Use the new DST API

2025-09-03 08:05:21 +00:00 · 2000-06-02 18:59:33 +00:00
parent 011463c376
commit 4fe8755480
11 changed files with 282 additions and 222 deletions
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -37,12 +37,13 @@ char *current;
 const char *tmp = "/tmp";
 static void
-use(dst_key_t *key) {
+use(dst_key_t *key, isc_mem_t *mctx) {
 	isc_result_t ret;
 	const char *data = "This is some data";
 	unsigned char sig[512];
 	isc_buffer_t databuf, sigbuf;
 	isc_region_t datareg, sigreg;
 	dst_context_t *ctx = NULL;
 	isc_buffer_init(&sigbuf, sig, sizeof(sig));
 	/*
@@ -54,15 +55,33 @@ use(dst_key_t *key) {
 	isc_buffer_add(&databuf, strlen(data));
 	isc_buffer_usedregion(&databuf, &datareg);
-	ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
+	ret = dst_context_create(key, mctx, &ctx);
 	if (ret != ISC_R_SUCCESS)
 		printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
 		       isc_result_totext(ret));
 	ret = dst_context_adddata(ctx, &datareg);
 	if (ret != ISC_R_SUCCESS)
 		printf("adddata(%d) returned: %s\n", dst_key_alg(key),
 		       isc_result_totext(ret));
 	ret = dst_context_sign(ctx, &sigbuf);
 	printf("sign(%d) returned: %s\n", dst_key_alg(key),
 	       isc_result_totext(ret));
 	dst_context_destroy(&ctx);
 	isc_buffer_forward(&sigbuf, 1);
 	isc_buffer_remainingregion(&sigbuf, &sigreg);
-	ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
+	ret = dst_context_create(key, mctx, &ctx);
 	if (ret != ISC_R_SUCCESS)
 		printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
 		       isc_result_totext(ret));
 	ret = dst_context_adddata(ctx, &datareg);
 	if (ret != ISC_R_SUCCESS)
 		printf("adddata(%d) returned: %s\n", dst_key_alg(key),
 		       isc_result_totext(ret));
 	ret = dst_context_verify(ctx, &sigreg);
 	printf("verify(%d) returned: %s\n", dst_key_alg(key),
 	       isc_result_totext(ret));
 	dst_context_destroy(&ctx);
 }
 static void
@@ -116,7 +135,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx) {
 	printf("write(%d) returned: %s\n", alg, isc_result_totext(ret));
 	if (ret != 0)
 		return;
-	use(key);
+	use(key, mctx);
 	dns(key, mctx);
 	dst_key_free(&key);
 }
@@ -192,7 +211,7 @@ generate(int alg, isc_mem_t *mctx) {
 	printf("generate(%d) returned: %s\n", alg, isc_result_totext(ret));
 	if (alg != DST_ALG_DH)
-		use(key);
+		use(key, mctx);
 	dst_key_free(&key);
 }
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -78,37 +78,68 @@ cleandir(char *path) {
 }
 static void
-use(dst_key_t *key, isc_result_t exp_result, int *nfails) {
+use(dst_key_t *key, isc_mem_t *mctx, isc_result_t exp_result, int *nfails) {
 	isc_result_t ret;
 	const char *data = "This is some data";
 	unsigned char sig[512];
 	isc_buffer_t databuf, sigbuf;
 	isc_region_t datareg, sigreg;
 	dst_context_t *ctx = NULL;
 	isc_buffer_init(&sigbuf, sig, sizeof(sig));
 	isc_buffer_init(&databuf, data, strlen(data));
 	isc_buffer_add(&databuf, strlen(data));
 	isc_buffer_usedregion(&databuf, &datareg);
-	ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
+	ret = dst_context_create(key, mctx, &ctx);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("dst_context_create(%d) returned (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret));
 		++*nfails;
 		return;
 	}
 	ret = dst_context_adddata(ctx, &datareg);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("dst_context_adddata(%d) returned (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret));
 		++*nfails;
 		return;
 	}
 	ret = dst_context_sign(ctx, &sigbuf);
 	if (ret != exp_result) {
-		t_info("dst_sign(%d) returned (%s) expected (%s)\n",
+		t_info("dst_context_sign(%d) returned (%s) expected (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret),
 				dst_result_totext(exp_result));
 		++*nfails;
 		return;
 	}
-
+	dst_context_destroy(&ctx);
 	isc_buffer_remainingregion(&sigbuf, &sigreg);
-	ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
+	ret = dst_context_create(key, mctx, &ctx);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("dst_context_create(%d) returned (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret));
 		++*nfails;
 		return;
 	}
 	ret = dst_context_adddata(ctx, &datareg);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("dst_context_adddata(%d) returned (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret));
 		++*nfails;
 		return;
 	}
 	ret = dst_context_verify(ctx, &sigreg);
 	if (ret != exp_result) {
-		t_info("dst_verify(%d) returned (%s) expected (%s)\n",
+		t_info("dst_context_verify(%d) returned (%s) expected (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret),
 				dst_result_totext(exp_result));
 		++*nfails;
 		return;
 	}
 	dst_context_destroy(&ctx);
 }
 static void
@@ -287,7 +318,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
 	}
 	if (dst_key_alg(key) != DST_ALG_DH)
-		use(key, exp_result, nfails);
+		use(key, mctx, exp_result, nfails);
 	if (chdir(current)) {
 		t_info("chdir failed %d\n", errno);
@@ -314,7 +345,7 @@ generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
 	}
 	if (alg != DST_ALG_DH)
-		use(key, ISC_R_SUCCESS, nfails);
+		use(key, mctx, ISC_R_SUCCESS, nfails);
 	dst_key_free(&key);
 }
@@ -618,6 +649,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
 	isc_buffer_t	b;
 	dst_context_t	*ctx = NULL;
 	/*
 	 * Read data from file in a form usable by dst_verify.
@@ -686,7 +718,25 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	memset(sig, 0, sizeof(sig));
 	isc_buffer_init(&sigbuf, sig, sizeof(sig));
-	isc_result = dst_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
+	isc_result = dst_context_create(key, mctx, &ctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_create(%d) failed %s\n",
 		       dst_result_totext(isc_result));
 		(void) free(data);
 		dst_key_free(&key);
 		++*nprobs;
 		return;
 	}
 	isc_result = dst_context_adddata(ctx, &datareg);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_adddata(%d) failed %s\n",
 		       dst_result_totext(isc_result));
 		(void) free(data);
 		dst_key_free(&key);
 		++*nprobs;
 		return;
 	}
 	isc_result = dst_context_sign(ctx, &sigbuf);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_sign(%d) failed %s\n",
 		       dst_result_totext(isc_result));
@@ -695,6 +745,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 		++*nprobs;
 		return;
 	}
 	dst_context_destroy(&ctx);
 	rval = sig_tofile(sigpath, &sigbuf);
 	if (rval != 0) {
@@ -731,18 +782,30 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	if (strstr(expected_result, "!"))
 		exp_res = 1;
-	isc_result = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg,
+	isc_result = dst_context_create(key, mctx, &ctx);
-				    &sigreg);
+	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_create returned %s\n",
 			isc_result_totext(isc_result));
 		++*nfails;
 	}
 	isc_result = dst_context_adddata(ctx, &datareg);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_context_adddata returned %s\n",
 			isc_result_totext(isc_result));
 		++*nfails;
 	}
 	isc_result = dst_context_verify(ctx, &sigreg);
 	if (	((exp_res == 0) && (isc_result != ISC_R_SUCCESS))	||
 		((exp_res != 0) && (isc_result == ISC_R_SUCCESS)))	{
-		t_info("dst_verify returned %s, expected %s\n",
+		t_info("dst_context_verify returned %s, expected %s\n",
 			isc_result_totext(isc_result),
 			expected_result);
 		++*nfails;
 	}
 	(void) free(data);
 	dst_context_destroy(&ctx);
 	dst_key_free(&key);
 	return;
 }
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: dnssec.c,v 1.41 2000/06/01 18:25:29 tale Exp $
+ * $Id: dnssec.c,v 1.42 2000/06/02 18:59:12 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -55,12 +55,6 @@
 #define TYPE_SIGN 0
 #define TYPE_VERIFY 1
 typedef struct digestctx {
 	dst_key_t *key;
 	dst_context_t context;
 	isc_uint8_t type;
 } digestctx_t;
 static isc_result_t
 digest_callback(void *arg, isc_region_t *data);
@@ -73,18 +67,9 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 static isc_result_t
 digest_callback(void *arg, isc_region_t *data) {
-	digestctx_t *ctx = arg;
+	dst_context_t *ctx = arg;
 	isc_result_t result;
-	REQUIRE(ctx->type == TYPE_SIGN || ctx->type == TYPE_VERIFY);
+	return (dst_context_adddata(ctx, data));
 	if (ctx->type == TYPE_SIGN)
 		result = dst_key_sign(DST_SIGMODE_UPDATE, ctx->key,
 				      &ctx->context, data, NULL);
 	else
 		result = dst_key_verify(DST_SIGMODE_UPDATE, ctx->key,
 					&ctx->context, data, NULL);
 	return (result);
 }
 /*
@@ -169,10 +154,9 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	int nrdatas, i;
 	isc_buffer_t b, sigbuf, envbuf;
 	isc_region_t r;
-	dst_context_t ctx = NULL;
+	dst_context_t *ctx = NULL;
 	isc_result_t ret;
 	unsigned char data[300];
 	digestctx_t dctx;
 	isc_uint32_t flags;
 	unsigned int sigsize;
@@ -230,15 +214,17 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_buffer_usedregion(&b, &r);
 	ret = dst_context_create(key, mctx, &ctx);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 	/*
 	 * Digest the SIG rdata.
 	 */
 	r.length -= sig.siglen;
-	ret = dst_key_sign(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
+	ret = dst_context_adddata(ctx, &r);
 			   key, &ctx, &r, NULL);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_context;
 	dns_name_toregion(name, &r);
@@ -252,14 +238,9 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_buffer_putuint16(&envbuf, set->rdclass);
 	isc_buffer_putuint32(&envbuf, set->ttl);
 	memset(&dctx, 0, sizeof(dctx));
 	dctx.key = key;
 	dctx.context = ctx;
 	dctx.type = TYPE_SIGN;
 	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_context;
 	isc_buffer_usedregion(&envbuf, &r);
 	for (i = 0; i < nrdatas; i++) {
@@ -270,7 +251,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		/*
 		 * Digest the envelope.
 		 */
-		ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
+		ret = dst_context_adddata(ctx, &r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
@@ -281,20 +262,20 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		INSIST(rdatas[i].length < 65536);
 		isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
 		isc_buffer_usedregion(&lenbuf, &lenr);
-		ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &lenr, NULL);
+		ret = dst_context_adddata(ctx, &lenr);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 		/*
 		 * Digest the rdata.
 		 */
-		ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 	}
 	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
-	ret = dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf);
+	ret = dst_context_sign(ctx, &sigbuf);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_array;
 	isc_buffer_usedregion(&sigbuf, &r);
@@ -309,6 +290,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 cleanup_array:
 	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
 cleanup_context:
 	dst_context_destroy(&ctx);
 cleanup_signature:
 	isc_mem_put(mctx, sig.signature, sig.siglen);
@@ -329,8 +312,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_stdtime_t now;
 	isc_result_t ret;
 	unsigned char data[300];
-	dst_context_t ctx;
+	dst_context_t *ctx = NULL;
 	digestctx_t dctx;
 	int labels;
 	isc_uint32_t flags;
@@ -372,8 +354,13 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	r.length -= sig.siglen;
 	RUNTIME_CHECK(r.length >= 19);
-	ret = dst_key_verify(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
+	ret = dst_context_create(key, mctx, &ctx);
-			     key, &ctx, &r, NULL);
+	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
 	ret = dst_context_adddata(ctx, &r);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
 	/*
 	 * If the name is an expanded wildcard, use the wildcard name.
@@ -404,14 +391,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_buffer_putuint16(&envbuf, set->rdclass);
 	isc_buffer_putuint32(&envbuf, sig.originalttl);
 	memset(&dctx, 0, sizeof(dctx));
 	dctx.key = key;
 	dctx.context = ctx;
 	dctx.type = TYPE_VERIFY;
 	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_struct;
+		goto cleanup_context;
 	isc_buffer_usedregion(&envbuf, &r);
 	for (i = 0; i < nrdatas; i++) {
@@ -422,7 +405,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		/*
 		 * Digest the envelope.
 		 */
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
+		ret = dst_context_adddata(ctx, &r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
@@ -437,23 +420,24 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		/*
 		 * Digest the rdata.
 		 */
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &lenr,
+		ret = dst_context_adddata(ctx, &lenr);
 				     NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
-		ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 	}
 	r.base = sig.signature;
 	r.length = sig.siglen;
-	ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &r);
+	ret = dst_context_verify(ctx, &r);
-	if (ret == DST_R_VERIFYFINALFAILURE)
+	if (ret == DST_R_VERIFYFAILURE)
 		ret = DNS_R_SIGINVALID;
 cleanup_array:
 	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
 cleanup_context:
 	dst_context_destroy(&ctx);
 cleanup_struct:
 	dns_rdata_freestruct(&sig);
@@ -534,7 +518,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	dns_rdataset_t *dataset;
 	isc_region_t r;
 	isc_stdtime_t now;
-	dst_context_t ctx;
+	dst_context_t *ctx = NULL;
 	isc_mem_t *mctx;
 	isc_result_t result;
 	isc_boolean_t signeedsfree = ISC_TRUE;
@@ -573,11 +557,10 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	isc_buffer_init(&databuf, data, sizeof(data));
-	RETERR(dst_key_sign(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
+	RETERR(dst_context_create(key, mctx, &ctx));
 	if (is_response(msg))
-		RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, msg->query,
+		RETERR(dst_context_adddata(ctx, msg->query));
 				    NULL));
 	/*
 	 * Digest the header.
@@ -585,14 +568,14 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	isc_buffer_init(&headerbuf, header, sizeof(header));
 	dns_message_renderheader(msg, &headerbuf);
 	isc_buffer_usedregion(&headerbuf, &r);
-	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_context_adddata(ctx, &r));
 	/*
 	 * Digest the remainder of the message.
 	 */
 	isc_buffer_usedregion(msg->buffer, &r);
 	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_context_adddata(ctx, &r));
 	/*
 	 * Digest the fields of the SIG - we can cheat and use
@@ -603,7 +586,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 				    dns_rdatatype_sig, &sig, &databuf));
 	isc_buffer_usedregion(&databuf, &r);
 	r.length -= 2;
-	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_context_adddata(ctx, &r));
 	RETERR(dst_key_sigsize(key, &sigsize));
 	sig.siglen = sigsize;
@@ -614,7 +597,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	}
 	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
-	RETERR(dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf));
+	RETERR(dst_context_sign(ctx, &sigbuf));
 	rdata = NULL;
 	RETERR(dns_message_gettemprdata(msg, &rdata));
@@ -649,6 +632,8 @@ failure:
 		isc_buffer_free(&dynbuf);
 	if (signeedsfree)
 		isc_mem_put(mctx, sig.signature, sig.siglen);
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 	return (result);
 }
@@ -663,7 +648,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	dns_name_t tname;
 	isc_region_t r, r2, source_r, sig_r, header_r;
 	isc_stdtime_t now;
-	dst_context_t ctx;
+	dst_context_t *ctx = NULL;
 	isc_mem_t *mctx;
 	isc_result_t result;
 	isc_uint16_t addcount;
@@ -707,14 +692,13 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	/* XXXBEW ensure that sig.signer refers to this key */
-	RETERR(dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
+	RETERR(dst_context_create(key, mctx, &ctx));
 	/*
 	 * If this is a response, digest the query.
 	 */
 	if (is_response(msg))
-		RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx,
+		RETERR(dst_context_adddata(ctx, msg->query));
 				      msg->query, NULL));
 	/*
 	 * Extract the header.
@@ -733,14 +717,14 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	 */
 	header_r.base = (unsigned char *) header;
 	header_r.length = DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));
+	RETERR(dst_context_adddata(ctx, &header_r));
 	/*
 	 * Digest all non-SIG(0) records.
 	 */
 	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
 	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_context_adddata(ctx, &r));
 	/*
 	 * Digest the SIG(0) record .  Find the start of the record, skip
@@ -754,11 +738,11 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	dns_name_toregion(&tname, &r2);
 	isc_region_consume(&r, r2.length + 10);
 	r.length -= (sig.siglen + 2);
-	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_context_adddata(ctx, &r));
 	sig_r.base = sig.signature;
 	sig_r.length = sig.siglen;
-	result = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &sig_r);
+	result = dst_context_verify(ctx, &sig_r);
 	if (result != ISC_R_SUCCESS) {
 		msg->sig0status = dns_tsigerror_badsig;
 		goto failure;
@@ -773,6 +757,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 failure:
 	if (signeedsfree)
 		dns_rdata_freestruct(&sig);
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 	return (result);
 }
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -201,7 +201,7 @@ struct dns_message {
 	dns_name_t		       *tsigname;
 	dns_rdataset_t		       *querytsig;
 	dns_tsigkey_t		       *tsigkey;
-	void			       *tsigctx;
+	dst_context_t		       *tsigctx;
 	int				sigstart;
 	dns_name_t		       *sig0name;
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: tkey.c,v 1.41 2000/05/30 22:28:37 bwelling Exp $
+ * $Id: tkey.c,v 1.42 2000/06/02 18:59:14 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -148,9 +148,10 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
 static isc_result_t
 compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
-	       isc_region_t *serverrandomness, isc_buffer_t *secret)
+	       isc_region_t *serverrandomness, isc_mem_t *mctx,
 	       isc_buffer_t *secret)
 {
-	dst_context_t ctx;
+	dst_context_t *ctx = NULL;
 	isc_result_t result;
 	isc_region_t r, r2;
 	char digests[32];
@@ -163,26 +164,20 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
 	/*
 	 * MD5 ( query data | DH value ).
 	 */
-	RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
+	RETERR(dst_context_create(DST_KEY_MD5, mctx, &ctx));
-			      NULL));
+	RETERR(dst_context_adddata(ctx, queryrandomness));
-	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
+	RETERR(dst_context_adddata(ctx, &r));
-			      queryrandomness, NULL));
+	RETERR(dst_context_digest(ctx, &b));
-	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
+	dst_context_destroy(&ctx);
 			      NULL));
 	RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
 			      &b));
 	/*
 	 * MD5 ( server data | DH value ).
 	 */
-	RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
+	RETERR(dst_context_create(DST_KEY_MD5, mctx, &ctx));
-			      NULL));
+	RETERR(dst_context_adddata(ctx, serverrandomness));
-	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
+	RETERR(dst_context_adddata(ctx, &r));
-			      serverrandomness, NULL));
+	RETERR(dst_context_digest(ctx, &b));
-	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
+	dst_context_destroy(&ctx);
 			      NULL));
 	RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
 			      &b));
 	/*
 	 * XOR ( DH value, MD5-1 | MD5-2).
@@ -205,7 +200,10 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
 	}
 failure:
-	return result;
+	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 	return (result);
 }
@@ -335,7 +333,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	isc_buffer_usedregion(&randombuf, &r);
 	r2.base = tkeyin->key;
 	r2.length = tkeyin->keylen;
-	RETERR(compute_secret(shared, &r2, &r, &secret));
+	RETERR(compute_secret(shared, &r2, &r, msg->mctx, &secret));
 	dst_key_free(&pubkey);
 	isc_buffer_usedregion(&secret, &r);
@@ -938,7 +936,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 		r2.base = isc_mem_get(rmsg->mctx, 0);
 		r2.length = 0;
 	}
-	RETERR(compute_secret(shared, &r2, &r, &secret));
+	RETERR(compute_secret(shared, &r2, &r, rmsg->mctx, &secret));
 	if (nonce == NULL)
 		isc_mem_put(rmsg->mctx, r2.base, 0);
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: tsig.c,v 1.68 2000/06/01 18:25:38 tale Exp $
+ * $Id: tsig.c,v 1.69 2000/06/02 18:59:17 bwelling Exp $
 * Principal Author: Brian Wellington
 */
@@ -250,8 +250,8 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_rdataset_t *dataset;
 	isc_region_t r, r2;
 	isc_stdtime_t now;
 	dst_context_t ctx;
 	isc_mem_t *mctx;
 	dst_context_t *ctx = NULL;
 	isc_result_t ret;
 	REQUIRE(msg != NULL);
@@ -313,8 +313,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		isc_buffer_t headerbuf;
 		unsigned int sigsize;
-		ret = dst_key_sign(DST_SIGMODE_INIT, key->key, &ctx, NULL,
+		ret = dst_context_create(key->key, mctx, &ctx);
 				   NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_other;
@@ -326,26 +325,25 @@ dns_tsig_sign(dns_message_t *msg) {
 			ret = dns_rdataset_first(msg->querytsig);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 			dns_rdataset_current(msg->querytsig, &querytsigrdata);
 			ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
 						 NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 			isc_buffer_putuint16(&databuf, querytsig.siglen);
 			if (isc_buffer_availablelength(&databuf) <
 			    querytsig.siglen)
 			{
 				ret = ISC_R_NOSPACE;
-				goto cleanup_other;
+				goto cleanup_context;
 			}
 			isc_buffer_putmem(&databuf, querytsig.signature,
 					  querytsig.siglen);
 			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+			ret = dst_context_adddata(ctx, &r);
 					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 		}
 		/*
@@ -354,45 +352,40 @@ dns_tsig_sign(dns_message_t *msg) {
 		isc_buffer_init(&headerbuf, header, sizeof(header));
 		dns_message_renderheader(msg, &headerbuf);
 		isc_buffer_usedregion(&headerbuf, &r);
-		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				   NULL);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_other;
+			goto cleanup_context;
 		/*
 		 * Digest the remainder of the message.
 		 */
 		isc_buffer_usedregion(msg->buffer, &r);
 		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				   NULL);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_other;
+			goto cleanup_context;
 		if (msg->tcp_continuation == 0) {
 			/*
 			 * Digest the name, class, ttl, alg.
 			 */
 			dns_name_toregion(&key->name, &r);
-			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+			ret = dst_context_adddata(ctx, &r);
 					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 			isc_buffer_clear(&databuf);
 			isc_buffer_putuint16(&databuf, dns_rdataclass_any);
 			isc_buffer_putuint32(&databuf, 0); /* ttl */
 			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+			ret = dst_context_adddata(ctx, &r);
 					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 			dns_name_toregion(&tsig.algorithm, &r);
-			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+			ret = dst_context_adddata(ctx, &r);
 					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 		}
 		/* Digest the timesigned and fudge */
@@ -416,10 +409,9 @@ dns_tsig_sign(dns_message_t *msg) {
 		}
 		isc_buffer_putuint16(&databuf, tsig.fudge);
 		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				   NULL);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_other;
+			goto cleanup_context;
 		if (msg->tcp_continuation == 0) {
 			/*
@@ -430,10 +422,9 @@ dns_tsig_sign(dns_message_t *msg) {
 			isc_buffer_putuint16(&databuf, tsig.otherlen);
 			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+			ret = dst_context_adddata(ctx, &r);
 					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_other;
+				goto cleanup_context;
 			/*
 			 * Digest the error and other data.
@@ -441,29 +432,28 @@ dns_tsig_sign(dns_message_t *msg) {
 			if (tsig.otherlen > 0) {
 				r.length = tsig.otherlen;
 				r.base = tsig.other;
-				ret = dst_key_sign(DST_SIGMODE_UPDATE,
+				ret = dst_context_adddata(ctx, &r);
 						   key->key, &ctx, &r, NULL);
 				if (ret != ISC_R_SUCCESS)
-					goto cleanup_other;
+					goto cleanup_context;
 			}
 		}
 		ret = dst_key_sigsize(key->key, &sigsize);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_other;
+			goto cleanup_context;
 		tsig.siglen = sigsize;
 		tsig.signature = (unsigned char *)
 				  isc_mem_get(mctx, tsig.siglen);
 		if (tsig.signature == NULL) {
 			ret = ISC_R_NOMEMORY;
-			goto cleanup_other;
+			goto cleanup_context;
 		}
 		isc_buffer_init(&sigbuf, tsig.signature, tsig.siglen);
-		ret = dst_key_sign(DST_SIGMODE_FINAL, key->key, &ctx, NULL,
+		ret = dst_context_sign(ctx, &sigbuf);
 				   &sigbuf);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_signature;
 		dst_context_destroy(&ctx);
 	}
 	else {
 		tsig.siglen = 0;
@@ -535,6 +525,9 @@ cleanup_dynbuf:
 cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, tsig.siglen);
 cleanup_context:
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 cleanup_other:
 	if (tsig.other != NULL)
 		isc_mem_put(mctx, tsig.other, tsig.otherlen);
@@ -557,7 +550,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	dns_tsigkey_t *tsigkey;
 	dst_key_t *key = NULL;
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
-	dst_context_t ctx;
+	dst_context_t *ctx = NULL;
 	isc_mem_t *mctx;
 	isc_uint16_t addcount, id;
@@ -666,8 +659,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		sig_r.base = tsig.signature;
 		sig_r.length = tsig.siglen;
-		ret = dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL,
+		ret = dst_context_create(key, mctx, &ctx);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
@@ -675,17 +667,15 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 			isc_buffer_init(&databuf, data, sizeof(data));
 			isc_buffer_putuint16(&databuf, querytsig.siglen);
 			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+			ret = dst_context_adddata(ctx, &r);
 					     NULL);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_key;
+				goto cleanup_context;
 			if (querytsig.siglen > 0) {
 				r.length = querytsig.siglen;
 				r.base = querytsig.signature;
-				ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
+				ret = dst_context_adddata(ctx, &r);
 						     &ctx, &r, NULL);
 				if (ret != ISC_R_SUCCESS)
-					goto cleanup_key;
+					goto cleanup_context;
 			}
 		}
@@ -714,10 +704,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		 */
 		header_r.base = (unsigned char *) header;
 		header_r.length = DNS_MESSAGE_HEADERLEN;
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r,
+		ret = dst_context_adddata(ctx, &header_r);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 		/*
 		 * Digest all non-TSIG records.
@@ -725,37 +714,33 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		isc_buffer_usedregion(source, &source_r);
 		r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
 		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 		/*
 		 * Digest the key name.
 		 */
 		dns_name_toregion(&tsigkey->name, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 		isc_buffer_init(&databuf, data, sizeof(data));
 		isc_buffer_putuint16(&databuf, tsig.common.rdclass);
 		isc_buffer_putuint32(&databuf, msg->tsig->ttl);
 		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 		/*
 		 * Digest the key algorithm.
 		 */
 		dns_name_toregion(&tsigkey->algorithm, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
 				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 		isc_buffer_clear(&databuf);
 		isc_buffer_putuint16(&databuf, (isc_uint16_t)(tsig.timesigned
@@ -766,26 +751,25 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		isc_buffer_putuint16(&databuf, tsig.error);
 		isc_buffer_putuint16(&databuf, tsig.otherlen);
 		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+		ret = dst_context_adddata(ctx, &r);
-				     &sig_r);
+		if (ret != ISC_R_SUCCESS)
 			goto cleanup_context;
 		if (tsig.otherlen > 0) {
 			r.base = tsig.other;
 			r.length = tsig.otherlen;
-			ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+			ret = dst_context_adddata(ctx, &r);
 					     &sig_r);
 			if (ret != ISC_R_SUCCESS)
-				goto cleanup_key;
+				goto cleanup_context;
 		}
-		ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL,
+		ret = dst_context_verify(ctx, &sig_r);
-				     &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
 		if (ret == DST_R_VERIFYFINALFAILURE) {
 			msg->tsigstatus = dns_tsigerror_badsig;
 			return (DNS_R_TSIGVERIFYFAILURE);
 		}
 		else if (ret != ISC_R_SUCCESS)
-			goto cleanup_key;
+			goto cleanup_context;
 	}
 	else if (tsig.error != dns_tsigerror_badsig &&
 		 tsig.error != dns_tsigerror_badkey)
@@ -809,6 +793,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	return (ISC_R_SUCCESS);
 cleanup_context:
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 cleanup_key:
 	if (dns_tsigkey_empty(tsigkey))
 		dns_tsigkey_detach(&tsigkey);
@@ -831,6 +818,7 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	isc_uint16_t addcount, id;
 	isc_boolean_t has_tsig = ISC_FALSE;
 	isc_mem_t *mctx;
 	REQUIRE(source != NULL);
 	REQUIRE(msg != NULL);
@@ -839,6 +827,8 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	REQUIRE(is_response(msg));
 	REQUIRE(msg->querytsig != NULL);
 	mctx = msg->mctx;
 	tsigkey = dns_message_gettsigkey(msg);
 	if (msg->tsig != NULL) {
@@ -883,25 +873,22 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	key = tsigkey->key;
 	if (msg->tsigctx == NULL) {
-		ret = dst_key_verify(DST_SIGMODE_INIT, key, &msg->tsigctx,
+		ret = dst_context_create(key, mctx, &msg->tsigctx);
 				     NULL, NULL);
 		if (ret != ISC_R_SUCCESS)
 			return (ret);
 		isc_buffer_init(&databuf, data, sizeof(data));
 		isc_buffer_putuint16(&databuf, querytsig.siglen);
 		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
+		ret = dst_context_adddata(msg->tsigctx, &r);
 				     &r, NULL);
 		if (ret != ISC_R_SUCCESS)
-			return (ret);
+			goto cleanup_context;
 		if (querytsig.siglen > 0) {
 			r.length = querytsig.siglen;
 			r.base = querytsig.signature;
-			ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
+			ret = dst_context_adddata(msg->tsigctx, &r);
 					     &msg->tsigctx, &r, NULL);
 			if (ret != ISC_R_SUCCESS)
-				return (ret);
+				goto cleanup_context;
 		}
 	}
@@ -935,10 +922,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	 */
 	header_r.base = (unsigned char *) header;
 	header_r.length = DNS_MESSAGE_HEADERLEN;
-	ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &header_r,
+	ret = dst_context_adddata(msg->tsigctx, &header_r);
 			     NULL);
 	if (ret != ISC_R_SUCCESS)
-		return (ret);
+		goto cleanup_context;
 	/*
 	 * Digest all non-TSIG records.
@@ -949,9 +935,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
 	else
 		r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
-	ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r, NULL);
+	ret = dst_context_adddata(msg->tsigctx, &r);
 	if (ret != ISC_R_SUCCESS)
-		return (ret);
+		goto cleanup_context;
 	/*
 	 * Digest the time signed and fudge.
@@ -964,8 +950,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 							      & 0xFFFFFFFF));
 		isc_buffer_putuint16(&databuf, tsig.fudge);
 		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
+		ret = dst_context_adddata(msg->tsigctx, &r);
-				     &r, NULL);
+		if (ret != ISC_R_SUCCESS)
 			goto cleanup_context;
 		sig_r.base = tsig.signature;
 		sig_r.length = tsig.siglen;
@@ -974,23 +961,28 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 				ret = DNS_R_TSIGERRORSET;
 			else
 				ret = DNS_R_TSIGVERIFYFAILURE;
-			return (ret);
+			goto cleanup_context;
 		}
-		ret = dst_key_verify(DST_SIGMODE_FINAL, key, &msg->tsigctx,
+		ret = dst_context_verify(msg->tsigctx, &sig_r);
-				     NULL, &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
 		if (ret == DST_R_VERIFYFINALFAILURE) {
 			msg->tsigstatus = dns_tsigerror_badsig;
-			return (DNS_R_TSIGVERIFYFAILURE);
+			ret = DNS_R_TSIGVERIFYFAILURE;
 			goto cleanup_context;
 		}
 		else if (ret != ISC_R_SUCCESS)
-			return (ret);
+			goto cleanup_context;
-		msg->tsigctx = NULL;
+		dst_context_destroy(&msg->tsigctx);
 	}
 	msg->tsigstatus = dns_rcode_noerror;
 	return (ISC_R_SUCCESS);
 cleanup_context:
 	dst_context_destroy(&msg->tsigctx);
 	return (ret);
 }
 isc_result_t
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: xfrin.c,v 1.76 2000/06/01 18:04:37 gson Exp $ */
+/* $Id: xfrin.c,v 1.77 2000/06/02 18:59:19 bwelling Exp $ */
 #include <config.h>
@@ -40,6 +40,8 @@
 #include <dns/xfrin.h>
 #include <dns/zone.h>
 #include <dst/dst.h>
 /*
 * Incoming AXFR and IXFR.
 */
@@ -133,7 +135,7 @@ struct dns_xfrin_ctx {
 	dns_tsigkey_t		*tsigkey;	/* Key used to create TSIG */
 	isc_buffer_t		*lasttsig;	/* The last TSIG */
-	void			*tsigctx;	/* TSIG verification context */
+	dst_context_t		*tsigctx;	/* TSIG verification context */
 	unsigned int		sincetsig;	/* recvd since the last TSIG */
 	dns_xfrindone_t		done;
--- a/lib/omapi/connection.c
+++ b/lib/omapi/connection.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: connection.c,v 1.28 2000/06/01 17:33:35 tale Exp $ */
+/* $Id: connection.c,v 1.29 2000/06/02 18:59:24 bwelling Exp $ */
 /* Principal Author: DCL */
@@ -643,9 +643,8 @@ omapi_connection_putmem(omapi_object_t *c, const unsigned char *src,
 	if (protocol->dst_update) {
 		region.base = src;
 		region.length = len;
-		result = dst_key_sign(DST_SIGMODE_UPDATE, protocol->key,
+		result = dst_context_adddata(protocol->dstctx,
-				      &protocol->dstctx,
+					     (isc_region_t *)&region);
 				      (isc_region_t *)&region, NULL);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -740,10 +739,7 @@ connection_copyout(unsigned char *dst, omapi_connection_t *connection,
 		if (protocol->dst_update &&
 		    protocol->verify_result == ISC_R_SUCCESS)
 			protocol->verify_result =
-				dst_key_verify(DST_SIGMODE_UPDATE,
+				dst_context_adddata(protocol->dstctx, &region);
 					       protocol->key,
 					       &protocol->dstctx,
 					       &region, NULL);
 		isc_buffer_forward(buffer, copy_bytes);
--- a/lib/omapi/include/omapi/private.h
+++ b/lib/omapi/include/omapi/private.h
@@ -236,7 +236,7 @@ struct omapi_protocol {
 	unsigned int			algorithm;
 	isc_boolean_t			dst_update;
 	dst_key_t			*key;
-	dst_context_t			dstctx;
+	dst_context_t			*dstctx;
 	isc_region_t			signature_in;
 	isc_buffer_t			*signature_out;
 	isc_result_t			verify_result;
--- a/lib/omapi/message.c
+++ b/lib/omapi/message.c
@@ -167,8 +167,8 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
 	m = (omapi_message_t *)message;
 	if (p->key != NULL) {
-		result = dst_key_sign(DST_SIGMODE_INIT, p->key, &p->dstctx,
+		p->dstctx = NULL;
-				      NULL, NULL);
+		result = dst_context_create(p->key, omapi_mctx, &p->dstctx);
 		if (result == ISC_R_SUCCESS)
 			result = dst_key_sigsize(p->key, &authlen);
@@ -249,8 +249,9 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
 		isc_buffer_clear(p->signature_out);
-		result = dst_key_sign(DST_SIGMODE_FINAL, p->key, &p->dstctx,
+		result = dst_context_sign(p->dstctx, p->signature_out);
-				      NULL, p->signature_out);
+
 		dst_context_destroy(&p->dstctx);
 		isc_buffer_region(p->signature_out, &r);
@@ -374,12 +375,13 @@ message_process(omapi_object_t *mo, omapi_object_t *po) {
 		m = NULL;
 	if (protocol->key != NULL) {
-		if (protocol->verify_result == ISC_R_SUCCESS)
+		if (protocol->verify_result == ISC_R_SUCCESS) {
 			protocol->verify_result =
-				dst_key_verify(DST_SIGMODE_FINAL,
+				dst_context_verify(protocol->dstctx,
-					       protocol->key,
+						   &protocol->signature_in);
-					       &protocol->dstctx, NULL,
+
-					       &protocol->signature_in);
+			dst_context_destroy(&protocol->dstctx);
 		}
 		if (protocol->verify_result != ISC_R_SUCCESS) {
 			if (connection->is_client) {
--- a/lib/omapi/protocol.c
+++ b/lib/omapi/protocol.c
@@ -357,9 +357,11 @@ dispatch_messages(omapi_protocol_t *protocol,
 			break;
 		if (protocol->key != NULL) {
 			protocol->dstctx = NULL;
 			protocol->verify_result =
-				dst_key_verify(DST_SIGMODE_INIT, protocol->key,
+				dst_context_create(protocol->key,
-					       &protocol->dstctx, NULL, NULL);
+						   omapi_mctx,
 						   &protocol->dstctx);
 			protocol->dst_update = ISC_TRUE;
 		}