From 0f66aced2640d964aeb6db41210711ba0640d7f2 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 7 Jan 2010 21:52:12 +0000 Subject: [PATCH] 2834. [bug] HMAC-SHA* keys that were longer than the algorithm digest length were used incorrectly, leading to interoperability problems with other DNS implementations. This has been corrected. (Note: If an oversize key is in use, and compatibility is needed with an older release of BIND, the new tool "isc-hmac-fixup" can convert the key secret to a form that will work with all versions.) [RT #20751] --- CHANGES | 10 + bin/tools/.cvsignore | 1 + bin/tools/Makefile.in | 19 +- bin/tools/isc-hmac-fixup.8 | 59 +++++ bin/tools/isc-hmac-fixup.c | 148 +++++++++++ bin/tools/isc-hmac-fixup.docbook | 109 +++++++++ bin/tools/isc-hmac-fixup.html | 83 +++++++ bin/tools/win32/ischmacfix.dsp | 103 ++++++++ bin/tools/win32/ischmacfix.dsw | 29 +++ bin/tools/win32/ischmacfix.mak | 299 +++++++++++++++++++++++ bin/tools/win32/journalprint.mak | 2 +- bin/win32/BINDInstall/BINDInstallDlg.cpp | 3 +- doc/arm/Bv9ARM-book.xml | 3 +- doc/arm/man.isc-hmac-fixup.html | 122 +++++++++ lib/dns/hmac_link.c | 144 +++++------ lib/isc/include/isc/md5.h | 3 +- util/copyrights | 7 + win32utils/BINDBuild.dsw | 15 ++ win32utils/BuildAll.bat | 1 + 19 files changed, 1080 insertions(+), 80 deletions(-) create mode 100644 bin/tools/isc-hmac-fixup.8 create mode 100644 bin/tools/isc-hmac-fixup.c create mode 100644 bin/tools/isc-hmac-fixup.docbook create mode 100644 bin/tools/isc-hmac-fixup.html create mode 100644 bin/tools/win32/ischmacfix.dsp create mode 100644 bin/tools/win32/ischmacfix.dsw create mode 100644 bin/tools/win32/ischmacfix.mak create mode 100644 doc/arm/man.isc-hmac-fixup.html diff --git a/CHANGES b/CHANGES index 97b1f3c460..ec775f0aa3 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,13 @@ +2834. [bug] HMAC-SHA* keys that were longer than the algorithm + digest length were used incorrectly, leading to + interoperability problems with other DNS + implementations. This has been corrected. + (Note: If an oversize key is in use, and + compatibility is needed with an older release of + BIND, the new tool "isc-hmac-fixup" can convert + the key secret to a form that will work with all + versions.) [RT #20751] + 2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. [RT #20851] diff --git a/bin/tools/.cvsignore b/bin/tools/.cvsignore index 57bf418d28..5bdc2913b5 100644 --- a/bin/tools/.cvsignore +++ b/bin/tools/.cvsignore @@ -1,5 +1,6 @@ Makefile arpaname genrandom +isc-hmac-fixup named-journalprint nsec3hash diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in index 6e1cab4c0d..ec8ee88c62 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.11 2009/12/05 23:31:40 each Exp $ +# $Id: Makefile.in,v 1.12 2010/01/07 21:52:11 each Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -43,12 +43,14 @@ NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@ SUBDIRS = TARGETS = arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \ - genrandom@EXEEXT@ -SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c + genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@ +SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c \ + isc-hmac-fixup.c -MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 +MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \ + isc-hmac-fixup.8 HTMLPAGES = arpaname.html named-journalprint.html nsec3hash.html \ - genrandom.html + genrandom.html isc-hmac-fixup.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ 
@@ -67,6 +69,11 @@ nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} export LIBS0="${DNSLIBS}"; \ ${FINALBUILDCMD} +isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS} + export BASEOBJS="isc-hmac-fixup.@O@"; \ + export LIBS0="${ISCLIBS}"; \ + ${FINALBUILDCMD} + genrandom@EXEEXT@: genrandom.@O@ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS} @@ -85,7 +92,9 @@ install:: ${TARGETS} installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir} ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 + ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 diff --git a/bin/tools/isc-hmac-fixup.8 b/bin/tools/isc-hmac-fixup.8 new file mode 100644 index 0000000000..88798e88d3 --- /dev/null +++ b/bin/tools/isc-hmac-fixup.8 
@@ -0,0 +1,59 @@ +.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and/or distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: isc-hmac-fixup.8,v 1.1 2010/01/07 21:52:11 each Exp $ +.\" +.hy 0 +.ad l +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "ISC-HMAC-FIXUP" 1 "January 5, 2010" "" "" +.SH NAME +isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND +.SH "SYNOPSIS" +.HP 15 +\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR} +.SH "DESCRIPTION" +.PP +Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations\&. +.PP +This bug has been fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&. 
\fBisc\-hmac\-fixup\fR modifies those keys to restore compatibility\&. +.PP +To modify a key, run \fBisc\-hmac\-fixup\fR and specify the key's algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.) +.SH "SECURITY CONSIDERATIONS" +.PP +Secrets that have been converted by \fBisc\-hmac\-fixup\fR are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&." +.SH "SEE ALSO" +.PP + BIND 9 Administrator Reference Manual, RFC 2104\&. +.SH "AUTHOR" +.PP +Internet Systems Consortium diff --git a/bin/tools/isc-hmac-fixup.c b/bin/tools/isc-hmac-fixup.c new file mode 100644 index 0000000000..0e506dbb5b --- /dev/null +++ b/bin/tools/isc-hmac-fixup.c 
@@ -0,0 +1,148 @@
+/*
+ * Portions Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define HMAC_LEN 64
+
+int
+main(int argc, char **argv) {
+ isc_buffer_t buf;
+ unsigned char key[1024];
+ char secret[1024];
+ char base64[(1024*4)/3];
+ isc_region_t r;
+ isc_result_t result;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+ fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
+ "SHA256 | SHA384 | SHA512)\n");
+ return (1);
+ }
+
+ isc_buffer_init(&buf, secret, sizeof(secret));
+ result = isc_base64_decodestring(argv[2], &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ isc__buffer_usedregion(&buf, &r);
+
+ if (!strcasecmp(argv[1], "md5") ||
+ !strcasecmp(argv[1], "hmac-md5")) {
+ if (r.length > HMAC_LEN) {
+ isc_md5_t md5ctx;
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, key);
+
+ r.base = key;
+ r.length = ISC_MD5_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha1") ||
+ !strcasecmp(argv[1], "hmac-sha1")) {
+ if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ isc_sha1_t sha1ctx;
+ isc_sha1_init(&sha1ctx);
+ isc_sha1_update(&sha1ctx, r.base, r.length);
+ isc_sha1_final(&sha1ctx, key);
+
+ r.base = key;
+ r.length = ISC_SHA1_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha224") ||
+ !strcasecmp(argv[1], "hmac-sha224")) {
+ if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ isc_sha224_t sha224ctx;
+ isc_sha224_init(&sha224ctx);
+ isc_sha224_update(&sha224ctx, r.base, r.length);
+ isc_sha224_final(key, &sha224ctx);
+
+ r.base = key;
+ r.length = ISC_SHA224_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha256") ||
+ !strcasecmp(argv[1], "hmac-sha256")) {
+ if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ isc_sha256_t sha256ctx;
+ isc_sha256_init(&sha256ctx);
+ isc_sha256_update(&sha256ctx, r.base, r.length);
+ isc_sha256_final(key, &sha256ctx);
+
+ r.base = key;
+ r.length = ISC_SHA256_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha384") ||
+ !strcasecmp(argv[1], "hmac-sha384")) {
+ if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ isc_sha384_t sha384ctx;
+ isc_sha384_init(&sha384ctx);
+ isc_sha384_update(&sha384ctx, r.base, r.length);
+ isc_sha384_final(key, &sha384ctx);
+
+ r.base = key;
+ r.length = ISC_SHA384_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha512") ||
+ !strcasecmp(argv[1], "hmac-sha512")) {
+ if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ isc_sha512_t sha512ctx;
+ isc_sha512_init(&sha512ctx);
+ isc_sha512_update(&sha512ctx, r.base, r.length);
+ isc_sha512_final(key, &sha512ctx);
+
+ r.base = key;
+ r.length = ISC_SHA512_DIGESTLENGTH;
+ }
+ } else {
+ fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
+ return (1);
+ }
+
+ isc_buffer_init(&buf, base64, sizeof(base64));
+ result = isc_base64_totext(&r, 0, "", &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ fprintf(stdout, "%.*s\n", isc_buffer_usedlength(&buf), base64);
+ return (0);
+}
diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
new file mode 100644
index 0000000000..c298a85861
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.docbook
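Review bot: The TSIG secret is taken from `argv[2]` in `main` of isc-hmac-fixup.c, so while the tool runs the key is readable by other local users through the process list, and it is also left in shell history; accepting `-` to read the secret from stdin would keep it out of both, as sketched below. Separately, the SHA branches convert when `r.length` exceeds `ISC_SHA*_DIGESTLENGTH`, while the man page added in this commit gives the threshold as 64 or 128 bytes, so one of the two should be corrected to match, presumably the documentation. The final `fprintf` passes `isc_buffer_usedlength(&buf)` for `%.*s`, which expects an `int`; `(int)isc_buffer_usedlength(&buf)` makes the conversion explicit.

```c
	char input[2048];
	const char *encoded;
	/* … unchanged: other declarations and the argc check … */

	/* "-" reads the secret from stdin so it stays out of argv. */
	encoded = argv[2];
	if (strcmp(argv[2], "-") == 0) {
		if (fgets(input, sizeof(input), stdin) == NULL) {
			fprintf(stderr, "error: no secret on stdin\n");
			return (1);
		}
		input[strcspn(input, "\r\n")] = '\0';
		encoded = input;
	}

	isc_buffer_init(&buf, secret, sizeof(secret));
	result = isc_base64_decodestring(encoded, &buf);
	/* … unchanged: result check, per-algorithm hashing, base64 output … */
```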
@@ -0,0 +1,109 @@ +]> + + + + + + January 5, 2010 + + + + isc-hmac-fixup + 1 + BIND9 + + + + isc-hmac-fixup + fixes HMAC keys generated by older versions of BIND + + + + + 2010 + Internet Systems Consortium, Inc. ("ISC") + + + + + + isc-hmac-fixup + algorithm + secret + + + + + DESCRIPTION + + Versions of BIND 9 up to and including BIND 9.6 had a bug causing + HMAC-SHA* TSIG keys which were longer than the digest length of the + hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys + longer than 256 bits, etc) to be used incorrectly, generating a + message authentication code that was incompatible with other DNS + implementations. + + + This bug has been fixed in BIND 9.7. However, the fix may + cause incompatibility between older and newer versions of + BIND, when using long keys. isc-hmac-fixup + modifies those keys to restore compatibility. + + + To modify a key, run isc-hmac-fixup and + specify the key's algorithm and secret on the command line. If the + secret is longer than the digest length of the algorithm (64 bytes + for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a + new secret will be generated consisting of a hash digest of the old + secret. (If the secret did not require conversion, then it will be + printed without modification.) + + + + + SECURITY CONSIDERATIONS + + Secrets that have been converted by isc-hmac-fixup + are shortened, but as this is how the HMAC protocol works in + operation anyway, it does not affect security. RFC 2104 notes, + "Keys longer than [the digest length] are acceptable but the + extra length would not significantly increase the function + strength." + + + + + SEE ALSO + + BIND 9 Administrator Reference Manual, + RFC 2104. + + + + + AUTHOR + Internet Systems Consortium + + + + diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html new file mode 100644 index 0000000000..640c942421 --- /dev/null +++ b/bin/tools/isc-hmac-fixup.html 
@@ -0,0 +1,83 @@ + + + + + +isc-hmac-fixup + + +
+
+
+

Name

+

isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND

+
+
+

Synopsis

+

isc-hmac-fixup {algorithm} {secret}

+
+
+

DESCRIPTION

+

+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing + HMAC-SHA* TSIG keys which were longer than the digest length of the + hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys + longer than 256 bits, etc) to be used incorrectly, generating a + message authentication code that was incompatible with other DNS + implementations. +

+

+ This bug has been fixed in BIND 9.7. However, the fix may + cause incompatibility between older and newer versions of + BIND, when using long keys. isc-hmac-fixup + modifies those keys to restore compatibility. +

+

+ To modify a key, run isc-hmac-fixup and + specify the key's algorithm and secret on the command line. If the + secret is longer than the digest length of the algorithm (64 bytes + for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a + new secret will be generated consisting of a hash digest of the old + secret. (If the secret did not require conversion, then it will be + printed without modification.) +

+
+
+

SECURITY CONSIDERATIONS

+

+ Secrets that have been converted by isc-hmac-fixup + are shortened, but as this is how the HMAC protocol works in + operation anyway, it does not affect security. RFC 2104 notes, + "Keys longer than [the digest length] are acceptable but the + extra length would not significantly increase the function + strength." +

+
+
+

SEE ALSO

+

+ BIND 9 Administrator Reference Manual, + RFC 2104. +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+ diff --git a/bin/tools/win32/ischmacfix.dsp b/bin/tools/win32/ischmacfix.dsp new file mode 100644 index 0000000000..b4ff3f550d --- /dev/null +++ b/bin/tools/win32/ischmacfix.dsp 
@@ -0,0 +1,103 @@ +# Microsoft Developer Studio Project File - Name="ischmacfixup" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Console Application" 0x0103 + +CFG=ischmacfixup - Win32 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "ischmacfixup.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application") +!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +RSC=rc.exe + +!IF "$(CFG)" == "ischmacfixup - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE 
LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 +# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe" + +!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept +# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 
/out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept + +!ENDIF + +# Begin Target + +# Name "ischmacfixup - Win32 Release" +# Name "ischmacfixup - Win32 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE="..\isc-hmac-fixup.c" +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff --git a/bin/tools/win32/ischmacfix.dsw b/bin/tools/win32/ischmacfix.dsw new file mode 100644 index 0000000000..81d41f1c7f --- /dev/null +++ b/bin/tools/win32/ischmacfix.dsw @@ -0,0 +1,29 @@ +Microsoft Developer Studio Workspace File, Format Version 6.00 +# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE! + +############################################################################### + +Project: "ischmacfixup"=".\ischmacfixup.dsp" - Package Owner=<4> + +Package=<5> +{{{ +}}} + +Package=<4> +{{{ +}}} + +############################################################################### + +Global: + +Package=<5> +{{{ +}}} + +Package=<3> +{{{ +}}} + +############################################################################### + diff --git a/bin/tools/win32/ischmacfix.mak b/bin/tools/win32/ischmacfix.mak new file mode 100644 index 0000000000..df494952ea --- /dev/null +++ b/bin/tools/win32/ischmacfix.mak 
@@ -0,0 +1,299 @@ +# Microsoft Developer Studio Generated NMAKE File, Based on ischmacfixup.dsp +!IF "$(CFG)" == "" +CFG=ischmacfixup - Win32 Debug +!MESSAGE No configuration specified. Defaulting to ischmacfixup - Win32 Debug. +!ENDIF + +!IF "$(CFG)" != "ischmacfixup - Win32 Release" && "$(CFG)" != "ischmacfixup - Win32 Debug" +!MESSAGE Invalid configuration "$(CFG)" specified. +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application") +!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application") +!MESSAGE +!ERROR An invalid configuration is specified. +!ENDIF + +!IF "$(OS)" == "Windows_NT" +NULL= +!ELSE +NULL=nul +!ENDIF + +!IF "$(CFG)" == "ischmacfixup - Win32 Release" +_VC_MANIFEST_INC=0 +_VC_MANIFEST_BASENAME=__VC80 +!ELSE +_VC_MANIFEST_INC=1 +_VC_MANIFEST_BASENAME=__VC80.Debug +!ENDIF + +#################################################### +# Specifying name of temporary resource file used only in incremental builds: + +!if "$(_VC_MANIFEST_INC)" == "1" +_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res +!else +_VC_MANIFEST_AUTO_RES= +!endif + +#################################################### +# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE: + +!if "$(_VC_MANIFEST_INC)" == "1" + +#MT_SPECIAL_RETURN=1090650113 +#MT_SPECIAL_SWITCH=-notify_resource_update +MT_SPECIAL_RETURN=0 +MT_SPECIAL_SWITCH= +_VC_MANIFEST_EMBED_EXE= \ +if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \ +if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \ +rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \ +link $** /out:$@ $(LFLAGS) + +!else + +_VC_MANIFEST_EMBED_EXE= \ +if exist $@.manifest 
mt.exe -manifest $@.manifest -outputresource:$@;1 + +!endif + +#################################################### +# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL: + +!if "$(_VC_MANIFEST_INC)" == "1" + +#MT_SPECIAL_RETURN=1090650113 +#MT_SPECIAL_SWITCH=-notify_resource_update +MT_SPECIAL_RETURN=0 +MT_SPECIAL_SWITCH= +_VC_MANIFEST_EMBED_EXE= \ +if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \ +if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \ +rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \ +link $** /out:$@ $(LFLAGS) + +!else + +_VC_MANIFEST_EMBED_EXE= \ +if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2 + +!endif +#################################################### +# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily: + +!if "$(_VC_MANIFEST_INC)" == "1" + +_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \ + $(_VC_MANIFEST_BASENAME).auto.rc \ + $(_VC_MANIFEST_BASENAME).auto.manifest + +!else + +_VC_MANIFEST_CLEAN= + +!endif + +!IF "$(CFG)" == "ischmacfixup - Win32 Release" + +OUTDIR=.\Release +INTDIR=.\Release + +ALL : "..\..\..\Build\Release\isc-hmac-fixup.exe" + + +CLEAN : + -@erase "$(INTDIR)\isc-hmac-fixup.obj" + -@erase "$(INTDIR)\vc60.idb" + -@erase "..\..\..\Build\Release\isc-hmac-fixup.exe" + -@$(_VC_MANIFEST_CLEAN) + +"$(OUTDIR)" : + if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" + +CPP=cl.exe +CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\isc-hmac-fixup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c + +.c{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) 
$< +<< + +.c{$(INTDIR)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(INTDIR)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(INTDIR)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +RSC=rc.exe +BSC32=bscmake.exe +BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc" +BSC32_SBRS= \ + +LINK32=link.exe +LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe" +LINK32_OBJS= \ + "$(INTDIR)\isc-hmac-fixup.obj" + +"..\..\..\Build\Release\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) + $(LINK32) @<< + $(LINK32_FLAGS) $(LINK32_OBJS) +<< + $(_VC_MANIFEST_EMBED_EXE) + +!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug" + +OUTDIR=.\Debug +INTDIR=.\Debug +# Begin Custom Macros +OutDir=.\Debug +# End Custom Macros + +ALL : "..\..\..\Build\Debug\isc-hmac-fixup.exe" "$(OUTDIR)\isc-hmac-fixup.bsc" + + +CLEAN : + -@erase "$(INTDIR)\isc-hmac-fixup.obj" + -@erase "$(INTDIR)\isc-hmac-fixup.sbr" + -@erase "$(INTDIR)\vc60.idb" + -@erase "$(INTDIR)\vc60.pdb" + -@erase "$(OUTDIR)\isc-hmac-fixup.pdb" + -@erase "$(OUTDIR)\isc-hmac-fixup.bsc" + -@erase "..\..\..\Build\Debug\isc-hmac-fixup.exe" + -@erase "..\..\..\Build\Debug\isc-hmac-fixup.ilk" + -@$(_VC_MANIFEST_CLEAN) + +"$(OUTDIR)" : + if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" + +CPP=cl.exe +CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c + +.c{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(INTDIR)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.c{$(INTDIR)}.sbr:: + $(CPP) @<< + 
$(CPP_PROJ) $< +<< + +.cpp{$(INTDIR)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(INTDIR)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +RSC=rc.exe +BSC32=bscmake.exe +BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc" +BSC32_SBRS= \ + "$(INTDIR)\isc-hmac-fixup.sbr" + +"$(OUTDIR)\isc-hmac-fixup.bsc" : "$(OUTDIR)" $(BSC32_SBRS) + $(BSC32) @<< + $(BSC32_FLAGS) $(BSC32_SBRS) +<< + +LINK32=link.exe +LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept +LINK32_OBJS= \ + "$(INTDIR)\isc-hmac-fixup.obj" + +"..\..\..\Build\Debug\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) + $(LINK32) @<< + $(LINK32_FLAGS) $(LINK32_OBJS) +<< + $(_VC_MANIFEST_EMBED_EXE) + +!ENDIF + + +!IF "$(NO_EXTERNAL_DEPS)" != "1" +!IF EXISTS("isc-hmac-fixup.dep") +!INCLUDE "isc-hmac-fixup.dep" +!ELSE +!MESSAGE Warning: cannot find "isc-hmac-fixup.dep" +!ENDIF +!ENDIF + + +!IF "$(CFG)" == "ischmacfixup - Win32 Release" || "$(CFG)" == "ischmacfixup - Win32 Debug" +SOURCE="..\isc-hmac-fixup.c" + +!IF "$(CFG)" == "ischmacfixup - Win32 Release" + + +"$(INTDIR)\isc-hmac-fixup.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug" + + +"$(INTDIR)\isc-hmac-fixup.obj" "$(INTDIR)\isc-hmac-fixup.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ENDIF + +!ENDIF + +#################################################### +# Commands to generate initial empty manifest file and the RC file +# that references it, and for generating the .res file: + +$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc + +$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest + type <<$@ +#include +1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest" +<< KEEP + +$(_VC_MANIFEST_BASENAME).auto.manifest : + type <<$@ + + + +<< KEEP 
diff --git a/bin/tools/win32/journalprint.mak b/bin/tools/win32/journalprint.mak index 2988be2607..98ad8e90c5 100644 --- a/bin/tools/win32/journalprint.mak +++ b/bin/tools/win32/journalprint.mak @@ -271,7 +271,7 @@ SOURCE="..\named-journalprint.c" !ELSEIF "$(CFG)" == "journalprint - Win32 Debug" -"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)" +"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)" $(CPP) $(CPP_PROJ) $(SOURCE) diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 91bbfb9976..574b63a3bb 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.46 2009/12/04 21:59:23 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.47 2010/01/07 21:52:12 each Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -158,6 +158,7 @@ const FileData installFiles[] = {"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, {"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, {"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"isc-hmax-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, {"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, {"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, {"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 8620cdacd1..080189670c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -15673,6 +15673,7 @@ zone "example.com" { + 
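Review bot: The new `installFiles[]` entry names `isc-hmax-fixup.exe`, but every build file in this patch produces `isc-hmac-fixup.exe` (see the `/out:` settings in the .dsp and .mak), so the installer would look for a file that is never built. Depending on how the installer treats a missing source file (that code is outside the hunk), the key-conversion tool is either absent from Windows installs or the install step fails. The entry should read `{"isc-hmac-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},`. The array definition starts and ends outside the hunk.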
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html new file mode 100644 index 0000000000..25a3003e69 --- /dev/null +++ b/doc/arm/man.isc-hmac-fixup.html @@ -0,0 +1,122 @@ + + + + + +isc-hmac-fixup + + + + + + + + +
+
+
+

Name

+

isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND

+
+
+

Synopsis

+

isc-hmac-fixup {algorithm} {secret}

+
+
+

DESCRIPTION

+

+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing + HMAC-SHA* TSIG keys which were longer than the digest length of the + hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys + longer than 256 bits, etc) to be used incorrectly, generating a + message authentication code that was incompatible with other DNS + implementations. +

+

+ This bug has been fixed in BIND 9.7. However, the fix may + cause incompatibility between older and newer versions of + BIND, when using long keys. isc-hmac-fixup + modifies those keys to restore compatibility. +

+

+ To modify a key, run isc-hmac-fixup and + specify the key's algorithm and secret on the command line. If the + secret is longer than the digest length of the algorithm (64 bytes + for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a + new secret will be generated consisting of a hash digest of the old + secret. (If the secret did not require conversion, then it will be + printed without modification.) +

+
+
+

SECURITY CONSIDERATIONS

+

+ Secrets that have been converted by isc-hmac-fixup + are shortened, but as this is how the HMAC protocol works in + operation anyway, it does not affect security. RFC 2104 notes, + "Keys longer than [the digest length] are acceptable but the + extra length would not significantly increase the function + strength." +

+
+
+

SEE ALSO

+

+ BIND 9 Administrator Reference Manual, + RFC 2104. +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+ + + diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 70eb41bef9..6a529f551c 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: hmac_link.c,v 1.15 2009/10/24 09:46:19 fdupont Exp $ + * $Id: hmac_link.c,v 1.16 2010/01/07 21:52:12 each Exp $ */ #include @@ -50,14 +50,10 @@ #include "dst_internal.h" #include "dst_parse.h" -#define HMAC_LEN 64 -#define HMAC_IPAD 0x36 -#define HMAC_OPAD 0x5c - static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacmd5_key { - unsigned char key[HMAC_LEN]; + unsigned char key[ISC_MD5_BLOCK_LENGTH]; }; static isc_result_t @@ -79,7 +75,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) { hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); if (hmacmd5ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN); + isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; return (ISC_R_SUCCESS); } @@ -142,7 +138,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); 
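Review bot: `hmacmd5_createctx` and `hmacmd5_compare` size the MD5 key with `ISC_SHA1_BLOCK_LENGTH`, while `struct dst_hmacmd5_key` in the same file is declared with `ISC_MD5_BLOCK_LENGTH`, the constant this commit adds to md5.h. The code is only correct while the two constants stay equal (the md5.h hunk defines 64U; the SHA-1 value is not visible here), and anyone auditing the buffer bounds has to verify that by hand. Use the matching constant or the array size itself, e.g. `isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);` and `memcmp(hkey1->key, hkey2->key, sizeof(hkey1->key))`. The same substitution applies to `hmacmd5_generate` and `hmacmd5_fromdns` in the following hunks. Both function bodies extend outside their hunks.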
@@ -152,18 +148,18 @@ static isc_result_t hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA1_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA1_BLOCK_LENGTH) { + bytes = ISC_SHA1_BLOCK_LENGTH; + key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA1_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -172,7 +168,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacmd5_fromdns(key, &b); - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA1_BLOCK_LENGTH); return (ret); } @@ -186,6 +182,7 @@ hmacmd5_isprivate(const dst_key_t *key) { static void hmacmd5_destroy(dst_key_t *key) { dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5; + memset(hkey, 0, sizeof(dst_hmacmd5_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t)); key->keydata.hmacmd5 = NULL; @@ -225,7 +222,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > HMAC_LEN) { + if (r.length > ISC_SHA1_BLOCK_LENGTH) { isc_md5_init(&md5ctx); isc_md5_update(&md5ctx, r.base, r.length); isc_md5_final(&md5ctx, hkey->key); @@ -341,7 +338,7 @@ dst__hmacmd5_init(dst_func_t **funcp) { static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha1_key { - unsigned char key[ISC_SHA1_DIGESTLENGTH]; + unsigned char key[ISC_SHA1_BLOCK_LENGTH]; }; static isc_result_t 
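Review bot: The final `memset(data, 0, ISC_SHA1_BLOCK_LENGTH)` in `hmacmd5_generate` clears a stack buffer that is never read again before `return (ret)`, so an optimizing compiler may drop it as a dead store and leave the freshly generated secret on the stack. Wipe the buffer through something the compiler cannot elide, for example a loop over a `volatile unsigned char *` alias of `data`. The `if (ret != ISC_R_SUCCESS)` branch after `dst__entropy_getdata` presumably returns without any wipe (its body falls between the two hunks), so route that path through the same cleanup. The `hmacsha1_generate` through `hmacsha512_generate` hunks below have the same shape. The function starts outside the hunk.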
@@ -352,7 +349,7 @@ hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) { hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t)); if (hmacsha1ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH); + isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); dctx->ctxdata.hmacsha1ctx = hmacsha1ctx; return (ISC_R_SUCCESS); } @@ -415,7 +412,7 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); @@ -425,18 +422,18 @@ static isc_result_t hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA1_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA1_BLOCK_LENGTH) { + bytes = ISC_SHA1_BLOCK_LENGTH; + key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA1_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -445,7 +442,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacsha1_fromdns(key, &b); - memset(data, 0, ISC_SHA1_DIGESTLENGTH); + memset(data, 0, ISC_SHA1_BLOCK_LENGTH); return (ret); } @@ -459,6 +456,7 @@ hmacsha1_isprivate(const dst_key_t *key) { static void hmacsha1_destroy(dst_key_t *key) { dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1; + memset(hkey, 0, sizeof(dst_hmacsha1_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t)); key->keydata.hmacsha1 = NULL; 
@@ -498,7 +496,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA1_DIGESTLENGTH) { + if (r.length > ISC_SHA1_BLOCK_LENGTH) { isc_sha1_init(&sha1ctx); isc_sha1_update(&sha1ctx, r.base, r.length); isc_sha1_final(&sha1ctx, hkey->key); @@ -614,7 +612,7 @@ dst__hmacsha1_init(dst_func_t **funcp) { static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha224_key { - unsigned char key[ISC_SHA224_DIGESTLENGTH]; + unsigned char key[ISC_SHA224_BLOCK_LENGTH]; }; static isc_result_t @@ -625,7 +623,7 @@ hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) { hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t)); if (hmacsha224ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH); + isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH); dctx->ctxdata.hmacsha224ctx = hmacsha224ctx; return (ISC_R_SUCCESS); } @@ -688,7 +686,7 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); @@ -700,18 +698,18 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA224_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA224_BLOCK_LENGTH) { + bytes = ISC_SHA224_BLOCK_LENGTH; + key->key_size = ISC_SHA224_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA224_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) 
@@ -720,7 +718,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacsha224_fromdns(key, &b); - memset(data, 0, ISC_SHA224_DIGESTLENGTH); + memset(data, 0, ISC_SHA224_BLOCK_LENGTH); return (ret); } @@ -734,6 +732,7 @@ hmacsha224_isprivate(const dst_key_t *key) { static void hmacsha224_destroy(dst_key_t *key) { dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224; + memset(hkey, 0, sizeof(dst_hmacsha224_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t)); key->keydata.hmacsha224 = NULL; @@ -773,7 +772,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA224_DIGESTLENGTH) { + if (r.length > ISC_SHA224_BLOCK_LENGTH) { isc_sha224_init(&sha224ctx); isc_sha224_update(&sha224ctx, r.base, r.length); isc_sha224_final(hkey->key, &sha224ctx); @@ -889,7 +888,7 @@ dst__hmacsha224_init(dst_func_t **funcp) { static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha256_key { - unsigned char key[ISC_SHA256_DIGESTLENGTH]; + unsigned char key[ISC_SHA256_BLOCK_LENGTH]; }; static isc_result_t @@ -900,7 +899,7 @@ hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) { hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t)); if (hmacsha256ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH); + isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH); dctx->ctxdata.hmacsha256ctx = hmacsha256ctx; return (ISC_R_SUCCESS); } @@ -963,7 +962,7 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); 
@@ -975,18 +974,18 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA256_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA256_BLOCK_LENGTH) { + bytes = ISC_SHA256_BLOCK_LENGTH; + key->key_size = ISC_SHA256_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA256_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -995,7 +994,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacsha256_fromdns(key, &b); - memset(data, 0, ISC_SHA256_DIGESTLENGTH); + memset(data, 0, ISC_SHA256_BLOCK_LENGTH); return (ret); } @@ -1009,6 +1008,7 @@ hmacsha256_isprivate(const dst_key_t *key) { static void hmacsha256_destroy(dst_key_t *key) { dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256; + memset(hkey, 0, sizeof(dst_hmacsha256_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t)); key->keydata.hmacsha256 = NULL; @@ -1048,7 +1048,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA256_DIGESTLENGTH) { + if (r.length > ISC_SHA256_BLOCK_LENGTH) { isc_sha256_init(&sha256ctx); isc_sha256_update(&sha256ctx, r.base, r.length); isc_sha256_final(hkey->key, &sha256ctx); @@ -1164,7 +1164,7 @@ dst__hmacsha256_init(dst_func_t **funcp) { static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha384_key { - unsigned char key[ISC_SHA384_DIGESTLENGTH]; + unsigned char key[ISC_SHA384_BLOCK_LENGTH]; }; static isc_result_t 
@@ -1175,7 +1175,7 @@ hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) { hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t)); if (hmacsha384ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH); + isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH); dctx->ctxdata.hmacsha384ctx = hmacsha384ctx; return (ISC_R_SUCCESS); } @@ -1238,7 +1238,7 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); @@ -1250,18 +1250,18 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA384_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA384_BLOCK_LENGTH) { + bytes = ISC_SHA384_BLOCK_LENGTH; + key->key_size = ISC_SHA384_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA384_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -1270,7 +1270,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacsha384_fromdns(key, &b); - memset(data, 0, ISC_SHA384_DIGESTLENGTH); + memset(data, 0, ISC_SHA384_BLOCK_LENGTH); return (ret); } @@ -1284,6 +1284,7 @@ hmacsha384_isprivate(const dst_key_t *key) { static void hmacsha384_destroy(dst_key_t *key) { dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384; + memset(hkey, 0, sizeof(dst_hmacsha384_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t)); key->keydata.hmacsha384 = NULL; 
@@ -1323,7 +1324,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA384_DIGESTLENGTH) { + if (r.length > ISC_SHA384_BLOCK_LENGTH) { isc_sha384_init(&sha384ctx); isc_sha384_update(&sha384ctx, r.base, r.length); isc_sha384_final(hkey->key, &sha384ctx); @@ -1439,7 +1440,7 @@ dst__hmacsha384_init(dst_func_t **funcp) { static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha512_key { - unsigned char key[ISC_SHA512_DIGESTLENGTH]; + unsigned char key[ISC_SHA512_BLOCK_LENGTH]; }; static isc_result_t @@ -1450,7 +1451,7 @@ hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) { hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t)); if (hmacsha512ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH); + isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH); dctx->ctxdata.hmacsha512ctx = hmacsha512ctx; return (ISC_R_SUCCESS); } @@ -1513,7 +1514,7 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0) + if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH) == 0) return (ISC_TRUE); else return (ISC_FALSE); 
@@ -1525,18 +1526,18 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, { isc_buffer_t b; isc_result_t ret; - int bytes; - unsigned char data[HMAC_LEN]; + unsigned int bytes; + unsigned char data[ISC_SHA512_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > HMAC_LEN) { - bytes = HMAC_LEN; - key->key_size = HMAC_LEN * 8; + if (bytes > ISC_SHA512_BLOCK_LENGTH) { + bytes = ISC_SHA512_BLOCK_LENGTH; + key->key_size = ISC_SHA512_BLOCK_LENGTH * 8; } - memset(data, 0, HMAC_LEN); + memset(data, 0, ISC_SHA512_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -1545,7 +1546,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacsha512_fromdns(key, &b); - memset(data, 0, ISC_SHA512_DIGESTLENGTH); + memset(data, 0, ISC_SHA512_BLOCK_LENGTH); return (ret); } @@ -1559,6 +1560,7 @@ hmacsha512_isprivate(const dst_key_t *key) { static void hmacsha512_destroy(dst_key_t *key) { dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512; + memset(hkey, 0, sizeof(dst_hmacsha512_key_t)); isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t)); key->keydata.hmacsha512 = NULL; @@ -1598,7 +1600,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA512_DIGESTLENGTH) { + if (r.length > ISC_SHA512_BLOCK_LENGTH) { isc_sha512_init(&sha512ctx); isc_sha512_update(&sha512ctx, r.base, r.length); isc_sha512_final(hkey->key, &sha512ctx); diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h index 0a176e8f0f..af1cd7f899 100644 --- a/lib/isc/include/isc/md5.h +++ b/lib/isc/include/isc/md5.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: md5.h,v 1.18 2009/02/06 23:47:42 tbox Exp $ */ +/* $Id: md5.h,v 1.19 2010/01/07 21:52:12 each Exp $ */ /*! \file isc/md5.h * \brief This is the header file for the MD5 message-digest algorithm. 
@@ -48,6 +48,7 @@ #include #define ISC_MD5_DIGESTLENGTH 16U +#define ISC_MD5_BLOCK_LENGTH 64U #ifdef ISC_PLATFORM_OPENSSLHASH #include diff --git a/util/copyrights b/util/copyrights index 38f3dd6c56..ec2c799061 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1055,6 +1055,10 @@ ./bin/tools/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009 ./bin/tools/genrandom.docbook SGML 2009 ./bin/tools/genrandom.html HTML 2009 +./bin/tools/isc-hmac-fixup.8 MAN 2010 +./bin/tools/isc-hmac-fixup.c C 2010 +./bin/tools/isc-hmac-fixup.docbook SGML 2010 +./bin/tools/isc-hmac-fixup.html HTML 2010 ./bin/tools/named-journalprint.8 MAN 2009 ./bin/tools/named-journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009 ./bin/tools/named-journalprint.docbook SGML 2009 @@ -1069,6 +1073,9 @@ ./bin/tools/win32/genrandom.dsp X 2009 ./bin/tools/win32/genrandom.dsw X 2009 ./bin/tools/win32/genrandom.mak X 2009 +./bin/tools/win32/ischmacfix.dsp X 2010 +./bin/tools/win32/ischmacfix.dsw X 2010 +./bin/tools/win32/ischmacfix.mak X 2010 ./bin/tools/win32/journalprint.dsp X 2009 ./bin/tools/win32/journalprint.dsw X 2009 ./bin/tools/win32/journalprint.mak X 2009 diff --git a/win32utils/BINDBuild.dsw b/win32utils/BINDBuild.dsw index c9af6df09a..8f31fb9256 100644 --- a/win32utils/BINDBuild.dsw +++ b/win32utils/BINDBuild.dsw @@ -660,6 +660,21 @@ Package=<4> ############################################################################### +Project: "ischmacfixup"="..\bin\tools\win32\ischmacfixup.dsp" - Package Owner=<4> + +Package=<5> +{{{ +}}} + +Package=<4> +{{{ + Begin Project Dependency + Project_Dep_Name libisc + End Project Dependency +}}} + +############################################################################### + Global: Package=<5> diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat index 3627991d6c..d56e1776ce 100644 --- a/win32utils/BuildAll.bat +++ b/win32utils/BuildAll.bat 
@@ -124,6 +124,7 @@ nmake /nologo -f arpaname.mak CFG="arpaname - Win32 Release" NO_EXTERNAL_DEPS=" nmake /nologo -f genrandom.mak CFG="genrandom - Win32 Release" NO_EXTERNAL_DEPS="1" nmake /nologo -f nsec3hash.mak CFG="nsec3hash - Win32 Release" NO_EXTERNAL_DEPS="1" nmake /nologo -f journalprint.mak CFG="journalprint - Win32 Release" NO_EXTERNAL_DEPS="1" +nmake /nologo -f ischmacfixup.mak CFG="ischmacfixup - Win32 Release" NO_EXTERNAL_DEPS="1" cd ..\.. rem This is the BIND 9 Installer
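Review bot: The added line runs `nmake /nologo -f ischmacfixup.mak`, but the makefile this patch creates is `bin/tools/win32/ischmacfix.mak` (same spelling in the diffstat and in util/copyrights), so nmake would not find it unless the file is renamed on commit. BINDBuild.dsw and the new workspace file likewise point at `ischmacfixup.dsp` while the project file added is `ischmacfix.dsp`. Either rename the three files to `ischmacfixup.*` or change the references, e.g. `nmake /nologo -f ischmacfix.mak CFG="ischmacfixup - Win32 Release" NO_EXTERNAL_DEPS="1"`. Whether BuildAll.bat stops on the nmake failure is not visible in the hunk, so the missing binary could go unnoticed until install time.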