c88997
From 4827d4b06c2aaec913536143e4a26a0904d1fc58 Mon Sep 17 00:00:00 2001
c88997
From: Mark Andrews <marka@isc.org>
c88997
Date: Fri, 7 Jul 2017 23:19:05 +1000
c88997
Subject: [PATCH] 4647. [bug] Change 4643 broke verification of TSIG signed TCP
c88997
 message sequences where not all the messages contain TSIG records. These may
c88997
 be used in AXFR and IXFR responses. [RT #45509]
c88997
c88997
(cherry picked from commit 58f0fb325bbd9258d06431281eb8fdea2b126305)
c88997
---
c88997
 lib/dns/tests/Makefile.in |   9 +-
c88997
 lib/dns/tests/tsig_test.c | 489 ++++++++++++++++++++++++++++++++++++++++++++++
c88997
 lib/dns/tsig.c            |  10 +-
c88997
 3 files changed, 504 insertions(+), 4 deletions(-)
c88997
 create mode 100644 lib/dns/tests/tsig_test.c
c88997
c88997
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
c88997
index 8d1b83e..023e60c 100644
c88997
--- a/lib/dns/tests/Makefile.in
c88997
+++ b/lib/dns/tests/Makefile.in
c88997
@@ -39,13 +39,13 @@ LIBS =		@LIBS@ @ATFLIBS@
c88997
 
c88997
 OBJS =		dnstest.@O@
c88997
 SRCS =		dnstest.c gost_test.c master_test.c dbiterator_test.c time_test.c \
c88997
-		private_test.c update_test.c zonemgr_test.c zt_test.c \
c88997
+		private_test.c tsig_test.c update_test.c zonemgr_test.c zt_test.c \
c88997
 		dbdiff_test.c geoip_test.c dispatch_test.c nsec3_test.c \
c88997
 		rdataset_test.c rdata_test.c
c88997
 
c88997
 SUBDIRS =
c88997
 TARGETS =	gost_test@EXEEXT@ master_test@EXEEXT@ dbiterator_test@EXEEXT@ time_test@EXEEXT@ \
c88997
-		private_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \
c88997
+		private_test@EXEEXT@ tsig_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \
c88997
 		zt_test@EXEEXT@ dbversion_test@EXEEXT@ dbdiff_test@EXEEXT@ geoip_test@EXEEXT@ \
c88997
 		dispatch_test@EXEEXT@ nsec3_test@EXEEXT@ \
c88997
 		rdataset_test@EXEEXT@ rdata_test@EXEEXT@
c88997
@@ -134,6 +134,11 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
c88997
 			geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
c88997
 			${ISCLIBS} ${LIBS}
c88997
 
c88997
+tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
c88997
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
c88997
+			tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
c88997
+			${ISCLIBS} ${LIBS}
c88997
+
c88997
 unit::
c88997
 	sh ${top_srcdir}/unit/unittest.sh
c88997
 
c88997
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
c88997
new file mode 100644
c88997
index 0000000..956e4a0
c88997
--- /dev/null
c88997
+++ b/lib/dns/tests/tsig_test.c
c88997
@@ -0,0 +1,489 @@
c88997
+/*
c88997
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
c88997
+ *
c88997
+ * This Source Code Form is subject to the terms of the Mozilla Public
c88997
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
c88997
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
c88997
+ */
c88997
+
c88997
+/* ! \file */
c88997
+
c88997
+#include <config.h>
c88997
+#include <atf-c.h>
c88997
+#include <isc/mem.h>
c88997
+
c88997
+#include <dns/rdatalist.h>
c88997
+#include <dns/rdataset.h>
c88997
+#include <dns/tsig.h>
c88997
+
c88997
+#include "dnstest.h"
c88997
+
c88997
+#ifdef HAVE_INTTYPES_H
c88997
+#include <inttypes.h> /* uintptr_t */
c88997
+#endif
c88997
+
c88997
+static int debug = 0;
c88997
+
c88997
+static isc_result_t
c88997
+add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
c88997
+	dns_rdata_any_tsig_t tsig;
c88997
+	dns_rdata_t rdata = DNS_RDATA_INIT;
c88997
+	isc_buffer_t databuf;
c88997
+	isc_region_t r;
c88997
+	isc_result_t result;
c88997
+	unsigned char tsigbuf[1024];
c88997
+
c88997
+	isc_buffer_usedregion(buf, &r);
c88997
+	dns_rdata_fromregion(&rdata, dns_rdataclass_any,
c88997
+			     dns_rdatatype_tsig, &r);
c88997
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
c88997
+	CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
c88997
+	isc_buffer_putuint16(&databuf, tsig.siglen);
c88997
+	isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
c88997
+	isc_buffer_usedregion(&databuf, &r);
c88997
+	result = dst_context_adddata(tsigctx, &r);
c88997
+	dns_rdata_freestruct(&tsig);
c88997
+ cleanup:
c88997
+	return (result);
c88997
+}
c88997
+
c88997
+static isc_result_t
c88997
+add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
c88997
+	dns_compress_t cctx;
c88997
+	dns_rdata_any_tsig_t tsig;
c88997
+	dns_rdata_t rdata = DNS_RDATA_INIT;
c88997
+	dns_rdatalist_t rdatalist;
c88997
+	dns_rdataset_t rdataset;
c88997
+	isc_buffer_t *dynbuf = NULL;
c88997
+	isc_buffer_t databuf;
c88997
+	isc_buffer_t sigbuf;
c88997
+	isc_region_t r;
c88997
+	isc_result_t result = ISC_R_SUCCESS;
c88997
+	isc_stdtime_t now;
c88997
+	unsigned char tsigbuf[1024];
c88997
+	unsigned int count;
c88997
+	unsigned int sigsize;
c88997
+	isc_boolean_t invalidate_ctx = ISC_FALSE;
c88997
+
c88997
+	CHECK(dns_compress_init(&cctx, -1, mctx));
c88997
+	invalidate_ctx = ISC_TRUE;
c88997
+
c88997
+	memset(&tsig, 0, sizeof(tsig));
c88997
+	       tsig.common.rdclass = dns_rdataclass_any;
c88997
+	tsig.common.rdtype = dns_rdatatype_tsig;
c88997
+	ISC_LINK_INIT(&tsig.common, link);
c88997
+	dns_name_init(&tsig.algorithm, NULL);
c88997
+	dns_name_clone(key->algorithm, &tsig.algorithm);
c88997
+
c88997
+	isc_stdtime_get(&now;;
c88997
+	tsig.timesigned = now;
c88997
+	tsig.fudge = DNS_TSIG_FUDGE;
c88997
+	tsig.originalid = 50;
c88997
+	tsig.error = dns_rcode_noerror;
c88997
+	tsig.otherlen = 0;
c88997
+	tsig.other = NULL;
c88997
+
c88997
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
c88997
+	isc_buffer_putuint48(&databuf, tsig.timesigned);
c88997
+	isc_buffer_putuint16(&databuf, tsig.fudge);
c88997
+	isc_buffer_usedregion(&databuf, &r);
c88997
+	CHECK(dst_context_adddata(tsigctx, &r);;
c88997
+
c88997
+	CHECK(dst_key_sigsize(key->key, &sigsize));
c88997
+	tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
c88997
+	if (tsig.signature == NULL)
c88997
+		CHECK(ISC_R_NOMEMORY);
c88997
+	isc_buffer_init(&sigbuf, tsig.signature, sigsize);
c88997
+	CHECK(dst_context_sign(tsigctx, &sigbuf));
c88997
+	tsig.siglen = isc_buffer_usedlength(&sigbuf);
c88997
+
c88997
+	CHECK(isc_buffer_allocate(mctx, &dynbuf, 512));
c88997
+	CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any,
c88997
+				   dns_rdatatype_tsig, &tsig, dynbuf));
c88997
+	dns_rdatalist_init(&rdatalist);
c88997
+	rdatalist.rdclass = dns_rdataclass_any;
c88997
+	rdatalist.type = dns_rdatatype_tsig;
c88997
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
c88997
+	dns_rdataset_init(&rdataset);
c88997
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
c88997
+	CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx,
c88997
+				  target, 0, &count));
c88997
+
c88997
+	/*
c88997
+	 * Fixup additional record count.
c88997
+	 */
c88997
+	((unsigned char*)target->base)[11]++;
c88997
+	if (((unsigned char*)target->base)[11] == 0)
c88997
+		((unsigned char*)target->base)[10]++;
c88997
+ cleanup:
c88997
+	if (tsig.signature != NULL)
c88997
+		isc_mem_put(mctx, tsig.signature, sigsize);
c88997
+	if (dynbuf != NULL)
c88997
+		isc_buffer_free(&dynbuf);
c88997
+	if (invalidate_ctx)
c88997
+		dns_compress_invalidate(&cctx);
c88997
+
c88997
+	return (result);
c88997
+}
c88997
+
c88997
+static void
c88997
+printmessage(dns_message_t *msg) {
c88997
+	isc_buffer_t b;
c88997
+	char *buf = NULL;
c88997
+	int len = 1024;
c88997
+	isc_result_t result = ISC_R_SUCCESS;
c88997
+
c88997
+	if (!debug)
c88997
+		return;
c88997
+
c88997
+	do {
c88997
+		buf = isc_mem_get(mctx, len);
c88997
+		if (buf == NULL) {
c88997
+			result = ISC_R_NOMEMORY;
c88997
+			break;
c88997
+		}
c88997
+
c88997
+		isc_buffer_init(&b, buf, len);
c88997
+		result = dns_message_totext(msg, &dns_master_style_debug,
c88997
+					    0, &b);
c88997
+		if (result == ISC_R_NOSPACE) {
c88997
+			isc_mem_put(mctx, buf, len);
c88997
+			len *= 2;
c88997
+		} else if (result == ISC_R_SUCCESS)
c88997
+			printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf);
c88997
+	} while (result == ISC_R_NOSPACE);
c88997
+
c88997
+	if (buf != NULL)
c88997
+		isc_mem_put(mctx, buf, len);
c88997
+}
c88997
+
c88997
+static void
c88997
+render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
c88997
+       isc_buffer_t **tsigin, isc_buffer_t **tsigout,
c88997
+       dst_context_t *tsigctx)
c88997
+{
c88997
+	dns_message_t *msg = NULL;
c88997
+	dns_compress_t cctx;
c88997
+	isc_result_t result;
c88997
+
c88997
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg;;
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_create: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	msg->id = 50;
c88997
+	msg->rcode = dns_rcode_noerror;
c88997
+	msg->flags = flags;
c88997
+
c88997
+	if (tsigin == tsigout)
c88997
+		msg->tcp_continuation = 1;
c88997
+
c88997
+	if (tsigctx == NULL) {
c88997
+		result = dns_message_settsigkey(msg, key);
c88997
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+				 "dns_message_settsigkey: %s",
c88997
+				 dns_result_totext(result));
c88997
+
c88997
+		result = dns_message_setquerytsig(msg, *tsigin);
c88997
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+				 "dns_message_setquerytsig: %s",
c88997
+				 dns_result_totext(result));
c88997
+	}
c88997
+
c88997
+	result = dns_compress_init(&cctx, -1, mctx);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_compress_init: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_renderbegin(msg, &cctx, buf);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_renderbegin: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_renderend(msg);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_renderend: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	if (tsigctx != NULL) {
c88997
+		isc_region_t r;
c88997
+
c88997
+		isc_buffer_usedregion(buf, &r);
c88997
+		result = dst_context_adddata(tsigctx, &r);
c88997
+	} else {
c88997
+		if (tsigin == tsigout && *tsigin != NULL)
c88997
+			isc_buffer_free(tsigin);
c88997
+
c88997
+		result = dns_message_getquerytsig(msg, mctx, tsigout);
c88997
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+				 "dns_message_getquerytsig: %s",
c88997
+				 dns_result_totext(result));
c88997
+	}
c88997
+
c88997
+	dns_compress_invalidate(&cctx);
c88997
+	dns_message_destroy(&msg;;
c88997
+}
c88997
+
c88997
+/*
c88997
+ * Check that a simulated three message TCP sequence where the first
c88997
+ * and last messages contain TSIGs but the intermediate message doesn't
c88997
+ * correctly verifies.
c88997
+ */
c88997
+ATF_TC(tsig_tcp);
c88997
+ATF_TC_HEAD(tsig_tcp, tc) {
c88997
+	atf_tc_set_md_var(tc, "descr", "test tsig tcp-continuation validation");
c88997
+}
c88997
+ATF_TC_BODY(tsig_tcp, tc) {
c88997
+	dns_name_t *tsigowner = NULL;
c88997
+	dns_fixedname_t fkeyname;
c88997
+	dns_message_t *msg = NULL;
c88997
+	dns_name_t *keyname;
c88997
+	dns_tsig_keyring_t *ring = NULL;
c88997
+	dns_tsigkey_t *key = NULL;
c88997
+	isc_buffer_t *buf = NULL;
c88997
+	isc_buffer_t *querytsig = NULL;
c88997
+	isc_buffer_t *tsigin = NULL;
c88997
+	isc_buffer_t *tsigout = NULL;
c88997
+	isc_result_t result;
c88997
+	unsigned char secret[16] = { 0 };
c88997
+	dst_context_t *tsigctx = NULL;
c88997
+	dst_context_t *outctx = NULL;
c88997
+
c88997
+	UNUSED(tc);
c88997
+
c88997
+	result = dns_test_begin(stderr, ISC_FALSE);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	/* isc_log_setdebuglevel(lctx, 99); */
c88997
+
c88997
+	dns_fixedname_init(&fkeyname);
c88997
+	keyname = dns_fixedname_name(&fkeyname);
c88997
+	result = dns_name_fromstring(keyname, "test", 0, NULL);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	result = dns_tsigkeyring_create(mctx, &ring);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
c88997
+				    secret, sizeof(secret), ISC_FALSE,
c88997
+				    NULL, 0, 0, mctx, ring, &key);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	/*
c88997
+	 * Create request.
c88997
+	 */
c88997
+	result = isc_buffer_allocate(mctx, &buf, 65535);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+	render(buf, 0, key, &tsigout, &querytsig, NULL);
c88997
+	isc_buffer_free(&buf;;
c88997
+
c88997
+	/*
c88997
+	 * Create response message 1.
c88997
+	 */
c88997
+	result = isc_buffer_allocate(mctx, &buf, 65535);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+	render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
c88997
+
c88997
+	/*
c88997
+	 * Process response message 1.
c88997
+	 */
c88997
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg;;
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_create: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_settsigkey(msg, key);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_settsigkey: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_parse(msg, buf, 0);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_parse: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	printmessage(msg);
c88997
+
c88997
+	result = dns_message_setquerytsig(msg, querytsig);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_setquerytsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_tsig_verify: %s",
c88997
+			 dns_result_totext(result));
c88997
+	ATF_CHECK_EQ(msg->verified_sig, 1);
c88997
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
c88997
+
c88997
+	/*
c88997
+	 * Check that we have a TSIG in the first message.
c88997
+	 */
c88997
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
c88997
+
c88997
+	result = dns_message_getquerytsig(msg, mctx, &tsigin);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_getquerytsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	tsigctx = msg->tsigctx;
c88997
+	msg->tsigctx = NULL;
c88997
+	isc_buffer_free(&buf;;
c88997
+	dns_message_destroy(&msg;;
c88997
+
c88997
+	result = dst_context_create2(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
c88997
+				     &outctx);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	/*
c88997
+	 * Start digesting.
c88997
+	 */
c88997
+	result = add_mac(outctx, tsigout);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	/*
c88997
+	 * Create response message 2.
c88997
+	 */
c88997
+	result = isc_buffer_allocate(mctx, &buf, 65535);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
c88997
+
c88997
+	/*
c88997
+	 * Process response message 2.
c88997
+	 */
c88997
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg;;
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_create: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	msg->tcp_continuation = 1;
c88997
+	msg->tsigctx = tsigctx;
c88997
+	tsigctx = NULL;
c88997
+
c88997
+	result = dns_message_settsigkey(msg, key);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_settsigkey: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_parse(msg, buf, 0);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_parse: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	printmessage(msg);
c88997
+
c88997
+	result = dns_message_setquerytsig(msg, tsigin);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_setquerytsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_tsig_verify: %s",
c88997
+			 dns_result_totext(result));
c88997
+	ATF_CHECK_EQ(msg->verified_sig, 1);
c88997
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
c88997
+
c88997
+	/*
c88997
+	 * Check that we don't have a TSIG in the second message.
c88997
+	 */
c88997
+	tsigowner = NULL;
c88997
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL);
c88997
+
c88997
+	tsigctx = msg->tsigctx;
c88997
+	msg->tsigctx = NULL;
c88997
+	isc_buffer_free(&buf;;
c88997
+	dns_message_destroy(&msg;;
c88997
+
c88997
+	/*
c88997
+	 * Create response message 3.
c88997
+	 */
c88997
+	result = isc_buffer_allocate(mctx, &buf, 65535);
c88997
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
c88997
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
c88997
+
c88997
+	result = add_tsig(outctx, key, buf);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "add_tsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	/*
c88997
+	 * Process response message 3.
c88997
+	 */
c88997
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg;;
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_create: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	msg->tcp_continuation = 1;
c88997
+	msg->tsigctx = tsigctx;
c88997
+	tsigctx = NULL;
c88997
+
c88997
+	result = dns_message_settsigkey(msg, key);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_settsigkey: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_message_parse(msg, buf, 0);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_parse: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	printmessage(msg);
c88997
+
c88997
+	/*
c88997
+	 * Check that we had a TSIG in the third message.
c88997
+	 */
c88997
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
c88997
+
c88997
+	result = dns_message_setquerytsig(msg, tsigin);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_setquerytsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_tsig_verify: %s",
c88997
+			 dns_result_totext(result));
c88997
+	ATF_CHECK_EQ(msg->verified_sig, 1);
c88997
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
c88997
+
c88997
+	if (tsigin != NULL)
c88997
+		isc_buffer_free(&tsigin);
c88997
+
c88997
+	result = dns_message_getquerytsig(msg, mctx, &tsigin);
c88997
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
c88997
+			 "dns_message_getquerytsig: %s",
c88997
+			 dns_result_totext(result));
c88997
+
c88997
+	isc_buffer_free(&buf;;
c88997
+	dns_message_destroy(&msg;;
c88997
+
c88997
+	if (outctx != NULL)
c88997
+		dst_context_destroy(&outctx);
c88997
+	if (querytsig != NULL)
c88997
+		isc_buffer_free(&querytsig);
c88997
+	if (tsigin != NULL)
c88997
+		isc_buffer_free(&tsigin);
c88997
+	if (tsigout != NULL)
c88997
+		isc_buffer_free(&tsigout);
c88997
+	if (buf != NULL)
c88997
+		isc_buffer_free(&buf;;
c88997
+	if (msg != NULL)
c88997
+		dns_message_destroy(&msg;;
c88997
+	if (key != NULL)
c88997
+		dns_tsigkey_detach(&key);
c88997
+	if (ring != NULL)
c88997
+		dns_tsigkeyring_detach(&ring);
c88997
+	dns_test_end();
c88997
+}
c88997
+
c88997
+/*
c88997
+ * Main
c88997
+ */
c88997
+ATF_TP_ADD_TCS(tp) {
c88997
+	ATF_TP_ADD_TC(tp, tsig_tcp);
c88997
+	return (atf_no_error());
c88997
+}
c88997
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
c88997
index 7b91d1e..325c901 100644
c88997
--- a/lib/dns/tsig.c
c88997
+++ b/lib/dns/tsig.c
c88997
@@ -1535,7 +1535,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
c88997
 	msg->verified_sig = 1;
c88997
 	ret = ISC_R_SUCCESS;
c88997
 
c88997
-cleanup_context:
c88997
+ cleanup_context:
c88997
 	if (ctx != NULL)
c88997
 		dst_context_destroy(&ctx;;
c88997
 
c88997
@@ -1859,8 +1859,14 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
c88997
 	ret = ISC_R_SUCCESS;
c88997
 
c88997
  cleanup_context:
c88997
-	if (msg->tsigctx != NULL)
c88997
+	/*
c88997
+	 * Except in error conditions, don't destroy the DST context
c88997
+	 * for unsigned messages; it is a running sum till the next
c88997
+	 * TSIG signed message.
c88997
+	 */
c88997
+	if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
c88997
 		dst_context_destroy(&msg->tsigctx);
c88997
+	}
c88997
 
c88997
  cleanup_querystruct:
c88997
 	dns_rdata_freestruct(&querytsig);
c88997
-- 
c88997
2.9.4
c88997