From 8f125accf3a925ea9b418b8b955db8126ea49412 Mon Sep 17 00:00:00 2001
From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Thu, 27 Jan 2011 15:37:11 +0000
Subject: [PATCH] with this patch, PowerDNS works around a bug in the Botan
 GOST code. Post Botan 1.9.12, the bugfix will automatically disable itself,
 so let's hope they have it fixed by then ;-) See http://bit.ly/gTytUf

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1920 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/botan19signers.cc | 20 +++++++++++++-------
 pdns/pdnssec.cc        |  5 ++---
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/pdns/botan19signers.cc b/pdns/botan19signers.cc
index 398e59a0ef..7ce6ed8a8c 100644
--- a/pdns/botan19signers.cc
+++ b/pdns/botan19signers.cc
@@ -211,8 +211,14 @@ std::string GOSTDNSPrivateKey::sign(const std::string& hash) const
   GOST_3410_Signature_Operation ops(*d_key);
   AutoSeeded_RNG rng;
   SecureVector<byte> signature=ops.sign((byte*)hash.c_str(), hash.length(), rng);
-  
+
+#if BOTAN_VERSION_CODE <= BOTAN_VERSION_CODE_FOR(1,9,12)  // see http://bit.ly/gTytUf
+  string reversed((const char*)signature.begin()+ signature.size()/2, signature.size()/2);
+  reversed.append((const char*)signature.begin(), signature.size()/2);
+  return reversed;
+#else  
   return string((const char*)signature.begin(), (const char*) signature.end());
+#endif
 }
 
 std::string GOSTDNSPrivateKey::hash(const std::string& orig) const
@@ -229,19 +235,19 @@ bool GOSTDNSPrivateKey::verify(const std::string& hash, const std::string& signa
 {
   GOST_3410_PublicKey* pk;
   if(d_pubkey) {
-    cerr<<"Worked from the public key"<<endl;
     pk =d_pubkey.get();
   }
   else
     pk = d_key.get();
     
   GOST_3410_Verification_Operation ops(*pk);
-  /* 
-  string rhash(hash);
-  for(string::size_type pos = 0 ; pos < rhash.size()/2; ++pos)
-    swap(rhash[pos], rhash[rhash.size()-1-pos]);
-  */
+#if BOTAN_VERSION_CODE <= BOTAN_VERSION_CODE_FOR(1,9,12)  // see http://bit.ly/gTytUf
+  string rsignature(signature.substr(32));
+  rsignature.append(signature.substr(0,32));
+  return ops.verify ((byte*)hash.c_str(), hash.length(), (byte*)rsignature.c_str(), rsignature.length());
+#else
   return ops.verify ((byte*)hash.c_str(), hash.length(), (byte*)signature.c_str(), signature.length());
+#endif
 }
 
 /*
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index ecab770f13..61f93f43cf 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -207,10 +207,9 @@ void verifyCrypto(const string& zone)
       toSign.push_back(shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content)));
     }
   }
-  DNSPrivateKey* dpk = DNSPrivateKey::makeFromPublicKeyString(drc.d_algorithm, drc.d_key);
-  string hash = getHashForRRSET(qname, rrc, toSign);        
   
-  cerr<<"Verify: "<<dpk->verify(hash, rrc.d_signature)<<endl;
+  string hash = getHashForRRSET(qname, rrc, toSign);        
+  cerr<<"Verify: "<<DNSPrivateKey::makeFromPublicKeyString(drc.d_algorithm, drc.d_key)->verify(hash, rrc.d_signature)<<endl;
   if(dsrc.d_digesttype) {
     cerr<<"Calculated DS: "<<apex<<" IN DS "<<makeDSFromDNSKey(apex, drc, dsrc.d_digesttype).getZoneRepresentation()<<endl;
     cerr<<"Original DS:   "<<apex<<" IN DS "<<dsrc.getZoneRepresentation()<<endl;
-- 
2.47.3