From: Aki Tuomi <cmouse@desteem.org>
Date: Tue, 31 Mar 2015 20:09:22 +0000 (+0300)
Subject: Use hashed input for ECDSA
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~98^2~25^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2404%2Fhead;p=thirdparty%2Fpdns.git

Use hashed input for ECDSA
---

diff --git a/pdns/pkcs11signers.cc b/pdns/pkcs11signers.cc
index f955fe28f9..5db3386fad 100644
--- a/pdns/pkcs11signers.cc
+++ b/pdns/pkcs11signers.cc
@@ -738,7 +738,12 @@ std::string PKCS11DNSCryptoKeyEngine::sign(const std::string& msg) const {
   mech.mechanism = dnssec2smech[d_algorithm];
   mech.pParameter = NULL;
   mech.ulParameterLen = 0;
-  if (d_slot->Sign(msg, result, &mech)) throw PDNSException("Could not sign data");
+
+  if (mech.mechanism == CKM_ECDSA) {
+    if (d_slot->Sign(this->hash(msg), result, &mech)) throw PDNSException("Could not sign data");
+  } else {
+    if (d_slot->Sign(msg, result, &mech)) throw PDNSException("Could not sign data");
+  }
   return result;
 };
 
@@ -798,7 +803,11 @@ bool PKCS11DNSCryptoKeyEngine::verify(const std::string& msg, const std::string&
   mech.mechanism = dnssec2smech[d_algorithm];
   mech.pParameter = NULL;
   mech.ulParameterLen = 0;
-  return (d_slot->Verify(msg, signature, &mech) == 0);
+  if (mech.mechanism == CKM_ECDSA) {
+    return (d_slot->Verify(this->hash(msg), signature, &mech)==0);
+  } else {
+    return (d_slot->Verify(msg, signature, &mech) == 0);
+  }
 };
 
 std::string PKCS11DNSCryptoKeyEngine::getPubKeyHash() const {