	Thu Mar 04 20:19:02 2010 +0200
@@ -162,14 +162,16 @@
 const char *
 auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
 		  const char *key, struct auth_cache_node **node_r,
-		  bool *expired_r)
+		  bool *expired_r, bool *neg_expired_r)
 {
 	string_t *str;
 	struct auth_cache_node *node;
 	const char *value;
 	unsigned int ttl_secs;
+	time_t now;
 
 	*expired_r = FALSE;
+	*neg_expired_r = FALSE;
 
 	/* %! is prepended automatically. it contains the passdb ID number. */
 	str = t_str_new(256);
@@ -187,7 +189,8 @@
 	value = node->data + strlen(node->data) + 1;
 	ttl_secs = *value == '\0' ? cache->neg_ttl_secs : cache->ttl_secs;
 
-	if (node->created < time(NULL) - (time_t)ttl_secs) {
+	now = time(NULL);
+	if (node->created < now - (time_t)ttl_secs) {
 		/* TTL expired */
 		*expired_r = TRUE;
 	} else {
@@ -197,6 +200,8 @@
 			auth_cache_node_link_head(cache, node);
 		}
 	}
+	if (node->created < now - (time_t)cache->neg_ttl_secs)
+		*neg_expired_r = TRUE;
 
 	if (node_r != NULL)
 		*node_r = node;
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-cache.h
--- a/src/auth/auth-cache.h	Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-cache.h	Thu Mar 04 20:19:02 2010 +0200
@@ -37,7 +37,7 @@
 const char *
 auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
 		  const char *key, struct auth_cache_node **node_r,
-		  bool *expired_r);
+		  bool *expired_r, bool *neg_expired_r);
 /* Insert key => value into cache. "" value means negative cache entry. */
 void auth_cache_insert(struct auth_cache *cache, struct auth_request *request,
 		       const char *key, const char *value, bool last_success);
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/auth-request.c
--- a/src/auth/auth-request.c	Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/auth-request.c	Thu Mar 04 20:19:02 2010 +0200
@@ -675,10 +675,10 @@
 {
 	const char *value;
 	struct auth_cache_node *node;
-	bool expired;
+	bool expired, neg_expired;
 
 	value = auth_cache_lookup(passdb_cache, request, key, &node,
-				  &expired);
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired))
 		return FALSE;
 
diff -r 40eb5d5e6fbf -r 81e085f9bd75 src/auth/passdb-cache.c
--- a/src/auth/passdb-cache.c	Thu Mar 04 20:03:58 2010 +0200
+++ b/src/auth/passdb-cache.c	Thu Mar 04 20:19:02 2010 +0200
@@ -30,13 +30,14 @@
 	const char *value, *cached_pw, *scheme, *const *list;
 	struct auth_cache_node *node;
 	int ret;
-	bool expired;
+	bool expired, neg_expired;
 
 	if (passdb_cache == NULL || key == NULL)
 		return FALSE;
 
 	/* value = password \t ... */
-	value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+	value = auth_cache_lookup(passdb_cache, request, key, &node,
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired)) {
 		auth_request_log_debug(request, "cache",
 				       value == NULL ? "miss" : "expired");
@@ -65,9 +66,11 @@
 		ret = auth_request_password_verify(request, password, cached_pw,
 						   scheme, "cache");
 
-		if (ret == 0 && node->last_success) {
-			/* the last authentication was successful. assume that
-			   the password was changed and cache is expired. */
+		if (ret == 0 && (node->last_success || neg_expired)) {
+			/* a) the last authentication was successful. assume
+			   that the password was changed and cache is expired.
+			   b) negative TTL reached, use it for password
+			   mismatches too. */
 			node->last_success = FALSE;
 			return FALSE;
 		}
@@ -91,12 +94,13 @@
 {
 	const char *value, *const *list;
 	struct auth_cache_node *node;
-	bool expired;
+	bool expired, neg_expired;
 
 	if (passdb_cache == NULL)
 		return FALSE;
 
-	value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+	value = auth_cache_lookup(passdb_cache, request, key, &node,
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired)) {
 		auth_request_log_debug(request, "cache",
 				       value == NULL ? "miss" : "expired");


More information about the dovecot-cvs mailing list