From: Timo Sirainen
Date: Fri, 12 Feb 2010 19:31:49 +0000 (+0200)
Subject: auth: When caching user-given passwords, cache their SHA1, not the plaintext.
X-Git-Tag: 2.0.beta3~109
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8162bd24c9ddc4fa1d991fdd6b15f4c48599e7d;p=thirdparty%2Fdovecot%2Fcore.git
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
--HG--
branch : HEAD
---
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index 7f66e04fec..7e3432d3e9 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -24,6 +24,8 @@
 #include #include
+#define CACHED_PASSWORD_SCHEME "SHA1"
+
 static void get_log_prefix(string_t *str, struct auth_request *auth_request,
 const char *subsystem);
@@ -227,7 +229,7 @@ static void auth_request_save_cache(struct auth_request *request,
 enum passdb_result result)
 {
 struct passdb_module *passdb = request->passdb->passdb;
- const char *extra_fields;
+ const char *extra_fields, *encoded_password;
 string_t *str;
 switch (result) {
@@ -273,9 +275,14 @@ static void auth_request_save_cache(struct auth_request *request,
 /* we can still cache valid password lookups though. strdup() it so that mech_password doesn't get cleared too early. */
+ if (!password_generate_encoded(request->mech_password,
+ request->user,
+ CACHED_PASSWORD_SCHEME,
+ &encoded_password))
+ i_unreached();
 request->passdb_password =
- p_strconcat(request->pool, "{plain}",
- request->mech_password, NULL);
+ p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}",
+ encoded_password, NULL);
 }
 /* save all except the currently given password in cache */
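Review bot: The new `#define CACHED_PASSWORD_SCHEME "SHA1"` selects an unsalted, fast digest, so each cache entry produced in the third hunk is a cheap offline guessing target for anyone who can read the auth cache contents (a memory dump or debug output, for instance); this is a clear improvement over caching plaintext, but the trade-off is not stated anywhere. If per-login verification speed is the reason for plain SHA1, record that next to the define, e.g. `/* scheme used for cached user-given passwords; unsalted SHA1 is cheap to verify but gives no protection against offline guessing if the cache is exposed */`. If a salted scheme is acceptable for the cache (Dovecot's SSHA, for example), changing only this define would raise that cost, since the third hunk derives both the encoding call and the `{scheme}` prefix from it; whether the cache lookup side makes any assumption about the scheme is not visible in this diff.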
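Review bot: The context comment above the new `password_generate_encoded()` call is now stale: it still says the password is `strdup()`'d so that `mech_password` is not cleared too early, whereas the new code stores the `CACHED_PASSWORD_SCHEME` digest of `mech_password` and never copies the plaintext into the pool. Rewrite it along the lines of `/* we can still cache valid password lookups though. Store only the CACHED_PASSWORD_SCHEME digest of mech_password (copied into the pool), so the plaintext is never cached and mech_password can still be cleared early. */`. The `i_unreached()` on encoding failure presumably aborts the process; since the scheme name is a compile-time constant that seems intended, but a short comment such as `/* a builtin scheme name can't fail to encode */` would make the hard failure deliberate rather than surprising. The enclosing function `auth_request_save_cache` continues outside this hunk.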