use algorithm number instead of name to create TSIG keys

the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2025-08-22 18:19:42 +00:00 · 2023-04-11 19:01:31 -07:00 · 2023-04-11 19:01:31 -07:00 · ffacf0aec6
commit ffacf0aec6
parent a6e187a8d5
16 changed files with 181 additions and 353 deletions
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@ -2457,7 +2457,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else {
-			hmacname = DNS_TSIG_HMACMD5_NAME;
+			hmac = DST_ALG_HMACMD5;
 			digestbits = 0;
 		}
 		/* XXXONDREJ: FIXME */
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@ -138,7 +138,7 @@ char keyfile[MXNAME] = "";
 char keysecret[MXNAME] = "";
 unsigned char cookie_secret[33];
 unsigned char cookie[8];
-const dns_name_t *hmacname = NULL;
+dst_algorithm_t hmac = DST_ALG_UNKNOWN;
 unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
 dns_tsigkey_t *tsigkey = NULL;
@ -874,7 +874,7 @@ setup_text_key(void) {
 	secretsize = isc_buffer_usedlength(&secretbuf);
-	if (hmacname == NULL) {
+	if (hmac == DST_ALG_UNKNOWN) {
 		result = DST_R_UNSUPPORTEDALG;
 		goto failure;
 	}
@ -884,7 +884,7 @@ setup_text_key(void) {
 		goto failure;
 	}
-	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+	result = dns_tsigkey_create(&keyname, hmac, secretstore,
 				    (int)secretsize, mctx, &tsigkey);
 failure:
 	if (result != ISC_R_SUCCESS) {
@ -1021,50 +1021,50 @@ done:
 * Parse HMAC algorithm specification
 */
 void
-parse_hmac(const char *hmac) {
+parse_hmac(const char *algname) {
 	char buf[20];
 	size_t len;
-	REQUIRE(hmac != NULL);
+	REQUIRE(algname != NULL);
-	len = strlen(hmac);
+	len = strlen(algname);
 	if (len >= sizeof(buf)) {
-		fatal("unknown key type '%.*s'", (int)len, hmac);
+		fatal("unknown key type '%.*s'", (int)len, algname);
 	}
-	strlcpy(buf, hmac, sizeof(buf));
+	strlcpy(buf, algname, sizeof(buf));
 	digestbits = 0;
 	if (strcasecmp(buf, "hmac-md5") == 0) {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
+		hmac = DST_ALG_HMACMD5;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
+		hmac = DST_ALG_HMACMD5;
 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
 	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		hmac = DST_ALG_HMACSHA1;
 		digestbits = 0;
 	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		hmac = DST_ALG_HMACSHA1;
 		digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
 	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		hmac = DST_ALG_HMACSHA224;
 	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		hmac = DST_ALG_HMACSHA224;
 		digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
 	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		hmac = DST_ALG_HMACSHA256;
 	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		hmac = DST_ALG_HMACSHA256;
 		digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
 	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		hmac = DST_ALG_HMACSHA384;
 	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		hmac = DST_ALG_HMACSHA384;
 		digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
 	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		hmac = DST_ALG_HMACSHA512;
 	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		hmac = DST_ALG_HMACSHA512;
 		digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
 	} else {
 		fprintf(stderr,
@ -1165,38 +1165,29 @@ setup_file_key(void) {
 	switch (dst_key_alg(dstkey)) {
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;
 	case DST_ALG_HMACSHA224:
 		hmacname = DNS_TSIG_HMACSHA224_NAME;
 		break;
 	case DST_ALG_HMACSHA256:
 		hmacname = DNS_TSIG_HMACSHA256_NAME;
 		break;
 	case DST_ALG_HMACSHA384:
 		hmacname = DNS_TSIG_HMACSHA384_NAME;
 		break;
 	case DST_ALG_HMACSHA512:
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		hmac = dst_key_alg(dstkey);
 		break;
 	default:
 		dst_key_attach(dstkey, &sig0key);
 		dst_key_free(&dstkey);
 		return;
 	}
-	if (hmacname != NULL) {
+	if (dstkey != NULL) {
-		result = dns_tsigkey_createfromkey(
+		result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac,
-			dst_key_name(dstkey), hmacname, dstkey, false, false,
+						   dstkey, false, false, NULL,
-			NULL, 0, 0, mctx, &tsigkey);
+						   0, 0, mctx, &tsigkey);
 		if (result != ISC_R_SUCCESS) {
 			printf(";; Couldn't create key %s: %s\n", keynametext,
 			       isc_result_totext(result));
 			goto failure;
 		}
 	} else {
 		dst_key_attach(dstkey, &sig0key);
 		dst_key_free(&dstkey);
 	}
 failure:
 	if (dstkey != NULL) {
 		dst_key_free(&dstkey);
--- a/bin/dig/dighost.h
+++ b/bin/dig/dighost.h
@ -259,7 +259,7 @@ extern isc_sockaddr_t localaddr;
 extern char keynametext[MXNAME];
 extern char keyfile[MXNAME];
 extern char keysecret[MXNAME];
-extern const dns_name_t *hmacname;
+extern dst_algorithm_t hmac;
 extern unsigned int digestbits;
 extern dns_tsigkey_t *tsigkey;
 extern bool validated;
@ -341,7 +341,7 @@ isc_result_t
 parse_netprefix(isc_sockaddr_t **sap, const char *value);
 void
-parse_hmac(const char *hmacstr);
+parse_hmac(const char *algname);
 dig_lookup_t *
 requeue_lookup(dig_lookup_t *lookold, bool servers);
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -922,14 +922,8 @@ struct keyalgorithms {
 		   { NULL, hmacnone, DST_ALG_UNKNOWN, 0 } };
 isc_result_t
-named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+named_config_getkeyalgorithm(const char *str, unsigned int *typep,
 			     uint16_t *digestbits) {
 	return (named_config_getkeyalgorithm2(str, name, NULL, digestbits));
 }
 isc_result_t
 named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
 			      unsigned int *typep, uint16_t *digestbits) {
 	int i;
 	size_t len = 0;
 	uint16_t bits;
@ -960,31 +954,6 @@ named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
 	} else {
 		bits = algorithms[i].size;
 	}
 	if (name != NULL) {
 		switch (algorithms[i].hmac) {
 		case hmacmd5:
 			*name = dns_tsig_hmacmd5_name;
 			break;
 		case hmacsha1:
 			*name = dns_tsig_hmacsha1_name;
 			break;
 		case hmacsha224:
 			*name = dns_tsig_hmacsha224_name;
 			break;
 		case hmacsha256:
 			*name = dns_tsig_hmacsha256_name;
 			break;
 		case hmacsha384:
 			*name = dns_tsig_hmacsha384_name;
 			break;
 		case hmacsha512:
 			*name = dns_tsig_hmacsha512_name;
 			break;
 		default:
 			UNREACHABLE();
 		}
 	}
 	if (typep != NULL) {
 		*typep = algorithms[i].type;
 	}
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@ -742,8 +742,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			algstr = cfg_obj_asstring(algobj);
 			secretstr = cfg_obj_asstring(secretobj);
-			result = named_config_getkeyalgorithm2(algstr, NULL,
+			result = named_config_getkeyalgorithm(algstr, &algtype,
-							       &algtype, NULL);
+							      NULL);
 			if (result != ISC_R_SUCCESS) {
 				cfg_obj_log(control, named_g_lctx,
 					    ISC_LOG_WARNING,
@ -836,7 +836,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	algstr = cfg_obj_asstring(algobj);
 	secretstr = cfg_obj_asstring(secretobj);
-	result = named_config_getkeyalgorithm2(algstr, NULL, &algtype, NULL);
+	result = named_config_getkeyalgorithm(algstr, &algtype, NULL);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
 			    "unsupported algorithm '%s' in "
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@ -66,8 +66,5 @@ named_config_getport(const cfg_obj_t *config, const char *type,
 		     in_port_t *portp);
 isc_result_t
-named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+named_config_getkeyalgorithm(const char *str, unsigned int *typep,
 			     uint16_t *digestbits);
 isc_result_t
 named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
 			      unsigned int *typep, uint16_t *digestbits);
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -4024,28 +4024,6 @@ minimal_cache_allowed(const cfg_obj_t *maps[4],
 static const char *const response_synonyms[] = { "response", NULL };
 static const dns_name_t *
 algorithm_name(unsigned int alg) {
 	switch (alg) {
 	case DST_ALG_HMACMD5:
 		return (dns_tsig_hmacmd5_name);
 	case DST_ALG_HMACSHA1:
 		return (dns_tsig_hmacsha1_name);
 	case DST_ALG_HMACSHA224:
 		return (dns_tsig_hmacsha224_name);
 	case DST_ALG_HMACSHA256:
 		return (dns_tsig_hmacsha256_name);
 	case DST_ALG_HMACSHA384:
 		return (dns_tsig_hmacsha384_name);
 	case DST_ALG_HMACSHA512:
 		return (dns_tsig_hmacsha512_name);
 	case DST_ALG_GSSAPI:
 		return (dns_tsig_gssapi_name);
 	default:
 		UNREACHABLE();
 	}
 }
 /*
 * Configure 'view' according to 'vconfig', taking defaults from
 * 'config' where values are missing in 'vconfig'.
@ -5067,9 +5045,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 		dns_tsigkey_t *tsigkey = NULL;
 		result = dns_tsigkey_createfromkey(
 			named_g_server->session_keyname,
-			algorithm_name(named_g_server->session_keyalg),
+			named_g_server->session_keyalg,
 			named_g_server->sessionkey, false, false, NULL, 0, 0,
-			mctx, NULL, &tsigkey);
+			mctx, &tsigkey);
 		if (result == ISC_R_SUCCESS) {
 			result = dns_tsigkeyring_add(
 				ring, named_g_server->session_keyname, tsigkey);
@ -7480,9 +7458,9 @@ cleanup_session_key(named_server_t *server, isc_mem_t *mctx) {
 static isc_result_t
 generate_session_key(const char *filename, const char *keynamestr,
-		     const dns_name_t *keyname, const char *algstr,
+		     const dns_name_t *keyname, dst_algorithm_t alg,
-		     unsigned int algtype, uint16_t bits, isc_mem_t *mctx,
+		     uint16_t bits, isc_mem_t *mctx, bool first_time,
-		     bool first_time, dst_key_t **keyp) {
+		     dst_key_t **keyp) {
 	isc_result_t result = ISC_R_SUCCESS;
 	dst_key_t *key = NULL;
 	isc_buffer_t key_txtbuffer;
@ -7497,9 +7475,8 @@ generate_session_key(const char *filename, const char *keynamestr,
 		      "generating session key for dynamic DNS");
 	/* generate key */
-	result = dst_key_generate(keyname, algtype, bits, 1, 0,
+	result = dst_key_generate(keyname, alg, bits, 1, 0, DNS_KEYPROTO_ANY,
-				  DNS_KEYPROTO_ANY, dns_rdataclass_in, mctx,
+				  dns_rdataclass_in, mctx, &key, NULL);
 				  &key, NULL);
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 	}
@ -7528,12 +7505,12 @@ generate_session_key(const char *filename, const char *keynamestr,
 		"key \"%s\" {\n"
 		"\talgorithm %s;\n"
 		"\tsecret \"%.*s\";\n};\n",
-		keynamestr, algstr, (int)isc_buffer_usedlength(&key_txtbuffer),
+		keynamestr, dst_hmac_algorithm_totext(alg),
 		(int)isc_buffer_usedlength(&key_txtbuffer),
 		(char *)isc_buffer_base(&key_txtbuffer));
 	CHECK(isc_stdio_flush(fp));
 	result = isc_stdio_close(fp);
 	fp = NULL;
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
 	}
@ -7561,14 +7538,13 @@ cleanup:
 static isc_result_t
 configure_session_key(const cfg_obj_t **maps, named_server_t *server,
 		      isc_mem_t *mctx, bool first_time) {
-	const char *keyfile, *keynamestr, *algstr;
+	const char *keyfile = NULL, *keynamestr = NULL, *algstr = NULL;
 	unsigned int algtype;
 	dns_fixedname_t fname;
-	dns_name_t *keyname;
+	dns_name_t *keyname = NULL;
 	const dns_name_t *algname;
 	isc_buffer_t buffer;
 	uint16_t bits;
-	const cfg_obj_t *obj;
+	const cfg_obj_t *obj = NULL;
 	bool need_deleteold = false;
 	bool need_createnew = false;
 	isc_result_t result;
@ -7601,9 +7577,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server,
 	result = named_config_get(maps, "session-keyalg", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	algstr = cfg_obj_asstring(obj);
-	algname = NULL;
+	result = named_config_getkeyalgorithm(algstr, &algtype, &bits);
 	result = named_config_getkeyalgorithm2(algstr, &algname, &algtype,
 					       &bits);
 	if (result != ISC_R_SUCCESS) {
 		const char *s = " (keeping current key)";
@ -7654,7 +7628,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server,
 		server->session_keyalg = algtype;
 		server->session_keybits = bits;
-		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+		CHECK(generate_session_key(keyfile, keynamestr, keyname,
 					   algtype, bits, mctx, first_time,
 					   &server->sessionkey));
 	}
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@ -47,7 +47,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsigkeyring_t *ring,
 		const cfg_obj_t *algobj = NULL;
 		const cfg_obj_t *secretobj = NULL;
 		dns_name_t keyname;
-		const dns_name_t *alg = NULL;
+		dst_algorithm_t alg = DST_ALG_UNKNOWN;
 		const char *algstr = NULL;
 		char keynamedata[1024];
 		isc_buffer_t keynamesrc, keynamebuf;
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@ -378,13 +378,13 @@ reset_system(void) {
 }
 static bool
-parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
+parse_hmac(const char *hmacstr, size_t len, dst_algorithm_t *hmac,
 	   uint16_t *digestbitsp) {
 	uint16_t digestbits = 0;
 	isc_result_t result;
 	char buf[20];
-	REQUIRE(hmac != NULL && *hmac == NULL);
+	REQUIRE(hmac != NULL);
 	REQUIRE(hmacstr != NULL);
 	if (len >= sizeof(buf)) {
@ -396,9 +396,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 	strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
 	if (strcasecmp(buf, "hmac-md5") == 0) {
-		*hmac = DNS_TSIG_HMACMD5_NAME;
+		*hmac = DST_ALG_HMACMD5;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
-		*hmac = DNS_TSIG_HMACMD5_NAME;
+		*hmac = DST_ALG_HMACMD5;
 		result = isc_parse_uint16(&digestbits, &buf[9], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 128) {
 			error("digest-bits out of range [0..128]");
@ -406,9 +406,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 		}
 		*digestbitsp = (digestbits + 7) & ~0x7U;
 	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
-		*hmac = DNS_TSIG_HMACSHA1_NAME;
+		*hmac = DST_ALG_HMACSHA1;
 	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
-		*hmac = DNS_TSIG_HMACSHA1_NAME;
+		*hmac = DST_ALG_HMACSHA1;
 		result = isc_parse_uint16(&digestbits, &buf[10], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 160) {
 			error("digest-bits out of range [0..160]");
@ -416,9 +416,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 		}
 		*digestbitsp = (digestbits + 7) & ~0x7U;
 	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
-		*hmac = DNS_TSIG_HMACSHA224_NAME;
+		*hmac = DST_ALG_HMACSHA224;
 	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA224_NAME;
+		*hmac = DST_ALG_HMACSHA224;
 		result = isc_parse_uint16(&digestbits, &buf[12], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 224) {
 			error("digest-bits out of range [0..224]");
@ -426,9 +426,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 		}
 		*digestbitsp = (digestbits + 7) & ~0x7U;
 	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
-		*hmac = DNS_TSIG_HMACSHA256_NAME;
+		*hmac = DST_ALG_HMACSHA256;
 	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA256_NAME;
+		*hmac = DST_ALG_HMACSHA256;
 		result = isc_parse_uint16(&digestbits, &buf[12], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 256) {
 			error("digest-bits out of range [0..256]");
@ -436,9 +436,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 		}
 		*digestbitsp = (digestbits + 7) & ~0x7U;
 	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
-		*hmac = DNS_TSIG_HMACSHA384_NAME;
+		*hmac = DST_ALG_HMACSHA384;
 	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA384_NAME;
+		*hmac = DST_ALG_HMACSHA384;
 		result = isc_parse_uint16(&digestbits, &buf[12], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 384) {
 			error("digest-bits out of range [0..384]");
@ -446,9 +446,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
 		}
 		*digestbitsp = (digestbits + 7) & ~0x7U;
 	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
-		*hmac = DNS_TSIG_HMACSHA512_NAME;
+		*hmac = DST_ALG_HMACSHA512;
 	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA512_NAME;
+		*hmac = DST_ALG_HMACSHA512;
 		result = isc_parse_uint16(&digestbits, &buf[12], 10);
 		if (result != ISC_R_SUCCESS || digestbits > 512) {
 			error("digest-bits out of range [0..512]");
@ -483,12 +483,12 @@ setup_keystr(void) {
 	isc_buffer_t secretbuf;
 	isc_result_t result;
 	isc_buffer_t keynamesrc;
-	char *secretstr;
+	char *secretstr = NULL;
-	char *s, *n;
+	char *s = NULL, *n = NULL;
 	dns_fixedname_t fkeyname;
-	dns_name_t *mykeyname;
+	dns_name_t *mykeyname = NULL;
-	char *name;
+	char *name = NULL;
-	const dns_name_t *hmacname = NULL;
+	dst_algorithm_t hmac;
 	uint16_t digestbits = 0;
 	mykeyname = dns_fixedname_initname(&fkeyname);
@ -507,11 +507,11 @@ setup_keystr(void) {
 		}
 		name = secretstr;
 		secretstr = n + 1;
-		if (!parse_hmac(&hmacname, keystr, s - keystr, &digestbits)) {
+		if (!parse_hmac(keystr, s - keystr, &hmac, &digestbits)) {
 			exit(1);
 		}
 	} else {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
+		hmac = DST_ALG_HMACMD5;
 		name = keystr;
 		n = s;
 	}
@ -538,8 +538,8 @@ setup_keystr(void) {
 	secretlen = isc_buffer_usedlength(&secretbuf);
 	debug("keycreate");
-	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+	result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx,
-				    gmctx, &tsigkey);
+				    &tsigkey);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s: %s\n", keystr,
 			isc_result_totext(result));
@ -622,7 +622,7 @@ static void
 setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
-	const dns_name_t *hmacname = NULL;
+	dst_algorithm_t hmac = DST_ALG_UNKNOWN;
 	debug("Creating key...");
@ -653,37 +653,26 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 	switch (dst_key_alg(dstkey)) {
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;
 	case DST_ALG_HMACSHA224:
 		hmacname = DNS_TSIG_HMACSHA224_NAME;
 		break;
 	case DST_ALG_HMACSHA256:
 		hmacname = DNS_TSIG_HMACSHA256_NAME;
 		break;
 	case DST_ALG_HMACSHA384:
 		hmacname = DNS_TSIG_HMACSHA384_NAME;
 		break;
 	case DST_ALG_HMACSHA512:
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		hmac = dst_key_alg(dstkey);
 		break;
-	}
+	default:
 	if (hmacname != NULL) {
 		result = dns_tsigkey_createfromkey(
 			dst_key_name(dstkey), hmacname, dstkey, false, false,
 			NULL, 0, 0, mctx, &tsigkey);
 		dst_key_free(&dstkey);
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stderr, "could not create key from %s: %s\n",
 				keyfile, isc_result_totext(result));
 			return;
 		}
 	} else {
 		dst_key_attach(dstkey, &sig0key);
 		dst_key_free(&dstkey);
 		return;
 	}
 	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, dstkey,
 					   false, false, NULL, 0, 0, mctx,
 					   &tsigkey);
 	dst_key_free(&dstkey);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s: %s\n", keyfile,
 			isc_result_totext(result));
 	}
 }
@ -1650,7 +1639,7 @@ evaluate_key(char *cmdline) {
 	int secretlen;
 	unsigned char *secret = NULL;
 	isc_buffer_t secretbuf;
-	const dns_name_t *hmacname = NULL;
+	dst_algorithm_t hmac = DST_ALG_UNKNOWN;
 	uint16_t digestbits = 0;
 	char *n;
@ -1664,12 +1653,12 @@ evaluate_key(char *cmdline) {
 	n = strchr(namestr, ':');
 	if (n != NULL) {
-		if (!parse_hmac(&hmacname, namestr, n - namestr, &digestbits)) {
+		if (!parse_hmac(namestr, n - namestr, &hmac, &digestbits)) {
 			return (STATUS_SYNTAX);
 		}
 		namestr = n + 1;
 	} else {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
+		hmac = DST_ALG_HMACMD5;
 	}
 	isc_buffer_init(&b, namestr, strlen(namestr));
@ -1701,8 +1690,8 @@ evaluate_key(char *cmdline) {
 	if (tsigkey != NULL) {
 		dns_tsigkey_detach(&tsigkey);
 	}
-	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+	result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx,
-				    gmctx, &tsigkey);
+				    &tsigkey);
 	isc_mem_free(gmctx, secret);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s %s: %s\n",
--- a/fuzz/dns_message_checksig.c
+++ b/fuzz/dns_message_checksig.c
@ -264,7 +264,7 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) {
 		return (1);
 	}
-	result = dns_tsigkey_create(name, dns_tsig_hmacsha256_name, secret,
+	result = dns_tsigkey_create(name, DST_ALG_HMACSHA256, secret,
 				    sizeof(secret), mctx, &tsigkey);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "dns_tsigkey_create failed: %s\n",
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@ -109,12 +109,12 @@ dns_tsigkey_identity(const dns_tsigkey_t *tsigkey);
 */
 isc_result_t
-dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm,
 		   unsigned char *secret, int length, isc_mem_t *mctx,
 		   dns_tsigkey_t **key);
 isc_result_t
-dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm,
 			  dst_key_t *dstkey, bool generated, bool restored,
 			  const dns_name_t *creator, isc_stdtime_t inception,
 			  isc_stdtime_t expire, isc_mem_t *mctx,
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@ -49,6 +49,7 @@
 #include <dst/gssapi.h>
 #include "dst_internal.h"
 #include "tsig_p.h"
 #define TEMP_BUFFER_SZ	   8192
 #define TKEY_RANDOM_AMOUNT 16
@ -264,8 +265,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 		}
 #endif /* HAVE_GSSAPI */
 		RETERR(dns_tsigkey_createfromkey(
-			name, &tkeyin->algorithm, dstkey, true, false,
+			name, dns__tsig_algfromname(&tkeyin->algorithm), dstkey,
-			principal, now, expire, ring->mctx, &tsigkey));
+			true, false, principal, now, expire, ring->mctx,
 			&tsigkey));
 		RETERR(dns_tsigkeyring_add(ring, name, tsigkey));
 		dst_key_free(&dstkey);
 		tkeyout->inception = now;
@ -680,20 +682,18 @@ dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 		return (result);
 	}
-	tkey.common.rdclass = dns_rdataclass_any;
+	tkey = (dns_rdata_tkey_t){
-	tkey.common.rdtype = dns_rdatatype_tkey;
+		.common.rdclass = dns_rdataclass_any,
-	ISC_LINK_INIT(&tkey.common, link);
+		.common.rdtype = dns_rdatatype_tkey,
-	tkey.mctx = NULL;
+		.common.link = ISC_LINK_INITIALIZER,
 		.inception = now,
 		.expire = now + lifetime,
 		.mode = DNS_TKEYMODE_GSSAPI,
 		.key = isc_buffer_base(&token),
 		.keylen = isc_buffer_usedlength(&token),
 	};
 	dns_name_init(&tkey.algorithm, NULL);
 	dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
 	tkey.inception = now;
 	tkey.expire = now + lifetime;
 	tkey.mode = DNS_TKEYMODE_GSSAPI;
 	tkey.error = 0;
 	tkey.key = isc_buffer_base(&token);
 	tkey.keylen = isc_buffer_usedlength(&token);
 	tkey.other = NULL;
 	tkey.otherlen = 0;
 	return (buildquery(msg, name, &tkey));
 }
@ -816,8 +816,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	 * anything yet.
 	 */
-	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey,
+	RETERR(dns_tsigkey_createfromkey(tkeyname, DST_ALG_GSSAPI, dstkey, true,
-					 true, false, NULL, rtkey.inception,
+					 false, NULL, rtkey.inception,
 					 rtkey.expire, ring->mctx, &tsigkey));
 	RETERR(dns_tsigkeyring_add(ring, tkeyname, tsigkey));
 	if (outkey == NULL) {
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@ -187,19 +187,39 @@ adjust_lru(dns_tsigkey_t *tkey) {
 	}
 }
 static const dns_name_t *
 namefromalg(dst_algorithm_t alg) {
 	switch (alg) {
 	case DST_ALG_HMACMD5:
 		return (dns_tsig_hmacmd5_name);
 	case DST_ALG_HMACSHA1:
 		return (dns_tsig_hmacsha1_name);
 	case DST_ALG_HMACSHA224:
 		return (dns_tsig_hmacsha224_name);
 	case DST_ALG_HMACSHA256:
 		return (dns_tsig_hmacsha256_name);
 	case DST_ALG_HMACSHA384:
 		return (dns_tsig_hmacsha384_name);
 	case DST_ALG_HMACSHA512:
 		return (dns_tsig_hmacsha512_name);
 	case DST_ALG_GSSAPI:
 		return (dns_tsig_gssapi_name);
 	default:
 		return (NULL);
 	}
 }
 isc_result_t
-dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm,
 			  dst_key_t *dstkey, bool generated, bool restored,
 			  const dns_name_t *creator, isc_stdtime_t inception,
 			  isc_stdtime_t expire, isc_mem_t *mctx,
 			  dns_tsigkey_t **keyp) {
 	dns_tsigkey_t *tkey = NULL;
 	isc_result_t ret;
 	unsigned int dstalg = 0;
 	REQUIRE(keyp != NULL && *keyp == NULL);
 	REQUIRE(name != NULL);
 	REQUIRE(algorithm != NULL);
 	REQUIRE(mctx != NULL);
 	tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t));
@ -215,31 +235,18 @@ dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
 	dns_name_dup(name, mctx, &tkey->name);
 	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
-	/* Check against known algorithm names */
+	if (algorithm != DST_ALG_UNKNOWN) {
-	dstalg = dns__tsig_algfromname(algorithm);
+		if (dstkey != NULL && dst_key_alg(dstkey) != algorithm) {
 	if (dstalg != 0) {
 		/*
 		 * 'algorithm' must be set to a static pointer
 		 * so that dns__tsig_algallocated() can compare them.
 		 */
 		tkey->algorithm = dns__tsig_algnamefromname(algorithm);
 		if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) {
 			ret = DNS_R_BADALG;
 			goto cleanup_name;
 		}
-	} else {
+	} else if (dstkey != NULL) {
-		dns_name_t *tmpname = NULL;
+		ret = DNS_R_BADALG;
-		if (dstkey != NULL) {
+		goto cleanup_name;
 			ret = DNS_R_BADALG;
 			goto cleanup_name;
 		}
 		tmpname = isc_mem_get(mctx, sizeof(dns_name_t));
 		dns_name_init(tmpname, NULL);
 		dns_name_dup(algorithm, mctx, tmpname);
 		(void)dns_name_downcase(tmpname, tmpname, NULL);
 		tkey->algorithm = tmpname;
 	}
 	tkey->algorithm = namefromalg(algorithm);
 	if (creator != NULL) {
 		tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
 		dns_name_init(tkey->creator, NULL);
@ -257,7 +264,7 @@ dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
 	 * Ignore this if it's a GSS key, since the key size is meaningless.
 	 */
 	if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
-	    dstalg != DST_ALG_GSSAPI)
+	    algorithm != DST_ALG_GSSAPI)
 	{
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof(namestr));
@ -360,34 +367,15 @@ ISC_REFCOUNT_IMPL(dns_tsigkeyring, destroyring);
 /*
 * Look up the DST_ALG_ constant for a given name.
 */
-unsigned int
+dst_algorithm_t
 dns__tsig_algfromname(const dns_name_t *algorithm) {
-	int i;
+	for (size_t i = 0; i < ARRAY_SIZE(known_algs); ++i) {
 	int n = sizeof(known_algs) / sizeof(*known_algs);
 	for (i = 0; i < n; ++i) {
 		const dns_name_t *name = known_algs[i].name;
 		if (algorithm == name || dns_name_equal(algorithm, name)) {
 			return (known_algs[i].dstalg);
 		}
 	}
-	return (0);
+	return (DST_ALG_UNKNOWN);
 }
 /*
 * Convert an algorithm name into a pointer to the
 * corresponding pre-defined dns_name_t structure.
 */
 const dns_name_t *
 dns__tsig_algnamefromname(const dns_name_t *algorithm) {
 	int i;
 	int n = sizeof(known_algs) / sizeof(*known_algs);
 	for (i = 0; i < n; ++i) {
 		const dns_name_t *name = known_algs[i].name;
 		if (algorithm == name || dns_name_equal(algorithm, name)) {
 			return (name);
 		}
 	}
 	return (NULL);
 }
 /*
@ -465,7 +453,7 @@ restore_key(dns_tsigkeyring_t *ring, isc_stdtime_t now, FILE *fp) {
 	}
 	dstalg = dns__tsig_algfromname(algorithm);
-	if (dstalg == 0) {
+	if (dstalg == DST_ALG_UNKNOWN) {
 		return (DNS_R_BADALG);
 	}
@ -476,7 +464,7 @@ restore_key(dns_tsigkeyring_t *ring, isc_stdtime_t now, FILE *fp) {
 		return (result);
 	}
-	result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true, true,
+	result = dns_tsigkey_createfromkey(name, dstalg, dstkey, true, true,
 					   creator, inception, expire,
 					   ring->mctx, &tkey);
 	if (result == ISC_R_SUCCESS) {
@ -573,27 +561,25 @@ dns_tsigkey_identity(const dns_tsigkey_t *tsigkey) {
 }
 isc_result_t
-dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm,
 		   unsigned char *secret, int length, isc_mem_t *mctx,
 		   dns_tsigkey_t **key) {
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
 	unsigned int dstalg = 0;
 	REQUIRE(length >= 0);
 	if (length > 0) {
 		REQUIRE(secret != NULL);
 	}
-	dstalg = dns__tsig_algfromname(algorithm);
+	if (dns__tsig_algvalid(algorithm)) {
 	if (dns__tsig_algvalid(dstalg)) {
 		if (secret != NULL) {
 			isc_buffer_t b;
 			isc_buffer_init(&b, secret, length);
 			isc_buffer_add(&b, length);
 			result = dst_key_frombuffer(
-				name, dstalg, DNS_KEYOWNER_ENTITY,
+				name, algorithm, DNS_KEYOWNER_ENTITY,
 				DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
 				mctx, &dstkey);
 			if (result != ISC_R_SUCCESS) {
@ -685,36 +671,24 @@ dns_tsig_sign(dns_message_t *msg) {
 	mctx = msg->mctx;
-	tsig.mctx = mctx;
+	now = msg->fuzzing ? msg->fuzztime : isc_stdtime_now();
-	tsig.common.rdclass = dns_rdataclass_any;
+	tsig = (dns_rdata_any_tsig_t){
-	tsig.common.rdtype = dns_rdatatype_tsig;
+		.mctx = mctx,
-	ISC_LINK_INIT(&tsig.common, link);
+		.common.rdclass = dns_rdataclass_any,
 		.common.rdtype = dns_rdatatype_tsig,
 		.common.link = ISC_LINK_INITIALIZER,
 		.timesigned = now + msg->timeadjust,
 		.fudge = DNS_TSIG_FUDGE,
 		.originalid = msg->id,
 		.error = response ? msg->querytsigstatus : dns_rcode_noerror,
 	};
 	dns_name_init(&tsig.algorithm, NULL);
 	dns_name_clone(key->algorithm, &tsig.algorithm);
 	if (msg->fuzzing) {
 		now = msg->fuzztime;
 	} else {
 		now = isc_stdtime_now();
 	}
 	tsig.timesigned = now + msg->timeadjust;
 	tsig.fudge = DNS_TSIG_FUDGE;
 	tsig.originalid = msg->id;
 	isc_buffer_init(&databuf, data, sizeof(data));
-	if (response) {
+	if (tsig.error == dns_tsigerror_badtime) {
 		tsig.error = msg->querytsigstatus;
 	} else {
 		tsig.error = dns_rcode_noerror;
 	}
 	if (tsig.error != dns_tsigerror_badtime) {
 		tsig.otherlen = 0;
 		tsig.other = NULL;
 	} else {
 		isc_buffer_t otherbuf;
 		tsig.otherlen = BADTIMELEN;
@ -1067,8 +1041,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		}
 		if (ret != ISC_R_SUCCESS) {
 			msg->tsigstatus = dns_tsigerror_badkey;
-			ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL,
+			ret = dns_tsigkey_create(
-						 0, mctx, &msg->tsigkey);
+				keyname, dns__tsig_algfromname(&tsig.algorithm),
 				NULL, 0, mctx, &msg->tsigkey);
 			if (ret != ISC_R_SUCCESS) {
 				return (ret);
 			}
@ -1714,6 +1689,7 @@ dns_tsigkeyring_add(dns_tsigkeyring_t *ring, const dns_name_t *name,
 	REQUIRE(VALID_TSIGKEY(tkey));
 	REQUIRE(VALID_TSIGKEYRING(ring));
 	REQUIRE(tkey->ring == NULL);
 	REQUIRE(name != NULL);
 	RWLOCK(&ring->lock, isc_rwlocktype_write);
--- a/lib/dns/tsig_p.h
+++ b/lib/dns/tsig_p.h
@ -30,10 +30,8 @@ ISC_LANG_BEGINDECLS
 bool
 dns__tsig_algvalid(unsigned int alg);
-unsigned int
+dst_algorithm_t
 dns__tsig_algfromname(const dns_name_t *algorithm);
 const dns_name_t *
 dns__tsig_algnamefromname(const dns_name_t *algorithm);
 bool
 dns__tsig_algallocated(const dns_name_t *algorithm);
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@ -2095,8 +2095,7 @@ ns_client_request(isc_nmhandle_t *handle, isc_result_t eresult,
 		signame = NULL;
 		if (dns_message_gettsig(client->message, &signame) != NULL) {
 			char namebuf[DNS_NAME_FORMATSIZE];
-			char cnamebuf[DNS_NAME_FORMATSIZE];
+
 			dns_name_format(signame, namebuf, sizeof(namebuf));
 			status = client->message->tsigstatus;
 			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
 			tresult = dns_tsigrcode_totext(status, &b);
@ -2105,23 +2104,17 @@ ns_client_request(isc_nmhandle_t *handle, isc_result_t eresult,
 			if (client->message->tsigkey->generated) {
 				dns_name_format(
 					client->message->tsigkey->creator,
-					cnamebuf, sizeof(cnamebuf));
+					namebuf, sizeof(namebuf));
 				ns_client_log(
 					client, DNS_LOGCATEGORY_SECURITY,
 					NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 					"request has invalid signature: "
 					"TSIG %s (%s): %s (%s)",
 					namebuf, cnamebuf,
 					isc_result_totext(result), tsigrcode);
 			} else {
-				ns_client_log(
+				dns_name_format(signame, namebuf,
-					client, DNS_LOGCATEGORY_SECURITY,
+						sizeof(namebuf));
 					NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 					"request has invalid signature: "
 					"TSIG %s: %s (%s)",
 					namebuf, isc_result_totext(result),
 					tsigrcode);
 			}
 			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 				      "request has invalid signature: "
 				      "TSIG %s: %s (%s)",
 				      namebuf, isc_result_totext(result),
 				      tsigrcode);
 		} else {
 			status = client->message->sig0status;
 			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
--- a/tests/dns/tsig_test.c
+++ b/tests/dns/tsig_test.c
@ -293,7 +293,7 @@ ISC_RUN_TEST_IMPL(tsig_tcp) {
 	result = dns_tsigkeyring_create(mctx, &ring);
 	assert_int_equal(result, ISC_R_SUCCESS);
-	result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, secret,
+	result = dns_tsigkey_create(keyname, DST_ALG_HMACSHA256, secret,
 				    sizeof(secret), mctx, &key);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	result = dns_tsigkeyring_add(ring, keyname, key);
@ -485,63 +485,6 @@ ISC_RUN_TEST_IMPL(algvalid) {
 	assert_false(dns__tsig_algvalid(DST_ALG_GSSAPI));
 }
 /* Tests the dns__tsig_algfromname function */
 ISC_RUN_TEST_IMPL(algfromname) {
 	UNUSED(state);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME),
 			 DST_ALG_HMACMD5);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME),
 			 DST_ALG_HMACSHA1);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME),
 			 DST_ALG_HMACSHA224);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME),
 			 DST_ALG_HMACSHA256);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA384_NAME),
 			 DST_ALG_HMACSHA384);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA512_NAME),
 			 DST_ALG_HMACSHA512);
 	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPI_NAME),
 			 DST_ALG_GSSAPI);
 	assert_int_equal(dns__tsig_algfromname(dns_rootname), 0);
 }
 /* Tests the dns__tsig_algnamefromname function */
 /*
 * Helper function to create a dns_name_t from a string and see if
 * the dns__tsig_algnamefromname function can correctly match it against the
 * static table of known algorithms.
 */
 static void
 test_name(const char *name_string, const dns_name_t *expected) {
 	dns_name_t name;
 	dns_name_init(&name, NULL);
 	assert_int_equal(dns_name_fromstring(&name, name_string, 0, mctx),
 			 ISC_R_SUCCESS);
 	assert_ptr_equal(dns__tsig_algnamefromname(&name), expected);
 	dns_name_free(&name, mctx);
 }
 ISC_RUN_TEST_IMPL(algnamefromname) {
 	UNUSED(state);
 	/* test the standard algorithms */
 	test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME);
 	test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME);
 	test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME);
 	test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME);
 	test_name("hmac-sha384", DNS_TSIG_HMACSHA384_NAME);
 	test_name("hmac-sha512", DNS_TSIG_HMACSHA512_NAME);
 	test_name("gss-tsig", DNS_TSIG_GSSAPI_NAME);
 	/* try another name that isn't a standard algorithm name */
 	assert_null(dns__tsig_algnamefromname(dns_rootname));
 }
 /* Tests the dns__tsig_algallocated function */
 ISC_RUN_TEST_IMPL(algallocated) {
 	UNUSED(state);
@ -564,8 +507,6 @@ ISC_RUN_TEST_IMPL(algallocated) {
 ISC_TEST_LIST_START
 ISC_TEST_ENTRY_CUSTOM(tsig_tcp, setup_test, teardown_test)
 ISC_TEST_ENTRY(algvalid)
 ISC_TEST_ENTRY(algfromname)
 ISC_TEST_ENTRY_CUSTOM(algnamefromname, setup_test, teardown_test)
 ISC_TEST_ENTRY(algallocated)
 ISC_TEST_LIST_END