# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1243827356 14400
# Node ID 8a23ab43132a8aec66990c982336ac3bd155b4ac
# Parent  0c99b67068cbe9761172653e26e43d59aa31d548
auth_cache_negative_ttl is now also used for password mismatches.

diff -r 0c99b67068cb -r 8a23ab43132a dovecot-example.conf
--- a/dovecot-example.conf	Sun May 31 22:41:22 2009 -0400
+++ b/dovecot-example.conf	Sun May 31 23:35:56 2009 -0400
@@ -754,7 +754,8 @@
 # user's previous authentication was successful, but this one wasn't, the
 # cache isn't used. For now this works only with plaintext authentication.
 #auth_cache_ttl = 3600
-# TTL for negative hits (user not found). 0 disables caching them completely.
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
 #auth_cache_negative_ttl = 3600
 
 # Space separated list of realms for SASL authentication mechanisms that need
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-cache.c
--- a/src/auth/auth-cache.c	Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-cache.c	Sun May 31 23:35:56 2009 -0400
@@ -162,14 +162,16 @@
 const char *
 auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
 		  const char *key, struct auth_cache_node **node_r,
-		  bool *expired_r)
+		  bool *expired_r, bool *neg_expired_r)
 {
 	string_t *str;
 	struct auth_cache_node *node;
 	const char *value;
 	unsigned int ttl_secs;
+	time_t now;
 
 	*expired_r = FALSE;
+	*neg_expired_r = FALSE;
 
 	/* %! is prepended automatically. it contains the passdb ID number. */
 	str = t_str_new(256);
@@ -187,7 +189,8 @@
 	value = node->data + strlen(node->data) + 1;
 	ttl_secs = *value == '\0' ? cache->neg_ttl_secs : cache->ttl_secs;
 
-	if (node->created < time(NULL) - (time_t)ttl_secs) {
+	now = time(NULL);
+	if (node->created < now - (time_t)ttl_secs) {
 		/* TTL expired */
 		*expired_r = TRUE;
 	} else {
@@ -197,6 +200,8 @@
 			auth_cache_node_link_head(cache, node);
 		}
 	}
+	if (node->created < now - (time_t)cache->neg_ttl_secs)
+		*neg_expired_r = TRUE;
 
 	if (node_r != NULL)
 		*node_r = node;
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-cache.h
--- a/src/auth/auth-cache.h	Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-cache.h	Sun May 31 23:35:56 2009 -0400
@@ -37,7 +37,7 @@
 const char *
 auth_cache_lookup(struct auth_cache *cache, const struct auth_request *request,
 		  const char *key, struct auth_cache_node **node_r,
-		  bool *expired_r);
+		  bool *expired_r, bool *neg_expired_r);
 /* Insert key => value into cache. "" value means negative cache entry. */
 void auth_cache_insert(struct auth_cache *cache, struct auth_request *request,
 		       const char *key, const char *value, bool last_success);
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/auth-request.c
--- a/src/auth/auth-request.c	Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/auth-request.c	Sun May 31 23:35:56 2009 -0400
@@ -658,10 +658,10 @@
 {
 	const char *value;
 	struct auth_cache_node *node;
-	bool expired;
+	bool expired, neg_expired;
 
 	value = auth_cache_lookup(passdb_cache, request, key, &node,
-				  &expired);
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired))
 		return FALSE;
 
diff -r 0c99b67068cb -r 8a23ab43132a src/auth/passdb-cache.c
--- a/src/auth/passdb-cache.c	Sun May 31 22:41:22 2009 -0400
+++ b/src/auth/passdb-cache.c	Sun May 31 23:35:56 2009 -0400
@@ -30,13 +30,14 @@
 	const char *value, *cached_pw, *scheme, *const *list;
 	struct auth_cache_node *node;
 	int ret;
-	bool expired;
+	bool expired, neg_expired;
 
 	if (passdb_cache == NULL || key == NULL)
 		return FALSE;
 
 	/* value = password \t ... */
-	value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+	value = auth_cache_lookup(passdb_cache, request, key, &node,
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired)) {
 		auth_request_log_debug(request, "cache",
 				       value == NULL ? "miss" : "expired");
@@ -65,9 +66,11 @@
 		ret = auth_request_password_verify(request, password, cached_pw,
 						   scheme, "cache");
 
-		if (ret == 0 && node->last_success) {
-			/* the last authentication was successful. assume that
-			   the password was changed and cache is expired. */
+		if (ret == 0 && (node->last_success || neg_expired)) {
+			/* a) the last authentication was successful. assume
+			   that the password was changed and cache is expired.
+			   b) negative TTL reached, use it for password
+			   mismatches too. */
 			node->last_success = FALSE;
 			return FALSE;
 		}
@@ -91,12 +94,13 @@
 {
 	const char *value, *const *list;
 	struct auth_cache_node *node;
-	bool expired;
+	bool expired, neg_expired;
 
 	if (passdb_cache == NULL)
 		return FALSE;
 
-	value = auth_cache_lookup(passdb_cache, request, key, &node, &expired);
+	value = auth_cache_lookup(passdb_cache, request, key, &node,
+				  &expired, &neg_expired);
 	if (value == NULL || (expired && !use_expired)) {
 		auth_request_log_debug(request, "cache",
 				       value == NULL ? "miss" : "expired");