Apply patch, requested by spz in ticket 1329: netbsd-6
authorbouyer <bouyer@NetBSD.org>
Sun, 15 Nov 2015 19:09:08 +0000
branchnetbsd-6
changeset 257334 d1e1366cb7a7
parent 257333 bb4cceeaddf0
child 257335 1eee5173ce9e
Apply patch, requested by spz in ticket 1329: Update bind to 9.9.7-P3
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/COPYRIGHT
external/bsd/bind/dist/FAQ.xml
external/bsd/bind/dist/README
external/bsd/bind/dist/bin/check/named-checkconf.c
external/bsd/bind/dist/bin/dig/dig.1
external/bsd/bind/dist/bin/dig/dig.docbook
external/bsd/bind/dist/bin/dig/dig.html
external/bsd/bind/dist/bin/dig/dighost.c
external/bsd/bind/dist/bin/dig/host.c
external/bsd/bind/dist/bin/dig/include/dig/dig.h
external/bsd/bind/dist/bin/dig/nslookup.c
external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c
external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html
external/bsd/bind/dist/bin/dnssec/dnssec-settime.8
external/bsd/bind/dist/bin/dnssec/dnssec-settime.c
external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook
external/bsd/bind/dist/bin/dnssec/dnssec-settime.html
external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
external/bsd/bind/dist/bin/dnssec/dnssec-verify.c
external/bsd/bind/dist/bin/dnssec/dnssectool.c
external/bsd/bind/dist/bin/dnssec/dnssectool.h
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/config.c
external/bsd/bind/dist/bin/named/include/named/globals.h
external/bsd/bind/dist/bin/named/interfacemgr.c
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/named.html
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/server.c
external/bsd/bind/dist/bin/named/update.c
external/bsd/bind/dist/bin/named/zoneconf.c
external/bsd/bind/dist/bin/nsupdate/nsupdate.c
external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch
external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0m-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0o-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1h-patch
external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1j-patch
external/bsd/bind/dist/bin/rndc/rndc.c
external/bsd/bind/dist/bin/tests/system/additional/ns1/named.args
external/bsd/bind/dist/bin/tests/system/additional/ns1/named1.conf
external/bsd/bind/dist/bin/tests/system/additional/ns1/named2.conf
external/bsd/bind/dist/bin/tests/system/additional/ns1/naptr.db
external/bsd/bind/dist/bin/tests/system/additional/ns1/naptr2.db
external/bsd/bind/dist/bin/tests/system/additional/ns1/nid.db
external/bsd/bind/dist/bin/tests/system/additional/ns1/rt.db
external/bsd/bind/dist/bin/tests/system/additional/ns1/rt2.db
external/bsd/bind/dist/bin/tests/system/checkconf/bad-sharedwritable1.conf
external/bsd/bind/dist/bin/tests/system/checkconf/bad-sharedwritable2.conf
external/bsd/bind/dist/bin/tests/system/checkconf/good.conf
external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh
external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh
external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad3.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad4.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/badttl.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/inherit.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/warn.inherit.origin.db
external/bsd/bind/dist/bin/tests/system/checkzone/zones/warn.inherited.owner.db
external/bsd/bind/dist/bin/tests/system/conf.sh.in
external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/future.example.db.in
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named.conf
external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named1.conf
external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named2.conf
external/bsd/bind/dist/bin/tests/system/dnssec/ns5/sign.sh
external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh
external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh
external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh
external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named2.conf
external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh
external/bsd/bind/dist/bin/tests/system/forward/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/forward/ns4/named.conf
external/bsd/bind/dist/bin/tests/system/forward/tests.sh
external/bsd/bind/dist/bin/tests/system/genzone.sh
external/bsd/bind/dist/bin/tests/system/inline/clean.sh
external/bsd/bind/dist/bin/tests/system/inline/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/inline/setup.sh
external/bsd/bind/dist/bin/tests/system/legacy/build.sh
external/bsd/bind/dist/bin/tests/system/legacy/clean.sh
external/bsd/bind/dist/bin/tests/system/legacy/ns1/named1.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns1/named2.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns1/root.db
external/bsd/bind/dist/bin/tests/system/legacy/ns1/trusted.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns2/dropedns.db
external/bsd/bind/dist/bin/tests/system/legacy/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns2/named.dropedns
external/bsd/bind/dist/bin/tests/system/legacy/ns3/dropedns-notcp.db
external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.dropedns
external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.notcp
external/bsd/bind/dist/bin/tests/system/legacy/ns4/named.args
external/bsd/bind/dist/bin/tests/system/legacy/ns4/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns4/plain.db
external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.args
external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.notcp
external/bsd/bind/dist/bin/tests/system/legacy/ns5/plain-notcp.db
external/bsd/bind/dist/bin/tests/system/legacy/ns6/edns512.db.in
external/bsd/bind/dist/bin/tests/system/legacy/ns6/edns512.db.signed
external/bsd/bind/dist/bin/tests/system/legacy/ns6/named.args
external/bsd/bind/dist/bin/tests/system/legacy/ns6/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns6/sign.sh
external/bsd/bind/dist/bin/tests/system/legacy/ns7/edns512-notcp.db.in
external/bsd/bind/dist/bin/tests/system/legacy/ns7/edns512-notcp.db.signed
external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.args
external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.conf
external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.notcp
external/bsd/bind/dist/bin/tests/system/legacy/ns7/sign.sh
external/bsd/bind/dist/bin/tests/system/legacy/setup.sh
external/bsd/bind/dist/bin/tests/system/legacy/tests.sh
external/bsd/bind/dist/bin/tests/system/notify/clean.sh
external/bsd/bind/dist/bin/tests/system/notify/ns2/generic.db
external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/notify/ns4/named.conf
external/bsd/bind/dist/bin/tests/system/notify/ns4/named.port
external/bsd/bind/dist/bin/tests/system/notify/ns5/named.conf
external/bsd/bind/dist/bin/tests/system/notify/ns5/x21.db
external/bsd/bind/dist/bin/tests/system/notify/setup.sh
external/bsd/bind/dist/bin/tests/system/notify/tests.sh
external/bsd/bind/dist/bin/tests/system/reclimit/README
external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl
external/bsd/bind/dist/bin/tests/system/reclimit/ans4/ans.pl
external/bsd/bind/dist/bin/tests/system/reclimit/ans7/ans.pl
external/bsd/bind/dist/bin/tests/system/reclimit/clean.sh
external/bsd/bind/dist/bin/tests/system/reclimit/ns1/named.conf
external/bsd/bind/dist/bin/tests/system/reclimit/ns1/root.db
external/bsd/bind/dist/bin/tests/system/reclimit/ns3/hints.db
external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named1.conf
external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named2.conf
external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named3.conf
external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named4.conf
external/bsd/bind/dist/bin/tests/system/reclimit/setup.sh
external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh
external/bsd/bind/dist/bin/tests/system/redirect/tests.sh
external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db
external/bsd/bind/dist/bin/tests/system/resolver/ns4/tld1.db
external/bsd/bind/dist/bin/tests/system/resolver/ns4/tld2.db
external/bsd/bind/dist/bin/tests/system/resolver/ns7/all-cnames.db
external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf
external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf
external/bsd/bind/dist/bin/tests/system/resolver/tests.sh
external/bsd/bind/dist/bin/tests/system/rpz/tests.sh
external/bsd/bind/dist/bin/tests/system/start.pl
external/bsd/bind/dist/bin/tests/system/upforwd/clean.sh
external/bsd/bind/dist/bin/tests/system/upforwd/ns1/named.conf
external/bsd/bind/dist/bin/tests/system/upforwd/ns2/named.conf
external/bsd/bind/dist/bin/tests/system/upforwd/ns3/named.conf
external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh
external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh
external/bsd/bind/dist/bin/tests/system/views/clean.sh
external/bsd/bind/dist/bin/tests/system/views/ns2/external/inline.db
external/bsd/bind/dist/bin/tests/system/views/ns2/internal/inline.db
external/bsd/bind/dist/bin/tests/system/views/ns2/named2.conf
external/bsd/bind/dist/bin/tests/system/views/setup.sh
external/bsd/bind/dist/bin/tests/system/views/tests.sh
external/bsd/bind/dist/bin/tests/system/xfer/dig1.good
external/bsd/bind/dist/bin/tests/system/xfer/dig2.good
external/bsd/bind/dist/config.h.in
external/bsd/bind/dist/config.h.win32
external/bsd/bind/dist/configure
external/bsd/bind/dist/configure.in
external/bsd/bind/dist/contrib/dlz/example/README
external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/README.md
external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/README
external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/dns-data.txt
external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/named.conf
external/bsd/bind/dist/contrib/sdb/ldap/ldapdb.c
external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml
external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Makefile.in
external/bsd/bind/dist/doc/arm/dnssec.xml
external/bsd/bind/dist/doc/arm/latex-fixup.pl
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/doc/arm/notes-wrapper.xml
external/bsd/bind/dist/doc/arm/notes.html
external/bsd/bind/dist/doc/arm/notes.xml
external/bsd/bind/dist/doc/xsl/Makefile.in
external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in
external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in
external/bsd/bind/dist/doc/xsl/isc-docbook-latex.xsl.in
external/bsd/bind/dist/doc/xsl/isc-notes-html.xsl.in
external/bsd/bind/dist/doc/xsl/isc-notes-latex.xsl.in
external/bsd/bind/dist/lib/bind9/api
external/bsd/bind/dist/lib/bind9/check.c
external/bsd/bind/dist/lib/bind9/getaddresses.c
external/bsd/bind/dist/lib/dns/adb.c
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/diff.c
external/bsd/bind/dist/lib/dns/dispatch.c
external/bsd/bind/dist/lib/dns/gen.c
external/bsd/bind/dist/lib/dns/hmac_link.c
external/bsd/bind/dist/lib/dns/include/dns/dispatch.h
external/bsd/bind/dist/lib/dns/include/dns/log.h
external/bsd/bind/dist/lib/dns/include/dns/rbt.h
external/bsd/bind/dist/lib/dns/include/dns/request.h
external/bsd/bind/dist/lib/dns/include/dst/dst.h
external/bsd/bind/dist/lib/dns/journal.c
external/bsd/bind/dist/lib/dns/keytable.c
external/bsd/bind/dist/lib/dns/log.c
external/bsd/bind/dist/lib/dns/master.c
external/bsd/bind/dist/lib/dns/masterdump.c
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/name.c
external/bsd/bind/dist/lib/dns/ncache.c
external/bsd/bind/dist/lib/dns/nsec3.c
external/bsd/bind/dist/lib/dns/openssldh_link.c
external/bsd/bind/dist/lib/dns/openssldsa_link.c
external/bsd/bind/dist/lib/dns/opensslecdsa_link.c
external/bsd/bind/dist/lib/dns/opensslgost_link.c
external/bsd/bind/dist/lib/dns/opensslrsa_link.c
external/bsd/bind/dist/lib/dns/private.c
external/bsd/bind/dist/lib/dns/rbt.c
external/bsd/bind/dist/lib/dns/rbtdb.c
external/bsd/bind/dist/lib/dns/rdata.c
external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c
external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c
external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c
external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c
external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.c
external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.h
external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c
external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c
external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c
external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.h
external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c
external/bsd/bind/dist/lib/dns/rdataset.c
external/bsd/bind/dist/lib/dns/request.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/lib/dns/rootns.c
external/bsd/bind/dist/lib/dns/spnego_asn1.c
external/bsd/bind/dist/lib/dns/tests/Kdh.+002+18602.key
external/bsd/bind/dist/lib/dns/tests/Makefile.in
external/bsd/bind/dist/lib/dns/tests/db_test.c
external/bsd/bind/dist/lib/dns/tests/dbversion_test.c
external/bsd/bind/dist/lib/dns/tests/dh_test.c
external/bsd/bind/dist/lib/dns/tests/master_test.c
external/bsd/bind/dist/lib/dns/tests/name_test.c
external/bsd/bind/dist/lib/dns/tests/zonemgr_test.c
external/bsd/bind/dist/lib/dns/tkey.c
external/bsd/bind/dist/lib/dns/tsig.c
external/bsd/bind/dist/lib/dns/validator.c
external/bsd/bind/dist/lib/dns/zone.c
external/bsd/bind/dist/lib/dns/zt.c
external/bsd/bind/dist/lib/export/isc/Makefile.in
external/bsd/bind/dist/lib/export/isc/unix/Makefile.in
external/bsd/bind/dist/lib/export/samples/nsprobe.c
external/bsd/bind/dist/lib/export/samples/sample-request.c
external/bsd/bind/dist/lib/export/samples/sample-update.c
external/bsd/bind/dist/lib/irs/getnameinfo.c
external/bsd/bind/dist/lib/isc/api
external/bsd/bind/dist/lib/isc/hash.c
external/bsd/bind/dist/lib/isc/hmacmd5.c
external/bsd/bind/dist/lib/isc/hmacsha.c
external/bsd/bind/dist/lib/isc/httpd.c
external/bsd/bind/dist/lib/isc/include/isc/platform.h.in
external/bsd/bind/dist/lib/isc/include/isc/radix.h
external/bsd/bind/dist/lib/isc/include/isc/ratelimiter.h
external/bsd/bind/dist/lib/isc/md5.c
external/bsd/bind/dist/lib/isc/mem.c
external/bsd/bind/dist/lib/isc/radix.c
external/bsd/bind/dist/lib/isc/ratelimiter.c
external/bsd/bind/dist/lib/isc/result.c
external/bsd/bind/dist/lib/isc/sha1.c
external/bsd/bind/dist/lib/isc/sha2.c
external/bsd/bind/dist/lib/isc/tests/Makefile.in
external/bsd/bind/dist/lib/isc/tests/hash_test.c
external/bsd/bind/dist/lib/isc/tests/radix_test.c
external/bsd/bind/dist/lib/isc/tests/time_test.c
external/bsd/bind/dist/lib/isc/unix/app.c
external/bsd/bind/dist/lib/isc/unix/include/isc/net.h
external/bsd/bind/dist/lib/isc/unix/include/isc/time.h
external/bsd/bind/dist/lib/isc/unix/net.c
external/bsd/bind/dist/lib/isc/unix/socket.c
external/bsd/bind/dist/lib/isc/unix/stdio.c
external/bsd/bind/dist/lib/isc/unix/time.c
external/bsd/bind/dist/lib/isccfg/api
external/bsd/bind/dist/lib/isccfg/parser.c
external/bsd/bind/dist/lib/lwres/api
external/bsd/bind/dist/lib/lwres/compat.c
external/bsd/bind/dist/lib/lwres/gethost.c
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
external/bsd/bind/include/config.h
external/bsd/bind/include/dns/code.h
external/bsd/bind/include/dns/enumclass.h
external/bsd/bind/include/dns/enumtype.h
external/bsd/bind/include/dns/rdatastruct.h
external/bsd/bind/include/isc/platform.h
--- a/external/bsd/bind/dist/CHANGES	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/CHANGES	Sun Nov 15 19:09:08 2015 +0000
@@ -1,13 +1,166 @@
-	--- 9.9.6-P2 released ---
+	--- 9.9.7-P3 released ---
+
+4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+			rdatatype could trigger an assertion failure.
+			(CVE-2015-5986) [RT #40286]
+
+4168.	[security]	A buffer accounting error could trigger an
+			assertion failure when parsing certain malformed 
+			DNSSEC keys. (CVE-2015-5722) [RT #40212]
+
+	--- 9.9.7-P2 released ---
+
+4165.	[security]	A failure to reset a value to NULL in tkey.c could
+			result in an assertion failure. (CVE-2015-5477)
+			[RT #40046]
+
+	--- 9.9.7-P1 released ---
+
+4138.	[bug]		An uninitialized value in validator.c could result
+			in an assertion failure. (CVE-2015-4620) [RT #39795]
+
+	--- 9.9.7 released ---
+
+	--- 9.9.7rc2 released ---
+
+4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
+
+4060.	[bug]		dns_rdata_freestruct could be called on a
+			uninitialised structure when handling a error.
+			[RT #38568]
+
+4059.	[bug]		Addressed valgrind warnings. [RT #38549]
+
+4058.	[bug]		UDP dispatches could use the wrong pseudorandom
+			number generator context. [RT #38578]
+
+4056.	[bug]		Fixed several small bugs in automatic trust anchor
+			management, including a memory leak and a possible
+			loss of key state information. [RT #38458]
+
+4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
+			[RT #38565]
 
 4053.	[security]	Revoking a managed trust anchor and supplying
 			an untrusted replacement could cause named
 			to crash with an assertion failure.
 			(CVE-2015-1349) [RT #38344]
 
+4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
+
+4050.	[bug]		RPZ could send spurious SERVFAILs in response
+			to duplicate queries. [RT #38510]
+
+4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+4048.	[bug]		adb hash table was not being grown. [RT #38470]
+
+	--- 9.9.7rc1 released ---
+
+4047.	[cleanup]	"named -V" now reports the current running versions
+			of OpenSSL and the libxml2 libraries, in addition to
+			the versions that were in use at build time.
+
+4046.	[bug]		Accounting of "total use" in memory context
+			statistics was not correct. [RT #38370]
+
+4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
+			[RT #25185]
+
+4044.	[bug]		Change 3955 was not complete, resulting in an assertion
+			failure if the timing was just right. [RT #38352]
+
+4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
+			to call dns_rpz_delete.  This should prevent unbalanced
+			add / delete calls. [RT #36888]
+
+4037.	[bug]		also-notify was ignoring the tsig key when checking
+			for duplicates resulting in some expected notify
+			messages not being sent. [RT #38369]
+
+4035.	[bug]		Close temporary and NZF FILE pointers before moving
+			the former into the latter's place, as required on
+			Windows. [RT #38332]
+
+4032.	[bug]		Built-in "empty" zones did not correctly inherit the
+			"allow-transfer" ACL from the options or view.
+			[RT #38310]
+
+4031.	[bug]		named-checkconf -z failed to report a missing file
+			with a hint zone. [RT #38294]
+
+4028.	[bug]		$GENERATE with a zero step was not being caught as a
+			error.  A $GENERATE with a / but no step was not being
+			caught as a error. [RT #38262]
+
+3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
+			including real-time/wall-clock profiling. Use
+			"configure --with-gperftools-profiler" to enable.
+			[RT #37339]
+
+	--- 9.9.7b1 released ---
+
 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 
-	--- 9.9.6-P1 released ---
+4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+4025.	[port]		bsdi: failed to build. [RT #38047]
+
+4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
+			dns_rdata_opt_current, dns_rdata_txt_first,
+			dns_rdata_txt_next and dns_rdata_txt_current were
+			documented but not implemented.  These have now been
+			implemented.
+
+			dns_rdata_spf_first, dns_rdata_spf_next and
+			dns_rdata_spf_current were documented but not
+			implemented.  The prototypes for these
+			functions have been removed. [RT #38068]
+
+4023.	[bug]		win32: socket handling with explicit ports and
+			invoking named with -4 was broken for some
+			configurations. [RT #38068]
+
+4021.	[bug]		Adjust max-recursion-queries to accommodate
+			the need for more queries when the cache is
+			empty. [RT #38104]
+
+4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
+			resulting in updates being sent to the wrong server.
+			[RT #37925]
+
+4019.	[func]		If named is not configured to validate the answer
+			then allow fallback to plain DNS on timeout even
+			when we know the server supports EDNS. [RT #37978]
+
+4018.	[bug]		Fall back to plain DNS when EDNS queries are being
+			dropped was failing. [RT #37965]
+
+4017.	[test]		Add system test to check lookups to legacy servers
+			with broken DNS behavior. [RT #37965]
+
+4016.	[bug]		Fix a dig segfault due to bad linked list usage.
+			[RT #37591]
+
+4015.	[bug]		Nameservers that are skipped due to them being
+			CNAMEs were not being logged. They are now logged
+			to category 'cname' as per BIND 8. [RT #37935]
+
+4014.	[bug]		When including a master file origin_changed was
+			not being properly set leading to a potentially
+			spurious 'inherited owner' warning. [RT #37919]
+
+4012.	[bug]		Check returned status of OpenSSL digest and HMAC
+			functions when they return one. Note this applies
+			only to FIPS capable OpenSSL libraries put in
+			FIPS mode and MD5. [RT #37944]
+
+4011.	[bug]		master's list port inheritance was not properly
+			implemented. [RT #37792]
+
+4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 
 4006.	[security]	A flaw in delegation handling could be exploited
 			to put named into an infinite loop.  This has
@@ -21,6 +174,99 @@
 			"max-recursion-depth" option, and the query limit
 			via the "max-recursion-queries" option.  [RT #37580]
 
+4004.	[bug]		When delegations had AAAA glue but not A, a
+			reference could be leaked causing an assertion
+			failure on shutdown. [RT #37796]
+
+4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
+			from the redirect zone. [RT #37722]
+
+3998.	[bug]		isc_radix_search was returning matches that were
+			too precise. [RT #37680]
+
+3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
+
+3996.	[bug]		Address use after free on out of memory error in
+			keyring_add. [RT #37639]
+
+3995.	[bug]		receive_secure_serial holds the zone lock for too
+			long. [RT #37626]
+
+3990.	[testing]	Add tests for unknown DNSSEC algorithm handling.
+			[RT #37541]
+
+3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
+
+3987.	[func]		Handle future Visual Studio 14 incompatible changes.
+			[RT #37380]
+
+3986.	[doc]		Add the BIND version number to page footers
+			in the ARM. [RT #37398]
+
+3985.	[doc]		Describe how +ndots and +search interact in dig.
+			[RT #37529]
+
+3982.	[doc]		Include release notes in product documentation.
+			[RT #37272]
+
+3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
+			[RT #37467]
+
+3978.	[test]		Added a unit test for Diffie-Hellman key
+			computation, completing change #3974. [RT #37477]
+
+3976.	[bug]		When refreshing managed-key trust anchors, clear
+			any cached trust so that they will always be
+			revalidated with the current set of secure
+			roots. [RT #37506]
+
+3974.	[bug]		Handle DH_compute_key() failure correctly in
+			openssldh_link.c. [RT #37477]
+
+3972.	[bug]		Fix host's usage statement. [RT #37397]
+
+3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
+			in named-checkconf / named-checkzone. [RT #37138]
+
+3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
+			[RT #37237]
+
+3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
+			[RT #37308]
+
+3967.	[test]		Add test for inlined signed zone in multiple views
+			with different DNSKEY sets. [RT #35759]
+
+3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
+			[RT #35746]
+
+3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
+			conditions. [RT #34663]
+
+3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
+			BADSIG.  [RT #37216]
+
+3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
+
+3959.	[bug]		Updates could be lost if they arrived immediately
+			after a rndc thaw. [RT #37233]
+
+3958.	[bug]		Detect when writeable files have multiple references
+			in named.conf. [RT #37172]
+
+3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+			and ECDSAP384SHA384. [RT #37183]
+
+3955.	[bug]		Notify messages due to changes are no longer queued
+			behind startup notify messages. [RT #24454]
+
+3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
+
+3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
+			two name pointers were the same. [RT #37176]
+
 	--- 9.9.6 released ---
 
 3950.	[port]		Changed the bin/python Makefile to work around a
--- a/external/bsd/bind/dist/COPYRIGHT	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/COPYRIGHT	Sun Nov 15 19:09:08 2015 +0000
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any
--- a/external/bsd/bind/dist/FAQ.xml	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/FAQ.xml	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
 <!--
- - Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2013</year>
+      <year>2014</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
--- a/external/bsd/bind/dist/README	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/README	Sun Nov 15 19:09:08 2015 +0000
@@ -51,15 +51,26 @@
         For up-to-date release notes and errata, see
         http://www.isc.org/software/bind9/releasenotes
 
-BIND 9.9.6-P2
+BIND 9.9.7-P3
+
+	BIND 9.9.7-P3 is a security release addressing the flaws
+	described in CVE-2015-5722 and CVE-2015-5986.
 
-	BIND 9.9.6-P2 is a security release and addresses the security
-	flaw described in CVE-2015-1349.
+BIND 9.9.7-P2
+
+       BIND 9.9.7-P2 is a security release addressing the flaw
+       described in CVE-2015-5477.
 
-BIND 9.9.6-P1
+BIND 9.9.7-P1
+
+       BIND 9.9.7-P1 is a security release addressing the flaw
+       described in CVE-2015-4620.
 
-	BIND 9.9.6-P1 is a security release and addresses the security
-	flaw described in CVE-2014-8500.
+BIND 9.9.7
+
+	BIND 9.9.7 is a maintenance release and addresses bugs
+	found in BIND 9.9.6 and earlier, as well as the security
+	flaws described in CVE-2014-8500 and CVE-2015-1349.
 
 BIND 9.9.6
 
--- a/external/bsd/bind/dist/bin/check/named-checkconf.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/check/named-checkconf.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: named-checkconf.c,v 1.3.4.2 2014/12/25 17:53:59 msaitoh Exp $	*/
+/*	$NetBSD: named-checkconf.c,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
  * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -490,7 +490,33 @@
 
 	isc_commandline_errprint = ISC_FALSE;
 
-	while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
+	/*
+	 * Process memory debugging argument first.
+	 */
+#define CMDLINE_FLAGS "dhjm:t:pvxz"
+	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (c) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			if (strcasecmp(isc_commandline_argument, "size") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
+
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
 		switch (c) {
 		case 'd':
 			debug++;
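Review bot: An unrecognised `-m` value is silently accepted in the new first-pass loop, because each `strcasecmp` test is an independent `if` with no fallback. A mistyped mode leaves `isc_mem_debugging` unchanged, and the run continues as though memory debugging had been enabled. Chaining the tests as `else if (strcasecmp(isc_commandline_argument, "trace") == 0)` and so on, with a final `else` that reports the rejected argument on stderr, would make the mistake visible. The two loops also stop on different sentinels, `!= -1` in the first and `!= EOF` in the second, so using one spelling in both would show the difference is not intentional. The enclosing function starts and ends outside this hunk.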
@@ -500,6 +526,9 @@
 			nomerge = ISC_FALSE;
 			break;
 
+		case 'm':
+			break;
+
 		case 't':
 			result = isc_dir_chroot(isc_commandline_argument);
 			if (result != ISC_R_SUCCESS) {
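Review bot: The empty `case 'm':` added to the second pass reads like a forgotten handler and should carry a one-line comment, for example `/* -m was consumed in the first pass, before isc_mem_create() */`. Without this case the option would presumably reach the switch's default handling, which is outside this hunk, so the comment also records why the case has to stay.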
@@ -559,8 +588,6 @@
 	InitSockets();
 #endif
 
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
 	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
--- a/external/bsd/bind/dist/bin/dig/dig.1	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.1	Sun Nov 15 19:09:08 2015 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: dig.1,v 1.3.4.2 2014/12/25 17:54:00 msaitoh Exp $
+.\"	$NetBSD: dig.1,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $
 .\"
 .\" Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
@@ -390,7 +390,10 @@
 or
 \fBdomain\fR
 directive in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR
+if
+\fB+search\fR
+is set.
 .RE
 .PP
 \fB+[no]nsid\fR
@@ -449,6 +452,12 @@
 Use [do not use] the search list defined by the searchlist or domain directive in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
+.sp
+\'ndots' from
+\fIresolv.conf\fR
+(default 1) which may be overridden by
+\fI+ndots\fR
+determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.
 .RE
 .PP
 \fB+[no]short\fR
--- a/external/bsd/bind/dist/bin/dig/dig.docbook	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.docbook	Sun Nov 15 19:09:08 2015 +0000
@@ -1,5 +1,5 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
  - Copyright (C) 2004-2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
@@ -157,13 +157,13 @@
 
       <variablelist>
 
-        <varlistentry>
-          <term><constant>server</constant></term>
-          <listitem>
-            <para>
+	<varlistentry>
+	  <term><constant>server</constant></term>
+	  <listitem>
+	    <para>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
-              address in colon-delimited notation.  When the supplied
+	      address in colon-delimited notation.  When the supplied
 	      <parameter>server</parameter> argument is a hostname,
 	      <command>dig</command> resolves that name before querying
 	      that name server.
@@ -180,33 +180,33 @@
 	      <command>dig</command> will send the query to the
 	      local host.  The reply from the name server that
 	      responds is displayed.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
-          <term><constant>name</constant></term>
-          <listitem>
-            <para>
-              is the name of the resource record that is to be looked up.
-            </para>
-          </listitem>
-        </varlistentry>
+	<varlistentry>
+	  <term><constant>name</constant></term>
+	  <listitem>
+	    <para>
+	      is the name of the resource record that is to be looked up.
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
-          <term><constant>type</constant></term>
-          <listitem>
-            <para>
-              indicates what type of query is required &mdash;
-              ANY, A, MX, SIG, etc.
-              <parameter>type</parameter> can be any valid query
-              type.  If no
-              <parameter>type</parameter> argument is supplied,
-              <command>dig</command> will perform a lookup for an
-              A record.
-            </para>
-          </listitem>
-        </varlistentry>
+	<varlistentry>
+	  <term><constant>type</constant></term>
+	  <listitem>
+	    <para>
+	      indicates what type of query is required &mdash;
+	      ANY, A, MX, SIG, etc.
+	      <parameter>type</parameter> can be any valid query
+	      type.  If no
+	      <parameter>type</parameter> argument is supplied,
+	      <command>dig</command> will perform a lookup for an
+	      A record.
+	    </para>
+	  </listitem>
+	</varlistentry>
 
       </variablelist>
     </para>
@@ -246,7 +246,7 @@
     <para>
       The <option>-m</option> option enables memory usage debugging.
       <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
-           documented in include/isc/mem.h -->
+	   documented in include/isc/mem.h -->
     </para>
 
     <para>
@@ -321,13 +321,13 @@
       base-64
       encoded string, typically generated by
       <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>.
 
       Caution should be taken when using the <option>-y</option> option on
       multi-user systems as the key can be visible in the output from
       <citerefentry>
-        <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+	<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
       </citerefentry>
       or in the shell's history file.  When
       using TSIG authentication with <command>dig</command>, the name
@@ -362,38 +362,38 @@
 
       <variablelist>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]aaflag</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      A synonym for <parameter>+[no]aaonly</parameter>.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]aaonly</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Sets the "aa" flag in the query.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]additional</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Display [do not display] the additional section of a
 	      reply.  The default is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]adflag</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Set [do not set] the AD (authentic data) bit in the
 	      query.  This requests the server to return whether
 	      all of the answer and authority sections have all
@@ -403,65 +403,65 @@
 	      from a OPT-OUT range.  AD=0 indicate that some part
 	      of the answer was insecure or not validated.  This
 	      bit is set by default.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]all</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Set or clear all display flags.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]answer</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Display [do not display] the answer section of a
 	      reply.  The default is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]authority</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Display [do not display] the authority section of a
 	      reply.  The default is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]besteffort</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Attempt to display the contents of messages which are
 	      malformed.  The default is to not display malformed
 	      answers.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+bufsize=B</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Set the UDP message buffer size advertised using EDNS0
 	      to <parameter>B</parameter> bytes.  The maximum and
 	      minimum sizes of this buffer are 65535 and 0 respectively.
 	      Values outside this range are rounded up or down
 	      appropriately.  Values other than zero will cause a
 	      EDNS query to be sent.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]cdflag</option></term>
 	  <listitem>
 	    <para>
@@ -472,39 +472,39 @@
 	  </listitem>
 	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]cl</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Display [do not display] the CLASS when printing the
 	      record.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]cmd</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Toggles the printing of the initial comment in the
 	      output identifying the version of <command>dig</command>
 	      and the query options that have been applied.  This
 	      comment is printed by default.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]comments</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Toggle the display of comment lines in the output.
 	      The default is to print comments.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]defname</option></term>
 	  <listitem>
 	    <para>
@@ -514,20 +514,20 @@
 	  </listitem>
 	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]dnssec</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Requests DNSSEC records be sent by setting the DNSSEC
 	      OK bit (DO) in the OPT record in the additional section
 	      of the query.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+domain=somename</option></term>
-          <listitem>
+	  <listitem>
 	    <para>
 	      Set the search list to contain the single domain
 	      <parameter>somename</parameter>, as if specified in
@@ -539,82 +539,82 @@
 	  </listitem>
 	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]edns[=#]</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	       Specify the EDNS version to query with.  Valid values
 	       are 0 to 255.  Setting the EDNS version will cause
 	       a EDNS query to be sent.  <option>+noedns</option>
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]fail</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Do not try the next server if you receive a SERVFAIL.
 	      The default is to not try the next server which is
 	      the reverse of normal stub resolver behavior.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
-          <term><option>+[no]identify</option></term>
-          <listitem>
-            <para>
+	<varlistentry>
+	  <term><option>+[no]identify</option></term>
+	  <listitem>
+	    <para>
 	      Show [or do not show] the IP address and port number
 	      that supplied the answer when the
 	      <parameter>+short</parameter> option is enabled.  If
 	      short form answers are requested, the default is not
 	      to show the source address and port number of the
 	      server that provided the answer.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]ignore</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Ignore truncation in UDP responses instead of retrying
 	      with TCP.  By default, TCP retries are performed.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]keepopen</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Keep the TCP socket open between queries and reuse
 	      it rather than creating a new TCP socket for each
 	      lookup.  The default is <option>+nokeepopen</option>.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]multiline</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Print records like the SOA records in a verbose
 	      multi-line format with human-readable comments.  The
 	      default is to print each record on a single line, to
 	      facilitate machine parsing of the <command>dig</command>
 	      output.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+ndots=D</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Set the number of dots that have to appear in
 	      <parameter>name</parameter> to <parameter>D</parameter>
 	      for it to be considered absolute.  The default value
@@ -624,135 +624,143 @@
 	      are interpreted as relative names and will be searched
 	      for in the domains listed in the <option>search</option>
 	      or <option>domain</option> directive in
-	      <filename>/etc/resolv.conf</filename>.
-            </para>
-          </listitem>
-        </varlistentry>
+	      <filename>/etc/resolv.conf</filename> if
+	      <option>+search</option> is set.
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]nsid</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Include an EDNS name server ID request when sending
 	      a query.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]nssearch</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      When this option is set, <command>dig</command>
 	      attempts to find the authoritative name servers for
 	      the zone containing the name being looked up and
 	      display the SOA record that each name server has for
 	      the zone.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]onesoa</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Print only one (starting) SOA record when performing
 	      an AXFR. The default is to print both the starting
 	      and ending SOA records.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]qr</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Print [do not print] the query as it is sent.  By
 	      default, the query is not printed.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]question</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]recurse</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Toggle the setting of the RD (recursion desired) bit
 	      in the query.  This bit is set by default, which means
 	      <command>dig</command> normally sends recursive
 	      queries.  Recursion is automatically disabled when
 	      the <parameter>+nssearch</parameter> or
 	      <parameter>+trace</parameter> query options are used.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+retry=T</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Sets the number of times to retry UDP queries to
 	      server to <parameter>T</parameter> instead of the
 	      default, 2.  Unlike <parameter>+tries</parameter>,
 	      this does not include the initial query.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]rrcomments</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Toggle the display of per-record comments in the
 	      output (for example, human-readable key information
 	      about DNSKEY records).  The default is not to print
 	      record comments unless multiline mode is active.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]search</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Use [do not use] the search list defined by the
 	      searchlist or domain directive in
 	      <filename>resolv.conf</filename> (if any).  The search
 	      list is not used by default.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	    <para>
+	      'ndots' from <filename>resolv.conf</filename> (default 1)
+	       which may be overridden by <parameter>+ndots</parameter>
+	      determines if the name will be treated as relative
+	      or not and hence whether a search is eventually
+	      performed or not.
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]short</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Provide a terse answer.  The default is to print the
 	      answer in a verbose form.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]showsearch</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Perform [do not perform] a search showing intermediate
 	      results.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
 	<varlistentry>
 	  <term><option>+[no]sigchase</option></term>
@@ -764,10 +772,10 @@
 	  </listitem>
 	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+split=W</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <parameter>W</parameter>
 	      characters (where <parameter>W</parameter> is rounded
@@ -776,9 +784,9 @@
 	      <parameter>+split=0</parameter> causes fields not to
 	      be split at all.  The default is 56 characters, or
 	      44 characters when multiline mode is active.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
 	<varlistentry>
 	  <term><option>+[no]stats</option></term>
@@ -792,23 +800,23 @@
 	  </listitem>
 	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]tcp</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Use [do not use] TCP when querying name servers. The
 	      default behavior is to use UDP unless an
 	      <literal>ixfr=N</literal> query is requested, in which
 	      case the default is TCP.  AXFR queries always use
 	      TCP.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+time=T</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 
 	      Sets the timeout for a query to
 	      <parameter>T</parameter> seconds.  The default
@@ -816,24 +824,24 @@
 	      An attempt to set <parameter>T</parameter> to less
 	      than 1 will result
 	      in a query timeout of 1 second being applied.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]topdown</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      When chasing DNSSEC signature chains perform a top-down
 	      validation.  Requires dig be compiled with -DDIG_SIGCHASE.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]trace</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Toggle tracing of the delegation path from the root
 	      name servers for the name being looked up.  Tracing
 	      is disabled by default.  When tracing is enabled,
@@ -845,14 +853,14 @@
 	      <command>+dnssec</command> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+tries=T</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Sets the number of times to try UDP queries to server
 	      to <parameter>T</parameter> instead of the default,
 	      3.  If <parameter>T</parameter> is less than or equal
@@ -875,32 +883,32 @@
 	      <filename>trusted-key.key</filename> in the current
 	      directory.
 	    </para> <para>
-              Requires dig be compiled with -DDIG_SIGCHASE.
+	      Requires dig be compiled with -DDIG_SIGCHASE.
 	    </para>
-          </listitem>
-        </varlistentry>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]ttlid</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Display [do not display] the TTL when printing the
 	      record.
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
-        <varlistentry>
+	<varlistentry>
 	  <term><option>+[no]vc</option></term>
-          <listitem>
-            <para>
+	  <listitem>
+	    <para>
 	      Use [do not use] TCP when querying name servers.  This
 	      alternate syntax to <parameter>+[no]tcp</parameter>
 	      is provided for backwards compatibility.  The "vc"
 	      stands for "virtual circuit".
-            </para>
-          </listitem>
-        </varlistentry>
+	    </para>
+	  </listitem>
+	</varlistentry>
 
       </variablelist>
 
@@ -982,13 +990,13 @@
   <refsect1>
     <title>SEE ALSO</title>
     <para><citerefentry>
-        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+	<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>RFC1035</citetitle>.
     </para>
--- a/external/bsd/bind/dist/bin/dig/dig.html	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dig.html	Sun Nov 15 19:09:08 2015 +0000
@@ -96,7 +96,7 @@
 <p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
-              address in colon-delimited notation.  When the supplied
+	      address in colon-delimited notation.  When the supplied
 	      <em class="parameter"><code>server</code></em> argument is a hostname,
 	      <span><strong class="command">dig</strong></span> resolves that name before querying
 	      that name server.
@@ -117,18 +117,18 @@
 </dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
 <dd><p>
-              is the name of the resource record that is to be looked up.
-            </p></dd>
+	      is the name of the resource record that is to be looked up.
+	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
 <dd><p>
-              indicates what type of query is required &#8212;
-              ANY, A, MX, SIG, etc.
-              <em class="parameter"><code>type</code></em> can be any valid query
-              type.  If no
-              <em class="parameter"><code>type</code></em> argument is supplied,
-              <span><strong class="command">dig</strong></span> will perform a lookup for an
-              A record.
-            </p></dd>
+	      indicates what type of query is required &#8212;
+	      ANY, A, MX, SIG, etc.
+	      <em class="parameter"><code>type</code></em> can be any valid query
+	      type.  If no
+	      <em class="parameter"><code>type</code></em> argument is supplied,
+	      <span><strong class="command">dig</strong></span> will perform a lookup for an
+	      A record.
+	    </p></dd>
 </dl></div>
 <p>
     </p>
@@ -265,16 +265,16 @@
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
 <dd><p>
 	      A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
 <dd><p>
-              Sets the "aa" flag in the query.
-            </p></dd>
+	      Sets the "aa" flag in the query.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
 <dd><p>
 	      Display [do not display] the additional section of a
 	      reply.  The default is to display it.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
 <dd><p>
 	      Set [do not set] the AD (authentic data) bit in the
@@ -321,19 +321,19 @@
 	      Set [do not set] the CD (checking disabled) bit in
 	      the query.  This requests the server to not perform
 	      DNSSEC validation of responses.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cl</code></span></dt>
 <dd><p>
 	      Display [do not display] the CLASS when printing the
 	      record.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
 <dd><p>
 	      Toggles the printing of the initial comment in the
 	      output identifying the version of <span><strong class="command">dig</strong></span>
 	      and the query options that have been applied.  This
 	      comment is printed by default.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd><p>
 	      Toggle the display of comment lines in the output.
@@ -343,13 +343,13 @@
 <dd><p>
 	      Deprecated, treated as a synonym for
 	      <em class="parameter"><code>+[no]search</code></em>
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
 <dd><p>
 	      Requests DNSSEC records be sent by setting the DNSSEC
 	      OK bit (DO) in the OPT record in the additional section
 	      of the query.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+domain=somename</code></span></dt>
 <dd><p>
 	      Set the search list to contain the single domain
@@ -358,7 +358,7 @@
 	      <code class="filename">/etc/resolv.conf</code>, and enable
 	      search list processing as if the
 	      <em class="parameter"><code>+search</code></em> option were given.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
 <dd><p>
 	       Specify the EDNS version to query with.  Valid values
@@ -366,13 +366,13 @@
 	       a EDNS query to be sent.  <code class="option">+noedns</code>
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd><p>
 	      Do not try the next server if you receive a SERVFAIL.
 	      The default is to not try the next server which is
 	      the reverse of normal stub resolver behavior.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]identify</code></span></dt>
 <dd><p>
 	      Show [or do not show] the IP address and port number
@@ -381,18 +381,18 @@
 	      short form answers are requested, the default is not
 	      to show the source address and port number of the
 	      server that provided the answer.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
 <dd><p>
 	      Ignore truncation in UDP responses instead of retrying
 	      with TCP.  By default, TCP retries are performed.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
 <dd><p>
 	      Keep the TCP socket open between queries and reuse
 	      it rather than creating a new TCP socket for each
 	      lookup.  The default is <code class="option">+nokeepopen</code>.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
 <dd><p>
 	      Print records like the SOA records in a verbose
@@ -400,7 +400,7 @@
 	      default is to print each record on a single line, to
 	      facilitate machine parsing of the <span><strong class="command">dig</strong></span>
 	      output.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+ndots=D</code></span></dt>
 <dd><p>
 	      Set the number of dots that have to appear in
@@ -412,13 +412,14 @@
 	      are interpreted as relative names and will be searched
 	      for in the domains listed in the <code class="option">search</code>
 	      or <code class="option">domain</code> directive in
-	      <code class="filename">/etc/resolv.conf</code>.
-            </p></dd>
+	      <code class="filename">/etc/resolv.conf</code> if
+	      <code class="option">+search</code> is set.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
 <dd><p>
 	      Include an EDNS name server ID request when sending
 	      a query.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
 <dd><p>
 	      When this option is set, <span><strong class="command">dig</strong></span>
@@ -426,24 +427,24 @@
 	      the zone containing the name being looked up and
 	      display the SOA record that each name server has for
 	      the zone.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
 <dd><p>
 	      Print only one (starting) SOA record when performing
 	      an AXFR. The default is to print both the starting
 	      and ending SOA records.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd><p>
 	      Print [do not print] the query as it is sent.  By
 	      default, the query is not printed.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd><p>
 	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
 <dd><p>
 	      Toggle the setting of the RD (recursion desired) bit
@@ -452,28 +453,37 @@
 	      queries.  Recursion is automatically disabled when
 	      the <em class="parameter"><code>+nssearch</code></em> or
 	      <em class="parameter"><code>+trace</code></em> query options are used.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
 <dd><p>
 	      Sets the number of times to retry UDP queries to
 	      server to <em class="parameter"><code>T</code></em> instead of the
 	      default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
 	      this does not include the initial query.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
 <dd><p>
 	      Toggle the display of per-record comments in the
 	      output (for example, human-readable key information
 	      about DNSKEY records).  The default is not to print
 	      record comments unless multiline mode is active.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
+<dd>
+<p>
 	      Use [do not use] the search list defined by the
 	      searchlist or domain directive in
 	      <code class="filename">resolv.conf</code> (if any).  The search
 	      list is not used by default.
-            </p></dd>
+	    </p>
+<p>
+	      'ndots' from <code class="filename">resolv.conf</code> (default 1)
+	       which may be overridden by <em class="parameter"><code>+ndots</code></em>
+	      determines if the name will be treated as relative
+	      or not and hence whether a search is eventually
+	      performed or not.
+	    </p>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
 <dd><p>
 	      Provide a terse answer.  The default is to print the
@@ -483,7 +493,7 @@
 <dd><p>
 	      Perform [do not perform] a search showing intermediate
 	      results.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
 <dd><p>
 	      Chase DNSSEC signature chains.  Requires dig be
@@ -499,14 +509,14 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to
 	      be split at all.  The default is 56 characters, or
 	      44 characters when multiline mode is active.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd><p>
 	      This query option toggles the printing of statistics:
 	      when the query was made, the size of the reply and
 	      so on.  The default behavior is to print the query
 	      statistics.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
 <dd><p>
 	      Use [do not use] TCP when querying name servers. The
@@ -514,7 +524,7 @@
 	      <code class="literal">ixfr=N</code> query is requested, in which
 	      case the default is TCP.  AXFR queries always use
 	      TCP.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+time=T</code></span></dt>
 <dd><p>
 
@@ -554,14 +564,14 @@
 	      3.  If <em class="parameter"><code>T</code></em> is less than or equal
 	      to zero, the number of tries is silently rounded up
 	      to 1.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
 <dd>
 <p>
 	      Specifies a file containing trusted keys to be used
 	      with <code class="option">+sigchase</code>.  Each DNSKEY record
 	      must be on its own line.
-            </p>
+	    </p>
 <p>
 	      If not specified, <span><strong class="command">dig</strong></span> will look
 	      for <code class="filename">/etc/trusted-key.key</code> then
@@ -569,28 +579,28 @@
 	      directory.
 	    </p>
 <p>
-              Requires dig be compiled with -DDIG_SIGCHASE.
+	      Requires dig be compiled with -DDIG_SIGCHASE.
 	    </p>
 </dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
 <dd><p>
 	      Display [do not display] the TTL when printing the
 	      record.
-            </p></dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
 <dd><p>
 	      Use [do not use] TCP when querying name servers.  This
 	      alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
 	      is provided for backwards compatibility.  The "vc"
 	      stands for "virtual circuit".
-            </p></dd>
+	    </p></dd>
 </dl></div>
 <p>
 
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545168"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -636,7 +646,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545229"></a><h2>IDN SUPPORT</h2>
+<a name="id2545243"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -650,14 +660,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545252"></a><h2>FILES</h2>
+<a name="id2545266"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545269"></a><h2>SEE ALSO</h2>
+<a name="id2545283"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -665,7 +675,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545306"></a><h2>BUGS</h2>
+<a name="id2545320"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
--- a/external/bsd/bind/dist/bin/dig/dighost.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/dighost.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dighost.c,v 1.8.4.2 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dighost.c,v 1.8.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -60,6 +60,7 @@
 #include <dns/log.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
@@ -1073,10 +1074,9 @@
  */
 static isc_result_t
 read_confkey(void) {
-	isc_log_t *lctx = NULL;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *file = NULL;
-	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *keyobj = NULL;
 	const cfg_obj_t *secretobj = NULL;
 	const cfg_obj_t *algorithmobj = NULL;
 	const char *keyname;
@@ -1087,7 +1087,7 @@
 	if (! isc_file_exists(keyfile))
 		return (ISC_R_FILENOTFOUND);
 
-	result = cfg_parser_create(mctx, lctx, &pctx);
+	result = cfg_parser_create(mctx, NULL, &pctx);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1096,16 +1096,16 @@
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = cfg_map_get(file, "key", &key);
+	result = cfg_map_get(file, "key", &keyobj);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	(void) cfg_map_get(key, "secret", &secretobj);
-	(void) cfg_map_get(key, "algorithm", &algorithmobj);
+	(void) cfg_map_get(keyobj, "secret", &secretobj);
+	(void) cfg_map_get(keyobj, "algorithm", &algorithmobj);
 	if (secretobj == NULL || algorithmobj == NULL)
 		fatal("key must have algorithm and secret");
 
-	keyname = cfg_obj_asstring(cfg_map_getname(key));
+	keyname = cfg_obj_asstring(cfg_map_getname(keyobj));
 	secretstr = cfg_obj_asstring(secretobj);
 	algorithm = cfg_obj_asstring(algorithmobj);
 
@@ -2219,7 +2219,6 @@
 		if (result != ISC_R_SUCCESS) {
 			dns_message_puttempname(lookup->sendmsg,
 						&lookup->name);
-			isc_buffer_init(&b, store, MXNAME);
 			fatal("'%s' is not a legal name "
 			      "(%s)", lookup->textname,
 			      isc_result_totext(result));
@@ -2979,7 +2978,8 @@
 		query->waiting_connect = ISC_FALSE;
 		isc_event_free(&event);
 		l = query->lookup;
-		if (l->current_query != NULL)
+		if ((l->current_query != NULL) &&
+		    (ISC_LINK_LINKED(l->current_query, link)))
 			next = ISC_LIST_NEXT(l->current_query, link);
 		else
 			next = NULL;
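Review bot: The new `ISC_LINK_LINKED(l->current_query, link)` test has no comment saying when `current_query` can be non-NULL yet off the list, so a reader cannot tell whether that is a normal state or a symptom of something else. I would add above the `if`: `/* current_query may already have been unlinked from the lookup's query list; only follow its link while it is still on the list. */`. It is also worth confirming that an unlinked query cannot have been freed while `l->current_query` still points at it, because the test itself dereferences that pointer. The enclosing function starts and ends outside the hunk.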
@@ -3521,7 +3521,7 @@
 #endif
 				printmessage(query, msg, ISC_TRUE);
 		} else if (l->trace) {
-			int n = 0;
+			int nl = 0;
 			int count = msg->counts[DNS_SECTION_ANSWER];
 
 			debug("in TRACE code");
@@ -3532,13 +3532,13 @@
 			if (l->trace_root || (l->ns_search_only && count > 0)) {
 				if (!l->trace_root)
 					l->rdtype = dns_rdatatype_soa;
-				n = followup_lookup(msg, query,
+				nl = followup_lookup(msg, query,
 						    DNS_SECTION_ANSWER);
 				l->trace_root = ISC_FALSE;
 			} else if (count == 0)
-				n = followup_lookup(msg, query,
+				nl = followup_lookup(msg, query,
 						    DNS_SECTION_AUTHORITY);
-			if (n == 0)
+			if (nl == 0)
 				docancel = ISC_TRUE;
 		} else {
 			debug("in NSSEARCH code");
@@ -3547,12 +3547,12 @@
 				/*
 				 * This is the initial NS query.
 				 */
-				int n;
+				int nl;
 
 				l->rdtype = dns_rdatatype_soa;
-				n = followup_lookup(msg, query,
+				nl = followup_lookup(msg, query,
 						    DNS_SECTION_ANSWER);
-				if (n == 0)
+				if (nl == 0)
 					docancel = ISC_TRUE;
 				l->trace_root = ISC_FALSE;
 				usesearch = ISC_FALSE;
@@ -3682,12 +3682,12 @@
  * routines, since they may be using a non-DNS system for these lookups.
  */
 isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
 	int count;
 	isc_result_t result;
 
 	isc_app_block();
-	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+	result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
 	isc_app_unblock();
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -4154,6 +4154,9 @@
 	dns_rdataset_t *rdataset;
 	dns_name_t *msg_name = NULL;
 
+	if (msg->counts[section] == 0)
+		return (NULL);
+
 	do {
 		dns_message_currentname(msg, section, &msg_name);
 		if (dns_name_compare(msg_name, name) == 0) {
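Review bot: The loop after the new `msg->counts[section] == 0` guard still calls `dns_message_currentname()` with no `dns_message_firstname()` between the declarations and the `do`, so the scan depends on whatever cursor position the caller left in `msg` for that section. The count check covers the empty section, but not a cursor that was never set or was left mid-section. Either state that precondition in the function comment or establish the cursor locally, e.g. `if (dns_message_firstname(msg, section) != ISC_R_SUCCESS) return (NULL);`, after checking that no caller relies on the scan starting part-way through. `section` is also used as an array index here without a range check. The function's signature and the rest of the loop are outside the hunk.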
@@ -4360,8 +4363,8 @@
 	dns_rdatacallbacks_init_stdio(&callbacks);
 	callbacks.add = insert_trustedkey;
 	return (dns_master_loadfile(filename, dns_rootname, dns_rootname,
-				    current_lookup->rdclass, 0, &callbacks,
-				    mctx));
+				    current_lookup->rdclass, DNS_MASTER_NOTTL,
+				    &callbacks, mctx));
 }
 
 
@@ -4561,36 +4564,36 @@
 }
 
 isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
-{
-	isc_result_t result;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset) {
 	dns_rdata_sig_t siginfo;
-
-	result = dns_rdataset_first(sigrdataset);
+	dns_rdataset_t mysigrdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&mysigrdataset);
+	dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+	result = dns_rdataset_first(&mysigrdataset);
 	check_result(result, "empty RRSIG dataset");
-	dns_rdata_init(&sigrdata);
 
 	do {
-		dns_rdataset_current(sigrdataset, &sigrdata);
+		dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&mysigrdataset, &sigrdata);
 
 		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 		check_result(result, "sigrdata tostruct siginfo");
 
 		if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
-			dns_rdata_freestruct(&siginfo);
-			dns_rdata_reset(&sigrdata);
-			return (ISC_R_SUCCESS);
+			result = ISC_R_SUCCESS;
+			goto cleanup;
 		}
-
-		dns_rdata_freestruct(&siginfo);
-		dns_rdata_reset(&sigrdata);
-
-	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&sigrdata);
-
-	return (ISC_R_FAILURE);
+	} while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
+
+	result = ISC_R_FAILURE;
+cleanup:
+	dns_rdataset_disassociate(&mysigrdataset);
+
+	return (result);
 }
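Review bot: The switch to a private `dns_rdataset_clone()` copy is not explained anywhere in this function, and the same pattern is repeated in the four functions patched in the following hunks, through `sigchase_verify_ds`. A one-line comment above the clone would record the intent, for example `/* Iterate a clone so the caller's rdataset cursor is not moved. */`; that intent is inferred from the diff, so confirm it before committing the wording. A short note at `cleanup:` that every return after the clone has to pass through `dns_rdataset_disassociate()` would help whoever adds the next early exit.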
 
 
@@ -4670,26 +4673,30 @@
 		     dns_rdataset_t *sigrdataset,
 		     isc_mem_t *mctx)
 {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t myrdataset;
 	dst_key_t *dnsseckey = NULL;
 	int i;
+	isc_result_t result;
 
 	if (name == NULL || rdataset == NULL)
 		return (ISC_R_FAILURE);
 
-	result = dns_rdataset_first(rdataset);
+	dns_rdataset_init(&myrdataset);
+	dns_rdataset_clone(rdataset, &myrdataset);
+
+	result = dns_rdataset_first(&myrdataset);
 	check_result(result, "empty rdataset");
 
 	do {
-		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&myrdataset, &rdata);
 		INSIST(rdata.type == dns_rdatatype_dnskey);
 
 		result = dns_dnssec_keyfromrdata(name, &rdata,
 						 mctx, &dnsseckey);
 		check_result(result, "dns_dnssec_keyfromrdata");
 
-
 		for (i = 0; i < tk_list.nb_tk; i++) {
 			if (dst_key_compare(tk_list.key[i], dnsseckey)
 			    == ISC_TRUE) {
@@ -4698,22 +4705,21 @@
 				printf(";; Ok, find a Trusted Key in the "
 				       "DNSKEY RRset: %d\n",
 				       dst_key_id(dnsseckey));
-				if (sigchase_verify_sig_key(name, rdataset,
+				result = sigchase_verify_sig_key(name, rdataset,
 							    dnsseckey,
 							    sigrdataset,
-							    mctx)
-				    == ISC_R_SUCCESS) {
-					dst_key_free(&dnsseckey);
-					dnsseckey = NULL;
-					return (ISC_R_SUCCESS);
-				}
+								 mctx);
+				if (result == ISC_R_SUCCESS)
+					goto cleanup;
 			}
 		}
-
-		dns_rdata_reset(&rdata);
+		dst_key_free(&dnsseckey);
+	} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
+
+cleanup:
 		if (dnsseckey != NULL)
 			dst_key_free(&dnsseckey);
-	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+	dns_rdataset_disassociate(&myrdataset);
 
 	return (ISC_R_NOTFOUND);
 }
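Review bot: The success path of this function now returns `ISC_R_NOTFOUND`: `goto cleanup` is taken when `sigchase_verify_sig_key()` returns `ISC_R_SUCCESS`, but the function still ends with the unchanged `return (ISC_R_NOTFOUND);`. The code being replaced returned `ISC_R_SUCCESS` at that point, and the sibling functions converted in the later hunks set the result before the label and return it. The same is needed here: add `result = ISC_R_NOTFOUND;` before `cleanup:` and change the last statement to `return (result);`. As written the error is on the safe side, since a verified trusted key is reported as not found, but a chase through this function can presumably never succeed. The function's signature is outside the two hunks that cover its body.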
@@ -4724,16 +4730,20 @@
 		    dns_rdataset_t *sigrdataset,
 		    isc_mem_t *mctx)
 {
-	isc_result_t result;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdataset_t mykeyrdataset;
 	dst_key_t *dnsseckey = NULL;
-
-	result = dns_rdataset_first(keyrdataset);
+	isc_result_t result;
+
+	dns_rdataset_init(&mykeyrdataset);
+	dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+	result = dns_rdataset_first(&mykeyrdataset);
 	check_result(result, "empty DNSKEY dataset");
-	dns_rdata_init(&keyrdata);
 
 	do {
-		dns_rdataset_current(keyrdataset, &keyrdata);
+		dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&mykeyrdataset, &keyrdata);
 		INSIST(keyrdata.type == dns_rdatatype_dnskey);
 
 		result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4742,18 +4752,19 @@
 
 		result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
 						 sigrdataset, mctx);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&keyrdata);
-			dst_key_free(&dnsseckey);
-			return (ISC_R_SUCCESS);
-		}
+		if (result == ISC_R_SUCCESS)
+			goto cleanup;
 		dst_key_free(&dnsseckey);
-		dns_rdata_reset(&keyrdata);
-	} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&keyrdata);
-
-	return (ISC_R_NOTFOUND);
+	} while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
+
+	result = ISC_R_NOTFOUND;
+
+ cleanup:
+	if (dnsseckey != NULL)
+		dst_key_free(&dnsseckey);
+	dns_rdataset_disassociate(&mykeyrdataset);
+
+	return (result);
 }
 
 isc_result_t
@@ -4761,16 +4772,23 @@
 			dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
 			isc_mem_t *mctx)
 {
+	dns_rdata_sig_t siginfo;
+	dns_rdataset_t myrdataset;
+	dns_rdataset_t mysigrdataset;
 	isc_result_t result;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_sig_t siginfo;
-
-	result = dns_rdataset_first(sigrdataset);
+
+	dns_rdataset_init(&myrdataset);
+	dns_rdataset_clone(rdataset, &myrdataset);
+	dns_rdataset_init(&mysigrdataset);
+	dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+	result = dns_rdataset_first(&mysigrdataset);
 	check_result(result, "empty RRSIG dataset");
-	dns_rdata_init(&sigrdata);
 
 	do {
-		dns_rdataset_current(sigrdataset, &sigrdata);
+		dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&mysigrdataset, &sigrdata);
 
 		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 		check_result(result, "sigrdata tostruct siginfo");
@@ -4781,10 +4799,10 @@
 		 */
 		if (siginfo.keyid == dst_key_id(dnsseckey)) {
 
-			result = dns_rdataset_first(rdataset);
+			result = dns_rdataset_first(&myrdataset);
 			check_result(result, "empty DS dataset");
 
-			result = dns_dnssec_verify(name, rdataset, dnsseckey,
+			result = dns_dnssec_verify(name, &myrdataset, dnsseckey,
 						   ISC_FALSE, mctx, &sigrdata);
 
 			printf(";; VERIFYING ");
@@ -4794,19 +4812,18 @@
 			printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
 			       isc_result_totext(result));
 
-			if (result == ISC_R_SUCCESS) {
-				dns_rdata_reset(&sigrdata);
-				return (result);
-			}
+			if (result == ISC_R_SUCCESS)
+				goto cleanup;
 		}
-		dns_rdata_freestruct(&siginfo);
-		dns_rdata_reset(&sigrdata);
-
-	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&sigrdata);
-
-	return (ISC_R_NOTFOUND);
+	} while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
+
+	result = ISC_R_NOTFOUND;
+
+ cleanup:
+	dns_rdataset_disassociate(&myrdataset);
+	dns_rdataset_disassociate(&mysigrdataset);
+
+	return (result);
 }
 
 
@@ -4814,27 +4831,35 @@
 sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 		   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
 {
+	dns_rdata_ds_t dsinfo;
+	dns_rdataset_t mydsrdataset;
+	dns_rdataset_t mykeyrdataset;
+	dst_key_t *dnsseckey = NULL;
 	isc_result_t result;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-	dns_rdata_t dsrdata = DNS_RDATA_INIT;
-	dns_rdata_ds_t dsinfo;
-	dst_key_t *dnsseckey = NULL;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 
-	result = dns_rdataset_first(dsrdataset);
+	dns_rdataset_init(&mydsrdataset);
+	dns_rdataset_clone(dsrdataset, &mydsrdataset);
+	dns_rdataset_init(&mykeyrdataset);
+	dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+	result = dns_rdataset_first(&mydsrdataset);
 	check_result(result, "empty DSset dataset");
 	do {
-		dns_rdataset_current(dsrdataset, &dsrdata);
+		dns_rdata_t dsrdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&mydsrdataset, &dsrdata);
 
 		result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
 		check_result(result, "dns_rdata_tostruct for DS");
 
-		result = dns_rdataset_first(keyrdataset);
+		result = dns_rdataset_first(&mykeyrdataset);
 		check_result(result, "empty KEY dataset");
 
 		do {
-			dns_rdataset_current(keyrdataset, &keyrdata);
+			dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&mykeyrdataset, &keyrdata);
 			INSIST(keyrdata.type == dns_rdatatype_dnskey);
 
 			result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4846,6 +4871,7 @@
 			 * id of DNSKEY referenced by the DS
 			 */
 			if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+				dns_rdata_t newdsrdata = DNS_RDATA_INIT;
 
 				result = dns_ds_buildrdata(name, &keyrdata,
 							   dsinfo.digest_type,
@@ -4853,14 +4879,9 @@
 				dns_rdata_freestruct(&dsinfo);
 
 				if (result != ISC_R_SUCCESS) {
-					dns_rdata_reset(&keyrdata);
-					dns_rdata_reset(&newdsrdata);
-					dns_rdata_reset(&dsrdata);
-					dst_key_free(&dnsseckey);
-					dns_rdata_freestruct(&dsinfo);
 					printf("Oops: impossible to build"
 					       " new DS rdata\n");
-					return (result);
+					goto cleanup;
 				}
 
 
@@ -4877,34 +4898,26 @@
 							 dnsseckey,
 							 chase_sigkeyrdataset,
 							 mctx);
-					if (result ==  ISC_R_SUCCESS) {
-						dns_rdata_reset(&keyrdata);
-						dns_rdata_reset(&newdsrdata);
-						dns_rdata_reset(&dsrdata);
-						dst_key_free(&dnsseckey);
-
-						return (result);
-					}
+					if (result ==  ISC_R_SUCCESS)
+						goto cleanup;
 				} else {
 					printf(";; This DS is NOT the DS for"
 					       " the chasing KEY: FAILED\n");
 				}
-
-				dns_rdata_reset(&newdsrdata);
 			}
 			dst_key_free(&dnsseckey);
-			dns_rdata_reset(&keyrdata);
-			dnsseckey = NULL;
-		} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-		dns_rdata_reset(&dsrdata);
-
-	} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&keyrdata);
-	dns_rdata_reset(&newdsrdata);
-	dns_rdata_reset(&dsrdata);
-
-	return (ISC_R_NOTFOUND);
+		} while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
+	} while (dns_rdataset_next(&mydsrdataset) == ISC_R_SUCCESS);
+
+	result = ISC_R_NOTFOUND;
+
+ cleanup:
+	if (dnsseckey != NULL)
+		dst_key_free(&dnsseckey);
+	dns_rdataset_disassociate(&mydsrdataset);
+	dns_rdataset_disassociate(&mykeyrdataset);
+
+	return (result);
 }
 
 /*
@@ -4952,6 +4965,20 @@
 	isc_boolean_t have_answer = ISC_FALSE;
 	isc_boolean_t true = ISC_TRUE;
 
+	if (msg->rcode != dns_rcode_noerror &&
+	    msg->rcode != dns_rcode_nxdomain) {
+		char buf[20];
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, buf, sizeof(buf));
+		result = dns_rcode_totext(msg->rcode, &b);
+		check_result(result, "dns_rcode_totext failed");
+		printf("error response code %.*s\n",
+		       (int)isc_buffer_usedlength(&b), buf);
+		error_message = msg;
+		return;
+	}
+
 	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
 	    == ISC_R_SUCCESS) {
 		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
@@ -4964,9 +4991,12 @@
 		if (!current_lookup->trace_root_sigchase) {
 			result = dns_message_firstname(msg,
 						       DNS_SECTION_AUTHORITY);
-			if (result == ISC_R_SUCCESS)
-				dns_message_currentname(msg,
-							DNS_SECTION_AUTHORITY,
+			if (result != ISC_R_SUCCESS) {
+				printf("no answer or authority section\n");
+				error_message = msg;
+				return;
+			}
+			dns_message_currentname(msg, DNS_SECTION_AUTHORITY,
 							&name);
 			chase_nsrdataset
 				= chase_scanname_section(msg, name,
@@ -5104,7 +5134,7 @@
 			dns_name_t tmp_name;
 
 			printf("\n;; We are in a Grand Father Problem:"
-			       " See 2.2.1 in RFC 3568\n");
+			       " See 2.2.1 in RFC 3658\n");
 			chase_rdataset = NULL;
 			chase_sigrdataset = NULL;
 			have_response = ISC_FALSE;
@@ -5407,8 +5437,7 @@
 
 	if (chase_dsrdataset == NULL) {
 		result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
-					   dns_rdatatype_ds,
-					   dns_rdatatype_any,
+					   dns_rdatatype_ds, dns_rdatatype_any,
 		&chase_dslookedup);
 		if (result == ISC_R_FAILURE) {
 			printf("\n;; WARNING There is no DS for the zone: ");
@@ -5697,7 +5726,6 @@
 		     result = dns_rdataset_next(nsecset)) {
 			dns_rdataset_current(nsecset, &nsec);
 
-
 			signsecset
 				= chase_scanname_section(msg, nsecname,
 						 dns_rdatatype_rrsig,
--- a/external/bsd/bind/dist/bin/dig/host.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/host.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: host.c,v 1.3.4.2 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: host.c,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -167,7 +167,7 @@
 "       -4 use IPv4 query transport only\n"
 "       -6 use IPv6 query transport only\n"
 "       -m set memory debugging flag (trace|record|usage)\n"
-"       -v print version number and exit\n", stderr);
+"       -V print version number and exit\n", stderr);
 	exit(1);
 }
 
@@ -257,7 +257,7 @@
 	isc_result_t result, loopresult;
 	isc_region_t r;
 	dns_name_t empty_name;
-	char t[4096];
+	char tbuf[4096];
 	isc_boolean_t first;
 	isc_boolean_t no_rdata;
 
@@ -281,7 +281,7 @@
 		name = NULL;
 		dns_message_currentname(msg, sectionid, &name);
 
-		isc_buffer_init(&target, t, sizeof(t));
+		isc_buffer_init(&target, tbuf, sizeof(tbuf));
 		first = ISC_TRUE;
 		print_name = name;
 
@@ -372,13 +372,13 @@
 	isc_buffer_t target;
 	isc_result_t result;
 	isc_region_t r;
-	char t[4096];
+	char tbuf[4096];
 
 	UNUSED(msg);
 	if (headers)
 		printf(";; %s SECTION:\n", set_name);
 
-	isc_buffer_init(&target, t, sizeof(t));
+	isc_buffer_init(&target, tbuf, sizeof(tbuf));
 
 	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
 				     &target);
--- a/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/include/dig/dig.h	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dig.h,v 1.5.4.2 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dig.h,v 1.5.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id: dig.h,v 1.114 2011/12/07 17:23:28 each Exp  */
-
 #ifndef DIG_H
 #define DIG_H
 
@@ -261,7 +259,6 @@
 extern in_port_t port;
 extern unsigned int timeout;
 extern isc_mem_t *mctx;
-extern dns_messageid_t id;
 extern int sendcount;
 extern int ndots;
 extern int lookup_counter;
--- a/external/bsd/bind/dist/bin/dig/nslookup.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dig/nslookup.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: nslookup.c,v 1.3.4.3 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: nslookup.c,v 1.3.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -427,13 +427,12 @@
 	puts("");
 
 	if (!short_form) {
-		isc_boolean_t headers = ISC_TRUE;
 		puts("------------");
 		/*		detailheader(query, msg);*/
-		detailsection(query, msg, headers, DNS_SECTION_QUESTION);
-		detailsection(query, msg, headers, DNS_SECTION_ANSWER);
-		detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
-		detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_QUESTION);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_ANSWER);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_AUTHORITY);
+		detailsection(query, msg, ISC_TRUE, DNS_SECTION_ADDITIONAL);
 		puts("------------");
 	}
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-dsfromkey.c,v 1.3.4.3 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-dsfromkey.c,v 1.3.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2008-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -63,6 +63,7 @@
 static dns_name_t	*name = NULL;
 static isc_mem_t	*mctx = NULL;
 static isc_uint32_t	ttl;
+static isc_boolean_t	emitttl = ISC_FALSE;
 
 static isc_result_t
 initname(char *setname) {
@@ -297,7 +298,7 @@
 	isc_buffer_usedregion(&nameb, &r);
 	printf("%.*s ", (int)r.length, r.base);
 
-	if (ttl != 0U)
+	if (emitttl)
 		printf("%u ", ttl);
 
 	isc_buffer_usedregion(&classb, &r);
@@ -417,6 +418,7 @@
 			usekeyset = ISC_TRUE;
 			break;
 		case 'T':
+			emitttl = ISC_TRUE;
 			ttl = atol(isc_commandline_argument);
 			break;
 		case 'v':
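Review bot: With `emitttl` set unconditionally in `case 'T':`, an argument that `atol()` cannot parse now prints a TTL of `0` in the output record, where the old `ttl != 0U` test silently left the field out. `atol()` gives no error indication, and a negative or oversized value is converted into the 32-bit `ttl` without any check. Parsing with `strtoul()` and an end pointer, and rejecting the option when the end pointer is not at the terminating NUL or the value does not fit in 32 bits, keeps a typo from ending up in a generated DS record. The rest of the option switch is outside the hunk.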
@@ -491,7 +493,7 @@
 		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	dns_rdataset_init(&rdataset);
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*        $NetBSD: dnssec-importkey.c,v 1.5.2.2 2014/12/25 17:54:00 msaitoh Exp $      */
+/*        $NetBSD: dnssec-importkey.c,v 1.5.2.3 2015/11/15 19:09:09 bouyer Exp $      */
 
 /*
- * Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -382,7 +382,7 @@
 		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	dns_rdataset_init(&rdataset);
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.6.4.3 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.6.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2007-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -321,7 +321,7 @@
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(ret));
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	if (predecessor == NULL) {
 	if (label == NULL)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8	Sun Nov 15 19:09:08 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-keygen.8,v 1.3.4.3 2014/12/25 17:54:00 msaitoh Exp $
+.\"	$NetBSD: dnssec-keygen.8,v 1.3.4.4 2015/11/15 19:09:09 bouyer Exp $
 .\"
-.\" Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -138,11 +138,11 @@
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
 0
 or
 none
-removes it.
+is the same as leaving it unset.
 .RE
 .PP
 \-p \fIprotocol\fR
@@ -309,7 +309,7 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.7.4.3 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.7.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -478,7 +478,7 @@
 		fatal("could not initialize dst: %s",
 		      isc_result_totext(ret));
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	if (predecessor == NULL) {
 		if (prepub == -1)
@@ -543,6 +543,9 @@
 				options |= DST_TYPE_KEY;
 		}
 
+		if (!dst_algorithm_supported(alg))
+			fatal("unsupported algorithm: %d", alg);
+
 		if (use_nsec3 &&
 		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
 		    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
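Review bot: The new `dst_algorithm_supported(alg)` check sits at the two-tab indent of what looks like the `if (predecessor == NULL)` branch shown in the earlier hunk, so a successor key that takes its algorithm from an existing key file may never reach it. The enclosing block starts and ends outside this hunk, so that placement is inferred rather than confirmed. If the other branch does not validate the algorithm itself, the same two lines, `if (!dst_algorithm_supported(alg))` and `fatal("unsupported algorithm: %d", alg);`, should run after the branch so both paths fail early with the same message.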
@@ -710,8 +713,13 @@
 			fatal("invalid DSS key size: %d", size);
 		break;
 	case DST_ALG_ECCGOST:
+		size = 256;
+		break;
 	case DST_ALG_ECDSA256:
+		size = 256;
+		break;
 	case DST_ALG_ECDSA384:
+		size = 384;
 		break;
 	case DST_ALG_HMACMD5:
 		options |= DST_TYPE_KEY;
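Review bot: The three elliptic-curve cases now assign `size` unconditionally, which discards whatever value `size` held before (presumably from `-b`), and nothing in the hunk says this is intended. A comment above `case DST_ALG_ECCGOST:` such as `/* key size is fixed by the algorithm; any requested size is overridden */` would record the intent and explain why these cases have no range check like the DSS case above them. The switch statement starts and ends outside this hunk.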
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook	Sun Nov 15 19:09:08 2015 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -45,6 +45,7 @@
       <year>2011</year>
       <year>2012</year>
       <year>2014</year>
+      <year>2015</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -301,8 +302,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <literal>0</literal>
+            or <literal>none</literal> is the same as leaving it unset.
           </para>
         </listitem>
       </varlistentry>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html	Sun Nov 15 19:09:08 2015 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543605"></a><h2>DESCRIPTION</h2>
+<a name="id2543608"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -46,7 +46,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543623"></a><h2>OPTIONS</h2>
+<a name="id2543626"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -175,8 +175,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <code class="literal">0</code>
+            or <code class="literal">none</code> is the same as leaving it unset.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd><p>
@@ -260,7 +262,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544216"></a><h2>TIMING OPTIONS</h2>
+<a name="id2544220"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -334,7 +336,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544406"></a><h2>GENERATED KEYS</h2>
+<a name="id2544410"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -380,7 +382,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544625"></a><h2>EXAMPLE</h2>
+<a name="id2544492"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -401,7 +403,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544668"></a><h2>SEE ALSO</h2>
+<a name="id2544604"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -410,7 +412,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544699"></a><h2>AUTHOR</h2>
+<a name="id2544635"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.8	Sun Nov 15 19:09:08 2015 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: dnssec-settime.8,v 1.3.4.2 2014/12/25 17:54:00 msaitoh Exp $
+.\"	$NetBSD: dnssec-settime.8,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $
 .\"
-.\" Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -71,11 +71,11 @@
 .PP
 \-L \fIttl\fR
 .RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
 0
 or
 none
-removes it.
+removes it from the key.
 .RE
 .PP
 \-h
@@ -178,5 +178,5 @@
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2009\-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009\-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 .br
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-settime.c,v 1.3.4.3 2014/12/25 17:54:00 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-settime.c,v 1.3.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -164,7 +164,7 @@
 	if (result != ISC_R_SUCCESS)
 		fatal("Out of memory");
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	dns_result_register();
 
@@ -335,7 +335,6 @@
 	isc_entropy_stopcallbacksources(ectx);
 
 	if (predecessor != NULL) {
-		char keystr[DST_KEY_FORMATSIZE];
 		int major, minor;
 
 		if (prepub == -1)
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook	Sun Nov 15 19:09:08 2015 +0000
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
                [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2009-2011, 2014  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -39,6 +39,7 @@
       <year>2010</year>
       <year>2011</year>
       <year>2014</year>
+      <year>2015</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -126,8 +127,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <literal>0</literal>
+            or <literal>none</literal> removes it from the key.
           </para>
         </listitem>
       </varlistentry>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-settime.html	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-settime.html	Sun Nov 15 19:09:08 2015 +0000
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543447"></a><h2>DESCRIPTION</h2>
+<a name="id2543450"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -57,7 +57,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543495"></a><h2>OPTIONS</h2>
+<a name="id2543498"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
@@ -80,8 +80,10 @@
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
+            would take precedence.  If this value is not set and there
+            is no existing DNSKEY RRset, the TTL will default to the
+            SOA TTL. Setting the default TTL to <code class="literal">0</code>
+            or <code class="literal">none</code> removes it from the key.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -103,7 +105,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543692"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543697"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -182,7 +184,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543831"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2543835"></a><h2>PRINTING OPTIONS</h2>
 <p>
       <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
@@ -208,7 +210,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543909"></a><h2>SEE ALSO</h2>
+<a name="id2543913"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -216,7 +218,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543942"></a><h2>AUTHOR</h2>
+<a name="id2543946"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.5.4.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.5.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Portions Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -134,7 +134,7 @@
 static isc_entropy_t *ectx = NULL;
 static dns_ttl_t zone_soa_min_ttl;
 static dns_ttl_t soa_ttl;
-static FILE *fp = NULL;
+static FILE *outfp = NULL;
 static char *tempfile = NULL;
 static const dns_master_style_t *masterstyle;
 static dns_masterformat_t inputformat = dns_masterformat_text;
@@ -154,7 +154,7 @@
 static int nsec3flags = 0;
 static dns_iterations_t nsec3iter = 10U;
 static unsigned char saltbuf[255];
-static unsigned char *salt = saltbuf;
+static unsigned char *gsalt = saltbuf;
 static size_t salt_length = 0;
 static isc_task_t *master = NULL;
 static unsigned int ntasks = 0;
@@ -204,7 +204,7 @@
 
 	if (!output_dnssec_only) {
 		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
-						     name, masterstyle, fp);
+						     name, masterstyle, outfp);
 		check_result(result, "dns_master_dumpnodetostream");
 		return;
 	}
@@ -246,7 +246,7 @@
 		check_result(result, "dns_master_rdatasettotext");
 
 		isc_buffer_usedregion(buffer, &r);
-		result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
+		result = isc_stdio_write(r.base, 1, r.length, outfp, NULL);
 		check_result(result, "isc_stdio_write");
 		isc_buffer_clear(buffer);
 
@@ -287,8 +287,6 @@
 				 mctx, &b, &trdata);
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
-		char keystr[DST_KEY_FORMATSIZE];
-		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("dnskey '%s' failed to sign data: %s",
 		      keystr, isc_result_totext(result));
 	}
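Review bot: With the block-local `keystr` and its `dst_key_format()` call removed, the `fatal()` call here prints a `keystr` that must be declared and filled in earlier in the enclosing function, which is outside this hunk. If that outer buffer is populated only on some paths, this error path would format an uninitialised buffer. It is worth confirming that `dst_key_format(key, keystr, sizeof(keystr));` runs unconditionally before the signing call.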
@@ -739,7 +737,7 @@
 static void
 hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
 		      unsigned int hashalg, unsigned int iterations,
-		      const unsigned char *salt, size_t salt_length,
+		      const unsigned char *salt, size_t salt_len,
 		      isc_boolean_t speculative)
 {
 	char nametext[DNS_NAME_FORMATSIZE];
@@ -748,7 +746,7 @@
 	size_t i;
 
 	len = isc_iterated_hash(hash, hashalg, iterations,
-				salt, (int)salt_length,
+				salt, (int)salt_len,
 				name->ndata, name->length);
 	if (verbose) {
 		dns_name_format(name, nametext, sizeof nametext);
@@ -830,7 +828,7 @@
 static void
 addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
 		  unsigned int hashalg, unsigned int iterations,
-		  const unsigned char *salt, size_t salt_length)
+		  const unsigned char *salt, size_t salt_len)
 {
 	dns_fixedname_t fixed;
 	dns_name_t *wild;
@@ -857,7 +855,7 @@
 		fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
 	}
 
-	hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
+	hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_len,
 			      ISC_TRUE);
 }
 
@@ -1828,7 +1826,7 @@
 }
 
 static void
-addnsec3param(const unsigned char *salt, size_t salt_length,
+addnsec3param(const unsigned char *salt, size_t salt_len,
 	      dns_iterations_t iterations)
 {
 	dns_dbnode_t *node = NULL;
@@ -1849,7 +1847,7 @@
 	nsec3param.flags = 0;
 	nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
 	nsec3param.iterations = iterations;
-	nsec3param.salt_length = (unsigned char)salt_length;
+	nsec3param.salt_length = (unsigned char)salt_len;
 	DE_CONST(salt, nsec3param.salt);
 
 	isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
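Review bot: The `(unsigned char)salt_len` cast in `addnsec3param` narrows a `size_t` without a range check, so a length above 255 would be stored truncated while `nsec3param.salt` still points at the full buffer. The call chain visible on this page ends at the global `salt_length`, which is presumably bounded by `saltbuf[255]`, but the function itself does not enforce that. Adding `INSIST(salt_len <= 255U);` before the assignment would make the contract explicit. The function body starts and ends outside this hunk.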
@@ -1888,7 +1886,7 @@
 
 static void
 addnsec3(dns_name_t *name, dns_dbnode_t *node,
-	 const unsigned char *salt, size_t salt_length,
+	 const unsigned char *salt, size_t salt_len,
 	 unsigned int iterations, hashlist_t *hashlist,
 	 dns_ttl_t ttl)
 {
@@ -1902,7 +1900,7 @@
 	isc_result_t result;
 	dns_dbnode_t *nsec3node = NULL;
 	char namebuf[DNS_NAME_FORMATSIZE];
-	size_t hash_length;
+	size_t hash_len;
 
 	dns_name_format(name, namebuf, sizeof(namebuf));
 
@@ -1910,16 +1908,16 @@
 	dns_rdataset_init(&rdataset);
 
 	dns_name_downcase(name, name, NULL);
-	result = dns_nsec3_hashname(&hashname, hash, &hash_length,
+	result = dns_nsec3_hashname(&hashname, hash, &hash_len,
 				    name, gorigin, dns_hash_sha1, iterations,
-				    salt, salt_length);
+				    salt, salt_len);
 	check_result(result, "addnsec3: dns_nsec3_hashname()");
 	nexthash = hashlist_findnext(hashlist, hash);
 	result = dns_nsec3_buildrdata(gdb, gversion, node,
 				      unknownalg ?
 					  DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
 				      nsec3flags, iterations,
-				      salt, salt_length,
+				      salt, salt_len,
 				      nexthash, ISC_SHA1_DIGESTLENGTH,
 				      nsec3buffer, &rdata);
 	check_result(result, "addnsec3: dns_nsec3_buildrdata()");
@@ -1955,7 +1953,7 @@
 static void
 nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 	   unsigned int hashalg, unsigned int iterations,
-	   const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+	   const unsigned char *salt, size_t salt_len, hashlist_t *hashlist)
 {
 	dns_label_t label;
 	dns_rdata_nsec3_t nsec3;
@@ -2015,8 +2013,8 @@
 		check_result(result, "dns_rdata_tostruct");
 		if (exists && nsec3.hash == hashalg &&
 		    nsec3.iterations == iterations &&
-		    nsec3.salt_length == salt_length &&
-		    !memcmp(nsec3.salt, salt, salt_length))
+		    nsec3.salt_length == salt_len &&
+		    !memcmp(nsec3.salt, salt, salt_len))
 			continue;
 		rdatalist.rdclass = rdata.rdclass;
 		rdatalist.type = rdata.type;
@@ -2147,7 +2145,7 @@
  */
 static void
 nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
-	 const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+	 const unsigned char *salt, size_t salt_len, hashlist_t *hashlist)
 {
 	dns_dbiterator_t *dbiter = NULL;
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
@@ -2243,7 +2241,7 @@
 			      isc_result_totext(result));
 		dns_name_downcase(name, name, NULL);
 		hashlist_add_dns_name(hashlist, name, hashalg, iterations,
-				      salt, salt_length, ISC_FALSE);
+				      salt, salt_len, ISC_FALSE);
 		dns_db_detachnode(gdb, &node);
 		/*
 		 * Add hashs for empty nodes.  Use closest encloser logic.
@@ -2254,16 +2252,16 @@
 		dns_name_downcase(nextname, nextname, NULL);
 		dns_name_fullcompare(name, nextname, &order, &nlabels);
 		addnowildcardhash(hashlist, name, hashalg, iterations,
-				  salt, salt_length);
+				  salt, salt_len);
 		count = dns_name_countlabels(nextname);
 		while (count > nlabels + 1) {
 			count--;
 			dns_name_split(nextname, count, NULL, nextname);
 			hashlist_add_dns_name(hashlist, nextname, hashalg,
-					      iterations, salt, salt_length,
+					      iterations, salt, salt_len,
 					      ISC_FALSE);
 			addnowildcardhash(hashlist, nextname, hashalg,
-					  iterations, salt, salt_length);
+					  iterations, salt, salt_len);
 		}
 	}
 	dns_dbiterator_destroy(&dbiter);
@@ -2286,7 +2284,7 @@
 	zonecut = NULL;
 	done = ISC_FALSE;
 
-	addnsec3param(salt, salt_length, iterations);
+	addnsec3param(salt, salt_len, iterations);
 
 	/*
 	 * Clean out NSEC3 records which don't match this chain.
@@ -2299,7 +2297,7 @@
 	     result = dns_dbiterator_next(dbiter)) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
-		nsec3clean(name, node, hashalg, iterations, salt, salt_length,
+		nsec3clean(name, node, hashalg, iterations, salt, salt_len,
 			   hashlist);
 		dns_db_detachnode(gdb, &node);
 	}
@@ -2373,7 +2371,7 @@
 		 * We need to pause here to release the lock on the database.
 		 */
 		dns_dbiterator_pause(dbiter);
-		addnsec3(name, node, salt, salt_length, iterations,
+		addnsec3(name, node, salt, salt_len, iterations,
 			 hashlist, zone_soa_min_ttl);
 		dns_db_detachnode(gdb, &node);
 		/*
@@ -2384,7 +2382,7 @@
 		while (count > nlabels + 1) {
 			count--;
 			dns_name_split(nextname, count, NULL, nextname);
-			addnsec3(nextname, NULL, salt, salt_length,
+			addnsec3(nextname, NULL, salt, salt_len,
 				 iterations, hashlist, zone_soa_min_ttl);
 		}
 	}
@@ -2646,7 +2644,7 @@
 }
 
 static void
-set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
+set_nsec3params(isc_boolean_t update, isc_boolean_t set_salt,
 		isc_boolean_t set_optout, isc_boolean_t set_iter)
 {
 	isc_result_t result;
@@ -2674,7 +2672,7 @@
 
 	nsec_datatype = dns_rdatatype_nsec3;
 
-	if (!update_chain && set_salt) {
+	if (!update && set_salt) {
 		if (salt_length != orig_saltlen ||
 		    memcmp(saltbuf, orig_salt, salt_length) != 0)
 			fatal("An NSEC3 chain exists with a different salt. "
@@ -2682,10 +2680,10 @@
 	} else if (!set_salt) {
 		salt_length = orig_saltlen;
 		memmove(saltbuf, orig_salt, orig_saltlen);
-		salt = saltbuf;
+		gsalt = saltbuf;
 	}
 
-	if (!update_chain && set_iter) {
+	if (!update && set_iter) {
 		if (nsec3iter != orig_iter)
 			fatal("An NSEC3 chain exists with different "
 			      "iterations. Use -u to update it.");
@@ -2719,7 +2717,7 @@
 	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
 	check_result(result, "dns_rdata_tostruct");
 
-	if (!update_chain && set_optout) {
+	if (!update && set_optout) {
 		if (nsec3flags != nsec3.flags)
 			fatal("An NSEC3 chain exists with%s OPTOUT. "
 			      "Use -u -%s to %s it.",
@@ -3409,7 +3407,7 @@
 	if (directory == NULL)
 		directory = ".";
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	argc -= isc_commandline_index;
 	argv += isc_commandline_index;
@@ -3610,7 +3608,7 @@
 
 	if (!nonsecify) {
 	if (IS_NSEC3)
-		nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
+		nsec3ify(dns_hash_sha1, nsec3iter, gsalt, salt_length,
 			 &hashlist);
 	else
 		nsecify();
@@ -3626,7 +3624,7 @@
 	}
 
 	if (output_stdout) {
-		fp = stdout;
+		outfp = stdout;
 		if (outputformatstr == NULL)
 			masterstyle = &dns_master_style_full;
 	} else {
@@ -3639,9 +3637,9 @@
 		check_result(result, "isc_file_mktemplate");
 
 		if (outputformat == dns_masterformat_text)
-		result = isc_file_openunique(tempfile, &fp);
+			result = isc_file_openunique(tempfile, &outfp);
 		else
-			result = isc_file_bopenunique(tempfile, &fp);
+			result = isc_file_bopenunique(tempfile, &outfp);
 		if (result != ISC_R_SUCCESS)
 			fatal("failed to open temporary output file: %s",
 			      isc_result_totext(result));
@@ -3649,8 +3647,8 @@
 		setfatalcallback(&removetempfile);
 	}
 
-	print_time(fp);
-	print_version(fp);
+	print_time(outfp);
+	print_version(outfp);
 
 	result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr);
 	if (result != ISC_R_SUCCESS)
@@ -3720,7 +3718,7 @@
 		}
 		result = dns_master_dumptostream3(mctx, gdb, gversion,
 						  masterstyle, outputformat,
-						  &header, fp);
+						  &header, outfp);
 		check_result(result, "dns_master_dumptostream3");
 	}
 
@@ -3729,7 +3727,7 @@
 		DESTROYLOCK(&statslock);
 
 	if (!output_stdout) {
-		result = isc_stdio_close(fp);
+		result = isc_stdio_close(outfp);
 		check_result(result, "isc_stdio_close");
 		removefile = ISC_FALSE;
 
--- a/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssec-verify.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssec-verify.c,v 1.2.2.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: dnssec-verify.c,v 1.2.2.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -274,7 +274,7 @@
 
 	rdclass = strtoclass(classname);
 
-	setup_logging(verbose, mctx, &log);
+	setup_logging(mctx, &log);
 
 	argc -= isc_commandline_index;
 	argv += isc_commandline_index;
--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.c,v 1.2.6.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: dnssectool.c,v 1.2.6.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -122,8 +122,8 @@
 }
 
 void
-version(const char *program) {
-	fprintf(stderr, "%s %s\n", program, VERSION);
+version(const char *name) {
+	fprintf(stderr, "%s %s\n", name, VERSION);
 	exit(0);
 }
 
@@ -151,7 +151,7 @@
 }
 
 void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	isc_result_t result;
 	isc_logdestination_t destination;
 	isc_logconfig_t *logconfig = NULL;
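Review bot: `setup_logging` no longer takes `verbose`, and the prototype in dnssectool.h changes the same way, but neither place documents where the verbosity now comes from. The body is outside this hunk; if it still reads a `verbose` value, that presumably comes from a file-scope or global variable. A short comment on the declaration such as `/* Uses the global verbose level; set it before calling. */` would tell callers about the ordering dependency.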
--- a/external/bsd/bind/dist/bin/dnssec/dnssectool.h	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/dnssec/dnssectool.h	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: dnssectool.h,v 1.2.6.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: dnssectool.h,v 1.2.6.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004, 2007-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -59,7 +59,7 @@
 #define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
 
 void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, isc_log_t **logp);
 
 void
 cleanup_logging(isc_log_t **logp);
--- a/external/bsd/bind/dist/bin/named/client.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: client.c,v 1.4.4.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: client.c,v 1.4.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -534,6 +534,17 @@
 		INSIST(client->recursionquota == NULL);
 		INSIST(!ISC_QLINK_LINKED(client, ilink));
 
+		if (manager != NULL) {
+			LOCK(&manager->listlock);
+			ISC_LIST_UNLINK(manager->clients, client, link);
+			LOCK(&manager->lock);
+			if (manager->exiting &&
+			    ISC_LIST_EMPTY(manager->clients))
+				destroy_manager = ISC_TRUE;
+			UNLOCK(&manager->lock);
+			UNLOCK(&manager->listlock);
+		}
+
 		ns_query_free(client);
 		isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
 		isc_event_free((isc_event_t **)&client->sendevent);
@@ -551,16 +562,6 @@
 		}
 
 		dns_message_destroy(&client->message);
-		if (manager != NULL) {
-			LOCK(&manager->listlock);
-			ISC_LIST_UNLINK(manager->clients, client, link);
-			LOCK(&manager->lock);
-			if (manager->exiting &&
-			    ISC_LIST_EMPTY(manager->clients))
-				destroy_manager = ISC_TRUE;
-			UNLOCK(&manager->lock);
-			UNLOCK(&manager->listlock);
-		}
 
 		/*
 		 * Detaching the task must be done after unlinking from
@@ -581,6 +582,13 @@
 			isc_mem_stats(client->mctx, stderr);
 			INSIST(0);
 		}
+
+		/*
+		 * Destroy the fetchlock mutex that was created in
+		 * ns_query_init().
+		 */
+		DESTROYLOCK(&client->query.fetchlock);
+
 		isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 	}
 
@@ -1285,7 +1293,6 @@
 	    (ns_g_server->server_id != NULL ||
 	     ns_g_server->server_usehostname)) {
 		if (ns_g_server->server_usehostname) {
-			isc_result_t result;
 			result = ns_os_gethostname(nsid, sizeof(nsid));
 			if (result != ISC_R_SUCCESS) {
 				goto no_nsid;
@@ -1679,8 +1686,18 @@
 	/*
 	 * Deal with EDNS.
 	 */
+	if (ns_g_noedns)
+		opt = NULL;
+	else
 	opt = dns_message_getopt(client->message);
 	if (opt != NULL) {
+		/*
+		 * Are we dropping all EDNS queries?
+		 */
+		if (ns_g_dropedns) {
+			ns_client_next(client, ISC_R_SUCCESS);
+			goto cleanup;
+		}
 		result = process_opt(client, opt);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
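Review bot: As shown in this hunk, the new `else` is followed by `opt = dns_message_getopt(client->message);` at the same indentation as the `if`, so the assignment reads as unconditional although it is the `else` body. If this is not an artifact of a whitespace-insensitive rendering, I would write it as one statement, `opt = ns_g_noedns ? NULL : dns_message_getopt(client->message);`, or brace and indent both branches. The same shape appears in the query.c NXDOMAIN hunk (`break;` under `if (tresult == ISC_R_SUCCESS)`) and in the server.c hunks that add the `view->transferacl` test and the `ns_g_disable4`/`ns_g_disable6` log guards. The enclosing function starts and ends outside the hunk.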
--- a/external/bsd/bind/dist/bin/named/config.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/config.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: config.c,v 1.4.4.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: config.c,v 1.4.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -524,6 +524,13 @@
 	REQUIRE(keysp != NULL && *keysp == NULL);
 	REQUIRE(countp != NULL);
 
+	/*
+	 * Get system defaults.
+	 */
+	result = ns_config_getport(config, &port);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
  newlist:
 	addrlist = cfg_tuple_get(list, "addresses");
 	portobj = cfg_tuple_get(list, "port");
@@ -536,10 +543,6 @@
 			goto cleanup;
 		}
 		port = (in_port_t) val;
-	} else {
-		result = ns_config_getport(config, &port);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
 	}
 
 	result = ISC_R_NOMEMORY;
--- a/external/bsd/bind/dist/bin/named/include/named/globals.h	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/include/named/globals.h	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: globals.h,v 1.3.4.2 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: globals.h,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -159,9 +159,15 @@
 EXTERN isc_time_t		ns_g_boottime;
 EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_dropedns		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_noedns		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_nosoa		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_noaa		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_nonearest		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_notcp		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_disable6		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_disable4		INIT(ISC_FALSE);
+
 
 #undef EXTERN
 #undef INIT
--- a/external/bsd/bind/dist/bin/named/interfacemgr.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/interfacemgr.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: interfacemgr.c,v 1.3.4.2 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: interfacemgr.c,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -394,7 +394,7 @@
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_interface;
 
-	if (accept_tcp == ISC_TRUE) {
+	if (!ns_g_notcp && accept_tcp == ISC_TRUE) {
 		result = ns_interface_accepttcp(ifp);
 		if (result != ISC_R_SUCCESS) {
 			/*
@@ -640,7 +640,7 @@
 	if (isc_net_probeipv6() == ISC_R_SUCCESS)
 		scan_ipv6 = ISC_TRUE;
 #ifdef WANT_IPV6
-	else
+	else if (!ns_g_disable6)
 		isc_log_write(IFMGR_COMMON_LOGARGS,
 			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
 			      "no IPv6 interfaces found");
@@ -648,7 +648,7 @@
 
 	if (isc_net_probeipv4() == ISC_R_SUCCESS)
 		scan_ipv4 = ISC_TRUE;
-	else
+	else if (!ns_g_disable4)
 		isc_log_write(IFMGR_COMMON_LOGARGS,
 			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
 			      "no IPv4 interfaces found");
--- a/external/bsd/bind/dist/bin/named/main.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: main.c,v 1.8.4.2 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: main.c,v 1.8.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -53,6 +53,10 @@
 
 #include <dlz/dlz_dlopen_driver.h>
 
+#ifdef HAVE_GPERFTOOLS_PROFILER
+#include <gperftools/profiler.h>
+#endif
+
 /*
  * Defining NS_MAIN provides storage declarations (rather than extern)
  * for variables in named/globals.h.
@@ -74,6 +78,7 @@
 
 #ifdef OPENSSL
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 #endif
 #ifdef HAVE_LIBXML2
 #include <libxml/xmlversion.h>
@@ -97,6 +102,10 @@
 #define BACKTRACE_MAXFRAME 128
 #endif
 
+extern unsigned int dns_zone_mkey_hour;
+extern unsigned int dns_zone_mkey_day;
+extern unsigned int dns_zone_mkey_month;
+
 static isc_boolean_t	want_stats = ISC_FALSE;
 static char		program_name[ISC_DIR_NAMEMAX] = "named";
 static char		absolute_conffile[ISC_DIR_PATHMAX];
@@ -411,8 +420,6 @@
 	int ch;
 	int port;
 	const char *p;
-	isc_boolean_t disable6 = ISC_FALSE;
-	isc_boolean_t disable4 = ISC_FALSE;
 
 	save_command_line(argc, argv);
 
@@ -422,20 +429,20 @@
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case '4':
-			if (disable4)
+			if (ns_g_disable4)
 				ns_main_earlyfatal("cannot specify -4 and -6");
 			if (isc_net_probeipv4() != ISC_R_SUCCESS)
 				ns_main_earlyfatal("IPv4 not supported by OS");
 			isc_net_disableipv6();
-			disable6 = ISC_TRUE;
+			ns_g_disable6 = ISC_TRUE;
 			break;
 		case '6':
-			if (disable6)
+			if (ns_g_disable6)
 				ns_main_earlyfatal("cannot specify -4 and -6");
 			if (isc_net_probeipv6() != ISC_R_SUCCESS)
 				ns_main_earlyfatal("IPv6 not supported by OS");
 			isc_net_disableipv4();
-			disable4 = ISC_TRUE;
+			ns_g_disable4 = ISC_TRUE;
 			break;
 		case 'c':
 			ns_g_conffile = isc_commandline_argument;
@@ -524,10 +531,50 @@
 				maxudp = 512;
 			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
 				maxudp = 1460;
+			else if (!strcmp(isc_commandline_argument, "dropedns"))
+				ns_g_dropedns = ISC_TRUE;
+			else if (!strcmp(isc_commandline_argument, "noedns"))
+				ns_g_noedns = ISC_TRUE;
+			else if (!strncmp(isc_commandline_argument,
+					  "maxudp=", 7))
+				maxudp = atoi(isc_commandline_argument + 7);
 			else if (!strcmp(isc_commandline_argument, "nosyslog"))
 				ns_g_nosyslog = ISC_TRUE;
 			else if (!strcmp(isc_commandline_argument, "nonearest"))
 				ns_g_nonearest = ISC_TRUE;
+			else if (!strncmp(isc_commandline_argument,
+					  "mkeytimers=", 11))
+			{
+				p = strtok(isc_commandline_argument + 11, "/");
+				if (p == NULL)
+					ns_main_earlyfatal("bad mkeytimer");
+				dns_zone_mkey_hour = atoi(p);
+				if (dns_zone_mkey_hour == 0)
+					ns_main_earlyfatal("bad mkeytimer");
+
+				p = strtok(NULL, "/");
+				if (p == NULL) {
+					dns_zone_mkey_day =
+						(24 * dns_zone_mkey_hour);
+					dns_zone_mkey_month =
+						(30 * dns_zone_mkey_day);
+					break;
+				}
+				dns_zone_mkey_day = atoi(p);
+				if (dns_zone_mkey_day < dns_zone_mkey_hour)
+					ns_main_earlyfatal("bad mkeytimer");
+
+				p = strtok(NULL, "/");
+				if (p == NULL) {
+					dns_zone_mkey_month =
+						(30 * dns_zone_mkey_day);
+					break;
+				}
+				dns_zone_mkey_month = atoi(p);
+				if (dns_zone_mkey_month < dns_zone_mkey_day)
+					ns_main_earlyfatal("bad mkeytimer");
+			} else if (!strcmp(isc_commandline_argument, "notcp"))
+				ns_g_notcp = ISC_TRUE;
 			else
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
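Review bot: The new `mkeytimers=` branch stores `atoi(p)` straight into the `unsigned int` timers, so a negative field such as `-1` wraps to a very large value and passes the `== 0` test, and trailing junk after the digits is accepted silently. The derived defaults `24 * dns_zone_mkey_hour` and `30 * dns_zone_mkey_day` can also wrap for large inputs. I would parse each field with `strtol`, reject an empty or partly numeric field and non-positive values, and bound the value so the multiplications cannot overflow. `maxudp=` in the same hunk has the same unchecked `atoi`. The enclosing switch starts and ends outside the hunk.

```c
			else if (!strncmp(isc_commandline_argument,
					  "mkeytimers=", 11))
			{
				char *endp;
				long v;

				p = strtok(isc_commandline_argument + 11, "/");
				if (p == NULL)
					ns_main_earlyfatal("bad mkeytimer");
				v = strtol(p, &endp, 10);
				/* 24 * 30 bounds the derived day and month defaults */
				if (endp == p || *endp != '\0' || v <= 0 ||
				    (unsigned long)v > UINT_MAX / (24 * 30))
					ns_main_earlyfatal("bad mkeytimer");
				dns_zone_mkey_hour = (unsigned int)v;
				/* ... day and month fields: same strtol check (day bounded by UINT_MAX / 30), then the existing ordering tests ... */
```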
@@ -570,12 +617,20 @@
 			printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
 #endif
 #ifdef OPENSSL
-			printf("using OpenSSL version: %s\n",
+			printf("compiled with OpenSSL version: %s\n",
 			       OPENSSL_VERSION_TEXT);
+#ifndef WIN32
+			printf("linked to OpenSSL version: %s\n",
+			       SSLeay_version(SSLEAY_VERSION));
+#endif
 #endif
 #ifdef HAVE_LIBXML2
-			printf("using libxml2 version: %s\n",
+			printf("compiled with libxml2 version: %s\n",
 			       LIBXML_DOTTED_VERSION);
+#ifndef WIN32
+			printf("linked to libxml2 version: %s\n",
+			       xmlParserVersion);
+#endif
 #endif
 			exit(0);
 		case 'F':
@@ -1082,15 +1137,19 @@
 	char *instance = NULL;
 #endif
 
+#ifdef HAVE_GPERFTOOLS_PROFILER
+	(void) ProfilerStart(NULL);
+#endif
+
 	/*
 	 * Record version in core image.
 	 * strings named.core | grep "named version:"
 	 */
 	strlcat(version,
 #if defined(NO_VERSION_DATE) || !defined(__DATE__)
-		"named version: BIND 9.9.6-P1 <489c6c10>",
+		"named version: BIND 9.9.7-P3 <464a99d>",
 #else
-		"named version: BIND 9.9.6-P1 <489c6c10> (" __DATE__ ")",
+		"named version: BIND 9.9.7-P3 <464a99d> (" __DATE__ ")",
 #endif
 		sizeof(version));
 	result = isc_file_progname(*argv, program_name, sizeof(program_name));
@@ -1198,5 +1257,9 @@
 
 	ns_os_shutdown();
 
+#ifdef HAVE_GPERFTOOLS_PROFILER
+	ProfilerStop();
+#endif
+
 	return (0);
 }
--- a/external/bsd/bind/dist/bin/named/named.html	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/named.html	Sun Nov 15 19:09:08 2015 +0000
@@ -261,7 +261,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544205"></a><h2>CONFIGURATION</h2>
+<a name="id2544137"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
--- a/external/bsd/bind/dist/bin/named/query.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: query.c,v 1.7.2.5 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: query.c,v 1.7.2.6 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -616,6 +616,10 @@
 	client->query.timerset = ISC_FALSE;
 	client->query.rpz_st = NULL;
 	client->query.qname = NULL;
+	/*
+	 * This mutex is destroyed when the client is destroyed in
+	 * exit_check().
+	 */
 	result = isc_mutex_init(&client->query.fetchlock);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -635,8 +639,10 @@
 		return (result);
 	}
 	result = query_newnamebuf(client);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		query_freefreeversions(client, ISC_TRUE);
+		DESTROYLOCK(&client->query.fetchlock);
+	}
 
 	return (result);
 }
@@ -4733,6 +4739,8 @@
 					       DNS_RPZ_DONE_IPv4);
 				break;
 			case DNS_R_DELEGATION:
+			case DNS_R_DUPLICATE:
+			case DNS_R_DROP:
 				goto cleanup;
 			case DNS_R_EMPTYNAME:
 			case DNS_R_NXRRSET:
@@ -4751,12 +4759,13 @@
 			case ISC_R_FAILURE:
 				rpz_rewrite_ns_skip(client, nsname, result,
 						DNS_RPZ_DEBUG_LEVEL3,
-						"NS db_find() ");
+						" NS rpz_rrset_find() ");
 				continue;
 			default:
 				rpz_rewrite_ns_skip(client, nsname, result,
 						DNS_RPZ_INFO_LEVEL,
-						"unrecognized NS db_find() ");
+						" unrecognized NS"
+						" rpz_rrset_find() ");
 				continue;
 			}
 		}
@@ -5455,7 +5464,7 @@
  * Only perform the update if the client is in the allow query acl and
  * returning the update would not cause a DNSSEC validation failure.
  */
-static isc_boolean_t
+static isc_result_t
 redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
 	 dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp,
 	 dns_rdatatype_t qtype)
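Review bot: The comment above `redirect()` still describes only when the update is performed and says nothing about the return value, which this change turns from a boolean into an `isc_result_t` with three outcomes that the callers branch on. I would extend the header comment with a short "Returns" paragraph: `ISC_R_SUCCESS` when redirect data was found and copied, `DNS_R_NXRRSET` or `DNS_R_NCACHENXRRSET` when the redirect zone has the name but not the requested type, and `ISC_R_NOTFOUND` when no redirection applies. It is also worth stating there that on the NXRRSET results `rdataset` has been disassociated, since the later hunk does that before `goto nxrrset`. The function body continues outside this hunk.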
@@ -5474,7 +5483,7 @@
 	CTRACE("redirect");
 
 	if (client->view->redirect == NULL)
-		return (ISC_FALSE);
+		return (ISC_R_NOTFOUND);
 
 	dns_fixedname_init(&fixed);
 	found = dns_fixedname_name(&fixed);
@@ -5484,15 +5493,15 @@
 	dns_clientinfo_init(&ci, client);
 
 	if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
-		return (ISC_FALSE);
+		return (ISC_R_NOTFOUND);
 
 	if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
 		if (rdataset->trust == dns_trust_secure)
-			return (ISC_FALSE);
+			return (ISC_R_NOTFOUND);
 		if (rdataset->trust == dns_trust_ultimate &&
 		    (rdataset->type == dns_rdatatype_nsec ||
 		     rdataset->type == dns_rdatatype_nsec3))
-			return (ISC_FALSE);
+			return (ISC_R_NOTFOUND);
 		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
 			for (result = dns_rdataset_first(rdataset);
 			     result == ISC_R_SUCCESS;
@@ -5503,7 +5512,7 @@
 				if (type == dns_rdatatype_nsec ||
 				    type == dns_rdatatype_nsec3 ||
 				    type == dns_rdatatype_rrsig)
-					return (ISC_FALSE);
+					return (ISC_R_NOTFOUND);
 			}
 		}
 	}
@@ -5512,16 +5521,16 @@
 				 dns_zone_getqueryacl(client->view->redirect),
 					  ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
+		return (ISC_R_NOTFOUND);
 
 	result = dns_zone_getdb(client->view->redirect, &db);
 	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
+		return (ISC_R_NOTFOUND);
 
 	dbversion = query_findversion(client, db);
 	if (dbversion == NULL) {
 		dns_db_detach(&db);
-		return (ISC_FALSE);
+		return (ISC_R_NOTFOUND);
 	}
 
 	/*
@@ -5530,16 +5539,22 @@
 	result = dns_db_findext(db, client->query.qname, dbversion->version,
 				qtype, 0, client->now, &node, found, &cm, &ci,
 				&trdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
+	if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (dns_rdataset_isassociated(&trdataset))
+			dns_rdataset_disassociate(&trdataset);
+		goto nxrrset;
+	} else if (result != ISC_R_SUCCESS) {
 		if (dns_rdataset_isassociated(&trdataset))
 			dns_rdataset_disassociate(&trdataset);
 		if (node != NULL)
 			dns_db_detachnode(db, &node);
 		dns_db_detach(&db);
-		return (ISC_FALSE);
-	}
+		return (ISC_R_NOTFOUND);
+	}
+
 	CTRACE("redirect: found data: done");
-
 	dns_name_copy(found, name, NULL);
 	if (dns_rdataset_isassociated(rdataset))
 		dns_rdataset_disassociate(rdataset);
@@ -5547,6 +5562,7 @@
 		dns_rdataset_clone(&trdataset, rdataset);
 		dns_rdataset_disassociate(&trdataset);
 	}
+ nxrrset:
 	if (*nodep != NULL)
 		dns_db_detachnode(*dbp, nodep);
 	dns_db_detach(dbp);
@@ -5559,7 +5575,7 @@
 	client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 				     NS_QUERYATTR_NOADDITIONAL);
 
-	return (ISC_TRUE);
+	return (result);
 }
 
 /*
@@ -5586,7 +5602,7 @@
 	int order;
 	isc_buffer_t *dbuf;
 	isc_buffer_t b;
-	isc_result_t result, eresult;
+	isc_result_t result, eresult, tresult;
 	dns_fixedname_t fixed;
 	dns_fixedname_t wildcardname;
 	dns_dbversion_t *version, *zversion;
@@ -5601,6 +5617,7 @@
 	int line = -1;
 	isc_boolean_t dns64_exclude, dns64;
 	isc_boolean_t nxrewrite = ISC_FALSE;
+	isc_boolean_t redirected = ISC_FALSE;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 	isc_boolean_t associated;
@@ -5787,7 +5804,6 @@
 		dns_db_t *tdb = NULL;
 		dns_zone_t *tzone = NULL;
 		dns_dbversion_t *tversion = NULL;
-		isc_result_t tresult;
 
 		tresult = query_getzonedb(client, client->query.qname, qtype,
 					 DNS_GETDB_PARTIAL, &tzone, &tdb,
@@ -6277,8 +6293,6 @@
 			 * We're authoritative for an ancestor of QNAME.
 			 */
 			if (!USECACHE(client) || !RECURSIONOK(client)) {
-				dns_fixedname_t fixed;
-
 				dns_fixedname_init(&fixed);
 				dns_name_copy(fname,
 					      dns_fixedname_name(&fixed), NULL);
@@ -6424,8 +6438,6 @@
 				else
 					RECURSE_ERROR(result);
 			} else {
-				dns_fixedname_t fixed;
-
 				dns_fixedname_init(&fixed);
 				dns_name_copy(fname,
 					      dns_fixedname_name(&fixed), NULL);
@@ -6540,6 +6552,8 @@
 		 * Look for a NSEC3 record if we don't have a NSEC record.
 		 */
  nxrrset_rrsig:
+		if (redirected)
+			goto cleanup;
 		if (!dns_rdataset_isassociated(rdataset) &&
 		     WANTDNSSEC(client)) {
 			if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
@@ -6660,10 +6674,21 @@
 
 	case DNS_R_NXDOMAIN:
 		INSIST(is_zone);
-		if (!empty_wild &&
-		    redirect(client, fname, rdataset, &node, &db, &version,
-			     type))
+		if (!empty_wild) {
+			tresult = redirect(client, fname, rdataset, &node,
+					   &db, &version, type);
+			if (tresult == ISC_R_SUCCESS)
 			break;
+			if (tresult == DNS_R_NXRRSET) {
+				redirected = ISC_TRUE;
+				goto iszone_nxrrset;
+			}
+			if (tresult == DNS_R_NCACHENXRRSET) {
+				redirected = ISC_TRUE;
+				is_zone = ISC_FALSE;
+				goto ncache_nxrrset;
+			}
+		}
 		if (dns_rdataset_isassociated(rdataset)) {
 			/*
 			 * If we've got a NSEC record, we need to save the
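Review bot: The two new call sites of `redirect()` treat `DNS_R_NCACHENXRRSET` differently: here the code sets `is_zone = ISC_FALSE` and jumps to `ncache_nxrrset` with `result` still `DNS_R_NXDOMAIN`, while the `DNS_R_NCACHENXDOMAIN` case further down assigns `result = tresult;` before the same jump. The `DNS_R_NXRRSET` branches likewise leave `result` untouched before `goto iszone_nxrrset`. If the code after those labels reads `result` (it is outside the hunk, so I cannot tell), I would add `result = tresult;` before each goto; otherwise a one-line comment saying `result` is deliberately left unchanged would help. The enclosing function starts and ends outside the hunk.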
@@ -6726,9 +6751,22 @@
 		goto cleanup;
 
 	case DNS_R_NCACHENXDOMAIN:
-		if (redirect(client, fname, rdataset, &node, &db, &version,
-			     type))
+		tresult = redirect(client, fname, rdataset, &node,
+				   &db, &version, type);
+		if (tresult == ISC_R_SUCCESS)
 			break;
+		if (tresult == DNS_R_NXRRSET) {
+			redirected = ISC_TRUE;
+			is_zone = ISC_TRUE;
+			goto iszone_nxrrset;
+		}
+		if (tresult == DNS_R_NCACHENXRRSET) {
+			redirected = ISC_TRUE;
+			result = tresult;
+			goto ncache_nxrrset;
+		}
+		/* FALLTHROUGH */
+
 	case DNS_R_NCACHENXRRSET:
 	ncache_nxrrset:
 		INSIST(!is_zone);
--- a/external/bsd/bind/dist/bin/named/server.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/server.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: server.c,v 1.10.4.3 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: server.c,v 1.10.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id */
-
 /*! \file */
 
 #include <config.h>
@@ -2019,15 +2017,18 @@
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
 	dns_zone_setnotifytype(zone, dns_notifytype_no);
 	dns_zone_setdialup(zone, dns_dialuptype_no);
-	if (view->queryacl)
+	if (view->queryacl != NULL)
 		dns_zone_setqueryacl(zone, view->queryacl);
 	else
 		dns_zone_clearqueryacl(zone);
-	if (view->queryonacl)
+	if (view->queryonacl != NULL)
 		dns_zone_setqueryonacl(zone, view->queryonacl);
 	else
 		dns_zone_clearqueryonacl(zone);
 	dns_zone_clearupdateacl(zone);
+	if (view->transferacl != NULL)
+		dns_zone_setxfracl(zone, view->transferacl);
+	else
 	dns_zone_clearxfracl(zone);
 
 	CHECK(setquerystats(zone, view->mctx, statlevel));
@@ -2054,6 +2055,9 @@
 		dns_db_closeversion(db, &version, ISC_FALSE);
 	if (db != NULL)
 		dns_db_detach(&db);
+
+	INSIST(version == NULL);
+
 	return (result);
 }
 
@@ -2425,7 +2429,6 @@
 	result = ns_config_get(maps, "dns64", &obj);
 	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
 	    strcmp(view->name, "_meta")) {
-		const cfg_listelt_t *element;
 		isc_netaddr_t na, suffix, *sp;
 		unsigned int prefixlen;
 		const char *server, *contact;
@@ -2896,7 +2899,6 @@
 	 */
 	{
 		const cfg_obj_t *peers = NULL;
-		const cfg_listelt_t *element;
 		dns_peerlist_t *newpeers = NULL;
 
 		(void)ns_config_get(cfgmaps, "server", &peers);
@@ -2921,7 +2923,6 @@
 	 */
 	{
 		const cfg_obj_t *rrsetorder = NULL;
-		const cfg_listelt_t *element;
 
 		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
 		CHECK(dns_order_create(mctx, &order));
@@ -3221,17 +3222,12 @@
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			const char *str;
-			isc_buffer_t b;
 			dns_name_t *dlv;
 
 			obj = cfg_listelt_value(element);
-			str = cfg_obj_asstring(cfg_tuple_get(obj,
-							     "trust-anchor"));
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
+			obj = cfg_tuple_get(obj, "trust-anchor");
 			dlv = dns_fixedname_name(&view->dlv_fixed);
-			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
+			CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
 						DNS_NAME_DOWNCASE, NULL));
 			view->dlv = dns_fixedname_name(&view->dlv_fixed);
 		}
@@ -3266,28 +3262,22 @@
 	obj = NULL;
 	result = ns_config_get(maps, "root-delegation-only", &obj);
 	if (result == ISC_R_SUCCESS) {
-		dns_view_setrootdelonly(view, ISC_TRUE);
-		if (!cfg_obj_isvoid(obj)) {
 			dns_fixedname_t fixed;
 			dns_name_t *name;
-			isc_buffer_t b;
-			const char *str;
 			const cfg_obj_t *exclude;
 
+		dns_view_setrootdelonly(view, ISC_TRUE);
+
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
 			for (element = cfg_list_first(obj);
 			     element != NULL;
 			     element = cfg_list_next(element)) {
 				exclude = cfg_listelt_value(element);
-				str = cfg_obj_asstring(exclude);
-				isc_buffer_constinit(&b, str, strlen(str));
-				isc_buffer_add(&b, strlen(str));
-				CHECK(dns_name_fromtext(name, &b, dns_rootname,
+			CHECK(dns_name_fromstring(name,
+						  cfg_obj_asstring(exclude),
 							0, NULL));
-				CHECK(dns_view_excludedelegationonly(view,
-								     name));
-			}
+			CHECK(dns_view_excludedelegationonly(view, name));
 		}
 	} else
 		dns_view_setrootdelonly(view, ISC_FALSE);
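Review bot: This hunk removes the `if (!cfg_obj_isvoid(obj))` guard, so `cfg_list_first(obj)` now runs whenever `root-delegation-only` is configured, including the case the old guard skipped. The removed test suggests `obj` can be a void object when no exclude list is given; unless `cfg_list_first()` is known to accept that, I would keep the loop under `if (!cfg_obj_isvoid(obj)) {` and leave only `dns_view_setrootdelonly(view, ISC_TRUE);` unconditional. The indentation in this hunk looks inconsistent, so the rendering may be ignoring whitespace, but the removal of the guard line is explicit. The enclosing function starts and ends outside the hunk.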
@@ -3316,7 +3306,6 @@
 		dns_fixedname_t fixed;
 		dns_name_t *name;
 		isc_buffer_t buffer;
-		const char *str;
 		char server[DNS_NAME_FORMATSIZE + 1];
 		char contact[DNS_NAME_FORMATSIZE + 1];
 		const char *empty_dbtype[4] =
@@ -3330,11 +3319,8 @@
 		obj = NULL;
 		result = ns_config_get(maps, "empty-server", &obj);
 		if (result == ISC_R_SUCCESS) {
-			str = cfg_obj_asstring(obj);
-			isc_buffer_constinit(&buffer, str, strlen(str));
-			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
+			CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+						  0, NULL));
 			isc_buffer_init(&buffer, server, sizeof(server) - 1);
 			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
 			server[isc_buffer_usedlength(&buffer)] = 0;
@@ -3345,11 +3331,8 @@
 		obj = NULL;
 		result = ns_config_get(maps, "empty-contact", &obj);
 		if (result == ISC_R_SUCCESS) {
-			str = cfg_obj_asstring(obj);
-			isc_buffer_constinit(&buffer, str, strlen(str));
-			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
+			CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+						 0, NULL));
 			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
 			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
 			contact[isc_buffer_usedlength(&buffer)] = 0;
@@ -3381,16 +3364,12 @@
 		     empty != NULL;
 		     empty = empty_zones[++empty_zone])
 		{
-			dns_forwarders_t *forwarders = NULL;
-			dns_view_t *pview = NULL;
-
-			isc_buffer_constinit(&buffer, empty, strlen(empty));
-			isc_buffer_add(&buffer, strlen(empty));
+			dns_forwarders_t *dnsforwarders = NULL;
+
 			/*
 			 * Look for zone on drop list.
 			 */
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
+			CHECK(dns_name_fromstring(name, empty, 0, NULL));
 			if (disablelist != NULL &&
 			    on_disable_list(disablelist, name))
 				continue;
@@ -3409,9 +3388,9 @@
 			 * empty zone for it.
 			 */
 			result = dns_fwdtable_find(view->fwdtable, name,
-						   &forwarders);
+						   &dnsforwarders);
 			if (result == ISC_R_SUCCESS &&
-			    forwarders->fwdpolicy == dns_fwdpolicy_only)
+			    dnsforwarders->fwdpolicy == dns_fwdpolicy_only)
 				continue;
 
 			/*
@@ -3862,16 +3841,8 @@
 		if (dns_name_equal(origin, dns_rootname)) {
 			const char *hintsfile = cfg_obj_asstring(fileobj);
 
-			result = configure_hints(view, hintsfile);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_SERVER,
-					      ISC_LOG_ERROR,
-					      "could not configure root hints "
-					      "from '%s': %s", hintsfile,
-					      isc_result_totext(result));
-				goto cleanup;
-			}
+			CHECK(configure_hints(view, hintsfile));
+
 			/*
 			 * Hint zones may also refer to delegation only points.
 			 */
@@ -5160,10 +5131,11 @@
 			isc_portset_addrange(v4portset, udpport_low,
 					     udpport_high);
 		}
+		if (!ns_g_disable4)
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "using default UDP/IPv4 port range: [%d, %d]",
-			      udpport_low, udpport_high);
+				      "using default UDP/IPv4 port range: "
+				      "[%d, %d]", udpport_low, udpport_high);
 	}
 	(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
 	if (avoidv4ports != NULL)
@@ -5182,10 +5154,11 @@
 			isc_portset_addrange(v6portset, udpport_low,
 					     udpport_high);
 		}
+		if (!ns_g_disable6)
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "using default UDP/IPv6 port range: [%d, %d]",
-			      udpport_low, udpport_high);
+				      "using default UDP/IPv6 port range: "
+				      "[%d, %d]", udpport_low, udpport_high);
 	}
 	(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
 	if (avoidv6ports != NULL)
@@ -5688,7 +5661,6 @@
 				(void)cfg_map_get(logobj, "category",
 						  &categories);
 			if (categories != NULL) {
-				const cfg_listelt_t *element;
 				for (element = cfg_list_first(categories);
 				     element != NULL;
 				     element = cfg_list_next(element))
@@ -6654,7 +6626,7 @@
 
 		tresult = putstr(text, problem);
 		if (tresult == ISC_R_SUCCESS)
-			putnull(text);
+			(void) putnull(text);
 	}
 
  cleanup:
@@ -7401,7 +7373,7 @@
 			continue;
 		result = dns_view_flushcache(view);
 		if (result != ISC_R_SUCCESS)
-			goto out;
+			goto cleanup;
 		view->enablevalidation = enable;
 		changed = ISC_TRUE;
 	}
@@ -7409,7 +7381,7 @@
 		result = ISC_R_SUCCESS;
 	else
 		result = ISC_R_FAILURE;
- out:
+ cleanup:
 	isc_task_endexclusive(server->task);
 	return (result);
 }
@@ -7814,7 +7786,6 @@
 	dns_name_t *origin;
 	dns_rbtnode_t *node;
 	dns_tsigkey_t *tkey;
-	unsigned int n;
 	const char *viewname;
 
 	if (view != NULL)
@@ -7848,21 +7819,26 @@
 			if (tkey->generated) {
 				dns_name_format(tkey->creator, creatorstr,
 						sizeof(creatorstr));
-				n = snprintf((char *)isc_buffer_used(text),
-					     isc_buffer_availablelength(text),
-					     "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
-					     viewname, namestr, creatorstr);
+				if (*foundkeys != 0)
+					CHECK(putstr(text, "\n"));
+				CHECK(putstr(text, "view \""));
+				CHECK(putstr(text, viewname));
+				CHECK(putstr(text,
+					     "\"; type \"dynamic\"; key \""));
+				CHECK(putstr(text, namestr));
+				CHECK(putstr(text, "\"; creator \""));
+				CHECK(putstr(text, creatorstr));
+				CHECK(putstr(text, "\";"));
 			} else {
-				n = snprintf((char *)isc_buffer_used(text),
-					     isc_buffer_availablelength(text),
-					     "view \"%s\"; type \"static\"; key \"%s\";\n",
-					     viewname, namestr);
+				if (*foundkeys != 0)
+					CHECK(putstr(text, "\n"));
+				CHECK(putstr(text, "view \""));
+				CHECK(putstr(text, viewname));
+				CHECK(putstr(text,
+					     "\"; type \"static\"; key \""));
+				CHECK(putstr(text, namestr));
+				CHECK(putstr(text, "\";"));
 			}
-			if (n >= isc_buffer_availablelength(text)) {
-				dns_rbtnodechain_invalidate(&chain);
-				return (ISC_R_NOSPACE);
-			}
-			isc_buffer_add(text, n);
 		}
 		result = dns_rbtnodechain_next(&chain, &foundname, origin);
 		if (result == ISC_R_NOMORE)
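Review bot: The failure path of the new `CHECK(putstr(...))` calls no longer invalidates the node chain: the removed overflow branch called `dns_rbtnodechain_invalidate(&chain)` before returning `ISC_R_NOSPACE`, while the `cleanup:` label added in the next hunk only does `return (result);`. Assuming `CHECK` jumps to `cleanup` on error (its definition is not shown), I would make the label `cleanup:` / `dns_rbtnodechain_invalidate(&chain);` / `return (result);` so the error exit matches the previous behaviour. The function starts and ends outside this hunk.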
@@ -7874,12 +7850,14 @@
 	}
 
 	return (ISC_R_SUCCESS);
+
+cleanup:
+	return (result);
 }
 
 isc_result_t
 ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
 	isc_result_t result;
-	unsigned int n;
 	dns_view_t *view;
 	unsigned int foundkeys = 0;
 
@@ -7907,16 +7885,16 @@
 	}
 	isc_task_endexclusive(server->task);
 
-	if (foundkeys == 0) {
-		n = snprintf((char *)isc_buffer_used(text),
-			     isc_buffer_availablelength(text),
-			     "no tsig keys found.\n");
-		if (n >= isc_buffer_availablelength(text))
-			return (ISC_R_NOSPACE);
-		isc_buffer_add(text, n);
-	}
+	if (foundkeys == 0)
+		CHECK(putstr(text, "no tsig keys found."));
+
+	if (isc_buffer_usedlength(text) > 0)
+		CHECK(putnull(text));
 
 	return (ISC_R_SUCCESS);
+
+ cleanup:
+	return (result);
 }
 
 /*
@@ -8579,6 +8557,16 @@
 				result = isc_stdio_read(buf, 1, 1024, ifp, &n);
 			}
 
+			/*
+			 * Close files before overwriting the nzfile
+			 * with the temporary file as it's necessary on
+			 * some platforms (win32).
+			 */
+			(void) isc_stdio_close(ifp);
+			ifp = NULL;
+			(void) isc_stdio_close(ofp);
+			ofp = NULL;
+
 			/* Move temporary into place */
 			CHECK(isc_file_rename(tmpname, view->new_zone_file));
 		} else {
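Review bot: The result of `isc_stdio_close(ofp)` is discarded right before `isc_file_rename(tmpname, view->new_zone_file)`, so a write error that only surfaces when the output file is flushed on close would still let the rename install an incomplete file. `ofp` appears to be the temporary file here. I would keep the early close but check it: `result = isc_stdio_close(ofp);` `ofp = NULL;` `if (result != ISC_R_SUCCESS) goto cleanup;` using whichever label `CHECK` targets in this function. Ignoring the close result for `ifp`, which is only read from, is fine. The enclosing function starts and ends outside the hunk.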
@@ -8609,12 +8597,12 @@
 		putnull(text);
 	if (ifp != NULL)
 		isc_stdio_close(ifp);
-	if (ofp != NULL) {
+	if (ofp != NULL)
 		isc_stdio_close(ofp);
+	if (tmpname != NULL) {
 		isc_file_remove(tmpname);
-	}
-	if (tmpname != NULL)
 		isc_mem_free(server->mctx, tmpname);
+	}
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 
@@ -8660,7 +8648,7 @@
 	isc_boolean_t first = ISC_TRUE;
 	isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
 	isc_boolean_t chain = ISC_FALSE;
-	char keystr[DNS_SECALG_FORMATSIZE + 7];
+	char keystr[DNS_SECALG_FORMATSIZE + 7]; /* <5-digit keyid>/<alg> */
 	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
 	unsigned char salt[255];
 	const char *ptr;
@@ -8686,7 +8674,7 @@
 		ptr = next_token(&args, " \t");
 		if (ptr == NULL)
 			return (ISC_R_UNEXPECTEDEND);
-		memmove(keystr, ptr, sizeof(keystr));
+		strlcpy(keystr, ptr, sizeof(keystr));
 	} else if(strcasecmp(ptr, "-nsec3param") == 0) {
 		const char *hashstr, *flagstr, *iterstr;
 		char nbuf[512];
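Review bot: `strlcpy()` truncates silently, so a key argument longer than `keystr` is cut to fit and then handled as if it were what the operator typed; the return value should be checked on this line. `if (strlcpy(keystr, ptr, sizeof(keystr)) >= sizeof(keystr)) return (ISC_R_NOSPACE);` rejects the over-long token instead of acting on a prefix of it. The enclosing function starts and ends outside this hunk, so how `keystr` is parsed afterwards is not visible here.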
--- a/external/bsd/bind/dist/bin/named/update.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/update.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: update.c,v 1.4.4.2 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: update.c,v 1.4.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -3241,6 +3241,8 @@
 	uev->ev_type = DNS_EVENT_UPDATEDONE;
 	uev->ev_action = updatedone_action;
 	isc_task_send(client->task, &event);
+
+	INSIST(ver == NULL);
 	INSIST(event == NULL);
 }
 
--- a/external/bsd/bind/dist/bin/named/zoneconf.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/zoneconf.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: zoneconf.c,v 1.3.4.2 2014/12/25 17:54:01 msaitoh Exp $	*/
+/*	$NetBSD: zoneconf.c,v 1.3.4.3 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -712,6 +712,8 @@
 		}
 	}
 
+	INSIST(dbversion == NULL);
+
 	return (result);
 }
 
--- a/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Sun Nov 15 17:52:49 2015 +0000
+++ b/external/bsd/bind/dist/bin/nsupdate/nsupdate.c	Sun Nov 15 19:09:08 2015 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: nsupdate.c,v 1.3.4.3 2014/12/25 17:54:02 msaitoh Exp $	*/
+/*	$NetBSD: nsupdate.c,v 1.3.4.4 2015/11/15 19:09:09 bouyer Exp $	*/
 
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -17,8 +17,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Id */
-
 /*! \file */
 
 #include <config.h>
@@ -142,8 +140,8 @@
 static isc_taskmgr_t *taskmgr = NULL;
 static isc_task_t *global_task = NULL;
 static isc_event_t *global_event = NULL;
-static isc_log_t *lctx = NULL;
-static isc_mem_t *mctx = NULL;
+static isc_log_t *glctx = NULL;
+static isc_mem_t *gmctx = NULL;
 static dns_dispatchmgr_t *dispatchmgr = NULL;
 static dns_requestmgr_t *requestmgr = NULL;
 static isc_socketmgr_t *socketmgr = NULL;
@@ -153,7 +151,7 @@
 static dns_message_t *updatemsg = NULL;
 static dns_fixedname_t fuserzone;
 static dns_name_t *userzone = NULL;
-static dns_name_t *zonename = NULL;
+static dns_name_t *zname = NULL;
 static dns_name_t tmpzonename;
 static dns_name_t restart_master;
 static dns_tsig_keyring_t *gssring = NULL;
@@ -162,10 +160,14 @@
 static lwres_context_t *lwctx = NULL;
 static lwres_conf_t *lwconf;
 static isc_sockaddr_t *servers = NULL;
+static isc_sockaddr_t *master_servers = NULL;
 static isc_boolean_t default_servers = ISC_TRUE;
 static int ns_inuse = 0;
+static int master_inuse = 0;
 static int ns_total = 0;
-static isc_sockaddr_t *localaddr = NULL;
+static int master_total = 0;
+static isc_sockaddr_t *localaddr4 = NULL;
+static isc_sockaddr_t *localaddr6 = NULL;
 static const char *keyfile = NULL;
 static char *keystr = NULL;
 static isc_entropy_t *entropy = NULL;
@@ -191,8 +193,10 @@
 } nsu_requestinfo_t;
 
 static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-	    dns_message_t *msg, dns_request_t **request);
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+	    dns_request_t **request);
+static void
+send_update(dns_name_t *zonename, isc_sockaddr_t *master);
 
 ISC_PLATFORM_NORETURN_PRE static void
 fatal(const char *format, ...)
@@ -219,9 +223,8 @@
 static void
 start_gssrequest(dns_name_t *master);
 static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		dns_message_t *msg, dns_request_t **request,
-		gss_ctx_id_t context);
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+		dns_request_t **request, gss_ctx_id_t context);
 static void
 recvgss(isc_task_t *task, isc_event_t *event);
 #endif /* GSSAPI */
@@ -245,8 +248,7 @@
 static ISC_LIST(entropysource_t) sources;
 
 static void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx)
-{
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 	isc_result_t result;
 	isc_entropysource_t *source = NULL;
 	entropysource_t *elt;
@@ -296,6 +298,16 @@
 	isc_entropy_detach(ectx);
 }
 
+static void
+master_from_servers(void) {
+
+	if (master_servers != NULL && master_servers != servers)
+		isc_mem_put(gmctx, master_servers,
+			    master_total * sizeof(isc_sockaddr_t));
+	master_servers = servers;
+	master_total = ns_total;
+	master_inuse = ns_inuse;
+}
 
 static dns_rdataclass_t
 getzoneclass(void) {
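Review bot: `master_from_servers()` leaves `master_servers` pointing at the same allocation as `servers`, and nothing at the definition states that ownership rule; every site that frees `servers` has to remember to clear the alias first. A header comment would make this explicit, e.g. `/* Make master_servers alias servers, releasing a separately owned master list first; while aliased, master_servers must not be freed on its own. */`. The blank line directly after the opening brace can be dropped as well.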
@@ -418,7 +430,7 @@
 	if (updatemsg != NULL)
 		dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
 	else {
-		result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+		result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER,
 					    &updatemsg);
 		check_result(result, "dns_message_create");
 	}
@@ -523,13 +535,13 @@
 	char *secretstr;
 	char *s, *n;
 	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
+	dns_name_t *mykeyname;
 	char *name;
 	dns_name_t *hmacname = NULL;
 	isc_uint16_t digestbits = 0;
 
 	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
+	mykeyname = dns_fixedname_name(&fkeyname);
 
 	debug("Creating key...");
 
@@ -554,11 +566,12 @@
 	isc_buffer_add(&keynamesrc, (unsigned int)(n - name));
 
 	debug("namefromtext");
-	result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, 0, NULL);
+	result = dns_name_fromtext(mykeyname, &keynamesrc, dns_rootname, 0,
+				   NULL);
 	check_result(result, "dns_name_fromtext");
 
 	secretlen = strlen(secretstr) * 3 / 4;
-	secret = isc_mem_allocate(mctx, secretlen);
+	secret = isc_mem_allocate(gmctx, secretlen);
 	if (secret == NULL)
 		fatal("out of memory");
 
@@ -573,8 +586,8 @@
 	secretlen = isc_buffer_usedlength(&secretbuf);
 
 	debug("keycreate");
-	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
+	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+				    ISC_FALSE, NULL, 0, 0, gmctx, NULL,
 				    &tsigkey);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "could not create key from %s: %s\n",
@@ -583,7 +596,7 @@
 		dst_key_setbits(tsigkey->key, digestbits);
  failure:
 	if (secret != NULL)
-		isc_mem_free(mctx, secret);
+		isc_mem_free(gmctx, secret);
 }
 
 /*
@@ -596,7 +609,7 @@
 	const cfg_obj_t *key = NULL;
 	const cfg_obj_t *secretobj = NULL;
 	const cfg_obj_t *algorithmobj = NULL;
-	const char *keyname;
+	const char *mykeyname;
 	const char *secretstr;
 	const char *algorithm;
 	isc_result_t result;
@@ -623,13 +636,13 @@
 	if (secretobj == NULL || algorithmobj == NULL)
 		fatal("key must have algorithm and secret");
 
-	keyname = cfg_obj_asstring(cfg_map_getname(key));
+	mykeyname = cfg_obj_asstring(cfg_map_getname(key));
 	secretstr = cfg_obj_asstring(secretobj);
 	algorithm = cfg_obj_asstring(algorithmobj);
 
-	len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
+	len = strlen(algorithm) + strlen(mykeyname) + strlen(secretstr) + 3;
 	keystr = isc_mem_allocate(mctx, len);
-	snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
+	snprintf(keystr, len, "%s:%s:%s", algorithm, mykeyname, secretstr);
 	setup_keystr();
 
  cleanup:
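Review bot: `keystr = isc_mem_allocate(mctx, len)` is passed to `snprintf()` on the next line without a NULL check, whereas the other allocations visible in this file call `fatal("out of memory")` on failure. Add `if (keystr == NULL) fatal("out of memory");` between the two lines. This function also still allocates from its `mctx` parameter while the file-scope context is renamed to `gmctx` elsewhere in this patch; if the file-scope `keystr` is released through `gmctx` (not visible here), that depends on callers always passing the same context and deserves a comment. The function begins outside this hunk.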
@@ -716,11 +729,23 @@
 doshutdown(void) {
 	isc_task_detach(&global_task);
 
+	/*
+	 * The isc_mem_put of master_servers must be before the
+	 * isc_mem_put of servers as it sets the servers pointer
+	 * to NULL.
+	 */
+	if (master_servers != NULL && master_servers != servers)
+		isc_mem_put(gmctx, master_servers,
+			    master_total * sizeof(isc_sockaddr_t));
+
 	if (servers != NULL)
-		isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
-
-	if (localaddr != NULL)
-		isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
+		isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
+
+	if (localaddr4 != NULL)
+		isc_mem_put(gmctx, localaddr4, sizeof(isc_sockaddr_t));
+
+	if (localaddr6 != NULL)
+		isc_mem_put(gmctx, localaddr6, sizeof(isc_sockaddr_t));
 
 	if (tsigkey != NULL) {
 		ddebug("Freeing TSIG key");
@@ -807,25 +832,31 @@
 	if (!have_ipv4 && !have_ipv6)
 		fatal("could not find either IPv4 or IPv6");
 
-	result = isc_log_create(mctx, &lctx, &logconfig);
+	result = isc_log_create(gmctx, &glctx, &logconfig);
 	check_result(result, "isc_log_create");
 
-	isc_log_setcontext(lctx);
-	dns_log_init(lctx);
-	dns_log_setcontext(lctx);
+	isc_log_setcontext(glctx);
+	dns_log_init(glctx);
+	dns_log_setcontext(glctx);
 
 	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
 	check_result(result, "isc_log_usechannel");
 
-	isc_log_setdebuglevel(lctx, logdebuglevel);
-
-	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+	isc_log_setdebuglevel(glctx, logdebuglevel);
+
+	lwresult = lwres_context_create(&lwctx, gmctx, mem_alloc, mem_free, 1);
 	if (lwresult != LWRES_R_SUCCESS)
 		fatal("lwres_context_create failed");
 
 	(void)lwres_conf_parse(lwctx, RESOLV_CONF);
 	lwconf = lwres_conf_get(lwctx);
 
+	if (servers != NULL) {
+		if (master_servers == servers)
+			master_servers = NULL;
+		isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
+	}
+
 	ns_inuse = 0;
 	if (local_only || lwconf->nsnext <= 0) {
 		struct in_addr in;
@@ -834,14 +865,10 @@
 		if (local_only && keyfile == NULL)
 			keyfile = SESSION_KEYFILE;
 
-		default_servers = ISC_FALSE;
-
-		if (servers != NULL)
-			isc_mem_put(mctx, servers,
-				    ns_total * sizeof(isc_sockaddr_t));
+		default_servers = !local_only;
 
 		ns_total = (have_ipv4 ? 1 : 0) + (have_ipv6 ? 1 : 0);
-		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+		servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
 		if (servers == NULL)
 			fatal("out of memory");
 
@@ -857,7 +884,7 @@
 		}
 	} else {
 		ns_total = lwconf->nsnext;
-		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+		servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
 		if (servers == NULL)
 			fatal("out of memory");
 		for (i = 0; i < ns_total; i++) {
@@ -878,22 +905,22 @@
 		}
 	}
 
-	setup_entropy(mctx, NULL, &entropy);
-
-	result = isc_hash_create(mctx, entropy, DNS_NAME_MAXWIRE);
+	setup_entropy(gmctx, NULL, &entropy);
+
+	result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
 	check_result(result, "isc_hash_create");
 	isc_hash_init();
 
-	result = dns_dispatchmgr_create(mctx, entropy, &dispatchmgr);
+	result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
 	check_result(result, "dns_dispatchmgr_create");
 
-	result = isc_socketmgr_create(mctx, &socketmgr);
+	result = isc_socketmgr_create(gmctx, &socketmgr);
 	check_result(result, "dns_socketmgr_create");
 
-	result = isc_timermgr_create(mctx, &timermgr);
+	result = isc_timermgr_create(gmctx, &timermgr);
 	check_result(result, "dns_timermgr_create");
 
-	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
+	result = isc_taskmgr_create(gmctx, 1, 0, &taskmgr);
 	check_result(result, "isc_taskmgr_create");
 
 	result = isc_task_create(taskmgr, 0, &global_task);
@@ -902,7 +929,7 @@
 	result = isc_task_onshutdown(global_task, shutdown_program, NULL);
 	check_result(result, "isc_task_onshutdown");
 
-	result = dst_lib_init(mctx, entropy, 0);
+	result = dst_lib_init(gmctx, entropy, 0);
 	check_result(result, "dst_lib_init");
 	is_dst_up = ISC_TRUE;
 
@@ -933,7 +960,7 @@
 		check_result(result, "dns_dispatch_getudp (v4)");
 	}
 
-	result = dns_requestmgr_create(mctx, timermgr,
+	result = dns_requestmgr_create(gmctx, timermgr,
 				       socketmgr, taskmgr, dispatchmgr,
 				       dispatchv4, dispatchv6, &requestmgr);
 	check_result(result, "dns_requestmgr_create");
@@ -941,12 +968,12 @@
 	if (keystr != NULL)
 		setup_keystr();
 	else if (local_only) {
-		result = read_sessionkey(mctx, lctx);
+		result = read_sessionkey(gmctx, glctx);
 		if (result != ISC_R_SUCCESS)
 			fatal("can't read key from %s: %s\n",
 			      keyfile, isc_result_totext(result));
 	} else if (keyfile != NULL)
-		setup_keyfile(mctx, lctx);
+		setup_keyfile(gmctx, glctx);
 }
 
 static void
@@ -1156,7 +1183,7 @@
 
 	result = dns_message_gettempname(msg, namep);
 	check_result(result, "dns_message_gettempname");
-	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+	result = isc_buffer_allocate(gmctx, &namebuf, DNS_NAME_MAXWIRE);
 	check_result(result, "isc_buffer_allocate");
 	dns_name_init(*namep, NULL);
 	dns_name_setbuffer(*namep, namebuf);
@@ -1191,21 +1218,21 @@
 
 	if (*cmdline != 0) {
 		dns_rdatacallbacks_init(&callbacks);
-		result = isc_lex_create(mctx, strlen(cmdline), &lex);
+		result = isc_lex_create(gmctx, strlen(cmdline), &lex);
 		check_result(result, "isc_lex_create");
 		isc_buffer_init(&source, cmdline, strlen(cmdline));
 		isc_buffer_add(&source, strlen(cmdline));
 		result = isc_lex_openbuffer(lex, &source);
 		check_result(result, "isc_lex_openbuffer");
-		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+		result = isc_buffer_allocate(gmctx, &buf, MAXWIRE);
 		check_result(result, "isc_buffer_allocate");
 		result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
-					    dns_rootname, 0, mctx, buf,
+					    dns_rootname, 0, gmctx, buf,
 					    &callbacks);
 		isc_lex_destroy(&lex);
 		if (result == ISC_R_SUCCESS) {
 			isc_buffer_usedregion(buf, &r);
-			result = isc_buffer_allocate(mctx, &newbuf, r.length);
+			result = isc_buffer_allocate(gmctx, &newbuf, r.length);
 			check_result(result, "isc_buffer_allocate");
 			isc_buffer_putmem(newbuf, r.base, r.length);
 			isc_buffer_usedregion(newbuf, &r);
@@ -1398,13 +1425,17 @@
 		}
 	}
 
-	if (servers != NULL)
-		isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
+	if (servers != NULL) {
+		if (master_servers == servers)
+			master_servers = NULL;
+		isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
+	}
 
 	default_servers = ISC_FALSE;
 
 	ns_total = MAX_SERVERADDRS;
-	servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+	ns_inuse = 0;
+	servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
 	if (servers == NULL)
 			fatal("out of memory");
 
@@ -1444,17 +1475,19 @@
 		}
 	}
 
-	if (localaddr == NULL) {
-		localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
-		if (localaddr == NULL)
+	if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1) {
+		if (localaddr6 == NULL)
+			localaddr6 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+		if (localaddr6 == NULL)
 			fatal("out of memory");
-	}
-
-	if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1)
-		isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port);
-	else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1)
-		isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port);
-	else {
+		isc_sockaddr_fromin6(localaddr6, &in6, (in_port_t)port);
+	} else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1) {
+		if (localaddr4 == NULL)
+			localaddr4 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+		if (localaddr4 == NULL)
+			fatal("out of memory");
+		isc_sockaddr_fromin(localaddr4, &in4, (in_port_t)port);
+	} else {
 		fprintf(stderr, "invalid address %s", local);
 		return (STATUS_SYNTAX);
 	}
@@ -1469,7 +1502,7 @@
 	isc_buffer_t b;
 	isc_result_t result;
 	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
+	dns_name_t *mykeyname;
 	int secretlen;
 	unsigned char *secret = NULL;
 	isc_buffer_t secretbuf;
@@ -1484,7 +1517,7 @@
 	}
 
 	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
+	mykeyname = dns_fixedname_name(&fkeyname);
 
 	n = strchr(namestr, ':');
 	if (n != NULL) {
@@ -1495,7 +1528,7 @@
 
 	isc_buffer_init(&b, namestr, strlen(namestr));
 	isc_buffer_add(&b, strlen(namestr));
-	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	result = dns_name_fromtext(mykeyname, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not parse key name\n");
 		return (STATUS_SYNTAX);
@@ -1507,7 +1540,7 @@
 		return (STATUS_SYNTAX);
 	}
 	secretlen = strlen(secretstr) * 3 / 4;
-	secret = isc_mem_allocate(mctx, secretlen);
+	secret = isc_mem_allocate(gmctx, secretlen);
 	if (secret == NULL)
 		fatal("out of memory");
 
@@ -1516,17 +1549,17 @@
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s: %s\n",
 			secretstr, isc_result_totext(result));
-		isc_mem_free(mctx, secret);
+		isc_mem_free(gmctx, secret);
 		return (STATUS_SYNTAX);
 	}
 	secretlen = isc_buffer_usedlength(&secretbuf);
 
 	if (tsigkey != NULL)
 		dns_tsigkey_detach(&tsigkey);
-	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
+	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+				    ISC_FALSE, NULL, 0, 0, gmctx, NULL,
 				    &tsigkey);
-	isc_mem_free(mctx, secret);
+	isc_mem_free(gmctx, secret);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s %s: %s\n",
 			namestr, secretstr, dns_result_totext(result));
@@ -1570,7 +1603,7 @@
 	int n;
 
 	if (realm != NULL) {
-			isc_mem_free(mctx, realm);
+		isc_mem_free(gmctx, realm);
 		realm = NULL;
 	}
 
@@ -1581,7 +1614,7 @@
 	n = snprintf(buf, sizeof(buf), "@%s", word);
 	if (n < 0 || (size_t)n >= sizeof(buf))
 		fatal("realm is too long");
-	realm = isc_mem_strdup(mctx, buf);
+	realm = isc_mem_strdup(gmctx, buf);
 	if (realm == NULL)
 		fatal("out of memory");
 	return (STATUS_MORE);
@@ -1906,7 +1939,7 @@
 		}
 		if (buf != NULL)
 			isc_buffer_free(&buf);
-		result = isc_buffer_allocate(mctx, &buf, bufsz);
+		result = isc_buffer_allocate(gmctx, &buf, bufsz);
 		check_result(result, "isc_buffer_allocate");
 		result = dns_message_totext(msg, style, 0, buf);
 		bufsz *= 2;
@@ -2119,6 +2152,19 @@
 	}
 }
 
+static isc_boolean_t
+next_master(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) {
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+	fprintf(stderr, "; Communication with %s failed: %s\n",
+		addrbuf, isc_result_totext(eresult));
+	if (++master_inuse >= master_total)
+		return (ISC_FALSE);
+	ddebug("%s: trying next server", caller);
+	return (ISC_TRUE);
+}
+
 static void
 update_completed(isc_task_t *task, isc_event_t *event) {
 	dns_requestevent_t *reqev = NULL;
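Review bot: The bound in `if (++master_inuse >= master_total)` counts allocated slots rather than resolved addresses. The later hunk that fills the list sets `master_total = MAX_SERVERADDRS`, zero-fills the array and calls `get_addresses(serverstr, dnsport, master_servers, master_total)` without recording how many entries were written. Unless `get_addresses()` (not shown) always fills every slot, a failover can step onto a zeroed `isc_sockaddr_t` and hand it to `send_update()`. Track the number of addresses actually stored and use that as `master_total`, or have `next_master()` stop when the next entry has no address family set. A one-line comment saying that the function advances the file-scope `master_inuse` even when it returns `ISC_FALSE` would also help.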
@@ -2143,13 +2189,22 @@
 	}
 
 	if (reqev->result != ISC_R_SUCCESS) {
-		fprintf(stderr, "; Communication with server failed: %s\n",
-			isc_result_totext(reqev->result));
+		if (!next_master("recvsoa", &master_servers[master_inuse],
+				 reqev->result)) {
 		seenerror = ISC_TRUE;
 		goto done;
 	}
 
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		dns_message_renderreset(updatemsg);
+		dns_message_settsigkey(updatemsg, NULL);
+		send_update(zname, &master_servers[master_inuse]);
+		isc_event_free(&event);
+		return;
+	}
+
+	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &answer);
 	check_result(result, "dns_message_create");
 	result = dns_request_getresponse(request, answer,
 					 DNS_MESSAGEPARSE_PRESERVEORDER);
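Review bot: The call `next_master("recvsoa", ...)` passes the wrong caller name: this code appears to sit in `update_completed()` (its signature is in the preceding hunk), so the `ddebug` line will report "recvsoa: trying next server" for a failed update. Use `next_master("update_completed", &master_servers[master_inuse], reqev->result)`. The lines `seenerror = ISC_TRUE;`, `goto done;` and the following `}` also kept their old indentation, so the brace that closes the inner `if (!next_master(...))` reads as if it closed the outer `if`; indent those three lines one level deeper.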
@@ -2203,24 +2258,23 @@
  done:
 	dns_request_destroy(&request);
 	if (usegsstsig) {
-		dns_name_free(&tmpzonename, mctx);
-		dns_name_free(&restart_master, mctx);
+		dns_name_free(&tmpzonename, gmctx);
+		dns_name_free(&restart_master, gmctx);
 	}
 	isc_event_free(&event);
 	done_update();
 }
 
 static void
-send_update(dns_name_t *zonename, isc_sockaddr_t *master,
-	    isc_sockaddr_t *srcaddr)
-{
+send_update(dns_name_t *zone, isc_sockaddr_t *master) {
 	isc_result_t result;
 	dns_request_t *request = NULL;
 	unsigned int options = DNS_REQUESTOPT_CASE;
+	isc_sockaddr_t *srcaddr;
 
 	ddebug("send_update()");
 
-	setzone(zonename);
+	setzone(zone);
 
 	if (usevc)
 		options |= DNS_REQUESTOPT_TCP;
@@ -2235,6 +2289,11 @@
 		fprintf(stderr, "Sending update to %s\n", addrbuf);
 	}
 
+	if (isc_sockaddr_pf(master) == AF_INET6)
+		srcaddr = localaddr6;
+	else
+		srcaddr = localaddr4;
+
 	/* Windows doesn't like the tsig name to be compressed. */
 	if (updatemsg->tsigname)
 		updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
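Review bot: The address-family selection `if (isc_sockaddr_pf(master) == AF_INET6) srcaddr = localaddr6; else srcaddr = localaddr4;` is repeated verbatim in three later hunks: the SOA retry before `dns_request_createvia3()`, `sendrequest()` and `send_gssrequest()`. One static helper would keep the four sites in step, e.g. `static isc_sockaddr_t *local_for(isc_sockaddr_t *dest) { return (isc_sockaddr_pf(dest) == AF_INET6 ? localaddr6 : localaddr4); }`, with each caller reduced to `srcaddr = local_for(master);`. A comment on the helper should say that it returns NULL when no local address was configured for that family, since that is what the globals hold by default. `send_update()` continues past the end of this hunk.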
@@ -2280,6 +2339,7 @@
 	nsu_requestinfo_t *reqinfo;
 	dns_message_t *soaquery = NULL;
 	isc_sockaddr_t *addr;
+	isc_sockaddr_t *srcaddr;
 	isc_boolean_t seencname = ISC_FALSE;
 	dns_name_t tname;
 	unsigned int nlabels;
@@ -2301,7 +2361,7 @@
 	if (shuttingdown) {
 		dns_request_destroy(&request);
 		dns_message_destroy(&soaquery);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
 		isc_event_free(&event);
 		maybeshutdown();
 		return;
@@ -2313,20 +2373,20 @@
 		dns_request_destroy(&request);
 		dns_message_renderreset(soaquery);
 		dns_message_settsigkey(soaquery, NULL);
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+		sendrequest(&servers[ns_inuse], soaquery, &request);
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
 		isc_event_free(&event);
 		setzoneclass(dns_rdataclass_none);
 		return;
 	}
 
-	isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+	isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
 	reqinfo = NULL;
 	isc_event_free(&event);
 	reqev = NULL;
 
 	ddebug("About to create rcvmsg");
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
 	check_result(result, "dns_message_create");
 	result = dns_request_getresponse(request, rcvmsg,
 					 DNS_MESSAGEPARSE_PRESERVEORDER);
@@ -2334,15 +2394,21 @@
 		dns_message_destroy(&rcvmsg);
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
-		reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+		reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
 		if (reqinfo == NULL)
 			fatal("out of memory");
 		reqinfo->msg = soaquery;
 		reqinfo->addr = addr;
 		dns_message_renderreset(soaquery);
 		ddebug("retrying soa request without TSIG");
-		result = dns_request_createvia3(requestmgr, soaquery,
-						localaddr, addr, 0, NULL,
+
+		if (isc_sockaddr_pf(addr) == AF_INET6)
+			srcaddr = localaddr6;
+		else
+			srcaddr = localaddr4;
+
+		result = dns_request_createvia3(requestmgr, soaquery, srcaddr,
+						addr, 0, NULL,
 						FIND_TIMEOUT * 20,
 						FIND_TIMEOUT, 3,
 						global_task, recvsoa, reqinfo,
@@ -2436,9 +2502,9 @@
 	dns_name_clone(&soa.origin, &master);
 
 	if (userzone != NULL)
-		zonename = userzone;
+		zname = userzone;
 	else
-		zonename = name;
+		zname = name;
 
 	if (debugging) {
 		char namestr[DNS_NAME_FORMATSIZE];
@@ -2446,38 +2512,45 @@
 		fprintf(stderr, "The master is: %s\n", namestr);
 	}
 
-	if (servers == NULL) {
+	if (default_servers) {
 		char serverstr[DNS_NAME_MAXTEXT+1];
 		isc_buffer_t buf;
+		size_t size;
 
 		isc_buffer_init(&buf, serverstr, sizeof(serverstr));
 		result = dns_name_totext(&master, ISC_TRUE, &buf);
 		check_result(result, "dns_name_totext");
 		serverstr[isc_buffer_usedlength(&buf)] = 0;
 
-		ns_total = MAX_SERVERADDRS;
-		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
-		if (servers == NULL)
+		if (master_servers != NULL && master_servers != servers)
+			isc_mem_put(gmctx, master_servers,
+				    master_total * sizeof(isc_sockaddr_t));
+		master_total = MAX_SERVERADDRS;
+		size = master_total * sizeof(isc_sockaddr_t);
+		master_servers = isc_mem_get(gmctx, size);
+		if (master_servers == NULL)
 			fatal("out of memory");
 
-		memset(servers, 0, ns_total * sizeof(isc_sockaddr_t));
-		get_addresses(serverstr, dnsport, servers, ns_total);
-	}
+		memset(master_servers, 0, size);
+		get_addresses(serverstr, dnsport, master_servers, master_total);
+		master_inuse = 0;
+	} else
+		master_from_servers();
 	dns_rdata_freestruct(&soa);
 
 #ifdef GSSAPI
 	if (usegsstsig) {
 		dns_name_init(&tmpzonename, NULL);
-		dns_name_dup(zonename, mctx, &tmpzonename);
+		dns_name_dup(zname, gmctx, &tmpzonename);
 		dns_name_init(&restart_master, NULL);
-		dns_name_dup(&master, mctx, &restart_master);
+		dns_name_dup(&master, gmctx, &restart_master);
 		start_gssrequest(&master);
 	} else {
-		send_update(zonename, &servers[ns_inuse], localaddr);
+		send_update(zname, &master_servers[master_inuse]);
 		setzoneclass(dns_rdataclass_none);
 	}
 #else
-	send_update(zonename, &servers[ns_inuse], localaddr);
+	send_update(zname, &master_servers[master_inuse]);
 	setzoneclass(dns_rdataclass_none);
 #endif
 
@@ -2503,22 +2576,29 @@
 	dns_request_destroy(&request);
 	dns_message_renderreset(soaquery);
 	dns_message_settsigkey(soaquery, NULL);
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+	sendrequest(&servers[ns_inuse], soaquery, &request);
 	goto out;
 }
 
 static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-	    dns_message_t *msg, dns_request_t **request)
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+	    dns_request_t **request)
 {
 	isc_result_t result;
 	nsu_requestinfo_t *reqinfo;
-
-	reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+	isc_sockaddr_t *srcaddr;
+
+	reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
 	if (reqinfo == NULL)
 		fatal("out of memory");
 	reqinfo->msg = msg;
 	reqinfo->addr = destaddr;
+
+	if (isc_sockaddr_pf(destaddr) == AF_INET6)
+		srcaddr = localaddr6;
+	else
+		srcaddr = localaddr4;
+
 	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
 					default_servers ? NULL : tsigkey,
 					FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
@@ -2533,8 +2613,7 @@
  * Get the realm from the users kerberos ticket if possible
  */
 static void
-get_ticket_realm(isc_mem_t *mctx)
-{
+get_ticket_realm(isc_mem_t *mctx) {
 	krb5_context ctx;
 	krb5_error_code rc;
 	krb5_ccache ccache;
@@ -2591,7 +2670,7 @@
 	dns_name_t *servname;
 	dns_fixedname_t fname;
 	char namestr[DNS_NAME_FORMATSIZE];
-	char keystr[DNS_NAME_FORMATSIZE];
+	char mykeystr[DNS_NAME_FORMATSIZE];
 	char *err_message = NULL;
 
 	debug("start_gssrequest");
@@ -2600,7 +2679,7 @@
 	if (gssring != NULL)
 		dns_tsigkeyring_detach(&gssring);
 	gssring = NULL;
-	result = dns_tsigkeyring_create(mctx, &gssring);
+	result = dns_tsigkeyring_create(gmctx, &gssring);
 
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_tsigkeyring_create failed: %s",
@@ -2608,7 +2687,7 @@
 
 	dns_name_format(master, namestr, sizeof(namestr));
 	if (kserver == NULL) {
-		kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+		kserver = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
 		if (kserver == NULL)
 			fatal("out of memory");
 	}
@@ -2621,7 +2700,7 @@
 	servname = dns_fixedname_name(&fname);
 
 	if (realm == NULL)
-		get_ticket_realm(mctx);
+		get_ticket_realm(gmctx);
 
 	result = isc_string_printf(servicename, sizeof(servicename),
 				   "DNS/%s%s", namestr, realm ? realm : "");
@@ -2639,13 +2718,13 @@
 	keyname = dns_fixedname_name(&fkname);
 
 	isc_random_get(&val);
-	result = isc_string_printf(keystr, sizeof(keystr), "%u.sig-%s",
+	result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
 				   val, namestr);
 	if (result != ISC_R_SUCCESS)
-		fatal("isc_string_printf(keystr) failed: %s",
+		fatal("isc_string_printf(mykeystr) failed: %s",
 		      isc_result_totext(result));
-	isc_buffer_init(&buf, keystr, strlen(keystr));
-	isc_buffer_add(&buf, strlen(keystr));
+	isc_buffer_init(&buf, mykeystr, strlen(mykeystr));
+	isc_buffer_add(&buf, strlen(mykeystr));
 
 	result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
@@ -2656,7 +2735,7 @@
 	keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
 
 	rmsg = NULL;
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_message_create failed: %s",
 		      isc_result_totext(result));
@@ -2665,7 +2744,7 @@
 	context = GSS_C_NO_CONTEXT;
 	result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
 					&context, use_win2k_gsstsig,
-					mctx, &err_message);
+					gmctx, &err_message);
 	if (result == ISC_R_FAILURE)
 		fatal("tkey query failed: %s",
 		      err_message != NULL ? err_message : "unknown error");
@@ -2673,20 +2752,20 @@
 		fatal("dns_tkey_buildgssquery failed: %s",
 		      isc_result_totext(result));
 
-	send_gssrequest(localaddr, kserver, rmsg, &request, context);
+	send_gssrequest(kserver, rmsg, &request, context);
 }
 
 static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		dns_message_t *msg, dns_request_t **request,
-		gss_ctx_id_t context)
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+		dns_request_t **request, gss_ctx_id_t context)
 {
 	isc_result_t result;
 	nsu_gssinfo_t *reqinfo;
 	unsigned int options = 0;
+	isc_sockaddr_t *srcaddr;
 
 	debug("send_gssrequest");
-	reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
+	reqinfo = isc_mem_get(gmctx, sizeof(nsu_gssinfo_t));
 	if (reqinfo == NULL)
 		fatal("out of memory");
 	reqinfo->msg = msg;
@@ -2694,6 +2773,12 @@
 	reqinfo->context = context;
 
 	options |= DNS_REQUESTOPT_TCP;
+
+	if (isc_sockaddr_pf(destaddr) == AF_INET6)
+		srcaddr = localaddr6;
+	else
+		srcaddr = localaddr4;
+
 	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
 					options, tsigkey, FIND_TIMEOUT * 20,
 					FIND_TIMEOUT, 3, global_task, recvgss,
@@ -2737,7 +2822,7 @@
 	if (shuttingdown) {
 		dns_request_destroy(&request);
 		dns_message_destroy(&tsigquery);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 		isc_event_free(&event);
 		maybeshutdown();
 		return;
@@ -2748,18 +2833,18 @@
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
 		dns_message_renderreset(tsigquery);
-		sendrequest(localaddr, &servers[ns_inuse], tsigquery, &request);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+		sendrequest(&servers[ns_inuse], tsigquery, &request);
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 		isc_event_free(&event);
 		return;
 	}
-	isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+	isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 
 	isc_event_free(&event);
 	reqev = NULL;
 
 	ddebug("recvgss creating rcvmsg");
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
 	check_result(result, "dns_message_create");
 
 	result = dns_request_getresponse(request, rcvmsg,
@@ -2802,8 +2887,7 @@
 	switch (result) {
 
 	case DNS_R_CONTINUE:
-		send_gssrequest(localaddr, kserver, tsigquery, &request,
-				context);
+		send_gssrequest(kserver, tsigquery, &request, context);
 		break;
 
 	case ISC_R_SUCCESS:
@@ -2836,7 +2920,7 @@
 		check_result(result, "dns_message_checksig");
 #endif /* 0 */
 
-		send_update(&tmpzonename, &servers[ns_inuse], localaddr);
+		send_update(&tmpzonename, &master_servers[master_inuse]);
 		setzoneclass(dns_rdataclass_none);
 		break;
 
@@ -2870,13 +2954,19 @@
 	if (answer != NULL)
 		dns_message_destroy(&answer);
 
-	if (userzone != NULL && ! usegsstsig) {
-		send_update(userzone, &servers[ns_inuse], localaddr);
+	/* 
+	 * If we have both the zone and the servers we have enough information
+	 * to send the update straight away otherwise we need to discover
+	 * the zone and / or the master server.
+	 */
+	if (userzone != NULL && !default_servers && !usegsstsig) {
+		master_from_servers();
+		send_update(userzone, &master_servers[master_inuse]);
 		setzoneclass(dns_rdataclass_none);
 		return;
 	}
 
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER,
 				    &soaquery);
 	check_result(result, "dns_message_create");
 
@@ -2933,7 +3023,7 @@
 	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
 
 		ns_inuse = 0;
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+		sendrequest(&servers[ns_inuse], soaquery, &request);
 	}
 
 static void
@@ -2953,11 +3043,11 @@
 		dns_tsigkeyring_detach(&gssring);
 	}
 	if (kserver != NULL) {
-		isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
+		isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t));
 		kserver = NULL;
 	}
 	if (realm != NULL) {
-		isc_mem_free(mctx, realm);
+		isc_mem_free(gmctx, realm);
 		realm = NULL;
 	}
 #endif
@@ -2984,12 +3074,12 @@
 	dns_name_destroy();
 
 	ddebug("Removing log context");
-	isc_log_destroy(&lctx);
+	isc_log_destroy(&glctx);
 
 	ddebug("Destroying memory context");
 	if (memdebugging)
-		isc_mem_stats(mctx, stderr);
-	isc_mem_destroy(&mctx);
+		isc_mem_stats(gmctx, stderr);
+	isc_mem_destroy(&gmctx);
 }
 
 static void
@@ -3029,14 +3119,14 @@
 
 	pre_parse_args(argc, argv);
 
-	result = isc_mem_create(0, 0, &mctx);
+	result = isc_mem_create(0, 0, &gmctx);
 	check_result(result, "isc_mem_create");
 
-	parse_args(argc, argv, mctx, &entropy);
+	parse_args(argc, argv, gmctx, &entropy);
 
 	setup_system();
 
-	result = isc_app_onrun(mctx, global_task, getinput, NULL);
+	result = isc_app_onrun(gmctx, global_task, getinput, NULL);
 	check_result(result, "isc_app_onrun");
 
 	(void)isc_app_run();
--- a/external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch	Sun Nov 15 17:52:49 2015 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15908 +0,0 @@
-Index: openssl/Configure
-diff -u openssl/Configure:1.8.6.1.4.1.2.1 openssl/Configure:1.8.2.2
---- openssl/Configure:1.8.6.1.4.1.2.1	Thu Jul  3 12:12:31 2014
-+++ openssl/Configure	Thu Jul  3 12:31:57 2014
-@@ -12,7 +12,7 @@
- 
- # see INSTALL for instructions.
- 
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
- 
- # Options:
- #
-@@ -25,6 +25,12 @@
- #               default).  This needn't be set in advance, you can
- #               just as well use "make INSTALL_PREFIX=/whatever install".
- #
-+# --pk11-libname  PKCS#11 library name.
-+#               (No default)
-+#
-+# --pk11-flavor either crypto-accelerator or sign-only
-+#               (No default)
-+#
- # --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
- #		to live in the subdirectory lib/ and the header files in
- #		include/.  A value is required.
-@@ -336,7 +342,7 @@
- "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### IA-32 targets...
- "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -344,7 +350,7 @@
- "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
-@@ -591,6 +597,10 @@
- my $idx_ranlib = $idx++;
- my $idx_arflags = $idx++;
- 
-+# PKCS#11 engine patch
-+my $pk11_libname="";
-+my $pk11_flavor="";
-+
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-@@ -829,6 +839,14 @@
- 				{
- 				$flags.=$_." ";
- 				}
-+			elsif (/^--pk11-libname=(.*)$/)
-+				{
-+				$pk11_libname=$1;
-+				}
-+			elsif (/^--pk11-flavor=(.*)$/)
-+				{
-+				$pk11_flavor=$1;
-+				}
- 			elsif (/^--prefix=(.*)$/)
- 				{
- 				$prefix=$1;
-@@ -964,6 +982,22 @@
- 	exit 0;
- }
- 
-+if (! $pk11_libname)
-+        {
-+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
-+        print STDERR "See README.pkcs11 for more information.\n";
-+        exit 1;
-+        }
-+
-+if (! $pk11_flavor
-+    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
-+	{
-+	print STDERR "You must set --pk11-flavor.\n";
-+	print STDERR "Choices are crypto-accelerator and sign-only.\n";
-+	print STDERR "See README.pkcs11 for more information.\n";
-+	exit 1;
-+	}
-+
- if ($target =~ m/^CygWin32(-.*)$/) {
- 	$target = "Cygwin".$1;
- }
-@@ -1079,6 +1113,25 @@
- 	print "\n";
- 	}
- 
-+if ($pk11_flavor eq "crypto-accelerator")
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
-+	$options .= " no-hw-pkcs11so";
-+	print "    no-hw-pkcs11so  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11SO\n";
-+	}
-+else
-+	{
-+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
-+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
-+	$options .= " no-hw-pkcs11ca";
-+	print "    no-hw-pkcs11ca  [pk11-flavor]";
-+	print " OPENSSL_NO_HW_PKCS11CA\n";
-+}
-+
- my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
- 
- $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
-@@ -1130,6 +1183,8 @@
- if ($flags ne "")	{ $cflags="$flags$cflags"; }
- else			{ $no_user_cflags=1;       }
- 
-+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
-+
- # Kerberos settings.  The flavor must be provided from outside, either through
- # the script "config" or manually.
- if (!$no_krb5)
-@@ -1493,6 +1548,7 @@
- 	s/^VERSION=.*/VERSION=$version/;
- 	s/^MAJOR=.*/MAJOR=$major/;
- 	s/^MINOR=.*/MINOR=$minor/;
-+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
- 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
- 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
- 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-Index: openssl/Makefile.org
-diff -u openssl/Makefile.org:1.4.6.1.6.1 openssl/Makefile.org:1.4.2.1
---- openssl/Makefile.org:1.4.6.1.6.1	Thu Jul  3 12:12:31 2014
-+++ openssl/Makefile.org	Thu Jul  3 12:31:58 2014
-@@ -26,6 +26,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.6.4.2
---- /dev/null	Thu Jul  3 12:39:57 2014
-+++ openssl/README.pkcs11	Fri Oct  4 14:45:25 2013
-@@ -0,0 +1,266 @@
-+ISC modified
-+============
-+
-+The previous key naming scheme was kept for backward compatibility.
-+
-+The PKCS#11 engine exists in two flavors, crypto-accelerator and
-+sign-only. The first one is from the Solaris patch and uses the
-+PKCS#11 device for all crypto operations it supports. The second
-+is a stripped down version which provides only the useful
-+function (i.e., signature with a RSA private key in the device
-+protected key store and key loading).
-+
-+As a hint PKCS#11 boards should use the crypto-accelerator flavor,
-+external PKCS#11 devices the sign-only. SCA 6000 is an example
-+of the first, AEP Keyper of the second.
-+
-+Note it is mandatory to set a pk11-flavor (and only one) in
-+config/Configure.
-+
-+It is highly recommended to compile in (vs. as a DSO) the engine.
-+The way to configure this is system dependent, on Unixes it is no-shared
-+(and is in general the default), on WIN32 it is enable-static-engine
-+(and still enable to build the OpenSSL libraries as DLLs).
-+
-+PKCS#11 engine support for OpenSSL 0.9.8l
-+=========================================
-+
-+[Nov 19, 2009]
-+
-+Contents:
-+
-+Overview
-+Revisions of the patch for 0.9.8 branch
-+FAQs
-+Feedback
-+
-+Overview
-+========
-+
-+This patch containing code available in OpenSolaris adds support for PKCS#11
-+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
-+must provide PKCS#11 backend otherwise the patch is useless. You provide the
-+PKCS#11 library name during the build configuration phase, see below.
-+
-+Patch can be applied like this:
-+
-+	# NOTE: use gtar if on Solaris
-+	tar xfzv openssl-0.9.8l.tar.gz
-+	# now download the patch to the current directory
-+	# ...
-+	cd openssl-0.9.8l
-+	# NOTE: must use gpatch if on Solaris (is part of the system)
-+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
-+
-+It is designed to support pure acceleration for RSA, DSA, DH and all the
-+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
-+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
-+
-+According to the PKCS#11 providers installed on your machine, it can support
-+following mechanisms:
-+
-+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
-+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
-+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
-+	SHA256, SHA384, SHA512
-+
-+Note that for AES counter mode the application must provide their own EVP
-+functions since OpenSSL doesn't support counter mode through EVP yet. You may
-+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
-+example of code that uses the PKCS#11 engine and deals with the fork-safety
-+problem (see engine.c and packet.c files if interested).
-+
-+You must provide the location of PKCS#11 library in your system to the
-+configure script. You will be instructed to do that when you try to run the
-+config script:
-+
-+	$ ./config 
-+	Operating system: i86pc-whatever-solaris2
-+	Configuring for solaris-x86-cc
-+	You must set --pk11-libname for PKCS#11 library.
-+	See README.pkcs11 for more information.
-+
-+Taking openCryptoki project on Linux AMD64 box as an example, you would run
-+configure script like this:
-+
-+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
-+
-+To check whether newly built openssl really supports PKCS#11 it's enough to run
-+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
-+output. If you see no PKCS#11 engine support check that the built openssl binary
-+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
-+
-+The patch, during various phases of development, was tested on Solaris against
-+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
-+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
-+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
-+information). Some Linux distributions even ship those libraries with the
-+system. The patch should work on any system that is supported by OpenSSL itself
-+and has functional PKCS#11 library.
-+
-+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
-+copyrighted by RSA Security Inc., see pkcs11.h for more information.
-+
-+Other added/modified code in this patch is copyrighted by Sun Microsystems,
-+Inc. and is released under the OpenSSL license (see LICENSE file for more
-+information).
-+
-+Revisions of the patch for 0.9.8 branch
-+=======================================
-+
-+2009-11-19
-+- adjusted for OpenSSL version 0.9.8l
-+
-+- bugs and RFEs:
-+
-+	6479874 OpenSSL should support RSA key by reference/hardware keystores
-+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
-+	6732677 make check to trigger Solaris specific code automatic in the
-+		PKCS#11 engine
-+
-+2009-03-11
-+- adjusted for OpenSSL version 0.9.8j 
-+
-+- README.pkcs11 moved out of the patch, and is shipped together with it in a
-+  tarball instead so that it can be read before the patch is applied.
-+
-+- fixed bugs:
-+
-+	6804216 pkcs#11 engine should support a key length range for RC4
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-12-02
-+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
-+
-+	6723504 more granular locking in PKCS#11 engine
-+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
-+	6710420 PKCS#11 engine source should be lint clean
-+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
-+		it seriously
-+	6746712 PKCS#11 engine source code should be cstyle clean
-+	6731380 return codes of several functions are not checked in the PKCS#11
-+		engine code
-+	6746735 PKCS#11 engine should use extended FILE space API
-+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
-+		meta slot is disabled
-+
-+2008-08-01
-+- fixed bug
-+
-+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
-+		and digests
-+
-+- Solaris specific code for slot selection made automatic
-+
-+2008-07-29
-+- update the patch to OpenSSL 0.9.8h version
-+- pkcs11t.h updated to the latest version:
-+
-+	6545665 make CKM_AES_CTR available to non-kernel users
-+
-+- fixed bugs in the engine code:
-+
-+	6602801 PK11_SESSION cache has to employ reference counting scheme for
-+		asymmetric key operations
-+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
-+		atomically
-+	6607307 pkcs#11 engine can't read RSA private keys
-+	6652362 pk11_RSA_finish() is cutting corners
-+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
-+		suboptimal way
-+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
-+		resilient to destroy failures
-+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
-+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
-+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
-+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
-+		of big numbers leading to failures
-+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
-+		-1
-+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
-+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
-+		checked
-+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
-+		structure reuse
-+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
-+		OPENSSL_NO_{RSA,DSA,DH}
-+	defines but fails miserably
-+	6709966 make check_new_*() to return values to indicate cache hit/miss
-+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
-+		generate_params parameter
-+	6709513 PKCS#11 engine sets IV length even for ECB modes
-+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
-+		PKCS#11 engine
-+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
-+
-+- new features and enhancements:
-+
-+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
-+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
-+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
-+		ciphers and digests
-+
-+2007-10-15
-+- update for 0.9.8f version
-+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
-+
-+2007-10-02
-+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
-+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
-+
-+2007-09-26
-+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
-+	  significant performance drop
-+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
-+
-+2007-05-25
-+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
-+
-+2007-05-19
-+- initial patch for 0.9.8e using latest OpenSolaris code
-+
-+FAQs
-+====
-+
-+(1) my build failed on Linux distro with this error:
-+
-+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
-+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
-+
-+Answer:
-+
-+	- don't use "no-threads" when configuring
-+	- if you didn't then OpenSSL failed to create a threaded library by
-+	  default. You may manually edit Configure and try again. Look for the
-+	  architecture that Configure printed, for example:
-+
-+Configured for linux-elf.
-+
-+	- then edit Configure, find string "linux-elf" (inluding the quotes),
-+	  and add flags to support threads to the 4th column of the 2nd string.
-+	  If you build with GCC then adding "-pthread" should be enough. With
-+	  "linux-elf" as an example, you would add " -pthread" right after
-+	  "-D_REENTRANT", like this:
-+
-+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
-+
-+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
-+pthread_atfork() function when trying to build OpenSSL with the patch.
-+
-+Answer:
-+
-+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
-+	(as of Nov 2009). You can not use the patch there.
-+
-+
-+Feedback
-+========
-+
-+Please send feedback to security-discuss@opensolaris.org. The patch was
-+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
-+
-+Latest version should be always available on http://blogs.sun.com/janp.
-+
-Index: openssl/crypto/opensslconf.h
-diff -u openssl/crypto/opensslconf.h:1.5.10.1 openssl/crypto/opensslconf.h:1.5
---- openssl/crypto/opensslconf.h:1.5.10.1	Sun Jan 15 15:45:34 2012
-+++ openssl/crypto/opensslconf.h	Fri Sep  4 10:43:21 2009
-@@ -38,6 +38,9 @@
- 
- #endif /* OPENSSL_DOING_MAKEDEPEND */
- 
-+#ifndef OPENSSL_THREADS
-+# define OPENSSL_THREADS
-+#endif
- #ifndef OPENSSL_NO_DYNAMIC_ENGINE
- # define OPENSSL_NO_DYNAMIC_ENGINE
- #endif
-@@ -79,6 +82,8 @@
- # endif
- #endif
- 
-+#define OPENSSL_CPUID_OBJ
-+
- /* crypto/opensslconf.h.in */
- 
- #ifdef OPENSSL_DOING_MAKEDEPEND
-@@ -140,7 +145,7 @@
-  * This enables code handling data aligned at natural CPU word
-  * boundary. See crypto/rc4/rc4_enc.c for further details.
-  */
--#undef RC4_CHUNK
-+#define RC4_CHUNK unsigned long
- #endif
- #endif
- 
-@@ -148,7 +153,7 @@
- /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
-  * %20 speed up (longs are 8 bytes, int's are 4). */
- #ifndef DES_LONG
--#define DES_LONG unsigned long
-+#define DES_LONG unsigned int
- #endif
- #endif
- 
-@@ -162,9 +167,9 @@
- /* The prime number generation stuff may not work when
-  * EIGHT_BIT but I don't care since I've only used this mode
-  * for debuging the bignum libraries */
--#undef SIXTY_FOUR_BIT_LONG
-+#define SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
--#define THIRTY_TWO_BIT
-+#undef THIRTY_TWO_BIT
- #undef SIXTEEN_BIT
- #undef EIGHT_BIT
- #endif
-@@ -178,7 +183,7 @@
- 
- #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
- #define CONFIG_HEADER_BF_LOCL_H
--#undef BF_PTR
-+#define BF_PTR2
- #endif /* HEADER_BF_LOCL_H */
- 
- #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-@@ -208,7 +213,7 @@
- /* Unroll the inner loop, this sometimes helps, sometimes hinders.
-  * Very mucy CPU dependant */
- #ifndef DES_UNROLL
--#undef DES_UNROLL
-+#define DES_UNROLL
- #endif
- 
- /* These default values were supplied by
-Index: openssl/crypto/bio/bss_file.c
-diff -u openssl/crypto/bio/bss_file.c:1.5.6.1 openssl/crypto/bio/bss_file.c:1.5
---- openssl/crypto/bio/bss_file.c:1.5.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/bio/bss_file.c	Mon Jun 13 14:25:17 2011
-@@ -125,7 +125,7 @@
- 		{
- 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
- 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
--		if (errno == ENOENT)
-+		if ((errno == ENOENT) || ((*mode == 'r') && (errno == EACCES)))
- 			BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
- 		else
- 			BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
-Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1.6
---- openssl/crypto/engine/Makefile:1.6.6.1	Sun Jan 15 15:45:35 2012
-+++ openssl/crypto/engine/Makefile	Mon Jun 13 14:25:19 2011
-@@ -21,12 +21,14 @@
- 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c \
--	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
-+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
-+	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o \
--	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
-+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
-+	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
- 
- SRC= $(LIBSRC)
- 
-@@ -288,6 +290,102 @@
- eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
- eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
- eng_table.o: eng_table.c
-+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
-+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
-+hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
-+hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
- tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
- tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
- tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-Index: openssl/crypto/engine/cryptoki.h
-diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Thu Jul  3 12:39:57 2014
-+++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
-@@ -0,0 +1,103 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License, Version 1.0 only
-+ * (the "License").  You may not use this file except in compliance
-+ * with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ */
-+/*
-+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#ifndef	_CRYPTOKI_H
-+#define	_CRYPTOKI_H
-+
-+/* ident	"@(#)cryptoki.h	1.2	05/06/08 SMI" */
-+
-+#ifdef	__cplusplus
-+extern "C" {
-+#endif
-+
-+#ifndef	CK_PTR
-+#define	CK_PTR *
-+#endif
-+
-+#ifndef CK_DEFINE_FUNCTION
-+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION
-+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION_POINTER
-+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef CK_CALLBACK_FUNCTION
-+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef NULL_PTR
-+#include <unistd.h>	/* For NULL */
-+#define	NULL_PTR NULL
-+#endif
-+
-+/*
-+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
-+ */
-+#ifndef	CK_DISABLE_TRUE_FALSE
-+#define	CK_DISABLE_TRUE_FALSE
-+#ifndef	TRUE
-+#define	TRUE	1
-+#endif /* TRUE */
-+#ifndef	FALSE
-+#define	FALSE	0
-+#endif /* FALSE */
-+#endif /* CK_DISABLE_TRUE_FALSE */
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+#include "pkcs11.h"
-+
-+/* Solaris specific functions */
-+
-+#include <stdlib.h>
-+
-+/*
-+ * SUNW_C_GetMechSession will initialize the framework and do all
-+ * the necessary PKCS#11 calls to create a session capable of
-+ * providing operations on the requested mechanism
-+ */
-+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
-+    CK_SESSION_HANDLE_PTR hSession);
-+
-+/*
-+ * SUNW_C_KeyToObject will create a secret key object for the given
-+ * mechanism from the rawkey data.
-+ */
-+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
-+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
-+    CK_OBJECT_HANDLE_PTR obj);
-+
-+
-+#ifdef	__cplusplus
-+}
-+#endif
-+
-+#endif	/* _CRYPTOKI_H */
-Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.4.6.1.6.1 openssl/crypto/engine/eng_all.c:1.4.2.1
---- openssl/crypto/engine/eng_all.c:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
-+++ openssl/crypto/engine/eng_all.c	Thu Jul  3 12:31:59 2014
-@@ -110,6 +110,14 @@
- #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
- 	ENGINE_load_cryptodev();
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+	ENGINE_load_pk11ca();
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+	ENGINE_load_pk11so();
-+#endif
-+#endif
- #endif
- 	}
- 
-Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.4.6.1.6.1 openssl/crypto/engine/engine.h:1.4.2.1
---- openssl/crypto/engine/engine.h:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
-+++ openssl/crypto/engine/engine.h	Thu Jul  3 12:32:00 2014
-@@ -344,6 +344,12 @@
- void ENGINE_load_cryptodev(void);
- void ENGINE_load_padlock(void);
- void ENGINE_load_builtin_engines(void);
-+#ifndef OPENSSL_NO_HW_PKCS11CA
-+void ENGINE_load_pk11ca(void);
-+#endif
-+#ifndef OPENSSL_NO_HW_PKCS11SO
-+void ENGINE_load_pk11so(void);
-+#endif
- 
- /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
-  * "registry" handling. */
-Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4
---- /dev/null	Thu Jul  3 12:39:57 2014
-+++ openssl/crypto/engine/hw_pk11.c	Fri Oct  4 14:45:25 2013
-@@ -0,0 +1,4116 @@
-+/*
-+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/md5.h>
-+#include <openssl/pem.h>
-+#ifndef OPENSSL_NO_RSA
-+#include <openssl/rsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+#include <openssl/dsa.h>
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+typedef int pid_t;
-+#define getpid() GetCurrentProcessId()
-+#define NOPTHREADS
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include <signal.h>
-+#include <unistd.h>
-+#include <dlfcn.h>
-+#endif
-+
-+/* Debug mutexes */
-+/*#undef DEBUG_MUTEX */
-+#define DEBUG_MUTEX
-+
-+#ifndef NOPTHREADS
-+/* for pthread error check on Linuxes */
-+#ifdef DEBUG_MUTEX
-+#define __USE_UNIX98
-+#endif
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+#ifndef OPENSSL_NO_HW_PK11CA
-+
-+/* label for debug messages printed on stderr */
-+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
-+/* prints a lot of debug messages on stderr about slot selection process */
-+/* #undef	DEBUG_SLOT_SELECTION */
-+/*
-+ * Solaris specific code. See comment at check_hw_mechanisms() for more
-+ * information.
-+ */
-+#if defined(__SVR4) && defined(__sun)
-+#undef	SOLARIS_HW_SLOT_SELECTION
-+#endif
-+
-+/*
-+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
-+ * there are official OIDs for mechanisms based on this mode. With our changes,
-+ * an application can define its own EVP calls for AES counter mode and then
-+ * it can make use of hardware acceleration through this engine. However, it's
-+ * better if we keep AES CTR support code under ifdef's.
-+ */
-+#define	SOLARIS_AES_CTR
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11ca.h"
-+#include "hw_pk11_err.c"
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NIDs for AES counter mode that will be defined during the engine
-+ * initialization.
-+ */
-+static int NID_aes_128_ctr = NID_undef;
-+static int NID_aes_192_ctr = NID_undef;
-+static int NID_aes_256_ctr = NID_undef;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+/*
-+ * We use this lock to prevent multiple C_Login()s, guard getpassphrase(),
-+ * uri_struct manipulation, and static token info. All of that is used by the
-+ * RSA keys by reference feature.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *token_lock;
-+#endif
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+/*
-+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
-+ * library. See comment at check_hw_mechanisms() for more information.
-+ */
-+static int *hw_cnids;
-+static int *hw_dnids;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* PKCS#11 session caches and their locks for all operation types */
-+static PK11_CACHE session_cache[OP_MAX];
-+
-+/*
-+ * We cache the flags so that we do not have to run C_GetTokenInfo() again when
-+ * logging into the token.
-+ */
-+CK_FLAGS pubkey_token_flags;
-+
-+/*
-+ * As stated in v2.20, 11.7 Object Management Function, in section for
-+ * C_FindObjectsInit(), at most one search operation may be active at a given
-+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
-+ * grouped together to form one atomic search operation. This is already
-+ * ensured by the property of unique PKCS#11 session handle used for each
-+ * PK11_SESSION object.
-+ *
-+ * This is however not the biggest concern - maintaining consistency of the
-+ * underlying object store is more important. The same section of the spec also
-+ * says that one thread can be in the middle of a search operation while another
-+ * thread destroys the object matching the search template which would result in
-+ * invalid handle returned from the search operation.
-+ *
-+ * Hence, the following locks are used for both protection of the object stores.
-+ * They are also used for active list protection.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
-+#endif
-+
-+/*
-+ * lists of asymmetric key handles which are active (referenced by at least one
-+ * PK11_SESSION structure, either held by a thread or present in free_session
-+ * list) for given algorithm type
-+ */
-+PK11_active *active_list[OP_MAX] = { NULL };
-+
-+/*
-+ * Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects.
-+ */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+/* active list manipulation functions used in this file */
-+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
-+extern void pk11_free_active_list(PK11_OPTYPE type);
-+
-+#ifndef OPENSSL_NO_RSA
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
-+#endif
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions(void);
-+static int pk11_free_session_list(PK11_OPTYPE optype);
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh,
-+	CK_BBOOL persistent);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+/* Symmetric cipher and digest support functions */
-+static int cipher_nid_to_pk11(int nid);
-+#ifdef	SOLARIS_AES_CTR
-+static int pk11_add_NID(char *sn, char *ln);
-+static int pk11_add_aes_ctr_NIDs(void);
-+#endif	/* SOLARIS_AES_CTR */
-+static int pk11_usable_ciphers(const int **nids);
-+static int pk11_usable_digests(const int **nids);
-+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+	const unsigned char *iv, int enc);
-+static int pk11_cipher_final(PK11_SESSION *sp);
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl);
-+#else
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, size_t inl);
-+#endif
-+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid);
-+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid);
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
-+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
-+	int key_len);
-+static int md_nid_to_pk11(int nid);
-+static int pk11_digest_init(EVP_MD_CTX *ctx);
-+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
-+	size_t count);
-+static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
-+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
-+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
-+    int *local_cipher_nids);
-+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
-+    CK_SLOT_ID current_slot, int *current_slot_n_digest,
-+    int *local_digest_nids);
-+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
-+    int id);
-+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-+    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
-+    int id);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+static int check_hw_mechanisms(void);
-+static int nid_in_table(int nid, int *nid_table);
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+/* Index for the supported ciphers */
-+enum pk11_cipher_id {
-+	PK11_DES_CBC,
-+	PK11_DES3_CBC,
-+	PK11_DES_ECB,
-+	PK11_DES3_ECB,
-+	PK11_RC4,
-+	PK11_AES_128_CBC,
-+	PK11_AES_192_CBC,
-+	PK11_AES_256_CBC,
-+	PK11_AES_128_ECB,
-+	PK11_AES_192_ECB,
-+	PK11_AES_256_ECB,
-+	PK11_BLOWFISH_CBC,
-+#ifdef	SOLARIS_AES_CTR
-+	PK11_AES_128_CTR,
-+	PK11_AES_192_CTR,
-+	PK11_AES_256_CTR,
-+#endif	/* SOLARIS_AES_CTR */
-+	PK11_CIPHER_MAX
-+};
-+
-+/* Index for the supported digests */
-+enum pk11_digest_id {
-+	PK11_MD5,
-+	PK11_SHA1,
-+	PK11_SHA224,
-+	PK11_SHA256,
-+	PK11_SHA384,
-+	PK11_SHA512,
-+	PK11_DIGEST_MAX
-+};
-+
-+#define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type, priv)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
-+		{							\
-+		  retval = pk11_destroy_object(sp->session, obj_hdl,	\
-+		  priv ? sp->priv_persistent : sp->pub_persistent);	\
-+		}							\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+static int cipher_nids[PK11_CIPHER_MAX];
-+static int digest_nids[PK11_DIGEST_MAX];
-+static int cipher_count		= 0;
-+static int digest_count		= 0;
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_recover = CK_FALSE;
-+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dh	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+typedef struct PK11_CIPHER_st
-+	{
-+	enum pk11_cipher_id	id;
-+	int			nid;
-+	int			iv_len;
-+	int			min_key_len;
-+	int			max_key_len;
-+	CK_KEY_TYPE		key_type;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_CIPHER;
-+
-+static PK11_CIPHER ciphers[] =
-+	{
-+	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
-+		CKK_DES,	CKM_DES_CBC, },
-+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
-+		CKK_DES3,	CKM_DES3_CBC, },
-+	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
-+		CKK_DES,	CKM_DES_ECB, },
-+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
-+		CKK_DES3,	CKM_DES3_ECB, },
-+	{ PK11_RC4,		NID_rc4,		0,	16, 256,
-+		CKK_RC4,	CKM_RC4, },
-+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
-+		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
-+		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
-+		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
-+#ifdef	SOLARIS_AES_CTR
-+	/* we don't know the correct NIDs until the engine is initialized */
-+	{ PK11_AES_128_CTR,	NID_undef,		16,	16,  16,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_192_CTR,	NID_undef,		16,	24,  24,
-+		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
-+		CKK_AES,	CKM_AES_CTR, },
-+#endif	/* SOLARIS_AES_CTR */
-+	};
-+
-+typedef struct PK11_DIGEST_st
-+	{
-+	enum pk11_digest_id	id;
-+	int			nid;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_DIGEST;
-+
-+static PK11_DIGEST digests[] =
-+	{
-+	{PK11_MD5,	NID_md5,	CKM_MD5, },
-+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
-+	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
-+	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
-+	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
-+	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
-+	{0,		NID_undef,	0xFFFF, },
-+	};
-+
-+/*
-+ * Structure to be used for the cipher_data/md_data in
-+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
-+ * session in multiple cipher_update calls
-+ */
-+typedef struct PK11_CIPHER_STATE_st
-+	{
-+	PK11_SESSION	*sp;
-+	} PK11_CIPHER_STATE;
-+
-+
-+/*
-+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
-+ * called when libcrypto requests a cipher NID.
-+ *
-+ * Note how the PK11_CIPHER_STATE is used here.
-+ */
-+
-+/* DES CBC EVP */
-+static const EVP_CIPHER pk11_des_cbc =
-+	{
-+	NID_des_cbc,
-+	8, 8, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/* 3DES CBC EVP */
-+static const EVP_CIPHER pk11_3des_cbc =
-+	{
-+	NID_des_ede3_cbc,
-+	8, 24, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
-+ * get_asn1_parameters fields are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_des_ecb =
-+	{
-+	NID_des_ecb,
-+	8, 8, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_3des_ecb =
-+	{
-+	NID_des_ede3_ecb,
-+	8, 24, 8,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+
-+static const EVP_CIPHER pk11_aes_128_cbc =
-+	{
-+	NID_aes_128_cbc,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_cbc =
-+	{
-+	NID_aes_192_cbc,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_cbc =
-+	{
-+	NID_aes_256_cbc,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/*
-+ * ECB modes don't use IV so that's why set_asn1_parameters and
-+ * get_asn1_parameters are set to NULL.
-+ */
-+static const EVP_CIPHER pk11_aes_128_ecb =
-+	{
-+	NID_aes_128_ecb,
-+	16, 16, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_192_ecb =
-+	{
-+	NID_aes_192_ecb,
-+	16, 24, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_256_ecb =
-+	{
-+	NID_aes_256_ecb,
-+	16, 32, 0,
-+	EVP_CIPH_ECB_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+#ifdef	SOLARIS_AES_CTR
-+/*
-+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
-+ * created in pk11_library_init(). Note that the need to change these structures
-+ * is the reason why we don't define them with the const keyword.
-+ */
-+static EVP_CIPHER pk11_aes_128_ctr =
-+	{
-+	NID_undef,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_192_ctr =
-+	{
-+	NID_undef,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static EVP_CIPHER pk11_aes_256_ctr =
-+	{
-+	NID_undef,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+#endif	/* SOLARIS_AES_CTR */
-+
-+static const EVP_CIPHER pk11_bf_cbc =
-+	{
-+	NID_bf_cbc,
-+	8, 16, 8,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_rc4 =
-+	{
-+	NID_rc4,
-+	1, 16, 0,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof (PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_MD pk11_md5 =
-+	{
-+	NID_md5,
-+	NID_md5WithRSAEncryption,
-+	MD5_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	MD5_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha1 =
-+	{
-+	NID_sha1,
-+	NID_sha1WithRSAEncryption,
-+	SHA_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha224 =
-+	{
-+	NID_sha224,
-+	NID_sha224WithRSAEncryption,
-+	SHA224_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-224 uses the same cblock size as SHA-256 */
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha256 =
-+	{
-+	NID_sha256,
-+	NID_sha256WithRSAEncryption,
-+	SHA256_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA256_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha384 =
-+	{
-+	NID_sha384,
-+	NID_sha384WithRSAEncryption,
-+	SHA384_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	/* SHA-384 uses the same cblock size as SHA-512 */
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha512 =
-+	{
-+	NID_sha512,
-+	NID_sha512WithRSAEncryption,
-+	SHA512_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA512_CBLOCK,
-+	sizeof (PK11_CIPHER_STATE),
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE */
-+#ifdef OPENSSL_NO_HW_PK11SO
-+#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
-+#endif
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name =
-+	"PKCS #11 engine support (crypto accelerator)";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * This is a static string constant for the DSO file name and the function
-+ * symbol names to bind to. We set it in the Configure script based on whether
-+ * this is 32 or 64 bit build.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_BBOOL mytrue = TRUE;
-+static CK_BBOOL myfalse = FALSE;
-+/* Needed in hw_pk11_pub.c as well so that's why it is not static. */
-+CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+	pthread_mutexattr_t attr;
-+
-+	if (pthread_mutexattr_init(&attr) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 100);
-+		return (0);
-+	}
-+
-+#ifdef DEBUG_MUTEX
-+	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
-+	{
-+		PK11err(PK11_F_INIT_ALL_LOCKS, 101);
-+		return (0);
-+	}
-+#endif
-+
-+	if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(token_lock, &attr);
-+
-+#ifndef OPENSSL_NO_RSA
-+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_RSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_RSA], &attr);
-+#endif /* OPENSSL_NO_RSA */
-+
-+#ifndef OPENSSL_NO_DSA
-+	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DSA], &attr);
-+#endif /* OPENSSL_NO_DSA */
-+
-+#ifndef OPENSSL_NO_DH
-+	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_DH] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_DH], &attr);
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		session_cache[type].lock =
-+		    OPENSSL_malloc(sizeof (pthread_mutex_t));
-+		if (session_cache[type].lock == NULL)
-+			goto malloc_err;
-+		(void) pthread_mutex_init(session_cache[type].lock, &attr);
-+		}
-+
-+	return (1);
-+
-+malloc_err:
-+	pk11_free_all_locks();
-+	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+	return (0);
-+#else
-+	return (1);
-+#endif
-+	}
-+
-+static void pk11_free_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	if (token_lock != NULL)
-+		{
-+		(void) pthread_mutex_destroy(token_lock);
-+		OPENSSL_free(token_lock);
-+		token_lock = NULL;
-+		}
-+
-+#ifndef OPENSSL_NO_RSA
-+	if (find_lock[OP_RSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+		OPENSSL_free(find_lock[OP_RSA]);
-+		find_lock[OP_RSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (find_lock[OP_DSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DSA]);
-+		OPENSSL_free(find_lock[OP_DSA]);
-+		find_lock[OP_DSA] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (find_lock[OP_DH] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_DH]);
-+		OPENSSL_free(find_lock[OP_DH]);
-+		find_lock[OP_DH] = NULL;
-+		}
-+#endif /* OPENSSL_NO_DH */
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (session_cache[type].lock != NULL)
-+			{
-+			(void) pthread_mutex_destroy(session_cache[type].lock);
-+			OPENSSL_free(session_cache[type].lock);
-+			session_cache[type].lock = NULL;
-+			}
-+		}
-+#endif
-+	}
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+#ifndef OPENSSL_NO_RSA
-+	const RSA_METHOD *rsa = NULL;
-+	RSA_METHOD *pk11_rsa = PK11_RSA();
-+#endif	/* OPENSSL_NO_RSA */
-+	if (!pk11_library_initialized)
-+		if (!pk11_library_init(e))
-+			return (0);
-+
-+	if (!ENGINE_set_id(e, engine_pk11_id) ||
-+	    !ENGINE_set_name(e, engine_pk11_name) ||
-+	    !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
-+	    !ENGINE_set_digests(e, pk11_engine_digests))
-+		return (0);
-+#ifndef OPENSSL_NO_RSA
-+	if (pk11_have_rsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+	if (pk11_have_dsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DSA(e, PK11_DSA()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+	if (pk11_have_dh == CK_TRUE)
-+		{
-+		if (!ENGINE_set_DH(e, PK11_DH()))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+#endif	/* OPENSSL_NO_DH */
-+	if (pk11_have_random)
-+		{
-+		if (!ENGINE_set_RAND(e, &pk11_random))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+	if (!ENGINE_set_init_function(e, pk11_init) ||
-+	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	    !ENGINE_set_finish_function(e, pk11_finish) ||
-+	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return (0);
-+
-+/*
-+ * Apache calls OpenSSL function RSA_blinding_on() once during startup
-+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
-+ * here, we wire it back to the OpenSSL software implementation.
-+ * Since it is used only once, performance is not a concern.
-+ */
-+#ifndef OPENSSL_NO_RSA
-+	rsa = RSA_PKCS1_SSLeay();
-+	pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
-+	pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
-+	if (pk11_have_recover != CK_TRUE)
-+		pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
-+#endif	/* OPENSSL_NO_RSA */
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+
-+	return (1);
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef	ENGINE_DYNAMIC_SUPPORT
-+#error  "dynamic engine not supported"
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return (0);
-+
-+	if (!bind_pk11(e))
-+		return (0);
-+
-+	return (1);
-+	}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return (NULL);
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return (NULL);
-+		}
-+
-+	return (ret);
-+	}
-+
-+void
-+ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/*
-+	 * Do not use dynamic PKCS#11 library on Solaris due to
-+	 * security reasons. We will link it in statically.
-+	 */
-+	/* Attempt to load PKCS#11 library */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11)
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/*
-+	 * At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11
-+	 * library before calling ENGINE_set_default since the latter
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif	/* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return (PK11_LIBNAME);
-+
-+	return (def_PK11_LIBNAME);
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	LOCK_OBJSTORE(OP_RSA);
-+	LOCK_OBJSTORE(OP_DSA);
-+	LOCK_OBJSTORE(OP_DH);
-+	OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
-+	for (i = 0; i < OP_MAX; i++)
-+		{
-+		OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
-+		}
-+#endif
-+	}
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
-+		}
-+	UNLOCK_OBJSTORE(OP_DH);
-+	UNLOCK_OBJSTORE(OP_DSA);
-+	UNLOCK_OBJSTORE(OP_RSA);
-+	OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
-+#endif
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return (pk11_library_init(e));
-+}
-+
-+static CK_C_INITIALIZE_ARGS pk11_init_args =
-+	{
-+	NULL_PTR,		/* CreateMutex */
-+	NULL_PTR,		/* DestroyMutex */
-+	NULL_PTR,		/* LockMutex */
-+	NULL_PTR,		/* UnlockMutex */
-+	CKF_OS_LOCKING_OK,	/* flags */
-+	NULL_PTR,		/* pReserved */
-+	};
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	CK_ULONG ul_state_len;
-+	int any_slot_found;
-+	int i;
-+#ifndef OPENSSL_SYS_WIN32
-+	struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+	/*
-+	 * pk11_library_initialized is set to 0 in pk11_finish() which
-+	 * is called from ENGINE_finish(). However, if there is still
-+	 * at least one existing functional reference to the engine
-+	 * (see engine(3) for more information), pk11_finish() is
-+	 * skipped. For example, this can happen if an application
-+	 * forgets to clear one cipher context. In case of a fork()
-+	 * when the application is finishing the engine so that it can
-+	 * be reinitialized in the child, forgotten functional
-+	 * reference causes pk11_library_initialized to stay 1. In
-+	 * that case we need the PID check so that we properly
-+	 * initialize the engine again.
-+	 */
-+	if (pk11_library_initialized)
-+		{
-+		if (pk11_pid == getpid())
-+			{
-+			return (1);
-+			}
-+		else
-+			{
-+			global_session = CK_INVALID_HANDLE;
-+			/*
-+			 * free the locks first to prevent memory leak in case
-+			 * the application calls fork() without finishing the
-+			 * engine first.
-+			 */
-+			pk11_free_all_locks();
-+			}
-+		}
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+#ifdef	SOLARIS_AES_CTR
-+	/*
-+	 * We must do this before we start working with slots since we need all
-+	 * NIDs there.
-+	 */
-+	if (pk11_add_aes_ctr_NIDs() == 0)
-+		goto err;
-+#endif	/* SOLARIS_AES_CTR */
-+
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+	if (check_hw_mechanisms() == 0)
-+		goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+
-+	/* get the C_GetFunctionList function from the loaded library */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+		PK11_GET_FUNCTION_LIST);
-+	if (!p)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the full function list from the loaded library */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+		goto err;
-+		}
-+
-+#ifndef OPENSSL_SYS_WIN32
-+	/* Not all PKCS#11 library are signal safe! */
-+
-+	(void) memset(&sigint_act, 0, sizeof(sigint_act));
-+	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+	(void) memset(&sighup_act, 0, sizeof(sighup_act));
-+	(void) sigaction(SIGINT, NULL, &sigint_act);
-+	(void) sigaction(SIGTERM, NULL, &sigterm_act);
-+	(void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+	rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+#ifndef OPENSSL_SYS_WIN32
-+	(void) sigaction(SIGINT, &sigint_act, NULL);
-+	(void) sigaction(SIGTERM, &sigterm_act, NULL);
-+	(void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetInfo(&info);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+		goto err;
-+		}
-+
-+	if (pk11_choose_slots(&any_slot_found) == 0)
-+		goto err;
-+
-+	/*
-+	 * The library we use, set in def_PK11_LIBNAME, may not offer any
-+	 * slot(s). In that case, we must not proceed but we must not return an
-+	 * error. The reason is that applications that try to set up the PKCS#11
-+	 * engine don't exit on error during the engine initialization just
-+	 * because no slot was present.
-+	 */
-+	if (any_slot_found == 0)
-+		return (1);
-+
-+	if (global_session == CK_INVALID_HANDLE)
-+		{
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LIBRARY_INIT,
-+			    PK11_R_OPENSESSION, rv);
-+			goto err;
-+			}
-+		}
-+
-+	/*
-+	 * Disable digest if C_GetOperationState is not supported since
-+	 * this function is required by OpenSSL digest copy function
-+	 */
-+	/* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
-+	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
-+			!= CKR_OK) {
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: C_GetOperationState() not supported, "
-+		    "setting digest_count to 0\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		digest_count = 0;
-+	}
-+
-+	pk11_library_initialized = TRUE;
-+	pk11_pid = getpid();
-+	/*
-+	 * if initialization of the locks fails pk11_init_all_locks()
-+	 * will do the cleanup.
-+	 */
-+	if (!pk11_init_all_locks())
-+		goto err;
-+	for (i = 0; i < OP_MAX; i++)
-+		session_cache[i].head = NULL;
-+	/*
-+	 * initialize active lists. We only use active lists
-+	 * for asymmetric ciphers.
-+	 */
-+	for (i = 0; i < OP_MAX; i++)
-+		active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+	if (!pk11_atfork_initialized)
-+		{
-+		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+		    pk11_fork_child) != 0)
-+			{
-+			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+			goto err;
-+			}
-+		pk11_atfork_initialized = TRUE;
-+		}
-+#endif
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+	{
-+	free_PK11_LIBNAME();
-+	ERR_unload_pk11_strings();
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+	return (1);
-+	}
-+
-+/*
-+ * Termination function to clean up the session, the token, and the pk11
-+ * library.
-+ */
-+/* ARGSUSED */
-+static int pk11_finish(ENGINE *e)
-+	{
-+	int i;
-+
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+		goto err;
-+		}
-+
-+	OPENSSL_assert(pFuncList != NULL);
-+
-+	if (pk11_free_all_sessions() == 0)
-+		goto err;
-+
-+	/* free all active lists */
-+	for (i = 0; i < OP_MAX; i++)
-+		pk11_free_active_list(i);
-+
-+	pFuncList->C_CloseSession(global_session);
-+	global_session = CK_INVALID_HANDLE;
-+
-+	/*
-+	 * Since we are part of a library (libcrypto.so), calling this function
-+	 * may have side-effects.
-+	 */
-+#if 0
-+	pFuncList->C_Finalize(NULL);
-+#endif
-+
-+	if (!DSO_free(pk11_dso))
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+	pk11_dso = NULL;
-+	pFuncList = NULL;
-+	pk11_library_initialized = FALSE;
-+	pk11_pid = 0;
-+	/*
-+	 * There is no way how to unregister atfork handlers (other than
-+	 * unloading the library) so we just free the locks. For this reason
-+	 * the atfork handlers check if the engine is initialized and bail out
-+	 * immediately if not. This is necessary in case a process finishes
-+	 * the engine before calling fork().
-+	 */
-+	pk11_free_all_locks();
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Standard engine interface function to set the dynamic library path */
-+/* ARGSUSED */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-+	{
-+	int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+	switch (cmd)
-+		{
-+	case PK11_CMD_SO_PATH:
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		if (initialized)
-+			{
-+			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+			return (0);
-+			}
-+
-+		return (set_PK11_LIBNAME((const char *)p));
-+	case PK11_CMD_PIN:
-+		if (pk11_pin) {
-+			memset(pk11_pin, 0, strlen(pk11_pin));
-+			OPENSSL_free((void*)pk11_pin);
-+		}
-+		pk11_pin = NULL;
-+
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		pk11_pin = BUF_strdup(p);
-+		if (pk11_pin == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+			return (0);
-+			}
-+		return (1);
-+	case PK11_CMD_SLOT:
-+		SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: slot set\n", PK11_DBG);
-+#endif
-+		return (1);
-+	default:
-+		break;
-+		}
-+
-+	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+	return (0);
-+	}
-+
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static void pk11_rand_cleanup(void)
-+	{
-+	return;
-+	}
-+
-+/* ARGSUSED */
-+static void pk11_rand_add(const void *buf, int num, double add)
-+	{
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return;
-+
-+	/*
-+	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
-+	 * the calling functions do not care anyway
-+	 */
-+	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+	pk11_return_session(sp, OP_RAND);
-+
-+	return;
-+	}
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+	{
-+	pk11_rand_add(buf, num, 0);
-+	}
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return (0);
-+
-+	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
-+		pk11_return_session(sp, OP_RAND);
-+		return (0);
-+		}
-+
-+	pk11_return_session(sp, OP_RAND);
-+	return (1);
-+	}
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static int pk11_rand_status(void)
-+	{
-+	return (1);
-+	}
-+
-+/* Free all BIGNUM structures from PK11_SESSION. */
-+static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+	switch (optype)
-+		{
-+#ifndef	OPENSSL_NO_RSA
-+		case OP_RSA:
-+			if (sp->opdata_rsa_n_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_n_num);
-+				sp->opdata_rsa_n_num = NULL;
-+				}
-+			if (sp->opdata_rsa_e_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_e_num);
-+				sp->opdata_rsa_e_num = NULL;
-+				}
-+			if (sp->opdata_rsa_pn_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_pn_num);
-+				sp->opdata_rsa_pn_num = NULL;
-+				}
-+			if (sp->opdata_rsa_pe_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_pe_num);
-+				sp->opdata_rsa_pe_num = NULL;
-+				}
-+			if (sp->opdata_rsa_d_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_d_num);
-+				sp->opdata_rsa_d_num = NULL;
-+				}
-+			break;
-+#endif
-+#ifndef	OPENSSL_NO_DSA
-+		case OP_DSA:
-+			if (sp->opdata_dsa_pub_num != NULL)
-+				{
-+				BN_free(sp->opdata_dsa_pub_num);
-+				sp->opdata_dsa_pub_num = NULL;
-+				}
-+			if (sp->opdata_dsa_priv_num != NULL)
-+				{
-+				BN_free(sp->opdata_dsa_priv_num);
-+				sp->opdata_dsa_priv_num = NULL;
-+				}
-+			break;
-+#endif
-+#ifndef	OPENSSL_NO_DH
-+		case OP_DH:
-+			if (sp->opdata_dh_priv_num != NULL)
-+				{
-+				BN_free(sp->opdata_dh_priv_num);
-+				sp->opdata_dh_priv_num = NULL;
-+				}
-+			break;
-+#endif
-+		default:
-+			break;
-+		}
-+	}
-+
-+/*
-+ * Get new PK11_SESSION structure ready for use. Every process must have
-+ * its own freelist of PK11_SESSION structures so handle fork() here
-+ * by destroying the old and creating new freelist.
-+ * The returned PK11_SESSION structure is disconnected from the freelist.
-+ */
-+PK11_SESSION *
-+pk11_get_session(PK11_OPTYPE optype)
-+	{
-+	PK11_SESSION *sp = NULL, *sp1, *freelist;
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock = NULL;
-+#endif
-+	static pid_t pid = 0;
-+	pid_t new_pid;
-+	CK_RV rv;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return (NULL);
-+		}
-+#ifndef NOPTHREADS
-+	OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	/*
-+	 * Will use it to find out if we forked. We cannot use the PID field in
-+	 * the session structure because we could get a newly allocated session
-+	 * here, with no PID information.
-+	 */
-+	if (pid == 0)
-+		pid = getpid();
-+
-+	freelist = session_cache[optype].head;
-+	sp = freelist;
-+
-+	/*
-+	 * If the free list is empty, allocate new unitialized (filled
-+	 * with zeroes) PK11_SESSION structure otherwise return first
-+	 * structure from the freelist.
-+	 */
-+	if (sp == NULL)
-+		{
-+		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		(void) memset(sp, 0, sizeof (PK11_SESSION));
-+
-+		/*
-+		 * It is a new session so it will look like a cache miss to the
-+		 * code below. So, we must not try to to destroy its members so
-+		 * mark them as unused.
-+		 */
-+		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+		}
-+	else
-+		{
-+		freelist = sp->next;
-+		}
-+
-+	/*
-+	 * Check whether we have forked. In that case, we must get rid of all
-+	 * inherited sessions and start allocating new ones.
-+	 */
-+	if (pid != (new_pid = getpid()))
-+		{
-+		pid = new_pid;
-+
-+		/*
-+		 * We are a new process and thus need to free any inherited
-+		 * PK11_SESSION objects aside from the first session (sp) which
-+		 * is the only PK11_SESSION structure we will reuse (for the
-+		 * head of the list).
-+		 */
-+		while ((sp1 = freelist) != NULL)
-+			{
-+			freelist = sp1->next;
-+			/*
-+			 * NOTE: we do not want to call pk11_free_all_sessions()
-+			 * here because it would close underlying PKCS#11
-+			 * sessions and destroy all objects.
-+			 */
-+			pk11_free_nums(sp1, optype);
-+			OPENSSL_free(sp1);
-+			}
-+
-+		/* we have to free the active list as well. */
-+		pk11_free_active_list(optype);
-+
-+		/* Initialize the process */
-+		rv = pFuncList->C_Initialize((CK_VOID_PTR)&pk11_init_args);
-+		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * Choose slot here since the slot table is different on this
-+		 * process. If we are here then we must have found at least one
-+		 * usable slot before so we don't need to check any_slot_found.
-+		 * See pk11_library_init()'s usage of this function for more
-+		 * information.
-+		 */
-+#ifdef	SOLARIS_HW_SLOT_SELECTION
-+		if (check_hw_mechanisms() == 0)
-+			goto err;
-+#endif	/* SOLARIS_HW_SLOT_SELECTION */
-+		if (pk11_choose_slots(NULL) == 0)
-+			goto err;
-+
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * It is an inherited session from our parent so it needs
-+		 * re-initialization.
-+		 */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+		if (pk11_token_relogin(sp->session) == 0) 
-+			{
-+			/*
-+			 * We will keep the session in the cache list and let
-+			 * the caller cope with the situation.
-+			 */
-+			freelist = sp;
-+			sp = NULL;
-+			goto err;
-+			}
-+		}
-+
-+	if (sp->pid == 0)
-+		{
-+		/* It is a new session and needs initialization. */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+
-+	/* set new head for the list of PK11_SESSION objects */
-+	session_cache[optype].head = freelist;
-+
-+err:
-+	if (sp != NULL)
-+		sp->next = NULL;
-+
-+#ifndef NOPTHREADS
-+	OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	return (sp);
-+	}
-+
-+
-+void
-+pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock;
-+#endif
-+	PK11_SESSION *freelist;
-+
-+	/*
-+	 * If this is a session from the parent it will be taken care of and
-+	 * freed in pk11_get_session() as part of the post-fork clean up the
-+	 * next time we will ask for a new session.
-+	 */
-+	if (sp == NULL || sp->pid != getpid())
-+		return;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		defa