From 3a1b79f6a1caca93a40361dbf5c3cf6fa3e39e38 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 30 Sep 2024 09:25:51 +0200
Subject: [PATCH] - Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt.
---
 doc/Changelog | 4 ++++
 validator/val_neg.c | 6 ++++--
 validator/val_nsec3.c | 6 ++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 9172b2199..885ac55a7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+30 September 2024: Wouter
+ - Fix negative cache NSEC3 parameter compares for zero length NSEC3
+ salt.
+
 25 September 2024: Wouter
 - Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
 This adds the option `log-time-iso: yes` that logs in ISO8601
diff --git a/validator/val_neg.c b/validator/val_neg.c
index 52bc68387..b5b678fde 100644
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -823,7 +823,8 @@ void neg_insert_data(struct val_neg_cache* neg,
 it <= neg->nsec3_max_iter && (h != zone->nsec3_hash || it != zone->nsec3_iter || slen != zone->nsec3_saltlen ||
- memcmp(zone->nsec3_salt, s, slen) != 0)) {
+ (slen != 0 && zone->nsec3_salt && s
+ && memcmp(zone->nsec3_salt, s, slen) != 0))) {
 if(slen > 0) {
 uint8_t* sa = memdup(s, slen);
@@ -1206,7 +1207,8 @@ neg_params_ok(struct val_neg_zone* zone, struct ub_packed_rrset_key* rrset)
 return 0;
 return (h == zone->nsec3_hash && it == zone->nsec3_iter && slen == zone->nsec3_saltlen &&
- memcmp(zone->nsec3_salt, s, slen) == 0);
+ (slen != 0 && zone->nsec3_salt && s
+ && memcmp(zone->nsec3_salt, s, slen) == 0));
 }
 /** get next closer for nsec3 proof */
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index e790e9982..998fcc4e3 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
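Review bot: In the neg_params_ok hunk the new salt clause starts with `slen != 0 &&`, so it is false for every zero-length salt and the function returns 0 even when hash, iteration count and salt length all match. The NULL-pointer memcmp is avoided, but an empty salt can now never pass the parameter check, which is the case this commit sets out to fix. The failure is on the safe side (matching NSEC3 data is rejected, not accepted), so it would presumably show up as cached NSEC3 records for empty-salt zones going unused rather than as a validation bypass. The equality test needs the opposite short-circuit from the inequality test in neg_insert_data, which is correct as written: `(slen == 0 || (zone->nsec3_salt && s && memcmp(zone->nsec3_salt, s, slen) == 0))`. A unit test that runs the check with a zero-length salt on both sides would pin the behaviour.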
@@ -565,7 +565,8 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
 sldns_buffer_clear(buf);
 sldns_buffer_write(buf, nm, nmlen);
 query_dname_tolower(sldns_buffer_begin(buf));
- sldns_buffer_write(buf, salt, saltlen);
+ if(saltlen != 0)
+ sldns_buffer_write(buf, salt, saltlen);
 sldns_buffer_flip(buf);
 hash_len = nsec3_hash_algo_size_supported(algo);
 if(hash_len == 0) {
@@ -580,7 +581,8 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
 for(i=0; i
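Review bot: The `if(saltlen != 0)` guard added before `sldns_buffer_write(buf, salt, saltlen)` in the first nsec3_get_hashed hunk carries no comment, and a zero-length write looks harmless enough that a later cleanup could remove the guard again. If the reason is that salt may be a NULL pointer when saltlen is 0 (not visible in this hunk, so worth confirming), say so on the line above, for example `/* salt may be NULL when saltlen is 0; skip the write rather than pass NULL */`. nsec3_get_hashed begins and ends outside the hunk.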