auth: When caching user-given passwords, cache their SHA1, not the plaintext.
authorTimo Sirainen <tss@iki.fi>
Fri, 12 Feb 2010 19:31:49 +0000 (21:31 +0200)
committerTimo Sirainen <tss@iki.fi>
Fri, 12 Feb 2010 19:31:49 +0000 (21:31 +0200)
--HG--
branch : HEAD

src/auth/auth-request.c

index 7f66e04fecf2d016c60b394a7016f84ecb7f15e6..7e3432d3e910533850e09e038d0f85f401be804e 100644 (file)
@@ -24,6 +24,8 @@
 #include <stdlib.h>
 #include <sys/stat.h>
 
+#define CACHED_PASSWORD_SCHEME "SHA1"
+
 static void get_log_prefix(string_t *str, struct auth_request *auth_request,
                           const char *subsystem);
 
@@ -227,7 +229,7 @@ static void auth_request_save_cache(struct auth_request *request,
                                    enum passdb_result result)
 {
        struct passdb_module *passdb = request->passdb->passdb;
-       const char *extra_fields;
+       const char *extra_fields, *encoded_password;
        string_t *str;
 
        switch (result) {
@@ -273,9 +275,14 @@ static void auth_request_save_cache(struct auth_request *request,
                /* we can still cache valid password lookups though.
                   strdup() it so that mech_password doesn't get
                   cleared too early. */
+               if (!password_generate_encoded(request->mech_password,
+                                              request->user,
+                                              CACHED_PASSWORD_SCHEME,
+                                              &encoded_password))
+                       i_unreached();
                request->passdb_password =
-                       p_strconcat(request->pool, "{plain}",
-                                   request->mech_password, NULL);
+                       p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}",
+                                   encoded_password, NULL);
        }
 
        /* save all except the currently given password in cache */
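Review bot: The value stored in `request->passdb_password` is built with `CACHED_PASSWORD_SCHEME`, which is plain `SHA1`; if that scheme is the unsalted single-pass digest its name suggests, identical passwords yield identical cache entries, and a disclosed cache (core dump, memory leak) is protected only by one fast hash. Consider a salted scheme for the constant, e.g. `#define CACHED_PASSWORD_SCHEME "SSHA"`, provided the cache-hit verification path accepts it. The context comment above the new call is now stale, since nothing is strdup()'d any more; something like `/* cache only a hash of the given password, never the plaintext */` would describe the new code. A one-line comment should also say that `i_unreached()` is safe only because the scheme is a compile-time constant that the password-scheme code is expected to know. The body of auth_request_save_cache() starts and ends outside this hunk.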