author:    Stefan Fritsch <sf@apache.org>  2013-01-01 20:16:30 +0000
committer: Stefan Fritsch <sf@apache.org>  2013-01-01 20:16:30 +0000
commit:    40431c8d757f8bdaf0c1be4203ea5f79224e31de (patch)
tree:      36ff69c34bdc6c56ad5e37c50fa58ca55465d7f0 /modules/aaa/mod_authn_socache.c
parent:    c6984dfd5e2f09bf2b4c28bf9d6d3efe158970fa (diff)
Add some caching for password hash validation.

Password hash functions must be expensive in order to be secure. But if they have to be re-evaluated for every request, performance suffers. As a minimal remedy, cache the most recent result for every connection. This gives a great performance boost if a web browser does many requests on the same connection with the same user+password.

In principle, this may keep the plain text password around longer than before. But in practice, there won't be much difference since user+password can already remain in some unused data bucket for longer than the request duration.

A proper solution still needs to be found for connections from proxies which may carry requests for many different users.

While it currently only requires the conn_rec, the new ap_password_validate() function takes username and request_rec to allow future extensions, like detection of brute-force attempts.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427548 13f79535-47bb-0310-9956-ffa450edef68
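The per-connection cache the commit message describes, as an added illustration that is not httpd's code: the function and type names (`conn_auth_cache`, `cached_password_validate`, `slow_password_validate`) and the toy `plain:<password>` hash scheme are constructed for this example, and the two scenario functions reproduce the two cases the message names, a browser reusing one connection with the same credentials and a proxy connection carrying alternating users.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not httpd's implementation: httpd keeps its state on
 * the conn_rec inside ap_password_validate(); here a small struct stands in
 * for the per-connection slot. */
#define MAX_FIELD 128

typedef struct {
    int  valid;                 /* 1 once a result has been stored */
    char user[MAX_FIELD];
    char password[MAX_FIELD];   /* plaintext retained for the connection lifetime: the trade-off the commit message names */
    char hash[MAX_FIELD];
    int  result;                /* 0 = match, -1 = mismatch */
} conn_auth_cache;

/* Counts runs of the expensive path so the saving is observable. */
static int slow_path_calls = 0;

/* Constant-time equality over fixed-length buffers: no early exit on the first differing byte. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Stand-in for an expensive hash check (toy scheme "plain:<password>", not a real
 * password hash; what matters is that this is the slow path being cached). */
static int slow_password_validate(const char *password, const char *hash)
{
    slow_path_calls++;
    if (strncmp(hash, "plain:", 6) != 0)
        return -1;
    return strcmp(hash + 6, password) == 0 ? 0 : -1;
}

static void copy_field(char *dst, const char *src)
{
    memset(dst, 0, MAX_FIELD);
    strncpy(dst, src, MAX_FIELD - 1);
}

/* Cache only the most recent (user, password, hash) triple for this connection;
 * any change in the three, including a new hash after a password change, forces the slow path. */
static int cached_password_validate(conn_auth_cache *c, const char *user,
                                    const char *password, const char *hash)
{
    char u[MAX_FIELD], p[MAX_FIELD], h[MAX_FIELD];
    copy_field(u, user);
    copy_field(p, password);
    copy_field(h, hash);

    if (c->valid && ct_equal(c->user, u, MAX_FIELD)
                 && ct_equal(c->password, p, MAX_FIELD)
                 && ct_equal(c->hash, h, MAX_FIELD))
        return c->result;

    int rv = slow_password_validate(password, hash);
    memcpy(c->user, u, MAX_FIELD);
    memcpy(c->password, p, MAX_FIELD);
    memcpy(c->hash, h, MAX_FIELD);
    c->result = rv;
    c->valid = 1;
    return rv;
}

/* Browser keep-alive: five requests, same credentials, one connection. Returns slow-path count (1). */
static int demo_browser_keepalive(void)
{
    conn_auth_cache c = {0};
    slow_path_calls = 0;
    for (int i = 0; i < 5; i++)
        cached_password_validate(&c, "alice", "s3cret", "plain:s3cret");
    return slow_path_calls;
}

/* Proxy connection alternating between two users: the single-slot cache never hits (8 slow calls). */
static int demo_proxy_alternating(void)
{
    conn_auth_cache c = {0};
    slow_path_calls = 0;
    for (int i = 0; i < 4; i++) {
        cached_password_validate(&c, "alice", "s3cret", "plain:s3cret");
        cached_password_validate(&c, "bob", "hunter2", "plain:hunter2");
    }
    return slow_path_calls;
}

/* A changed stored hash must not be served from the cached success. Returns 1 when handled correctly. */
static int demo_hash_change_not_served_from_cache(void)
{
    conn_auth_cache c = {0};
    slow_path_calls = 0;
    int first  = cached_password_validate(&c, "alice", "s3cret", "plain:s3cret");
    int second = cached_password_validate(&c, "alice", "s3cret", "plain:n3wpass");
    return first == 0 && second == -1 && slow_path_calls == 2;
}

int main(void)
{
    printf("browser keep-alive slow calls: %d\n", demo_browser_keepalive());
    printf("proxy alternating slow calls:  %d\n", demo_proxy_alternating());
    printf("hash change handled:           %d\n", demo_hash_change_not_served_from_cache());
    return 0;
}
```

The proxy scenario is the open problem the message points at: a one-entry cache keyed on the last triple degrades to no caching when users interleave, while the plaintext copy in the slot lives as long as the connection does.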
Diffstat (limited to 'modules/aaa/mod_authn_socache.c')
-rw-r--r--  modules/aaa/mod_authn_socache.c  3
1 files changed, 1 insertions, 2 deletions
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
index cccd076b02..601997784d 100644
--- a/modules/aaa/mod_authn_socache.c
+++ b/modules/aaa/mod_authn_socache.c
@@ -15,7 +15,6 @@
*/
#include "apr_strings.h"
-#include "apr_md5.h" /* for apr_password_validate */
#include "ap_config.h"
#include "ap_provider.h"
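Review bot: dropping `#include "apr_md5.h"` is consistent with its own comment (`/* for apr_password_validate */`), but the includes left visible in this hunk (`apr_strings.h`, `ap_config.h`, `ap_provider.h`) do not obviously declare the new `ap_password_validate()`; confirm that the header declaring it is already pulled in further down the file, otherwise the call in the second hunk compiles only through an implicit declaration. It is also worth checking that no other `apr_md5*` symbol is used in this file before the include goes.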
@@ -375,7 +374,7 @@ static authn_status check_password(request_rec *r, const char *user,
return AUTH_USER_NOT_FOUND;
}
- rv = apr_password_validate(password, (char*) val);
+ rv = ap_password_validate(r, user, password, (char*) val);
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
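Review bot: the `(char*) val` cast is carried over unchanged into the `ap_password_validate()` call; if the new function's hash parameter is `const char *`, the cast now only discards const for no reason and should be dropped (or the type of `val` fixed where it is produced). Separately, `if (rv != APR_SUCCESS) { return AUTH_DENIED; }` folds every non-success status into a credential denial: now that the function also manages per-connection state reached through `r`, an internal failure unrelated to a wrong password would be reported as bad credentials rather than `AUTH_GENERAL_ERROR`; consider distinguishing the mismatch status (e.g. `APR_EMISMATCH`) from other errors.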