From 51cdfd50e076b5983692657bc8df47ab7cdcb896 Mon Sep 17 00:00:00 2001
From: dimitr
Date: Fri, 2 May 2008 11:10:00 +0000
Subject: [PATCH] Enabled security database connection caching and brute-force attack protection for SuperClassic. This code is almost useless for the regular Classic, but it doesn't hurt either.
---
 src/jrd/jrd_pwd.h | 11 ++++-------
 src/jrd/pwd.cpp | 44 +++++++++++++++-----------------------------
 2 files changed, 19 insertions(+), 36 deletions(-)
diff --git a/src/jrd/jrd_pwd.h b/src/jrd/jrd_pwd.h
index 6e24935697..c37b32a2e6 100644
--- a/src/jrd/jrd_pwd.h
+++ b/src/jrd/jrd_pwd.h
@@ -96,8 +96,6 @@ private:
 isc_db_handle lookup_db;
 isc_req_handle lookup_req;
- static const bool is_cached;
-
 int counter;
 void fini();
@@ -107,10 +105,9 @@ private:
 static SecurityDatabase instance;
- SecurityDatabase()
- {
- lookup_db = 0;
- }
+ SecurityDatabase()
+ : lookup_db(0), lookup_req(0), counter(0)
+ {}
 public:
 // Shuts SecurityDatabase in case of errors during attach or create.
@@ -159,4 +156,4 @@ public:
 } // namespace Jrd
-#endif /* JRD_PWD_H */
+#endif // JRD_PWD_H
diff --git a/src/jrd/pwd.cpp b/src/jrd/pwd.cpp
index 3ccb7b1957..ca16ee5e26 100644
--- a/src/jrd/pwd.cpp
+++ b/src/jrd/pwd.cpp
@@ -44,12 +44,6 @@
 using namespace Jrd;
-#ifdef SUPERSERVER
-const bool SecurityDatabase::is_cached = true;
-#else
-const bool SecurityDatabase::is_cached = false;
-#endif
-
 // BLR to search database for user name record
 const UCHAR SecurityDatabase::PWD_REQUEST[] =
 {
@@ -113,8 +107,7 @@ SecurityDatabase SecurityDatabase::instance;
 #ifndef EMBEDDED
 namespace {
-#ifdef SUPERSERVER
-// Disable attempts to brutforce logins/passwords
+// Disable attempts to brute-force logins/passwords
 class FailedLogin
 {
 public:
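Review bot: The comment above `class FailedLogin` in the `@@ -113,8 +107,7 @@` hunk of src/jrd/pwd.cpp no longer says where the throttling is effective. The `#ifdef SUPERSERVER` guard is gone, and a later hunk deletes the stub that carried the note about multi-process builds. The commit message itself calls the code almost useless for regular Classic, which suggests the failure counters are per process. That limit belongs next to the class so nobody assumes throttling is enforced in every build, e.g. `// Brute-force throttling; counters are held in process memory, so this is effective only when one process serves many connections (SuperServer/SuperClassic)`. The class body continues outside this hunk.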
@@ -211,16 +204,6 @@ namespace {
 }
 }
 };
-#else //SUPERSERVER
- // Unfortunately, in case of multi-process architectire, this doesn't work.
- class FailedLogins
- {
- public:
- explicit FailedLogins(MemoryPool& p) {}
- void loginFail(const Firebird::string& login) { }
- void loginSuccess(const Firebird::string& login) {}
- };
-#endif //SUPERSERVER
 Firebird::InitInstance usernameFailedLogins;
 Firebird::InitInstance remoteFailedLogins;
@@ -235,19 +218,23 @@ namespace {
 void SecurityDatabase::fini()
 {
 Firebird::MutexLockGuard guard(mutex);
- counter -= (is_cached) ? 1 : 0;
-#ifndef EMBEDDED
- if (counter == 1 && lookup_db)
+ if (--counter == 1)
 {
- isc_detach_database(status, &lookup_db);
+ if (lookup_req)
+ {
+ isc_release_request(status, &lookup_req);
+ }
+ if (lookup_db)
+ {
+ isc_detach_database(status, &lookup_db);
+ }
 }
-#endif
 }
 void SecurityDatabase::init()
 {
 Firebird::MutexLockGuard guard(mutex);
- counter += (is_cached) ? 1 : 0;
+ ++counter;
 }
 bool SecurityDatabase::lookup_user(const TEXT* user_name, int* uid, int* gid, TEXT* pwd)
@@ -274,6 +261,10 @@ bool SecurityDatabase::lookup_user(const TEXT* user_name, int* uid, int* gid, TE
 if (!prepare())
 {
+ if (lookup_req)
+ {
+ isc_release_request(status, &lookup_req);
+ }
 if (lookup_db)
 {
 isc_db_handle tmp = lookup_db;
@@ -314,11 +305,6 @@ bool SecurityDatabase::lookup_user(const TEXT* user_name, int* uid, int* gid, TE
 isc_rollback_transaction(status, &lookup_trans);
- if (!is_cached)
- {
- isc_detach_database(status, &lookup_db);
- }
-
 return found;
 }
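Review bot: In `SecurityDatabase::fini()` (hunk `@@ -235,19 +218,23 @@`) the teardown condition `if (--counter == 1)` compares against an unexplained 1 with exact equality, so the cached request and attachment are released only on that single transition. `init()` and `fini()` in this hunk only increment and decrement, so nothing visible says which reference is the one left over. If it is meant to be the cached security-database attachment itself, a comment should say so, e.g. `// 1 == only our own cached attachment to the security database is left`. If the calls ever become unbalanced the counter may never land on 1 again and the connection would stay attached, so the comment should state that invariant too.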
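Review bot: The added `isc_release_request(status, &lookup_req);` in the `prepare()` failure branch of `lookup_user` (hunk `@@ -274,6 +261,10 @@`) passes the member handle straight to the API and ignores the result, whereas the database handle just below is first copied into `tmp`. If the release fails, `lookup_req` presumably keeps its old value while its attachment is dropped, and with caching now always on a later lookup could reuse that stale handle; `prepare()` is not visible here, so this needs checking against it. Mirroring the existing pattern would avoid it: `isc_req_handle tmp_req = lookup_req; lookup_req = 0; isc_release_request(status, &tmp_req);`. The same direct-handle calls appear in the `fini()` hunk above. The rest of this branch lies outside the hunk.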
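Review bot: The result of `isc_rollback_transaction(status, &lookup_trans);` at the end of `lookup_user` (hunk `@@ -314,11 +305,6 @@`) is not checked in the lines shown, and this hunk removes the detach that used to follow it in the non-cached build. Since the attachment now always outlives the call, a failed rollback would leave the cached connection in an unknown state for every later authentication. I would test the return value and drop the cached handles on failure so the next lookup reconnects, e.g. `if (isc_rollback_transaction(status, &lookup_trans)) { /* release lookup_req, detach lookup_db */ }`. The function body begins outside the hunk.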