auth: cache: don't log password mismatch twice
authormanuel <manuel@mausz.at>
Mon, 4 Sep 2017 15:43:31 +0000 (17:43 +0200)
committerTimo Sirainen <tss@dovecot.fi>
Tue, 5 Sep 2017 12:49:48 +0000 (15:49 +0300)
If the auth cache is enabled and the last auth was successful, dovecot assumes the
password has been changed and invalidates the cache, which results in the
same password mismatch being logged twice.
This also applies to expired negative cache entries.

src/auth/auth-request.c
src/auth/auth-request.h
src/auth/passdb-cache.c

index cd014f6a7cb9fac0387a9ed05ea368c30bf2f263..3d3d88f77ada2c1c298fc2069324064ffc631887 100644 (file)
@@ -2483,6 +2483,16 @@ int auth_request_password_verify(struct auth_request *request,
                                 const char *plain_password,
                                 const char *crypted_password,
                                 const char *scheme, const char *subsystem)
+{
+       return auth_request_password_verify_log(request, plain_password,
+                       crypted_password, scheme, subsystem, TRUE);
+}
+
+int auth_request_password_verify_log(struct auth_request *request,
+                                const char *plain_password,
+                                const char *crypted_password,
+                                const char *scheme, const char *subsystem,
+                                bool log_password_mismatch)
 {
        const unsigned char *raw_password;
        size_t raw_password_size;
@@ -2531,7 +2541,8 @@ int auth_request_password_verify(struct auth_request *request,
                                        "Invalid password%s in passdb: %s",
                                        password_str, error);
        } else if (ret == 0) {
-               auth_request_log_password_mismatch(request, subsystem);
+               if (log_password_mismatch)
+                       auth_request_log_password_mismatch(request, subsystem);
        }
        if (ret <= 0 && request->set->debug_passwords) T_BEGIN {
                log_password_failure(request, plain_password,
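Review bot: The new `log_password_mismatch` parameter of `auth_request_password_verify_log` is undocumented, both here and in the matching declaration added to src/auth/auth-request.h, and passing FALSE means a wrong password produces no mismatch log line from this function at all, so the caller silently takes over the duty to log the failure — which matters for anyone relying on the auth log for detecting guessing attempts. Suggest a comment on the header declaration such as `/* Like auth_request_password_verify(), but when log_password_mismatch is FALSE the caller is responsible for logging the mismatch itself (e.g. after re-verifying against the passdb). */`. The `debug_passwords` failure log after the `else if (ret == 0)` branch still fires regardless of the flag, which looks intended but is worth stating in that comment. The body of auth_request_password_verify_log continues outside the hunk.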
index c1358403d4a5cf4edeb9bcb71092aee91d8001d5..41acbc731eb70c3a7cace80d32db614ff6aa45e3 100644 (file)
@@ -238,6 +238,11 @@ int auth_request_password_verify(struct auth_request *request,
                                 const char *plain_password,
                                 const char *crypted_password,
                                 const char *scheme, const char *subsystem);
+int auth_request_password_verify_log(struct auth_request *request,
+                                const char *plain_password,
+                                const char *crypted_password,
+                                const char *scheme, const char *subsystem,
+                                bool log_password_mismatch);
 
 void auth_request_log_debug(struct auth_request *auth_request,
                            const char *subsystem,
index 2670da78aaf0e8851c283e03e04803d500e50a43..c8815807eae9d93b66b0c15859ce5f1ba6b36720 100644 (file)
@@ -85,8 +85,9 @@ bool passdb_cache_verify_plain(struct auth_request *request, const char *key,
                scheme = password_get_scheme(&cached_pw);
                i_assert(scheme != NULL);
 
-               ret = auth_request_password_verify(request, password, cached_pw,
-                                                  scheme, AUTH_SUBSYS_DB);
+               ret = auth_request_password_verify_log(request, password, cached_pw,
+                                                  scheme, AUTH_SUBSYS_DB,
+                                                  !(node->last_success || neg_expired));
 
                if (ret == 0 && (node->last_success || neg_expired)) {
                        /* a) the last authentication was successful. assume
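Review bot: `node->last_success || neg_expired` is evaluated twice in this hunk — negated as the new last argument to `auth_request_password_verify_log` to suppress the mismatch log, and again in the `if (ret == 0 && ...)` that decides whether to fall back to the passdb — and if the two expressions ever drift apart a password mismatch could end up logged nowhere. Hoist it into one local before the call, `bool fallback = node->last_success || neg_expired;` (at the top of the block if this file keeps declarations there), then pass `!fallback` to the verify call and test `ret == 0 && fallback` in the condition. Suppressing the log here is presumably only safe because the fallback path re-verifies against the passdb and logs the mismatch there; that path, and the rest of passdb_cache_verify_plain, lie outside the hunk.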