21674580 Upgrade Solaris to BIND 9.6-ESV-R11-P3
authorWilliam.D.Johnston <William.D.Johnston@oracle.com>
Wed, 02 Sep 2015 14:24:30 -0700
changeset 4836 2963a732ee80
parent 4835 d5abd56e3fcf
child 4837 5c4d5a9885cc
21674580 Upgrade Solaris to BIND 9.6-ESV-R11-P3 21674511 problem in SERVICE/DNS-SERVER
components/bind/Makefile
components/bind/bindc.p5m
components/bind/patches/003-RT40212.patch
--- a/components/bind/Makefile	Wed Sep 02 11:01:59 2015 -0700
+++ b/components/bind/Makefile	Wed Sep 02 14:24:30 2015 -0700
@@ -24,8 +24,8 @@
 
 COMPONENT_NAME=		bind
 COMPONENT_VERSION=	9.6-ESV-R11
-HUMAN_VERSION=		$(COMPONENT_VERSION)-P2
-IPS_COMPONENT_VERSION=	9.6.3.11.2
+HUMAN_VERSION=		$(COMPONENT_VERSION)-P3
+IPS_COMPONENT_VERSION=	9.6.3.11.3
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_PROJECT_URL=	http://www.isc.org/software/bind/
@@ -37,7 +37,7 @@
 	http://ftp.isc.org/isc/bind9/$(COMPONENT_VERSION)/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	service/dns-server
 
-TPNO=			23687
+TPNO=			24244
 
 include $(WS_MAKE_RULES)/prep.mk
 include $(WS_MAKE_RULES)/configure.mk
--- a/components/bind/bindc.p5m	Wed Sep 02 11:01:59 2015 -0700
+++ b/components/bind/bindc.p5m	Wed Sep 02 14:24:30 2015 -0700
@@ -42,9 +42,9 @@
 link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11
 link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11
 file path=usr/lib/dns/libbind9.so.50.0.11
-link path=usr/lib/dns/libdns.so target=libdns.so.113.1.1
-link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.1
-file path=usr/lib/dns/libdns.so.113.1.1
+link path=usr/lib/dns/libdns.so target=libdns.so.113.1.2
+link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.2
+file path=usr/lib/dns/libdns.so.113.1.2
 link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2
 link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2
 file path=usr/lib/dns/libisc.so.110.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/003-RT40212.patch	Wed Sep 02 14:24:30 2015 -0700
@@ -0,0 +1,947 @@
+This patch was obtained from ISC for 9.6-ESV-R11-P3.
+
+--- old/CHANGES	Mon Aug 24 00:18:22 2015
++++ new/CHANGES	Mon Aug 24 00:18:22 2015
[email protected]@ -1,3 +1,10 @@
++	--- 9.6-ESV-R11-P3 released ---
++
++4168.	[security]	A buffer accounting error could trigger an
++			assertion failure when parsing certain malformed
++			DNSSEC keys. (CVE-2015-5722)
++			[RT #40212]
++
+ 	--- 9.6-ESV-R11-P2 released ---
+ 
+ 4165.	[security]	A failure to reset a value to NULL in tkey.c could
+--- old/lib/dns/api	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/api	Mon Aug 24 00:18:23 2015
[email protected]@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 1
++LIBREVISION = 2
+ LIBAGE = 1
+--- old/lib/dns/hmac_link.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/hmac_link.c	Mon Aug 24 00:18:23 2015
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Portions Copyright (C) 2004-2008, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
++ * Portions Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -51,14 +51,10 @@
+ #include "dst_internal.h"
+ #include "dst_parse.h"
+ 
+-#define HMAC_LEN	64
+-#define HMAC_IPAD	0x36
+-#define HMAC_OPAD	0x5c
+-
+ static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacmd5_key {
+-	unsigned char key[HMAC_LEN];
++	unsigned char key[ISC_MD5_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -80,7 +76,7 @@
+ 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ 	if (hmacmd5ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
++	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -143,7 +139,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, HMAC_LEN))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -153,16 +149,16 @@
+ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_MD5_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_MD5_BLOCK_LENGTH) {
++		bytes = ISC_MD5_BLOCK_LENGTH;
++		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -171,7 +167,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacmd5_fromdns(key, &b);
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -185,6 +181,7 @@
+ static void
+ hmacmd5_destroy(dst_key_t *key) {
+ 	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
++
+ 	memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
+ 	key->keydata.hmacmd5 = NULL;
[email protected]@ -224,7 +221,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > HMAC_LEN) {
++	if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ 		isc_md5_init(&md5ctx);
+ 		isc_md5_update(&md5ctx, r.base, r.length);
+ 		isc_md5_final(&md5ctx, hkey->key);
[email protected]@ -237,6 +234,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacmd5 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
[email protected]@ -276,7 +275,8 @@
+ 	unsigned int i;
+ 
+ 	/* read private key file */
+-	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
++	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
++				       &priv);
+ 	if (result != ISC_R_SUCCESS)
+ 		return (result);
+ 
[email protected]@ -337,7 +337,7 @@
+ static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacsha1_key {
+-	unsigned char key[ISC_SHA1_DIGESTLENGTH];
++	unsigned char key[ISC_SHA1_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -348,7 +348,7 @@
+ 	hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
+ 	if (hmacsha1ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
++	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -411,7 +411,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -421,16 +421,16 @@
+ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
++		bytes = ISC_SHA1_BLOCK_LENGTH;
++		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -439,7 +439,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacsha1_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA1_DIGESTLENGTH);
++	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -453,6 +453,7 @@
+ static void
+ hmacsha1_destroy(dst_key_t *key) {
+ 	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
++
+ 	memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
+ 	key->keydata.hmacsha1 = NULL;
[email protected]@ -492,7 +493,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA1_DIGESTLENGTH) {
++	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+ 		isc_sha1_init(&sha1ctx);
+ 		isc_sha1_update(&sha1ctx, r.base, r.length);
+ 		isc_sha1_final(&sha1ctx, hkey->key);
[email protected]@ -505,6 +506,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha1 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
[email protected]@ -606,7 +609,7 @@
+ static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacsha224_key {
+-	unsigned char key[ISC_SHA224_DIGESTLENGTH];
++	unsigned char key[ISC_SHA224_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -617,7 +620,7 @@
+ 	hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
+ 	if (hmacsha224ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
++	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -680,7 +683,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -690,16 +693,16 @@
+ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_SHA224_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_SHA224_BLOCK_LENGTH) {
++		bytes = ISC_SHA224_BLOCK_LENGTH;
++		key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -708,7 +711,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacsha224_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA224_DIGESTLENGTH);
++	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -722,6 +725,7 @@
+ static void
+ hmacsha224_destroy(dst_key_t *key) {
+ 	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
++
+ 	memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
+ 	key->keydata.hmacsha224 = NULL;
[email protected]@ -761,7 +765,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA224_DIGESTLENGTH) {
++	if (r.length > ISC_SHA224_BLOCK_LENGTH) {
+ 		isc_sha224_init(&sha224ctx);
+ 		isc_sha224_update(&sha224ctx, r.base, r.length);
+ 		isc_sha224_final(hkey->key, &sha224ctx);
[email protected]@ -774,6 +778,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha224 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
[email protected]@ -875,7 +881,7 @@
+ static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacsha256_key {
+-	unsigned char key[ISC_SHA256_DIGESTLENGTH];
++	unsigned char key[ISC_SHA256_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -886,7 +892,7 @@
+ 	hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
+ 	if (hmacsha256ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
++	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -949,7 +955,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -959,16 +965,16 @@
+ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_SHA256_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_SHA256_BLOCK_LENGTH) {
++		bytes = ISC_SHA256_BLOCK_LENGTH;
++		key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -977,7 +983,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacsha256_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA256_DIGESTLENGTH);
++	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -991,6 +997,7 @@
+ static void
+ hmacsha256_destroy(dst_key_t *key) {
+ 	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
++
+ 	memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
+ 	key->keydata.hmacsha256 = NULL;
[email protected]@ -1030,7 +1037,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA256_DIGESTLENGTH) {
++	if (r.length > ISC_SHA256_BLOCK_LENGTH) {
+ 		isc_sha256_init(&sha256ctx);
+ 		isc_sha256_update(&sha256ctx, r.base, r.length);
+ 		isc_sha256_final(hkey->key, &sha256ctx);
[email protected]@ -1043,6 +1050,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha256 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
[email protected]@ -1144,7 +1153,7 @@
+ static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacsha384_key {
+-	unsigned char key[ISC_SHA384_DIGESTLENGTH];
++	unsigned char key[ISC_SHA384_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -1155,7 +1164,7 @@
+ 	hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
+ 	if (hmacsha384ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
++	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -1218,7 +1227,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -1228,16 +1237,16 @@
+ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_SHA384_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_SHA384_BLOCK_LENGTH) {
++		bytes = ISC_SHA384_BLOCK_LENGTH;
++		key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -1246,7 +1255,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacsha384_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA384_DIGESTLENGTH);
++	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -1260,6 +1269,7 @@
+ static void
+ hmacsha384_destroy(dst_key_t *key) {
+ 	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
++
+ 	memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
+ 	key->keydata.hmacsha384 = NULL;
[email protected]@ -1299,7 +1309,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA384_DIGESTLENGTH) {
++	if (r.length > ISC_SHA384_BLOCK_LENGTH) {
+ 		isc_sha384_init(&sha384ctx);
+ 		isc_sha384_update(&sha384ctx, r.base, r.length);
+ 		isc_sha384_final(hkey->key, &sha384ctx);
[email protected]@ -1312,6 +1322,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha384 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
[email protected]@ -1413,7 +1425,7 @@
+ static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
+ 
+ struct dst_hmacsha512_key {
+-	unsigned char key[ISC_SHA512_DIGESTLENGTH];
++	unsigned char key[ISC_SHA512_BLOCK_LENGTH];
+ };
+ 
+ static isc_result_t
[email protected]@ -1424,7 +1436,7 @@
+ 	hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
+ 	if (hmacsha512ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
++	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
+ 	return (ISC_R_SUCCESS);
+ }
[email protected]@ -1487,7 +1499,7 @@
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
[email protected]@ -1497,16 +1509,16 @@
+ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+-	int bytes;
+-	unsigned char data[HMAC_LEN];
++	unsigned int bytes;
++	unsigned char data[ISC_SHA512_BLOCK_LENGTH];
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > HMAC_LEN) {
+-		bytes = HMAC_LEN;
+-		key->key_size = HMAC_LEN * 8;
++	if (bytes > ISC_SHA512_BLOCK_LENGTH) {
++		bytes = ISC_SHA512_BLOCK_LENGTH;
++		key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, HMAC_LEN);
++	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
[email protected]@ -1515,7 +1527,7 @@
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacsha512_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA512_DIGESTLENGTH);
++	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
[email protected]@ -1529,6 +1541,7 @@
+ static void
+ hmacsha512_destroy(dst_key_t *key) {
+ 	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
++
+ 	memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
+ 	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
+ 	key->keydata.hmacsha512 = NULL;
[email protected]@ -1568,7 +1581,7 @@
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA512_DIGESTLENGTH) {
++	if (r.length > ISC_SHA512_BLOCK_LENGTH) {
+ 		isc_sha512_init(&sha512ctx);
+ 		isc_sha512_update(&sha512ctx, r.base, r.length);
+ 		isc_sha512_final(hkey->key, &sha512ctx);
[email protected]@ -1581,6 +1594,8 @@
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha512 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+--- old/lib/dns/include/dst/dst.h	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/include/dst/dst.h	Mon Aug 24 00:18:23 2015
[email protected]@ -65,6 +65,7 @@
+ #define DST_ALG_HMACSHA256	163	/* XXXMPA */
+ #define DST_ALG_HMACSHA384	164	/* XXXMPA */
+ #define DST_ALG_HMACSHA512	165	/* XXXMPA */
++#define DST_ALG_INDIRECT	252
+ #define DST_ALG_PRIVATE		254
+ #define DST_ALG_EXPAND		255
+ #define DST_MAX_ALGS		255
+--- old/lib/dns/ncache.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/ncache.c	Mon Aug 24 00:18:23 2015
[email protected]@ -35,7 +35,7 @@
+ #define DNS_NCACHE_RDATA 20U
+ 
+ /*
+- * The format of an ncache rdata is a sequence of one or more records of
++ * The format of an ncache rdata is a sequence of zero or more records of
+  * the following format:
+  *
+  *	owner name
[email protected]@ -665,13 +665,11 @@
+ 		dns_name_fromregion(&tname, &remaining);
+ 		INSIST(remaining.length >= tname.length);
+ 		isc_buffer_forward(&source, tname.length);
+-		remaining.length -= tname.length;
+-		remaining.base += tname.length;
++		isc_region_consume(&remaining, tname.length);
+ 
+ 		INSIST(remaining.length >= 2);
+ 		type = isc_buffer_getuint16(&source);
+-		remaining.length -= 2;
+-		remaining.base += 2;
++		isc_region_consume(&remaining, 2);
+ 
+ 		if (type != dns_rdatatype_rrsig ||
+ 		    !dns_name_equal(&tname, name)) {
[email protected]@ -683,8 +681,7 @@
+ 		INSIST(remaining.length >= 1);
+ 		trust = isc_buffer_getuint8(&source);
+ 		INSIST(trust <= dns_trust_ultimate);
+-		remaining.length -= 1;
+-		remaining.base += 1;
++		isc_region_consume(&remaining, 1);
+ 
+ 		raw = remaining.base;
+ 		count = raw[0] * 256 + raw[1];
+--- old/lib/dns/openssldh_link.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/openssldh_link.c	Mon Aug 24 00:18:23 2015
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Portions Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
++ * Portions Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
+  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -93,7 +93,7 @@
+ 	if (r.length < len)
+ 		return (ISC_R_NOSPACE);
+ 	ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
+-	if (ret == 0)
++	if (ret <= 0)
+ 		return (dst__openssl_toresult2("DH_compute_key",
+ 					       DST_R_COMPUTESECRETFAILURE));
+ 	isc_buffer_add(secret, len);
[email protected]@ -236,8 +236,10 @@
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-	*region->base++ = (val & 0xff00) >> 8;
+-	*region->base++ = (val & 0x00ff);
++	*region->base = (val & 0xff00) >> 8;
++	isc_region_consume(region, 1);
++	*region->base = (val & 0x00ff);
++	isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
[email protected]@ -248,7 +250,8 @@
+ 	val = ((unsigned int)(cp[0])) << 8;
+ 	val |= ((unsigned int)(cp[1]));
+ 
+-	region->base += 2;
++	isc_region_consume(region, 2);
++
+ 	return (val);
+ }
+ 
[email protected]@ -289,16 +292,16 @@
+ 	}
+ 	else
+ 		BN_bn2bin(dh->p, r.base);
+-	r.base += plen;
++	isc_region_consume(&r, plen);
+ 
+ 	uint16_toregion(glen, &r);
+ 	if (glen > 0)
+ 		BN_bn2bin(dh->g, r.base);
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	uint16_toregion(publen, &r);
+ 	BN_bn2bin(dh->pub_key, r.base);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
[email protected]@ -339,10 +342,12 @@
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	if (plen == 1 || plen == 2) {
+-		if (plen == 1)
+-			special = *r.base++;
+-		else
++		if (plen == 1) {
++			special = *r.base;
++			isc_region_consume(&r, 1);
++		} else {
+ 			special = uint16_fromregion(&r);
++		}
+ 		switch (special) {
+ 			case 1:
+ 				dh->p = &bn768;
[email protected]@ -357,10 +362,9 @@
+ 				DH_free(dh);
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-	}
+-	else {
++	} else {
+ 		dh->p = BN_bin2bn(r.base, plen, NULL);
+-		r.base += plen;
++		isc_region_consume(&r, plen);
+ 	}
+ 
+ 	/*
[email protected]@ -391,8 +395,7 @@
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 			}
+ 		}
+-	}
+-	else {
++	} else {
+ 		if (glen == 0) {
+ 			DH_free(dh);
+ 			return (DST_R_INVALIDPUBLICKEY);
[email protected]@ -399,7 +402,7 @@
+ 		}
+ 		dh->g = BN_bin2bn(r.base, glen, NULL);
+ 	}
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	if (r.length < 2) {
+ 		DH_free(dh);
[email protected]@ -411,7 +414,7 @@
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	key->key_size = BN_num_bits(dh->p);
+ 
[email protected]@ -577,11 +580,11 @@
+ 
+ 		s = strchr(hexdigits, tolower((unsigned char)str[i]));
+ 		RUNTIME_CHECK(s != NULL);
+-		high = s - hexdigits;
++		high = (unsigned int)(s - hexdigits);
+ 
+ 		s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
+ 		RUNTIME_CHECK(s != NULL);
+-		low = s - hexdigits;
++		low = (unsigned int)(s - hexdigits);
+ 
+ 		data[i/2] = (unsigned char)((high << 4) + low);
+ 	}
+--- old/lib/dns/openssldsa_link.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/openssldsa_link.c	Mon Aug 24 00:18:23 2015
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Portions Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
++ * Portions Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -137,6 +137,7 @@
+ 	DSA *dsa = key->keydata.dsa;
+ 	isc_region_t r;
+ 	DSA_SIG *dsasig;
++	unsigned int klen;
+ #if USE_EVP
+ 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ 	EVP_PKEY *pkey;
[email protected]@ -209,11 +210,17 @@
+ 					       "DSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ #endif
+-	*r.base++ = (key->key_size - 512)/64;
++
++	klen = (key->key_size - 512)/64;
++	if (klen > 255)
++		return (ISC_R_FAILURE);
++	*r.base = klen;
++	isc_region_consume(&r, 1);
++
+ 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	DSA_SIG_free(dsasig);
+ 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
[email protected]@ -416,15 +423,16 @@
+ 	if (r.length < (unsigned int) dnslen)
+ 		return (ISC_R_NOSPACE);
+ 
+-	*r.base++ = t;
++	*r.base = t;
++	isc_region_consume(&r, 1);
+ 	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
[email protected]@ -449,7 +457,8 @@
+ 		return (ISC_R_NOMEMORY);
+ 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ 
+-	t = (unsigned int) *r.base++;
++	t = (unsigned int) *r.base;
++	isc_region_consume(&r, 1);
+ 	if (t > 8) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
[email protected]@ -456,22 +465,22 @@
+ 	}
+ 	p_bytes = 64 + 8 * t;
+ 
+-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
++	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+ 	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+ 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	key->key_size = p_bytes * 8;
+ 
+--- old/lib/dns/opensslrsa_link.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/opensslrsa_link.c	Mon Aug 24 00:18:23 2015
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
+  * Copyright (C) 2000-2003  Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -908,6 +908,7 @@
+ 	RSA *rsa;
+ 	isc_region_t r;
+ 	unsigned int e_bytes;
++	unsigned int length;
+ #if USE_EVP
+ 	EVP_PKEY *pkey;
+ #endif
[email protected]@ -915,6 +916,7 @@
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+ 		return (ISC_R_SUCCESS);
++	length = r.length;
+ 
+ 	rsa = RSA_new();
+ 	if (rsa == NULL)
[email protected]@ -925,8 +927,8 @@
+ 		RSA_free(rsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+-	e_bytes = *r.base++;
+-	r.length--;
++	e_bytes = *r.base;
++	isc_region_consume(&r, 1);
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
[email protected]@ -933,9 +935,10 @@
+ 			RSA_free(rsa);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-		e_bytes = ((*r.base++) << 8);
+-		e_bytes += *r.base++;
+-		r.length -= 2;
++		e_bytes = (*r.base) << 8;
++		isc_region_consume(&r, 1);
++		e_bytes += *r.base;
++		isc_region_consume(&r, 1);
+ 	}
+ 
+ 	if (r.length < e_bytes) {
[email protected]@ -943,14 +946,13 @@
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+-	r.base += e_bytes;
+-	r.length -= e_bytes;
++	isc_region_consume(&r, e_bytes);
+ 
+ 	rsa->n = BN_bin2bn(r.base, r.length, NULL);
+ 
+ 	key->key_size = BN_num_bits(rsa->n);
+ 
+-	isc_buffer_forward(data, r.length);
++	isc_buffer_forward(data, length);
+ 
+ #if USE_EVP
+ 	pkey = EVP_PKEY_new();
+--- old/lib/dns/resolver.c	Mon Aug 24 00:18:24 2015
++++ new/lib/dns/resolver.c	Mon Aug 24 00:18:23 2015
[email protected]@ -8572,6 +8572,12 @@
+ 
+ 	REQUIRE(VALID_RESOLVER(resolver));
+ 
++	/*
++	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
++	 */
++	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
++		return (ISC_FALSE);
++
+ #if USE_ALGLOCK
+ 	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
[email protected]@ -8591,6 +8597,7 @@
+ #endif
+ 	if (found)
+ 		return (ISC_FALSE);
++
+ 	return (dst_algorithm_supported(alg));
+ }
+ 
+--- old/lib/isc/include/isc/md5.h	Mon Aug 24 00:18:24 2015
++++ new/lib/isc/include/isc/md5.h	Mon Aug 24 00:18:23 2015
[email protected]@ -46,7 +46,8 @@
+ #include <isc/lang.h>
+ #include <isc/types.h>
+ 
+-#define ISC_MD5_DIGESTLENGTH 16U
++#define ISC_MD5_DIGESTLENGTH   16U
++#define        ISC_MD5_BLOCK_LENGTH    64U
+ 
+ typedef struct {
+ 	isc_uint32_t buf[4];
+--- old/version	Mon Aug 24 00:18:24 2015
++++ new/version	Mon Aug 24 00:18:23 2015
[email protected]@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-P2
++EXTENSIONS=-P3