From: Bert Hubert
Date: Sun, 9 Jan 2011 18:26:04 +0000 (+0000)
Subject: index the signature cache on the hash of the public key instead of on the whole key!
X-Git-Tag: auth-3.0~398
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6e015d20a605833b2b9963dbb25f3201ebc0f001;p=pdns

index the signature cache on the hash of the public key instead of on the whole key!

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1849 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 2b8fc64fd..92afa221a 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -33,6 +33,22 @@ void RSAContext::create(unsigned int bits)
 throw runtime_error("Key generation failed");
 }
+std::string RSAContext::getPubKeyHash()
+{
+ unsigned char hash[20];
+ unsigned char N[mpi_size(&d_context.N)];
+ mpi_write_binary(&d_context.N, N, sizeof(N));
+ unsigned char E[mpi_size(&d_context.E)];
+ mpi_write_binary(&d_context.E, E, sizeof(E));
+
+ sha1_context ctx;
+ sha1_starts(&ctx);
+ sha1_update(&ctx, N, sizeof(N));
+ sha1_update(&ctx, E, sizeof(E));
+ sha1_finish(&ctx, hash);
+ return string((char*)hash, sizeof(hash));
+}
+
 std::string RSAContext::convertToISC(unsigned int algorithm) const
 {
 string ret;
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index ad99fe3ec..8d2850868 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -80,7 +80,7 @@ public:
 void create(unsigned int bits);
 std::string convertToISC(unsigned int algorithm) const;
-
+ std::string getPubKeyHash();
 private:
 rsa_context d_context;
 };
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 4484a6764..c8a34fefd 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
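Review bot: The cache key produced by getPubKeyHash() is not an injective encoding of (N, E): `mpi_write_binary` fills each buffer with exactly `mpi_size()` bytes and the two buffers are fed to SHA-1 back to back with no length prefix or separator, so two distinct key pairs whose concatenated bytes coincide would get the same hash, and the signature cache keyed on it (dnssecsigner.cc in this commit) would then return an RRSIG made with the other key. The collision is unlikely at realistic RSA sizes, but ruling it out costs one line before the `sha1_update(&ctx, N, sizeof(N))` call: `size_t nlen = sizeof(N); sha1_update(&ctx, (const unsigned char*)&nlen, sizeof(nlen));` (SHA-1's own length padding then fixes the length of E). Separately, `N` and `E` are variable-length arrays sized by `mpi_size()`; if that can return 0 for a context on which `create()` has not yet been called, the zero-length array is undefined behaviour, so a guard such as `if(!mpi_size(&d_context.N)) throw runtime_error("getPubKeyHash: key not initialised");` at the top of the function is worth adding, with a one-line header comment stating that the return value is the SHA-1 of N||E and is used only as an in-process cache key.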
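Review bot: `getPubKeyHash()` is declared without `const`, although its definition in this commit only reads `d_context` through `mpi_size` and `mpi_write_binary`, and the neighbouring `convertToISC` is `const`. A const accessor lets callers that hold a `const RSAContext&` (or keys stored in a map) compute the cache key without a copy or cast; change the declaration to `std::string getPubKeyHash() const;` and add `const` to the definition to match. This assumes the bundled PolarSSL `mpi_size`/`mpi_write_binary` accept a `const mpi*`, which should be confirmed against the header before the change.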
@@ -120,7 +120,7 @@ void addSignature(DNSSECKeeper& dk, const std::string signQName, const std::stri
 }
 static pthread_mutex_t g_signatures_lock = PTHREAD_MUTEX_INITIALIZER;
-static map, string> g_signatures;
+static map, string> g_signatures;
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector >& toSign)
 {
@@ -131,15 +131,17 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
 string realhash=getHashForRRSET(signQName, rrc, toSign); // this is what we sign
 unsigned char signature[mpi_size(&rc.getContext().N)];
-
+ pair lookup(rc.getPubKeyHash(), realhash);
+
 {
 Lock l(&g_signatures_lock);
-
- // this is mindbogglingly inefficient, we store the whole private key as index!
- if(g_signatures.count(make_pair(rc, realhash))) {
- rrc.d_signature=g_signatures[make_pair(rc, realhash)];
+ if(g_signatures.count(lookup)) {
+ // cerr<<"Hit!"<
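Review bot: Now that `g_signatures` is keyed on a hash of the public key rather than on the key object, everything else that distinguishes two signatures made with the same (N, E) — the RRSIG algorithm number, key tag, inception/expiration and signer name — must be carried by the second element of the key; `realhash` comes from `getHashForRRSET(signQName, rrc, toSign)` in the following hunk, which presumably covers the RRSIG RDATA, but that is not visible here and should be confirmed, since a key reused under two algorithm numbers with different digests (e.g. RSASHA1 and RSASHA256) would otherwise be served a cached signature for the wrong algorithm. The cache's invariant deserves a comment above the declaration, e.g. `// key: (hash of the signing public key, hash of the RRSIG+RRset being signed) -> signature; both parts must fully determine the signature`. The enclosing `fillOutRRSIG` body runs past the end of the hunk shown here.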