From owner-svn-src-stable@FreeBSD.ORG Mon Dec 6 22:45:29 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D2B3D106566C; Mon, 6 Dec 2010 22:45:29 +0000 (UTC) (envelope-from emax@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A6C738FC14; Mon, 6 Dec 2010 22:45:29 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB6MjTiL047034; Mon, 6 Dec 2010 22:45:29 GMT (envelope-from emax@svn.freebsd.org) Received: (from emax@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB6MjTA4047031; Mon, 6 Dec 2010 22:45:29 GMT (envelope-from emax@svn.freebsd.org) Message-Id: <201012062245.oB6MjTA4047031@svn.freebsd.org> 
From: Maksim Yevmenkin Date: Mon, 6 Dec 2010 22:45:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216245 - in stable/8: etc etc/periodic/daily usr.sbin/bluetooth usr.sbin/bluetooth/ath3kfw X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Dec 2010 22:45:29 -0000 Author: emax Date: Mon Dec 6 22:45:29 2010 New Revision: 216245 URL: http://svn.freebsd.org/changeset/base/216245 Log: MFC r215195 Add firmware downloader for Atheros AR3011 based USB Bluetooth devices. Hardware donated by: Rusty Nejdl rnejdl at ringofsaturn dot com Tested by: Rusty Nejdl rnejdl at ringofsaturn dot com Tested by: Andrzej Tobola ato at iem dot pw dot edu dot pl Approved by: re Added: stable/8/usr.sbin/bluetooth/ath3kfw/ - copied from r215195, head/usr.sbin/bluetooth/ath3kfw/ Modified: stable/8/etc/devd.conf stable/8/usr.sbin/bluetooth/Makefile Directory Properties: stable/8/etc/ (props changed) stable/8/etc/periodic/daily/ (props changed) stable/8/etc/periodic/daily/800.scrub-zfs (props changed) stable/8/etc/periodic/security/ (props changed) stable/8/usr.sbin/bluetooth/ (props changed) stable/8/usr.sbin/bluetooth/bthidcontrol/ (props changed) stable/8/usr.sbin/bluetooth/bthidd/ (props changed) Modified: stable/8/etc/devd.conf ============================================================================== --- stable/8/etc/devd.conf Mon Dec 6 21:15:46 2010 (r216244) +++ stable/8/etc/devd.conf Mon Dec 6 22:45:29 2010 (r216245) 
@@ -97,6 +97,13 @@ detach 100 { action "/etc/rc.d/bluetooth quietstop $device-name"; }; +# Firmware downloader for Atheros AR3011 based USB Bluetooth devices +#attach 100 { +# match "vendor" "0x0cf3"; +# match "product" "0x3000"; +# action "sleep 2 && /usr/sbin/ath3kfw -d $device-name -f /usr/local/etc/ath3k-1.fw"; +#}; + # When a USB keyboard arrives, attach it as the console keyboard. attach 100 { device-name "ukbd0"; Modified: stable/8/usr.sbin/bluetooth/Makefile ============================================================================== --- stable/8/usr.sbin/bluetooth/Makefile Mon Dec 6 21:15:46 2010 (r216244) +++ stable/8/usr.sbin/bluetooth/Makefile Mon Dec 6 22:45:29 2010 (r216245) @@ -2,6 +2,7 @@ # $FreeBSD$ SUBDIR= \ + ath3kfw \ bcmfw \ bt3cfw \ bthidcontrol \ From owner-svn-src-stable@FreeBSD.ORG Tue Dec 7 18:14:38 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 683B31065673; Tue, 7 Dec 2010 18:14:38 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 573988FC13; Tue, 7 Dec 2010 18:14:38 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB7IEcWE076061; Tue, 7 Dec 2010 18:14:38 GMT (envelope-from jkim@svn.freebsd.org) Received: (from jkim@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB7IEc0S076058; Tue, 7 Dec 2010 18:14:38 GMT (envelope-from jkim@svn.freebsd.org) Message-Id: <201012071814.oB7IEc0S076058@svn.freebsd.org> 
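Review bot: In the r216245 devd.conf hunk, the commented-out attach rule runs "sleep 2 && /usr/sbin/ath3kfw -d $device-name -f /usr/local/etc/ath3k-1.fw" with no explanation of the fixed two-second delay, and nothing in the hunk says where ath3k-1.fw comes from. devd runs this action as root whenever a device matching vendor 0x0cf3 / product 0x3000 attaches, so the comment above the rule should state what the sleep is waiting for, that the firmware file has to be supplied by the administrator, and that it should be writable only by root before the rule is uncommented.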
From: Jung-uk Kim Date: Tue, 7 Dec 2010 18:14:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216261 - in stable/8/sys: amd64/amd64 i386/i386 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2010 18:14:38 -0000 Author: jkim Date: Tue Dec 7 18:14:38 2010 New Revision: 216261 URL: http://svn.freebsd.org/changeset/base/216261 Log: MFC: r216159 Do not change CPU ticker frequency if TSC is P-state invariant. Approved by: re (kib) Modified: stable/8/sys/amd64/amd64/tsc.c stable/8/sys/i386/i386/tsc.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/amd64/amd64/tsc.c ============================================================================== --- stable/8/sys/amd64/amd64/tsc.c Tue Dec 7 17:54:04 2010 (r216260) +++ stable/8/sys/amd64/amd64/tsc.c Tue Dec 7 18:14:38 2010 (r216261) @@ -146,6 +146,9 @@ tsc_levels_changed(void *arg, int unit) int count, error; uint64_t max_freq; + if (tsc_is_invariant) + return; + /* Only use values from the first CPU, assuming all are equal. */ if (unit != 0) return; Modified: stable/8/sys/i386/i386/tsc.c ============================================================================== --- stable/8/sys/i386/i386/tsc.c Tue Dec 7 17:54:04 2010 (r216260) +++ stable/8/sys/i386/i386/tsc.c Tue Dec 7 18:14:38 2010 (r216261) 
@@ -170,6 +170,9 @@ tsc_levels_changed(void *arg, int unit) int count, error; uint64_t max_freq; + if (tsc_is_invariant) + return; + /* Only use values from the first CPU, assuming all are equal. */ if (unit != 0) return; From owner-svn-src-stable@FreeBSD.ORG Tue Dec 7 18:15:18 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 943671065674; Tue, 7 Dec 2010 18:15:18 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 835CA8FC18; Tue, 7 Dec 2010 18:15:18 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB7IFIWQ076121; Tue, 7 Dec 2010 18:15:18 GMT (envelope-from jkim@svn.freebsd.org) Received: (from jkim@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB7IFIaw076118; Tue, 7 Dec 2010 18:15:18 GMT (envelope-from jkim@svn.freebsd.org) Message-Id: <201012071815.oB7IFIaw076118@svn.freebsd.org> 
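Review bot: The early return added at the top of tsc_levels_changed() in r216261 (both the amd64 and i386 copies of tsc.c) carries no comment, unlike the unit != 0 check directly below it, which explains itself. A one-line comment above "if (tsc_is_invariant) return;" saying that a P-state invariant TSC needs no ticker frequency update would keep the reason next to the code instead of only in the commit log.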
From: Jung-uk Kim Date: Tue, 7 Dec 2010 18:15:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216262 - in stable/7/sys: amd64/amd64 i386/i386 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2010 18:15:18 -0000 Author: jkim Date: Tue Dec 7 18:15:18 2010 New Revision: 216262 URL: http://svn.freebsd.org/changeset/base/216262 Log: MFC: r216159 Do not change CPU ticker frequency if TSC is P-state invariant. Approved by: re (kib) Modified: stable/7/sys/amd64/amd64/tsc.c stable/7/sys/i386/i386/tsc.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/amd64/amd64/tsc.c ============================================================================== --- stable/7/sys/amd64/amd64/tsc.c Tue Dec 7 18:14:38 2010 (r216261) +++ stable/7/sys/amd64/amd64/tsc.c Tue Dec 7 18:15:18 2010 (r216262) @@ -151,6 +151,9 @@ tsc_levels_changed(void *arg, int unit) int count, error; uint64_t max_freq; + if (tsc_is_invariant) + return; + /* Only use values from the first CPU, assuming all are equal. */ if (unit != 0) return; Modified: stable/7/sys/i386/i386/tsc.c ============================================================================== --- stable/7/sys/i386/i386/tsc.c Tue Dec 7 18:14:38 2010 (r216261) +++ stable/7/sys/i386/i386/tsc.c Tue Dec 7 18:15:18 2010 (r216262) 
@@ -170,6 +170,9 @@ tsc_levels_changed(void *arg, int unit) int count, error; uint64_t max_freq; + if (tsc_is_invariant) + return; + /* Only use values from the first CPU, assuming all are equal. */ if (unit != 0) return; From owner-svn-src-stable@FreeBSD.ORG Tue Dec 7 19:14:18 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF4461065673; Tue, 7 Dec 2010 19:14:18 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 83ABE8FC16; Tue, 7 Dec 2010 19:14:18 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB7JEICA077529; Tue, 7 Dec 2010 19:14:18 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB7JEI5E077527; Tue, 7 Dec 2010 19:14:18 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201012071914.oB7JEI5E077527@svn.freebsd.org> 
From: Pyun YongHyeon Date: Tue, 7 Dec 2010 19:14:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216264 - stable/8/sys/dev/fxp X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2010 19:14:18 -0000 Author: yongari Date: Tue Dec 7 19:14:18 2010 New Revision: 216264 URL: http://svn.freebsd.org/changeset/base/216264 Log: MFC r216111: If RX lockup workaround is enabled, fxp(4) will periodically reset the controller to workaround silicon bug of i82557. Each reset will re-establish link which in turn triggers MII status change callback. The callback will try to reconfigure controller if the controller is not i82557 to enable flow-control. This caused endless link UP/DOWN when the workaround was enabled on non-i82557 controller. To fix the issue, apply RX lockup workaround only for i82557. Previously it blindly checked undocumented EEPROM location such that it sometimes enabled the workaround for other controllers. At this time, only i82557 is known to have the silicon bug. This fixes a regression introduced in r215906 which enabled flow control support for all controllers except i82557. 
Reported by: Karl Denninger (karl <> denninger dot net) Tested by: Karl Denninger (karl <> denninger dot net) Approved by: re (kensmith) Modified: stable/8/sys/dev/fxp/if_fxp.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/dev/fxp/if_fxp.c ============================================================================== --- stable/8/sys/dev/fxp/if_fxp.c Tue Dec 7 18:49:11 2010 (r216263) +++ stable/8/sys/dev/fxp/if_fxp.c Tue Dec 7 19:14:18 2010 (r216264) 
@@ -526,10 +526,12 @@ fxp_attach(device_t dev) } /* Receiver lock-up workaround detection. */ - fxp_read_eeprom(sc, &data, 3, 1); - if ((data & 0x03) != 0x03) { - sc->flags |= FXP_FLAG_RXBUG; - device_printf(dev, "Enabling Rx lock-up workaround\n"); + if (sc->revision < FXP_REV_82558_A4) { + fxp_read_eeprom(sc, &data, 3, 1); + if ((data & 0x03) != 0x03) { + sc->flags |= FXP_FLAG_RXBUG; + device_printf(dev, "Enabling Rx lock-up workaround\n"); + } } /* From owner-svn-src-stable@FreeBSD.ORG Tue Dec 7 19:15:34 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D79A106566C; Tue, 7 Dec 2010 19:15:34 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 41C1C8FC13; Tue, 7 Dec 2010 19:15:34 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB7JFYTD077595; Tue, 7 Dec 2010 19:15:34 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB7JFYL5077593; Tue, 7 Dec 2010 19:15:34 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201012071915.oB7JFYL5077593@svn.freebsd.org> 
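Review bot: The new guard in fxp_attach() in r216264, "if (sc->revision < FXP_REV_82558_A4)", expresses "i82557 only" as a revision comparison, but the comment above it still reads just "Receiver lock-up workaround detection." Please extend that comment to say the workaround is restricted to i82557 and that enabling it on later controllers causes the reset and link UP/DOWN loop described in the log, so the comparison is not loosened later by mistake.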
From: Pyun YongHyeon Date: Tue, 7 Dec 2010 19:15:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216265 - stable/7/sys/dev/fxp X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2010 19:15:34 -0000 Author: yongari Date: Tue Dec 7 19:15:33 2010 New Revision: 216265 URL: http://svn.freebsd.org/changeset/base/216265 Log: MFC r216111: If RX lockup workaround is enabled, fxp(4) will periodically reset the controller to workaround silicon bug of i82557. Each reset will re-establish link which in turn triggers MII status change callback. The callback will try to reconfigure controller if the controller is not i82557 to enable flow-control. This caused endless link UP/DOWN when the workaround was enabled on non-i82557 controller. To fix the issue, apply RX lockup workaround only for i82557. Previously it blindly checked undocumented EEPROM location such that it sometimes enabled the workaround for other controllers. At this time, only i82557 is known to have the silicon bug. This fixes a regression introduced in r215906 which enabled flow control support for all controllers except i82557. 
Reported by: Karl Denninger (karl <> denninger dot net) Tested by: Karl Denninger (karl <> denninger dot net) Approved by: re (kensmith) Modified: stable/7/sys/dev/fxp/if_fxp.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/dev/fxp/if_fxp.c ============================================================================== --- stable/7/sys/dev/fxp/if_fxp.c Tue Dec 7 19:14:18 2010 (r216264) +++ stable/7/sys/dev/fxp/if_fxp.c Tue Dec 7 19:15:33 2010 (r216265) @@ -527,10 +527,12 @@ fxp_attach(device_t dev) } /* Receiver lock-up workaround detection. */ - fxp_read_eeprom(sc, &data, 3, 1); - if ((data & 0x03) != 0x03) { - sc->flags |= FXP_FLAG_RXBUG; - device_printf(dev, "Enabling Rx lock-up workaround\n"); + if (sc->revision < FXP_REV_82558_A4) { + fxp_read_eeprom(sc, &data, 3, 1); + if ((data & 0x03) != 0x03) { + sc->flags |= FXP_FLAG_RXBUG; + device_printf(dev, "Enabling Rx lock-up workaround\n"); + } } /* From owner-svn-src-stable@FreeBSD.ORG Tue Dec 7 22:00:49 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 398F31065672; Tue, 7 Dec 2010 22:00:49 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 28C948FC0A; Tue, 7 Dec 2010 22:00:49 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB7M0nju081264; Tue, 7 Dec 2010 22:00:49 GMT (envelope-from trasz@svn.freebsd.org) Received: (from trasz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB7M0nFa081262; Tue, 7 Dec 2010 22:00:49 GMT (envelope-from trasz@svn.freebsd.org) Message-Id: <201012072200.oB7M0nFa081262@svn.freebsd.org> 
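Review bot: Inside the new revision guard in r216265, the EEPROM test is carried over with bare literals: "fxp_read_eeprom(sc, &data, 3, 1);" followed by "if ((data & 0x03) != 0x03)". The log itself calls this an undocumented EEPROM location, so the word offset 3 and the 0x03 mask should get named constants or at least a comment recording what the two bits are believed to mean, since the driver still sets FXP_FLAG_RXBUG on the strength of them.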
From: Edward Tomasz Napierala Date: Tue, 7 Dec 2010 22:00:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216271 - stable/8/sys/cddl/compat/opensolaris/kern X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Dec 2010 22:00:49 -0000 Author: trasz Date: Tue Dec 7 22:00:48 2010 New Revision: 216271 URL: http://svn.freebsd.org/changeset/base/216271 Log: MFC r216084: Don't panic when we read an empty ACL from ZFS. Apparently this may happen with filesystems created under MacOS X ZFS port. This is kind of filesystem corruption (we don't allow for setting empty ACLs), so make acl_get_file(3) and related syscalls fail with EINVAL in that case. In theory, we could return empty ACL to userland, but I'm afraid this would break some code. Approved by: re (kib) Modified: stable/8/sys/cddl/compat/opensolaris/kern/opensolaris_acl.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/cddl/compat/opensolaris/kern/opensolaris_acl.c ============================================================================== --- stable/8/sys/cddl/compat/opensolaris/kern/opensolaris_acl.c Tue Dec 7 21:39:36 2010 (r216270) +++ stable/8/sys/cddl/compat/opensolaris/kern/opensolaris_acl.c Tue Dec 7 22:00:48 2010 (r216271) 
@@ -105,7 +105,10 @@ acl_from_aces(struct acl *aclp, const ac struct acl_entry *entry; const ace_t *ace; - KASSERT(nentries >= 1, ("empty ZFS ACL")); + if (nentries < 1) { + printf("acl_from_aces: empty ZFS ACL; returning EINVAL.\n"); + return (EINVAL); + } if (nentries > ACL_MAX_ENTRIES) { /* From owner-svn-src-stable@FreeBSD.ORG Wed Dec 8 07:00:23 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 38105106566B; Wed, 8 Dec 2010 07:00:23 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 273FF8FC18; Wed, 8 Dec 2010 07:00:23 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB870Nj8093630; Wed, 8 Dec 2010 07:00:23 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB870NLR093628; Wed, 8 Dec 2010 07:00:23 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <201012080700.oB870NLR093628@svn.freebsd.org> 
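Review bot: The replacement for the KASSERT in acl_from_aces() in r216271 calls printf() unconditionally on every call with nentries < 1, and the log says such ACLs occur on filesystems created by another ZFS port, so each acl_get_file(3) on an affected file writes a console line and an unprivileged user walking such a filesystem can flood the log. The message also does not say which file or filesystem is affected. Consider rate-limiting it or logging it once, and check that every caller of acl_from_aces() propagates the new EINVAL return instead of going on to use the ACL.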
From: Doug Barton Date: Wed, 8 Dec 2010 07:00:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216286 - stable/8/share/man/man4 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2010 07:00:23 -0000 Author: dougb Date: Wed Dec 8 07:00:22 2010 New Revision: 216286 URL: http://svn.freebsd.org/changeset/base/216286 Log: MFC r216065: Update the description of green_saver.ko Improvements to my suggested text from: jhb Approved by: re (kib) Modified: stable/8/share/man/man4/splash.4 Directory Properties: stable/8/share/man/man4/ (props changed) Modified: stable/8/share/man/man4/splash.4 ============================================================================== --- stable/8/share/man/man4/splash.4 Wed Dec 8 01:35:19 2010 (r216285) +++ stable/8/share/man/man4/splash.4 Wed Dec 8 07:00:22 2010 (r216286) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 15, 2006 +.Dd November 29, 2010 .Dt SPLASH 4 .Os .Sh NAME 
@@ -108,7 +108,10 @@ The screen will gradually fade away. .It Pa fire_saver.ko A fire which becomes higher as load increases. .It Pa green_saver.ko -If the monitor supports power saving mode, it will be turned off. +The screen will be blanked, similar to +.Pa blank_saver.ko . +If the monitor and the video card's BIOS support it +the screen will also be powered off. .It Pa logo_saver.ko Animated graphical .Bx From owner-svn-src-stable@FreeBSD.ORG Wed Dec 8 07:00:53 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7E9A10656A7; Wed, 8 Dec 2010 07:00:53 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id B71B38FC27; Wed, 8 Dec 2010 07:00:53 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB870rDd093673; Wed, 8 Dec 2010 07:00:53 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB870r1i093671; Wed, 8 Dec 2010 07:00:53 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <201012080700.oB870r1i093671@svn.freebsd.org> 
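Review bot: In the green_saver.ko entry of splash.4 in r216286, the added sentence "If the monitor and the video card's BIOS support it the screen will also be powered off." needs a comma after "support it". The mdoc source breaks the line at exactly that point, so the comma can go at the end of the first of the two added lines.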
From: Doug Barton Date: Wed, 8 Dec 2010 07:00:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216287 - stable/7/share/man/man4 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2010 07:00:53 -0000 Author: dougb Date: Wed Dec 8 07:00:53 2010 New Revision: 216287 URL: http://svn.freebsd.org/changeset/base/216287 Log: MFC r216065: Update the description of green_saver.ko Improvements to my suggested text from: jhb Approved by: re (kib) Modified: stable/7/share/man/man4/splash.4 Directory Properties: stable/7/share/man/man4/ (props changed) Modified: stable/7/share/man/man4/splash.4 ============================================================================== --- stable/7/share/man/man4/splash.4 Wed Dec 8 07:00:22 2010 (r216286) +++ stable/7/share/man/man4/splash.4 Wed Dec 8 07:00:53 2010 (r216287) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 15, 2006 +.Dd November 29, 2010 .Dt SPLASH 4 .Os .Sh NAME 
@@ -108,7 +108,10 @@ The screen will gradually fade away. .It Pa fire_saver.ko A fire which becomes higher as load increases. .It Pa green_saver.ko -If the monitor supports power saving mode, it will be turned off. +The screen will be blanked, similar to +.Pa blank_saver.ko . +If the monitor and the video card's BIOS support it +the screen will also be powered off. .It Pa logo_saver.ko Animated graphical .Bx From owner-svn-src-stable@FreeBSD.ORG Wed Dec 8 19:48:30 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1C2B0106566C; Wed, 8 Dec 2010 19:48:30 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 013978FC08; Wed, 8 Dec 2010 19:48:30 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB8JmTMu013093; Wed, 8 Dec 2010 19:48:29 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB8JmTOT013091; Wed, 8 Dec 2010 19:48:29 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201012081948.oB8JmTOT013091@svn.freebsd.org> 
From: Colin Percival Date: Wed, 8 Dec 2010 19:48:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216305 - stable/8/sys/i386/i386 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2010 19:48:30 -0000 Author: cperciva Date: Wed Dec 8 19:48:29 2010 New Revision: 216305 URL: http://svn.freebsd.org/changeset/base/216305 Log: MFC r216194 / MFamd64 r206610: Enforce stronger alignment semantics in order to unbreak the Xen blkfront driver. Approved by: re (kib) Modified: stable/8/sys/i386/i386/busdma_machdep.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/i386/i386/busdma_machdep.c ============================================================================== --- stable/8/sys/i386/i386/busdma_machdep.c Wed Dec 8 19:42:21 2010 (r216304) +++ stable/8/sys/i386/i386/busdma_machdep.c Wed Dec 8 19:48:29 2010 (r216305) @@ -249,8 +249,7 @@ bus_dma_tag_create(bus_dma_tag_t parent, newtag->alignment = alignment; newtag->boundary = boundary; newtag->lowaddr = trunc_page((vm_paddr_t)lowaddr) + (PAGE_SIZE - 1); - newtag->highaddr = trunc_page((vm_paddr_t)highaddr) + - (PAGE_SIZE - 1); + newtag->highaddr = trunc_page((vm_paddr_t)highaddr) + (PAGE_SIZE - 1); newtag->filter = filter; newtag->filterarg = filterarg; newtag->maxsize = maxsize; 
@@ -597,15 +596,19 @@ _bus_dmamap_count_pages(bus_dma_tag_t dm vendaddr = (vm_offset_t)buf + buflen; while (vaddr < vendaddr) { + bus_size_t sg_len; + + sg_len = PAGE_SIZE - ((vm_offset_t)vaddr & PAGE_MASK); if (pmap) paddr = pmap_extract(pmap, vaddr); else paddr = pmap_kextract(vaddr); if (((dmat->flags & BUS_DMA_COULD_BOUNCE) != 0) && run_filter(dmat, paddr) != 0) { + sg_len = roundup2(sg_len, dmat->alignment); map->pagesneeded++; } - vaddr += (PAGE_SIZE - ((vm_offset_t)vaddr & PAGE_MASK)); + vaddr += sg_len; } CTR1(KTR_BUSDMA, "pagesneeded= %d\n", map->pagesneeded); } @@ -672,6 +675,8 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dm bmask = ~(dmat->boundary - 1); for (seg = *segp; buflen > 0 ; ) { + bus_size_t max_sgsize; + /* * Get the physical address for this segment. */ @@ -683,11 +688,16 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dm /* * Compute the segment size, and adjust counts. */ - sgsize = PAGE_SIZE - ((u_long)curaddr & PAGE_MASK); - if (sgsize > dmat->maxsegsz) - sgsize = dmat->maxsegsz; - if (buflen < sgsize) - sgsize = buflen; + max_sgsize = MIN(buflen, dmat->maxsegsz); + sgsize = PAGE_SIZE - ((vm_offset_t)curaddr & PAGE_MASK); + if (((dmat->flags & BUS_DMA_COULD_BOUNCE) != 0) && + map->pagesneeded != 0 && run_filter(dmat, curaddr)) { + sgsize = roundup2(sgsize, dmat->alignment); + sgsize = MIN(sgsize, max_sgsize); + curaddr = add_bounce_page(dmat, map, vaddr, sgsize); + } else { + sgsize = MIN(sgsize, max_sgsize); + } /* * Make sure we don't cross any boundaries. 
@@ -698,10 +708,6 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dm sgsize = (baddr - curaddr); } - if (((dmat->flags & BUS_DMA_COULD_BOUNCE) != 0) && - map->pagesneeded != 0 && run_filter(dmat, curaddr)) - curaddr = add_bounce_page(dmat, map, vaddr, sgsize); - /* * Insert chunk into a segment, coalescing with * previous segment if possible. From owner-svn-src-stable@FreeBSD.ORG Wed Dec 8 19:59:54 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22D23106564A; Wed, 8 Dec 2010 19:59:54 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 0DD9C8FC19; Wed, 8 Dec 2010 19:59:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB8JxsWv013411; Wed, 8 Dec 2010 19:59:54 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB8JxrPK013393; Wed, 8 Dec 2010 19:59:53 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <201012081959.oB8JxrPK013393@svn.freebsd.org> 
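Review bot: Both roundup2() calls added in r216305, "sg_len = roundup2(sg_len, dmat->alignment);" in _bus_dmamap_count_pages() and "sgsize = roundup2(sgsize, dmat->alignment);" in _bus_dmamap_load_buffer(), are only correct when dmat->alignment is a non-zero power of two, and nothing in the visible hunks checks that. The context line in bus_dma_tag_create() shows the caller's value stored as is ("newtag->alignment = alignment;"), so either validate it there or add a KASSERT, and add a comment at both sites explaining why bounced segments are rounded up to the alignment.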
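Review bot: In the _bus_dmamap_load_buffer() hunks of r216305, add_bounce_page() now runs before the "Make sure we don't cross any boundaries" block, so the clamp "sgsize = (baddr - curaddr);" can shrink sgsize after that length has already been handed to add_bounce_page(). If that ordering is intended, a comment should say so; otherwise the bounce page is recorded with a longer length than the segment that is actually inserted.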
From: Doug Barton Date: Wed, 8 Dec 2010 19:59:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216307 - in stable/8/contrib/bind9: . bin/check bin/dig bin/named bin/named/include/named lib/dns lib/dns/include/dns lib/isc X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2010 19:59:54 -0000 Author: dougb Date: Wed Dec 8 19:59:53 2010 New Revision: 216307 URL: http://svn.freebsd.org/changeset/base/216307 Log: Update to version 9.6-ESV-R4, the latest from ISC, which addresses the following security vulnerabilities. For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories 1. Cache incorrectly allows ncache and rrsig for the same type http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613 Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled. 2. Key algorithm rollover http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614 Affects resolver operators who are validating with DNSSEC, and querying zones which are in a key rollover period. The bug will cause answers to incorrectly be marked as insecure. 
  Approved by: re (kensmith)

Added:
  stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html
     - copied unchanged from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html
  stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf
     - copied unchanged from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.pdf
  stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
     - copied unchanged from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt
  stable/8/contrib/bind9/release-notes.css
     - copied unchanged from r216290, vendor/bind9/dist/release-notes.css
Modified:
  stable/8/contrib/bind9/CHANGES
  stable/8/contrib/bind9/bin/check/check-tool.c
  stable/8/contrib/bind9/bin/check/check-tool.h
  stable/8/contrib/bind9/bin/check/named-checkconf.c
  stable/8/contrib/bind9/bin/check/named-checkzone.c
  stable/8/contrib/bind9/bin/dig/host.c
  stable/8/contrib/bind9/bin/named/client.c
  stable/8/contrib/bind9/bin/named/include/named/query.h
  stable/8/contrib/bind9/bin/named/query.c
  stable/8/contrib/bind9/bin/named/server.c
  stable/8/contrib/bind9/lib/dns/api
  stable/8/contrib/bind9/lib/dns/include/dns/view.h
  stable/8/contrib/bind9/lib/dns/journal.c
  stable/8/contrib/bind9/lib/dns/rbtdb.c
  stable/8/contrib/bind9/lib/dns/validator.c
  stable/8/contrib/bind9/lib/dns/view.c
  stable/8/contrib/bind9/lib/isc/api
  stable/8/contrib/bind9/lib/isc/print.c
  stable/8/contrib/bind9/version
Directory Properties:
  stable/8/contrib/bind9/ (props changed)

Modified: stable/8/contrib/bind9/CHANGES ============================================================================== --- stable/8/contrib/bind9/CHANGES Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/CHANGES Wed Dec 8 19:59:53 2010 (r216307) 
@@ -1,3 +1,55 @@ + + --- 9.6-ESV-R3 released --- + +2972. [bug] win32: address windows socket errors. [RT #21906] + +2971. [bug] Fixed a bug that caused journal files not to be + compacted on Windows systems as a result of + non-POSIX-compliant rename() semantics. [RT #22434] + +2970. [security] Adding a NO DATA negative cache entry failed to clear + any matching RRSIG records. A subsequent lookup of + of NO DATA cache entry could trigger a INSIST when the + unexpected RRSIG was also returned with the NO DATA + cache entry. + + CVE-2010-3613, VU#706148. [RT #22288] + +2969. [security] Fix acl type processing so that allow-query works + in options and view statements. Also add a new + set of tests to verify proper functioning. + + CVE-2010-3615, VU#510208. [RT #22418] + +2968. [security] Named could fail to prove a data set was insecure + before marking it as insecure. One set of conditions + that can trigger this occurs naturally when rolling + DNSKEY algorithms. + + CVE-2010-3614, VU#837744. [RT #22309] + +2967. [bug] 'host -D' now turns on debugging messages earlier. + [RT #22361] + +2966. [bug] isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). [RT #22270] + +2964. [bug] view->queryacl was being overloaded. Seperate the + usage into view->queryacl, view->cacheacl and + view->queryonacl. [RT #22114] + +2962. [port] win32: add more dependencies to BINDBuild.dsw. + [RT #22062] + +2952. [port] win32: named-checkzone and named-checkconf failed + to initialise winsock. [RT #21932] + +2951. [bug] named failed to generate a correct signed response + in a optout, delegation only zone with no secure + delegations. [RT #22007] + --- 9.6-ESV-R2 released --- 2939. 
[func] Check that named successfully skips NSEC3 records Copied: stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html (from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html Wed Dec 8 19:59:53 2010 (r216307, copy of r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html) @@ -0,0 +1,225 @@ + + + + + + +

+ +

Introduction

+ +

+ BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV. +

+

+ This document summarizes changes from BIND 9.6-ESV-R1 to BIND 9.6-ESV-R3. + Please see the CHANGES file in the source code release for a + complete list of all changes. +

+
+ +

Download

+ +

+ The latest release of BIND 9 software can always be found + on our web site at + http://www.isc.org/software/bind. + There you will find additional information about each release, + source code, and some pre-compiled versions for certain operating + systems. +

+
+ +

Support

+ +

Product support information is available on + http://www.isc.org/services/support + for paid support options. Free support is provided by our user + community via a mailing list. Information on all public email + lists is available at + https://lists.isc.org/mailman/listinfo. +

+
+ +

New Features

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +

None.

+
+
+ +

Feature Changes

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +

None.

+
+
+ +

Security Fixes

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +
  • + Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup + of the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] +
  • + BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the RRSIG + in the DNSKEY RRset when resuming from validating the DNSKEY RRset. + This can happen when in the middle of a DNSKEY algorithm rollover, + when two different algorithms were used to sign a zone but only the + new set of keys are in the zone DNSKEY RRset. + [RT #22309] [CVE-2010-3614] [VU#837744] +
+
+
+ +

Bug Fixes

+ +

9.6-ESV-R2

+ +
  • + Check that named successfully skips NSEC3 records + that fail to match the NSEC3PARAM record currently + in use. + [RT #21868] +
  • + Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could + incorrectly stay in an over memory state, effectively refusing + further caching, which subsequently made a BIND 9 caching + server unworkable. + [RT #21818] +
  • + BIND did not properly handle non-cacheable negative responses + from insecure zones. This caused several non-protocol-compliant + zones to become unresolvable. BIND is now more accepting of + responses it receives from less strict servers. + [RT #21555] +
  • + The resolver could attempt to destroy a fetch context too + soon, resulting in a crash. + [RT #19878] +
  • + The placeholder negative caching element was not + properly constructed triggering a crash (INSIST) in + dns_ncache_towire(). + [RT #21346] +
  • + Handle the introduction of new trusted-keys and + DS, DLV RRsets better. + [RT #21097] +
  • + Fix arguments to dns_keytable_findnextkeynode() call. + [RT #20877] +
+
+

9.6-ESV-R3

+ +
  • + Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. + This resolves an issue where sockets would shut down on + Windows servers causing named to stop responding to queries. + [RT #21906] +
  • + Windows has non-POSIX compliant behavior in its rename() and unlink() + calls. This caused journal compaction to fail on Windows BIND servers + with the log error: "dns_journal_compact failed: failure". + [RT #22434] +
  • + 'host -D' now turns on debugging messages earlier. + [RT #22361] +
  • + isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). + [RT #22270] +
  • + view->queryacl was being overloaded. Seperate the + usage into view->queryacl, view->cacheacl and + view->queryonacl. + [RT #22114] +
  • + win32: add more dependencies to BINDBuild.dsw. + [RT #22062] +
  • + win32: named-checkzone and named-checkconf failed + to initialise winsock. + [RT #21932] +
  • + named failed to generate a correct signed response + in a optout, delegation only zone with no secure + delegations. + [RT #22007] +
+
+
+ +

Known issues in this release

+ +
  • +

    + "make test" will fail on OSX and possibly other operating systems. + The failure occurs in a new test to check for allow-query ACLs. + The failure is caused because the source address is not specified on + the dig commands issued in the test. +

    +

    + If running "make test" is part of your usual acceptance process, + please edit the file bin/tests/system/allow_query/test.sh + and add +

    + -b 10.53.0.2 +

    + to the DIGOPTS line. +

    +
+
+ +

Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to make + quality open source software, please visit our donations page at + http://www.isc.org/supportisc. +

+
+
Copied: stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf (from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.pdf) ============================================================================== Binary file (source and/or target). No diff available. Copied: stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt (from r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/8/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt Wed Dec 8 19:59:53 2010 (r216307, copy of r216290, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt) 
@@ -0,0 +1,133 @@ + __________________________________________________________________ + +Introduction + + BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV. + + This document summarizes changes from BIND 9.6-ESV-R1 to BIND + 9.6-ESV-R3. Please see the CHANGES file in the source code release for + a complete list of all changes. + +Download + + The latest release of BIND 9 software can always be found on our web + site at http://www.isc.org/software/bind. There you will find + additional information about each release, source code, and some + pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Feature Changes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Security Fixes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + * Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup of + the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] + * BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the + RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY + RRset. This can happen when in the middle of a DNSKEY algorithm + rollover, when two different algorithms were used to sign a zone + but only the new set of keys are in the zone DNSKEY RRset. 
[RT + #22309] [CVE-2010-3614] [VU#837744] + +Bug Fixes + +9.6-ESV-R2 + + * Check that named successfully skips NSEC3 records that fail to + match the NSEC3PARAM record currently in use. [RT #21868] + * Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could incorrectly + stay in an over memory state, effectively refusing further caching, + which subsequently made a BIND 9 caching server unworkable. [RT + #21818] + * BIND did not properly handle non-cacheable negative responses from + insecure zones. This caused several non-protocol-compliant zones to + become unresolvable. BIND is now more accepting of responses it + receives from less strict servers. [RT #21555] + * The resolver could attempt to destroy a fetch context too soon, + resulting in a crash. [RT #19878] + * The placeholder negative caching element was not properly + constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT + #21346] + * Handle the introduction of new trusted-keys and DS, DLV RRsets + better. [RT #21097] + * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877] + +9.6-ESV-R3 + + * Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. This resolves an issue where sockets would shut down + on Windows servers causing named to stop responding to queries. [RT + #21906] + * Windows has non-POSIX compliant behavior in its rename() and + unlink() calls. This caused journal compaction to fail on Windows + BIND servers with the log error: "dns_journal_compact failed: + failure". [RT #22434] + * 'host -D' now turns on debugging messages earlier. 
[RT #22361] + * isc_print_vsnprintf() failed to check if there was space available + in the buffer when adding a left justified character with a non + zero width, (e.g. "%-1c"). [RT #22270] + * view->queryacl was being overloaded. Seperate the usage into + view->queryacl, view->cacheacl and view->queryonacl. [RT #22114] + * win32: add more dependencies to BINDBuild.dsw. [RT #22062] + * win32: named-checkzone and named-checkconf failed to initialise + winsock. [RT #21932] + * named failed to generate a correct signed response in a optout, + delegation only zone with no secure delegations. [RT #22007] + +Known issues in this release + + * "make test" will fail on OSX and possibly other operating systems. + The failure occurs in a new test to check for allow-query ACLs. The + failure is caused because the source address is not specified on + the dig commands issued in the test. + If running "make test" is part of your usual acceptance process, + please edit the file bin/tests/system/allow_query/test.sh and add + -b 10.53.0.2 + to the DIGOPTS line. + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc. Modified: stable/8/contrib/bind9/bin/check/check-tool.c ============================================================================== --- stable/8/contrib/bind9/bin/check/check-tool.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/check/check-tool.c Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */ +/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */ /*! \file */ @@ -23,6 +23,10 @@ #include +#ifdef _WIN32 +#include +#endif + #include "check-tool.h" #include #include @@ -662,3 +666,26 @@ dump_zone(const char *zonename, dns_zone return (result); } + +#ifdef _WIN32 +void +InitSockets(void) { + WORD wVersionRequested; + WSADATA wsaData; + int err; + + wVersionRequested = MAKEWORD(2, 0); + + err = WSAStartup( wVersionRequested, &wsaData ); + if (err != 0) { + fprintf(stderr, "WSAStartup() failed: %d\n", err); + exit(1); + } +} + +void +DestroySockets(void) { + WSACleanup(); +} +#endif + Modified: stable/8/contrib/bind9/bin/check/check-tool.h ============================================================================== --- stable/8/contrib/bind9/bin/check/check-tool.h Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/check/check-tool.h Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */ +/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H 
@@ -43,6 +43,11 @@ isc_result_t dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, dns_masterformat_t fileformat, const dns_master_style_t *style); +#ifdef _WIN32 +void InitSockets(void); +void DestroySockets(void); +#endif + extern int debug; extern isc_boolean_t nomerge; extern isc_boolean_t docheckmx; Modified: stable/8/contrib/bind9/bin/check/named-checkconf.c ============================================================================== --- stable/8/contrib/bind9/bin/check/named-checkconf.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/check/named-checkconf.c Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */ +/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -453,6 +453,10 @@ main(int argc, char **argv) { if (conffile == NULL || conffile[0] == '\0') conffile = NAMED_CONFFILE; +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); @@ -494,5 +498,9 @@ main(int argc, char **argv) { isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif + return (exit_status); } Modified: stable/8/contrib/bind9/bin/check/named-checkzone.c ============================================================================== --- stable/8/contrib/bind9/bin/check/named-checkzone.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/check/named-checkzone.c Wed Dec 8 19:59:53 2010 (r216307) 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.51.34.4 2009/11/10 20:01:41 each Exp $ */ +/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -419,6 +419,10 @@ main(int argc, char **argv) { if (isc_commandline_index + 2 != argc) usage(); +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); if (!quiet) RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) @@ -453,5 +457,8 @@ main(int argc, char **argv) { isc_hash_destroy(); isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif return ((result == ISC_R_SUCCESS) ? 0 : 1); } Modified: stable/8/contrib/bind9/bin/dig/host.c ============================================================================== --- stable/8/contrib/bind9/bin/dig/host.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/dig/host.c Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.116.216.3 2009/09/08 23:28:20 marka Exp $ */ +/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */ /*! \file */ @@ -625,7 +625,9 @@ pre_parse_args(int argc, char **argv) { case 'v': break; case 'w': break; case 'C': break; - case 'D': break; + case 'D': + debugging = ISC_TRUE; + break; case 'N': break; case 'R': break; case 'T': break; 
@@ -792,7 +794,7 @@ parse_args(isc_boolean_t is_batchfile, i ndots = atoi(isc_commandline_argument); break; case 'D': - debugging = ISC_TRUE; + /* Handled by pre_parse_args(). */ break; case '4': if (have_ipv4) { Modified: stable/8/contrib/bind9/bin/named/client.c ============================================================================== --- stable/8/contrib/bind9/bin/named/client.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/named/client.c Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */ +/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */ #include @@ -1859,13 +1859,13 @@ client_request(isc_task_t *task, isc_eve client->view->recursionacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, client->view->recursiononacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, - client->view->queryonacl, + client->view->cacheonacl, ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; Modified: stable/8/contrib/bind9/bin/named/include/named/query.h ============================================================================== --- stable/8/contrib/bind9/bin/named/include/named/query.h Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/named/include/named/query.h Wed Dec 8 19:59:53 2010 (r216307) 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 @@ -71,6 +71,8 @@ struct ns_query { #define NS_QUERYATTR_SECURE 0x0200 #define NS_QUERYATTR_NOAUTHORITY 0x0400 #define NS_QUERYATTR_NOADDITIONAL 0x0800 +#define NS_QUERYATTR_CACHEACLOKVALID 0x1000 +#define NS_QUERYATTR_CACHEACLOK 0x2000 isc_result_t ns_query_init(ns_client_t *client); Modified: stable/8/contrib/bind9/bin/named/query.c ============================================================================== --- stable/8/contrib/bind9/bin/named/query.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/named/query.c Wed Dec 8 19:59:53 2010 (r216307) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.313.20.16.10.2 2010/06/26 23:46:14 tbox Exp $ */ +/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */ /*! \file */ 
@@ -820,17 +820,15 @@ query_getcachedb(ns_client_t *client, dn return (DNS_R_REFUSED); dns_db_attach(client->view->cachedb, &db); - if ((client->query.attributes & - NS_QUERYATTR_QUERYOKVALID) != 0) { + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) { /* - * We've evaluated the view's queryacl already. If - * NS_QUERYATTR_QUERYOK is set, then the client is + * We've evaluated the view's cacheacl already. If + * NS_QUERYATTR_CACHEACLOK is set, then the client is * allowed to make queries, otherwise the query should * be refused. */ check_acl = ISC_FALSE; - if ((client->query.attributes & - NS_QUERYATTR_QUERYOK) == 0) + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0) goto refuse; } else { /* @@ -844,16 +842,15 @@ query_getcachedb(ns_client_t *client, dn char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; result = ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE); if (result == ISC_R_SUCCESS) { /* - * We were allowed by the default - * "allow-query" ACL. Remember this so we - * don't have to check again. + * We were allowed by the "allow-query-cache" ACL. + * Remember this so we don't have to check again. */ client->query.attributes |= - NS_QUERYATTR_QUERYOK; + NS_QUERYATTR_CACHEACLOK; if (log && isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) { 
@@ -876,9 +873,9 @@ query_getcachedb(ns_client_t *client, dn } /* * We've now evaluated the view's query ACL, and - * the NS_QUERYATTR_QUERYOK attribute is now valid. + * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid. */ - client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; + client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; if (result != ISC_R_SUCCESS) goto refuse; Modified: stable/8/contrib/bind9/bin/named/server.c ============================================================================== --- stable/8/contrib/bind9/bin/named/server.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/bin/named/server.c Wed Dec 8 19:59:53 2010 (r216307) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */ +/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */ /*! \file */ @@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const c dns_acache_setcachesize(view->acache, max_acache_size); } + CHECK(configure_view_acl(vconfig, config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + + if (view->queryacl == NULL) { + CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + } + /* * Configure the zones. */ @@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const c * configured in named.conf. */ CHECK(configure_view_acl(vconfig, config, "allow-query-cache", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", - actx, ns_g_mctx, &view->queryonacl)); - if (view->queryonacl == NULL) + actx, ns_g_mctx, &view->cacheonacl)); + if (view->cacheonacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache-on", actx, - ns_g_mctx, &view->queryonacl)); + ns_g_mctx, &view->cacheonacl)); if (strcmp(view->name, "_bind") != 0) { CHECK(configure_view_acl(vconfig, config, "allow-recursion", actx, ns_g_mctx, 
@@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const c * "allow-recursion" inherits from "allow-query-cache" if set, * otherwise from "allow-query" if set. */ - if (view->queryacl == NULL && view->recursionacl != NULL) - dns_acl_attach(view->recursionacl, &view->queryacl); - if (view->queryacl == NULL && view->recursion) + if (view->cacheacl == NULL && view->recursionacl != NULL) + dns_acl_attach(view->recursionacl, &view->cacheacl); + if (view->cacheacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); if (view->recursion && - view->recursionacl == NULL && view->queryacl != NULL) - dns_acl_attach(view->queryacl, &view->recursionacl); + view->recursionacl == NULL && view->cacheacl != NULL) + dns_acl_attach(view->cacheacl, &view->recursionacl); /* * Set default "allow-recursion", "allow-recursion-on" and @@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const c "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); - if (view->queryacl == NULL) { + if (view->cacheacl == NULL) { if (view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache", actx, - ns_g_mctx, &view->queryacl)); - else { - if (view->queryacl != NULL) - dns_acl_detach(&view->queryacl); - CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); - } + ns_g_mctx, &view->cacheacl)); + else + CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl)); } /* Modified: stable/8/contrib/bind9/lib/dns/api ============================================================================== --- stable/8/contrib/bind9/lib/dns/api Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/lib/dns/api Wed Dec 8 19:59:53 2010 (r216307) 
@@ -1,3 +1,3 @@ -LIBINTERFACE = 57 +LIBINTERFACE = 58 LIBREVISION = 0 -LIBAGE = 2 +LIBAGE = 0 Modified: stable/8/contrib/bind9/lib/dns/include/dns/view.h ============================================================================== --- stable/8/contrib/bind9/lib/dns/include/dns/view.h Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/lib/dns/include/dns/view.h Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */ +/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */ #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -118,6 +118,8 @@ struct dns_view { isc_boolean_t enablevalidation; isc_boolean_t acceptexpired; dns_transfer_format_t transfer_format; + dns_acl_t * cacheacl; + dns_acl_t * cacheonacl; dns_acl_t * queryacl; dns_acl_t * queryonacl; dns_acl_t * recursionacl; Modified: stable/8/contrib/bind9/lib/dns/journal.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/journal.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/lib/dns/journal.c Wed Dec 8 19:59:53 2010 (r216307) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.103.48.6 2009/11/04 23:47:25 tbox Exp $ */ +/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */ #include 
@@ -2173,6 +2173,12 @@ dns_journal_compact(isc_mem_t *mctx, cha indexend = new->header.end.offset; } + + /* + * Close both journals before trying to rename files (this is + * necessary on WIN32). + */ + dns_journal_destroy(&j); dns_journal_destroy(&new); /* @@ -2180,12 +2186,14 @@ dns_journal_compact(isc_mem_t *mctx, cha * Any IXFR outs will just continue and the old journal will be * removed on final close. * - * With MSDOS / NTFS we need to do a two stage rename triggered - * bu EEXISTS. Hopefully all IXFR's that were active at the last - * rename are now complete. + * With MSDOS / NTFS we need to do a two stage rename, triggered + * by EEXIST. (If any IXFR's are running in other threads, however, + * this will fail, and the journal will not be compacted. But + * if so, hopefully they'll be finished by the next time we + * compact.) */ if (rename(newname, filename) == -1) { - if (errno == EACCES && !is_backup) { + if (errno == EEXIST && !is_backup) { result = isc_file_remove(backup); if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) @@ -2202,7 +2210,6 @@ dns_journal_compact(isc_mem_t *mctx, cha } } - dns_journal_destroy(&j); result = ISC_R_SUCCESS; failure: Modified: stable/8/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/rbtdb.c Wed Dec 8 19:52:04 2010 (r216306) +++ stable/8/contrib/bind9/lib/dns/rbtdb.c Wed Dec 8 19:59:53 2010 (r216307) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.16.10.3 2010/08/13 07:25:21 marka Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */ /*! \file */ 
@@ -5421,14 +5421,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r dns_rdataset_t *addedrdataset, isc_stdtime_t now) { rbtdb_changed_t *changed = NULL; - rdatasetheader_t *topheader, *topheader_prev, *header; + rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader; unsigned char *merged; isc_result_t result; isc_boolean_t header_nx; isc_boolean_t newheader_nx; isc_boolean_t merge; dns_rdatatype_t rdtype, covers; - rbtdb_rdatatype_t negtype; + rbtdb_rdatatype_t negtype, sigtype; dns_trust_t trust; int idx; @@ -5466,7 +5466,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE; topheader_prev = NULL; - + sigheader = NULL; negtype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); 
@@ -5475,26 +5475,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r * We're adding a negative cache entry. */ covers = RBTDB_RDATATYPE_EXT(newheader->type); - if (covers == dns_rdatatype_any) { + sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, + covers); + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { /* - * We're adding an negative cache entry + * If we're adding an negative cache entry * which covers all types (NXDOMAIN, * NODATA(QTYPE=ANY)). * * We make all other data stale so that the * only rdataset that can be found at this * node is the negative cache entry. + * + * Otherwise look for any RRSIGs of the + * given type so they can be marked stale + * later. */ - for (topheader = rbtnode->data; - topheader != NULL; - topheader = topheader->next) { + if (covers == dns_rdatatype_any) { set_ttl(rbtdb, topheader, 0); topheader->attributes |= RDATASET_ATTR_STALE; - } - rbtnode->dirty = 1; - goto find_header; *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 15:24:59 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC2F61065670; Thu, 9 Dec 2010 15:24:59 +0000 (UTC) (envelope-from brucec@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 9AC888FC13; Thu, 9 Dec 2010 15:24:59 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9FOxrr042431; Thu, 9 Dec 2010 15:24:59 GMT (envelope-from brucec@svn.freebsd.org) Received: (from brucec@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9FOxKD042428; Thu, 9 Dec 2010 15:24:59 GMT (envelope-from brucec@svn.freebsd.org) Message-Id: <201012091524.oB9FOxKD042428@svn.freebsd.org> 
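Review bot: In struct dns_view in view.h, the new `cacheacl` and `cacheonacl` members are added without any comment saying how they differ from `queryacl` and `queryonacl` directly below them; a one-line description for each would help. Inserting them in the middle of the struct changes its layout, which is consistent with the LIBINTERFACE bump to 58 and the LIBAGE reset to 0 in the api hunk of the same message.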
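Review bot: In dns_journal_compact() in journal.c, the two-stage rename fallback now runs only when rename() fails with `errno == EEXIST`, where it used to run on EACCES, so any platform that still reports EACCES for an existing or open target will skip the backup-and-retry path. If both values can occur, test for either one. The move of `dns_journal_destroy(&j)` ahead of the rename also means the code after `failure:` (not shown in the hunk) has to cope with `j` already having been destroyed; confirm that it does.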
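Review bot: In add() in rbtdb.c, the rewritten comment inside the new `for` loop still reads "adding an negative cache entry"; it should be "a negative cache entry". The loop over `rbtnode->data` now runs for every negative cache entry instead of only when `covers == dns_rdatatype_any`, and the hunk is cut off by the truncation marker before `sigheader` and `sigtype` are used, so the stale-marking of the matching RRSIG cannot be checked from this message.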
From: Bruce Cran Date: Thu, 9 Dec 2010 15:24:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216325 - stable/8/usr.sbin/sysinstall X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 15:24:59 -0000 Author: brucec Date: Thu Dec 9 15:24:59 2010 New Revision: 216325 URL: http://svn.freebsd.org/changeset/base/216325 Log: MFC r216243: Ignore any failures with the "local" distribution since it's not present on release CDs and so will normally fail. installCommit() returns a DITEM_ value, not a Boolean. distExtractAll() returns a Boolean, not a DITEM_ value. Approved by: re (kensmith) Modified: stable/8/usr.sbin/sysinstall/dist.c stable/8/usr.sbin/sysinstall/install.c Directory Properties: stable/8/usr.sbin/sysinstall/ (props changed) Modified: stable/8/usr.sbin/sysinstall/dist.c ============================================================================== --- stable/8/usr.sbin/sysinstall/dist.c Thu Dec 9 12:30:13 2010 (r216324) +++ stable/8/usr.sbin/sysinstall/dist.c Thu Dec 9 15:24:59 2010 (r216325) @@ -765,6 +765,9 @@ distExtract(char *parent, Distribution * canceled = 1; status = FALSE; + } else { + // ignore any failures with DIST_LOCAL + status = TRUE; } } break; 
@@ -921,7 +924,7 @@ distExtractAll(dialogMenuItem *self) restorescr(w); if (extract_status == FALSE) - status = DITEM_FAILURE; + status = FALSE; return status; } Modified: stable/8/usr.sbin/sysinstall/install.c ============================================================================== --- stable/8/usr.sbin/sysinstall/install.c Thu Dec 9 12:30:13 2010 (r216324) +++ stable/8/usr.sbin/sysinstall/install.c Thu Dec 9 15:24:59 2010 (r216325) @@ -853,7 +853,7 @@ try_media: i = distExtractAll(self); if (i == FALSE) - return FALSE; + return DITEM_FAILURE; /* When running as init, *now* it's safe to grab the rc.foo vars */ installEnvironment(); From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 15:26:38 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82766106566B; Thu, 9 Dec 2010 15:26:38 +0000 (UTC) (envelope-from brucec@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 7189E8FC0C; Thu, 9 Dec 2010 15:26:38 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9FQcev042532; Thu, 9 Dec 2010 15:26:38 GMT (envelope-from brucec@svn.freebsd.org) Received: (from brucec@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9FQcnd042530; Thu, 9 Dec 2010 15:26:38 GMT (envelope-from brucec@svn.freebsd.org) Message-Id: <201012091526.oB9FQcnd042530@svn.freebsd.org> 
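Review bot: In distExtract() in dist.c, the added `else` branch sets `status = TRUE` for every case that reaches it, and nothing in the visible lines checks that the distribution being extracted is the "local" one named in the comment and the log message. Confirm that the enclosing condition (outside this hunk) limits the branch to DIST_LOCAL; if it does not, extraction failures of other distributions are reported as success and the install continues with missing files. An explicit test on the distribution at this point would make the intent clear.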
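Review bot: In distExtractAll() in dist.c, only the failure assignment is switched to `FALSE`; the initial value of `status` is outside the hunk, and if it is still set from a DITEM_ constant the function keeps mixing the two return conventions that the log message separates. The caller in install.c now maps `i == FALSE` to `DITEM_FAILURE`, so `status` should be `TRUE` or `FALSE` on every path.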
From: Bruce Cran Date: Thu, 9 Dec 2010 15:26:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216326 - stable/8/usr.sbin/boot0cfg X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 15:26:38 -0000 Author: brucec Date: Thu Dec 9 15:26:38 2010 New Revision: 216326 URL: http://svn.freebsd.org/changeset/base/216326 Log: MFC r216229: Revert r209469: it causes the rest of the function to be bypassed. Approved by: re (kensmith) Modified: stable/8/usr.sbin/boot0cfg/boot0cfg.c Directory Properties: stable/8/usr.sbin/boot0cfg/ (props changed) Modified: stable/8/usr.sbin/boot0cfg/boot0cfg.c ============================================================================== --- stable/8/usr.sbin/boot0cfg/boot0cfg.c Thu Dec 9 15:24:59 2010 (r216325) +++ stable/8/usr.sbin/boot0cfg/boot0cfg.c Thu Dec 9 15:26:38 2010 (r216326) 
@@ -356,8 +356,6 @@ write_mbr(const char *fname, int flags, if (n != mbr_size) errx(1, "%s: short write", fname); return; - } else { - err(1, "write_mbr: %s", fname); } /* From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 15:27:43 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF2F71065679; Thu, 9 Dec 2010 15:27:43 +0000 (UTC) (envelope-from brucec@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 9DDAB8FC17; Thu, 9 Dec 2010 15:27:43 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9FRhvV042593; Thu, 9 Dec 2010 15:27:43 GMT (envelope-from brucec@svn.freebsd.org) Received: (from brucec@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9FRh8k042590; Thu, 9 Dec 2010 15:27:43 GMT (envelope-from brucec@svn.freebsd.org) Message-Id: <201012091527.oB9FRh8k042590@svn.freebsd.org> 
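Review bot: In write_mbr() in boot0cfg.c, the fall-through restored by removing the `else { err(1, "write_mbr: %s", fname); }` branch is not marked as intentional. Since the log says the reverted change caused the rest of the function to be bypassed, a short comment after the closing brace, stating that the code below is meant to run when the block above did not return, would keep the same `err()` from being added again.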
From: Bruce Cran Date: Thu, 9 Dec 2010 15:27:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216327 - stable/7/usr.sbin/sysinstall X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 15:27:43 -0000 Author: brucec Date: Thu Dec 9 15:27:43 2010 New Revision: 216327 URL: http://svn.freebsd.org/changeset/base/216327 Log: MFC r216243: Ignore any failures with the "local" distribution since it's not present on release CDs and so will normally fail. installCommit() returns a DITEM_ value, not a Boolean. distExtractAll() returns a Boolean, not a DITEM_ value. Approved by: re (kensmith) Modified: stable/7/usr.sbin/sysinstall/dist.c stable/7/usr.sbin/sysinstall/install.c Directory Properties: stable/7/usr.sbin/sysinstall/ (props changed) Modified: stable/7/usr.sbin/sysinstall/dist.c ============================================================================== --- stable/7/usr.sbin/sysinstall/dist.c Thu Dec 9 15:26:38 2010 (r216326) +++ stable/7/usr.sbin/sysinstall/dist.c Thu Dec 9 15:27:43 2010 (r216327) @@ -781,6 +781,9 @@ distExtract(char *parent, Distribution * canceled = 1; status = FALSE; + } else { + // ignore any failures with DIST_LOCAL + status = TRUE; } } break; 
@@ -878,7 +881,7 @@ distExtractAll(dialogMenuItem *self) restorescr(w); if (extract_status == FALSE) - status = DITEM_FAILURE; + status = FALSE; return status; } Modified: stable/7/usr.sbin/sysinstall/install.c ============================================================================== --- stable/7/usr.sbin/sysinstall/install.c Thu Dec 9 15:26:38 2010 (r216326) +++ stable/7/usr.sbin/sysinstall/install.c Thu Dec 9 15:27:43 2010 (r216327) @@ -817,7 +817,7 @@ try_media: i = distExtractAll(self); if (i == FALSE) - return FALSE; + return DITEM_FAILURE; /* When running as init, *now* it's safe to grab the rc.foo vars */ installEnvironment(); From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 15:28:59 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97067106566C; Thu, 9 Dec 2010 15:28:59 +0000 (UTC) (envelope-from brucec@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 85F648FC15; Thu, 9 Dec 2010 15:28:59 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9FSxN6042652; Thu, 9 Dec 2010 15:28:59 GMT (envelope-from brucec@svn.freebsd.org) Received: (from brucec@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9FSxcV042650; Thu, 9 Dec 2010 15:28:59 GMT (envelope-from brucec@svn.freebsd.org) Message-Id: <201012091528.oB9FSxcV042650@svn.freebsd.org> 
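Review bot: In distExtract() in stable/7 dist.c, the new comment uses `//` while the comments visible elsewhere in this change use `/* */` (for example the "When running as init" comment in install.c); writing it as `/* ignore any failures with DIST_LOCAL */` keeps the file consistent.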
From: Bruce Cran Date: Thu, 9 Dec 2010 15:28:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216328 - stable/7/usr.sbin/boot0cfg X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 15:28:59 -0000 Author: brucec Date: Thu Dec 9 15:28:59 2010 New Revision: 216328 URL: http://svn.freebsd.org/changeset/base/216328 Log: MFC r216229: Revert r209469: it causes the rest of the function to be bypassed. Approved by: re (kensmith) Modified: stable/7/usr.sbin/boot0cfg/boot0cfg.c Directory Properties: stable/7/usr.sbin/boot0cfg/ (props changed) Modified: stable/7/usr.sbin/boot0cfg/boot0cfg.c ============================================================================== --- stable/7/usr.sbin/boot0cfg/boot0cfg.c Thu Dec 9 15:27:43 2010 (r216327) +++ stable/7/usr.sbin/boot0cfg/boot0cfg.c Thu Dec 9 15:28:59 2010 (r216328) 
@@ -355,8 +355,6 @@ write_mbr(const char *fname, int flags, if (n != mbr_size) errx(1, "%s: short write", fname); return; - } else { - err(1, "write_mbr: %s", fname); } if (flags != 0) From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 21:11:53 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2222106566B; Thu, 9 Dec 2010 21:11:53 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id AD2C48FC0C; Thu, 9 Dec 2010 21:11:53 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9LBrrs050906; Thu, 9 Dec 2010 21:11:53 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9LBrp0050900; Thu, 9 Dec 2010 21:11:53 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <201012092111.oB9LBrp0050900@svn.freebsd.org> 
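Review bot: In write_mbr() in stable/7 boot0cfg.c, the unchanged context `if (n != mbr_size) errx(1, "%s: short write", fname);` reports every mismatch as a short write and, because it uses `errx()`, never prints errno. If `n` can be negative here, a separate `err()` for that case would tell a failed write apart from a partial one.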
From: Doug Barton Date: Thu, 9 Dec 2010 21:11:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216336 - in stable/7/contrib/bind9: . bin/named doc/draft lib/dns lib/dns/include/dns lib/isc X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 21:11:53 -0000 Author: dougb Date: Thu Dec 9 21:11:53 2010 New Revision: 216336 URL: http://svn.freebsd.org/changeset/base/216336 Log: MFV: vendor/bind9/dist-9.4 Update to version 9.4-ESV-R4, the latest from ISC, which addresses the following security vulnerabilities. For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories 1. Cache incorrectly allows ncache and rrsig for the same type http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613 Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled. 2. Key algorithm rollover http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614 Affects resolver operators who are validating with DNSSEC, and querying zones which are in a key rollover period. The bug will cause answers to incorrectly be marked as insecure. 
Approved by: re (kib) Added: stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.html - copied unchanged from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.html stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.pdf - copied unchanged from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.pdf stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.txt - copied unchanged from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.txt stable/7/contrib/bind9/doc/draft/draft-ietf-behave-dns64-11.txt - copied unchanged from r216303, vendor/bind9/dist-9.4/doc/draft/draft-ietf-behave-dns64-11.txt stable/7/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-12.txt - copied unchanged from r216303, vendor/bind9/dist-9.4/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-12.txt stable/7/contrib/bind9/release-notes.css - copied unchanged from r216303, vendor/bind9/dist-9.4/release-notes.css Deleted: stable/7/contrib/bind9/doc/draft/draft-ietf-behave-dns64-10.txt stable/7/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-10.txt Modified: stable/7/contrib/bind9/CHANGES stable/7/contrib/bind9/bin/named/query.c stable/7/contrib/bind9/lib/dns/api stable/7/contrib/bind9/lib/dns/include/dns/db.h stable/7/contrib/bind9/lib/dns/rbtdb.c stable/7/contrib/bind9/lib/dns/validator.c stable/7/contrib/bind9/lib/isc/api stable/7/contrib/bind9/lib/isc/print.c stable/7/contrib/bind9/version Directory Properties: stable/7/contrib/bind9/ (props changed) Modified: stable/7/contrib/bind9/CHANGES ============================================================================== --- stable/7/contrib/bind9/CHANGES Thu Dec 9 21:02:22 2010 (r216335) +++ stable/7/contrib/bind9/CHANGES Thu Dec 9 21:11:53 2010 (r216336) 
@@ -1,3 +1,30 @@ + --- 9.4-ESV-R4 released --- + +2970. [security] Adding a NO DATA negative cache entry failed to clear + any matching RRSIG records. A subsequent lookup of + of NO DATA cache entry could trigger a INSIST when the + unexpected RRSIG was also returned with the NO DATA + cache entry. + + CVE-2010-3613, VU#706148. [RT #22288] + +2968. [security] Named could fail to prove a data set was insecure + before marking it as insecure. One set of conditions + that can trigger this occurs naturally when rolling + DNSKEY algorithms. + + CVE-2010-3614, VU#837744. [RT #22309] + +2966. [bug] isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). [RT #22270] + +2962. [port] win32: add more dependancies to BINDBuild.dsw. + [RT #22062] + +2786. [bug] Additional could be promoted to answer. [RT #20663] + --- 9.4-ESV-R3 released --- 2925. [bug] Named failed to accept uncachable negative responses Copied: stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.html (from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.html) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.html Thu Dec 9 21:11:53 2010 (r216336, copy of r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.html) @@ -0,0 +1,123 @@ + + + + + + +

+ +

Introduction

+ +

+ BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV. +

+

+ This document summarizes changes from BIND 9.4-ESV-R3 to BIND 9.4-ESV-R4. + Please see the CHANGES file in the source code release for a + complete list of all changes. +

+
+ +

Download

+ +

+ The latest release of BIND 9 software can always be found + on our web site at + http://www.isc.org/software/bind. + There you will find additional information about each release, + source code, and some pre-compiled versions for certain operating + systems. +

+
+ +

Support

+ +

Product support information is available on + http://www.isc.org/services/support + for paid support options. Free support is provided by our user + community via a mailing list. Information on all public email + lists is available at + https://lists.isc.org/mailman/listinfo. +

+
+ +

New Features

+ +

9.4-ESV-R4

+ +

None.

+
+
+ +

Feature Changes

+ +

9.4-ESV-R4

+ +

None.

+
+
+ +

Security Fixes

+ +

9.4-ESV-R4

+ +
  • + Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup + of the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] +
  • + BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the RRSIG + in the DNSKEY RRset when resuming from validating the DNSKEY RRset. + This can happen when in the middle of a DNSKEY algorithm rollover, + when two different algorithms were used to sign a zone but only the + new set of keys are in the zone DNSKEY RRset. + [RT #22309] [CVE-2010-3614] [VU#837744] +
+
+
+ +

Bug Fixes

+ +

9.4-ESV-R4

+ +
  • + isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). + [RT #22270] +
  • + win32: add more dependencies to BINDBuild.dsw. + [RT #22062] +
+
+
+ +

Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to make + quality open source software, please visit our donations page at + http://www.isc.org/supportisc. +

+
+
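Review bot: In the Introduction of the added RELEASE-NOTES-BIND-9.4-ESV.html, the first sentence names the release "BIND 9.3-ESV-R4", while the next paragraph, the section headings and the commit log all say 9.4-ESV-R4. The same sentence appears in the .txt copy. Since both files are copied unchanged from the vendor branch, the mismatch is best reported upstream rather than patched locally.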
Copied: stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.pdf (from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.pdf) ============================================================================== Binary file (source and/or target). No diff available. Copied: stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.txt (from r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.txt) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/7/contrib/bind9/RELEASE-NOTES-BIND-9.4-ESV.txt Thu Dec 9 21:11:53 2010 (r216336, copy of r216303, vendor/bind9/dist-9.4/RELEASE-NOTES-BIND-9.4-ESV.txt) 
@@ -0,0 +1,70 @@ + __________________________________________________________________ + +Introduction + + BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV. + + This document summarizes changes from BIND 9.4-ESV-R3 to BIND + 9.4-ESV-R4. Please see the CHANGES file in the source code release for + a complete list of all changes. + +Download + + The latest release of BIND 9 software can always be found on our web + site at http://www.isc.org/software/bind. There you will find + additional information about each release, source code, and some + pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.4-ESV-R4 + + None. + +Feature Changes + +9.4-ESV-R4 + + None. + +Security Fixes + +9.4-ESV-R4 + + * Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup of + the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] + * BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the + RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY + RRset. This can happen when in the middle of a DNSKEY algorithm + rollover, when two different algorithms were used to sign a zone + but only the new set of keys are in the zone DNSKEY RRset. 
[RT + #22309] [CVE-2010-3614] [VU#837744] + +Bug Fixes + +9.4-ESV-R4 + + * isc_print_vsnprintf() failed to check if there was space available + in the buffer when adding a left justified character with a non + zero width, (e.g. "%-1c"). [RT #22270] + * win32: add more dependencies to BINDBuild.dsw. [RT #22062] + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc. Modified: stable/7/contrib/bind9/bin/named/query.c ============================================================================== --- stable/7/contrib/bind9/bin/named/query.c Thu Dec 9 21:02:22 2010 (r216335) +++ stable/7/contrib/bind9/bin/named/query.c Thu Dec 9 21:11:53 2010 (r216336) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.257.18.55 2010/07/03 23:45:26 tbox Exp $ */ +/* $Id: query.c,v 1.257.18.56 2010/11/17 10:21:01 marka Exp $ */ /*! \file */ @@ -1129,7 +1129,8 @@ query_addadditional(void *arg, dns_name_ goto cleanup; } result = dns_db_find(db, name, version, type, - client->query.dboptions | DNS_DBFIND_GLUEOK, + client->query.dboptions | + DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK, client->now, &node, fname, rdataset, sigrdataset); if (result == DNS_R_GLUE && @@ -1614,7 +1615,8 @@ query_addadditional2(void *arg, dns_name goto try_glue; result = dns_db_find(db, name, version, type, - client->query.dboptions | DNS_DBFIND_GLUEOK, + client->query.dboptions | + DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK, client->now, &node, fname, NULL, NULL); if (result == ISC_R_SUCCESS) goto found; Copied: stable/7/contrib/bind9/doc/draft/draft-ietf-behave-dns64-11.txt (from r216303, vendor/bind9/dist-9.4/doc/draft/draft-ietf-behave-dns64-11.txt) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/7/contrib/bind9/doc/draft/draft-ietf-behave-dns64-11.txt Thu Dec 9 21:11:53 2010 (r216336, copy of r216303, vendor/bind9/dist-9.4/doc/draft/draft-ietf-behave-dns64-11.txt) 
@@ -0,0 +1,1792 @@ + + + +BEHAVE WG M. Bagnulo +Internet-Draft UC3M +Intended status: Standards Track A. Sullivan +Expires: April 4, 2011 Shinkuro + P. Matthews + Alcatel-Lucent + I. van Beijnum + IMDEA Networks + October 1, 2010 + + +DNS64: DNS extensions for Network Address Translation from IPv6 Clients + to IPv4 Servers + draft-ietf-behave-dns64-11 + +Abstract + + DNS64 is a mechanism for synthesizing AAAA records from A records. + DNS64 is used with an IPv6/IPv4 translator to enable client-server + communication between an IPv6-only client and an IPv4-only server, + without requiring any changes to either the IPv6 or the IPv4 node, + for the class of applications that work through NATs. This document + specifies DNS64, and provides suggestions on how it should be + deployed in conjunction with IPv6/IPv4 translators. + +Status of this Memo + + This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + This Internet-Draft will expire on April 4, 2011. + +Copyright Notice + + Copyright (c) 2010 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + + + +Bagnulo, et al. Expires April 4, 2011 [Page 1] + +Internet-Draft DNS64 October 2010 + + + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. 
Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 2] + +Internet-Draft DNS64 October 2010 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Background to DNS64-DNSSEC interaction . . . . . . . . . . . . 8 + 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 5. DNS64 Normative Specification . . . . . . . . . . . . . . . . 11 + 5.1. Resolving AAAA queries and the answer section . . . . . . 11 + 5.1.1. The answer when there is AAAA data available . . . . . 12 + 5.1.2. The answer when there is an error . . . . . . . . . . 12 + 5.1.3. Dealing with timeouts . . . . . . . . . . . . . . . . 12 + 5.1.4. Special exclusion set for AAAA records . . . . . . . . 13 + 5.1.5. Dealing with CNAME and DNAME . . . . . . . . . . . . . 13 + 5.1.6. Data for the answer when performing synthesis . . . . 13 + 5.1.7. Performing the synthesis . . . . . . . . . . . . . . . 14 + 5.1.8. Querying in parallel . . . . . . . . . . . . . . . . . 14 + 5.2. Generation of the IPv6 representations of IPv4 + addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 + 5.3. Handling other Resource Records and the Additional + Section . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 5.3.1. PTR Resource Record . . . . . . . . . . . . . . . . . 16 + 5.3.2. Handling the additional section . . . . . . . . . . . 17 + 5.3.3. Other Resource Records . . . . . . . . . . . . . . . . 17 + 5.4. Assembling a synthesized response to a AAAA query . . . . 
18 + 5.5. DNSSEC processing: DNS64 in validating resolver mode . . . 18 + 6. Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 19 + 6.1. DNS resolvers and DNS64 . . . . . . . . . . . . . . . . . 19 + 6.2. DNSSEC validators and DNS64 . . . . . . . . . . . . . . . 20 + 6.3. DNS64 and multihomed and dual-stack hosts . . . . . . . . 20 + 6.3.1. IPv6 multihomed hosts . . . . . . . . . . . . . . . . 20 + 6.3.2. Accidental dual-stack DNS64 use . . . . . . . . . . . 21 + 6.3.3. Intentional dual-stack DNS64 use . . . . . . . . . . . 21 + 7. Deployment scenarios and examples . . . . . . . . . . . . . . 22 + 7.1. Example of An-IPv6-network-to-IPv4-Internet setup with + DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 22 + 7.2. An example of an-IPv6-network-to-IPv4-Internet setup + with DNS64 in stub-resolver mode . . . . . . . . . . . . . 24 + 7.3. Example of IPv6-Internet-to-an-IPv4-network setup + DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 25 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 27 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 + 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 + 12.2. Informative References . . . . . . . . . . . . . . . . . . 29 + Appendix A. Motivations and Implications of synthesizing AAAA + Resource Records when real AAAA Resource Records + + + +Bagnulo, et al. Expires April 4, 2011 [Page 3] + +Internet-Draft DNS64 October 2010 + + + exist . . . . . . . . . . . . . . . . . . . . . . . . 30 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Bagnulo, et al. 
Expires April 4, 2011 [Page 4] + +Internet-Draft DNS64 October 2010 + + +1. Introduction + + This document specifies DNS64, a mechanism that is part of the + toolbox for IPv6-IPv4 transition and co-existence. DNS64, used + together with an IPv6/IPv4 translator such as stateful NAT64 + [I-D.ietf-behave-v6v4-xlate-stateful], allows an IPv6-only client to + initiate communications by name to an IPv4-only server. + + DNS64 is a mechanism for synthesizing AAAA resource records (RRs) + from A RRs. A synthetic AAAA RR created by the DNS64 from an + original A RR contains the same owner name of the original A RR but + it contains an IPv6 address instead of an IPv4 address. The IPv6 + address is an IPv6 representation of the IPv4 address contained in + the original A RR. The IPv6 representation of the IPv4 address is + algorithmically generated from the IPv4 address returned in the A RR + and a set of parameters configured in the DNS64 (typically, an IPv6 + prefix used by IPv6 representations of IPv4 addresses and optionally + other parameters). + + Together with an IPv6/IPv4 translator, these two mechanisms allow an + IPv6-only client to initiate communications to an IPv4-only server + using the FQDN of the server. + + These mechanisms are expected to play a critical role in the IPv4- + IPv6 transition and co-existence. Due to IPv4 address depletion, it + is likely that in the future, many IPv6-only clients will want to + connect to IPv4-only servers. In the typical case, the approach only + requires the deployment of IPv6/IPv4 translators that connect an + IPv6-only network to an IPv4-only network, along with the deployment + of one or more DNS64-enabled name servers. However, some features + require performing the DNS64 function directly in the end-hosts + themselves. + + This document is structured as follows: section 2 provides a non- + normative overview of the behaviour of DNS64. 
Section 3 provides a + non-normative background required to understand the interaction + between DNS64 and DNSSEC. The normative specification of DNS64 is + provided in sections 4, 5 and 6. Section 4 defines the terminology, + section 5 is the actual DNS64 specification and section 6 covers + deployments issues. Section 7 is non-normative and provides a set of + examples and typical deployment scenarios. + + +2. Overview + + This section provides an introduction to the DNS64 mechanism. + + We assume that we have one or more IPv6/IPv4 translator boxes + + + +Bagnulo, et al. Expires April 4, 2011 [Page 5] + +Internet-Draft DNS64 October 2010 + + + connecting an IPv4 network and an IPv6 network. The IPv6/IPv4 + translator device provides translation services between the two + networks enabling communication between IPv4-only hosts and IPv6-only + hosts. (NOTE: By IPv6-only hosts we mean hosts running IPv6-only + applications, hosts that can only use IPv6, as well as cases where + only IPv6 connectivity is available to the client. By IPv4-only + servers we mean servers running IPv4-only applications, servers that + can only use IPv4, as well as cases where only IPv4 connectivity is + available to the server). Each IPv6/IPv4 translator used in + conjunction with DNS64 must allow communications initiated from the + IPv6-only host to the IPv4-only host. + + To allow an IPv6 initiator to do a standard AAAA RR DNS lookup to + learn the address of the responder, DNS64 is used to synthesize a + AAAA record from an A record containing a real IPv4 address of the + responder, whenever the DNS64 cannot retrieve a AAAA record for the + queried name. The DNS64 service appears as a regular DNS server or + resolver to the IPv6 initiator. The DNS64 receives a AAAA DNS query + generated by the IPv6 initiator. It first attempts a resolution for + the requested AAAA records. 
If there are no AAAA records available + for the target node (which is the normal case when the target node is + an IPv4-only node), DNS64 performs a query for A records. For each A + record discovered, DNS64 creates a synthetic AAAA RR from the + information retrieved in the A RR. + + The owner name of a synthetic AAAA RR is the same as that of the + original A RR, but an IPv6 representation of the IPv4 address + contained in the original A RR is included in the AAAA RR. The IPv6 + representation of the IPv4 address is algorithmically generated from + the IPv4 address and additional parameters configured in the DNS64. + Among those parameters configured in the DNS64, there is at least one + IPv6 prefix. If not explicitly mentioned, all prefixes are treated + equally and the operations described in this document are performed + using the prefixes available. So as to be general, we will call any + of these prefixes Pref64::/n, and describe the operations made with + the generic prefix Pref64::/n. The IPv6 address representing IPv4 + addresses included in the AAAA RR synthesized by the DNS64 contain + Pref64::/n and they also embed the original IPv4 address. + + The same algorithm and the same Pref64::/n prefix(es) must be + configured both in the DNS64 device and the IPv6/IPv4 translator(s), + so that both can algorithmically generate the same IPv6 + representation for a given IPv4 address. In addition, it is required + that IPv6 packets addressed to an IPv6 destination address that + contains the Pref64::/n be delivered to an IPv6/IPv4 translator that + has that particular Pref64::/n configured, so they can be translated + into IPv4 packets. + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 6] + +Internet-Draft DNS64 October 2010 + + + Once the DNS64 has synthesized the AAAA RRs, the synthetic AAAA RRs + are passed back to the IPv6 initiator, which will initiate an IPv6 + communication with the IPv6 address associated with the IPv4 + receiver. 
The packet will be routed to an IPv6/IPv4 translator which + will forward it to the IPv4 network. + + In general, the only shared state between the DNS64 and the IPv6/IPv4 + translator is the Pref64::/n and an optional set of static + parameters. The Pref64::/n and the set of static parameters must be + configured to be the same on both; there is no communication between + the DNS64 device and IPv6/IPv4 translator functions. The mechanism + to be used for configuring the parameters of the DNS64 is beyond the + scope of this memo. + + The prefixes to be used as Pref64::/n and their applicability are + discussed in [I-D.ietf-behave-address-format]. There are two types + of prefixes that can be used as Pref64::/n. + + The Pref64::/n can be the Well-Known Prefix 64:FF9B::/96 reserved + by [I-D.ietf-behave-address-format] for the purpose of + representing IPv4 addresses in IPv6 address space. + + The Pref64::/n can be a Network-Specific Prefix (NSP). An NSP is + an IPv6 prefix assigned by an organization to create IPv6 + representations of IPv4 addresses. + + The main difference in the nature of the two types of prefixes is + that the NSP is a locally assigned prefix that is under control of + the organization that is providing the translation services, while + the Well-Known Prefix is a prefix that has a global meaning since it + has been assigned for the specific purpose of representing IPv4 + addresses in IPv6 address space. + + The DNS64 function can be performed in any of three places. The + terms below are more formally defined in Section 4. + + The first option is to locate the DNS64 function in authoritative + servers for a zone. In this case, the authoritative server provides + synthetic AAAA RRs for an IPv4-only host in its zone. This is one + type of DNS64 server. + + Another option is to locate the DNS64 function in recursive name + servers serving end hosts. 
In this case, when an IPv6-only host + queries the name server for AAAA RRs for an IPv4-only host, the name + server can perform the synthesis of AAAA RRs and pass them back to + the IPv6-only initiator. The main advantage of this mode is that + current IPv6 nodes can use this mechanism without requiring any + modification. This mode is called "DNS64 in DNS recursive resolver + + + +Bagnulo, et al. Expires April 4, 2011 [Page 7] + +Internet-Draft DNS64 October 2010 + + + mode". This is a second type of DNS64 server, and it is also one + type of DNS64 resolver. + + The last option is to place the DNS64 function in the end hosts, + coupled to the local (stub) resolver. In this case, the stub + resolver will try to obtain (real) AAAA RRs and in case they are not + available, the DNS64 function will synthesize AAAA RRs for internal + usage. This mode is compatible with some functions like DNSSEC + validation in the end host. The main drawback of this mode is its + deployability, since it requires changes in the end hosts. This mode + is called "DNS64 in stub-resolver mode". This is the second type of + DNS64 resolver. + + +3. Background to DNS64-DNSSEC interaction + + DNSSEC ([RFC4033], [RFC4034], [RFC4035]) presents a special challenge + for DNS64, because DNSSEC is designed to detect changes to DNS + answers, and DNS64 may alter answers coming from an authoritative + server. + + A recursive resolver can be security-aware or security-oblivious. + Moreover, a security-aware recursive resolver can be validating or + non-validating, according to operator policy. In the cases below, + the recursive resolver is also performing DNS64, and has a local + policy to validate. We call this general case vDNS64, but in all the + cases below the DNS64 functionality should be assumed needed. + + DNSSEC includes some signaling bits that offer some indicators of + what the query originator understands. 
+ + If a query arrives at a vDNS64 device with the "DNSSEC OK" (DO) bit + set, the query originator is signaling that it understands DNSSEC. + The DO bit does not indicate that the query originator will validate + the response. It only means that the query originator can understand + responses containing DNSSEC data. Conversely, if the DO bit is + clear, that is evidence that the querying agent is not aware of + DNSSEC. + + If a query arrives at a vDNS64 device with the "Checking Disabled" + (CD) bit set, it is an indication that the querying agent wants all + the validation data so it can do checking itself. By local policy, + vDNS64 could still validate, but it must return all data to the + querying agent anyway. + + Here are the possible cases: + + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 8] + +Internet-Draft DNS64 October 2010 + + + 1. A DNS64 (DNSSEC-aware or DNSSEC-oblivious) receives a query with + the DO bit clear. In this case, DNSSEC is not a concern, because + the querying agent does not understand DNSSEC responses. The + DNS64 can do validation of the response, if dictated by its local + policy. + + 2. A security-oblivious DNS64 receives a query with the DO bit set, + and the CD bit clear or set. This is just like the case of a + non-DNS64 case: the server doesn't support it, so the querying + agent is out of luck. + + 3. A security-aware and non-validating DNS64 receives a query with + the DO bit set and the CD bit clear. Such a resolver is not + validating responses, likely due to local policy (see [RFC4035], + section 4.2). For that reason, this case amounts to the same as + the previous case, and no validation happens. + + 4. A security-aware and non-validating DNS64 receives a query with + the DO bit set and the CD bit set. In this case, the DNS64 is + supposed to pass on all the data it gets to the query initiator + (see section 3.2.2 of [RFC4035]). 
This case will not work with + DNS64, unless the validating resolver is prepared to do DNS64 + itself. If the DNS64 modifies the record, the client will get + the data back and try to validate it, and the data will be + invalid as far as the client is concerned. + + 5. A security-aware and validating DNS64 resolver receives a query + with the DO bit clear and CD clear. In this case, the resolver + validates the data. If it fails, it returns RCODE 2 (Server + failure); otherwise, it returns the answer. This is the ideal + case for vDNS64. The resolver validates the data, and then + synthesizes the new record and passes that to the client. The + client, which is presumably not validating (else it should have + set DO and CD), cannot tell that DNS64 is involved. + + 6. A security-aware and validating DNS64 resolver receives a query + with the DO bit set and CD clear. This works like the previous + case, except that the resolver should also set the "Authentic + Data" (AD) bit on the response. + + 7. A security-aware and validating DNS64 resolver receives a query + with the DO bit set and CD set. This is effectively the same as + the case where a security-aware and non-validating recursive + resolver receives a similar query, and the same thing will + happen: the downstream validator will mark the data as invalid if + DNS64 has performed synthesis. The node needs to do DNS64 + itself, or else communication will fail. + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 9] + +Internet-Draft DNS64 October 2010 + + +4. Terminology + + This section provides definitions for the special terms used in the + document. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + Authoritative server: A DNS server that can answer authoritatively a + given DNS request. 
+ + DNS64: A logical function that synthesizes DNS resource records (e.g + AAAA records containing IPv6 addresses) from DNS resource records + actually contained in the DNS (e.g., A records containing IPv4 + addresses). + + DNS64 recursive resolver: A recursive resolver that provides the + DNS64 functionality as part of its operation. This is the same + thing as "DNS64 in recursive resolver mode". + + DNS64 resolver: Any resolver (stub resolver or recursive resolver) + that provides the DNS64 function. + + DNS64 server: Any server providing the DNS64 function. This + includes the server portion of a recursive resolver when it is + providing the DNS64 function. + + IPv4-only server: Servers running IPv4-only applications, servers + that can only use IPv4, as well as cases where only IPv4 + connectivity is available to the server. + + IPv6-only hosts: Hosts running IPv6-only applications, hosts that + can only use IPv6, as well as cases where only IPv6 connectivity + is available to the client. + + Recursive resolver: A DNS server that accepts requests from one + resolver, and asks another server (of some description) for the + answer on behalf of the first resolver. Full discussion of DNS + recursion is beyond the scope of this document; see [RFC1034] and + [RFC1035] for full details. + + Synthetic RR: A DNS resource record (RR) that is not contained in + the authoritative servers' zone data, but which is instead + synthesized from other RRs in the same zone. An example is a + synthetic AAAA record created from an A record. + + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 10] + +Internet-Draft DNS64 October 2010 + + + IPv6/IPv4 translator: A device that translates IPv6 packets to IPv4 + packets and vice-versa. It is only required that the + communication initiated from the IPv6 side be supported. 
+ + For a detailed understanding of this document, the reader should also + be familiar with DNS terminology from [RFC1034], [RFC1035] and + current NAT terminology from [RFC4787]. Some parts of this document + assume familiarity with the terminology of the DNS security + extensions outlined in [RFC4035]. It is worth emphasizing that while + DNS64 is a logical function separate from the DNS, it is nevertheless + closely associated with that protocol. It depends on the DNS + protocol, and some behavior of DNS64 will interact with regular DNS + responses. + + +5. DNS64 Normative Specification + + DNS64 is a logical function that synthesizes AAAA records from A + records. The DNS64 function may be implemented in a stub resolver, + in a recursive resolver, or in an authoritative name server. It + works within those DNS functions, and appears on the network as + though it were a "plain" DNS resolver or name server conforming to + [RFC1034], and [RFC1035]. + + The implementation SHOULD support mapping of separate IPv4 address + ranges to separate IPv6 prefixes for AAAA record synthesis. This + allows handling of special use IPv4 addresses [RFC5735]. + + DNS messages contain several sections. The portion of a DNS message + that is altered by DNS64 is the Answer section, which is discussed + below in section Section 5.1. The resulting synthetic answer is put + together with other sections, and that creates the message that is + actually returned as the response to the DNS query. Assembling that + response is covered below in section Section 5.4. + + DNS64 also responds to PTR queries involving addresses containing any + of the IPv6 prefixes it uses for synthesis of AAAA RRs. + +5.1. 
Resolving AAAA queries and the answer section + + When the DNS64 receives a query for RRs of type AAAA and class IN, it + first attempts to retrieve non-synthetic RRs of this type and class, + either by performing a query or, in the case of an authoritative + server, by examining its own results. The query may be answered from + a local cache, if one is available. DNS64 operation for classes + other than IN is undefined, and a DNS64 MUST behave as though no + DNS64 function is configured. + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 11] + +Internet-Draft DNS64 October 2010 + + +5.1.1. The answer when there is AAAA data available + + If the query results in one or more AAAA records in the answer + section, the result is returned to the requesting client as per + normal DNS semantics, except in the case where any of the AAAA + records match a special exclusion set of prefixes, considered in + Section 5.1.4. If there is (non-excluded) AAAA data available, DNS64 + SHOULD NOT include synthetic AAAA RRs in the response (see Appendix A + for an analysis of the motivations for and the implications of not + complying with this recommendation). By default DNS64 + implementations MUST NOT synthesize AAAA RRs when real AAAA RRs + exist. + +5.1.2. The answer when there is an error + + If the query results in a response with RCODE other than 0 (No error + condition), then there are two possibilities. A result with RCODE=3 + (Name Error) is handled according to normal DNS operation (which is + normally to return the error to the client). This stage is still + prior to any synthesis having happened, so a response to be returned + to the client does not need any special assembly than would usually + happen in DNS operation. + + Any other RCODE is treated as though the RCODE were 0 (see sections + Section 5.1.6 and Section 5.1.7) and the answer section were empty. 
+ This is because of the large number of different responses from + deployed name servers when they receive AAAA queries without a AAAA + record being available (see [RFC4074]). Note that this means, for + practical purposes, that several different classes of error in the + DNS are all treated as though a AAAA record is not available for that + owner name. + + It is important to note that, as of this writing, some servers + respond with RCODE=3 to a AAAA query even if there is an A record + available for that owner name. Those servers are in clear violation + of the meaning of RCODE 3, and it is expected that they will decline + in use as IPv6 deployment increases. + +5.1.3. Dealing with timeouts + + If the query receives no answer before the timeout (which might be + the timeout from every authoritative server, depending on whether the + DNS64 is in recursive resolver mode), it is treated as RCODE=2 + (Server failure). + + + + + + + +Bagnulo, et al. Expires April 4, 2011 [Page 12] + +Internet-Draft DNS64 October 2010 + + +5.1.4. Special exclusion set for AAAA records + + Some IPv6 addresses are not actually usable by IPv6-only hosts. If + they are returned to IPv6-only querying agents as AAAA records, + therefore, the goal of decreasing the number of failure modes will + not be attained. Examples include AAAA records with addresses in the + ::ffff:0:0/96 network, and possibly (depending on the context) AAAA + records with the site's Pref::64/n or the Well-Known Prefix (see + below for more about the Well-Known Prefix). A DNS64 implementation + SHOULD provide a mechanism to specify IPv6 prefix ranges to be + treated as though the AAAA containing them were an empty answer. An + implementation SHOULD include the ::ffff/96 network in that range by + default. Failure to provide this facility will mean that clients + querying the DNS64 function may not be able to communicate with hosts + that would be reachable from a dual-stack host. 
+ + When the DNS64 performs its initial AAAA query, if it receives an + answer with only AAAA records containing addresses in the excluded + range(s), then it MUST treat the answer as though it were an empty + answer, and proceed accordingly. If it receives an answer with at + least one AAAA record containing an address outside any of the + excluded range(s), then it MAY build an answer section for a response + including only the AAAA record(s) that do not contain any of the + addresses inside the excluded ranges. That answer section is used in + the assembly of a response as detailed in Section 5.4. + Alternatively, it MAY treat the answer as though it were an empty + answer, and proceed accordingly. It MUST NOT return the offending + AAAA records as part of a response. + +5.1.5. Dealing with CNAME and DNAME + + If the response contains a CNAME or a DNAME, then the CNAME or DNAME + chain is followed until the first terminating A or AAAA record is + reached. This may require the DNS64 to ask for an A record, in case + the response to the original AAAA query is a CNAME or DNAME without a + AAAA record to follow. The resulting AAAA or A record is treated + like any other AAAA or A case, as appropriate. + + When assembling the answer section, any chains of CNAME or DNAME RRs + are included as part of the answer along with the synthetic AAAA (if + appropriate). + +5.1.6. Data for the answer when performing synthesis + + If the query results in no error but an empty answer section in the + response, the DNS64 attempts to retrieve A records for the name in + question, either by performing another query or, in the case of an + authoritative server, by examining its own results. If this new A RR + + + +Bagnulo, et al. Expires April 4, 2011 [Page 13] + +Internet-Draft DNS64 October 2010 + + + query results in an empty answer or in an error, then the empty + result or error is used as the basis for the answer returned to the + querying client. 
If instead the query results in one or more A RRs, *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 22:03:54 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7B60B1065675; Thu, 9 Dec 2010 22:03:54 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 64F538FC20; Thu, 9 Dec 2010 22:03:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9M3sPO052266; Thu, 9 Dec 2010 22:03:54 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9M3re6052192; Thu, 9 Dec 2010 22:03:53 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <201012092203.oB9M3re6052192@svn.freebsd.org> 
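Review bot: in section 5.1.4 of the DNS64 draft text added above, the default exclusion range is written two ways. The examples name the ::ffff:0:0/96 network, but the sentence that sets the default says an implementation SHOULD include "the ::ffff/96 network". Read literally, ::ffff/96 is the address ::ffff under a 96-bit mask, which is ::/96 and not the IPv4-mapped range, so an exclusion list configured from that sentence would still let mapped addresses through to IPv6-only clients. The same paragraph writes the site prefix as "Pref::64/n" where every other section uses Pref64::/n. Suggest making both consistent (::ffff:0:0/96 and Pref64::/n), or recording the discrepancy alongside the file so nobody configures exclusions from the misspelled form.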
From: "Simon L. Nielsen" Date: Thu, 9 Dec 2010 22:03:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216341 - in stable/8: crypto/openssl crypto/openssl/crypto crypto/openssl/crypto/evp crypto/openssl/crypto/jpake crypto/openssl/crypto/stack crypto/openssl/doc/ssl crypto/openssl/ssl s... X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Dec 2010 22:03:54 -0000 Author: simon Date: Thu Dec 9 22:03:53 2010 New Revision: 216341 URL: http://svn.freebsd.org/changeset/base/216341 Log: MFC r216166, r216167: Merge in OpenSSL 0.9.8q. Approved by: re (kib) Security: CVE-2010-4180 Security: http://www.openssl.org/news/secadv_20101202.txt Added: stable/8/crypto/openssl/ACKNOWLEDGMENTS - copied unchanged from r216301, head/crypto/openssl/ACKNOWLEDGMENTS Modified: stable/8/crypto/openssl/CHANGES stable/8/crypto/openssl/FAQ stable/8/crypto/openssl/Makefile stable/8/crypto/openssl/NEWS stable/8/crypto/openssl/README stable/8/crypto/openssl/crypto/evp/p_sign.c stable/8/crypto/openssl/crypto/evp/p_verify.c stable/8/crypto/openssl/crypto/jpake/jpake.c stable/8/crypto/openssl/crypto/jpake/jpake.h stable/8/crypto/openssl/crypto/jpake/jpake_err.c stable/8/crypto/openssl/crypto/opensslv.h stable/8/crypto/openssl/crypto/stack/safestack.h stable/8/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod stable/8/crypto/openssl/openssl.spec stable/8/crypto/openssl/ssl/s3_clnt.c stable/8/crypto/openssl/ssl/s3_srvr.c stable/8/secure/lib/libcrypto/Makefile.inc stable/8/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 stable/8/secure/lib/libcrypto/man/ASN1_STRING_length.3 
stable/8/secure/lib/libcrypto/man/ASN1_STRING_new.3 stable/8/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 stable/8/secure/lib/libcrypto/man/ASN1_generate_nconf.3 stable/8/secure/lib/libcrypto/man/BIO_ctrl.3 stable/8/secure/lib/libcrypto/man/BIO_f_base64.3 stable/8/secure/lib/libcrypto/man/BIO_f_buffer.3 stable/8/secure/lib/libcrypto/man/BIO_f_cipher.3 stable/8/secure/lib/libcrypto/man/BIO_f_md.3 stable/8/secure/lib/libcrypto/man/BIO_f_null.3 stable/8/secure/lib/libcrypto/man/BIO_f_ssl.3 stable/8/secure/lib/libcrypto/man/BIO_find_type.3 stable/8/secure/lib/libcrypto/man/BIO_new.3 stable/8/secure/lib/libcrypto/man/BIO_push.3 stable/8/secure/lib/libcrypto/man/BIO_read.3 stable/8/secure/lib/libcrypto/man/BIO_s_accept.3 stable/8/secure/lib/libcrypto/man/BIO_s_bio.3 stable/8/secure/lib/libcrypto/man/BIO_s_connect.3 stable/8/secure/lib/libcrypto/man/BIO_s_fd.3 stable/8/secure/lib/libcrypto/man/BIO_s_file.3 stable/8/secure/lib/libcrypto/man/BIO_s_mem.3 stable/8/secure/lib/libcrypto/man/BIO_s_null.3 stable/8/secure/lib/libcrypto/man/BIO_s_socket.3 stable/8/secure/lib/libcrypto/man/BIO_set_callback.3 stable/8/secure/lib/libcrypto/man/BIO_should_retry.3 stable/8/secure/lib/libcrypto/man/BN_BLINDING_new.3 stable/8/secure/lib/libcrypto/man/BN_CTX_new.3 stable/8/secure/lib/libcrypto/man/BN_CTX_start.3 stable/8/secure/lib/libcrypto/man/BN_add.3 stable/8/secure/lib/libcrypto/man/BN_add_word.3 stable/8/secure/lib/libcrypto/man/BN_bn2bin.3 stable/8/secure/lib/libcrypto/man/BN_cmp.3 stable/8/secure/lib/libcrypto/man/BN_copy.3 stable/8/secure/lib/libcrypto/man/BN_generate_prime.3 stable/8/secure/lib/libcrypto/man/BN_mod_inverse.3 stable/8/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 stable/8/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 stable/8/secure/lib/libcrypto/man/BN_new.3 stable/8/secure/lib/libcrypto/man/BN_num_bytes.3 stable/8/secure/lib/libcrypto/man/BN_rand.3 stable/8/secure/lib/libcrypto/man/BN_set_bit.3 stable/8/secure/lib/libcrypto/man/BN_swap.3 
stable/8/secure/lib/libcrypto/man/BN_zero.3 stable/8/secure/lib/libcrypto/man/CONF_modules_free.3 stable/8/secure/lib/libcrypto/man/CONF_modules_load_file.3 stable/8/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 stable/8/secure/lib/libcrypto/man/DH_generate_key.3 stable/8/secure/lib/libcrypto/man/DH_generate_parameters.3 stable/8/secure/lib/libcrypto/man/DH_get_ex_new_index.3 stable/8/secure/lib/libcrypto/man/DH_new.3 stable/8/secure/lib/libcrypto/man/DH_set_method.3 stable/8/secure/lib/libcrypto/man/DH_size.3 stable/8/secure/lib/libcrypto/man/DSA_SIG_new.3 stable/8/secure/lib/libcrypto/man/DSA_do_sign.3 stable/8/secure/lib/libcrypto/man/DSA_dup_DH.3 stable/8/secure/lib/libcrypto/man/DSA_generate_key.3 stable/8/secure/lib/libcrypto/man/DSA_generate_parameters.3 stable/8/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 stable/8/secure/lib/libcrypto/man/DSA_new.3 stable/8/secure/lib/libcrypto/man/DSA_set_method.3 stable/8/secure/lib/libcrypto/man/DSA_sign.3 stable/8/secure/lib/libcrypto/man/DSA_size.3 stable/8/secure/lib/libcrypto/man/ERR_GET_LIB.3 stable/8/secure/lib/libcrypto/man/ERR_clear_error.3 stable/8/secure/lib/libcrypto/man/ERR_error_string.3 stable/8/secure/lib/libcrypto/man/ERR_get_error.3 stable/8/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 stable/8/secure/lib/libcrypto/man/ERR_load_strings.3 stable/8/secure/lib/libcrypto/man/ERR_print_errors.3 stable/8/secure/lib/libcrypto/man/ERR_put_error.3 stable/8/secure/lib/libcrypto/man/ERR_remove_state.3 stable/8/secure/lib/libcrypto/man/ERR_set_mark.3 stable/8/secure/lib/libcrypto/man/EVP_BytesToKey.3 stable/8/secure/lib/libcrypto/man/EVP_DigestInit.3 stable/8/secure/lib/libcrypto/man/EVP_EncryptInit.3 stable/8/secure/lib/libcrypto/man/EVP_OpenInit.3 stable/8/secure/lib/libcrypto/man/EVP_PKEY_new.3 stable/8/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 stable/8/secure/lib/libcrypto/man/EVP_SealInit.3 stable/8/secure/lib/libcrypto/man/EVP_SignInit.3 stable/8/secure/lib/libcrypto/man/EVP_VerifyInit.3 
stable/8/secure/lib/libcrypto/man/OBJ_nid2obj.3 stable/8/secure/lib/libcrypto/man/OPENSSL_Applink.3 stable/8/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 stable/8/secure/lib/libcrypto/man/OPENSSL_config.3 stable/8/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 stable/8/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 stable/8/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 stable/8/secure/lib/libcrypto/man/PKCS12_create.3 stable/8/secure/lib/libcrypto/man/PKCS12_parse.3 stable/8/secure/lib/libcrypto/man/PKCS7_decrypt.3 stable/8/secure/lib/libcrypto/man/PKCS7_encrypt.3 stable/8/secure/lib/libcrypto/man/PKCS7_sign.3 stable/8/secure/lib/libcrypto/man/PKCS7_verify.3 stable/8/secure/lib/libcrypto/man/RAND_add.3 stable/8/secure/lib/libcrypto/man/RAND_bytes.3 stable/8/secure/lib/libcrypto/man/RAND_cleanup.3 stable/8/secure/lib/libcrypto/man/RAND_egd.3 stable/8/secure/lib/libcrypto/man/RAND_load_file.3 stable/8/secure/lib/libcrypto/man/RAND_set_rand_method.3 stable/8/secure/lib/libcrypto/man/RSA_blinding_on.3 stable/8/secure/lib/libcrypto/man/RSA_check_key.3 stable/8/secure/lib/libcrypto/man/RSA_generate_key.3 stable/8/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 stable/8/secure/lib/libcrypto/man/RSA_new.3 stable/8/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 stable/8/secure/lib/libcrypto/man/RSA_print.3 stable/8/secure/lib/libcrypto/man/RSA_private_encrypt.3 stable/8/secure/lib/libcrypto/man/RSA_public_encrypt.3 stable/8/secure/lib/libcrypto/man/RSA_set_method.3 stable/8/secure/lib/libcrypto/man/RSA_sign.3 stable/8/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 stable/8/secure/lib/libcrypto/man/RSA_size.3 stable/8/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 stable/8/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 stable/8/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 stable/8/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 stable/8/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 
stable/8/secure/lib/libcrypto/man/X509_NAME_print_ex.3 stable/8/secure/lib/libcrypto/man/X509_new.3 stable/8/secure/lib/libcrypto/man/bio.3 stable/8/secure/lib/libcrypto/man/blowfish.3 stable/8/secure/lib/libcrypto/man/bn.3 stable/8/secure/lib/libcrypto/man/bn_internal.3 stable/8/secure/lib/libcrypto/man/buffer.3 stable/8/secure/lib/libcrypto/man/crypto.3 stable/8/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 stable/8/secure/lib/libcrypto/man/d2i_DHparams.3 stable/8/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 stable/8/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 stable/8/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 stable/8/secure/lib/libcrypto/man/d2i_X509.3 stable/8/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 stable/8/secure/lib/libcrypto/man/d2i_X509_CRL.3 stable/8/secure/lib/libcrypto/man/d2i_X509_NAME.3 stable/8/secure/lib/libcrypto/man/d2i_X509_REQ.3 stable/8/secure/lib/libcrypto/man/d2i_X509_SIG.3 stable/8/secure/lib/libcrypto/man/des.3 stable/8/secure/lib/libcrypto/man/dh.3 stable/8/secure/lib/libcrypto/man/dsa.3 stable/8/secure/lib/libcrypto/man/ecdsa.3 stable/8/secure/lib/libcrypto/man/engine.3 stable/8/secure/lib/libcrypto/man/err.3 stable/8/secure/lib/libcrypto/man/evp.3 stable/8/secure/lib/libcrypto/man/hmac.3 stable/8/secure/lib/libcrypto/man/lh_stats.3 stable/8/secure/lib/libcrypto/man/lhash.3 stable/8/secure/lib/libcrypto/man/md5.3 stable/8/secure/lib/libcrypto/man/mdc2.3 stable/8/secure/lib/libcrypto/man/pem.3 stable/8/secure/lib/libcrypto/man/rand.3 stable/8/secure/lib/libcrypto/man/rc4.3 stable/8/secure/lib/libcrypto/man/ripemd.3 stable/8/secure/lib/libcrypto/man/rsa.3 stable/8/secure/lib/libcrypto/man/sha.3 stable/8/secure/lib/libcrypto/man/threads.3 stable/8/secure/lib/libcrypto/man/ui.3 stable/8/secure/lib/libcrypto/man/ui_compat.3 stable/8/secure/lib/libcrypto/man/x509.3 stable/8/secure/lib/libssl/man/SSL_CIPHER_get_name.3 stable/8/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 
stable/8/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 stable/8/secure/lib/libssl/man/SSL_CTX_add_session.3 stable/8/secure/lib/libssl/man/SSL_CTX_ctrl.3 stable/8/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 stable/8/secure/lib/libssl/man/SSL_CTX_free.3 stable/8/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 stable/8/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 stable/8/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 stable/8/secure/lib/libssl/man/SSL_CTX_new.3 stable/8/secure/lib/libssl/man/SSL_CTX_sess_number.3 stable/8/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 stable/8/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 stable/8/secure/lib/libssl/man/SSL_CTX_sessions.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_mode.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_options.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_timeout.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 stable/8/secure/lib/libssl/man/SSL_CTX_set_verify.3 stable/8/secure/lib/libssl/man/SSL_CTX_use_certificate.3 stable/8/secure/lib/libssl/man/SSL_SESSION_free.3 
stable/8/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 stable/8/secure/lib/libssl/man/SSL_SESSION_get_time.3 stable/8/secure/lib/libssl/man/SSL_accept.3 stable/8/secure/lib/libssl/man/SSL_alert_type_string.3 stable/8/secure/lib/libssl/man/SSL_clear.3 stable/8/secure/lib/libssl/man/SSL_connect.3 stable/8/secure/lib/libssl/man/SSL_do_handshake.3 stable/8/secure/lib/libssl/man/SSL_free.3 stable/8/secure/lib/libssl/man/SSL_get_SSL_CTX.3 stable/8/secure/lib/libssl/man/SSL_get_ciphers.3 stable/8/secure/lib/libssl/man/SSL_get_client_CA_list.3 stable/8/secure/lib/libssl/man/SSL_get_current_cipher.3 stable/8/secure/lib/libssl/man/SSL_get_default_timeout.3 stable/8/secure/lib/libssl/man/SSL_get_error.3 stable/8/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 stable/8/secure/lib/libssl/man/SSL_get_ex_new_index.3 stable/8/secure/lib/libssl/man/SSL_get_fd.3 stable/8/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 stable/8/secure/lib/libssl/man/SSL_get_peer_certificate.3 stable/8/secure/lib/libssl/man/SSL_get_rbio.3 stable/8/secure/lib/libssl/man/SSL_get_session.3 stable/8/secure/lib/libssl/man/SSL_get_verify_result.3 stable/8/secure/lib/libssl/man/SSL_get_version.3 stable/8/secure/lib/libssl/man/SSL_library_init.3 stable/8/secure/lib/libssl/man/SSL_load_client_CA_file.3 stable/8/secure/lib/libssl/man/SSL_new.3 stable/8/secure/lib/libssl/man/SSL_pending.3 stable/8/secure/lib/libssl/man/SSL_read.3 stable/8/secure/lib/libssl/man/SSL_rstate_string.3 stable/8/secure/lib/libssl/man/SSL_session_reused.3 stable/8/secure/lib/libssl/man/SSL_set_bio.3 stable/8/secure/lib/libssl/man/SSL_set_connect_state.3 stable/8/secure/lib/libssl/man/SSL_set_fd.3 stable/8/secure/lib/libssl/man/SSL_set_session.3 stable/8/secure/lib/libssl/man/SSL_set_shutdown.3 stable/8/secure/lib/libssl/man/SSL_set_verify_result.3 stable/8/secure/lib/libssl/man/SSL_shutdown.3 stable/8/secure/lib/libssl/man/SSL_state_string.3 stable/8/secure/lib/libssl/man/SSL_want.3 
stable/8/secure/lib/libssl/man/SSL_write.3 stable/8/secure/lib/libssl/man/d2i_SSL_SESSION.3 stable/8/secure/lib/libssl/man/ssl.3 stable/8/secure/usr.bin/openssl/man/CA.pl.1 stable/8/secure/usr.bin/openssl/man/asn1parse.1 stable/8/secure/usr.bin/openssl/man/ca.1 stable/8/secure/usr.bin/openssl/man/ciphers.1 stable/8/secure/usr.bin/openssl/man/crl.1 stable/8/secure/usr.bin/openssl/man/crl2pkcs7.1 stable/8/secure/usr.bin/openssl/man/dgst.1 stable/8/secure/usr.bin/openssl/man/dhparam.1 stable/8/secure/usr.bin/openssl/man/dsa.1 stable/8/secure/usr.bin/openssl/man/dsaparam.1 stable/8/secure/usr.bin/openssl/man/ec.1 stable/8/secure/usr.bin/openssl/man/ecparam.1 stable/8/secure/usr.bin/openssl/man/enc.1 stable/8/secure/usr.bin/openssl/man/errstr.1 stable/8/secure/usr.bin/openssl/man/gendsa.1 stable/8/secure/usr.bin/openssl/man/genrsa.1 stable/8/secure/usr.bin/openssl/man/nseq.1 stable/8/secure/usr.bin/openssl/man/ocsp.1 stable/8/secure/usr.bin/openssl/man/openssl.1 stable/8/secure/usr.bin/openssl/man/passwd.1 stable/8/secure/usr.bin/openssl/man/pkcs12.1 stable/8/secure/usr.bin/openssl/man/pkcs7.1 stable/8/secure/usr.bin/openssl/man/pkcs8.1 stable/8/secure/usr.bin/openssl/man/rand.1 stable/8/secure/usr.bin/openssl/man/req.1 stable/8/secure/usr.bin/openssl/man/rsa.1 stable/8/secure/usr.bin/openssl/man/rsautl.1 stable/8/secure/usr.bin/openssl/man/s_client.1 stable/8/secure/usr.bin/openssl/man/s_server.1 stable/8/secure/usr.bin/openssl/man/s_time.1 stable/8/secure/usr.bin/openssl/man/sess_id.1 stable/8/secure/usr.bin/openssl/man/smime.1 stable/8/secure/usr.bin/openssl/man/speed.1 stable/8/secure/usr.bin/openssl/man/spkac.1 stable/8/secure/usr.bin/openssl/man/verify.1 stable/8/secure/usr.bin/openssl/man/version.1 stable/8/secure/usr.bin/openssl/man/x509.1 stable/8/secure/usr.bin/openssl/man/x509v3_config.1 Directory Properties: stable/8/crypto/openssl/ (props changed) stable/8/secure/lib/libcrypto/ (props changed) stable/8/secure/lib/libssl/ (props changed) 
stable/8/secure/usr.bin/openssl/ (props changed) Copied: stable/8/crypto/openssl/ACKNOWLEDGMENTS (from r216301, head/crypto/openssl/ACKNOWLEDGMENTS) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/8/crypto/openssl/ACKNOWLEDGMENTS Thu Dec 9 22:03:53 2010 (r216341, copy of r216301, head/crypto/openssl/ACKNOWLEDGMENTS) @@ -0,0 +1,25 @@ +The OpenSSL project depends on volunteer efforts and financial support from +the end user community. That support comes in the form of donations and paid +sponsorships, software support contracts, paid consulting services +and commissioned software development. + +Since all these activities support the continued development and improvement +of OpenSSL we consider all these clients and customers as sponsors of the +OpenSSL project. + +We would like to identify and thank the following such sponsors for their past +or current significant support of the OpenSSL project: + +Very significant support: + + OpenGear: www.opengear.com + +Significant support: + + PSW Group: www.psw.net + +Please note that we ask permission to identify sponsors and that some sponsors +we consider eligible for inclusion here have requested to remain anonymous. + +Additional sponsorship or financial support is always welcome: for more +information please contact the OpenSSL Software Foundation. Modified: stable/8/crypto/openssl/CHANGES ============================================================================== --- stable/8/crypto/openssl/CHANGES Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/CHANGES Thu Dec 9 22:03:53 2010 (r216341) 
@@ -2,6 +2,18 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8p and 0.9.8q [2 Dec 2010] + + *) Disable code workaround for ancient and obsolete Netscape browsers + and servers: an attacker can use it in a ciphersuite downgrade attack. + Thanks to Martin Rex for discovering this bug. CVE-2010-4180 + [Steve Henson] + + *) Fixed J-PAKE implementation error, originally discovered by + Sebastien Martini, further info and confirmation from Stefan + Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 + [Ben Laurie] + Changes between 0.9.8o and 0.9.8p [16 Nov 2010] *) Fix extension code to avoid race conditions which can result in a buffer Modified: stable/8/crypto/openssl/FAQ ============================================================================== --- stable/8/crypto/openssl/FAQ Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/FAQ Thu Dec 9 22:03:53 2010 (r216341) @@ -52,6 +52,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -79,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0b was released on Nov 16th, 2010. +OpenSSL 1.0.0c was released on Dec 2nd, 2010. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL 
@@ -463,7 +466,7 @@ administrators. Other projects do have other policies so you can for example extract the CA bundle used by Mozilla and/or modssl as described in this article: - http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + [BUILD] ======================================================================= @@ -505,7 +508,7 @@ when you run the test suite (using "make "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -516,7 +519,7 @@ that the OpenSSL bntest throws at it. T test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. 
@@ -709,6 +712,46 @@ never make sense, and tend to emerge whe to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). 
+ [PROG] ======================================================================== * Is OpenSSL thread-safe? Modified: stable/8/crypto/openssl/Makefile ============================================================================== --- stable/8/crypto/openssl/Makefile Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/Makefile Thu Dec 9 22:03:53 2010 (r216341) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8p +VERSION=0.9.8q MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 Modified: stable/8/crypto/openssl/NEWS ============================================================================== --- stable/8/crypto/openssl/NEWS Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/NEWS Thu Dec 9 22:03:53 2010 (r216341) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + + o Fix for security issue CVE-2010-4180 + o Fix for CVE-2010-4252 + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: o Fix for security issue CVE-2010-3864. Modified: stable/8/crypto/openssl/README ============================================================================== --- stable/8/crypto/openssl/README Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/README Thu Dec 9 22:03:53 2010 (r216341) @@ -1,5 +1,5 @@ - OpenSSL 0.9.8p 16 Nov 2010 + OpenSSL 0.9.8q 2 Dec 2010 Copyright (c) 1998-2009 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: stable/8/crypto/openssl/crypto/evp/p_sign.c ============================================================================== --- stable/8/crypto/openssl/crypto/evp/p_sign.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/evp/p_sign.c Thu Dec 9 22:03:53 2010 (r216341) 
@@ -81,7 +81,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; *siglen=0; for (i=0; i<4; i++) Modified: stable/8/crypto/openssl/crypto/evp/p_verify.c ============================================================================== --- stable/8/crypto/openssl/crypto/evp/p_verify.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/evp/p_verify.c Thu Dec 9 22:03:53 2010 (r216341) @@ -68,7 +68,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; for (i=0; i<4; i++) { Modified: stable/8/crypto/openssl/crypto/jpake/jpake.c ============================================================================== --- stable/8/crypto/openssl/crypto/jpake/jpake.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/jpake/jpake.c Thu Dec 9 22:03:53 2010 (r216341) 
@@ -283,23 +283,53 @@ int JPAKE_STEP1_generate(JPAKE_STEP1 *se return 1; } +/* g^x is a legal value */ +static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx) + { + BIGNUM *t; + int res; + + if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0) + return 0; + + t = BN_new(); + BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx); + res = BN_is_one(t); + BN_free(t); + + return res; + } + int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) { - /* verify their ZKP(xc) */ + if(!is_legal(received->p1.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL); + return 0; + } + + if(!is_legal(received->p2.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL); + return 0; + } + + + /* verify their ZKP(xc) */ if(!verify_zkp(&received->p1, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); return 0; } - /* verify their ZKP(xd) */ + /* verify their ZKP(xd) */ if(!verify_zkp(&received->p2, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); return 0; } - /* g^xd != 1 */ + /* g^xd != 1 */ if(BN_is_one(received->p2.gx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); Modified: stable/8/crypto/openssl/crypto/jpake/jpake.h ============================================================================== --- stable/8/crypto/openssl/crypto/jpake/jpake.h Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/jpake/jpake.h Thu Dec 9 22:03:53 2010 (r216341) 
@@ -115,6 +115,8 @@ void ERR_load_JPAKE_strings(void); #define JPAKE_F_VERIFY_ZKP 100 /* Reason codes. */ +#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108 +#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109 #define JPAKE_R_G_TO_THE_X4_IS_ONE 105 #define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 #define JPAKE_R_HASH_OF_KEY_MISMATCH 107 Modified: stable/8/crypto/openssl/crypto/jpake/jpake_err.c ============================================================================== --- stable/8/crypto/openssl/crypto/jpake/jpake_err.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/jpake/jpake_err.c Thu Dec 9 22:03:53 2010 (r216341) @@ -1,6 +1,6 @@ /* crypto/jpake/jpake_err.c */ /* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -80,6 +80,8 @@ static ERR_STRING_DATA JPAKE_str_functs[ static ERR_STRING_DATA JPAKE_str_reasons[]= { +{ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"}, +{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"}, {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, {ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, {ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, Modified: stable/8/crypto/openssl/crypto/opensslv.h ============================================================================== --- stable/8/crypto/openssl/crypto/opensslv.h Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/opensslv.h Thu Dec 9 22:03:53 2010 (r216341) 
@@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090810f +#define OPENSSL_VERSION_NUMBER 0x0090811f #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p-fips 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q-fips 2 Dec 2010" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q 2 Dec 2010" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: stable/8/crypto/openssl/crypto/stack/safestack.h ============================================================================== --- stable/8/crypto/openssl/crypto/stack/safestack.h Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/crypto/stack/safestack.h Thu Dec 9 22:03:53 2010 (r216341) @@ -127,7 +127,7 @@ STACK_OF(type) \ sk_is_sorted(CHECKED_PTR_OF(STACK_OF(type), st)) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type), st), \ + (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type)*, st), \ pp, length, \ CHECKED_D2I_OF(type, d2i_func), \ CHECKED_SK_FREE_FUNC(type, free_func), \ Modified: stable/8/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod ============================================================================== --- stable/8/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Thu Dec 9 22:03:53 2010 (r216341) 
@@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -ssl3.netscape.com:443, first a connection is established with RC4-MD5. -If it is then resumed, we end up using DES-CBC3-SHA. It should be -RC4-MD5 according to 7.6.1.3, 'cipher_suite'. - -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. -It only really shows up when connecting via SSLv2/v3 then reconnecting -via SSLv3. The cipher list changes.... - -NEW INFORMATION. Try connecting with a cipher list of just -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when -doing a re-connect, always takes the first cipher in the cipher list. +As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG Modified: stable/8/crypto/openssl/openssl.spec ============================================================================== --- stable/8/crypto/openssl/openssl.spec Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/openssl.spec Thu Dec 9 22:03:53 2010 (r216341) @@ -2,7 +2,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev p +%define librev q Release: 1 %define openssldir /var/ssl Modified: stable/8/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- stable/8/crypto/openssl/ssl/s3_clnt.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/ssl/s3_clnt.c Thu Dec 9 22:03:53 2010 (r216341) 
@@ -814,8 +814,11 @@ int ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Modified: stable/8/crypto/openssl/ssl/s3_srvr.c ============================================================================== --- stable/8/crypto/openssl/ssl/s3_srvr.c Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/crypto/openssl/ssl/s3_srvr.c Thu Dec 9 22:03:53 2010 (r216341) @@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s) break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s) j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher Modified: stable/8/secure/lib/libcrypto/Makefile.inc ============================================================================== --- stable/8/secure/lib/libcrypto/Makefile.inc Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/Makefile.inc Thu Dec 9 22:03:53 2010 (r216341) 
@@ -3,8 +3,8 @@ .include # OpenSSL version used for manual page generation -OPENSSL_VER= 0.9.8p -OPENSSL_DATE= 2010-11-16 +OPENSSL_VER= 0.9.8q +OPENSSL_DATE= 2010-12-02 LCRYPTO_SRC= ${.CURDIR}/../../../crypto/openssl LCRYPTO_DOC= ${.CURDIR}/../../../crypto/openssl/doc Modified: stable/8/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_OBJECT_new 3" -.TH ASN1_OBJECT_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_OBJECT_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/ASN1_STRING_length.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/ASN1_STRING_length.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/ASN1_STRING_length.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_length 3" -.TH ASN1_STRING_length 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_length 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/ASN1_STRING_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/ASN1_STRING_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/ASN1_STRING_new.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_new 3" -.TH ASN1_STRING_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_print_ex 3" -.TH ASN1_STRING_print_ex 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_print_ex 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/ASN1_generate_nconf.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/ASN1_generate_nconf.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/ASN1_generate_nconf.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_generate_nconf 3" -.TH ASN1_generate_nconf 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_generate_nconf 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_ctrl.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_ctrl.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_ctrl.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_ctrl 3" -.TH BIO_ctrl 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_ctrl 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_base64.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_base64.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_base64.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_base64 3" -.TH BIO_f_base64 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_base64 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_buffer.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_buffer.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_buffer.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_buffer 3" -.TH BIO_f_buffer 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_buffer 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_cipher.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_cipher.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_cipher.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_cipher 3" -.TH BIO_f_cipher 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_cipher 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_md.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_md.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_md.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_md 3" -.TH BIO_f_md 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_md 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_null.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_null.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_null.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_null 3" -.TH BIO_f_null 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_null 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_f_ssl.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_f_ssl.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_f_ssl.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_ssl 3" -.TH BIO_f_ssl 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_ssl 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_find_type.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_find_type.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_find_type.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_find_type 3" -.TH BIO_find_type 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_find_type 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_new.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_new 3" -.TH BIO_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_push.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_push.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_push.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_push 3" -.TH BIO_push 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_push 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_read.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_read.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_read.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_read 3" -.TH BIO_read 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_read 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_accept.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_accept.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_accept.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_accept 3" -.TH BIO_s_accept 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_accept 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_bio.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_bio.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_bio.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_bio 3" -.TH BIO_s_bio 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_bio 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_connect.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_connect.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_connect.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_connect 3" -.TH BIO_s_connect 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_connect 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_fd.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_fd.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_fd.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_fd 3" -.TH BIO_s_fd 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_fd 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_file.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_file.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_file.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_file 3" -.TH BIO_s_file 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_file 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_mem.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_mem.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_mem.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_mem 3" -.TH BIO_s_mem 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_mem 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_null.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_null.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_null.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_null 3" -.TH BIO_s_null 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_null 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_s_socket.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_s_socket.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_s_socket.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_socket 3" -.TH BIO_s_socket 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_socket 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_set_callback.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_set_callback.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_set_callback.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_set_callback 3" -.TH BIO_set_callback 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_set_callback 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BIO_should_retry.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BIO_should_retry.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BIO_should_retry.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_should_retry 3" -.TH BIO_should_retry 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_should_retry 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_BLINDING_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_BLINDING_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_BLINDING_new.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_BLINDING_new 3" -.TH BN_BLINDING_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_BLINDING_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_CTX_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_CTX_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_CTX_new.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_CTX_new 3" -.TH BN_CTX_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_CTX_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_CTX_start.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_CTX_start.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_CTX_start.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_CTX_start 3" -.TH BN_CTX_start 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_CTX_start 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_add.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_add.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_add.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_add 3" -.TH BN_add 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_add 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_add_word.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_add_word.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_add_word.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_add_word 3" -.TH BN_add_word 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_add_word 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_bn2bin.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_bn2bin.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_bn2bin.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_bn2bin 3" -.TH BN_bn2bin 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_bn2bin 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_cmp.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_cmp.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_cmp.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_cmp 3" -.TH BN_cmp 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_cmp 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_copy.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_copy.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_copy.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_copy 3" -.TH BN_copy 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_copy 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_generate_prime.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_generate_prime.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_generate_prime.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_generate_prime 3" -.TH BN_generate_prime 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_generate_prime 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_mod_inverse.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_mod_inverse.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_mod_inverse.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_inverse 3" -.TH BN_mod_inverse 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_inverse 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_mul_montgomery 3" -.TH BN_mod_mul_montgomery 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_mul_montgomery 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_mul_reciprocal 3" -.TH BN_mod_mul_reciprocal 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_mul_reciprocal 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_new.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_new 3" -.TH BN_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_num_bytes.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_num_bytes.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_num_bytes.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_num_bytes 3" -.TH BN_num_bytes 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_num_bytes 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_rand.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_rand.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_rand.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_rand 3" -.TH BN_rand 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_rand 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_set_bit.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_set_bit.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_set_bit.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_set_bit 3" -.TH BN_set_bit 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_set_bit 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_swap.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_swap.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_swap.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_swap 3" -.TH BN_swap 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_swap 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/BN_zero.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/BN_zero.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/BN_zero.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_zero 3" -.TH BN_zero 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_zero 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/CONF_modules_free.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/CONF_modules_free.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/CONF_modules_free.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CONF_modules_free 3" -.TH CONF_modules_free 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CONF_modules_free 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/CONF_modules_load_file.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/CONF_modules_load_file.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/CONF_modules_load_file.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CONF_modules_load_file 3" -.TH CONF_modules_load_file 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CONF_modules_load_file 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CRYPTO_set_ex_data 3" -.TH CRYPTO_set_ex_data 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CRYPTO_set_ex_data 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_generate_key.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_generate_key.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_generate_key.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_generate_key 3" -.TH DH_generate_key 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_generate_key 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_generate_parameters.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_generate_parameters.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_generate_parameters.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_generate_parameters 3" -.TH DH_generate_parameters 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_generate_parameters 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_get_ex_new_index.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_get_ex_new_index.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_get_ex_new_index.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_get_ex_new_index 3" -.TH DH_get_ex_new_index 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_get_ex_new_index 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_new.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_new 3" -.TH DH_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_set_method.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_set_method.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_set_method.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_set_method 3" -.TH DH_set_method 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_set_method 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DH_size.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DH_size.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DH_size.3 Thu Dec 9 22:03:53 2010 (r216341) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_size 3" -.TH DH_size 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_size 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/8/secure/lib/libcrypto/man/DSA_SIG_new.3 ============================================================================== --- stable/8/secure/lib/libcrypto/man/DSA_SIG_new.3 Thu Dec 9 22:02:48 2010 (r216340) +++ stable/8/secure/lib/libcrypto/man/DSA_SIG_new.3 Thu Dec 9 22:03:53 2010 (r216341) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DSA_SIG_new 3" -.TH DSA_SIG_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DSA_SIG_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-stable@FreeBSD.ORG Thu Dec 9 22:05:17 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B1ADB1065674; Thu, 9 Dec 2010 22:05:17 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 9B5FB8FC0A; Thu, 9 Dec 2010 22:05:17 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB9M5HQW052399; Thu, 9 Dec 2010 22:05:17 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB9M5GSn052325; Thu, 9 Dec 2010 22:05:16 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <201012092205.oB9M5GSn052325@svn.freebsd.org> 
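Review bot: every hunk in this part of the diff changes only the .TH line, moving the date and version from "2010-11-16" "0.9.8p" to "2010-12-02" "0.9.8q", and these mechanical edits run the mail into the "DIFF OUTPUT TRUNCATED AT 1000 LINES" limit. Committing the regenerated man pages separately from the source update would keep the code changes within the part of the diff that reviewers actually receive.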
From: "Simon L. Nielsen"
Date: Thu, 9 Dec 2010 22:05:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r216342 - in stable/7: crypto/openssl crypto/openssl/crypto crypto/openssl/crypto/evp crypto/openssl/crypto/jpake crypto/openssl/crypto/stack crypto/openssl/doc/ssl crypto/openssl/ssl s...
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Dec 2010 22:05:17 -0000

Author: simon
Date: Thu Dec 9 22:05:16 2010
New Revision: 216342
URL: http://svn.freebsd.org/changeset/base/216342

Log:
  MFC r216166, r216167:

  Merge in OpenSSL 0.9.8q.

  Approved by: re (kib)
  Security: CVE-2010-4180
  Security: http://www.openssl.org/news/secadv_20101202.txt

Added:
  stable/7/crypto/openssl/ACKNOWLEDGMENTS
     - copied unchanged from r216303, head/crypto/openssl/ACKNOWLEDGMENTS
Modified:
stable/7/crypto/openssl/CHANGES stable/7/crypto/openssl/FAQ stable/7/crypto/openssl/Makefile stable/7/crypto/openssl/NEWS stable/7/crypto/openssl/README stable/7/crypto/openssl/crypto/evp/p_sign.c stable/7/crypto/openssl/crypto/evp/p_verify.c stable/7/crypto/openssl/crypto/jpake/jpake.c stable/7/crypto/openssl/crypto/jpake/jpake.h stable/7/crypto/openssl/crypto/jpake/jpake_err.c stable/7/crypto/openssl/crypto/opensslv.h stable/7/crypto/openssl/crypto/stack/safestack.h stable/7/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod stable/7/crypto/openssl/openssl.spec stable/7/crypto/openssl/ssl/s3_clnt.c stable/7/crypto/openssl/ssl/s3_srvr.c stable/7/secure/lib/libcrypto/Makefile.inc stable/7/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 stable/7/secure/lib/libcrypto/man/ASN1_STRING_length.3
stable/7/secure/lib/libcrypto/man/ASN1_STRING_new.3 stable/7/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 stable/7/secure/lib/libcrypto/man/ASN1_generate_nconf.3 stable/7/secure/lib/libcrypto/man/BIO_ctrl.3 stable/7/secure/lib/libcrypto/man/BIO_f_base64.3 stable/7/secure/lib/libcrypto/man/BIO_f_buffer.3 stable/7/secure/lib/libcrypto/man/BIO_f_cipher.3 stable/7/secure/lib/libcrypto/man/BIO_f_md.3 stable/7/secure/lib/libcrypto/man/BIO_f_null.3 stable/7/secure/lib/libcrypto/man/BIO_f_ssl.3 stable/7/secure/lib/libcrypto/man/BIO_find_type.3 stable/7/secure/lib/libcrypto/man/BIO_new.3 stable/7/secure/lib/libcrypto/man/BIO_push.3 stable/7/secure/lib/libcrypto/man/BIO_read.3 stable/7/secure/lib/libcrypto/man/BIO_s_accept.3 stable/7/secure/lib/libcrypto/man/BIO_s_bio.3 stable/7/secure/lib/libcrypto/man/BIO_s_connect.3 stable/7/secure/lib/libcrypto/man/BIO_s_fd.3 stable/7/secure/lib/libcrypto/man/BIO_s_file.3 stable/7/secure/lib/libcrypto/man/BIO_s_mem.3 stable/7/secure/lib/libcrypto/man/BIO_s_null.3 stable/7/secure/lib/libcrypto/man/BIO_s_socket.3 stable/7/secure/lib/libcrypto/man/BIO_set_callback.3 stable/7/secure/lib/libcrypto/man/BIO_should_retry.3 stable/7/secure/lib/libcrypto/man/BN_BLINDING_new.3 stable/7/secure/lib/libcrypto/man/BN_CTX_new.3 stable/7/secure/lib/libcrypto/man/BN_CTX_start.3 stable/7/secure/lib/libcrypto/man/BN_add.3 stable/7/secure/lib/libcrypto/man/BN_add_word.3 stable/7/secure/lib/libcrypto/man/BN_bn2bin.3 stable/7/secure/lib/libcrypto/man/BN_cmp.3 stable/7/secure/lib/libcrypto/man/BN_copy.3 stable/7/secure/lib/libcrypto/man/BN_generate_prime.3 stable/7/secure/lib/libcrypto/man/BN_mod_inverse.3 stable/7/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 stable/7/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 stable/7/secure/lib/libcrypto/man/BN_new.3 stable/7/secure/lib/libcrypto/man/BN_num_bytes.3 stable/7/secure/lib/libcrypto/man/BN_rand.3 stable/7/secure/lib/libcrypto/man/BN_set_bit.3 stable/7/secure/lib/libcrypto/man/BN_swap.3 
stable/7/secure/lib/libcrypto/man/BN_zero.3 stable/7/secure/lib/libcrypto/man/CONF_modules_free.3 stable/7/secure/lib/libcrypto/man/CONF_modules_load_file.3 stable/7/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 stable/7/secure/lib/libcrypto/man/DH_generate_key.3 stable/7/secure/lib/libcrypto/man/DH_generate_parameters.3 stable/7/secure/lib/libcrypto/man/DH_get_ex_new_index.3 stable/7/secure/lib/libcrypto/man/DH_new.3 stable/7/secure/lib/libcrypto/man/DH_set_method.3 stable/7/secure/lib/libcrypto/man/DH_size.3 stable/7/secure/lib/libcrypto/man/DSA_SIG_new.3 stable/7/secure/lib/libcrypto/man/DSA_do_sign.3 stable/7/secure/lib/libcrypto/man/DSA_dup_DH.3 stable/7/secure/lib/libcrypto/man/DSA_generate_key.3 stable/7/secure/lib/libcrypto/man/DSA_generate_parameters.3 stable/7/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 stable/7/secure/lib/libcrypto/man/DSA_new.3 stable/7/secure/lib/libcrypto/man/DSA_set_method.3 stable/7/secure/lib/libcrypto/man/DSA_sign.3 stable/7/secure/lib/libcrypto/man/DSA_size.3 stable/7/secure/lib/libcrypto/man/ERR_GET_LIB.3 stable/7/secure/lib/libcrypto/man/ERR_clear_error.3 stable/7/secure/lib/libcrypto/man/ERR_error_string.3 stable/7/secure/lib/libcrypto/man/ERR_get_error.3 stable/7/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 stable/7/secure/lib/libcrypto/man/ERR_load_strings.3 stable/7/secure/lib/libcrypto/man/ERR_print_errors.3 stable/7/secure/lib/libcrypto/man/ERR_put_error.3 stable/7/secure/lib/libcrypto/man/ERR_remove_state.3 stable/7/secure/lib/libcrypto/man/ERR_set_mark.3 stable/7/secure/lib/libcrypto/man/EVP_BytesToKey.3 stable/7/secure/lib/libcrypto/man/EVP_DigestInit.3 stable/7/secure/lib/libcrypto/man/EVP_EncryptInit.3 stable/7/secure/lib/libcrypto/man/EVP_OpenInit.3 stable/7/secure/lib/libcrypto/man/EVP_PKEY_new.3 stable/7/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 stable/7/secure/lib/libcrypto/man/EVP_SealInit.3 stable/7/secure/lib/libcrypto/man/EVP_SignInit.3 stable/7/secure/lib/libcrypto/man/EVP_VerifyInit.3 
stable/7/secure/lib/libcrypto/man/OBJ_nid2obj.3 stable/7/secure/lib/libcrypto/man/OPENSSL_Applink.3 stable/7/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 stable/7/secure/lib/libcrypto/man/OPENSSL_config.3 stable/7/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 stable/7/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 stable/7/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 stable/7/secure/lib/libcrypto/man/PKCS12_create.3 stable/7/secure/lib/libcrypto/man/PKCS12_parse.3 stable/7/secure/lib/libcrypto/man/PKCS7_decrypt.3 stable/7/secure/lib/libcrypto/man/PKCS7_encrypt.3 stable/7/secure/lib/libcrypto/man/PKCS7_sign.3 stable/7/secure/lib/libcrypto/man/PKCS7_verify.3 stable/7/secure/lib/libcrypto/man/RAND_add.3 stable/7/secure/lib/libcrypto/man/RAND_bytes.3 stable/7/secure/lib/libcrypto/man/RAND_cleanup.3 stable/7/secure/lib/libcrypto/man/RAND_egd.3 stable/7/secure/lib/libcrypto/man/RAND_load_file.3 stable/7/secure/lib/libcrypto/man/RAND_set_rand_method.3 stable/7/secure/lib/libcrypto/man/RSA_blinding_on.3 stable/7/secure/lib/libcrypto/man/RSA_check_key.3 stable/7/secure/lib/libcrypto/man/RSA_generate_key.3 stable/7/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 stable/7/secure/lib/libcrypto/man/RSA_new.3 stable/7/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 stable/7/secure/lib/libcrypto/man/RSA_print.3 stable/7/secure/lib/libcrypto/man/RSA_private_encrypt.3 stable/7/secure/lib/libcrypto/man/RSA_public_encrypt.3 stable/7/secure/lib/libcrypto/man/RSA_set_method.3 stable/7/secure/lib/libcrypto/man/RSA_sign.3 stable/7/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 stable/7/secure/lib/libcrypto/man/RSA_size.3 stable/7/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 stable/7/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 stable/7/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 stable/7/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 stable/7/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 
stable/7/secure/lib/libcrypto/man/X509_NAME_print_ex.3 stable/7/secure/lib/libcrypto/man/X509_new.3 stable/7/secure/lib/libcrypto/man/bio.3 stable/7/secure/lib/libcrypto/man/blowfish.3 stable/7/secure/lib/libcrypto/man/bn.3 stable/7/secure/lib/libcrypto/man/bn_internal.3 stable/7/secure/lib/libcrypto/man/buffer.3 stable/7/secure/lib/libcrypto/man/crypto.3 stable/7/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 stable/7/secure/lib/libcrypto/man/d2i_DHparams.3 stable/7/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 stable/7/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 stable/7/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 stable/7/secure/lib/libcrypto/man/d2i_X509.3 stable/7/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 stable/7/secure/lib/libcrypto/man/d2i_X509_CRL.3 stable/7/secure/lib/libcrypto/man/d2i_X509_NAME.3 stable/7/secure/lib/libcrypto/man/d2i_X509_REQ.3 stable/7/secure/lib/libcrypto/man/d2i_X509_SIG.3 stable/7/secure/lib/libcrypto/man/des.3 stable/7/secure/lib/libcrypto/man/dh.3 stable/7/secure/lib/libcrypto/man/dsa.3 stable/7/secure/lib/libcrypto/man/ecdsa.3 stable/7/secure/lib/libcrypto/man/engine.3 stable/7/secure/lib/libcrypto/man/err.3 stable/7/secure/lib/libcrypto/man/evp.3 stable/7/secure/lib/libcrypto/man/hmac.3 stable/7/secure/lib/libcrypto/man/lh_stats.3 stable/7/secure/lib/libcrypto/man/lhash.3 stable/7/secure/lib/libcrypto/man/md5.3 stable/7/secure/lib/libcrypto/man/mdc2.3 stable/7/secure/lib/libcrypto/man/pem.3 stable/7/secure/lib/libcrypto/man/rand.3 stable/7/secure/lib/libcrypto/man/rc4.3 stable/7/secure/lib/libcrypto/man/ripemd.3 stable/7/secure/lib/libcrypto/man/rsa.3 stable/7/secure/lib/libcrypto/man/sha.3 stable/7/secure/lib/libcrypto/man/threads.3 stable/7/secure/lib/libcrypto/man/ui.3 stable/7/secure/lib/libcrypto/man/ui_compat.3 stable/7/secure/lib/libcrypto/man/x509.3 stable/7/secure/usr.bin/openssl/man/CA.pl.1 stable/7/secure/usr.bin/openssl/man/asn1parse.1 stable/7/secure/usr.bin/openssl/man/ca.1 stable/7/secure/usr.bin/openssl/man/ciphers.1 
stable/7/secure/usr.bin/openssl/man/crl.1 stable/7/secure/usr.bin/openssl/man/crl2pkcs7.1 stable/7/secure/usr.bin/openssl/man/dgst.1 stable/7/secure/usr.bin/openssl/man/dhparam.1 stable/7/secure/usr.bin/openssl/man/dsa.1 stable/7/secure/usr.bin/openssl/man/dsaparam.1 stable/7/secure/usr.bin/openssl/man/ec.1 stable/7/secure/usr.bin/openssl/man/ecparam.1 stable/7/secure/usr.bin/openssl/man/enc.1 stable/7/secure/usr.bin/openssl/man/errstr.1 stable/7/secure/usr.bin/openssl/man/gendsa.1 stable/7/secure/usr.bin/openssl/man/genrsa.1 stable/7/secure/usr.bin/openssl/man/nseq.1 stable/7/secure/usr.bin/openssl/man/ocsp.1 stable/7/secure/usr.bin/openssl/man/openssl.1 stable/7/secure/usr.bin/openssl/man/passwd.1 stable/7/secure/usr.bin/openssl/man/pkcs12.1 stable/7/secure/usr.bin/openssl/man/pkcs7.1 stable/7/secure/usr.bin/openssl/man/pkcs8.1 stable/7/secure/usr.bin/openssl/man/rand.1 stable/7/secure/usr.bin/openssl/man/req.1 stable/7/secure/usr.bin/openssl/man/rsa.1 stable/7/secure/usr.bin/openssl/man/rsautl.1 stable/7/secure/usr.bin/openssl/man/s_client.1 stable/7/secure/usr.bin/openssl/man/s_server.1 stable/7/secure/usr.bin/openssl/man/s_time.1 stable/7/secure/usr.bin/openssl/man/sess_id.1 stable/7/secure/usr.bin/openssl/man/smime.1 stable/7/secure/usr.bin/openssl/man/speed.1 stable/7/secure/usr.bin/openssl/man/spkac.1 stable/7/secure/usr.bin/openssl/man/verify.1 stable/7/secure/usr.bin/openssl/man/version.1 stable/7/secure/usr.bin/openssl/man/x509.1 stable/7/secure/usr.bin/openssl/man/x509v3_config.1 Directory Properties: stable/7/crypto/openssl/ (props changed) stable/7/secure/lib/libcrypto/ (props changed) stable/7/secure/usr.bin/openssl/ (props changed) Copied: stable/7/crypto/openssl/ACKNOWLEDGMENTS (from r216303, head/crypto/openssl/ACKNOWLEDGMENTS) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/7/crypto/openssl/ACKNOWLEDGMENTS Thu Dec 9 22:05:16 2010 (r216342, copy of r216303, head/crypto/openssl/ACKNOWLEDGMENTS) @@ -0,0 +1,25 @@ +The OpenSSL project depends on volunteer efforts and financial support from +the end user community. That support comes in the form of donations and paid +sponsorships, software support contracts, paid consulting services +and commissioned software development. + +Since all these activities support the continued development and improvement +of OpenSSL we consider all these clients and customers as sponsors of the +OpenSSL project. + +We would like to identify and thank the following such sponsors for their past +or current significant support of the OpenSSL project: + +Very significant support: + + OpenGear: www.opengear.com + +Significant support: + + PSW Group: www.psw.net + +Please note that we ask permission to identify sponsors and that some sponsors +we consider eligible for inclusion here have requested to remain anonymous. + +Additional sponsorship or financial support is always welcome: for more +information please contact the OpenSSL Software Foundation. Modified: stable/7/crypto/openssl/CHANGES ============================================================================== --- stable/7/crypto/openssl/CHANGES Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/CHANGES Thu Dec 9 22:05:16 2010 (r216342) 
@@ -2,6 +2,18 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8p and 0.9.8q [2 Dec 2010] + + *) Disable code workaround for ancient and obsolete Netscape browsers + and servers: an attacker can use it in a ciphersuite downgrade attack. + Thanks to Martin Rex for discovering this bug. CVE-2010-4180 + [Steve Henson] + + *) Fixed J-PAKE implementation error, originally discovered by + Sebastien Martini, further info and confirmation from Stefan + Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 + [Ben Laurie] + Changes between 0.9.8o and 0.9.8p [16 Nov 2010] *) Fix extension code to avoid race conditions which can result in a buffer Modified: stable/7/crypto/openssl/FAQ ============================================================================== --- stable/7/crypto/openssl/FAQ Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/FAQ Thu Dec 9 22:05:16 2010 (r216342) @@ -52,6 +52,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -79,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0b was released on Nov 16th, 2010. +OpenSSL 1.0.0c was released on Dec 2nd, 2010. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL 
@@ -463,7 +466,7 @@ administrators. Other projects do have other policies so you can for example extract the CA bundle used by Mozilla and/or modssl as described in this article: - http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + [BUILD] ======================================================================= @@ -505,7 +508,7 @@ when you run the test suite (using "make "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -516,7 +519,7 @@ that the OpenSSL bntest throws at it. T test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. 
@@ -709,6 +712,46 @@ never make sense, and tend to emerge whe to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). 
+ [PROG] ======================================================================== * Is OpenSSL thread-safe? Modified: stable/7/crypto/openssl/Makefile ============================================================================== --- stable/7/crypto/openssl/Makefile Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/Makefile Thu Dec 9 22:05:16 2010 (r216342) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8p +VERSION=0.9.8q MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 Modified: stable/7/crypto/openssl/NEWS ============================================================================== --- stable/7/crypto/openssl/NEWS Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/NEWS Thu Dec 9 22:05:16 2010 (r216342) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + + o Fix for security issue CVE-2010-4180 + o Fix for CVE-2010-4252 + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: o Fix for security issue CVE-2010-3864. Modified: stable/7/crypto/openssl/README ============================================================================== --- stable/7/crypto/openssl/README Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/README Thu Dec 9 22:05:16 2010 (r216342) @@ -1,5 +1,5 @@ - OpenSSL 0.9.8p 16 Nov 2010 + OpenSSL 0.9.8q 2 Dec 2010 Copyright (c) 1998-2009 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: stable/7/crypto/openssl/crypto/evp/p_sign.c ============================================================================== --- stable/7/crypto/openssl/crypto/evp/p_sign.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/evp/p_sign.c Thu Dec 9 22:05:16 2010 (r216342) 
@@ -81,7 +81,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; *siglen=0; for (i=0; i<4; i++) Modified: stable/7/crypto/openssl/crypto/evp/p_verify.c ============================================================================== --- stable/7/crypto/openssl/crypto/evp/p_verify.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/evp/p_verify.c Thu Dec 9 22:05:16 2010 (r216342) @@ -68,7 +68,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; for (i=0; i<4; i++) { Modified: stable/7/crypto/openssl/crypto/jpake/jpake.c ============================================================================== --- stable/7/crypto/openssl/crypto/jpake/jpake.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/jpake/jpake.c Thu Dec 9 22:05:16 2010 (r216342) 
@@ -283,23 +283,53 @@ int JPAKE_STEP1_generate(JPAKE_STEP1 *se return 1; } +/* g^x is a legal value */ +static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx) + { + BIGNUM *t; + int res; + + if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0) + return 0; + + t = BN_new(); + BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx); + res = BN_is_one(t); + BN_free(t); + + return res; + } + int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) { - /* verify their ZKP(xc) */ + if(!is_legal(received->p1.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL); + return 0; + } + + if(!is_legal(received->p2.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL); + return 0; + } + + + /* verify their ZKP(xc) */ if(!verify_zkp(&received->p1, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); return 0; } - /* verify their ZKP(xd) */ + /* verify their ZKP(xd) */ if(!verify_zkp(&received->p2, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); return 0; } - /* g^xd != 1 */ + /* g^xd != 1 */ if(BN_is_one(received->p2.gx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); Modified: stable/7/crypto/openssl/crypto/jpake/jpake.h ============================================================================== --- stable/7/crypto/openssl/crypto/jpake/jpake.h Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/jpake/jpake.h Thu Dec 9 22:05:16 2010 (r216342) 
@@ -115,6 +115,8 @@ void ERR_load_JPAKE_strings(void); #define JPAKE_F_VERIFY_ZKP 100 /* Reason codes. */ +#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108 +#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109 #define JPAKE_R_G_TO_THE_X4_IS_ONE 105 #define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 #define JPAKE_R_HASH_OF_KEY_MISMATCH 107 Modified: stable/7/crypto/openssl/crypto/jpake/jpake_err.c ============================================================================== --- stable/7/crypto/openssl/crypto/jpake/jpake_err.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/jpake/jpake_err.c Thu Dec 9 22:05:16 2010 (r216342) @@ -1,6 +1,6 @@ /* crypto/jpake/jpake_err.c */ /* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -80,6 +80,8 @@ static ERR_STRING_DATA JPAKE_str_functs[ static ERR_STRING_DATA JPAKE_str_reasons[]= { +{ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"}, +{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"}, {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, {ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, {ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, Modified: stable/7/crypto/openssl/crypto/opensslv.h ============================================================================== --- stable/7/crypto/openssl/crypto/opensslv.h Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/opensslv.h Thu Dec 9 22:05:16 2010 (r216342) 
@@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090810f +#define OPENSSL_VERSION_NUMBER 0x0090811f #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p-fips 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q-fips 2 Dec 2010" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q 2 Dec 2010" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: stable/7/crypto/openssl/crypto/stack/safestack.h ============================================================================== --- stable/7/crypto/openssl/crypto/stack/safestack.h Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/crypto/stack/safestack.h Thu Dec 9 22:05:16 2010 (r216342) @@ -127,7 +127,7 @@ STACK_OF(type) \ sk_is_sorted(CHECKED_PTR_OF(STACK_OF(type), st)) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type), st), \ + (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type)*, st), \ pp, length, \ CHECKED_D2I_OF(type, d2i_func), \ CHECKED_SK_FREE_FUNC(type, free_func), \ Modified: stable/7/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod ============================================================================== --- stable/7/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Thu Dec 9 22:05:16 2010 (r216342) 
@@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -ssl3.netscape.com:443, first a connection is established with RC4-MD5. -If it is then resumed, we end up using DES-CBC3-SHA. It should be -RC4-MD5 according to 7.6.1.3, 'cipher_suite'. - -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. -It only really shows up when connecting via SSLv2/v3 then reconnecting -via SSLv3. The cipher list changes.... - -NEW INFORMATION. Try connecting with a cipher list of just -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when -doing a re-connect, always takes the first cipher in the cipher list. +As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG Modified: stable/7/crypto/openssl/openssl.spec ============================================================================== --- stable/7/crypto/openssl/openssl.spec Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/openssl.spec Thu Dec 9 22:05:16 2010 (r216342) @@ -2,7 +2,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev p +%define librev q Release: 1 %define openssldir /var/ssl Modified: stable/7/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- stable/7/crypto/openssl/ssl/s3_clnt.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/ssl/s3_clnt.c Thu Dec 9 22:05:16 2010 (r216342) 
@@ -814,8 +814,11 @@ int ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Modified: stable/7/crypto/openssl/ssl/s3_srvr.c ============================================================================== --- stable/7/crypto/openssl/ssl/s3_srvr.c Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/crypto/openssl/ssl/s3_srvr.c Thu Dec 9 22:05:16 2010 (r216342) @@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s) break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s) j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher Modified: stable/7/secure/lib/libcrypto/Makefile.inc ============================================================================== --- stable/7/secure/lib/libcrypto/Makefile.inc Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/Makefile.inc Thu Dec 9 22:05:16 2010 (r216342) 
@@ -3,8 +3,8 @@ .include # OpenSSL version used for manual page generation -OPENSSL_VER= 0.9.8p -OPENSSL_DATE= 2010-11-16 +OPENSSL_VER= 0.9.8q +OPENSSL_DATE= 2010-12-02 LCRYPTO_SRC= ${.CURDIR}/../../../crypto/openssl LCRYPTO_DOC= ${.CURDIR}/../../../crypto/openssl/doc Modified: stable/7/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_OBJECT_new 3" -.TH ASN1_OBJECT_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_OBJECT_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/ASN1_STRING_length.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/ASN1_STRING_length.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/ASN1_STRING_length.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_length 3" -.TH ASN1_STRING_length 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_length 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/ASN1_STRING_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/ASN1_STRING_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/ASN1_STRING_new.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_new 3" -.TH ASN1_STRING_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_STRING_print_ex 3" -.TH ASN1_STRING_print_ex 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_STRING_print_ex 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/ASN1_generate_nconf.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/ASN1_generate_nconf.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/ASN1_generate_nconf.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ASN1_generate_nconf 3" -.TH ASN1_generate_nconf 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH ASN1_generate_nconf 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_ctrl.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_ctrl.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_ctrl.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_ctrl 3" -.TH BIO_ctrl 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_ctrl 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_base64.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_base64.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_base64.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_base64 3" -.TH BIO_f_base64 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_base64 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_buffer.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_buffer.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_buffer.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_buffer 3" -.TH BIO_f_buffer 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_buffer 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_cipher.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_cipher.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_cipher.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_cipher 3" -.TH BIO_f_cipher 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_cipher 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_md.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_md.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_md.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_md 3" -.TH BIO_f_md 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_md 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_null.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_null.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_null.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_null 3" -.TH BIO_f_null 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_null 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_f_ssl.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_f_ssl.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_f_ssl.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_f_ssl 3" -.TH BIO_f_ssl 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_f_ssl 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_find_type.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_find_type.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_find_type.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_find_type 3" -.TH BIO_find_type 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_find_type 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_new.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_new 3" -.TH BIO_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_push.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_push.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_push.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_push 3" -.TH BIO_push 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_push 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_read.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_read.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_read.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_read 3" -.TH BIO_read 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_read 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_accept.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_accept.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_accept.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_accept 3" -.TH BIO_s_accept 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_accept 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_bio.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_bio.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_bio.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_bio 3" -.TH BIO_s_bio 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_bio 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_connect.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_connect.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_connect.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_connect 3" -.TH BIO_s_connect 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_connect 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_fd.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_fd.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_fd.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_fd 3" -.TH BIO_s_fd 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_fd 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_file.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_file.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_file.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_file 3" -.TH BIO_s_file 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_file 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_mem.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_mem.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_mem.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_mem 3" -.TH BIO_s_mem 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_mem 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_null.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_null.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_null.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_null 3" -.TH BIO_s_null 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_null 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_s_socket.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_s_socket.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_s_socket.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_s_socket 3" -.TH BIO_s_socket 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_s_socket 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_set_callback.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_set_callback.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_set_callback.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_set_callback 3" -.TH BIO_set_callback 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_set_callback 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BIO_should_retry.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BIO_should_retry.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BIO_should_retry.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BIO_should_retry 3" -.TH BIO_should_retry 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BIO_should_retry 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_BLINDING_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_BLINDING_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_BLINDING_new.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_BLINDING_new 3" -.TH BN_BLINDING_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_BLINDING_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_CTX_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_CTX_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_CTX_new.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_CTX_new 3" -.TH BN_CTX_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_CTX_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_CTX_start.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_CTX_start.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_CTX_start.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_CTX_start 3" -.TH BN_CTX_start 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_CTX_start 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_add.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_add.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_add.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_add 3" -.TH BN_add 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_add 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_add_word.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_add_word.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_add_word.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_add_word 3" -.TH BN_add_word 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_add_word 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_bn2bin.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_bn2bin.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_bn2bin.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_bn2bin 3" -.TH BN_bn2bin 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_bn2bin 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_cmp.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_cmp.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_cmp.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_cmp 3" -.TH BN_cmp 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_cmp 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_copy.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_copy.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_copy.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_copy 3" -.TH BN_copy 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_copy 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_generate_prime.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_generate_prime.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_generate_prime.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_generate_prime 3" -.TH BN_generate_prime 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_generate_prime 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_mod_inverse.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_mod_inverse.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_mod_inverse.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_inverse 3" -.TH BN_mod_inverse 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_inverse 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_mul_montgomery 3" -.TH BN_mod_mul_montgomery 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_mul_montgomery 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_mod_mul_reciprocal 3" -.TH BN_mod_mul_reciprocal 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_mod_mul_reciprocal 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_new.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_new 3" -.TH BN_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_num_bytes.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_num_bytes.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_num_bytes.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_num_bytes 3" -.TH BN_num_bytes 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_num_bytes 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_rand.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_rand.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_rand.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_rand 3" -.TH BN_rand 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_rand 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_set_bit.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_set_bit.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_set_bit.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_set_bit 3" -.TH BN_set_bit 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_set_bit 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_swap.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_swap.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_swap.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_swap 3" -.TH BN_swap 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_swap 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/BN_zero.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/BN_zero.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/BN_zero.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BN_zero 3" -.TH BN_zero 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH BN_zero 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/CONF_modules_free.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/CONF_modules_free.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/CONF_modules_free.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CONF_modules_free 3" -.TH CONF_modules_free 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CONF_modules_free 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/CONF_modules_load_file.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/CONF_modules_load_file.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/CONF_modules_load_file.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CONF_modules_load_file 3" -.TH CONF_modules_load_file 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CONF_modules_load_file 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "CRYPTO_set_ex_data 3" -.TH CRYPTO_set_ex_data 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH CRYPTO_set_ex_data 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_generate_key.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_generate_key.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_generate_key.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_generate_key 3" -.TH DH_generate_key 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_generate_key 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_generate_parameters.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_generate_parameters.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_generate_parameters.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_generate_parameters 3" -.TH DH_generate_parameters 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_generate_parameters 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_get_ex_new_index.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_get_ex_new_index.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_get_ex_new_index.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_get_ex_new_index 3" -.TH DH_get_ex_new_index 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_get_ex_new_index 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_new.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_new 3" -.TH DH_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_set_method.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_set_method.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_set_method.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_set_method 3" -.TH DH_set_method 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_set_method 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DH_size.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DH_size.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DH_size.3 Thu Dec 9 22:05:16 2010 (r216342) 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DH_size 3" -.TH DH_size 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DH_size 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Modified: stable/7/secure/lib/libcrypto/man/DSA_SIG_new.3 ============================================================================== --- stable/7/secure/lib/libcrypto/man/DSA_SIG_new.3 Thu Dec 9 22:03:53 2010 (r216341) +++ stable/7/secure/lib/libcrypto/man/DSA_SIG_new.3 Thu Dec 9 22:05:16 2010 (r216342) @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "DSA_SIG_new 3" -.TH DSA_SIG_new 3 "2010-11-16" "0.9.8p" "OpenSSL" +.TH DSA_SIG_new 3 "2010-12-02" "0.9.8q" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
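Review bot: Nothing outside the man pages can be reviewed from this mail for r216342: every visible hunk is the same one-line `.TH` stamp bump in a generated libcrypto man page ("2010-11-16" to "2010-12-02", "0.9.8p" to "0.9.8q"), and the message ends at "DIFF OUTPUT TRUNCATED AT 1000 LINES". Review the remaining files from the full changeset, and consider committing regenerated man pages separately so the 1000-line limit is not used up by version-stamp churn.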
From: Xin LI
Date: Fri, 10 Dec 2010 00:52:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r216344 - stable/8/share/syscons/fonts
X-SVN-Group: stable-8

Author: delphij
Date: Fri Dec 10 00:52:54 2010
New Revision: 216344
URL: http://svn.freebsd.org/changeset/base/216344

Log:
  MFC r216040:
  Make German formal clause to be consistent with the keymap counterpart.

  Submitted by: arundel
  Approved by: re (kensmith, bz)

Modified:
  stable/8/share/syscons/fonts/INDEX.fonts
Directory Properties:
  stable/8/share/syscons/ (props changed)

Modified: stable/8/share/syscons/fonts/INDEX.fonts ============================================================================== --- stable/8/share/syscons/fonts/INDEX.fonts Thu Dec 9 23:57:23 2010 (r216343) +++ stable/8/share/syscons/fonts/INDEX.fonts Fri Dec 10 00:52:54 2010 (r216344) 
@@ -49,7 +49,7 @@ # Language support: MENU, FONT # MENU:en:Choose your keyboard font -MENU:de:Wähle Deine Schrift +MENU:de:Wählen Sie Ihre Schrift MENU:fr:Choisissez votre fonte écran MENU:pl:Wybierz czcionkê ekranow± MENU:es:Escoja el juego de caracteres
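Review bot: The replaced `MENU:de:` line in this r216344 hunk carries a non-ASCII `ä`, and the unchanged context line `MENU:pl:Wybierz czcionkê ekranow±` shows that the file is not stored in one encoding (those bytes render as Polish only when read as ISO-8859-2). Confirm that the new `Wählen Sie Ihre Schrift` string was committed in the same byte encoding as the line it replaces, and consider a comment above the MENU block stating the encoding expected for each language.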
From: Xin LI
Date: Fri, 10 Dec 2010 00:53:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject: svn commit: r216345 - stable/7/share/syscons/fonts
X-SVN-Group: stable-7

Author: delphij
Date: Fri Dec 10 00:53:16 2010
New Revision: 216345
URL: http://svn.freebsd.org/changeset/base/216345

Log:
  MFC r216040:
  Make German formal clause to be consistent with the keymap counterpart.

  Submitted by: arundel
  Approved by: re (kensmith, bz)

Modified:
  stable/7/share/syscons/fonts/INDEX.fonts
Directory Properties:
  stable/7/share/syscons/ (props changed)
  stable/7/share/syscons/keymaps/ (props changed)

Modified: stable/7/share/syscons/fonts/INDEX.fonts ============================================================================== --- stable/7/share/syscons/fonts/INDEX.fonts Fri Dec 10 00:52:54 2010 (r216344) +++ stable/7/share/syscons/fonts/INDEX.fonts Fri Dec 10 00:53:16 2010 (r216345) 
@@ -49,7 +49,7 @@ # Language support: MENU, FONT # MENU:en:Choose your keyboard font -MENU:de:Wähle Deine Schrift +MENU:de:Wählen Sie Ihre Schrift MENU:fr:Choisissez votre fonte écran MENU:pl:Wybierz czcionkê ekranow± MENU:es:Escoja el juego de caracteres From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 05:15:48 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2B53A1065672; Fri, 10 Dec 2010 05:15:48 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 1A3638FC15; Fri, 10 Dec 2010 05:15:48 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBA5FlY8062153; Fri, 10 Dec 2010 05:15:47 GMT (envelope-from ae@svn.freebsd.org) Received: (from ae@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBA5FlLa062151; Fri, 10 Dec 2010 05:15:47 GMT (envelope-from ae@svn.freebsd.org) Message-Id: <201012100515.oBA5FlLa062151@svn.freebsd.org> 
From: "Andrey V. Elsukov" Date: Fri, 10 Dec 2010 05:15:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216346 - stable/8/sbin/ipfw X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 05:15:48 -0000 Author: ae Date: Fri Dec 10 05:15:47 2010 New Revision: 216346 URL: http://svn.freebsd.org/changeset/base/216346 Log: MFC r206494 by luigi: fix a buffer overflow with large (100k+) number of input lines. Approved by: re (bz) Modified: stable/8/sbin/ipfw/main.c Directory Properties: stable/8/sbin/ipfw/ (props changed) Modified: stable/8/sbin/ipfw/main.c ============================================================================== --- stable/8/sbin/ipfw/main.c Fri Dec 10 00:53:16 2010 (r216345) +++ stable/8/sbin/ipfw/main.c Fri Dec 10 05:15:47 2010 (r216346) 
@@ -553,11 +553,11 @@ ipfw_readfile(int ac, char *av[]) } while (fgets(buf, BUFSIZ, f)) { /* read commands */ - char linename[10]; + char linename[20]; char *args[2]; lineno++; - sprintf(linename, "Line %d", lineno); + snprintf(linename, sizeof(linename), "Line %d", lineno); setprogname(linename); /* XXX */ args[0] = progname; args[1] = buf; From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 05:16:26 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D8D11065674; Fri, 10 Dec 2010 05:16:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 2CA518FC22; Fri, 10 Dec 2010 05:16:26 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBA5GQV0062207; Fri, 10 Dec 2010 05:16:26 GMT (envelope-from ae@svn.freebsd.org) Received: (from ae@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBA5GQ9n062205; Fri, 10 Dec 2010 05:16:26 GMT (envelope-from ae@svn.freebsd.org) Message-Id: <201012100516.oBA5GQ9n062205@svn.freebsd.org> 
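Review bot: The new size in 'char linename[20];' in ipfw_readfile() is a bare constant with no stated relation to the "Line %d" format; a short comment saying why 20 is enough, or a size derived from the format (the prefix plus the widest int), would keep the next format change from reintroducing the problem. With the old 10-byte array the prefix "Line " takes five bytes and the terminator one, so the unbounded sprintf() already wrote past the end at line 10000. The snprintf() bound with sizeof(linename) is right. Separately, setprogname(linename), already marked XXX, is handed a buffer that only lives inside the loop body, which deserves a follow-up if the program name is read after the loop ends.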
From: "Andrey V. Elsukov" Date: Fri, 10 Dec 2010 05:16:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216347 - stable/7/sbin/ipfw X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 05:16:26 -0000 Author: ae Date: Fri Dec 10 05:16:25 2010 New Revision: 216347 URL: http://svn.freebsd.org/changeset/base/216347 Log: MFC r206494 by luigi: fix a buffer overflow with large (100k+) number of input lines. Approved by: re (bz) Modified: stable/7/sbin/ipfw/main.c Directory Properties: stable/7/sbin/ipfw/ (props changed) Modified: stable/7/sbin/ipfw/main.c ============================================================================== --- stable/7/sbin/ipfw/main.c Fri Dec 10 05:15:47 2010 (r216346) +++ stable/7/sbin/ipfw/main.c Fri Dec 10 05:16:25 2010 (r216347) 
@@ -491,11 +491,11 @@ ipfw_readfile(int ac, char *av[]) } while (fgets(buf, BUFSIZ, f)) { /* read commands */ - char linename[10]; + char linename[20]; char *args[2]; lineno++; - sprintf(linename, "Line %d", lineno); + snprintf(linename, sizeof(linename), "Line %d", lineno); setprogname(linename); /* XXX */ args[0] = progname; args[1] = buf; From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 05:18:38 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3379F1065670; Fri, 10 Dec 2010 05:18:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 229038FC1D; Fri, 10 Dec 2010 05:18:38 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBA5IcWR062278; Fri, 10 Dec 2010 05:18:38 GMT (envelope-from ae@svn.freebsd.org) Received: (from ae@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBA5IcgC062276; Fri, 10 Dec 2010 05:18:38 GMT (envelope-from ae@svn.freebsd.org) Message-Id: <201012100518.oBA5IcgC062276@svn.freebsd.org> 
From: "Andrey V. Elsukov" Date: Fri, 10 Dec 2010 05:18:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216348 - stable/8/sys/netinet/ipfw X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 05:18:38 -0000 Author: ae Date: Fri Dec 10 05:18:37 2010 New Revision: 216348 URL: http://svn.freebsd.org/changeset/base/216348 Log: MFC r213254 by luigi: fix breakage in in-kernel NAT: the code did not honor net.inet.ip.fw.one_pass and always moved to the next rule in case of a successful nat. This should fix several related PR (waiting for feedback before closing them) PR: 145167 149572 150141 Approved by: re (bz) Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c ============================================================================== --- stable/8/sys/netinet/ipfw/ip_fw_pfil.c Fri Dec 10 05:16:25 2010 (r216347) +++ stable/8/sys/netinet/ipfw/ip_fw_pfil.c Fri Dec 10 05:18:37 2010 (r216348) 
@@ -231,6 +231,11 @@ again: break; case IP_FW_NAT: + /* honor one-pass in case of successful nat */ + if (V_fw_one_pass) + break; /* ret is already 0 */ + goto again; + case IP_FW_REASS: goto again; /* continue with packet */ From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 07:16:20 2010 Return-Path: Delivered-To: svn-src-stable@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B2CC7106566B; Fri, 10 Dec 2010 07:16:20 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it) Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id 775FD8FC0C; Fri, 10 Dec 2010 07:16:20 +0000 (UTC) Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 9E5F073098; Fri, 10 Dec 2010 08:10:09 +0100 (CET) Date: Fri, 10 Dec 2010 08:10:09 +0100 
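Review bot: In the new 'case IP_FW_NAT:' arm the comment says one-pass is honored "in case of successful nat", but nothing in the arm tests for success, and 'break; /* ret is already 0 */' depends on ret having been set to 0 by code outside this hunk. An explicit 'ret = 0;' before the break, or an assertion on it, would make the accept path self-contained and keep the result from depending on what happens above the switch.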
From: Luigi Rizzo To: "Andrey V. Elsukov" Message-ID: <20101210071009.GA59553@onelab2.iet.unipi.it> References: <201012100515.oBA5FlLa062151@svn.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201012100515.oBA5FlLa062151@svn.freebsd.org> User-Agent: Mutt/1.4.2.3i Cc: svn-src-stable@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, svn-src-stable-8@FreeBSD.org Subject: Re: svn commit: r216346 - stable/8/sbin/ipfw X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 07:16:20 -0000 thank you for doing these three MFC cheers luigi On Fri, Dec 10, 2010 at 05:15:47AM +0000, Andrey V. Elsukov wrote: > Author: ae > Date: Fri Dec 10 05:15:47 2010 > New Revision: 216346 > URL: http://svn.freebsd.org/changeset/base/216346 > > Log: > MFC r206494 by luigi: > fix a buffer overflow with large (100k+) number of input lines. > > Approved by: re (bz) > > Modified: > stable/8/sbin/ipfw/main.c > Directory Properties: > stable/8/sbin/ipfw/ (props changed) > > Modified: stable/8/sbin/ipfw/main.c > ============================================================================== > --- stable/8/sbin/ipfw/main.c Fri Dec 10 00:53:16 2010 (r216345) > +++ stable/8/sbin/ipfw/main.c Fri Dec 10 05:15:47 2010 (r216346) 
> @@ -553,11 +553,11 @@ ipfw_readfile(int ac, char *av[]) > } > > while (fgets(buf, BUFSIZ, f)) { /* read commands */ > - char linename[10]; > + char linename[20]; > char *args[2]; > > lineno++; > - sprintf(linename, "Line %d", lineno); > + snprintf(linename, sizeof(linename), "Line %d", lineno); > setprogname(linename); /* XXX */ > args[0] = progname; > args[1] = buf; From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 10:37:53 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A73D1106566B; Fri, 10 Dec 2010 10:37:53 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 5E7368FC0A; Fri, 10 Dec 2010 10:37:53 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAAbrEJ071068; Fri, 10 Dec 2010 10:37:53 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAAbrGB071066; Fri, 10 Dec 2010 10:37:53 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201012101037.oBAAbrGB071066@svn.freebsd.org> 
From: Konstantin Belousov Date: Fri, 10 Dec 2010 10:37:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216352 - stable/8/sys/sys X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 10:37:53 -0000 Author: kib Date: Fri Dec 10 10:37:53 2010 New Revision: 216352 URL: http://svn.freebsd.org/changeset/base/216352 Log: MFC r216149: Add SLIST_SWAP() macro. Approved by: re (bz) Modified: stable/8/sys/sys/queue.h Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/sys/queue.h ============================================================================== --- stable/8/sys/sys/queue.h Fri Dec 10 08:53:06 2010 (r216351) +++ stable/8/sys/sys/queue.h Fri Dec 10 10:37:53 2010 (r216352) 
@@ -213,6 +213,12 @@ struct { \ SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \ } while (0) +#define SLIST_SWAP(head1, head2, type) do { \ + struct type *swap_first = SLIST_FIRST(head1); \ + SLIST_FIRST(head1) = SLIST_FIRST(head2); \ + SLIST_FIRST(head2) = swap_first; \ +} while (0) + /* * Singly-linked Tail queue declarations. */ From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 10:48:54 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D87C2106566C; Fri, 10 Dec 2010 10:48:54 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C67368FC13; Fri, 10 Dec 2010 10:48:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAAmsJE071365; Fri, 10 Dec 2010 10:48:54 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAAms6w071363; Fri, 10 Dec 2010 10:48:54 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201012101048.oBAAms6w071363@svn.freebsd.org> 
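Review bot: SLIST_SWAP passes head1 and head2 to SLIST_FIRST() bare, while the macro directly above it in this hunk writes SLIST_FIRST((head)) with the argument parenthesized; the new macro should follow the same convention. It also declares a local named swap_first inside the do/while block, which shadows any caller variable of that name that appears in the head1 or head2 expressions, so a less collision-prone name would be safer. The third parameter is a struct tag rather than a field name as in the neighbouring macros, and the commit touches only queue.h, so a comment here or a matching manual page entry describing the arguments is missing.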
From: Konstantin Belousov Date: Fri, 10 Dec 2010 10:48:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216353 - stable/8/sys/kern X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 10:48:55 -0000 Author: kib Date: Fri Dec 10 10:48:54 2010 New Revision: 216353 URL: http://svn.freebsd.org/changeset/base/216353 Log: MFC r216150, r216158: If unix socket has a unix socket attached as the rights that has a unix socket attached as the rights that has a unix socket attached as the rights ... Kernel may overflow the stack on attempt to close such socket. Only close the rights file in the context of the current close if the file is not unix domain socket. Otherwise, postpone the work to taskqueue, preventing unlimited recursion. Approved by: re (bz) Modified: stable/8/sys/kern/uipc_usrreq.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/kern/uipc_usrreq.c ============================================================================== --- stable/8/sys/kern/uipc_usrreq.c Fri Dec 10 10:37:53 2010 (r216352) +++ stable/8/sys/kern/uipc_usrreq.c Fri Dec 10 10:48:54 2010 (r216353) @@ -75,6 +75,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include 
@@ -113,6 +114,13 @@ static int unp_rights; /* (g) File desc static struct unp_head unp_shead; /* (l) List of stream sockets. */ static struct unp_head unp_dhead; /* (l) List of datagram sockets. */ +struct unp_defer { + SLIST_ENTRY(unp_defer) ud_link; + struct file *ud_fp; +}; +static SLIST_HEAD(, unp_defer) unp_defers; +static int unp_defers_count; + static const struct sockaddr sun_noname = { sizeof(sun_noname), AF_LOCAL }; /* @@ -124,6 +132,13 @@ static const struct sockaddr sun_noname static struct task unp_gc_task; /* + * The close of unix domain sockets attached as SCM_RIGHTS is + * postponed to the taskqueue, to avoid arbitrary recursion depth. + * The attached sockets might have another sockets attached. + */ +static struct task unp_defer_task; + +/* * Both send and receive buffers are allocated PIPSIZ bytes of buffering for * stream sockets, although the total for sender and receiver is actually * only PIPSIZ. @@ -152,8 +167,11 @@ SYSCTL_ULONG(_net_local_dgram, OID_AUTO, &unpdg_sendspace, 0, "Default datagram send space."); SYSCTL_ULONG(_net_local_dgram, OID_AUTO, recvspace, CTLFLAG_RW, &unpdg_recvspace, 0, "Default datagram receive space."); -SYSCTL_INT(_net_local, OID_AUTO, inflight, CTLFLAG_RD, &unp_rights, 0, +SYSCTL_INT(_net_local, OID_AUTO, inflight, CTLFLAG_RD, &unp_rights, 0, "File descriptors in flight."); +SYSCTL_INT(_net_local, OID_AUTO, deferred, CTLFLAG_RD, + &unp_defers_count, 0, + "File descriptors deferred to taskqueue for close."); /*- * Locking and synchronization: @@ -203,6 +221,7 @@ SYSCTL_INT(_net_local, OID_AUTO, infligh */ static struct rwlock unp_link_rwlock; static struct mtx unp_list_lock; +static struct mtx unp_defers_lock; #define UNP_LINK_LOCK_INIT() rw_init(&unp_link_rwlock, \ "unp_link_rwlock") 
@@ -224,6 +243,11 @@ static struct mtx unp_list_lock; #define UNP_LIST_LOCK() mtx_lock(&unp_list_lock) #define UNP_LIST_UNLOCK() mtx_unlock(&unp_list_lock) +#define UNP_DEFERRED_LOCK_INIT() mtx_init(&unp_defers_lock, \ + "unp_defer", NULL, MTX_DEF) +#define UNP_DEFERRED_LOCK() mtx_lock(&unp_defers_lock) +#define UNP_DEFERRED_UNLOCK() mtx_unlock(&unp_defers_lock) + #define UNP_PCB_LOCK_INIT(unp) mtx_init(&(unp)->unp_mtx, \ "unp_mtx", "unp_mtx", \ MTX_DUPOK|MTX_DEF|MTX_RECURSE) @@ -249,8 +273,9 @@ static void unp_init(void); static int unp_internalize(struct mbuf **, struct thread *); static void unp_internalize_fp(struct file *); static int unp_externalize(struct mbuf *, struct mbuf **); -static void unp_externalize_fp(struct file *); +static int unp_externalize_fp(struct file *); static struct mbuf *unp_addsockcred(struct thread *, struct mbuf *); +static void unp_process_defers(void * __unused, int); /* * Definitions of protocols supported in the LOCAL domain. @@ -1658,9 +1683,12 @@ unp_init(void) NULL, EVENTHANDLER_PRI_ANY); LIST_INIT(&unp_dhead); LIST_INIT(&unp_shead); + SLIST_INIT(&unp_defers); TASK_INIT(&unp_gc_task, 0, unp_gc, NULL); + TASK_INIT(&unp_defer_task, 0, unp_process_defers, NULL); UNP_LINK_LOCK_INIT(); UNP_LIST_LOCK_INIT(); + UNP_DEFERRED_LOCK_INIT(); } static int 
@@ -1864,9 +1892,45 @@ fptounp(struct file *fp) static void unp_discard(struct file *fp) { + struct unp_defer *dr; + + if (unp_externalize_fp(fp)) { + dr = malloc(sizeof(*dr), M_TEMP, M_WAITOK); + dr->ud_fp = fp; + UNP_DEFERRED_LOCK(); + SLIST_INSERT_HEAD(&unp_defers, dr, ud_link); + UNP_DEFERRED_UNLOCK(); + atomic_add_int(&unp_defers_count, 1); + taskqueue_enqueue(taskqueue_thread, &unp_defer_task); + } else + (void) closef(fp, (struct thread *)NULL); +} + +static void +unp_process_defers(void *arg __unused, int pending) +{ + struct unp_defer *dr; + SLIST_HEAD(, unp_defer) drl; + int count; - unp_externalize_fp(fp); - (void) closef(fp, (struct thread *)NULL); + SLIST_INIT(&drl); + for (;;) { + UNP_DEFERRED_LOCK(); + if (SLIST_FIRST(&unp_defers) == NULL) { + UNP_DEFERRED_UNLOCK(); + break; + } + SLIST_SWAP(&unp_defers, &drl, unp_defer); + UNP_DEFERRED_UNLOCK(); + count = 0; + while ((dr = SLIST_FIRST(&drl)) != NULL) { + SLIST_REMOVE_HEAD(&drl, ud_link); + closef(dr->ud_fp, NULL); + free(dr, M_TEMP); + count++; + } + atomic_add_int(&unp_defers_count, -count); + } } static void 
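Review bot: In unp_discard() the counter is updated after the entry is already visible to the consumer: SLIST_INSERT_HEAD() runs under UNP_DEFERRED_LOCK(), the lock is dropped, and only then does atomic_add_int(&unp_defers_count, 1) execute. If unp_process_defers() is already running from an earlier enqueue, it can swap the list, close the file and subtract its count before this increment lands, so net.local.deferred can briefly read negative. Incrementing before the insert, or under the same lock, keeps the sysctl consistent with the list. In unp_process_defers() the pending argument is unused and could carry __unused as arg does.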
@@ -1884,16 +1948,21 @@ unp_internalize_fp(struct file *fp) UNP_LINK_WUNLOCK(); } -static void +static int unp_externalize_fp(struct file *fp) { struct unpcb *unp; + int ret; UNP_LINK_WLOCK(); - if ((unp = fptounp(fp)) != NULL) + if ((unp = fptounp(fp)) != NULL) { unp->unp_msgcount--; + ret = 1; + } else + ret = 0; unp_rights--; UNP_LINK_WUNLOCK(); + return (ret); } /* From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 11:03:00 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 58D5E106566C; Fri, 10 Dec 2010 11:03:00 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 2C7058FC08; Fri, 10 Dec 2010 11:03:00 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAB30oJ071712; Fri, 10 Dec 2010 11:03:00 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAB30g9071710; Fri, 10 Dec 2010 11:03:00 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201012101103.oBAB30g9071710@svn.freebsd.org> 
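Review bot: unp_externalize_fp() changes from void to int without any comment saying what the value means; from the body it is 1 when fptounp() finds a unix domain socket and 0 otherwise, and unp_discard() relies on that to choose between deferring and closing directly. A one-line comment above the function stating the contract would keep the function name, which still reads as a pure bookkeeping step, from misleading the next caller.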
From: Konstantin Belousov Date: Fri, 10 Dec 2010 11:03:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216354 - stable/8/tools/regression/sockets/unix_gc X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 11:03:00 -0000 Author: kib Date: Fri Dec 10 11:02:59 2010 New Revision: 216354 URL: http://svn.freebsd.org/changeset/base/216354 Log: MFC r216151: Extend the unix gc regression test to cover the case of r216150. Approved by: re (bz) Modified: stable/8/tools/regression/sockets/unix_gc/unix_gc.c Directory Properties: stable/8/tools/regression/sockets/unix_gc/ (props changed) Modified: stable/8/tools/regression/sockets/unix_gc/unix_gc.c ============================================================================== --- stable/8/tools/regression/sockets/unix_gc/unix_gc.c Fri Dec 10 10:48:54 2010 (r216353) +++ stable/8/tools/regression/sockets/unix_gc/unix_gc.c Fri Dec 10 11:02:59 2010 (r216354) 
@@ -55,27 +55,36 @@ static char dpath[PATH_MAX]; static const char *test; static int -getopenfiles(void) +getsysctl(const char *name) { size_t len; int i; len = sizeof(i); - if (sysctlbyname("kern.openfiles", &i, &len, NULL, 0) < 0) - err(-1, "kern.openfiles"); + if (sysctlbyname(name, &i, &len, NULL, 0) < 0) + err(-1, "%s", name); return (i); } static int +getopenfiles(void) +{ + + return (getsysctl("kern.openfiles")); +} + +static int getinflight(void) { - size_t len; - int i; - len = sizeof(i); - if (sysctlbyname("net.local.inflight", &i, &len, NULL, 0) < 0) - err(-1, "net.local.inflight"); - return (i); + return (getsysctl("net.local.inflight")); +} + +static int +getdeferred(void) +{ + + return (getsysctl("net.local.deferred")); } static void @@ -707,6 +716,40 @@ listen_connect_drop(void) test_sysctls(inflight, openfiles); } +static void +recursion(void) +{ + int fd[2], ff[2]; + int inflight, openfiles, deferred, deferred1; + + test = "recursion"; + printf("%s\n", test); + save_sysctls(&inflight, &openfiles); + deferred = getdeferred(); + + my_socketpair(fd); + + for (;;) { + if (socketpair(PF_UNIX, SOCK_STREAM, 0, ff) == -1) { + if (errno == EMFILE || errno == ENFILE) + break; + err(-1, "socketpair"); + } + sendfd(ff[0], fd[0]); + sendfd(ff[0], fd[1]); + close2(fd[1], fd[0]); + fd[0] = ff[0]; + fd[1] = ff[1]; + } + close2(fd[0], fd[1]); + sleep(1); + test_sysctls(inflight, openfiles); + deferred1 = getdeferred(); + if (deferred != deferred1) + errx(-1, "recursion: deferred before %d after %d", deferred, + deferred1); +} + #define RMDIR "rm -Rf " int main(int argc, char *argv[]) 
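Review bot: recursion() waits for the deferred closes with a fixed sleep(1) before test_sysctls() and the getdeferred() comparison, so on a loaded machine the taskqueue may not have drained yet and the test fails spuriously. Polling getdeferred() until it returns to the saved value, with a bounded number of retries, would make the check independent of timing. The loop ends only on EMFILE or ENFILE, so the depth of the chain depends on the descriptor limits of the environment; printing the depth reached would make results comparable between runs.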
@@ -757,6 +800,8 @@ main(int argc, char *argv[]) listen_connect_nothing(); listen_connect_drop(); + recursion(); + printf("Finish: inflight %d open %d\n", getinflight(), getopenfiles()); return (0); From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 14:06:51 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 414F11065675; Fri, 10 Dec 2010 14:06:51 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 302548FC16; Fri, 10 Dec 2010 14:06:51 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAE6pgL076191; Fri, 10 Dec 2010 14:06:51 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAE6pw4076189; Fri, 10 Dec 2010 14:06:51 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201012101406.oBAE6pw4076189@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Fri, 10 Dec 2010 14:06:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216356 - stable/8/sys/netinet X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 14:06:51 -0000 Author: bz Date: Fri Dec 10 14:06:50 2010 New Revision: 216356 URL: http://svn.freebsd.org/changeset/base/216356 Log: MFC r216192: Use correct field to track statistics counting error as bad header length. This assimilates the code to what ip_input has been doing since r1.1 in this case. Submitted by: Rozhuk Ivan (rozhuk.im gmail.com) Approved by: re (kib) Modified: stable/8/sys/netinet/ip_fastfwd.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/netinet/ip_fastfwd.c ============================================================================== --- stable/8/sys/netinet/ip_fastfwd.c Fri Dec 10 14:04:41 2010 (r216355) +++ stable/8/sys/netinet/ip_fastfwd.c Fri Dec 10 14:06:50 2010 (r216356) 
@@ -218,7 +218,7 @@ ip_fastforward(struct mbuf *m) */ hlen = ip->ip_hl << 2; if (hlen < sizeof(struct ip)) { /* minimum header length */ - IPSTAT_INC(ips_badlen); + IPSTAT_INC(ips_badhlen); goto drop; } if (hlen > m->m_len) { From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 14:07:09 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7EF0E10656A3; Fri, 10 Dec 2010 14:07:09 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3B35A8FC29; Fri, 10 Dec 2010 14:07:09 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAE79Gl076236; Fri, 10 Dec 2010 14:07:09 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAE79Qn076234; Fri, 10 Dec 2010 14:07:09 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201012101407.oBAE79Qn076234@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Fri, 10 Dec 2010 14:07:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216357 - stable/7/sys/netinet X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 14:07:09 -0000 Author: bz Date: Fri Dec 10 14:07:08 2010 New Revision: 216357 URL: http://svn.freebsd.org/changeset/base/216357 Log: MFC r216192: Use correct field to track statistics counting error as bad header length. This assimilates the code to what ip_input has been doing since r1.1 in this case. Submitted by: Rozhuk Ivan (rozhuk.im gmail.com) Approved by: re (kib) Modified: stable/7/sys/netinet/ip_fastfwd.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/netinet/ip_fastfwd.c ============================================================================== --- stable/7/sys/netinet/ip_fastfwd.c Fri Dec 10 14:06:50 2010 (r216356) +++ stable/7/sys/netinet/ip_fastfwd.c Fri Dec 10 14:07:08 2010 (r216357) 
@@ -215,7 +215,7 @@ ip_fastforward(struct mbuf *m) */ hlen = ip->ip_hl << 2; if (hlen < sizeof(struct ip)) { /* minimum header length */ - ipstat.ips_badlen++; + ipstat.ips_badhlen++; goto drop; } if (hlen > m->m_len) { From owner-svn-src-stable@FreeBSD.ORG Fri Dec 10 15:37:55 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2E6C61065697; Fri, 10 Dec 2010 15:37:55 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 02EFB8FC21; Fri, 10 Dec 2010 15:37:55 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oBAFbsQA078494; Fri, 10 Dec 2010 15:37:54 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oBAFbsAC078492; Fri, 10 Dec 2010 15:37:54 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201012101537.oBAFbsAC078492@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Fri, 10 Dec 2010 15:37:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216359 - stable/8/sys/netinet6 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2010 15:37:55 -0000 Author: bz Date: Fri Dec 10 15:37:54 2010 New Revision: 216359 URL: http://svn.freebsd.org/changeset/base/216359 Log: MFC r216277: Loosen the locking in nd6-free() again after r216022 (r216118 in stable/8) to avoid a LOR and a recursed lock. Reported by: delphij Tested by: delphij PR: kern/148857 Approved by: re (kib) Modified: stable/8/sys/netinet6/nd6.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/netinet6/nd6.c ============================================================================== --- stable/8/sys/netinet6/nd6.c Fri Dec 10 15:05:49 2010 (r216358) +++ stable/8/sys/netinet6/nd6.c Fri Dec 10 15:37:54 2010 (r216359) @@ -1049,15 +1049,6 @@ nd6_free(struct llentry *ln, int gc) return (next); } - if (ln->ln_router || dr) { - /* - * rt6_flush must be called whether or not the neighbor - * is in the Default Router List. - * See a corresponding comment in nd6_na_input(). - */ - rt6_flush(&L3_ADDR_SIN6(ln)->sin6_addr, ifp); - } - if (dr) { /* * Unreachablity of a router might affect the default 
@@ -1073,8 +1064,28 @@ nd6_free(struct llentry *ln, int gc) * or the entry itself will be deleted. */ ln->ln_state = ND6_LLINFO_INCOMPLETE; + } + + if (ln->ln_router || dr) { /* + * We need to unlock to avoid a LOR with rt6_flush() with the + * rnh and for the calls to pfxlist_onlink_check() and + * defrouter_select() in the block further down for calls + * into nd6_lookup(). We still hold a ref. + */ + LLE_WUNLOCK(ln); + + /* + * rt6_flush must be called whether or not the neighbor + * is in the Default Router List. + * See a corresponding comment in nd6_na_input(). + */ + rt6_flush(&L3_ADDR_SIN6(ln)->sin6_addr, ifp); + } + + if (dr) { + /* * Since defrouter_select() does not affect the * on-link determination and MIP6 needs the check * before the default router selection, we perform 
@@ -1083,13 +1094,13 @@ nd6_free(struct llentry *ln, int gc) pfxlist_onlink_check(); /* - * Refresh default router list. Have to unlock as - * it calls into nd6_lookup(), still holding a ref. + * Refresh default router list. */ - LLE_WUNLOCK(ln); defrouter_select(); - LLE_WLOCK(ln); } + + if (ln->ln_router || dr) + LLE_WLOCK(ln); } /*
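Review bot: In the nd6_free() hunk at -1073,8 +1064,28, rt6_flush() is handed &L3_ADDR_SIN6(ln)->sin6_addr after LLE_WUNLOCK(ln), so the address is read out of the entry while only the held reference protects it. Either state in the comment that the reference is what makes this read safe, or copy sin6_addr into a local struct in6_addr before unlocking and pass the copy. The new comment also folds two reasons into one sentence ("a LOR with rt6_flush() with the rnh and for the calls to ... for calls into nd6_lookup()"); one sentence per reason would make the lock-order requirement easier to audit.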
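Review bot: In the nd6_free() hunk at -1083,13 +1094,13, the relock re-evaluates "ln->ln_router || dr" after the write lock has been dropped, so the unlock and relock decisions can disagree if ln_router is updated while the entry is unlocked. If the flag is cleared in that window (with dr NULL) the function continues with ln unlocked; if it is set in that window, LLE_WLOCK(ln) is taken on a lock that was never released, which is the recursed lock the log message sets out to avoid. Suggest recording the decision in a local when LLE_WUNLOCK(ln) is called and testing that local before LLE_WLOCK(ln).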
From: Jack F Vogel
Date: Fri, 10 Dec 2010 22:59:09 +0000 (UTC)
Subject: svn commit: r216366 - stable/8/sys/dev/ixgbe

Author: jfv
Date: Fri Dec 10 22:59:09 2010
New Revision: 216366
URL: http://svn.freebsd.org/changeset/base/216366

Log:
  Remove bogus logic in the TX path, when using VLANs and HW_TAGGING
  in IPv6 the tag is not yet in the frame, and thus an ICMP6 packet
  fails this condition and does not get sent.

  Approved by: re

Modified:
  stable/8/sys/dev/ixgbe/ixgbe.c

Modified: stable/8/sys/dev/ixgbe/ixgbe.c ============================================================================== --- stable/8/sys/dev/ixgbe/ixgbe.c Fri Dec 10 22:22:01 2010 (r216365) +++ stable/8/sys/dev/ixgbe/ixgbe.c Fri Dec 10 22:59:09 2010 (r216366) @@ -46,7 +46,7 @@ int ixgbe_display_debug_stat /********************************************************************* * Driver version *********************************************************************/ -char ixgbe_driver_version[] = "2.3.6"; +char ixgbe_driver_version[] = "2.3.7"; /********************************************************************* * PCI Device ID Table
@@ -3023,16 +3023,12 @@ ixgbe_tx_ctx_setup(struct tx_ring *txr, case ETHERTYPE_IP: ip = (struct ip *)(mp->m_data + ehdrlen); ip_hlen = ip->ip_hl << 2; - if (mp->m_len < ehdrlen + ip_hlen) - return (FALSE); ipproto = ip->ip_p; type_tucmd_mlhl |= IXGBE_ADVTXD_TUCMD_IPV4; break; case ETHERTYPE_IPV6: ip6 = (struct ip6_hdr *)(mp->m_data + ehdrlen); ip_hlen = sizeof(struct ip6_hdr); - if (mp->m_len < ehdrlen + ip_hlen) - return (FALSE); ipproto = ip6->ip6_nxt; type_tucmd_mlhl |= IXGBE_ADVTXD_TUCMD_IPV6; break;
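Review bot: In the ixgbe_tx_ctx_setup() hunk at -3023,16 +3023,12, the two removed tests (mp->m_len < ehdrlen + ip_hlen) were the only visible check that the first mbuf actually contains the IP header before ip->ip_p and ip6->ip6_nxt are read from mp->m_data + ehdrlen. The log describes a failure only for IPv6 with VLAN hardware tagging, where the tag is not yet in the frame, which suggests the ehdrlen used in the comparison is too large in that case; correcting that length would fix the dropped ICMP6 packets and keep the bounds check. If the checks do go, the ETHERTYPE_IP case needs its own justification, since ip_hlen there is taken from the packet's ip_hl field and nothing in this hunk compares it against m_len any more.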
From: Martin Matuska
Date: Sat, 11 Dec 2010 23:48:10 +0000 (UTC)
Subject: svn commit: r216386 - stable/8/cddl/contrib/opensolaris/lib/libzfs/common

Author: mm
Date: Sat Dec 11 23:48:10 2010
New Revision: 216386
URL: http://svn.freebsd.org/changeset/base/216386

Log:
  MFC r216291, r216293:

  MFC r216291:
  Do not print OpenSolaris hint to use (non-existing) installgrub(1) command
  if creating a mirror by attaching a new vdev to a root pool.

  MFC r216293:
  Print message with information about updating the boot code if a new vdev
  is attached to a root pool (e.g. when creating a mirrored boot pool).

  Reported by: James R. Van Artsdalen (on freebsd-fs@freebsd.org)
  Reviewed by: pjd
  Approved by: re (kib), delphij (mentor)

Modified:
  stable/8/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_pool.c
Directory Properties:
  stable/8/cddl/contrib/opensolaris/ (props changed)

Modified: stable/8/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_pool.c ============================================================================== --- stable/8/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_pool.c Sat Dec 11 22:33:33 2010 (r216385) +++ stable/8/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_pool.c Sat Dec 11 23:48:10 2010 (r216386)
@@ -48,11 +48,13 @@ static int read_efi_label(nvlist_t *config, diskaddr_t *sb); +#ifdef sun #if defined(__i386) || defined(__amd64) #define BOOTCMD "installgrub(1M)" #else #define BOOTCMD "installboot(1M)" #endif +#endif /* sun */ /* * ==================================================================== @@ -1889,14 +1891,15 @@ zpool_vdev_attach(zpool_handle_t *zhp, if (ret == 0) { if (rootpool) { - /* - * XXX - This should be removed once we can - * automatically install the bootblocks on the - * newly attached disk. - */ - (void) fprintf(stderr, dgettext(TEXT_DOMAIN, "Please " - "be sure to invoke %s to make '%s' bootable.\n"), - BOOTCMD, new_disk); + (void) fprintf(stderr, dgettext(TEXT_DOMAIN, "If " + "you boot from pool '%s', you may need to update\n" + "boot code on newly attached disk '%s'.\n\n" + "Assuming you use GPT partitioning and 'da0' is " + "your new boot disk\n" + "you may use the following command:\n\n" + "\tgpart bootcode -b /boot/pmbr -p " + "/boot/gptzfsboot -i 1 da0\n\n"), + zhp->zpool_name, new_disk); } return (0); }
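Review bot: In the hunk at -48,11 +48,13, BOOTCMD is now defined only under #ifdef sun, while its one visible use in zpool_vdev_attach() is deleted outright in the next hunk instead of being guarded the same way, so the macro has no user left in what this diff shows. Either keep the original installgrub/installboot message under #ifdef sun with the new text in the #else branch, which keeps the vendor code path intact for future merges, or drop the BOOTCMD block altogether.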
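Review bot: In the zpool_vdev_attach() hunk at -1889,14 +1891,15, the new message prints a ready-to-paste gpart command with 'da0' and '-i 1' hard-coded, even though new_disk is available and is printed earlier in the same message. An operator who copies the line as shown writes boot code to partition index 1 of da0, which need not be the disk that was just attached. Suggest wording the device and index as explicit placeholders in the command text, or deriving the disk name from new_disk, so the hint cannot be run unchanged against the wrong device.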