# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
-# TTL for negative hits (user not found). 0 disables caching them completely.
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r)
+ bool *expired_r, bool *neg_expired_r)
{
string_t *str;
struct auth_cache_node *node;
const char *value;
unsigned int ttl_secs;
+ time_t now;
*expired_r = FALSE;
+ *neg_expired_r = FALSE;
/* %! is prepended automatically. it contains the passdb ID number. */
str = t_str_new(256);
value = node->data + strlen(node->data) + 1;
ttl_secs = *value == '\0' ? cache->neg_ttl_secs : cache->ttl_secs;
- if (node->created < time(NULL) - (time_t)ttl_secs) {
+ now = time(NULL);
+ if (node->created < now - (time_t)ttl_secs) {
/* TTL expired */
*expired_r = TRUE;
} else {
auth_cache_node_link_head(cache, node);
}
}
+ if (node->created < now - (time_t)cache->neg_ttl_secs)
+ *neg_expired_r = TRUE;
if (node_r != NULL)
*node_r = node;
const char *
auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
const char *key, struct auth_cache_node **node_r,
- bool *expired_r);
+ bool *expired_r, bool *neg_expired_r);
/* Insert key => value into cache. "" value means negative cache entry. */
void auth_cache_insert(struct auth_cache *cache, struct auth_request *request,
const char *key, const char *value, bool last_success);
const char *value, *cached_pw, *scheme, *const *list;
struct auth_cache_node *node;
int ret;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL || key == NULL)
return FALSE;
/* value = password \t ... */
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
ret = auth_request_password_verify(request, password, cached_pw,
scheme, "cache");
- if (ret == 0 && node->last_success) {
- /* the last authentication was successful. assume that
- the password was changed and cache is expired. */
+ if (ret == 0 && (node->last_success || neg_expired)) {
+ /* a) the last authentication was successful. assume
+ that the password was changed and cache is expired.
+ b) negative TTL reached, use it for password
+ mismatches too. */
node->last_success = FALSE;
return FALSE;
}
{
const char *value, *const *list;
struct auth_cache_node *node;
- bool expired;
+ bool expired, neg_expired;
if (passdb_cache == NULL)
return FALSE;
- value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+ value = auth_cache_lookup(passdb_cache, request, key, &node,
+ &expired, &neg_expired);
if (value == NULL || (expired && !use_expired)) {
auth_request_log_debug(request, "cache",
value == NULL ? "miss" : "expired");
projects / thirdparty / dovecot / core.git / commitdiff
