Mercurial > dovecot > core-2.2

changeset 10689:46ae2e53d688 HEAD

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
auth: When caching user-given passwords, cache their SHA1, not the plaintext.
author Timo Sirainen <tss@iki.fi>
date Fri, 12 Feb 2010 21:31:49 +0200
parents 134d59aece1a
children b7c8221cea5b
files src/auth/auth-request.c
diffstat 1 files changed, 10 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/auth/auth-request.c	Wed Feb 10 17:12:31 2010 +0200
+++ b/src/auth/auth-request.c	Fri Feb 12 21:31:49 2010 +0200
@@ -24,6 +24,8 @@
 #include <stdlib.h>
 #include <sys/stat.h>
 
+#define CACHED_PASSWORD_SCHEME "SHA1"
+
 static void get_log_prefix(string_t *str, struct auth_request *auth_request,
 			   const char *subsystem);
 
@@ -227,7 +229,7 @@
 				    enum passdb_result result)
 {
 	struct passdb_module *passdb = request->passdb->passdb;
-	const char *extra_fields;
+	const char *extra_fields, *encoded_password;
 	string_t *str;
 
 	switch (result) {
@@ -273,9 +275,14 @@
 		/* we can still cache valid password lookups though.
 		   strdup() it so that mech_password doesn't get
 		   cleared too early. */
+		if (!password_generate_encoded(request->mech_password,
+					       request->user,
+					       CACHED_PASSWORD_SCHEME,
+					       &encoded_password))
+			i_unreached();
 		request->passdb_password =
-			p_strconcat(request->pool, "{plain}",
-				    request->mech_password, NULL);
+			p_strconcat(request->pool, "{"CACHED_PASSWORD_SCHEME"}",
+				    encoded_password, NULL);
 	}
 
 	/* save all except the currently given password in cache */