From 4795f0ca89a3e907cbcc2d406da27b38f9aed8dd Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 22 Jun 2018 09:50:10 +1000
Subject: [PATCH 1/2] the client cookie was being hashed twice when computing the server cookie for sha1 and sha256
---
 lib/ns/client.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index ad5f492d82..e0aa915c7b 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1851,8 +1851,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
 INSIST(0);
 }
 isc_hmacsha1_update(&hmacsha1, cp, length);
- isc_hmacsha1_update(&hmacsha1, client->cookie,
- sizeof(client->cookie));
 isc_hmacsha1_sign(&hmacsha1, digest, sizeof(digest));
 isc_buffer_putmem(buf, digest, 8);
 isc_hmacsha1_invalidate(&hmacsha1);
@@ -1888,8 +1886,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
 INSIST(0);
 }
 isc_hmacsha256_update(&hmacsha256, cp, length);
- isc_hmacsha256_update(&hmacsha256, client->cookie,
- sizeof(client->cookie));
 isc_hmacsha256_sign(&hmacsha256, digest, sizeof(digest));
 isc_buffer_putmem(buf, digest, 8);
 isc_hmacsha256_invalidate(&hmacsha256);
From 8755a249bc50f0f166fd2164bc6605348f915eec Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 22 Jun 2018 10:26:21 +1000
Subject: [PATCH 2/2] 4975. [bug] The server cookie computation for sha1 and sha256 did not match the method described in RFC 7873. [GL #356]
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index e06bf62a3b..1c69daab9b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4975. [bug] The server cookie computation for sha1 and sha256 did
+ not match the method described in RFC 7873. [GL #356]
+
 4974. [bug] Restore default rrset-order to random. [GL #336]
 
 4973. [func] verifyzone() and the functions it uses were moved to
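Review bot: The surviving `isc_hmacsha1_update(&hmacsha1, cp, length);` is now the only call that feeds the client cookie into the HMAC, but nothing at the call site records that the buffer at `cp` already contains it, so a later reader who only sees `cp`/`length` could reintroduce the duplicate update; a one-line comment above it, `/* the client cookie is already part of the data at cp; hashing it again here diverges from the RFC 7873 server cookie construction */`, would pin that down, and the same comment belongs above the `isc_hmacsha256_update` in the -1888 hunk. Because the emitted 8-byte server cookie changes with this fix, cookies issued by a pre-fix build will presumably fail verification after an upgrade and clients will have to obtain a fresh one; if that is the intended behaviour it is worth a sentence in the CHANGES entry of the second patch. A known-answer test of compute_cookie against a fixed nonce, time and client address would have caught the mismatch and would guard this fix against regression, assuming the suite has no such case already. compute_cookie starts and ends outside both hunks, so where `cp` and `length` are assembled is not visible here.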