From 13c03888b965bd0458ef67a08b553a19b2d06fc1 Mon Sep 17 00:00:00 2001
From: Bob Halley
Date: Mon, 26 Aug 2013 09:14:01 -0700
Subject: [PATCH] Make multi-message TSIGs compute correctly for algorithms other than MD5
---
 ChangeLog | 7 +++++++
 dns/tsig.py | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6a076d1c..4cfcf8f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-08-26 Bob Halley
+
+ * dns/tsig.py (sign): multi-message TSIGs were broken for
+ algorithms other than HMAC-MD5 because we weren't passing the
+ right digest module to the HMAC code. Thanks to salzmdan for
+ reporting the bug.
+
 2013-07-01 Bob Halley

 * (Version 1.11.0 released)
diff --git a/dns/tsig.py b/dns/tsig.py
index 63b925af..6e97dcea 100644
--- a/dns/tsig.py
+++ b/dns/tsig.py
@@ -111,7 +111,7 @@ def sign(wire, keyname, secret, time, fudge, original_id, error,
 mpack = struct.pack('!H', len(mac))
 tsig_rdata = pre_mac + mpack + mac + id + post_mac
 if multi:
- ctx = hmac.new(secret)
+ ctx = hmac.new(secret, digestmod=digestmod)
 ml = len(mac)
 ctx.update(struct.pack('!H', ml))
 ctx.update(mac)
-- 
2.47.3
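Review bot: The one-line fix at `ctx = hmac.new(secret, digestmod=digestmod)` in `sign` ships without a regression test (the diffstat touches only ChangeLog and dns/tsig.py), so nothing pins that the context carried into the next message uses the key's configured algorithm. Before this change the re-seeded context fell back to the hmac module's default digest, so two peers running the same code would presumably have agreed on the wrong MAC for every message after the first. A test should therefore check a multi-message HMAC-SHA256 sequence against an independently computed MAC rather than only round-tripping sign and validate. A short comment above the line would also help: `# re-seed with the same digest as the first message; hmac's default is not the TSIG algorithm`. Most of `sign`, including where `digestmod` is selected, lies outside the hunk.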