svn commit: r293365 - user/cperciva/freebsd-update-build/patches/9.3-RELEASE
Gleb Smirnoff
glebius at FreeBSD.org
Thu Jan 7 20:56:33 UTC 2016
Author: glebius
Date: Thu Jan 7 20:56:30 2016
New Revision: 293365
URL: https://svnweb.freebsd.org/changeset/base/293365
Log:
Add missing files for 9.3-RELEASE.
Added:
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/17-EN-15:08.sendmail
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:08.sendmail
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:09.xlocale
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/19-SA-15:11.bind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/20-SA-15:13.tcp
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:14.tcp
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:16.openssh
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:17.bind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/22-SA-15:19.routed
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/23-SA-15:20.expat
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-EN-15:15.pkg
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:21.amd64
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:22.openssh
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/25-SA-15:23.bind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/26-EN-15:18.pkg
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/27-SA-15:24.rpcbind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/28-SA-15:24.rpcbind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/29-SA-15:25.ntp
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/30-EN-15:19.ntp
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/30-EN-15:20.vm
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/30-EN-15:21.kqueue
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/31-SA-15:26.openssl
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/32-SA-15:27.bind
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/17-EN-15:08.sendmail
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/17-EN-15:08.sendmail Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,24 @@
+Index: contrib/sendmail/src/tls.c
+===================================================================
+--- contrib/sendmail/src/tls.c
++++ contrib/sendmail/src/tls.c
+@@ -650,7 +650,7 @@
+ ** 1024 generate 1024 bit parameters
+ ** 2048 generate 2048 bit parameters
+ ** /file/name read parameters from /file/name
+- ** default is: 1024 for server, 512 for client (OK? XXX)
++ ** default is: 1024
+ */
+
+ if (bitset(TLS_I_TRY_DH, req))
+@@ -676,8 +676,8 @@
+ }
+ if (dhparam == NULL)
+ {
+- dhparam = srv ? "1" : "5";
+- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
++ dhparam = "1";
++ req |= TLS_I_DH1024;
+ }
+ else if (*dhparam == '/')
+ {
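Review bot: The fallback in the `dhparam == NULL` branch still settles on 1024-bit DH (`dhparam = "1"; req |= TLS_I_DH1024;`), which removes the 512-bit client default but remains a modest floor. The option list in the comment above already names a 2048 choice, so I would extend the rewritten comment line to point at it, e.g. `** default is: 1024 (configure 2048 or a parameter file for stronger DH)`. The string `"1"` is a selector whose decoding is outside the hunk, so a short `/* "1" selects the 1024-bit parameters */` next to the assignment would help. The enclosing function starts and ends outside the hunk.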
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:08.sendmail
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:08.sendmail Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,13 @@
+Index: contrib/sendmail/src/sendmail.h
+===================================================================
+--- contrib/sendmail/src/sendmail.h (revision 284940)
++++ contrib/sendmail/src/sendmail.h (working copy)
+@@ -1935,7 +1935,7 @@ struct termescape
+
+ /* server requirements */
+ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
+- TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
++ TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
+ TLS_I_CACHE)
+
+ /* client requirements */
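Review bot: The client requirements macro that begins right after `TLS_I_SRV` is cut off by the hunk, so it is not visible whether it still carries a 512-bit DH flag. This change raises only the server set to `TLS_I_DH1024`, so that macro should be checked to make sure both sides agree on the minimum. If `TLS_I_DH512` stays defined for compatibility, a comment next to its definition such as `/* 512-bit DH: only on explicit configuration, not part of any default set */` would record the intent.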
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:09.xlocale
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/18-EN-15:09.xlocale Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,58 @@
+Index: lib/libc/locale/setrunelocale.c
+===================================================================
+--- lib/libc/locale/setrunelocale.c (revision 284940)
++++ lib/libc/locale/setrunelocale.c (working copy)
+@@ -202,6 +202,8 @@ __set_thread_rune_locale(locale_t loc)
+
+ if (loc == NULL) {
+ _ThreadRuneLocale = &_DefaultRuneLocale;
++ } else if (loc == LC_GLOBAL_LOCALE) {
++ _ThreadRuneLocale = 0;
+ } else {
+ _ThreadRuneLocale = XLOCALE_CTYPE(loc)->runes;
+ }
+Index: lib/libc/locale/xlocale.c
+===================================================================
+--- lib/libc/locale/xlocale.c (revision 284940)
++++ lib/libc/locale/xlocale.c (working copy)
+@@ -154,23 +154,24 @@ __get_locale(void)
+ static void
+ set_thread_locale(locale_t loc)
+ {
++ locale_t l = (loc == LC_GLOBAL_LOCALE) ? 0 : loc;
+
+ _once(&once_control, init_key);
+
+- if (NULL != loc) {
+- xlocale_retain((struct xlocale_refcounted*)loc);
++ if (NULL != l) {
++ xlocale_retain((struct xlocale_refcounted*)l);
+ }
+ locale_t old = pthread_getspecific(locale_info_key);
+- if ((NULL != old) && (loc != old)) {
++ if ((NULL != old) && (l != old)) {
+ xlocale_release((struct xlocale_refcounted*)old);
+ }
+ if (fake_tls) {
+- thread_local_locale = loc;
++ thread_local_locale = l;
+ } else {
+- pthread_setspecific(locale_info_key, loc);
++ pthread_setspecific(locale_info_key, l);
+ }
+ #ifndef __NO_TLS
+- __thread_locale = loc;
++ __thread_locale = l;
+ __set_thread_rune_locale(loc);
+ #endif
+ }
+@@ -361,9 +362,6 @@ locale_t uselocale(locale_t loc)
+ {
+ locale_t old = get_thread_locale();
+ if (NULL != loc) {
+- if (LC_GLOBAL_LOCALE == loc) {
+- loc = NULL;
+- }
+ set_thread_locale(loc);
+ }
+ return (old ? old : LC_GLOBAL_LOCALE);
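Review bot: In `set_thread_locale` the new local `l` is used everywhere except the final `__set_thread_rune_locale(loc)` call, which still receives the unmapped `loc`. That looks deliberate, because passing `l` (NULL) would take the `loc == NULL` branch and select `&_DefaultRuneLocale` instead of clearing the pointer, but nothing in the code says so. A comment on that call, e.g. `/* pass loc, not l: LC_GLOBAL_LOCALE must clear the thread rune locale, NULL selects the default one */`, would keep a later cleanup from "fixing" it. The two new null values (`_ThreadRuneLocale = 0;` and `? 0 : loc`) would read better as `NULL`, matching the `NULL != l` comparisons around them.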
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/19-SA-15:11.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/19-SA-15:11.bind Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,22 @@
+Index: contrib/bind9/lib/dns/validator.c
+===================================================================
+--- contrib/bind9/lib/dns/validator.c (revision 284940)
++++ contrib/bind9/lib/dns/validator.c (working copy)
+@@ -1420,7 +1420,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnske
+ */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+- dns_fixedname_t fixed;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1476,8 +1475,7 @@ isselfsigned(dns_validator_t *val) {
+ result = dns_dnssec_verify3(name, rdataset, dstkey,
+ ISC_TRUE,
+ val->view->maxbits,
+- mctx, &sigrdata,
+- dns_fixedname_name(&fixed));
++ mctx, &sigrdata, NULL);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;
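Review bot: The call to `dns_dnssec_verify3` in `isselfsigned` now passes a bare `NULL` as its last argument with no explanation. In the removed lines that argument came from `dns_fixedname_name(&fixed)`, and no initialisation of `fixed` is visible in the hunk. A one-line comment above the call, e.g. `/* no output name is needed here, so pass NULL rather than scratch storage */`, would document the choice; the parameter's exact meaning is declared outside this hunk and should be confirmed against the prototype. The function body continues outside the hunk.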
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/20-SA-15:13.tcp
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/20-SA-15:13.tcp Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,31 @@
+Index: sys/netinet/tcp_output.c
+===================================================================
+--- sys/netinet/tcp_output.c (revision 285435)
++++ sys/netinet/tcp_output.c (working copy)
+@@ -397,7 +397,7 @@ after_sack_rexmit:
+ flags &= ~TH_FIN;
+ }
+
+- if (len < 0) {
++ if (len <= 0) {
+ /*
+ * If FIN has been sent but not acked,
+ * but we haven't been called to retransmit,
+@@ -407,9 +407,16 @@ after_sack_rexmit:
+ * to (closed) window, and set the persist timer
+ * if it isn't already going. If the window didn't
+ * close completely, just wait for an ACK.
++ *
++ * We also do a general check here to ensure that
++ * we will set the persist timer when we have data
++ * to send, but a 0-byte window. This makes sure
++ * the persist timer is set even if the packet
++ * hits one of the "goto send" lines below.
+ */
+ len = 0;
+- if (sendwin == 0) {
++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++ (off < (int) so->so_snd.sb_cc)) {
+ tcp_timer_activate(tp, TT_REXMT, 0);
+ tp->t_rxtshift = 0;
+ tp->snd_nxt = tp->snd_una;
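Review bot: The new condition compares `off` with `(int) so->so_snd.sb_cc`, and the cast hides whatever signedness mismatch exists between the two. The declaration of `sb_cc` is not in the hunk, but if it is unsigned, a value above INT_MAX would turn negative and the branch that the comment says arms the persist timer would be skipped. Socket buffer limits probably keep the count far below that, in which case a short comment such as `/* sb_cc is bounded by the socket buffer limit, so the cast cannot go negative */` states the assumption. With `len <= 0` the block is now also entered for `len == 0`, so the first paragraph of the comment (the FIN case) describes only one way in. The enclosing function extends beyond the hunk.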
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:14.tcp
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:14.tcp Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,194 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c (revision 285923)
++++ sys/netinet/tcp_reass.c (working copy)
+@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+ "TCP Segment Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+- &VNET_NAME(tcp_reass_maxseg), 0,
++static int tcp_reass_maxseg = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
++ &tcp_reass_maxseg, 0,
+ "Global maximum number of TCP Segments in Reassembly Queue");
+
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+ (CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
+ "Global number of TCP Segments currently in Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+ CTLTYPE_INT | CTLFLAG_RD,
+- &VNET_NAME(tcp_reass_overflows), 0,
++ &tcp_reass_overflows, 0,
+ "Global number of TCP Segment Reassembly Queue Overflows");
+
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define V_tcp_reass_zone VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
+ {
+
+ /* Set the zone limit and read back the effective value. */
+- V_tcp_reass_maxseg = nmbclusters / 16;
+- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+- V_tcp_reass_maxseg);
++ tcp_reass_maxseg = nmbclusters / 16;
++ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++ tcp_reass_maxseg);
+ }
+
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+
+- V_tcp_reass_maxseg = nmbclusters / 16;
++ tcp_reass_maxseg = nmbclusters / 16;
+ TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+- &V_tcp_reass_maxseg);
+- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++ &tcp_reass_maxseg);
++ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ /* Set the zone limit and read back the effective value. */
+- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+- V_tcp_reass_maxseg);
++ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++ tcp_reass_maxseg);
+ EVENTHANDLER_REGISTER(nmbclusters_change,
+ tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+- uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ struct tseg_qent *qe;
+@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ LIST_REMOVE(qe, tqe_q);
+ m_freem(qe->tqe_m);
+- uma_zfree(V_tcp_reass_zone, qe);
++ uma_zfree(tcp_reass_zone, qe);
+ tp->t_segqlen--;
+ }
+
+@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+ int qsize;
+
+- qsize = uma_zone_get_cur(V_tcp_reass_zone);
++ qsize = uma_zone_get_cur(tcp_reass_zone);
+ return (sysctl_handle_int(oidp, &qsize, 0, req));
+ }
+
+@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ */
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+- V_tcp_reass_overflows++;
++ tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ * Use a temporary structure on the stack for the missing segment
+ * when the zone is exhausted. Otherwise we may get stuck.
+ */
+- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
++ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+ if (te != &tqs)
+- uma_zfree(V_tcp_reass_zone, te);
++ uma_zfree(tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
+@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ nq = LIST_NEXT(q, tqe_q);
+ LIST_REMOVE(q, tqe_q);
+ m_freem(q->tqe_m);
+- uma_zfree(V_tcp_reass_zone, q);
++ uma_zfree(tcp_reass_zone, q);
+ tp->t_segqlen--;
+ q = nq;
+ }
+@@ -353,7 +341,7 @@ present:
+ else
+ sbappendstream_locked(&so->so_rcv, q->tqe_m);
+ if (q != &tqs)
+- uma_zfree(V_tcp_reass_zone, q);
++ uma_zfree(tcp_reass_zone, q);
+ tp->t_segqlen--;
+ q = nq;
+ } while (q && q->tqe_th->th_seq == tp->rcv_nxt);
+Index: sys/netinet/tcp_subr.c
+===================================================================
+--- sys/netinet/tcp_subr.c (revision 285923)
++++ sys/netinet/tcp_subr.c (working copy)
+@@ -375,7 +375,6 @@ tcp_init(void)
+ tcp_tw_init();
+ syncache_init();
+ tcp_hc_init();
+- tcp_reass_init();
+
+ TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+ V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+@@ -385,6 +384,8 @@ tcp_init(void)
+ if (!IS_DEFAULT_VNET(curvnet))
+ return;
+
++ tcp_reass_global_init();
++
+ /* XXX virtualize those bellow? */
+ tcp_delacktime = TCPTV_DELACK;
+ tcp_keepinit = TCPTV_KEEP_INIT;
+@@ -432,7 +433,6 @@ void
+ tcp_destroy(void)
+ {
+
+- tcp_reass_destroy();
+ tcp_hc_destroy();
+ syncache_destroy();
+ tcp_tw_destroy();
+Index: sys/netinet/tcp_var.h
+===================================================================
+--- sys/netinet/tcp_var.h (revision 285923)
++++ sys/netinet/tcp_var.h (working copy)
+@@ -666,11 +666,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
+ char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
+ const void *);
+ int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
+-void tcp_reass_init(void);
++void tcp_reass_global_init(void);
+ void tcp_reass_flush(struct tcpcb *);
+-#ifdef VIMAGE
+-void tcp_reass_destroy(void);
+-#endif
+ void tcp_input(struct mbuf *, int);
+ u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
+ u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
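Review bot: `tcp_reass_zone`, `tcp_reass_maxseg` and `tcp_reass_overflows` become plain file-scope statics shared by every vnet, but nothing in the new code says the sharing is intentional. One limit now covers all network stacks, and `tcp_reass_overflows++` in `tcp_reass` is an unsynchronised increment on a counter that several stacks can hit. I would add a comment above `static uma_zone_t tcp_reass_zone;` such as `/* Deliberately global: one reassembly limit for all vnets, created once and never destroyed. */`. The `tcp_reass_global_init();` call in `tcp_init` needs a matching note that it must stay below the `IS_DEFAULT_VNET(curvnet)` check so it runs only once. The existing `/* Initialize TCP reassembly queue */` comment sits above `tcp_reass_zone_change` rather than the init function and should move.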
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:16.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:16.openssh Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,90 @@
+Index: crypto/openssh/auth2-chall.c
+===================================================================
+--- crypto/openssh/auth2-chall.c (revision 285923)
++++ crypto/openssh/auth2-chall.c (working copy)
+@@ -82,6 +82,7 @@ struct KbdintAuthctxt
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+Index: crypto/openssh/sshconnect.c
+===================================================================
+--- crypto/openssh/sshconnect.c (revision 285923)
++++ crypto/openssh/sshconnect.c (working copy)
+@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
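Review bot: `kbdintctxt->devices_done & (1 << i)` and `devices_done |= 1 << i` in `kbdint_next_device` shift a signed `int` into a `u_int` mask, so the bookkeeping is only well defined while `devices[]` has fewer entries than an int has value bits. The table is outside the hunk and is probably short, but `1U << i` costs nothing and removes the undefined shift. The new `devices_done` field also has to start at zero for each authentication context; the allocation of `KbdintAuthctxt` is not in the hunk, so confirm it zeroes the struct or sets the field explicitly. In `verify_host_key`, the result of `key_from_private(host_key)` goes to `key_is_cert` without a NULL check, which is fine only if that helper cannot return NULL; a comment saying so would help.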
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:17.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/21-SA-15:17.bind Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,12 @@
+Index: contrib/bind9/lib/dns/tkey.c
+===================================================================
+--- contrib/bind9/lib/dns/tkey.c (revision 285922)
++++ contrib/bind9/lib/dns/tkey.c (working copy)
+@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey
+ * Try the answer section, since that's where Win2000
+ * puts it.
+ */
++ name = NULL;
+ if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+ dns_rdatatype_tkey, 0, &name,
+ &tkeyset) != ISC_R_SUCCESS) {
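Review bot: The added `name = NULL;` before the `dns_message_findname` call in `dns_tkey_processquery` carries no comment, so its purpose is easy to lose in a later cleanup. Presumably `name` can still hold the result of an earlier lookup at this point and the callee expects a cleared output pointer; that earlier code and the callee's contract are outside the hunk. Once confirmed, I would add `/* reset: name may have been set by the earlier lookup, and findname needs a NULL out-pointer */` above the assignment.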
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/22-SA-15:19.routed
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/22-SA-15:19.routed Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,17 @@
+Index: sbin/routed/input.c
+===================================================================
+--- sbin/routed/input.c (revision 286262)
++++ sbin/routed/input.c (working copy)
+@@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* received from
+
+ trace_rip("Recv", "from", from, sifp, rip, cc);
+
++ if (sifp == 0) {
++ trace_pkt(" discard a request from an indirect router"
++ " (possibly an attack)");
++ return;
++ }
++
+ if (rip->rip_vers == 0) {
+ msglim(&bad_router, FROM_NADDR,
+ "RIP version 0, cmd %d, packet received from %s",
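Review bot: The new `sifp == 0` guard in `input` reports the drop only through `trace_pkt`, so with tracing disabled an operator gets no record of packets that the message itself calls a possible attack. The `msglim(&bad_router, FROM_NADDR, ...)` call a few lines below is the rate-limited logging path used for other bad senders, and the guard should log through it as well, with the same sender formatting. The text says "a request", but the guard sits ahead of the version check and, as far as the hunk shows, ahead of any command dispatch, so "a packet" is probably the accurate wording. `sifp == NULL` would read better than `== 0` for a pointer.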
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/23-SA-15:20.expat
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/23-SA-15:20.expat Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,49 @@
+Index: contrib/expat/lib/xmlparse.c
+===================================================================
+--- contrib/expat/lib/xmlparse.c (revision 286868)
++++ contrib/expat/lib/xmlparse.c (working copy)
+@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int is
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len)
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
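Review bot: The two new sanity checks in `XML_GetBuffer` test for overflow after it has happened: `neededSize = len + (int)(bufferEnd - bufferPtr)` followed by `if (neededSize < 0)`, and `bufferSize *= 2` followed by `bufferSize > 0`. Signed overflow is undefined in C, so an optimising compiler may assume it never occurs and drop both tests. Checking against `INT_MAX` before the addition and before the doubling gives the same rejection without relying on wrap-around; `INT_MAX` needs `<limits.h>`, and whether the file already includes it is not visible here. If the `XML_CONTEXT_BYTES` branch goes on to add `keep` to `neededSize`, as its declaration suggests, that addition needs the same guard. The function begins and ends outside the hunk.

```c
  if (len > bufferLim - bufferEnd) {
    int neededSize;
    /* Reject before adding: signed overflow is undefined and cannot be
       detected reliably afterwards. */
    if (len > INT_MAX - (int)(bufferEnd - bufferPtr)) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }
    neededSize = len + (int)(bufferEnd - bufferPtr);
    /* … unchanged: XML_CONTEXT_BYTES handling and the reuse-in-place branch … */
      do {
        /* Stop before the doubling itself would overflow. */
        if (bufferSize > INT_MAX / 2) {
          errorCode = XML_ERROR_NO_MEMORY;
          return NULL;
        }
        bufferSize *= 2;
      } while (bufferSize < neededSize);
```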
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-EN-15:15.pkg
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-EN-15:15.pkg Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,34 @@
+Index: usr.sbin/pkg/pkg.c
+===================================================================
+--- usr.sbin/pkg/pkg.c (revision 286787)
++++ usr.sbin/pkg/pkg.c (working copy)
+@@ -749,7 +749,13 @@ bootstrap_pkg(bool force)
+ goto fetchfail;
+
+ if (signature_type != NULL &&
+- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
++ strcasecmp(signature_type, "NONE") != 0) {
++ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
++ warnx("Signature type %s is not supported for "
++ "bootstrapping.", signature_type);
++ goto cleanup;
++ }
++
+ snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
+ getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
+ snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
+@@ -834,7 +840,13 @@ bootstrap_pkg_local(const char *pkgpath, bool forc
+ return (-1);
+ }
+ if (signature_type != NULL &&
+- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
++ strcasecmp(signature_type, "NONE") != 0) {
++ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
++ warnx("Signature type %s is not supported for "
++ "bootstrapping.", signature_type);
++ goto cleanup;
++ }
++
+ snprintf(path, sizeof(path), "%s.sig", pkgpath);
+
+ if ((fd_sig = open(path, O_RDONLY)) == -1) {
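Review bot: Both rewritten conditions still begin with `signature_type != NULL`, so when no signature type is configured `bootstrap_pkg` and `bootstrap_pkg_local` skip verification silently, exactly as for an explicit `NONE`. The hunk tightens only the unknown-value case. If that default is intended, a comment such as `/* NULL is treated like NONE: no signature check */` should say so, and a `warnx` when proceeding unverified would give operators a signal. The six added lines are identical in the two functions and could live in one small static helper so the policy cannot drift. Both `goto cleanup` targets and the return value they produce are outside the hunk; confirm they report failure.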
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:21.amd64
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:21.amd64 Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,53 @@
+Index: sys/amd64/amd64/exception.S
+===================================================================
+--- sys/amd64/amd64/exception.S (revision 286969)
++++ sys/amd64/amd64/exception.S (working copy)
+@@ -154,9 +154,13 @@ IDTVEC(xmm)
+ IDTVEC(tss)
+ TRAP_ERR(T_TSSFLT)
+ IDTVEC(missing)
+- TRAP_ERR(T_SEGNPFLT)
++ subq $TF_ERR,%rsp
++ movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
++ jmp prot_addrf
+ IDTVEC(stk)
+- TRAP_ERR(T_STKFLT)
++ subq $TF_ERR,%rsp
++ movl $T_STKFLT,TF_TRAPNO(%rsp)
++ jmp prot_addrf
+ IDTVEC(align)
+ TRAP_ERR(T_ALIGNFLT)
+
+@@ -319,6 +323,7 @@ IDTVEC(page)
+ IDTVEC(prot)
+ subq $TF_ERR,%rsp
+ movl $T_PROTFLT,TF_TRAPNO(%rsp)
++prot_addrf:
+ movq $0,TF_ADDR(%rsp)
+ movq %rdi,TF_RDI(%rsp) /* free up a GP register */
+ leaq doreti_iret(%rip),%rdi
+Index: sys/amd64/amd64/machdep.c
+===================================================================
+--- sys/amd64/amd64/machdep.c (revision 286969)
++++ sys/amd64/amd64/machdep.c (working copy)
+@@ -428,6 +428,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *
+ regs->tf_rflags &= ~(PSL_T | PSL_D);
+ regs->tf_cs = _ucodesel;
+ regs->tf_ds = _udatasel;
++ regs->tf_ss = _udatasel;
+ regs->tf_es = _udatasel;
+ regs->tf_fs = _ufssel;
+ regs->tf_gs = _ugssel;
+Index: sys/amd64/amd64/trap.c
+===================================================================
+--- sys/amd64/amd64/trap.c (revision 286969)
++++ sys/amd64/amd64/trap.c (working copy)
+@@ -473,8 +473,6 @@ trap(struct trapframe *frame)
+ goto out;
+
+ case T_STKFLT: /* stack fault */
+- break;
+-
+ case T_PROTFLT: /* general protection fault */
+ case T_SEGNPFLT: /* segment not present fault */
+ if (td->td_intr_nesting_level != 0)
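Review bot: In `trap.c` the removed `break;` makes `case T_STKFLT:` fall through into the `T_PROTFLT`/`T_SEGNPFLT` handling, and nothing marks that as intentional. A `/* FALLTHROUGH */` comment after the `T_STKFLT` label would keep a later reader or a lint pass from restoring the `break`. In `exception.S`, `IDTVEC(missing)` and `IDTVEC(stk)` now open-code the frame setup and jump into the middle of `IDTVEC(prot)` at the new `prot_addrf` label; a comment there, e.g. `/* shared entry for missing/stk/prot: trap number already stored in the frame */`, would document that contract. The added `regs->tf_ss = _udatasel;` in `sendsig` likewise deserves a word on why the stack selector is now reset with the others. All three functions extend beyond the hunk.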
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:22.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/24-SA-15:22.openssh Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,68 @@
+Index: crypto/openssh/monitor.c
+===================================================================
+--- crypto/openssh/monitor.c (revision 286787)
++++ crypto/openssh/monitor.c (working copy)
+@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
+Index: crypto/openssh/monitor_wrap.c
+===================================================================
+--- crypto/openssh/monitor_wrap.c (revision 286787)
++++ crypto/openssh/monitor_wrap.c (working copy)
+@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+Index: crypto/openssh/mux.c
+===================================================================
+--- crypto/openssh/mux.c (revision 286787)
++++ crypto/openssh/mux.c (working copy)
+@@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer
+ u_int lport, cport;
+ int i, ret = 0, freefwd = 1;
+
+- fwd.listen_host = fwd.connect_host = NULL;
++ memset(&fwd, 0, sizeof(fwd));
++
+ if (buffer_get_int_ret(&ftype, m) != 0 ||
+ (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+ buffer_get_int_ret(&lport, m) != 0 ||
+@@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffe
+ int i, listen_port, ret = 0;
+ u_int lport, cport;
+
+- fwd.listen_host = fwd.connect_host = NULL;
++ memset(&fwd, 0, sizeof(fwd));
++
+ if (buffer_get_int_ret(&ftype, m) != 0 ||
+ (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+ buffer_get_int_ret(&lport, m) != 0 ||
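Review bot: In `mm_answer_pam_free_ctx` the result is now computed into `r` before `free_ctx` runs, and `sshpam_ctxt` and `sshpam_authok` are cleared afterwards, but the ordering is unexplained. A comment at the `int r = ...` line such as `/* decide before freeing; NULL == NULL must not count as success */` would protect it from a later tidy-up. `mm_answer_pam_init_ctx` no longer takes the user name from the message and relies on `authctxt` as already held by the monitor. It also assigns `sshpam_ctxt` without looking at a previous value; whether a context can still be live at that point depends on request gating outside the hunk. The `monitor.c` and `monitor_wrap.c` halves change the message layout together, so they must always ship as a pair.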
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/25-SA-15:23.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/25-SA-15:23.bind Thu Jan 7 20:56:30 2016 (r293365)
@@ -0,0 +1,485 @@
+Index: contrib/bind9/lib/dns/hmac_link.c
+===================================================================
+--- contrib/bind9/lib/dns/hmac_link.c (revision 287393)
++++ contrib/bind9/lib/dns/hmac_link.c (working copy)
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *d
+ hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ if (hmacmd5ctx == NULL)
+ return (ISC_R_NOMEMORY);
+- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
++ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_k
+ else if (hkey1 == NULL || hkey2 == NULL)
+ return (ISC_FALSE);
+
+- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
+ isc_buffer_t b;
+ isc_result_t ret;
+ unsigned int bytes;
+- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
++ unsigned char data[ISC_MD5_BLOCK_LENGTH];
+
+ UNUSED(callback);
+
+ bytes = (key->key_size + 7) / 8;
+- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+- bytes = ISC_SHA1_BLOCK_LENGTH;
+- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
++ if (bytes > ISC_MD5_BLOCK_LENGTH) {
++ bytes = ISC_MD5_BLOCK_LENGTH;
++ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ }
+
+- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+ if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
+ isc_buffer_init(&b, data, bytes);
+ isc_buffer_add(&b, bytes);
+ ret = hmacmd5_fromdns(key, &b);
+- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+
+ return (ret);
+ }
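Review bot: The last `memset(data, 0, ISC_MD5_BLOCK_LENGTH);` before `return (ret);` clears a local array that is never read again, so an optimising compiler may treat it as a dead store and drop it, leaving the freshly generated HMAC key bytes on the stack. `data` is declared in the preceding hunk as `unsigned char data[ISC_MD5_BLOCK_LENGTH]`, so the wipe can also be sized with `sizeof(data)` and stay correct if the declaration changes. A store the compiler has to keep, for example `volatile unsigned char *p = data;` followed by `for (i = 0; i < sizeof(data); i++) p[i] = 0;`, or the project's own secure-wipe helper if this tree has one, would make the cleanup dependable. Whether the current build flags actually elide the memset is not visible here, and the function starts outside the hunk.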
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data
+
+ memset(hkey->key, 0, sizeof(hkey->key));
+
+- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
++ if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, hkey->key);
+@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data
+ key->key_size = keylen * 8;
+ key->keydata.hmacmd5 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
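Review bot: The added `isc_buffer_forward(data, r.length);` at the end of hmacmd5_fromdns has no comment, and the same bare line is added to hmacsha1_fromdns, hmacsha224_fromdns, hmacsha256_fromdns, hmacsha384_fromdns and hmacsha512_fromdns in the hunks that follow. It changes the contract of all six functions from "reads the key" to "reads and consumes the key", which matters to any caller that looks at what remains in `data` afterwards. I would add `/* consume the key bytes so the caller can detect trailing data */` above each call, adjusted to whatever the caller really does, since the caller is not on this page. The line is correct only if `r` still describes the remaining region of `data` at this point; that assignment is outside the hunk.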
+
+@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *dat
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha1 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *d
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha224 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *d
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha256 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *d
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha384 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *d
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha512 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+Index: contrib/bind9/lib/dns/include/dst/dst.h
+===================================================================
+--- contrib/bind9/lib/dns/include/dst/dst.h (revision 287393)
++++ contrib/bind9/lib/dns/include/dst/dst.h (working copy)
+@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
+ #define DST_ALG_HMACSHA256 163 /* XXXMPA */
+ #define DST_ALG_HMACSHA384 164 /* XXXMPA */
+ #define DST_ALG_HMACSHA512 165 /* XXXMPA */
++#define DST_ALG_INDIRECT 252
+ #define DST_ALG_PRIVATE 254
+ #define DST_ALG_EXPAND 255
+ #define DST_MAX_ALGS 255
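Review bot: `DST_ALG_INDIRECT 252` is added without a comment, and none of the hunks visible on this page use it, so the patch does not show what the constant gates. 252 is the DNSSEC algorithm number that RFC 4034 reserves for indirect keys; a trailing comment such as `/* RFC 4034 A.1: reserved for indirect keys */` would document it. The code that rejects or special-cases this algorithm is presumably in the truncated part of the patch.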
+Index: contrib/bind9/lib/dns/ncache.c
+===================================================================
+--- contrib/bind9/lib/dns/ncache.c (revision 287393)
++++ contrib/bind9/lib/dns/ncache.c (working copy)
+@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
+ dns_name_fromregion(&tname, &remaining);
+ INSIST(remaining.length >= tname.length);
+ isc_buffer_forward(&source, tname.length);
+- remaining.length -= tname.length;
+- remaining.base += tname.length;
++ isc_region_consume(&remaining, tname.length);
+
+ INSIST(remaining.length >= 2);
+ type = isc_buffer_getuint16(&source);
+- remaining.length -= 2;
+- remaining.base += 2;
++ isc_region_consume(&remaining, 2);
+
+ if (type != dns_rdatatype_rrsig ||
+ !dns_name_equal(&tname, name)) {
+@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
+ INSIST(remaining.length >= 1);
+ trust = isc_buffer_getuint8(&source);
+ INSIST(trust <= dns_trust_ultimate);
+- remaining.length -= 1;
+- remaining.base += 1;
++ isc_region_consume(&remaining, 1);
+
+ raw = remaining.base;
+ count = raw[0] * 256 + raw[1];
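Review bot: `count = raw[0] * 256 + raw[1];` reads two bytes from `remaining.base` straight after `isc_region_consume(&remaining, 1)`, but the only length check in this hunk is `INSIST(remaining.length >= 1)` before that consume, so nothing visible guarantees that two bytes are left. Adding `INSIST(remaining.length >= 2);` before `raw = remaining.base;` would match the checks made for the name and type fields in the preceding hunk. The region appears to be an internally built negative-cache rdataset rather than wire data, so this is a defensive check; dns_ncache_getsigrdataset continues outside the hunk.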
+Index: contrib/bind9/lib/dns/openssldh_link.c
+===================================================================
+--- contrib/bind9/lib/dns/openssldh_link.c (revision 287393)
++++ contrib/bind9/lib/dns/openssldh_link.c (working copy)
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+- *region->base++ = (val & 0xff00) >> 8;
+- *region->base++ = (val & 0x00ff);
++ *region->base = (val & 0xff00) >> 8;
++ isc_region_consume(region, 1);
++ *region->base = (val & 0x00ff);
++ isc_region_consume(region, 1);
+ }
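Review bot: In uint16_toregion each byte is stored through `region->base` before `isc_region_consume(region, 1)` runs, so if the consume macro is what enforces the remaining length (its definition is not on this page), a region that is too short is written past its end before the check fires. One `INSIST(region->length >= 2);` at the top of the function would put the check ahead of both stores. uint16_fromregion in the next hunk reads `cp[0]` and `cp[1]` before `isc_region_consume(region, 2)` and would take the same line; its body starts outside that hunk.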
+
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
+ val = ((unsigned int)(cp[0])) << 8;
+ val |= ((unsigned int)(cp[1]));
+
+- region->base += 2;
++ isc_region_consume(region, 2);
++
+ return (val);
+ }
+
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t
+ }
+ else
+ BN_bn2bin(dh->p, r.base);
+- r.base += plen;
++ isc_region_consume(&r, plen);
+
+ uint16_toregion(glen, &r);
+ if (glen > 0)
+ BN_bn2bin(dh->g, r.base);
+- r.base += glen;
++ isc_region_consume(&r, glen);
+
+ uint16_toregion(publen, &r);
+ BN_bn2bin(dh->pub_key, r.base);
+- r.base += publen;
++ isc_region_consume(&r, publen);
+
+ isc_buffer_add(data, dnslen);
+
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (plen == 1 || plen == 2) {
+- if (plen == 1)
+- special = *r.base++;
+- else
++ if (plen == 1) {
++ special = *r.base;
++ isc_region_consume(&r, 1);
++ } else {
+ special = uint16_fromregion(&r);
++ }
+ switch (special) {
+ case 1:
+ dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+- }
+- else {
++ } else {
+ dh->p = BN_bin2bn(r.base, plen, NULL);
+- r.base += plen;
++ isc_region_consume(&r, plen);
+ }
+
+ /*
+@@ -421,8 +425,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+- }
+- else {
++ } else {
+ if (glen == 0) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+@@ -429,7 +432,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
+ }
+ dh->g = BN_bin2bn(r.base, glen, NULL);
+ }
+- r.base += glen;
++ isc_region_consume(&r, glen);
+
+ if (r.length < 2) {
+ DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+- r.base += publen;
++ isc_region_consume(&r, publen);
+
+ key->key_size = BN_num_bits(dh->p);
+
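Review bot: The result of `BN_bin2bn(r.base, publen, NULL)` is stored in `dh->pub_key` and the code moves on without testing it, although BN_bin2bn returns NULL when allocation fails; the earlier openssldh_fromdns hunks do the same with `dh->p` and `dh->g`. `key->key_size = BN_num_bits(dh->p);` two lines later would then be handed a NULL `dh->p`. I would add `if (dh->pub_key == NULL) { DH_free(dh); return (ISC_R_NOMEMORY); }` after each conversion, with the matching member name, unless a NULL check exists in the part of the function outside these hunks.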
+Index: contrib/bind9/lib/dns/openssldsa_link.c
+===================================================================
+--- contrib/bind9/lib/dns/openssldsa_link.c (revision 287393)
++++ contrib/bind9/lib/dns/openssldsa_link.c (working copy)
+@@ -29,8 +29,6 @@
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id$ */
+-
+ #ifdef OPENSSL
+ #ifndef USE_EVP
+ #define USE_EVP 1
+@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
+ DSA *dsa = key->keydata.dsa;
+ isc_region_t r;
+ DSA_SIG *dsasig;
++ unsigned int klen;
+ #if USE_EVP
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey;
+@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
+ ISC_R_FAILURE));
+ }
+ free(sigbuf);
++
+ #elif 0
+ /* Only use EVP for the Digest */
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***