From e11963ce69059d1fa47e92927ed48bd744b95348 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Wed, 25 Oct 2017 22:43:35 +0200
Subject: [PATCH 1/2] drop botan 1.x support
---
 build-scripts/debian-authoritative/control.in | 2 +-
 build-scripts/debian-authoritative/rules | 1 -
 build-scripts/travis.sh | 6 +-
 m4/pdns_enable_botan.m4 | 11 +---
 pdns/botansigners.cc | 57 +------------------
 5 files changed, 8 insertions(+), 69 deletions(-)
diff --git a/build-scripts/debian-authoritative/control.in b/build-scripts/debian-authoritative/control.in
index cac26994e406..8a02d908730c 100644
--- a/build-scripts/debian-authoritative/control.in
+++ b/build-scripts/debian-authoritative/control.in
@@ -4,7 +4,7 @@ Priority: extra
 Standards-Version: 3.9.8
 Maintainer: PowerDNS Autobuilder
 Origin: PowerDNS
-Build-Depends: debhelper (>= 9~), dh-autoreconf, dh-systemd, po-debconf, curl, libtool, flex, bison, libmysqlclient-dev, libpq-dev, libssl-dev, libgdbm-dev, libldap2-dev, libsqlite3-dev, dpkg-dev (>= 1.17.0~), libboost-dev, libboost-serialization-dev, libboost-program-options-dev, libboost-test-dev, autotools-dev, automake, autoconf, libluajit5.1-dev, pkg-config, ragel, libgmp-dev, libbotan1.10-dev, libcurl4-openssl-dev, libzmq-dev, libyaml-cpp-dev (>= 0.5), libgeoip-dev, libopendbx1-dev, libcdb-dev, unixodbc-dev (>= 2.3.1), libprotobuf-dev, protobuf-compiler, libp11-kit-dev @LIBSYSTEMDDEV@ @LIBSODIUMDEV@
+Build-Depends: debhelper (>= 9~), dh-autoreconf, dh-systemd, po-debconf, curl, libtool, flex, bison, libmysqlclient-dev, libpq-dev, libssl-dev, libgdbm-dev, libldap2-dev, libsqlite3-dev, dpkg-dev (>= 1.17.0~), libboost-dev, libboost-serialization-dev, libboost-program-options-dev, libboost-test-dev, autotools-dev, automake, autoconf, libluajit5.1-dev, pkg-config, ragel, libgmp-dev, libcurl4-openssl-dev, libzmq-dev, libyaml-cpp-dev (>= 0.5), libgeoip-dev, libopendbx1-dev, libcdb-dev, unixodbc-dev (>= 2.3.1), libprotobuf-dev, protobuf-compiler, libp11-kit-dev @LIBSYSTEMDDEV@ @LIBSODIUMDEV@
 Homepage: http://www.powerdns.com/
 Package: pdns-server
diff --git a/build-scripts/debian-authoritative/rules b/build-scripts/debian-authoritative/rules
index e308ace0ffc1..cb7afb587261 100755
--- a/build-scripts/debian-authoritative/rules
+++ b/build-scripts/debian-authoritative/rules
@@ -50,7 +50,6 @@ override_dh_auto_configure:
 --libexecdir='$${prefix}/lib' \
 --with-dynmodules="$(backends)" \
 --with-modules="" \
- --enable-botan1.10 \
 --enable-tools \
 --enable-unit-tests \
 --with-luajit \
diff --git a/build-scripts/travis.sh b/build-scripts/travis.sh
index b4299ae3776e..d33e0bc5887b 100755
--- a/build-scripts/travis.sh
+++ b/build-scripts/travis.sh
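Review bot: With `--enable-botan1.10` removed from `override_dh_auto_configure` and no `--enable-botan` put in its place, the Debian authoritative package is now configured with Botan off, because the m4 macro changed in this patch keeps `default=no`. The `control.in` hunk likewise drops `libbotan1.10-dev` without adding a Botan 2 development package, and the `build_recursor` hunk in `travis.sh` removes `--enable-botan`, so none of the builds touched here compiles `pdns/botansigners.cc` any more and its only remaining code path goes unbuilt in CI. That file registers the engine for algorithm 12 (`DNSCryptoKeyEngine::report(12, ...)`), so unless another backend provides that algorithm, zones signed with it would presumably lose their signer after a package upgrade. I would state this in the commit message or release notes and add a comment next to the configure flags, for example `# built without --enable-botan: ECC-GOST (algorithm 12) signer not included`.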
@@ -359,7 +359,7 @@ install_dnsdist() { build_auth() { run "./bootstrap" - # Build without --enable-botan1.10 option, Botan/SoftHSM conflict #2496 + # Build without --enable-botan, no botan 2.x in Travis CI run "CFLAGS='-O1' CXXFLAGS='-O1' ./configure \ --with-dynmodules='bind gmysql geoip gpgsql gsqlite3 ldap lua mydns opendbx pipe random remote tinydns godbc' \ --with-modules='' \ @@ -386,9 +386,9 @@ build_recursor() { run "tar xf pdns-recursor-*.tar.bz2" run "rm -f pdns-recursor-*.tar.bz2" run "cd pdns-recursor-*" + # Build without --enable-botan, no botan 2.x in Travis CI run "CFLAGS='-O1' CXXFLAGS='-O1' CXX=${COMPILER} ./configure \ --prefix=$PDNS_RECURSOR_DIR \ - --enable-botan \ --enable-libsodium \ --enable-unit-tests \ --disable-silent-rules" @@ -567,12 +567,12 @@ test_repo(){ } # global build requirements +# Add botan 2.x when available in Travis CI run "sudo apt-get -qq --no-install-recommends install \ libboost-all-dev \ liblua5.1-dev \ libedit-dev \ libprotobuf-dev \ - libbotan1.10-dev \ pandoc\ protobuf-compiler" diff --git a/m4/pdns_enable_botan.m4 b/m4/pdns_enable_botan.m4 index 6728bf4c9e0f..6299d2793f8e 100644 --- a/m4/pdns_enable_botan.m4 +++ b/m4/pdns_enable_botan.m4 @@ -1,5 +1,5 @@ AC_DEFUN([PDNS_ENABLE_BOTAN],[ - AC_MSG_CHECKING([whether we will be linking in Botan]) + AC_MSG_CHECKING([whether we will be linking in Botan 2.x]) AC_ARG_ENABLE([botan], [AS_HELP_STRING([--enable-botan],[use Botan @<:@default=no@:>@])], [enable_botan=$enableval], @@ -9,14 +9,9 @@ AC_DEFUN([PDNS_ENABLE_BOTAN],[ AM_CONDITIONAL(BOTAN, [test "x$enable_botan" != "xno"]) AS_IF([test "x$enable_botan" != "xno"], [ - PKG_CHECK_MODULES([BOTAN], [botan-1.10], + PKG_CHECK_MODULES([BOTAN], [botan-2], [AC_DEFINE([HAVE_BOTAN],[1],[Define to 1 if you have botan])], - [ - PKG_CHECK_MODULES([BOTAN], [botan-2], - [AC_DEFINE([HAVE_BOTAN],[1],[Define to 1 if you have botan])], - [AC_MSG_ERROR([Could not find botan])] - ) - ] + [AC_MSG_ERROR([Could not find botan])] )] ) ]) 
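Review bot: The failure branch of `PKG_CHECK_MODULES([BOTAN], [botan-2], ...)` in `m4/pdns_enable_botan.m4` still reports `Could not find botan`, which is misleading on a host that has only Botan 1.10 installed and passed this check before the change. I would name the required module, e.g. `[AC_MSG_ERROR([Could not find botan 2.x (pkg-config module botan-2)])]`, and change the help text to `[use Botan 2.x @<:@default=no@:>@]` so that `./configure --help` agrees with the new `AC_MSG_CHECKING` wording. Part of the macro body lies between the two m4 hunks and is not shown.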
diff --git a/pdns/botansigners.cc b/pdns/botansigners.cc index 4099b1837da9..603306707136 100644 --- a/pdns/botansigners.cc +++ b/pdns/botansigners.cc @@ -47,11 +47,7 @@ class GOSTDNSCryptoKeyEngine : public DNSCryptoKeyEngine explicit GOSTDNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm) {} ~GOSTDNSCryptoKeyEngine(){} void create(unsigned int bits) override; -#if BOTAN_VERSION_MAJOR < 2 - string getName() const override { return "Botan 1.10 GOST"; } -#else string getName() const override { return "Botan 2 GOST"; } -#endif storvector_t convertToISCVector() const override; std::string getPubKeyHash() const override; std::string sign(const std::string& msg) const override; @@ -70,17 +66,10 @@ class GOSTDNSCryptoKeyEngine : public DNSCryptoKeyEngine } private: -#if BOTAN_VERSION_MAJOR < 2 - static EC_Domain_Params getParams() - { - return EC_Domain_Params("1.2.643.2.2.35.1"); - } -#else static EC_Group getParams() { return EC_Group("gost_256A"); } -#endif shared_ptr d_key; shared_ptr d_pubkey; @@ -165,11 +154,7 @@ namespace { BigInt decode_le(const byte msg[], size_t msg_len) { -#if BOTAN_VERSION_MAJOR < 2 - SecureVector msg_le(msg, msg_len); -#else Botan::secure_vector msg_le(msg, msg + msg_len); -#endif for(size_t i = 0; i != msg_le.size() / 2; ++i) std::swap(msg_le[i], msg_le[msg_le.size()-1-i]); @@ -206,11 +191,7 @@ std::string GOSTDNSCryptoKeyEngine::getPublicKeyString() const size_t part_size = std::max(x.bytes(), y.bytes()); -#if BOTAN_VERSION_MAJOR < 2 - MemoryVector bits(2*part_size); -#else std::vector bits(2*part_size); -#endif x.binary_encode(&bits[part_size - x.bytes()]); y.binary_encode(&bits[2*part_size - y.bytes()]); 
@@ -235,26 +216,10 @@ std::string GOSTDNSCryptoKeyEngine::getPublicKeyString() const
 std::string GOSTDNSCryptoKeyEngine::sign(const std::string& msg) const
 {
 AutoSeeded_RNG rng;
-#if BOTAN_VERSION_MAJOR < 2
- GOST_3410_Signature_Operation ops(*d_key);
-
- string hash= this->hash(msg);
- SecureVector signature=ops.sign((byte*)hash.c_str(), hash.length(), rng);
-
-#if BOTAN_VERSION_CODE <= BOTAN_VERSION_CODE_FOR(1,9,12) // see http://bit.ly/gTytUf
- string reversed((const char*)signature.begin()+ signature.size()/2, signature.size()/2);
- reversed.append((const char*)signature.begin(), signature.size()/2);
- return reversed;
-#else
- return string((const char*)signature.begin(), (const char*) signature.end());
-#endif
-
-#else /* BOTAN_VERSION_MAJOR < 2 */
 PK_Signer signer(*d_key, rng, "Raw");
 signer.update(hash(msg));
 auto signature = signer.signature(rng);
 return string(signature.begin(), signature.end());
-#endif /* BOTAN_VERSION_MAJOR < 2*/
 }
 std::string GOSTDNSCryptoKeyEngine::hash(const std::string& orig) const
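Review bot: `sign()` dereferences `d_key` in `PK_Signer signer(*d_key, rng, "Raw");` without checking that a private key is loaded. `verify()` in the following hunk falls back from `d_pubkey` to `d_key`, which suggests an engine can hold a public key only, and in that state this line dereferences an empty `shared_ptr`. Now that this is the only remaining code path, I would guard it at the top of the function with `if (!d_key) throw std::runtime_error(getName() + ": no private key loaded");`. `verify()` has the same gap when neither pointer is set, since it passes `*pk` to `PK_Verifier` unchecked; whether callers can actually reach either state is not visible from these hunks.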
@@ -268,23 +233,9 @@ std::string GOSTDNSCryptoKeyEngine::hash(const std::string& orig) const
 bool GOSTDNSCryptoKeyEngine::verify(const std::string& message, const std::string& signature) const
 {
 std::shared_ptr pk = d_pubkey ? d_pubkey : d_key;
-#if BOTAN_VERSION_MAJOR < 2
- string hash = this->hash(message);
-
- GOST_3410_Verification_Operation ops(*pk);
-#if BOTAN_VERSION_CODE <= BOTAN_VERSION_CODE_FOR(1,9,12) // see http://bit.ly/gTytUf
- string rsignature(signature.substr(32));
- rsignature.append(signature.substr(0,32));
- return ops.verify ((byte*)hash.c_str(), hash.length(), (byte*)rsignature.c_str(), rsignature.length());
-#else
- return ops.verify ((byte*)hash.c_str(), hash.length(), (byte*)signature.c_str(), signature.length());
-#endif
-
-#else /* BOTAN_VERSION_MAJOR < 2 */
 PK_Verifier verifier(*pk, "Raw");
 verifier.update(hash(message));
 return verifier.check_signature(reinterpret_cast(signature.c_str()), signature.size());
-#endif /* BOTAN_VERSION_MAJOR < 2*/
 }
 /*
@@ -302,13 +253,7 @@ struct LoaderStruct
 {
 LoaderStruct()
 {
-#if BOTAN_VERSION_MAJOR < 2
- new Botan::LibraryInitializer("thread_safe=true");
- // this leaks, but is fine
- Botan::global_state().set_default_allocator("malloc"); // the other Botan allocator slows down for us
-#endif /* BOTAN_VERSION_MAJOR < 2*/
-
 DNSCryptoKeyEngine::report(12, &GOSTDNSCryptoKeyEngine::maker);
 }
-} loaderBotan110;
+} loaderBotan2;
 }
From 00f1924bb1900e8c6eab1bd0fe03ff21d41f38eb Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Thu, 26 Oct 2017 01:06:54 +0200
Subject: [PATCH 2/2] replace depricated botan.h include
---
 pdns/botansigners.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pdns/botansigners.cc b/pdns/botansigners.cc
index 603306707136..5d7b43b62b5b 100644
--- a/pdns/botansigners.cc
+++ b/pdns/botansigners.cc
@@ -22,8 +22,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
-#include
-#include
+#include
 #include
 #include
 #include