From 0fda1d9170f0e460c134e1ce7851de7089440277 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Tue, 31 Mar 2015 23:09:22 +0300
Subject: [PATCH] Use hashed input for ECDSA

---
 pdns/pkcs11signers.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/pdns/pkcs11signers.cc b/pdns/pkcs11signers.cc
index ace7eab17..4d97b219b 100644
--- a/pdns/pkcs11signers.cc
+++ b/pdns/pkcs11signers.cc
@@ -736,7 +736,12 @@ std::string PKCS11DNSCryptoKeyEngine::sign(const std::string& msg) const {
 mech.mechanism = dnssec2smech[d_algorithm];
 mech.pParameter = NULL;
 mech.ulParameterLen = 0;
- if (d_slot->Sign(msg, result, &mech)) throw PDNSException("Could not sign data");
+
+ if (mech.mechanism == CKM_ECDSA) {
+ if (d_slot->Sign(this->hash(msg), result, &mech)) throw PDNSException("Could not sign data");
+ } else {
+ if (d_slot->Sign(msg, result, &mech)) throw PDNSException("Could not sign data");
+ }
 return result;
 };
 
@@ -796,7 +801,11 @@ bool PKCS11DNSCryptoKeyEngine::verify(const std::string& msg, const std::string&
 mech.mechanism = dnssec2smech[d_algorithm];
 mech.pParameter = NULL;
 mech.ulParameterLen = 0;
- return (d_slot->Verify(msg, signature, &mech) == 0);
+ if (mech.mechanism == CKM_ECDSA) {
+ return (d_slot->Verify(this->hash(msg), signature, &mech)==0);
+ } else {
+ return (d_slot->Verify(msg, signature, &mech) == 0);
+ }
 };
 
 std::string PKCS11DNSCryptoKeyEngine::getPubKeyHash() const {
-- 
2.40.0
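Review bot: The `mech.mechanism == CKM_ECDSA` branch in sign() carries no comment explaining why only this mechanism gets pre-hashed input, and the same unexplained special case is repeated in verify() in the next hunk. CKM_ECDSA is the raw PKCS#11 mechanism that signs an already-computed digest, so I would add `// CKM_ECDSA signs a precomputed digest, so hash msg first` above the test; otherwise another raw mechanism added to `dnssec2smech` later could end up signing unhashed data unnoticed. The branch is only correct if `this->hash(msg)` yields the digest that belongs to `d_algorithm` and reports failure by throwing rather than returning an empty string, neither of which is visible here, so please confirm. The two Sign calls differ only in their input and could collapse to `const std::string input = (mech.mechanism == CKM_ECDSA) ? this->hash(msg) : msg;` followed by a single `if (d_slot->Sign(input, result, &mech)) throw PDNSException("Could not sign data");`. sign() starts above this hunk.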
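Review bot: Both new return statements in verify() reduce every non-zero result from `d_slot->Verify(...)` to `false`, so a token or session error cannot be told apart from a genuinely bad signature, whereas sign() throws on failure. Returning false is the safe direction for validation, but the return code is dropped without a trace; consider keeping it in a local (`auto rv = d_slot->Verify(...);`) and logging it when it is not the signature-invalid value before `return rv == 0;`. Whether `this->hash(msg)` can throw out of this bool-returning function is not visible in the hunk and is worth confirming against what callers expect. The added ECDSA line also writes `)==0` where the line beside it uses `) == 0`. verify() starts above this hunk.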