changeset 10689:46ae2e53d688 HEAD
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Fri, 12 Feb 2010 21:31:49 +0200 |
parents | 134d59aece1a |
children | b7c8221cea5b |
files | src/auth/auth-request.c |
diffstat | 1 files changed, 10 insertions(+), 3 deletions(-) [+] |
--- a/src/auth/auth-request.c Wed Feb 10 17:12:31 2010 +0200 +++ b/src/auth/auth-request.c Fri Feb 12 21:31:49 2010 +0200 @@ -24,6 +24,8 @@ #include <stdlib.h> #include <sys/stat.h> +#define CACHED_PASSWORD_SCHEME "SHA1" + static void get_log_prefix(string_t *str, struct auth_request *auth_request, const char *subsystem); @@ -227,7 +229,7 @@ enum passdb_result result) { struct passdb_module *passdb = request->passdb->passdb; - const char *extra_fields; + const char *extra_fields, *encoded_password; string_t *str; switch (result) { @@ -273,9 +275,14 @@ /* we can still cache valid password lookups though. strdup() it so that mech_password doesn't get cleared too early. */ + if (!password_generate_encoded(request->mech_password, + request->user, + CACHED_PASSWORD_SCHEME, + &encoded_password)) + i_unreached(); request->passdb_password = - p_strconcat(request->pool, "{plain}", - request->mech_password, NULL); + p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}", + encoded_password, NULL); } /* save all except the currently given password in cache */
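Review bot: The comment kept as context above the new `password_generate_encoded()` call in the third hunk still says the password is strdup()'d so that `mech_password` isn't cleared too early, but the new code stores a `{SHA1}` encoding instead; it should be updated, e.g. `/* we can still cache valid password lookups though. store only a hash so the plaintext isn't kept in the cache. */`. `CACHED_PASSWORD_SCHEME` in the first hunk is unsalted SHA1, which keeps the plaintext out of the cache but is cheap to guess against offline and yields identical entries for identical passwords, so a comment on the `#define` should state that limit. A salted scheme may be worth considering if cache-hit verification goes through the normal scheme verifier, which is not visible here. The `i_unreached()` on encode failure is reasonable only while the scheme stays a compile-time constant that the password code is known to support. The enclosing function starts and ends outside the hunk.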