From: Bob Halley
Date: Mon, 26 Aug 2013 16:14:51 +0000 (-0700)
Subject: Make multi-message TSIGs compute correctly for algorithms other than MD5
X-Git-Tag: v1.11.1-py3~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e25ee875d9d5b6f1cd4cd06e4127c1fbfa557bef;p=thirdparty%2Fdnspython.git
Make multi-message TSIGs compute correctly for algorithms other than MD5
---
diff --git a/ChangeLog b/ChangeLog
index 2e442209..31544869 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-08-26 Bob Halley
+
+ * dns/tsig.py (sign): multi-message TSIGs were broken for
+ algorithms other than HMAC-MD5 because we weren't passing the
+ right digest module to the HMAC code. Thanks to salzmdan for
+ reporting the bug.
+
 2013-07-01 Bob Halley
 
 * (Version 1.11.0 released)
diff --git a/dns/tsig.py b/dns/tsig.py
index 603f039c..6d801d49 100644
--- a/dns/tsig.py
+++ b/dns/tsig.py
@@ -111,7 +111,7 @@ def sign(wire, keyname, secret, time, fudge, original_id, error,
 mpack = struct.pack('!H', len(mac))
 tsig_rdata = pre_mac + mpack + mac + id + post_mac
 if multi:
- ctx = hmac.new(secret)
+ ctx = hmac.new(secret, digestmod=digestmod)
 ml = len(mac)
 ctx.update(struct.pack('!H', ml))
 ctx.update(mac)
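Review bot: The continuation context built in the `if multi:` branch of dns/tsig.py has no comment explaining that it must use the same digest as the MAC just computed. That is how the bare `hmac.new(secret)` went unnoticed, since it fell back to the library's default digest, which the ChangeLog entry implies was MD5. I would add `# Seed the next message's context with the negotiated digest; omitting digestmod falls back to hmac's default.` directly above `ctx = hmac.new(secret, digestmod=digestmod)`. The patch as shown touches only ChangeLog and dns/tsig.py, so nothing here pins the behaviour; a test that signs and validates a two-message exchange under a non-MD5 algorithm would keep a silent fallback from returning. The body of `sign` starts and ends outside the hunk, so whether the first context is constructed the same way cannot be confirmed from these lines.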