# HG changeset patch # User Ben Chang # Date 1441301829 25200 # Node ID e445eab5467858537643f6ab631f1d79492d56d5 # Parent 92f799cb73918a37f3a037882b34eef859984868 21674580 Upgrade Solaris to BIND 9.6-ESV-R11-P3 21674511 problem in SERVICE/DNS-SERVER diff -r 92f799cb7391 -r e445eab54678 components/bind/Makefile --- a/components/bind/Makefile Fri Aug 28 05:13:20 2015 -0700 +++ b/components/bind/Makefile Thu Sep 03 10:37:09 2015 -0700 @@ -24,8 +24,8 @@ COMPONENT_NAME= bind COMPONENT_VERSION= 9.6-ESV-R11 -HUMAN_VERSION= $(COMPONENT_VERSION)-P2 -IPS_COMPONENT_VERSION= 9.6.3.11.2 +HUMAN_VERSION= $(COMPONENT_VERSION)-P3 +IPS_COMPONENT_VERSION= 9.6.3.11.3 COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz COMPONENT_PROJECT_URL= http://www.isc.org/software/bind/ @@ -37,7 +37,7 @@ http://ftp.isc.org/isc/bind9/$(COMPONENT_VERSION)/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= service/dns-server -TPNO= 23687 +TPNO= 24244 include ../../make-rules/prep.mk include ../../make-rules/configure.mk diff -r 92f799cb7391 -r e445eab54678 components/bind/bindc.p5m --- a/components/bind/bindc.p5m Fri Aug 28 05:13:20 2015 -0700 +++ b/components/bind/bindc.p5m Thu Sep 03 10:37:09 2015 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # set name=pkg.fmri \ @@ -44,7 +44,7 @@ dir path=usr/sbin file path=usr/lib/dns/libbind9.so.50.0.11 -file path=usr/lib/dns/libdns.so.113.1.1 +file path=usr/lib/dns/libdns.so.113.1.2 file path=usr/lib/dns/libisc.so.110.0.2 file path=usr/lib/dns/libisccc.so.50.0.6 file path=usr/lib/dns/libisccfg.so.50.0.10 @@ -58,8 +58,8 @@ link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11 link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11 -link path=usr/lib/dns/libdns.so target=libdns.so.113.1.1 -link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.1 +link path=usr/lib/dns/libdns.so target=libdns.so.113.1.2 +link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.2 link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2 link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2 link path=usr/lib/dns/libisccc.so target=libisccc.so.50.0.6 diff -r 92f799cb7391 -r e445eab54678 components/bind/patches/003-RT40212.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/bind/patches/003-RT40212.patch Thu Sep 03 10:37:09 2015 -0700 @@ -0,0 +1,947 @@ +This patch was obtained from ISC for 9.6-ESV-R11-P3. + +--- old/CHANGES Mon Aug 24 00:18:22 2015 ++++ new/CHANGES Mon Aug 24 00:18:22 2015 +@@ -1,3 +1,10 @@ ++ --- 9.6-ESV-R11-P3 released --- ++ ++4168. [security] A buffer accounting error could trigger an ++ assertion failure when parsing certain malformed ++ DNSSEC keys. (CVE-2015-5722) ++ [RT #40212] ++ + --- 9.6-ESV-R11-P2 released --- + + 4165. [security] A failure to reset a value to NULL in tkey.c could +--- old/lib/dns/api Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/api Mon Aug 24 00:18:23 2015 +@@ -5,5 +5,5 @@ + # 9.9: 90-109 + # 9.9-sub: 130-139 + LIBINTERFACE = 114 +-LIBREVISION = 1 ++LIBREVISION = 2 + LIBAGE = 1 +--- old/lib/dns/hmac_link.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/hmac_link.c Mon Aug 24 00:18:23 2015 +@@ -1,5 +1,5 @@ + /* +- * Portions Copyright (C) 2004-2008, 2012-2014 Internet Systems Consortium, Inc. ("ISC") ++ * Portions Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any +@@ -51,14 +51,10 @@ + #include "dst_internal.h" + #include "dst_parse.h" + +-#define HMAC_LEN 64 +-#define HMAC_IPAD 0x36 +-#define HMAC_OPAD 0x5c +- + static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacmd5_key { +- unsigned char key[HMAC_LEN]; ++ unsigned char key[ISC_MD5_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -80,7 +76,7 @@ + hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); + if (hmacmd5ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN); ++ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); + dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; + return (ISC_R_SUCCESS); + } +@@ -143,7 +139,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, HMAC_LEN)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -153,16 +149,16 @@ + hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_MD5_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_MD5_BLOCK_LENGTH) { ++ bytes = ISC_MD5_BLOCK_LENGTH; ++ key->key_size = ISC_MD5_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_MD5_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -171,7 +167,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacmd5_fromdns(key, &b); +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_MD5_BLOCK_LENGTH); + + return (ret); + } +@@ -185,6 +181,7 @@ + static void + hmacmd5_destroy(dst_key_t *key) { + dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5; ++ + memset(hkey, 0, sizeof(dst_hmacmd5_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t)); + key->keydata.hmacmd5 = NULL; +@@ -224,7 +221,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > HMAC_LEN) { ++ if (r.length > ISC_MD5_BLOCK_LENGTH) { + isc_md5_init(&md5ctx); + isc_md5_update(&md5ctx, r.base, r.length); + isc_md5_final(&md5ctx, hkey->key); +@@ -237,6 +234,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacmd5 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -276,7 +275,8 @@ + unsigned int i; + + /* read private key file */ +- result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv); ++ result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, ++ &priv); + if (result != ISC_R_SUCCESS) + return (result); + +@@ -337,7 +337,7 @@ + static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacsha1_key { +- unsigned char key[ISC_SHA1_DIGESTLENGTH]; ++ unsigned char key[ISC_SHA1_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -348,7 +348,7 @@ + hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t)); + if (hmacsha1ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH); ++ isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); + dctx->ctxdata.hmacsha1ctx = hmacsha1ctx; + return (ISC_R_SUCCESS); + } +@@ -411,7 +411,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -421,16 +421,16 @@ + hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_SHA1_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_SHA1_BLOCK_LENGTH) { ++ bytes = ISC_SHA1_BLOCK_LENGTH; ++ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_SHA1_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -439,7 +439,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacsha1_fromdns(key, &b); +- memset(data, 0, ISC_SHA1_DIGESTLENGTH); ++ memset(data, 0, ISC_SHA1_BLOCK_LENGTH); + + return (ret); + } +@@ -453,6 +453,7 @@ + static void + hmacsha1_destroy(dst_key_t *key) { + dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1; ++ + memset(hkey, 0, sizeof(dst_hmacsha1_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t)); + key->keydata.hmacsha1 = NULL; +@@ -492,7 +493,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA1_DIGESTLENGTH) { ++ if (r.length > ISC_SHA1_BLOCK_LENGTH) { + isc_sha1_init(&sha1ctx); + isc_sha1_update(&sha1ctx, r.base, r.length); + isc_sha1_final(&sha1ctx, hkey->key); +@@ -505,6 +506,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacsha1 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -606,7 +609,7 @@ + static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacsha224_key { +- unsigned char key[ISC_SHA224_DIGESTLENGTH]; ++ unsigned char key[ISC_SHA224_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -617,7 +620,7 @@ + hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t)); + if (hmacsha224ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH); ++ isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH); + dctx->ctxdata.hmacsha224ctx = hmacsha224ctx; + return (ISC_R_SUCCESS); + } +@@ -680,7 +683,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -690,16 +693,16 @@ + hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_SHA224_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_SHA224_BLOCK_LENGTH) { ++ bytes = ISC_SHA224_BLOCK_LENGTH; ++ key->key_size = ISC_SHA224_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_SHA224_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -708,7 +711,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacsha224_fromdns(key, &b); +- memset(data, 0, ISC_SHA224_DIGESTLENGTH); ++ memset(data, 0, ISC_SHA224_BLOCK_LENGTH); + + return (ret); + } +@@ -722,6 +725,7 @@ + static void + hmacsha224_destroy(dst_key_t *key) { + dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224; ++ + memset(hkey, 0, sizeof(dst_hmacsha224_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t)); + key->keydata.hmacsha224 = NULL; +@@ -761,7 +765,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA224_DIGESTLENGTH) { ++ if (r.length > ISC_SHA224_BLOCK_LENGTH) { + isc_sha224_init(&sha224ctx); + isc_sha224_update(&sha224ctx, r.base, r.length); + isc_sha224_final(hkey->key, &sha224ctx); +@@ -774,6 +778,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacsha224 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -875,7 +881,7 @@ + static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacsha256_key { +- unsigned char key[ISC_SHA256_DIGESTLENGTH]; ++ unsigned char key[ISC_SHA256_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -886,7 +892,7 @@ + hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t)); + if (hmacsha256ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH); ++ isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH); + dctx->ctxdata.hmacsha256ctx = hmacsha256ctx; + return (ISC_R_SUCCESS); + } +@@ -949,7 +955,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -959,16 +965,16 @@ + hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_SHA256_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_SHA256_BLOCK_LENGTH) { ++ bytes = ISC_SHA256_BLOCK_LENGTH; ++ key->key_size = ISC_SHA256_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_SHA256_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -977,7 +983,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacsha256_fromdns(key, &b); +- memset(data, 0, ISC_SHA256_DIGESTLENGTH); ++ memset(data, 0, ISC_SHA256_BLOCK_LENGTH); + + return (ret); + } +@@ -991,6 +997,7 @@ + static void + hmacsha256_destroy(dst_key_t *key) { + dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256; ++ + memset(hkey, 0, sizeof(dst_hmacsha256_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t)); + key->keydata.hmacsha256 = NULL; +@@ -1030,7 +1037,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA256_DIGESTLENGTH) { ++ if (r.length > ISC_SHA256_BLOCK_LENGTH) { + isc_sha256_init(&sha256ctx); + isc_sha256_update(&sha256ctx, r.base, r.length); + isc_sha256_final(hkey->key, &sha256ctx); +@@ -1043,6 +1050,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacsha256 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -1144,7 +1153,7 @@ + static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacsha384_key { +- unsigned char key[ISC_SHA384_DIGESTLENGTH]; ++ unsigned char key[ISC_SHA384_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -1155,7 +1164,7 @@ + hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t)); + if (hmacsha384ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH); ++ isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH); + dctx->ctxdata.hmacsha384ctx = hmacsha384ctx; + return (ISC_R_SUCCESS); + } +@@ -1218,7 +1227,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -1228,16 +1237,16 @@ + hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_SHA384_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_SHA384_BLOCK_LENGTH) { ++ bytes = ISC_SHA384_BLOCK_LENGTH; ++ key->key_size = ISC_SHA384_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_SHA384_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -1246,7 +1255,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacsha384_fromdns(key, &b); +- memset(data, 0, ISC_SHA384_DIGESTLENGTH); ++ memset(data, 0, ISC_SHA384_BLOCK_LENGTH); + + return (ret); + } +@@ -1260,6 +1269,7 @@ + static void + hmacsha384_destroy(dst_key_t *key) { + dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384; ++ + memset(hkey, 0, sizeof(dst_hmacsha384_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t)); + key->keydata.hmacsha384 = NULL; +@@ -1299,7 +1309,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA384_DIGESTLENGTH) { ++ if (r.length > ISC_SHA384_BLOCK_LENGTH) { + isc_sha384_init(&sha384ctx); + isc_sha384_update(&sha384ctx, r.base, r.length); + isc_sha384_final(hkey->key, &sha384ctx); +@@ -1312,6 +1322,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacsha384 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -1413,7 +1425,7 @@ + static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data); + + struct dst_hmacsha512_key { +- unsigned char key[ISC_SHA512_DIGESTLENGTH]; ++ unsigned char key[ISC_SHA512_BLOCK_LENGTH]; + }; + + static isc_result_t +@@ -1424,7 +1436,7 @@ + hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t)); + if (hmacsha512ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH); ++ isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH); + dctx->ctxdata.hmacsha512ctx = hmacsha512ctx; + return (ISC_R_SUCCESS); + } +@@ -1487,7 +1499,7 @@ + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -1497,16 +1509,16 @@ + hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) { + isc_buffer_t b; + isc_result_t ret; +- int bytes; +- unsigned char data[HMAC_LEN]; ++ unsigned int bytes; ++ unsigned char data[ISC_SHA512_BLOCK_LENGTH]; + + bytes = (key->key_size + 7) / 8; +- if (bytes > HMAC_LEN) { +- bytes = HMAC_LEN; +- key->key_size = HMAC_LEN * 8; ++ if (bytes > ISC_SHA512_BLOCK_LENGTH) { ++ bytes = ISC_SHA512_BLOCK_LENGTH; ++ key->key_size = ISC_SHA512_BLOCK_LENGTH * 8; + } + +- memset(data, 0, HMAC_LEN); ++ memset(data, 0, ISC_SHA512_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -1515,7 +1527,7 @@ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacsha512_fromdns(key, &b); +- memset(data, 0, ISC_SHA512_DIGESTLENGTH); ++ memset(data, 0, ISC_SHA512_BLOCK_LENGTH); + + return (ret); + } +@@ -1529,6 +1541,7 @@ + static void + hmacsha512_destroy(dst_key_t *key) { + dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512; ++ + memset(hkey, 0, sizeof(dst_hmacsha512_key_t)); + isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t)); + key->keydata.hmacsha512 = NULL; +@@ -1568,7 +1581,7 @@ + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA512_DIGESTLENGTH) { ++ if (r.length > ISC_SHA512_BLOCK_LENGTH) { + isc_sha512_init(&sha512ctx); + isc_sha512_update(&sha512ctx, r.base, r.length); + isc_sha512_final(hkey->key, &sha512ctx); +@@ -1581,6 +1594,8 @@ + key->key_size = keylen * 8; + key->keydata.hmacsha512 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +--- old/lib/dns/include/dst/dst.h Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/include/dst/dst.h Mon Aug 24 00:18:23 2015 +@@ -65,6 +65,7 @@ + #define DST_ALG_HMACSHA256 163 /* XXXMPA */ + #define DST_ALG_HMACSHA384 164 /* XXXMPA */ + #define DST_ALG_HMACSHA512 165 /* XXXMPA */ ++#define DST_ALG_INDIRECT 252 + #define DST_ALG_PRIVATE 254 + #define DST_ALG_EXPAND 255 + #define DST_MAX_ALGS 255 +--- old/lib/dns/ncache.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/ncache.c Mon Aug 24 00:18:23 2015 +@@ -35,7 +35,7 @@ + #define DNS_NCACHE_RDATA 20U + + /* +- * The format of an ncache rdata is a sequence of one or more records of ++ * The format of an ncache rdata is a sequence of zero or more records of + * the following format: + * + * owner name +@@ -665,13 +665,11 @@ + dns_name_fromregion(&tname, &remaining); + INSIST(remaining.length >= tname.length); + isc_buffer_forward(&source, tname.length); +- remaining.length -= tname.length; +- remaining.base += tname.length; ++ isc_region_consume(&remaining, tname.length); + + INSIST(remaining.length >= 2); + type = isc_buffer_getuint16(&source); +- remaining.length -= 2; +- remaining.base += 2; ++ isc_region_consume(&remaining, 2); + + if (type != dns_rdatatype_rrsig || + !dns_name_equal(&tname, name)) { +@@ -683,8 +681,7 @@ + INSIST(remaining.length >= 1); + trust = isc_buffer_getuint8(&source); + INSIST(trust <= dns_trust_ultimate); +- remaining.length -= 1; +- remaining.base += 1; ++ isc_region_consume(&remaining, 1); + + raw = remaining.base; + count = raw[0] * 256 + raw[1]; +--- old/lib/dns/openssldh_link.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/openssldh_link.c Mon Aug 24 00:18:23 2015 +@@ -1,5 +1,5 @@ + /* +- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC") ++ * Portions Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any +@@ -93,7 +93,7 @@ + if (r.length < len) + return (ISC_R_NOSPACE); + ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv); +- if (ret == 0) ++ if (ret <= 0) + return (dst__openssl_toresult2("DH_compute_key", + DST_R_COMPUTESECRETFAILURE)); + isc_buffer_add(secret, len); +@@ -236,8 +236,10 @@ + + static void + uint16_toregion(isc_uint16_t val, isc_region_t *region) { +- *region->base++ = (val & 0xff00) >> 8; +- *region->base++ = (val & 0x00ff); ++ *region->base = (val & 0xff00) >> 8; ++ isc_region_consume(region, 1); ++ *region->base = (val & 0x00ff); ++ isc_region_consume(region, 1); + } + + static isc_uint16_t +@@ -248,7 +250,8 @@ + val = ((unsigned int)(cp[0])) << 8; + val |= ((unsigned int)(cp[1])); + +- region->base += 2; ++ isc_region_consume(region, 2); ++ + return (val); + } + +@@ -289,16 +292,16 @@ + } + else + BN_bn2bin(dh->p, r.base); +- r.base += plen; ++ isc_region_consume(&r, plen); + + uint16_toregion(glen, &r); + if (glen > 0) + BN_bn2bin(dh->g, r.base); +- r.base += glen; ++ isc_region_consume(&r, glen); + + uint16_toregion(publen, &r); + BN_bn2bin(dh->pub_key, r.base); +- r.base += publen; ++ isc_region_consume(&r, publen); + + isc_buffer_add(data, dnslen); + +@@ -339,10 +342,12 @@ + return (DST_R_INVALIDPUBLICKEY); + } + if (plen == 1 || plen == 2) { +- if (plen == 1) +- special = *r.base++; +- else ++ if (plen == 1) { ++ special = *r.base; ++ isc_region_consume(&r, 1); ++ } else { + special = uint16_fromregion(&r); ++ } + switch (special) { + case 1: + dh->p = &bn768; +@@ -357,10 +362,9 @@ + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); + } +- } +- else { ++ } else { + dh->p = BN_bin2bn(r.base, plen, NULL); +- r.base += plen; ++ isc_region_consume(&r, plen); + } + + /* +@@ -391,8 +395,7 @@ + return (DST_R_INVALIDPUBLICKEY); + } + } +- } +- else { ++ } else { + if (glen == 0) { + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); +@@ -399,7 +402,7 @@ + } + dh->g = BN_bin2bn(r.base, glen, NULL); + } +- r.base += glen; ++ isc_region_consume(&r, glen); + + if (r.length < 2) { + DH_free(dh); +@@ -411,7 +414,7 @@ + return (DST_R_INVALIDPUBLICKEY); + } + dh->pub_key = BN_bin2bn(r.base, publen, NULL); +- r.base += publen; ++ isc_region_consume(&r, publen); + + key->key_size = BN_num_bits(dh->p); + +@@ -577,11 +580,11 @@ + + s = strchr(hexdigits, tolower((unsigned char)str[i])); + RUNTIME_CHECK(s != NULL); +- high = s - hexdigits; ++ high = (unsigned int)(s - hexdigits); + + s = strchr(hexdigits, tolower((unsigned char)str[i + 1])); + RUNTIME_CHECK(s != NULL); +- low = s - hexdigits; ++ low = (unsigned int)(s - hexdigits); + + data[i/2] = (unsigned char)((high << 4) + low); + } +--- old/lib/dns/openssldsa_link.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/openssldsa_link.c Mon Aug 24 00:18:23 2015 +@@ -1,5 +1,5 @@ + /* +- * Portions Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") ++ * Portions Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any +@@ -137,6 +137,7 @@ + DSA *dsa = key->keydata.dsa; + isc_region_t r; + DSA_SIG *dsasig; ++ unsigned int klen; + #if USE_EVP + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey; +@@ -209,11 +210,17 @@ + "DSA_do_sign", + DST_R_SIGNFAILURE)); + #endif +- *r.base++ = (key->key_size - 512)/64; ++ ++ klen = (key->key_size - 512)/64; ++ if (klen > 255) ++ return (ISC_R_FAILURE); ++ *r.base = klen; ++ isc_region_consume(&r, 1); ++ + BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + DSA_SIG_free(dsasig); + isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); + +@@ -416,15 +423,16 @@ + if (r.length < (unsigned int) dnslen) + return (ISC_R_NOSPACE); + +- *r.base++ = t; ++ *r.base = t; ++ isc_region_consume(&r, 1); + BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + isc_buffer_add(data, dnslen); + +@@ -449,7 +457,8 @@ + return (ISC_R_NOMEMORY); + dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; + +- t = (unsigned int) *r.base++; ++ t = (unsigned int) *r.base; ++ isc_region_consume(&r, 1); + if (t > 8) { + DSA_free(dsa); + return (DST_R_INVALIDPUBLICKEY); +@@ -456,22 +465,22 @@ + } + p_bytes = 64 + 8 * t; + +- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { ++ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { + DSA_free(dsa); + return (DST_R_INVALIDPUBLICKEY); + } + + dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + + dsa->p = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + dsa->g = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + key->key_size = p_bytes * 8; + +--- old/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/opensslrsa_link.c Mon Aug 24 00:18:23 2015 +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any +@@ -908,6 +908,7 @@ + RSA *rsa; + isc_region_t r; + unsigned int e_bytes; ++ unsigned int length; + #if USE_EVP + EVP_PKEY *pkey; + #endif +@@ -915,6 +916,7 @@ + isc_buffer_remainingregion(data, &r); + if (r.length == 0) + return (ISC_R_SUCCESS); ++ length = r.length; + + rsa = RSA_new(); + if (rsa == NULL) +@@ -925,8 +927,8 @@ + RSA_free(rsa); + return (DST_R_INVALIDPUBLICKEY); + } +- e_bytes = *r.base++; +- r.length--; ++ e_bytes = *r.base; ++ isc_region_consume(&r, 1); + + if (e_bytes == 0) { + if (r.length < 2) { +@@ -933,9 +935,10 @@ + RSA_free(rsa); + return (DST_R_INVALIDPUBLICKEY); + } +- e_bytes = ((*r.base++) << 8); +- e_bytes += *r.base++; +- r.length -= 2; ++ e_bytes = (*r.base) << 8; ++ isc_region_consume(&r, 1); ++ e_bytes += *r.base; ++ isc_region_consume(&r, 1); + } + + if (r.length < e_bytes) { +@@ -943,14 +946,13 @@ + return (DST_R_INVALIDPUBLICKEY); + } + rsa->e = BN_bin2bn(r.base, e_bytes, NULL); +- r.base += e_bytes; +- r.length -= e_bytes; ++ isc_region_consume(&r, e_bytes); + + rsa->n = BN_bin2bn(r.base, r.length, NULL); + + key->key_size = BN_num_bits(rsa->n); + +- isc_buffer_forward(data, r.length); ++ isc_buffer_forward(data, length); + + #if USE_EVP + pkey = EVP_PKEY_new(); +--- old/lib/dns/resolver.c Mon Aug 24 00:18:24 2015 ++++ new/lib/dns/resolver.c Mon Aug 24 00:18:23 2015 +@@ -8572,6 +8572,12 @@ + + REQUIRE(VALID_RESOLVER(resolver)); + ++ /* ++ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. ++ */ ++ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) ++ return (ISC_FALSE); ++ + #if USE_ALGLOCK + RWLOCK(&resolver->alglock, isc_rwlocktype_read); + #endif +@@ -8591,6 +8597,7 @@ + #endif + if (found) + return (ISC_FALSE); ++ + return (dst_algorithm_supported(alg)); + } + +--- old/lib/isc/include/isc/md5.h Mon Aug 24 00:18:24 2015 ++++ new/lib/isc/include/isc/md5.h Mon Aug 24 00:18:23 2015 +@@ -46,7 +46,8 @@ + #include + #include + +-#define ISC_MD5_DIGESTLENGTH 16U ++#define ISC_MD5_DIGESTLENGTH 16U ++#define ISC_MD5_BLOCK_LENGTH 64U + + typedef struct { + isc_uint32_t buf[4]; +--- old/version Mon Aug 24 00:18:24 2015 ++++ new/version Mon Aug 24 00:18:23 2015 +@@ -10,4 +10,4 @@ + PATCHVER= + RELEASETYPE=-ESV + RELEASEVER=-R11 +-EXTENSIONS=-P2 ++EXTENSIONS=-P3