--- a/components/bind/patches/003-RT40212.patch Mon Jun 06 06:11:42 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,947 +0,0 @@
-This patch was obtained from ISC for 9.6-ESV-R11-P3.
-
---- old/CHANGES Mon Aug 24 00:18:22 2015
-+++ new/CHANGES Mon Aug 24 00:18:22 2015
-@@ -1,3 +1,10 @@
-+ --- 9.6-ESV-R11-P3 released ---
-+
-+4168. [security] A buffer accounting error could trigger an
-+ assertion failure when parsing certain malformed
-+ DNSSEC keys. (CVE-2015-5722)
-+ [RT #40212]
-+
- --- 9.6-ESV-R11-P2 released ---
-
- 4165. [security] A failure to reset a value to NULL in tkey.c could
---- old/lib/dns/api Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/api Mon Aug 24 00:18:23 2015
-@@ -5,5 +5,5 @@
- # 9.9: 90-109
- # 9.9-sub: 130-139
- LIBINTERFACE = 114
--LIBREVISION = 1
-+LIBREVISION = 2
- LIBAGE = 1
---- old/lib/dns/hmac_link.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/hmac_link.c Mon Aug 24 00:18:23 2015
-@@ -1,5 +1,5 @@
- /*
-- * Portions Copyright (C) 2004-2008, 2012-2014 Internet Systems Consortium, Inc. ("ISC")
-+ * Portions Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
-@@ -51,14 +51,10 @@
- #include "dst_internal.h"
- #include "dst_parse.h"
-
--#define HMAC_LEN 64
--#define HMAC_IPAD 0x36
--#define HMAC_OPAD 0x5c
--
- static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacmd5_key {
-- unsigned char key[HMAC_LEN];
-+ unsigned char key[ISC_MD5_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -80,7 +76,7 @@
- hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
- if (hmacmd5ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
-+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
- dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -143,7 +139,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, HMAC_LEN))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -153,16 +149,16 @@
- hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
-+ bytes = ISC_MD5_BLOCK_LENGTH;
-+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -171,7 +167,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacmd5_fromdns(key, &b);
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -185,6 +181,7 @@
- static void
- hmacmd5_destroy(dst_key_t *key) {
- dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
-+
- memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
- key->keydata.hmacmd5 = NULL;
-@@ -224,7 +221,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > HMAC_LEN) {
-+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, r.base, r.length);
- isc_md5_final(&md5ctx, hkey->key);
-@@ -237,6 +234,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacmd5 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -276,7 +275,8 @@
- unsigned int i;
-
- /* read private key file */
-- result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
-+ result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
-+ &priv);
- if (result != ISC_R_SUCCESS)
- return (result);
-
-@@ -337,7 +337,7 @@
- static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacsha1_key {
-- unsigned char key[ISC_SHA1_DIGESTLENGTH];
-+ unsigned char key[ISC_SHA1_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -348,7 +348,7 @@
- hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
- if (hmacsha1ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
-+ isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
- dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -411,7 +411,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -421,16 +421,16 @@
- hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_SHA1_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_SHA1_BLOCK_LENGTH) {
-+ bytes = ISC_SHA1_BLOCK_LENGTH;
-+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -439,7 +439,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha1_fromdns(key, &b);
-- memset(data, 0, ISC_SHA1_DIGESTLENGTH);
-+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -453,6 +453,7 @@
- static void
- hmacsha1_destroy(dst_key_t *key) {
- dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
-+
- memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
- key->keydata.hmacsha1 = NULL;
-@@ -492,7 +493,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA1_DIGESTLENGTH) {
-+ if (r.length > ISC_SHA1_BLOCK_LENGTH) {
- isc_sha1_init(&sha1ctx);
- isc_sha1_update(&sha1ctx, r.base, r.length);
- isc_sha1_final(&sha1ctx, hkey->key);
-@@ -505,6 +506,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacsha1 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -606,7 +609,7 @@
- static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacsha224_key {
-- unsigned char key[ISC_SHA224_DIGESTLENGTH];
-+ unsigned char key[ISC_SHA224_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -617,7 +620,7 @@
- hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
- if (hmacsha224ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
-+ isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
- dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -680,7 +683,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -690,16 +693,16 @@
- hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_SHA224_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_SHA224_BLOCK_LENGTH) {
-+ bytes = ISC_SHA224_BLOCK_LENGTH;
-+ key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -708,7 +711,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha224_fromdns(key, &b);
-- memset(data, 0, ISC_SHA224_DIGESTLENGTH);
-+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -722,6 +725,7 @@
- static void
- hmacsha224_destroy(dst_key_t *key) {
- dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
-+
- memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
- key->keydata.hmacsha224 = NULL;
-@@ -761,7 +765,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA224_DIGESTLENGTH) {
-+ if (r.length > ISC_SHA224_BLOCK_LENGTH) {
- isc_sha224_init(&sha224ctx);
- isc_sha224_update(&sha224ctx, r.base, r.length);
- isc_sha224_final(hkey->key, &sha224ctx);
-@@ -774,6 +778,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacsha224 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -875,7 +881,7 @@
- static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacsha256_key {
-- unsigned char key[ISC_SHA256_DIGESTLENGTH];
-+ unsigned char key[ISC_SHA256_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -886,7 +892,7 @@
- hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
- if (hmacsha256ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
-+ isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
- dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -949,7 +955,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -959,16 +965,16 @@
- hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_SHA256_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_SHA256_BLOCK_LENGTH) {
-+ bytes = ISC_SHA256_BLOCK_LENGTH;
-+ key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -977,7 +983,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha256_fromdns(key, &b);
-- memset(data, 0, ISC_SHA256_DIGESTLENGTH);
-+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -991,6 +997,7 @@
- static void
- hmacsha256_destroy(dst_key_t *key) {
- dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
-+
- memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
- key->keydata.hmacsha256 = NULL;
-@@ -1030,7 +1037,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA256_DIGESTLENGTH) {
-+ if (r.length > ISC_SHA256_BLOCK_LENGTH) {
- isc_sha256_init(&sha256ctx);
- isc_sha256_update(&sha256ctx, r.base, r.length);
- isc_sha256_final(hkey->key, &sha256ctx);
-@@ -1043,6 +1050,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacsha256 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -1144,7 +1153,7 @@
- static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacsha384_key {
-- unsigned char key[ISC_SHA384_DIGESTLENGTH];
-+ unsigned char key[ISC_SHA384_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -1155,7 +1164,7 @@
- hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
- if (hmacsha384ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
-+ isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
- dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -1218,7 +1227,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -1228,16 +1237,16 @@
- hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_SHA384_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_SHA384_BLOCK_LENGTH) {
-+ bytes = ISC_SHA384_BLOCK_LENGTH;
-+ key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -1246,7 +1255,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha384_fromdns(key, &b);
-- memset(data, 0, ISC_SHA384_DIGESTLENGTH);
-+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -1260,6 +1269,7 @@
- static void
- hmacsha384_destroy(dst_key_t *key) {
- dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
-+
- memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
- key->keydata.hmacsha384 = NULL;
-@@ -1299,7 +1309,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA384_DIGESTLENGTH) {
-+ if (r.length > ISC_SHA384_BLOCK_LENGTH) {
- isc_sha384_init(&sha384ctx);
- isc_sha384_update(&sha384ctx, r.base, r.length);
- isc_sha384_final(hkey->key, &sha384ctx);
-@@ -1312,6 +1322,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacsha384 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -1413,7 +1425,7 @@
- static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
-
- struct dst_hmacsha512_key {
-- unsigned char key[ISC_SHA512_DIGESTLENGTH];
-+ unsigned char key[ISC_SHA512_BLOCK_LENGTH];
- };
-
- static isc_result_t
-@@ -1424,7 +1436,7 @@
- hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
- if (hmacsha512ctx == NULL)
- return (ISC_R_NOMEMORY);
-- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
-+ isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
- dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
- return (ISC_R_SUCCESS);
- }
-@@ -1487,7 +1499,7 @@
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
-- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH))
-+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH))
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-@@ -1497,16 +1509,16 @@
- hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
-- int bytes;
-- unsigned char data[HMAC_LEN];
-+ unsigned int bytes;
-+ unsigned char data[ISC_SHA512_BLOCK_LENGTH];
-
- bytes = (key->key_size + 7) / 8;
-- if (bytes > HMAC_LEN) {
-- bytes = HMAC_LEN;
-- key->key_size = HMAC_LEN * 8;
-+ if (bytes > ISC_SHA512_BLOCK_LENGTH) {
-+ bytes = ISC_SHA512_BLOCK_LENGTH;
-+ key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
- }
-
-- memset(data, 0, HMAC_LEN);
-+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
-@@ -1515,7 +1527,7 @@
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacsha512_fromdns(key, &b);
-- memset(data, 0, ISC_SHA512_DIGESTLENGTH);
-+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
-
- return (ret);
- }
-@@ -1529,6 +1541,7 @@
- static void
- hmacsha512_destroy(dst_key_t *key) {
- dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
-+
- memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
- isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
- key->keydata.hmacsha512 = NULL;
-@@ -1568,7 +1581,7 @@
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
-- if (r.length > ISC_SHA512_DIGESTLENGTH) {
-+ if (r.length > ISC_SHA512_BLOCK_LENGTH) {
- isc_sha512_init(&sha512ctx);
- isc_sha512_update(&sha512ctx, r.base, r.length);
- isc_sha512_final(hkey->key, &sha512ctx);
-@@ -1581,6 +1594,8 @@
- key->key_size = keylen * 8;
- key->keydata.hmacsha512 = hkey;
-
-+ isc_buffer_forward(data, r.length);
-+
- return (ISC_R_SUCCESS);
- }
-
---- old/lib/dns/include/dst/dst.h Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/include/dst/dst.h Mon Aug 24 00:18:23 2015
-@@ -65,6 +65,7 @@
- #define DST_ALG_HMACSHA256 163 /* XXXMPA */
- #define DST_ALG_HMACSHA384 164 /* XXXMPA */
- #define DST_ALG_HMACSHA512 165 /* XXXMPA */
-+#define DST_ALG_INDIRECT 252
- #define DST_ALG_PRIVATE 254
- #define DST_ALG_EXPAND 255
- #define DST_MAX_ALGS 255
---- old/lib/dns/ncache.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/ncache.c Mon Aug 24 00:18:23 2015
-@@ -35,7 +35,7 @@
- #define DNS_NCACHE_RDATA 20U
-
- /*
-- * The format of an ncache rdata is a sequence of one or more records of
-+ * The format of an ncache rdata is a sequence of zero or more records of
- * the following format:
- *
- * owner name
-@@ -665,13 +665,11 @@
- dns_name_fromregion(&tname, &remaining);
- INSIST(remaining.length >= tname.length);
- isc_buffer_forward(&source, tname.length);
-- remaining.length -= tname.length;
-- remaining.base += tname.length;
-+ isc_region_consume(&remaining, tname.length);
-
- INSIST(remaining.length >= 2);
- type = isc_buffer_getuint16(&source);
-- remaining.length -= 2;
-- remaining.base += 2;
-+ isc_region_consume(&remaining, 2);
-
- if (type != dns_rdatatype_rrsig ||
- !dns_name_equal(&tname, name)) {
-@@ -683,8 +681,7 @@
- INSIST(remaining.length >= 1);
- trust = isc_buffer_getuint8(&source);
- INSIST(trust <= dns_trust_ultimate);
-- remaining.length -= 1;
-- remaining.base += 1;
-+ isc_region_consume(&remaining, 1);
-
- raw = remaining.base;
- count = raw[0] * 256 + raw[1];
---- old/lib/dns/openssldh_link.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/openssldh_link.c Mon Aug 24 00:18:23 2015
-@@ -1,5 +1,5 @@
- /*
-- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
-+ * Portions Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
-@@ -93,7 +93,7 @@
- if (r.length < len)
- return (ISC_R_NOSPACE);
- ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
-- if (ret == 0)
-+ if (ret <= 0)
- return (dst__openssl_toresult2("DH_compute_key",
- DST_R_COMPUTESECRETFAILURE));
- isc_buffer_add(secret, len);
-@@ -236,8 +236,10 @@
-
- static void
- uint16_toregion(isc_uint16_t val, isc_region_t *region) {
-- *region->base++ = (val & 0xff00) >> 8;
-- *region->base++ = (val & 0x00ff);
-+ *region->base = (val & 0xff00) >> 8;
-+ isc_region_consume(region, 1);
-+ *region->base = (val & 0x00ff);
-+ isc_region_consume(region, 1);
- }
-
- static isc_uint16_t
-@@ -248,7 +250,8 @@
- val = ((unsigned int)(cp[0])) << 8;
- val |= ((unsigned int)(cp[1]));
-
-- region->base += 2;
-+ isc_region_consume(region, 2);
-+
- return (val);
- }
-
-@@ -289,16 +292,16 @@
- }
- else
- BN_bn2bin(dh->p, r.base);
-- r.base += plen;
-+ isc_region_consume(&r, plen);
-
- uint16_toregion(glen, &r);
- if (glen > 0)
- BN_bn2bin(dh->g, r.base);
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- uint16_toregion(publen, &r);
- BN_bn2bin(dh->pub_key, r.base);
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- isc_buffer_add(data, dnslen);
-
-@@ -339,10 +342,12 @@
- return (DST_R_INVALIDPUBLICKEY);
- }
- if (plen == 1 || plen == 2) {
-- if (plen == 1)
-- special = *r.base++;
-- else
-+ if (plen == 1) {
-+ special = *r.base;
-+ isc_region_consume(&r, 1);
-+ } else {
- special = uint16_fromregion(&r);
-+ }
- switch (special) {
- case 1:
- dh->p = &bn768;
-@@ -357,10 +362,9 @@
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- }
-- else {
-+ } else {
- dh->p = BN_bin2bn(r.base, plen, NULL);
-- r.base += plen;
-+ isc_region_consume(&r, plen);
- }
-
- /*
-@@ -391,8 +395,7 @@
- return (DST_R_INVALIDPUBLICKEY);
- }
- }
-- }
-- else {
-+ } else {
- if (glen == 0) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
-@@ -399,7 +402,7 @@
- }
- dh->g = BN_bin2bn(r.base, glen, NULL);
- }
-- r.base += glen;
-+ isc_region_consume(&r, glen);
-
- if (r.length < 2) {
- DH_free(dh);
-@@ -411,7 +414,7 @@
- return (DST_R_INVALIDPUBLICKEY);
- }
- dh->pub_key = BN_bin2bn(r.base, publen, NULL);
-- r.base += publen;
-+ isc_region_consume(&r, publen);
-
- key->key_size = BN_num_bits(dh->p);
-
-@@ -577,11 +580,11 @@
-
- s = strchr(hexdigits, tolower((unsigned char)str[i]));
- RUNTIME_CHECK(s != NULL);
-- high = s - hexdigits;
-+ high = (unsigned int)(s - hexdigits);
-
- s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
- RUNTIME_CHECK(s != NULL);
-- low = s - hexdigits;
-+ low = (unsigned int)(s - hexdigits);
-
- data[i/2] = (unsigned char)((high << 4) + low);
- }
---- old/lib/dns/openssldsa_link.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/openssldsa_link.c Mon Aug 24 00:18:23 2015
-@@ -1,5 +1,5 @@
- /*
-- * Portions Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
-+ * Portions Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
-@@ -137,6 +137,7 @@
- DSA *dsa = key->keydata.dsa;
- isc_region_t r;
- DSA_SIG *dsasig;
-+ unsigned int klen;
- #if USE_EVP
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey;
-@@ -209,11 +210,17 @@
- "DSA_do_sign",
- DST_R_SIGNFAILURE));
- #endif
-- *r.base++ = (key->key_size - 512)/64;
-+
-+ klen = (key->key_size - 512)/64;
-+ if (klen > 255)
-+ return (ISC_R_FAILURE);
-+ *r.base = klen;
-+ isc_region_consume(&r, 1);
-+
- BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- DSA_SIG_free(dsasig);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
-@@ -416,15 +423,16 @@
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
-- *r.base++ = t;
-+ *r.base = t;
-+ isc_region_consume(&r, 1);
- BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-
-@@ -449,7 +457,8 @@
- return (ISC_R_NOMEMORY);
- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
-- t = (unsigned int) *r.base++;
-+ t = (unsigned int) *r.base;
-+ isc_region_consume(&r, 1);
- if (t > 8) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
-@@ -456,22 +465,22 @@
- }
- p_bytes = 64 + 8 * t;
-
-- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
-- r.base += ISC_SHA1_DIGESTLENGTH;
-+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
- dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
-- r.base += p_bytes;
-+ isc_region_consume(&r, p_bytes);
-
- key->key_size = p_bytes * 8;
-
---- old/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:23 2015
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
-+ * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
-@@ -908,6 +908,7 @@
- RSA *rsa;
- isc_region_t r;
- unsigned int e_bytes;
-+ unsigned int length;
- #if USE_EVP
- EVP_PKEY *pkey;
- #endif
-@@ -915,6 +916,7 @@
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-+ length = r.length;
-
- rsa = RSA_new();
- if (rsa == NULL)
-@@ -925,8 +927,8 @@
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- e_bytes = *r.base++;
-- r.length--;
-+ e_bytes = *r.base;
-+ isc_region_consume(&r, 1);
-
- if (e_bytes == 0) {
- if (r.length < 2) {
-@@ -933,9 +935,10 @@
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- e_bytes = ((*r.base++) << 8);
-- e_bytes += *r.base++;
-- r.length -= 2;
-+ e_bytes = (*r.base) << 8;
-+ isc_region_consume(&r, 1);
-+ e_bytes += *r.base;
-+ isc_region_consume(&r, 1);
- }
-
- if (r.length < e_bytes) {
-@@ -943,14 +946,13 @@
- return (DST_R_INVALIDPUBLICKEY);
- }
- rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
-- r.base += e_bytes;
-- r.length -= e_bytes;
-+ isc_region_consume(&r, e_bytes);
-
- rsa->n = BN_bin2bn(r.base, r.length, NULL);
-
- key->key_size = BN_num_bits(rsa->n);
-
-- isc_buffer_forward(data, r.length);
-+ isc_buffer_forward(data, length);
-
- #if USE_EVP
- pkey = EVP_PKEY_new();
---- old/lib/dns/resolver.c Mon Aug 24 00:18:24 2015
-+++ new/lib/dns/resolver.c Mon Aug 24 00:18:23 2015
-@@ -8572,6 +8572,12 @@
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-+ /*
-+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
-+ */
-+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
-+ return (ISC_FALSE);
-+
- #if USE_ALGLOCK
- RWLOCK(&resolver->alglock, isc_rwlocktype_read);
- #endif
-@@ -8591,6 +8597,7 @@
- #endif
- if (found)
- return (ISC_FALSE);
-+
- return (dst_algorithm_supported(alg));
- }
-
---- old/lib/isc/include/isc/md5.h Mon Aug 24 00:18:24 2015
-+++ new/lib/isc/include/isc/md5.h Mon Aug 24 00:18:23 2015
-@@ -46,7 +46,8 @@
- #include <isc/lang.h>
- #include <isc/types.h>
-
--#define ISC_MD5_DIGESTLENGTH 16U
-+#define ISC_MD5_DIGESTLENGTH 16U
-+#define ISC_MD5_BLOCK_LENGTH 64U
-
- typedef struct {
- isc_uint32_t buf[4];
---- old/version Mon Aug 24 00:18:24 2015
-+++ new/version Mon Aug 24 00:18:23 2015
-@@ -10,4 +10,4 @@
- PATCHVER=
- RELEASETYPE=-ESV
- RELEASEVER=-R11
--EXTENSIONS=-P2
-+EXTENSIONS=-P3