author | Stefan Fritsch <sf@apache.org> | 2013-01-01 21:16:30 +0100 |
---|---|---|
committer | Stefan Fritsch <sf@apache.org> | 2013-01-01 21:16:30 +0100 |
commit | 40431c8d757f8bdaf0c1be4203ea5f79224e31de (patch) | |
tree | 36ff69c34bdc6c56ad5e37c50fa58ca55465d7f0 /include | |
parent | remove unneeded include statements (diff) | |

Add some caching for password hash validation.

Password hash functions must be expensive in order to be secure. But
if they have to be re-evaluated for every request, performance
suffers.

As a minimal remedy, cache the most recent result for every
connection. This gives a great performance boost if a web browser
does many requests on the same connection with the same
user+password. In principle, this may keep the plain text password
around longer than before. But in practice, there won't be much
difference since user+password can already remain in some unused
data bucket for longer than the request duration.

A proper solution still needs to be found for connections from
proxies which may carry requests for many different users.

While it currently only requires the conn_rec, the new
ap_password_validate() function takes username and request_rec to
allow future extensions, like detection of brute-force attempts.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427548 13f79535-47bb-0310-9956-ffa450edef68

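The per-connection "most recent result" cache described in the commit message, as an added C example that is not httpd's implementation (this page shows only the header changes). `conn_cache`, `cached_validate()`, `slow_validate()`, `FIELD_MAX` and the `plain:` hash format are hypothetical names and constructed sample data, and keeping the plaintext password in the slot is an assumption that mirrors the retention trade-off the message mentions.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 128

/* Hypothetical per-connection slot (httpd would keep this with the conn_rec). */
typedef struct {
    int  filled, result;               /* result: 0 = match, 1 = mismatch */
    char user[FIELD_MAX], passwd[FIELD_MAX], hash[FIELD_MAX];
} conn_cache;

static int slow_calls;                 /* how often the expensive path ran */

/* Stand-in for the expensive check; "plain:<pw>" is a constructed toy format. */
static int slow_validate(const char *passwd, const char *hash)
{
    slow_calls++;
    return (strncmp(hash, "plain:", 6) == 0 && strcmp(hash + 6, passwd) == 0) ? 0 : 1;
}

static int cached_validate(conn_cache *c, const char *user,
                           const char *passwd, const char *hash)
{
    int result;
    int fits = strlen(user) < FIELD_MAX && strlen(passwd) < FIELD_MAX
            && strlen(hash) < FIELD_MAX;
    /* Hit only if user, password and stored hash are all unchanged, so a
     * changed entry in the user database invalidates the cached result. */
    if (fits && c->filled && strcmp(c->user, user) == 0
        && strcmp(c->passwd, passwd) == 0 && strcmp(c->hash, hash) == 0)
        return c->result;
    result = slow_validate(passwd, hash);
    memset(c, 0, sizeof(*c));          /* forget the previous credentials */
    if (fits) {                        /* oversized input is never cached */
        strcpy(c->user, user);
        strcpy(c->passwd, passwd);
        strcpy(c->hash, hash);
        c->result = result; c->filled = 1;
    }
    return result;
}

int main(void)
{
    conn_cache conn = {0};             /* one cache per connection */
    for (int i = 0; i < 3; i++)
        cached_validate(&conn, "alice", "s3cret", "plain:s3cret");
    printf("expensive validations for 3 requests: %d\n", slow_calls);
    return 0;
}
```

With a single slot, a connection that alternates between two users (the proxy case the message leaves open) misses on every request and gains nothing.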
Diffstat (limited to 'include')
-rw-r--r-- | include/ap_mmn.h | 3 |
-rw-r--r-- | include/httpd.h | 18 |
2 files changed, 20 insertions, 1 deletions
diff --git a/include/ap_mmn.h b/include/ap_mmn.h index b5f9536482..66aff78734 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -412,6 +412,7 @@ * core_server_config again, add http09_enable * 20121222.1 (2.5.0-dev) Add http_conformance to core_server_config, * add ap_has_cntrl() + * 20121222.2 (2.5.0-dev) Add ap_password_validate() */ #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */ @@ -419,7 +420,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20121222 #endif -#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 2 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/httpd.h b/include/httpd.h index 0fd02a95b5..8f5d4f109b 100644 --- a/include/httpd.h +++ b/include/httpd.h @@ -2274,6 +2274,24 @@ AP_DECLARE(void) ap_bin2hex(const void *src, apr_size_t srclen, char *dest) AP_DECLARE(int) ap_has_cntrl(const char *str) AP_FN_ATTR_NONNULL_ALL; +/** + * Wrapper for @a apr_password_validate() to cache expensive calculations + * @param r the current request + * @param username username of the user + * @param passwd password string + * @param hash hash string to be passwd to @a apr_password_validate() + * @return APR_SUCCESS if passwords match, APR_EMISMATCH or error otherwise + * @note Currently, ap_password_validate() only caches the result of the + * most recent call with the same connection as @a r. + * In the future, it may also do rate-limiting against brute-force + * attacks. + */ +AP_DECLARE(apr_status_t) ap_password_validate(request_rec *r, + const char *username, + const char *passwd, + const char *hash); + + #define AP_NORESTART APR_OS_START_USEERR + 1 #ifdef __cplusplus |
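
Review bot: In the include/httpd.h hunk, the @param hash line says "hash string to be passwd to @a apr_password_validate()"; "passwd" should read "passed". The doc comment should also state what a cache hit is keyed on (username, passwd and hash, or a subset), since a caller cannot tell from "caches the result of the most recent call with the same connection as @a r" whether a changed hash string or a different user on the same connection forces re-validation. The ap_has_cntrl() declaration just above carries AP_FN_ATTR_NONNULL_ALL while the new declaration carries no attribute, so either add it or document which of r, username, passwd and hash may be NULL.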