$OpenBSD: patch-dnssec_sign_c,v 1.1 2016/01/16 13:15:26 sthen Exp $

Fix ECDSA signature generation, do not omit leading zeroes.
http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=1139fdc7f6d78cc9a93e46d3defcd05d15c45af0

--- dnssec_sign.c.orig	Fri Jan 10 16:04:41 2014
+++ dnssec_sign.c	Fri Jan 15 23:06:29 2016
@@ -367,6 +367,7 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
 
 #ifdef USE_ECDSA
 #ifndef S_SPLINT_S
+/** returns the number of bytes per signature-component (i.e. bits/8), or 0. */
 static int
 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
 {
@@ -380,11 +381,13 @@ ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
                 EC_KEY_free(ec);
                 return 0;
         }
-        if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
-                EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
-                EC_GROUP_get_curve_name(g) == NID_secp384r1) {
+        if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) {
                 EC_KEY_free(ec);
-                return 1;
+                return 32; /* 256/8 */
+	}
+        if(EC_GROUP_get_curve_name(g) == NID_secp384r1) {
+                EC_KEY_free(ec);
+                return 48; /* 384/8 */
         }
         /* downref the eckey, the original is still inside the pkey */
         EC_KEY_free(ec);
@@ -448,7 +451,8 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
 #ifdef USE_ECDSA
         } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
                 ldns_pkey_is_ecdsa(key)) {
-                sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
+                sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf(
+			b64sig, siglen, ldns_pkey_is_ecdsa(key));
 #endif
 	} else {
 		/* ok output for other types is the same */
