Prepare for 1.0.0s release

Reviewed-by: Stephen Henson <steve@openssl.org>

CHANGES

@@ -2,9 +2,150 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.0q and 1.0.0r [xx XXX xxxx]
+ Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
 
-  *)
+  *) Malformed ECParameters causes infinite loop
+
+     When processing an ECParameters structure OpenSSL enters an infinite loop
+     if the curve specified is over a specially malformed binary polynomial
+     field.
+
+     This can be used to perform denial of service against any
+     system which processes public keys, certificate requests or
+     certificates.  This includes TLS clients and TLS servers with
+     client authentication enabled.
+
+     This issue was reported to OpenSSL by Joseph Barr-Pixton.
+     (CVE-2015-1788)
+     [Andy Polyakov]
+
+  *) Exploitable out-of-bounds read in X509_cmp_time
+
+     X509_cmp_time does not properly check the length of the ASN1_TIME
+     string and can read a few bytes out of bounds. In addition,
+     X509_cmp_time accepts an arbitrary number of fractional seconds in the
+     time string.
+
+     An attacker can use this to craft malformed certificates and CRLs of
+     various sizes and potentially cause a segmentation fault, resulting in
+     a DoS on applications that verify certificates or CRLs. TLS clients
+     that verify CRLs are affected. TLS clients and servers with client
+     authentication enabled may be affected if they use custom verification
+     callbacks.
+
+     This issue was reported to OpenSSL by Robert Swiecki (Google), and
+     independently by Hanno B<>ck.
+     (CVE-2015-1789)
+     [Emilia K<>sper]
+
+  *) PKCS7 crash with missing EnvelopedContent
+
+     The PKCS#7 parsing code does not handle missing inner EncryptedContent
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+     with missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+     structures from untrusted sources are affected. OpenSSL clients and
+     servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-1790)
+     [Emilia K<>sper]
+
+  *) CMS verify infinite loop with unknown hash function
+
+     When verifying a signedData message the CMS code can enter an infinite loop
+     if presented with an unknown hash function OID. This can be used to perform
+     denial of service against any system which verifies signedData messages using
+     the CMS code.
+     This issue was reported to OpenSSL by Johannes Bauer.
+     (CVE-2015-1792)
+     [Stephen Henson]
+
+  *) Race condition handling NewSessionTicket
+
+     If a NewSessionTicket is received by a multi-threaded client when attempting to
+     reuse a previous ticket then a race condition can occur potentially leading to
+     a double free of the ticket data.
+     (CVE-2015-1791)
+     [Matt Caswell]
+
+ Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
+
+  *) Segmentation fault in ASN1_TYPE_cmp fix
+
+     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+     certificate signature algorithm consistency this can be used to crash any
+     certificate verification operation and exploited in a DoS attack. Any
+     application which performs certificate verification is vulnerable including
+     OpenSSL clients and servers which enable client authentication.
+     (CVE-2015-0286)
+     [Stephen Henson]
+
+  *) ASN.1 structure reuse memory corruption fix
+
+     Reusing a structure in ASN.1 parsing may allow an attacker to cause
+     memory corruption via an invalid write. Such reuse is and has been
+     strongly discouraged and is believed to be rare.
+
+     Applications that parse structures containing CHOICE or ANY DEFINED BY
+     components may be affected. Certificate parsing (d2i_X509 and related
+     functions) are however not affected. OpenSSL clients and servers are
+     not affected.
+     (CVE-2015-0287)
+     [Stephen Henson]
+
+  *) PKCS7 NULL pointer dereferences fix
+
+     The PKCS#7 parsing code does not handle missing outer ContentInfo
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+     missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+     otherwise parse PKCS#7 structures from untrusted sources are
+     affected. OpenSSL clients and servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-0289)
+     [Emilia K<>sper]
+
+  *) DoS via reachable assert in SSLv2 servers fix
+
+     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+     servers that both support SSLv2 and enable export cipher suites by sending
+     a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+     This issue was discovered by Sean Burford (Google) and Emilia K<>sper
+     (OpenSSL development team).
+     (CVE-2015-0293)
+     [Emilia K<>sper]
+
+  *) Use After Free following d2i_ECPrivatekey error fix
+
+     A malformed EC private key file consumed via the d2i_ECPrivateKey function
+     could cause a use after free condition. This, in turn, could cause a double
+     free in several private key parsing functions (such as d2i_PrivateKey
+     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+     for applications that receive EC private keys from untrusted
+     sources. This scenario is considered rare.
+
+     This issue was discovered by the BoringSSL project and fixed in their
+     commit 517073cd4b.
+     (CVE-2015-0209)
+     [Matt Caswell]
+
+  *) X509_to_X509_REQ NULL pointer deref fix
+
+     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+     the certificate key is invalid. This function is rarely used in practice.
+
+     This issue was discovered by Brian Carpenter.
+     (CVE-2015-0288)
+     [Stephen Henson]
+
+  *) Removed the export ciphers from the DEFAULT ciphers
+     [Kurt Roeckx]
 
  Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
 
@@ -1320,228 +1461,6 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
-
-  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
-
-     This addresses the flaw in CBC record processing discovered by 
-     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
-     at: http://www.isg.rhul.ac.uk/tls/     
-
-     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
-     Security Group at Royal Holloway, University of London
-     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
-     Emilia K<>sper for the initial patch.
-     (CVE-2013-0169)
-     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
-
-  *) Return an error when checking OCSP signatures when key is NULL.
-     This fixes a DoS attack. (CVE-2013-0166)
-     [Steve Henson]
-
-  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
-     the right response is stapled. Also change SSL_get_certificate()
-     so it returns the certificate actually sent.
-     See http://rt.openssl.org/Ticket/Display.html?id=2836.
-     (This is a backport)
-     [Rob Stradling <rob.stradling@comodo.com>]
-
-  *) Fix possible deadlock when decoding public keys.
-     [Steve Henson]
-
- Changes between 0.9.8w and 0.9.8x [10 May 2012]
-
-  *) Sanity check record length before skipping explicit IV in DTLS
-     to fix DoS attack.
-
-     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
-     fuzzing as a service testing platform.
-     (CVE-2012-2333)
-     [Steve Henson]
-
-  *) Initialise tkeylen properly when encrypting CMS messages.
-     Thanks to Solar Designer of Openwall for reporting this issue.
-     [Steve Henson]
-
- Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
-
-  *) The fix for CVE-2012-2110 did not take into account that the 
-     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
-     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
-     rejecting negative len parameter. (CVE-2012-2131)
-     [Tomas Hoger <thoger@redhat.com>]
-
- Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
-
-  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
-     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
-     in CRYPTO_realloc_clean.
-
-     Thanks to Tavis Ormandy, Google Security Team, for discovering this
-     issue and to Adam Langley <agl@chromium.org> for fixing it.
-     (CVE-2012-2110)
-     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
-
- Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
-
-  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
-     in CMS and PKCS7 code. When RSA decryption fails use a random key for
-     content decryption and always return the same error. Note: this attack
-     needs on average 2^20 messages so it only affects automated senders. The
-     old behaviour can be reenabled in the CMS code by setting the
-     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
-     an MMA defence is not necessary.
-     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
-     this issue. (CVE-2012-0884)
-     [Steve Henson]
-
-  *) Fix CVE-2011-4619: make sure we really are receiving a 
-     client hello before rejecting multiple SGC restarts. Thanks to
-     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
-     [Steve Henson]
-
- Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
-
-  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
-     Thanks to Antonio Martin, Enterprise Secure Access Research and
-     Development, Cisco Systems, Inc. for discovering this bug and
-     preparing a fix. (CVE-2012-0050)
-     [Antonio Martin]
-
- Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
-
-  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
-     of the Vaudenay padding oracle attack on CBC mode encryption
-     which enables an efficient plaintext recovery attack against
-     the OpenSSL implementation of DTLS. Their attack exploits timing
-     differences arising during decryption processing. A research
-     paper describing this attack can be found at:
-                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
-     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
-     Security Group at Royal Holloway, University of London
-     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
-     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
-     for preparing the fix. (CVE-2011-4108)
-     [Robin Seggelmann, Michael Tuexen]
-
-  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
-     [Ben Laurie, Kasper <ekasper@google.com>]
-
-  *) Clear bytes used for block padding of SSL 3.0 records.
-     (CVE-2011-4576)
-     [Adam Langley (Google)]
-
-  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
-     Kadianakis <desnacked@gmail.com> for discovering this issue and
-     Adam Langley for preparing the fix. (CVE-2011-4619)
-     [Adam Langley (Google)]
- 
-  *) Prevent malformed RFC3779 data triggering an assertion failure.
-     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
-     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
-     [Rob Austein <sra@hactrn.net>]
-
-  *) Fix ssl_ciph.c set-up race.
-     [Adam Langley (Google)]
-
-  *) Fix spurious failures in ecdsatest.c.
-     [Emilia K<>sper (Google)]
-
-  *) Fix the BIO_f_buffer() implementation (which was mixing different
-     interpretations of the '..._len' fields).
-     [Adam Langley (Google)]
-
-  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
-     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
-     threads won't reuse the same blinding coefficients.
-
-     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
-     lock to call BN_BLINDING_invert_ex, and avoids one use of
-     BN_BLINDING_update for each BN_BLINDING structure (previously,
-     the last update always remained unused).
-     [Emilia K<>sper (Google)]
-
-  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
-     for multi-threaded use of ECDH.
-     [Adam Langley (Google)]
-
-  *) Fix x509_name_ex_d2i memory leak on bad inputs.
-     [Bodo Moeller]
-
-  *) Add protection against ECDSA timing attacks as mentioned in the paper
-     by Billy Bob Brumley and Nicola Tuveri, see:
-
-	http://eprint.iacr.org/2011/232.pdf
-
-     [Billy Bob Brumley and Nicola Tuveri]
-
- Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
-
-  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
-     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
-
-  *) Fix bug in string printing code: if *any* escaping is enabled we must
-     escape the escape character (backslash) or the resulting string is
-     ambiguous.
-     [Steve Henson]
-
- Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
-
-  *) Disable code workaround for ancient and obsolete Netscape browsers
-     and servers: an attacker can use it in a ciphersuite downgrade attack.
-     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
-     [Steve Henson]
-
-  *) Fixed J-PAKE implementation error, originally discovered by
-     Sebastien Martini, further info and confirmation from Stefan
-     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
-     [Ben Laurie]
-
- Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
-
-  *) Fix extension code to avoid race conditions which can result in a buffer
-     overrun vulnerability: resumed sessions must not be modified as they can
-     be shared by multiple threads. CVE-2010-3864
-     [Steve Henson]
-
-  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
-     [Steve Henson]
-
-  *) Don't reencode certificate when calculating signature: cache and use
-     the original encoding instead. This makes signature verification of
-     some broken encodings work correctly.
-     [Steve Henson]
-
-  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
-     is also one of the inputs.
-     [Emilia K<>sper <emilia.kasper@esat.kuleuven.be> (Google)]
-
-  *) Don't repeatedly append PBE algorithms to table if they already exist.
-     Sort table on each new add. This effectively makes the table read only
-     after all algorithms are added and subsequent calls to PKCS12_pbe_add
-     etc are non-op.
-     [Steve Henson]
-
- Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
-
-  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
-  OpenSSL 1.0.0.]
-
-  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
-     access or freeing data twice (CVE-2010-0742)
-     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
-
-  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
-     common in certificates and some applications which only call
-     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
-     [Steve Henson]
-
-  *) VMS fixes: 
-     Reduce copying into .apps and .test in makevms.com
-     Don't try to use blank CA certificate in CA.com
-     Allow use of C files from original directories in maketests.com
-     [Steven M. Schweda" <sms@antinode.info>]
-
  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 
   *) When rejecting SSL/TLS records due to an incorrect version number, never

Makefile.org

@@ -416,6 +416,9 @@ tests: rehash
 report:
 	@$(PERL) util/selftest.pl
 
+update: errors stacks util/libeay.num util/ssleay.num TABLE
+	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
+
 depend:
 	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 
@@ -440,26 +443,10 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 
-crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
-	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
-crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
-crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
-
-apps/openssl-vms.cnf: apps/openssl.cnf
-	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
-
-crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
-	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
-
-
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 
-update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
-
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file

NEWS

@@ -5,9 +5,23 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [under development]
+  Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015]
 
-      o
+      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+      o Race condition handling NewSessionTicket (CVE-2015-1791)
+
+  Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015]
+
+      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
+      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
+      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
+      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
+      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
+      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
+      o Removed the export ciphers from the DEFAULT ciphers
 
   Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015]
 
@@ -146,62 +160,6 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
-
-      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
-      o Fix OCSP bad key DoS attack CVE-2013-0166
-
-  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
-
-      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
-
-  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
-
-      o Fix for ASN1 overflow bug CVE-2012-2110
-
-  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
-
-      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
-      o Corrected fix for CVE-2011-4619
-      o Various DTLS fixes.
-
-  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
-
-      o Fix for DTLS DoS issue CVE-2012-0050
-
-  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
-
-      o Fix for DTLS plaintext recovery attack CVE-2011-4108
-      o Fix policy check double free error CVE-2011-4109
-      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
-      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
-      o Check for malformed RFC3779 data CVE-2011-4577
-
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
-
-      o Fix for security issue CVE-2011-0014
-
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
-
-      o Fix for security issue CVE-2010-4180
-      o Fix for CVE-2010-4252
-
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
-
-      o Fix for security issue CVE-2010-3864.
-
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
-
-      o Fix for security issue CVE-2010-0742.
-      o Various DTLS fixes.
-      o Recognise SHA2 certificates if only SSL algorithms added.
-      o Fix for no-rc4 compilation.
-      o Chil ENGINE unload workaround.
-
   Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.0r-dev
+ OpenSSL 1.0.0s 11 Jun 2015
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

apps/Makefile

@@ -94,6 +94,9 @@ req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
 sreq.o: req.c 
 	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c
 
+openssl-vms.cnf: openssl.cnf
+	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
+
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 
@@ -127,12 +130,12 @@ links:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
-depend:
-	@if [ -z "$(THIS)" ]; then \
-	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
-	else \
-	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
-	fi
+update: openssl-vms.cnf local_depend
+
+depend: local_depend
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+local_depend:
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new

apps/ca.c

@@ -600,10 +600,10 @@ int MAIN(int argc, char **argv)
 
             oid_bio = BIO_new_file(p, "r");
             if (oid_bio == NULL) {
-                                /*-
-                                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
-                                ERR_print_errors(bio_err);
-                                */
+                /*-
+                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                ERR_print_errors(bio_err);
+                */
                 ERR_clear_error();
             } else {
                 OBJ_create_objects(oid_bio);

apps/gendh.c

@@ -122,8 +122,8 @@ int MAIN(int argc, char **argv)
             outfile = *(++argv);
         } else if (strcmp(*argv, "-2") == 0)
             g = 2;
-        /*-     else if (strcmp(*argv,"-3") == 0)
-                        g=3; */
+/*-     else if (strcmp(*argv,"-3") == 0)
+                g=3; */
         else if (strcmp(*argv, "-5") == 0)
             g = 5;
 # ifndef OPENSSL_NO_ENGINE

apps/openssl.c

@@ -227,27 +227,27 @@ int main(int Argc, char *ARGV[])
     long errline;
 
 #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
-        /*-
-         * 2011-03-22 SMS.
-         * If we have 32-bit pointers everywhere, then we're safe, and
-         * we bypass this mess, as on non-VMS systems.  (See ARGV,
-         * above.)
-         * Problem 1: Compaq/HP C before V7.3 always used 32-bit
-         * pointers for argv[].
-         * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
-         * everywhere else, we always allocate and use a 64-bit
-         * duplicate of argv[].
-         * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
-         * to NULL-terminate a 64-bit argv[].  (As this was written, the
-         * compiler ECO was available only on IA64.)
-         * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
-         * 64-bit argv[argc] for NULL, and, if necessary, use a
-         * (properly) NULL-terminated (64-bit) duplicate of argv[].
-         * The same code is used in either case to duplicate argv[].
-         * Some of these decisions could be handled in preprocessing,
-         * but the code tends to get even uglier, and the penalty for
-         * deciding at compile- or run-time is tiny.
-         */
+    /*-
+     * 2011-03-22 SMS.
+     * If we have 32-bit pointers everywhere, then we're safe, and
+     * we bypass this mess, as on non-VMS systems.  (See ARGV,
+     * above.)
+     * Problem 1: Compaq/HP C before V7.3 always used 32-bit
+     * pointers for argv[].
+     * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
+     * everywhere else, we always allocate and use a 64-bit
+     * duplicate of argv[].
+     * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
+     * to NULL-terminate a 64-bit argv[].  (As this was written, the
+     * compiler ECO was available only on IA64.)
+     * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
+     * 64-bit argv[argc] for NULL, and, if necessary, use a
+     * (properly) NULL-terminated (64-bit) duplicate of argv[].
+     * The same code is used in either case to duplicate argv[].
+     * Some of these decisions could be handled in preprocessing,
+     * but the code tends to get even uglier, and the penalty for
+     * deciding at compile- or run-time is tiny.
+     */
     char **Argv = NULL;
     int free_Argv = 0;
 

apps/req.c

@@ -495,10 +495,10 @@ int MAIN(int argc, char **argv)
 
             oid_bio = BIO_new_file(p, "r");
             if (oid_bio == NULL) {
-                                /*-
-                                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
-                                ERR_print_errors(bio_err);
-                                */
+                /*-
+                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                ERR_print_errors(bio_err);
+                */
             } else {
                 OBJ_create_objects(oid_bio);
                 BIO_free(oid_bio);

apps/s_cb.c

@@ -191,10 +191,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 {
     if (cert_file != NULL) {
-                /*-
-                SSL *ssl;
-                X509 *x509;
-                */
+        /*-
+        SSL *ssl;
+        X509 *x509;
+        */
 
         if (SSL_CTX_use_certificate_file(ctx, cert_file,
                                          SSL_FILETYPE_PEM) <= 0) {
@@ -212,20 +212,20 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
             return (0);
         }
 
-                /*-
-                In theory this is no longer needed
-                ssl=SSL_new(ctx);
-                x509=SSL_get_certificate(ssl);
+        /*-
+        In theory this is no longer needed
+        ssl=SSL_new(ctx);
+        x509=SSL_get_certificate(ssl);
 
-                if (x509 != NULL) {
-                        EVP_PKEY *pktmp;
-                        pktmp = X509_get_pubkey(x509);
-                        EVP_PKEY_copy_parameters(pktmp,
-                                                SSL_get_privatekey(ssl));
-                        EVP_PKEY_free(pktmp);
-                }
-                SSL_free(ssl);
-                */
+        if (x509 != NULL) {
+                EVP_PKEY *pktmp;
+                pktmp = X509_get_pubkey(x509);
+                EVP_PKEY_copy_parameters(pktmp,
+                                        SSL_get_privatekey(ssl));
+                EVP_PKEY_free(pktmp);
+        }
+        SSL_free(ssl);
+        */
 
         /*
          * If we are using DSA, we can copy the parameters from the private

apps/s_client.c

@@ -1260,8 +1260,8 @@ int MAIN(int argc, char **argv)
                     openssl_fdset(SSL_get_fd(con), &writefds);
             }
 #endif
-/*-                     printf("mode tty(%d %d%d) ssl(%d%d)\n",
-                                tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
+/*-         printf("mode tty(%d %d%d) ssl(%d%d)\n",
+                    tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
 
             /*
              * Note: under VMS with SOCKETSHR the second parameter is

apps/s_server.c

@@ -2037,8 +2037,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                     ret = 1;
                     goto err;
                 }
-                l += k;
-                i -= k;
+                if (k > 0) {
+                    l += k;
+                    i -= k;
+                }
                 if (i <= 0)
                     break;
             }

apps/s_socket.c

@@ -426,13 +426,13 @@ static int do_accept(int acc_sock, int *sock, char **host)
     }
 
 /*-
-        ling.l_onoff=1;
-        ling.l_linger=0;
-        i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-        if (i < 0) { perror("linger"); return(0); }
-        i=0;
-        i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-        if (i < 0) { perror("keepalive"); return(0); }
+    ling.l_onoff=1;
+    ling.l_linger=0;
+    i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+    if (i < 0) { perror("linger"); return(0); }
+    i=0;
+    i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+    if (i < 0) { perror("keepalive"); return(0); }
 */
 
     if (host == NULL)

apps/ts.c

@@ -1101,19 +1101,19 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
 
 static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
 {
-        /*-
-        char buf[256];
+    /*-
+    char buf[256];
 
-        if (!ok)
-                {
-                X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
-                                  buf, sizeof(buf));
-                printf("%s\n", buf);
-                printf("error %d at %d depth lookup: %s\n",
-                       ctx->error, ctx->error_depth,
-                        X509_verify_cert_error_string(ctx->error));
-                }
-        */
+    if (!ok)
+            {
+            X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+                              buf, sizeof(buf));
+            printf("%s\n", buf);
+            printf("error %d at %d depth lookup: %s\n",
+                   ctx->error, ctx->error_depth,
+                    X509_verify_cert_error_string(ctx->error));
+            }
+    */
 
     return ok;
 }

crypto/Makefile

@@ -121,12 +121,17 @@ install:
 lint:
 	@target=lint; $(RECURSIVE_MAKE)
 
-depend:
+update: local_depend
+	@[ -z "$(THIS)" ] || (set -e; target=update; $(RECURSIVE_MAKE) )
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+depend: local_depend
+	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+local_depend:
 	@[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist
 	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 	@[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h
-	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
-	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
 clean:
 	rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff

crypto/aes/Makefile

@@ -87,6 +87,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/asn1/Makefile

@@ -93,6 +93,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/asn1/a_int.c

@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
     else {
         ret = a->length;
         i = a->data[0];
+        if (ret == 1 && i == 0)
+            neg = 0;
         if (!neg && (i > 127)) {
             pad = 1;
             pb = 0;
@@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
         p += a->length - 1;
         i = a->length;
         /* Copy zeros to destination as long as source is zero */
-        while (!*n) {
+        while (!*n && i > 1) {
             *(p--) = 0;
             n--;
             i--;
@@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
         ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
         goto err;
     }
-    if (BN_is_negative(bn))
+    if (BN_is_negative(bn) && !BN_is_zero(bn))
         ret->type = V_ASN1_NEG_INTEGER;
     else
         ret->type = V_ASN1_INTEGER;

crypto/asn1/a_type.c

@@ -119,6 +119,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
     case V_ASN1_OBJECT:
         result = OBJ_cmp(a->value.object, b->value.object);
         break;
+    case V_ASN1_BOOLEAN:
+        result = a->value.boolean - b->value.boolean;
+        break;
     case V_ASN1_NULL:
         result = 0;             /* They do not have content. */
         break;

crypto/asn1/asn1.h

@@ -796,6 +796,7 @@ DECLARE_ASN1_SET_OF(ASN1_OBJECT)
 
 ASN1_STRING *ASN1_STRING_new(void);
 void ASN1_STRING_free(ASN1_STRING *a);
+void ASN1_STRING_clear_free(ASN1_STRING *a);
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str);
 ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *a);
 ASN1_STRING *ASN1_STRING_type_new(int type);

crypto/asn1/asn1_gen.c

@@ -74,6 +74,8 @@
 #define ASN1_GEN_STR(str,val)   {str, sizeof(str) - 1, val}
 
 #define ASN1_FLAG_EXP_MAX       20
+/* Maximum number of nested sequences */
+#define ASN1_GEN_SEQ_MAX_DEPTH  50
 
 /* Input formats */
 
@@ -110,13 +112,16 @@ typedef struct {
     int exp_count;
 } tag_exp_arg;
 
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
+                              int *perr);
 static int bitstr_cb(const char *elem, int len, void *bitstr);
 static int asn1_cb(const char *elem, int len, void *bitstr);
 static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class,
                       int exp_constructed, int exp_pad, int imp_ok);
 static int parse_tagging(const char *vstart, int vlen, int *ptag,
                          int *pclass);
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf);
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
+                             int depth, int *perr);
 static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
 static int asn1_str2tag(const char *tagstr, int len);
 
@@ -132,6 +137,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf)
 }
 
 ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
+{
+    int err = 0;
+    ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err);
+    if (err)
+        ASN1err(ASN1_F_ASN1_GENERATE_V3, err);
+    return ret;
+}
+
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
+                              int *perr)
 {
     ASN1_TYPE *ret;
     tag_exp_arg asn1_tags;
@@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
     asn1_tags.imp_class = -1;
     asn1_tags.format = ASN1_GEN_FORMAT_ASCII;
     asn1_tags.exp_count = 0;
-    if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0)
+    if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) {
+        *perr = ASN1_R_UNKNOWN_TAG;
         return NULL;
+    }
 
     if ((asn1_tags.utype == V_ASN1_SEQUENCE)
         || (asn1_tags.utype == V_ASN1_SET)) {
         if (!cnf) {
-            ASN1err(ASN1_F_ASN1_GENERATE_V3,
-                    ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
+            *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG;
             return NULL;
         }
-        ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf);
+        if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) {
+            *perr = ASN1_R_ILLEGAL_NESTED_TAGGING;
+            return NULL;
+        }
+        ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr);
     } else
         ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype);
 
@@ -279,6 +299,9 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
 
     int tmp_tag, tmp_class;
 
+    if (elem == NULL)
+        return -1;
+
     for (i = 0, p = elem; i < len; p++, i++) {
         /* Look for the ':' in name value pairs */
         if (*p == ':') {
@@ -428,7 +451,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass)
 
 /* Handle multiple types: SET and SEQUENCE */
 
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
+                             int depth, int *perr)
 {
     ASN1_TYPE *ret = NULL;
     STACK_OF(ASN1_TYPE) *sk = NULL;
@@ -447,7 +471,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
             goto bad;
         for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
             ASN1_TYPE *typ =
-                ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf);
+                generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf,
+                            depth + 1, perr);
             if (!typ)
                 goto bad;
             if (!sk_ASN1_TYPE_push(sk, typ))

crypto/asn1/asn1_lib.c

@@ -430,6 +430,13 @@ void ASN1_STRING_free(ASN1_STRING *a)
     OPENSSL_free(a);
 }
 
+void ASN1_STRING_clear_free(ASN1_STRING *a)
+{
+    if (a && a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
+        OPENSSL_cleanse(a->data, a->length);
+    ASN1_STRING_free(a);
+}
+
 int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 {
     int i;

crypto/asn1/p8_pkey.c

@@ -69,7 +69,8 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     /* Since the structure must still be valid use ASN1_OP_FREE_PRE */
     if (operation == ASN1_OP_FREE_PRE) {
         PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
-        if (key->pkey->value.octet_string)
+        if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING
+            && key->pkey->value.octet_string != NULL)
             OPENSSL_cleanse(key->pkey->value.octet_string->data,
                             key->pkey->value.octet_string->length);
     }

crypto/asn1/tasn_dec.c

@@ -304,9 +304,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     case ASN1_ITYPE_CHOICE:
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
             goto auxerr;
-
-        /* Allocate structure */
-        if (!*pval && !ASN1_item_ex_new(pval, it)) {
+        if (*pval) {
+            /* Free up and zero CHOICE value if initialised */
+            i = asn1_get_choice_selector(pval, it);
+            if ((i >= 0) && (i < it->tcount)) {
+                tt = it->templates + i;
+                pchptr = asn1_get_field_ptr(pval, tt);
+                ASN1_template_free(pchptr, tt);
+                asn1_set_choice_selector(pval, -1, it);
+            }
+        } else if (!ASN1_item_ex_new(pval, it)) {
             ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
@@ -386,6 +393,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
             goto auxerr;
 
+        /* Free up and zero any ADB found */
+        for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+            if (tt->flags & ASN1_TFLG_ADB_MASK) {
+                const ASN1_TEMPLATE *seqtt;
+                ASN1_VALUE **pseqval;
+                seqtt = asn1_do_adb(pval, tt, 1);
+                pseqval = asn1_get_field_ptr(pval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
+            }
+        }
+
         /* Get each field entry */
         for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
             const ASN1_TEMPLATE *seqtt;

crypto/asn1/tasn_new.c

@@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
     else
         asn1_cb = 0;
 
-    if (!combine)
-        *pval = NULL;
-
 #ifdef CRYPTO_MDEBUG
     if (it->sname)
         CRYPTO_push_info(it->sname);

crypto/asn1/tasn_prn.c

@@ -220,6 +220,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
             if (!asn1_template_print_ctx(out, fld, indent,
                                          it->templates, pctx))
                 return 0;
+            break;
         }
         /* fall thru */
     case ASN1_ITYPE_MSTRING:

crypto/asn1/x_bignum.c

@@ -98,46 +98,55 @@ ASN1_ITEM_end(CBIGNUM)
 
 static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        *pval = (ASN1_VALUE *)BN_new();
-        if(*pval) return 1;
-        else return 0;
+    *pval = (ASN1_VALUE *)BN_new();
+    if (*pval)
+        return 1;
+    else
+        return 0;
 }
 
 static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        if(!*pval) return;
-        if(it->size & BN_SENSITIVE) BN_clear_free((BIGNUM *)*pval);
-        else BN_free((BIGNUM *)*pval);
-        *pval = NULL;
+    if (!*pval)
+        return;
+    if (it->size & BN_SENSITIVE)
+        BN_clear_free((BIGNUM *)*pval);
+    else
+        BN_free((BIGNUM *)*pval);
+    *pval = NULL;
 }
 
-static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
+                  const ASN1_ITEM *it)
 {
-        BIGNUM *bn;
-        int pad;
-        if(!*pval) return -1;
-        bn = (BIGNUM *)*pval;
-        /* If MSB set in an octet we need a padding byte */
-        if(BN_num_bits(bn) & 0x7) pad = 0;
-        else pad = 1;
-        if(cont) {
-                if(pad) *cont++ = 0;
-                BN_bn2bin(bn, cont);
-        }
-        return pad + BN_num_bytes(bn);
+    BIGNUM *bn;
+    int pad;
+    if (!*pval)
+        return -1;
+    bn = (BIGNUM *)*pval;
+    /* If MSB set in an octet we need a padding byte */
+    if (BN_num_bits(bn) & 0x7)
+        pad = 0;
+    else
+        pad = 1;
+    if (cont) {
+        if (pad)
+            *cont++ = 0;
+        BN_bn2bin(bn, cont);
+    }
+    return pad + BN_num_bytes(bn);
 }
 
 static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                   int utype, char *free_cont, const ASN1_ITEM *it)
 {
-        BIGNUM *bn;
-        if(!*pval) bn_new(pval, it);
-        bn  = (BIGNUM *)*pval;
-        if(!BN_bin2bn(cont, len, bn)) {
-                bn_free(pval, it);
-                return 0;
-        }
-        return 1;
+    BIGNUM *bn;
+    if (!*pval)
+        bn_new(pval, it);
+    bn = (BIGNUM *)*pval;
+    if (!BN_bin2bn(cont, len, bn)) {
+        bn_free(pval, it);
+        return 0;
+    }
+    return 1;
 }
-
-

crypto/asn1/x_long.c

@@ -97,87 +97,100 @@ ASN1_ITEM_end(ZLONG)
 
 static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        *(long *)pval = it->size;
-        return 1;
+    *(long *)pval = it->size;
+    return 1;
 }
 
 static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        *(long *)pval = it->size;
+    *(long *)pval = it->size;
 }
 
-static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
+                    const ASN1_ITEM *it)
 {
-        long ltmp;
-        unsigned long utmp;
-        int clen, pad, i;
-        /* this exists to bypass broken gcc optimization */
-        char *cp = (char *)pval;
+    long ltmp;
+    unsigned long utmp;
+    int clen, pad, i;
+    /* this exists to bypass broken gcc optimization */
+    char *cp = (char *)pval;
 
-        /* use memcpy, because we may not be long aligned */
-        memcpy(&ltmp, cp, sizeof(long));
+    /* use memcpy, because we may not be long aligned */
+    memcpy(&ltmp, cp, sizeof(long));
 
-        if(ltmp == it->size) return -1;
-        /* Convert the long to positive: we subtract one if negative so
-         * we can cleanly handle the padding if only the MSB of the leading
-         * octet is set.
-         */
-        if(ltmp < 0) utmp = -ltmp - 1;
-        else utmp = ltmp;
-        clen = BN_num_bits_word(utmp);
-        /* If MSB of leading octet set we need to pad */
-        if(!(clen & 0x7)) pad = 1;
-        else pad = 0;
+    if (ltmp == it->size)
+        return -1;
+    /*
+     * Convert the long to positive: we subtract one if negative so we can
+     * cleanly handle the padding if only the MSB of the leading octet is
+     * set.
+     */
+    if (ltmp < 0)
+        utmp = -ltmp - 1;
+    else
+        utmp = ltmp;
+    clen = BN_num_bits_word(utmp);
+    /* If MSB of leading octet set we need to pad */
+    if (!(clen & 0x7))
+        pad = 1;
+    else
+        pad = 0;
 
-        /* Convert number of bits to number of octets */
-        clen = (clen + 7) >> 3;
+    /* Convert number of bits to number of octets */
+    clen = (clen + 7) >> 3;
 
-        if(cont) {
-                if(pad) *cont++ = (ltmp < 0) ? 0xff : 0;
-                for(i = clen - 1; i >= 0; i--) {
-                        cont[i] = (unsigned char)(utmp & 0xff);
-                        if(ltmp < 0) cont[i] ^= 0xff;
-                        utmp >>= 8;
-                }
+    if (cont) {
+        if (pad)
+            *cont++ = (ltmp < 0) ? 0xff : 0;
+        for (i = clen - 1; i >= 0; i--) {
+            cont[i] = (unsigned char)(utmp & 0xff);
+            if (ltmp < 0)
+                cont[i] ^= 0xff;
+            utmp >>= 8;
         }
-        return clen + pad;
+    }
+    return clen + pad;
 }
 
 static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                     int utype, char *free_cont, const ASN1_ITEM *it)
 {
-        int neg, i;
-        long ltmp;
-        unsigned long utmp = 0;
-        char *cp = (char *)pval;
-        if(len > (int)sizeof(long)) {
-                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-                return 0;
-        }
-        /* Is it negative? */
-        if(len && (cont[0] & 0x80)) neg = 1;
-        else neg = 0;
-        utmp = 0;
-        for(i = 0; i < len; i++) {
-                utmp <<= 8;
-                if(neg) utmp |= cont[i] ^ 0xff;
-                else utmp |= cont[i];
-        }
-        ltmp = (long)utmp;
-        if(neg) {
-                ltmp++;
-                ltmp = -ltmp;
-        }
-        if(ltmp == it->size) {
-                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-                return 0;
-        }
-        memcpy(cp, &ltmp, sizeof(long));
-        return 1;
+    int neg, i;
+    long ltmp;
+    unsigned long utmp = 0;
+    char *cp = (char *)pval;
+    if (len > (int)sizeof(long)) {
+        ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+        return 0;
+    }
+    /* Is it negative? */
+    if (len && (cont[0] & 0x80))
+        neg = 1;
+    else
+        neg = 0;
+    utmp = 0;
+    for (i = 0; i < len; i++) {
+        utmp <<= 8;
+        if (neg)
+            utmp |= cont[i] ^ 0xff;
+        else
+            utmp |= cont[i];
+    }
+    ltmp = (long)utmp;
+    if (neg) {
+        ltmp++;
+        ltmp = -ltmp;
+    }
+    if (ltmp == it->size) {
+        ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+        return 0;
+    }
+    memcpy(cp, &ltmp, sizeof(long));
+    return 1;
 }
 
 static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                        int indent, const ASN1_PCTX *pctx)
-        {
-        return BIO_printf(out, "%ld\n", *(long *)pval);
-        }
+                      int indent, const ASN1_PCTX *pctx)
+{
+    return BIO_printf(out, "%ld\n", *(long *)pval);
+}

crypto/asn1/x_x509.c

@@ -172,8 +172,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
     const unsigned char *q;
     X509 *ret;
+    int freeret = 0;
+
     /* Save start position */
     q = *pp;
+
+    if (!a || *a == NULL) {
+        freeret = 1;
+    }
     ret = d2i_X509(a, pp, length);
     /* If certificate unreadable then forget it */
     if (!ret)
@@ -186,7 +192,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
         goto err;
     return ret;
  err:
-    X509_free(ret);
+    if (freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
     return NULL;
 }
 

crypto/bf/Makefile

@@ -72,6 +72,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/bio/Makefile

@@ -73,6 +73,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/bio/b_sock.c

@@ -530,13 +530,13 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
     i = ioctlsocket(fd, type, (char *)arg);
 #  else
 #   if defined(OPENSSL_SYS_VMS)
-        /*-
-         * 2011-02-18 SMS.
-         * VMS ioctl() can't tolerate a 64-bit "void *arg", but we
-         * observe that all the consumers pass in an "unsigned long *",
-         * so we arrange a local copy with a short pointer, and use
-         * that, instead.
-         */
+    /*-
+     * 2011-02-18 SMS.
+     * VMS ioctl() can't tolerate a 64-bit "void *arg", but we
+     * observe that all the consumers pass in an "unsigned long *",
+     * so we arrange a local copy with a short pointer, and use
+     * that, instead.
+     */
 #    if __INITIAL_POINTER_SIZE == 64
 #     define ARG arg_32p
 #     pragma pointer_size save

crypto/bio/bf_null.c

@@ -103,11 +103,11 @@ static int nullf_free(BIO *a)
 {
     if (a == NULL)
         return (0);
-        /*-
-        a->ptr=NULL;
-        a->init=0;
-        a->flags=0;
-        */
+    /*-
+    a->ptr=NULL;
+    a->init=0;
+    a->flags=0;
+    */
     return (1);
 }
 

crypto/bio/bio.h

@@ -316,15 +316,15 @@ struct bio_st {
 DECLARE_STACK_OF(BIO)
 
 typedef struct bio_f_buffer_ctx_struct {
-        /*-
-         * Buffers are setup like this:
-         *
-         * <---------------------- size ----------------------->
-         * +---------------------------------------------------+
-         * | consumed | remaining          | free space        |
-         * +---------------------------------------------------+
-         * <-- off --><------- len ------->
-         */
+    /*-
+     * Buffers are setup like this:
+     *
+     * <---------------------- size ----------------------->
+     * +---------------------------------------------------+
+     * | consumed | remaining          | free space        |
+     * +---------------------------------------------------+
+     * <-- off --><------- len ------->
+     */
     /*- BIO *bio; *//*
      * this is now in the BIO struct
      */

crypto/bio/bss_acpt.c

@@ -421,12 +421,12 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
         ret = (long)data->bind_mode;
         break;
     case BIO_CTRL_DUP:
-/*-             dbio=(BIO *)ptr;
-                if (data->param_port) EAY EAY
-                        BIO_set_port(dbio,data->param_port);
-                if (data->param_hostname)
-                        BIO_set_hostname(dbio,data->param_hostname);
-                BIO_set_nbio(dbio,data->nbio); */
+/*-     dbio=(BIO *)ptr;
+        if (data->param_port) EAY EAY
+                BIO_set_port(dbio,data->param_port);
+        if (data->param_hostname)
+                BIO_set_hostname(dbio,data->param_hostname);
+        BIO_set_nbio(dbio,data->nbio); */
         break;
 
     default:

crypto/bn/Makefile

@@ -142,6 +142,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: bn_prime.h depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/bn/bn.h

@@ -894,6 +894,7 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR                  135
 # define BN_F_BN_GF2M_MOD_SQR                             136
 # define BN_F_BN_GF2M_MOD_SQRT                            137
+# define BN_F_BN_LSHIFT                                   145
 # define BN_F_BN_MOD_EXP2_MONT                            118
 # define BN_F_BN_MOD_EXP_MONT                             109
 # define BN_F_BN_MOD_EXP_MONT_CONSTTIME                   124
@@ -909,12 +910,14 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_NEW                                      113
 # define BN_F_BN_RAND                                     114
 # define BN_F_BN_RAND_RANGE                               122
+# define BN_F_BN_RSHIFT                                   146
 # define BN_F_BN_USUB                                     115
 
 /* Reason codes. */
 # define BN_R_ARG2_LT_ARG3                                100
 # define BN_R_BAD_RECIPROCAL                              101
 # define BN_R_BIGNUM_TOO_LONG                             114
+# define BN_R_BITS_TOO_SMALL                              118
 # define BN_R_CALLED_WITH_EVEN_MODULUS                    102
 # define BN_R_DIV_BY_ZERO                                 103
 # define BN_R_ENCODING_ERROR                              104
@@ -922,6 +925,7 @@ void ERR_load_BN_strings(void);
 # define BN_R_INPUT_NOT_REDUCED                           110
 # define BN_R_INVALID_LENGTH                              106
 # define BN_R_INVALID_RANGE                               115
+# define BN_R_INVALID_SHIFT                               119
 # define BN_R_NOT_A_SQUARE                                111
 # define BN_R_NOT_INITIALIZED                             107
 # define BN_R_NO_INVERSE                                  108

crypto/bn/bn_add.c

@@ -69,12 +69,12 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
     bn_check_top(a);
     bn_check_top(b);
 
-        /*-
-         *  a +  b      a+b
-         *  a + -b      a-b
-         * -a +  b      b-a
-         * -a + -b      -(a+b)
-         */
+    /*-
+     *  a +  b      a+b
+     *  a + -b      a-b
+     * -a +  b      b-a
+     * -a + -b      -(a+b)
+     */
     if (a_neg ^ b->neg) {
         /* only one is negative */
         if (a_neg) {
@@ -265,12 +265,12 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
     bn_check_top(a);
     bn_check_top(b);
 
-        /*-
-         *  a -  b      a-b
-         *  a - -b      a+b
-         * -a -  b      -(a+b)
-         * -a - -b      b-a
-         */
+    /*-
+     *  a -  b      a-b
+     *  a - -b      a+b
+     * -a -  b      -(a+b)
+     * -a - -b      b-a
+     */
     if (a->neg) {
         if (b->neg) {
             tmp = a;

crypto/bn/bn_err.c

@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -94,6 +94,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
     {ERR_FUNC(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR), "BN_GF2m_mod_solve_quad_arr"},
     {ERR_FUNC(BN_F_BN_GF2M_MOD_SQR), "BN_GF2m_mod_sqr"},
     {ERR_FUNC(BN_F_BN_GF2M_MOD_SQRT), "BN_GF2m_mod_sqrt"},
+    {ERR_FUNC(BN_F_BN_LSHIFT), "BN_lshift"},
     {ERR_FUNC(BN_F_BN_MOD_EXP2_MONT), "BN_mod_exp2_mont"},
     {ERR_FUNC(BN_F_BN_MOD_EXP_MONT), "BN_mod_exp_mont"},
     {ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME), "BN_mod_exp_mont_consttime"},
@@ -109,6 +110,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
     {ERR_FUNC(BN_F_BN_NEW), "BN_new"},
     {ERR_FUNC(BN_F_BN_RAND), "BN_rand"},
     {ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"},
+    {ERR_FUNC(BN_F_BN_RSHIFT), "BN_rshift"},
     {ERR_FUNC(BN_F_BN_USUB), "BN_usub"},
     {0, NULL}
 };
@@ -117,6 +119,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
     {ERR_REASON(BN_R_ARG2_LT_ARG3), "arg2 lt arg3"},
     {ERR_REASON(BN_R_BAD_RECIPROCAL), "bad reciprocal"},
     {ERR_REASON(BN_R_BIGNUM_TOO_LONG), "bignum too long"},
+    {ERR_REASON(BN_R_BITS_TOO_SMALL), "bits too small"},
     {ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS), "called with even modulus"},
     {ERR_REASON(BN_R_DIV_BY_ZERO), "div by zero"},
     {ERR_REASON(BN_R_ENCODING_ERROR), "encoding error"},
@@ -125,6 +128,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
     {ERR_REASON(BN_R_INPUT_NOT_REDUCED), "input not reduced"},
     {ERR_REASON(BN_R_INVALID_LENGTH), "invalid length"},
     {ERR_REASON(BN_R_INVALID_RANGE), "invalid range"},
+    {ERR_REASON(BN_R_INVALID_SHIFT), "invalid shift"},
     {ERR_REASON(BN_R_NOT_A_SQUARE), "not a square"},
     {ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"},
     {ERR_REASON(BN_R_NO_INVERSE), "no inverse"},

crypto/bn/bn_exp.c

@@ -174,36 +174,36 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     bn_check_top(p);
     bn_check_top(m);
 
-        /*-
-         * For even modulus  m = 2^k*m_odd,  it might make sense to compute
-         * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
-         * exponentiation for the odd part), using appropriate exponent
-         * reductions, and combine the results using the CRT.
-         *
-         * For now, we use Montgomery only if the modulus is odd; otherwise,
-         * exponentiation using the reciprocal-based quick remaindering
-         * algorithm is used.
-         *
-         * (Timing obtained with expspeed.c [computations  a^p mod m
-         * where  a, p, m  are of the same length: 256, 512, 1024, 2048,
-         * 4096, 8192 bits], compared to the running time of the
-         * standard algorithm:
-         *
-         *   BN_mod_exp_mont   33 .. 40 %  [AMD K6-2, Linux, debug configuration]
-         *                     55 .. 77 %  [UltraSparc processor, but
-         *                                  debug-solaris-sparcv8-gcc conf.]
-         *
-         *   BN_mod_exp_recp   50 .. 70 %  [AMD K6-2, Linux, debug configuration]
-         *                     62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
-         *
-         * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
-         * at 2048 and more bits, but at 512 and 1024 bits, it was
-         * slower even than the standard algorithm!
-         *
-         * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
-         * should be obtained when the new Montgomery reduction code
-         * has been integrated into OpenSSL.)
-         */
+    /*-
+     * For even modulus  m = 2^k*m_odd,  it might make sense to compute
+     * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
+     * exponentiation for the odd part), using appropriate exponent
+     * reductions, and combine the results using the CRT.
+     *
+     * For now, we use Montgomery only if the modulus is odd; otherwise,
+     * exponentiation using the reciprocal-based quick remaindering
+     * algorithm is used.
+     *
+     * (Timing obtained with expspeed.c [computations  a^p mod m
+     * where  a, p, m  are of the same length: 256, 512, 1024, 2048,
+     * 4096, 8192 bits], compared to the running time of the
+     * standard algorithm:
+     *
+     *   BN_mod_exp_mont   33 .. 40 %  [AMD K6-2, Linux, debug configuration]
+     *                     55 .. 77 %  [UltraSparc processor, but
+     *                                  debug-solaris-sparcv8-gcc conf.]
+     *
+     *   BN_mod_exp_recp   50 .. 70 %  [AMD K6-2, Linux, debug configuration]
+     *                     62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
+     *
+     * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
+     * at 2048 and more bits, but at 512 and 1024 bits, it was
+     * slower even than the standard algorithm!
+     *
+     * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
+     * should be obtained when the new Montgomery reduction code
+     * has been integrated into OpenSSL.)
+     */
 
 #define MONT_MUL_MOD
 #define MONT_EXP_WORD

crypto/bn/bn_gcd.c

@@ -267,13 +267,13 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
             goto err;
     }
     sign = -1;
-        /*-
-         * From  B = a mod |n|,  A = |n|  it follows that
-         *
-         *      0 <= B < A,
-         *     -sign*X*a  ==  B   (mod |n|),
-         *      sign*Y*a  ==  A   (mod |n|).
-         */
+    /*-
+     * From  B = a mod |n|,  A = |n|  it follows that
+     *
+     *      0 <= B < A,
+     *     -sign*X*a  ==  B   (mod |n|),
+     *      sign*Y*a  ==  A   (mod |n|).
+     */
 
     if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) {
         /*
@@ -285,12 +285,12 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
         int shift;
 
         while (!BN_is_zero(B)) {
-                        /*-
-                         *      0 < B < |n|,
-                         *      0 < A <= |n|,
-                         * (1) -sign*X*a  ==  B   (mod |n|),
-                         * (2)  sign*Y*a  ==  A   (mod |n|)
-                         */
+            /*-
+             *      0 < B < |n|,
+             *      0 < A <= |n|,
+             * (1) -sign*X*a  ==  B   (mod |n|),
+             * (2)  sign*Y*a  ==  A   (mod |n|)
+             */
 
             /*
              * Now divide B by the maximum possible power of two in the
@@ -336,18 +336,18 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
                     goto err;
             }
 
-                        /*-
-                         * We still have (1) and (2).
-                         * Both  A  and  B  are odd.
-                         * The following computations ensure that
-                         *
-                         *     0 <= B < |n|,
-                         *      0 < A < |n|,
-                         * (1) -sign*X*a  ==  B   (mod |n|),
-                         * (2)  sign*Y*a  ==  A   (mod |n|),
-                         *
-                         * and that either  A  or  B  is even in the next iteration.
-                         */
+            /*-
+             * We still have (1) and (2).
+             * Both  A  and  B  are odd.
+             * The following computations ensure that
+             *
+             *     0 <= B < |n|,
+             *      0 < A < |n|,
+             * (1) -sign*X*a  ==  B   (mod |n|),
+             * (2)  sign*Y*a  ==  A   (mod |n|),
+             *
+             * and that either  A  or  B  is even in the next iteration.
+             */
             if (BN_ucmp(B, A) >= 0) {
                 /* -sign*(X + Y)*a == B - A  (mod |n|) */
                 if (!BN_uadd(X, X, Y))
@@ -376,11 +376,11 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
         while (!BN_is_zero(B)) {
             BIGNUM *tmp;
 
-                        /*-
-                         *      0 < B < A,
-                         * (*) -sign*X*a  ==  B   (mod |n|),
-                         *      sign*Y*a  ==  A   (mod |n|)
-                         */
+            /*-
+             *      0 < B < A,
+             * (*) -sign*X*a  ==  B   (mod |n|),
+             *      sign*Y*a  ==  A   (mod |n|)
+             */
 
             /* (D, M) := (A/B, A%B) ... */
             if (BN_num_bits(A) == BN_num_bits(B)) {
@@ -427,12 +427,12 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
                     goto err;
             }
 
-                        /*-
-                         * Now
-                         *      A = D*B + M;
-                         * thus we have
-                         * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
-                         */
+            /*-
+             * Now
+             *      A = D*B + M;
+             * thus we have
+             * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
+             */
 
             tmp = A;            /* keep the BIGNUM object, the value does not
                                  * matter */
@@ -442,25 +442,25 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
             B = M;
             /* ... so we have  0 <= B < A  again */
 
-                        /*-
-                         * Since the former  M  is now  B  and the former  B  is now  A,
-                         * (**) translates into
-                         *       sign*Y*a  ==  D*A + B    (mod |n|),
-                         * i.e.
-                         *       sign*Y*a - D*A  ==  B    (mod |n|).
-                         * Similarly, (*) translates into
-                         *      -sign*X*a  ==  A          (mod |n|).
-                         *
-                         * Thus,
-                         *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
-                         * i.e.
-                         *        sign*(Y + D*X)*a  ==  B  (mod |n|).
-                         *
-                         * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
-                         *      -sign*X*a  ==  B   (mod |n|),
-                         *       sign*Y*a  ==  A   (mod |n|).
-                         * Note that  X  and  Y  stay non-negative all the time.
-                         */
+            /*-
+             * Since the former  M  is now  B  and the former  B  is now  A,
+             * (**) translates into
+             *       sign*Y*a  ==  D*A + B    (mod |n|),
+             * i.e.
+             *       sign*Y*a - D*A  ==  B    (mod |n|).
+             * Similarly, (*) translates into
+             *      -sign*X*a  ==  A          (mod |n|).
+             *
+             * Thus,
+             *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
+             * i.e.
+             *        sign*(Y + D*X)*a  ==  B  (mod |n|).
+             *
+             * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
+             *      -sign*X*a  ==  B   (mod |n|),
+             *       sign*Y*a  ==  A   (mod |n|).
+             * Note that  X  and  Y  stay non-negative all the time.
+             */
 
             /*
              * most of the time D is very small, so we can optimize tmp :=
@@ -497,13 +497,13 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
         }
     }
 
-        /*-
-         * The while loop (Euclid's algorithm) ends when
-         *      A == gcd(a,n);
-         * we have
-         *       sign*Y*a  ==  A  (mod |n|),
-         * where  Y  is non-negative.
-         */
+    /*-
+     * The while loop (Euclid's algorithm) ends when
+     *      A == gcd(a,n);
+     * we have
+     *       sign*Y*a  ==  A  (mod |n|),
+     * where  Y  is non-negative.
+     */
 
     if (sign < 0) {
         if (!BN_sub(Y, n, Y))
@@ -587,22 +587,22 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
             goto err;
     }
     sign = -1;
-        /*-
-         * From  B = a mod |n|,  A = |n|  it follows that
-         *
-         *      0 <= B < A,
-         *     -sign*X*a  ==  B   (mod |n|),
-         *      sign*Y*a  ==  A   (mod |n|).
-         */
+    /*-
+     * From  B = a mod |n|,  A = |n|  it follows that
+     *
+     *      0 <= B < A,
+     *     -sign*X*a  ==  B   (mod |n|),
+     *      sign*Y*a  ==  A   (mod |n|).
+     */
 
     while (!BN_is_zero(B)) {
         BIGNUM *tmp;
 
-                /*-
-                 *      0 < B < A,
-                 * (*) -sign*X*a  ==  B   (mod |n|),
-                 *      sign*Y*a  ==  A   (mod |n|)
-                 */
+        /*-
+         *      0 < B < A,
+         * (*) -sign*X*a  ==  B   (mod |n|),
+         *      sign*Y*a  ==  A   (mod |n|)
+         */
 
         /*
          * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
@@ -615,12 +615,12 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         if (!BN_div(D, M, pA, B, ctx))
             goto err;
 
-                /*-
-                 * Now
-                 *      A = D*B + M;
-                 * thus we have
-                 * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
-                 */
+        /*-
+         * Now
+         *      A = D*B + M;
+         * thus we have
+         * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
+         */
 
         tmp = A;                /* keep the BIGNUM object, the value does not
                                  * matter */
@@ -630,25 +630,25 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         B = M;
         /* ... so we have  0 <= B < A  again */
 
-                /*-
-                 * Since the former  M  is now  B  and the former  B  is now  A,
-                 * (**) translates into
-                 *       sign*Y*a  ==  D*A + B    (mod |n|),
-                 * i.e.
-                 *       sign*Y*a - D*A  ==  B    (mod |n|).
-                 * Similarly, (*) translates into
-                 *      -sign*X*a  ==  A          (mod |n|).
-                 *
-                 * Thus,
-                 *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
-                 * i.e.
-                 *        sign*(Y + D*X)*a  ==  B  (mod |n|).
-                 *
-                 * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
-                 *      -sign*X*a  ==  B   (mod |n|),
-                 *       sign*Y*a  ==  A   (mod |n|).
-                 * Note that  X  and  Y  stay non-negative all the time.
-                 */
+        /*-
+         * Since the former  M  is now  B  and the former  B  is now  A,
+         * (**) translates into
+         *       sign*Y*a  ==  D*A + B    (mod |n|),
+         * i.e.
+         *       sign*Y*a - D*A  ==  B    (mod |n|).
+         * Similarly, (*) translates into
+         *      -sign*X*a  ==  A          (mod |n|).
+         *
+         * Thus,
+         *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
+         * i.e.
+         *        sign*(Y + D*X)*a  ==  B  (mod |n|).
+         *
+         * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
+         *      -sign*X*a  ==  B   (mod |n|),
+         *       sign*Y*a  ==  A   (mod |n|).
+         * Note that  X  and  Y  stay non-negative all the time.
+         */
 
         if (!BN_mul(tmp, D, X, ctx))
             goto err;
@@ -662,13 +662,13 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         sign = -sign;
     }
 
-        /*-
-         * The while loop (Euclid's algorithm) ends when
-         *      A == gcd(a,n);
-         * we have
-         *       sign*Y*a  ==  A  (mod |n|),
-         * where  Y  is non-negative.
-         */
+    /*-
+     * The while loop (Euclid's algorithm) ends when
+     *      A == gcd(a,n);
+     * we have
+     *       sign*Y*a  ==  A  (mod |n|),
+     * where  Y  is non-negative.
+     */
 
     if (sign < 0) {
         if (!BN_sub(Y, n, Y))

crypto/bn/bn_kron.c

@@ -66,13 +66,13 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
     int ret = -2;               /* avoid 'uninitialized' warning */
     int err = 0;
     BIGNUM *A, *B, *tmp;
-        /*-
-         * In 'tab', only odd-indexed entries are relevant:
-         * For any odd BIGNUM n,
-         *     tab[BN_lsw(n) & 7]
-         * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
-         * Note that the sign of n does not matter.
-         */
+    /*-
+     * In 'tab', only odd-indexed entries are relevant:
+     * For any odd BIGNUM n,
+     *     tab[BN_lsw(n) & 7]
+     * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+     * Note that the sign of n does not matter.
+     */
     static const int tab[8] = { 0, 1, 0, -1, 0, -1, 0, 1 };
 
     bn_check_top(a);

crypto/bn/bn_mul.c

@@ -527,11 +527,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
     }
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-         * r[10] holds (a[0]*b[0])
-         * r[32] holds (b[1]*b[1])
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+     * r[10] holds (a[0]*b[0])
+     * r[32] holds (b[1]*b[1])
+     */
 
     c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
 
@@ -542,12 +542,12 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
     }
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-         * r[10] holds (a[0]*b[0])
-         * r[32] holds (b[1]*b[1])
-         * c1 holds the carry bits
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+     * r[10] holds (a[0]*b[0])
+     * r[32] holds (b[1]*b[1])
+     * c1 holds the carry bits
+     */
     c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
     if (c1) {
         p = &(r[n + n2]);
@@ -689,11 +689,11 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         }
     }
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-         * r[10] holds (a[0]*b[0])
-         * r[32] holds (b[1]*b[1])
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+     * r[10] holds (a[0]*b[0])
+     * r[32] holds (b[1]*b[1])
+     */
 
     c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
 
@@ -704,12 +704,12 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
     }
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-         * r[10] holds (a[0]*b[0])
-         * r[32] holds (b[1]*b[1])
-         * c1 holds the carry bits
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+     * r[10] holds (a[0]*b[0])
+     * r[32] holds (b[1]*b[1])
+     * c1 holds the carry bits
+     */
     c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
     if (c1) {
         p = &(r[n + n2]);
@@ -828,13 +828,13 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2]));
     }
 
-        /*-
-         * s0 == low(al*bl)
-         * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
-         * We know s0 and s1 so the only unknown is high(al*bl)
-         * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
-         * high(al*bl) == s1 - (r[0]+l[0]+t[0])
-         */
+    /*-
+     * s0 == low(al*bl)
+     * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
+     * We know s0 and s1 so the only unknown is high(al*bl)
+     * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
+     * high(al*bl) == s1 - (r[0]+l[0]+t[0])
+     */
     if (l != NULL) {
         lp = &(t[n2 + n]);
         c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n));
@@ -859,22 +859,22 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
             lp[i] = ((~mp[i]) + 1) & BN_MASK2;
     }
 
-        /*-
-         * s[0] = low(al*bl)
-         * t[3] = high(al*bl)
-         * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
-         * r[10] = (a[1]*b[1])
-         */
-        /*-
-         * R[10] = al*bl
-         * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
-         * R[32] = ah*bh
-         */
-        /*-
-         * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
-         * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
-         * R[3]=r[1]+(carry/borrow)
-         */
+    /*-
+     * s[0] = low(al*bl)
+     * t[3] = high(al*bl)
+     * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
+     * r[10] = (a[1]*b[1])
+     */
+    /*-
+     * R[10] = al*bl
+     * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
+     * R[32] = ah*bh
+     */
+    /*-
+     * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
+     * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
+     * R[3]=r[1]+(carry/borrow)
+     */
     if (l != NULL) {
         lp = &(t[n2]);
         c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n));

crypto/bn/bn_print.c

@@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a)
     char *buf;
     char *p;
 
-    buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+    if (a->neg && BN_is_zero(a)) {
+        /* "-0" == 3 bytes including NULL terminator */
+        buf = OPENSSL_malloc(3);
+    } else {
+        buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+    }
     if (buf == NULL) {
         BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -106,12 +111,12 @@ char *BN_bn2dec(const BIGNUM *a)
     BIGNUM *t = NULL;
     BN_ULONG *bn_data = NULL, *lp;
 
-        /*-
-         * get an upper bound for the length of the decimal integer
-         * num <= (BN_num_bits(a) + 1) * log(2)
-         *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
-         *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
-         */
+    /*-
+     * get an upper bound for the length of the decimal integer
+     * num <= (BN_num_bits(a) + 1) * log(2)
+     *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
+     *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
+     */
     i = BN_num_bits(a) * 3;
     num = (i / 10 + i / 1000 + 1) + 1;
     bn_data =

crypto/bn/bn_rand.c

@@ -121,6 +121,11 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     int ret = 0, bit, bytes, mask;
     time_t tim;
 
+    if (bits < 0 || (bits == 1 && top > 0)) {
+        BNerr(BN_F_BNRAND, BN_R_BITS_TOO_SMALL);
+        return 0;
+    }
+
     if (bits == 0) {
         BN_zero(rnd);
         return 1;
@@ -168,7 +173,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     }
 #endif
 
-    if (top != -1) {
+    if (top >= 0) {
         if (top) {
             if (bit == 0) {
                 buf[0] = 1;

crypto/bn/bn_shift.c

@@ -133,6 +133,11 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
     bn_check_top(r);
     bn_check_top(a);
 
+    if (n < 0) {
+        BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT);
+        return 0;
+    }
+
     r->neg = a->neg;
     nw = n / BN_BITS2;
     if (bn_wexpand(r, a->top + nw + 1) == NULL)
@@ -170,6 +175,11 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
     bn_check_top(r);
     bn_check_top(a);
 
+    if (n < 0) {
+        BNerr(BN_F_BN_RSHIFT, BN_R_INVALID_SHIFT);
+        return 0;
+    }
+
     nw = n / BN_BITS2;
     rb = n % BN_BITS2;
     lb = BN_BITS2 - rb;

crypto/bn/bn_sqr.c

@@ -249,23 +249,23 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
     bn_sqr_recursive(r, a, n, p);
     bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
-         * r[10] holds (a[0]*b[0])
-         * r[32] holds (b[1]*b[1])
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+     * r[10] holds (a[0]*b[0])
+     * r[32] holds (b[1]*b[1])
+     */
 
     c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
 
     /* t[32] is negative */
     c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
 
-        /*-
-         * t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
-         * r[10] holds (a[0]*a[0])
-         * r[32] holds (a[1]*a[1])
-         * c1 holds the carry bits
-         */
+    /*-
+     * t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+     * r[10] holds (a[0]*a[0])
+     * r[32] holds (a[1]*a[1])
+     * c1 holds the carry bits
+     */
     c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
     if (c1) {
         p = &(r[n + n2]);

crypto/bn/bn_sqrt.c

@@ -132,14 +132,14 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     /* we'll set  q  later (if needed) */
 
     if (e == 1) {
-                /*-
-                 * The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
-                 * modulo  (|p|-1)/2,  and square roots can be computed
-                 * directly by modular exponentiation.
-                 * We have
-                 *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
-                 * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
-                 */
+        /*-
+         * The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+         * modulo  (|p|-1)/2,  and square roots can be computed
+         * directly by modular exponentiation.
+         * We have
+         *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
+         * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
+         */
         if (!BN_rshift(q, p, 2))
             goto end;
         q->neg = 0;
@@ -152,32 +152,32 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     }
 
     if (e == 2) {
-                /*-
-                 * |p| == 5  (mod 8)
-                 *
-                 * In this case  2  is always a non-square since
-                 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
-                 * So if  a  really is a square, then  2*a  is a non-square.
-                 * Thus for
-                 *      b := (2*a)^((|p|-5)/8),
-                 *      i := (2*a)*b^2
-                 * we have
-                 *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
-                 *         = (2*a)^((p-1)/2)
-                 *         = -1;
-                 * so if we set
-                 *      x := a*b*(i-1),
-                 * then
-                 *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
-                 *         = a^2 * b^2 * (-2*i)
-                 *         = a*(-i)*(2*a*b^2)
-                 *         = a*(-i)*i
-                 *         = a.
-                 *
-                 * (This is due to A.O.L. Atkin,
-                 * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
-                 * November 1992.)
-                 */
+        /*-
+         * |p| == 5  (mod 8)
+         *
+         * In this case  2  is always a non-square since
+         * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
+         * So if  a  really is a square, then  2*a  is a non-square.
+         * Thus for
+         *      b := (2*a)^((|p|-5)/8),
+         *      i := (2*a)*b^2
+         * we have
+         *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+         *         = (2*a)^((p-1)/2)
+         *         = -1;
+         * so if we set
+         *      x := a*b*(i-1),
+         * then
+         *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+         *         = a^2 * b^2 * (-2*i)
+         *         = a*(-i)*(2*a*b^2)
+         *         = a*(-i)*i
+         *         = a.
+         *
+         * (This is due to A.O.L. Atkin,
+         * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+         * November 1992.)
+         */
 
         /* t := 2*a */
         if (!BN_mod_lshift1_quick(t, A, p))
@@ -277,24 +277,24 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
         goto end;
     }
 
-        /*-
-         * Now we know that (if  p  is indeed prime) there is an integer
-         * k,  0 <= k < 2^e,  such that
-         *
-         *      a^q * y^k == 1   (mod p).
-         *
-         * As  a^q  is a square and  y  is not,  k  must be even.
-         * q+1  is even, too, so there is an element
-         *
-         *     X := a^((q+1)/2) * y^(k/2),
-         *
-         * and it satisfies
-         *
-         *     X^2 = a^q * a     * y^k
-         *         = a,
-         *
-         * so it is the square root that we are looking for.
-         */
+    /*-
+     * Now we know that (if  p  is indeed prime) there is an integer
+     * k,  0 <= k < 2^e,  such that
+     *
+     *      a^q * y^k == 1   (mod p).
+     *
+     * As  a^q  is a square and  y  is not,  k  must be even.
+     * q+1  is even, too, so there is an element
+     *
+     *     X := a^((q+1)/2) * y^(k/2),
+     *
+     * and it satisfies
+     *
+     *     X^2 = a^q * a     * y^k
+     *         = a,
+     *
+     * so it is the square root that we are looking for.
+     */
 
     /* t := (q-1)/2  (note that  q  is odd) */
     if (!BN_rshift1(t, q))
@@ -333,15 +333,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
         goto end;
 
     while (1) {
-                /*-
-                 * Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
-                 * where  E  refers to the original value of  e,  which we
-                 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
-                 *
-                 * We have  a*b = x^2,
-                 *    y^2^(e-1) = -1,
-                 *    b^2^(e-1) = 1.
-                 */
+        /*-
+         * Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+         * where  E  refers to the original value of  e,  which we
+         * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
+         *
+         * We have  a*b = x^2,
+         *    y^2^(e-1) = -1,
+         *    b^2^(e-1) = 1.
+         */
 
         if (BN_is_one(b)) {
             if (!BN_copy(ret, x))

crypto/buffer/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/camellia/Makefile

@@ -73,6 +73,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/cast/Makefile

@@ -69,6 +69,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/cast/casttest.c

@@ -134,9 +134,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = {
     0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F,
     0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A,
     0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45
-/*-     0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
-        0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
-        0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
+/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+    0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
+    0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 };
 # endif
 

crypto/cms/Makefile

@@ -65,6 +65,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/cms/cms_smime.c

@@ -131,7 +131,7 @@ static void do_free_upto(BIO *f, BIO *upto)
             BIO_free(f);
             f = tbio;
         }
-        while (f != upto);
+        while (f && f != upto);
     } else
         BIO_free_all(f);
 }

crypto/comp/Makefile

@@ -64,6 +64,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)

crypto/conf/Makefile

@@ -64,6 +64,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)

crypto/conf/conf_def.c

@@ -567,16 +567,16 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                 }
                 e++;
             }
-                        /*-
-                         * So at this point we have
-                         * np which is the start of the name string which is
-                         *   '\0' terminated.
-                         * cp which is the start of the section string which is
-                         *   '\0' terminated.
-                         * e is the 'next point after'.
-                         * r and rr are the chars replaced by the '\0'
-                         * rp and rrp is where 'r' and 'rr' came from.
-                         */
+            /*-
+             * So at this point we have
+             * np which is the start of the name string which is
+             *   '\0' terminated.
+             * cp which is the start of the section string which is
+             *   '\0' terminated.
+             * e is the 'next point after'.
+             * r and rr are the chars replaced by the '\0'
+             * rp and rrp is where 'r' and 'rr' came from.
+             */
             p = _CONF_get_string(conf, cp, np);
             if (rrp != NULL)
                 *rrp = rr;

crypto/cryptlib.c

@@ -776,8 +776,6 @@ int OPENSSL_isservice(void)
     if (_OPENSSL_isservice.p != (void *)-1)
         return (*_OPENSSL_isservice.f) ();
 
-    (void)GetDesktopWindow();   /* return value is ignored */
-
     h = GetProcessWindowStation();
     if (h == NULL)
         return -1;

crypto/des/Makefile

@@ -94,6 +94,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/des/des.c

@@ -228,14 +228,14 @@ int main(int argc, char **argv)
     }
     if (error)
         usage();
-        /*-
-         * We either
-         * do checksum or
-         * do encrypt or
-         * do decrypt or
-         * do decrypt then ckecksum or
-         * do checksum then encrypt
-         */
+    /*-
+     * We either
+     * do checksum or
+     * do encrypt or
+     * do decrypt or
+     * do decrypt then ckecksum or
+     * do checksum then encrypt
+     */
     if (((eflag + dflag) == 1) || cflag) {
         if (eflag)
             do_encrypt = DES_ENCRYPT;

crypto/des/destest.c

@@ -404,13 +404,13 @@ int main(int argc, char *argv[])
                           DES_ENCRYPT);
     DES_ede3_cbcm_encrypt(&cbc_data[16], &cbc_out[16], i - 16, &ks, &ks2,
                           &ks3, &iv3, &iv2, DES_ENCRYPT);
-        /*-     if (memcmp(cbc_out,cbc3_ok,
-                (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
-                {
-                printf("des_ede3_cbc_encrypt encrypt error\n");
-                err=1;
-                }
-        */
+/*- if (memcmp(cbc_out,cbc3_ok,
+        (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
+        {
+        printf("des_ede3_cbc_encrypt encrypt error\n");
+        err=1;
+        }
+*/
     memcpy(iv3, cbc_iv, sizeof(cbc_iv));
     memset(iv2, '\0', sizeof iv2);
     DES_ede3_cbcm_encrypt(cbc_out, cbc_in, i, &ks, &ks2, &ks3, &iv3, &iv2,

crypto/des/enc_read.c

@@ -205,12 +205,12 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
          */
         num = len;
     } else {
-                /*-
-                 * >output is a multiple of 8 byes, if len < rnum
-                 * >we must be careful.  The user must be aware that this
-                 * >routine will write more bytes than he asked for.
-                 * >The length of the buffer must be correct.
-                 * FIXED - Should be ok now 18-9-90 - eay */
+        /*-
+         * >output is a multiple of 8 byes, if len < rnum
+         * >we must be careful.  The user must be aware that this
+         * >routine will write more bytes than he asked for.
+         * >The length of the buffer must be correct.
+         * FIXED - Should be ok now 18-9-90 - eay */
         if (len < rnum) {
 
             if (DES_rw_mode & DES_PCBC_MODE)

crypto/des/ofb64ede.c

@@ -102,8 +102,8 @@ void DES_ede3_ofb64_encrypt(register const unsigned char *in,
         n = (n + 1) & 0x07;
     }
     if (save) {
-/*-             v0=ti[0];
-                v1=ti[1];*/
+/*-     v0=ti[0];
+        v1=ti[1];*/
         iv = &(*ivec)[0];
         l2c(v0, iv);
         l2c(v1, iv);

crypto/des/spr.h

@@ -58,180 +58,155 @@
 
 OPENSSL_GLOBAL const DES_LONG DES_SPtrans[8][64] = {
     {
-/* nibble 0 */
-     0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
-     0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
-     0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
-     0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
-     0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
-     0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
-     0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
-     0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
-     0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
-     0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
-     0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
-     0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
-     0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
-     0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
-     0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
-     0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
-     }, {
-/* nibble 1 */
-         0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
-         0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
-         0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
-         0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
-         0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
-         0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
-         0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
-         0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
-         0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
-         0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
-         0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
-         0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
-         0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
-         0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
-         0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
-         0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
-         }, {
-/* nibble 2 */
-             0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
-             0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
-             0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
-             0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
-             0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
-             0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
-             0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
-             0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
-             0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
-             0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
-             0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
-             0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
-             0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
-             0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
-             0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
-             0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
-             }, {
-/* nibble 3 */
-                 0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
-                 0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
-                 0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
-                 0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
-                 0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
-                 0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
-                 0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
-                 0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
-                 0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
-                 0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
-                 0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
-                 0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
-                 0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
-                 0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
-                 0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
-                 0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
-                 }, {
-/* nibble 4 */
-                     0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
-                     0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
-                     0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
-                     0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
-                     0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
-                     0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
-                     0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
-                     0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
-                     0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
-                     0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
-                     0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
-                     0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
-                     0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
-                     0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
-                     0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
-                     0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
-                     }, {
-/* nibble 5 */
-                         0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
-                         0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
-                         0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
-                         0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
-                         0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
-                         0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
-                         0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
-                         0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
-                         0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
-                         0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
-                         0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
-                         0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
-                         0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
-                         0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
-                         0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
-                         0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
-                         }, {
-/* nibble 6 */
-                             0x00004000L, 0x00000200L, 0x01000200L,
-                             0x01000004L,
-                             0x01004204L, 0x00004004L, 0x00004200L,
-                             0x00000000L,
-                             0x01000000L, 0x01000204L, 0x00000204L,
-                             0x01004000L,
-                             0x00000004L, 0x01004200L, 0x01004000L,
-                             0x00000204L,
-                             0x01000204L, 0x00004000L, 0x00004004L,
-                             0x01004204L,
-                             0x00000000L, 0x01000200L, 0x01000004L,
-                             0x00004200L,
-                             0x01004004L, 0x00004204L, 0x01004200L,
-                             0x00000004L,
-                             0x00004204L, 0x01004004L, 0x00000200L,
-                             0x01000000L,
-                             0x00004204L, 0x01004000L, 0x01004004L,
-                             0x00000204L,
-                             0x00004000L, 0x00000200L, 0x01000000L,
-                             0x01004004L,
-                             0x01000204L, 0x00004204L, 0x00004200L,
-                             0x00000000L,
-                             0x00000200L, 0x01000004L, 0x00000004L,
-                             0x01000200L,
-                             0x00000000L, 0x01000204L, 0x01000200L,
-                             0x00004200L,
-                             0x00000204L, 0x00004000L, 0x01004204L,
-                             0x01000000L,
-                             0x01004200L, 0x00000004L, 0x00004004L,
-                             0x01004204L,
-                             0x01000004L, 0x01004200L, 0x01004000L,
-                             0x00004004L,
-                             }, {
-/* nibble 7 */
-                                 0x20800080L, 0x20820000L, 0x00020080L,
-                                 0x00000000L,
-                                 0x20020000L, 0x00800080L, 0x20800000L,
-                                 0x20820080L,
-                                 0x00000080L, 0x20000000L, 0x00820000L,
-                                 0x00020080L,
-                                 0x00820080L, 0x20020080L, 0x20000080L,
-                                 0x20800000L,
-                                 0x00020000L, 0x00820080L, 0x00800080L,
-                                 0x20020000L,
-                                 0x20820080L, 0x20000080L, 0x00000000L,
-                                 0x00820000L,
-                                 0x20000000L, 0x00800000L, 0x20020080L,
-                                 0x20800080L,
-                                 0x00800000L, 0x00020000L, 0x20820000L,
-                                 0x00000080L,
-                                 0x00800000L, 0x00020000L, 0x20000080L,
-                                 0x20820080L,
-                                 0x00020080L, 0x20000000L, 0x00000000L,
-                                 0x00820000L,
-                                 0x20800080L, 0x20020080L, 0x20020000L,
-                                 0x00800080L,
-                                 0x20820000L, 0x00000080L, 0x00800080L,
-                                 0x20020000L,
-                                 0x20820080L, 0x00800000L, 0x20800000L,
-                                 0x20000080L,
-                                 0x00820000L, 0x00020080L, 0x20020080L,
-                                 0x20800000L,
-                                 0x00000080L, 0x20820000L, 0x00820080L,
-                                 0x00000000L,
-                                 0x20000000L, 0x20800080L, 0x00020000L,
-                                 0x00820080L,
-                                 }
+        /* nibble 0 */
+        0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
+        0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
+        0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
+        0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
+        0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
+        0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
+        0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
+        0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
+        0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
+        0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
+        0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
+        0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
+        0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
+        0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
+        0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
+        0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
+    },
+    {
+        /* nibble 1 */
+        0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
+        0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
+        0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
+        0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
+        0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
+        0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
+        0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
+        0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
+        0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
+        0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
+        0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
+        0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
+        0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
+        0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
+        0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
+        0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
+    },
+    {
+        /* nibble 2 */
+        0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
+        0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
+        0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
+        0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
+        0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
+        0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
+        0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
+        0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
+        0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
+        0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
+        0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
+        0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
+        0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
+        0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
+        0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
+        0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
+    },
+    {
+        /* nibble 3 */
+        0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
+        0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
+        0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
+        0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
+        0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
+        0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
+        0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
+        0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
+        0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
+        0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
+        0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
+        0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
+        0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
+        0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
+        0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
+        0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
+    },
+    {
+        /* nibble 4 */
+        0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
+        0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
+        0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
+        0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
+        0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
+        0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
+        0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
+        0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
+        0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
+        0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
+        0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
+        0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
+        0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
+        0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
+        0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
+        0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
+    },
+    {
+        /* nibble 5 */
+        0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
+        0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
+        0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
+        0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
+        0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
+        0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
+        0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
+        0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
+        0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
+        0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
+        0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
+        0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
+        0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
+        0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
+        0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
+        0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
+    },
+    {
+        /* nibble 6 */
+        0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
+        0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
+        0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
+        0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
+        0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
+        0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
+        0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
+        0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
+        0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
+        0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
+        0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
+        0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
+        0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
+        0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
+        0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
+        0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
+    },
+    {
+        /* nibble 7 */
+        0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
+        0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
+        0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
+        0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
+        0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
+        0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
+        0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
+        0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
+        0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
+        0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
+        0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
+        0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
+        0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
+        0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
+        0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
+        0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
+    }
 };

crypto/dh/Makefile

@@ -63,6 +63,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/dh/dh_ameth.c

@@ -215,7 +215,7 @@ static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 
     EVP_PKEY_assign_DH(pkey, dh);
 
-    ASN1_INTEGER_free(privkey);
+    ASN1_STRING_clear_free(privkey);
 
     return 1;
 
@@ -223,6 +223,7 @@ static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
     DHerr(DH_F_DH_PRIV_DECODE, EVP_R_DECODE_ERROR);
  dherr:
     DH_free(dh);
+    ASN1_STRING_clear_free(privkey);
     return 0;
 }
 
@@ -257,7 +258,8 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
     dplen = i2d_ASN1_INTEGER(prkey, &dp);
 
-    ASN1_INTEGER_free(prkey);
+    ASN1_STRING_clear_free(prkey);
+    prkey = NULL;
 
     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dhKeyAgreement), 0,
                          V_ASN1_SEQUENCE, params, dp, dplen))
@@ -271,7 +273,7 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     if (params != NULL)
         ASN1_STRING_free(params);
     if (prkey != NULL)
-        ASN1_INTEGER_free(prkey);
+        ASN1_STRING_clear_free(prkey);
     return 0;
 }
 

crypto/dsa/Makefile

@@ -63,6 +63,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/dsa/dsa_ameth.c

@@ -200,11 +200,11 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
             goto decerr;
         if (sk_ASN1_TYPE_num(ndsa) != 2)
             goto decerr;
-                /*-
-                 * Handle Two broken types:
-                 * SEQUENCE {parameters, priv_key}
-                 * SEQUENCE {pub_key, priv_key}
-                 */
+        /*-
+         * Handle Two broken types:
+         * SEQUENCE {parameters, priv_key}
+         * SEQUENCE {pub_key, priv_key}
+         */
 
         t1 = sk_ASN1_TYPE_value(ndsa, 0);
         t2 = sk_ASN1_TYPE_value(ndsa, 1);
@@ -226,7 +226,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
             goto decerr;
         if (privkey->type == V_ASN1_NEG_INTEGER) {
             p8->broken = PKCS8_NEG_PRIVKEY;
-            ASN1_INTEGER_free(privkey);
+            ASN1_STRING_clear_free(privkey);
             if (!(privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen)))
                 goto decerr;
         }
@@ -264,7 +264,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
     if (ndsa)
         sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
     else
-        ASN1_INTEGER_free(privkey);
+        ASN1_STRING_clear_free(privkey);
 
     return 1;
 
@@ -273,7 +273,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
  dsaerr:
     BN_CTX_free(ctx);
     if (privkey)
-        ASN1_INTEGER_free(privkey);
+        ASN1_STRING_clear_free(privkey);
     sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
     DSA_free(dsa);
     return 0;
@@ -315,7 +315,7 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
     dplen = i2d_ASN1_INTEGER(prkey, &dp);
 
-    ASN1_INTEGER_free(prkey);
+    ASN1_STRING_clear_free(prkey);
 
     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0,
                          V_ASN1_SEQUENCE, params, dp, dplen))
@@ -329,7 +329,7 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     if (params != NULL)
         ASN1_STRING_free(params);
     if (prkey != NULL)
-        ASN1_INTEGER_free(prkey);
+        ASN1_STRING_clear_free(prkey);
     return 0;
 }
 

crypto/dsa/dsa_ossl.c

@@ -106,23 +106,23 @@ static DSA_METHOD openssl_dsa_meth = {
 #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
         do { \
         int _tmp_res53; \
-        if((dsa)->meth->dsa_mod_exp) \
+        if ((dsa)->meth->dsa_mod_exp) \
                 _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
                                 (a2), (p2), (m), (ctx), (in_mont)); \
         else \
                 _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
                                 (m), (ctx), (in_mont)); \
-        if(!_tmp_res53) err_instr; \
+        if (!_tmp_res53) err_instr; \
         } while(0)
 #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
         do { \
         int _tmp_res53; \
-        if((dsa)->meth->bn_mod_exp) \
+        if ((dsa)->meth->bn_mod_exp) \
                 _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
                                 (m), (ctx), (m_ctx)); \
         else \
                 _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
-        if(!_tmp_res53) err_instr; \
+        if (!_tmp_res53) err_instr; \
         } while(0)
 
 const DSA_METHOD *DSA_OpenSSL(void)

crypto/dso/Makefile

@@ -63,6 +63,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/dso/dso_lib.c

@@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname)
  * honest. For one thing, I think I have to return a negative value for any
  * error because possible DSO_ctrl() commands may return values such as
  * "size"s that can legitimately be zero (making the standard
- * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd
+ * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd
  * times. I'd prefer "output" values to be passed by reference and the return
  * value as success/failure like usual ... but we conform when we must... :-)
  */

crypto/dso/dso_vms.c

@@ -178,23 +178,23 @@ static int vms_load(DSO *dso)
         goto err;
     }
 
-        /*-
-         * A file specification may look like this:
-         *
-         *      node::dev:[dir-spec]name.type;ver
-         *
-         * or (for compatibility with TOPS-20):
-         *
-         *      node::dev:<dir-spec>name.type;ver
-         *
-         * and the dir-spec uses '.' as separator.  Also, a dir-spec
-         * may consist of several parts, with mixed use of [] and <>:
-         *
-         *      [dir1.]<dir2>
-         *
-         * We need to split the file specification into the name and
-         * the rest (both before and after the name itself).
-         */
+    /*-
+     * A file specification may look like this:
+     *
+     *      node::dev:[dir-spec]name.type;ver
+     *
+     * or (for compatibility with TOPS-20):
+     *
+     *      node::dev:<dir-spec>name.type;ver
+     *
+     * and the dir-spec uses '.' as separator.  Also, a dir-spec
+     * may consist of several parts, with mixed use of [] and <>:
+     *
+     *      [dir1.]<dir2>
+     *
+     * We need to split the file specification into the name and
+     * the rest (both before and after the name itself).
+     */
     /*
      * Start with trying to find the end of a dir-spec, and save the position
      * of the byte after in sp1

crypto/ec/Makefile

@@ -66,6 +66,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/ec/ec.h

@@ -116,14 +116,14 @@ typedef enum {
 typedef struct ec_method_st EC_METHOD;
 
 typedef struct ec_group_st
-        /*-
-         EC_METHOD *meth;
-         -- field definition
-         -- curve coefficients
-         -- optional generator with associated information (order, cofactor)
-         -- optional extra data (precomputed table for fast computation of multiples of generator)
-         -- ASN1 stuff
-        */
+    /*-
+     EC_METHOD *meth;
+     -- field definition
+     -- curve coefficients
+     -- optional generator with associated information (order, cofactor)
+     -- optional extra data (precomputed table for fast computation of multiples of generator)
+     -- ASN1 stuff
+    */
     EC_GROUP;
 
 typedef struct ec_point_st EC_POINT;

crypto/ec/ec2_smpl.c

@@ -755,7 +755,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
     }
 
     /* test required by X9.62 */
-    if (!EC_POINT_is_on_curve(group, point, ctx)) {
+    if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
         ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
         goto err;
     }
@@ -950,12 +950,12 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
     if (lh == NULL)
         goto err;
 
-        /*-
-         * We have a curve defined by a Weierstrass equation
-         *      y^2 + x*y = x^3 + a*x^2 + b.
-         *  <=> x^3 + a*x^2 + x*y + b + y^2 = 0
-         *  <=> ((x + a) * x + y ) * x + b + y^2 = 0
-         */
+    /*-
+     * We have a curve defined by a Weierstrass equation
+     *      y^2 + x*y = x^3 + a*x^2 + b.
+     *  <=> x^3 + a*x^2 + x*y + b + y^2 = 0
+     *  <=> ((x + a) * x + y ) * x + b + y^2 = 0
+     */
     if (!BN_GF2m_add(lh, &point->X, &group->a))
         goto err;
     if (!field_mul(group, lh, lh, &point->X, ctx))

crypto/ec/ec_asn1.c

@@ -1014,8 +1014,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
@@ -1083,10 +1081,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         ret->enc_flag |= EC_PKEY_NO_PUBKEY;
     }
 
+    if (a)
+        *a = ret;
     ok = 1;
  err:
     if (!ok) {
-        if (ret)
+        if (ret && (a == NULL || *a != ret))
             EC_KEY_free(ret);
         ret = NULL;
     }
@@ -1213,16 +1213,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
     if (!d2i_ECPKParameters(&ret->group, in, len)) {
         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+        if (a == NULL || *a != ret)
+             EC_KEY_free(ret);
         return NULL;
     }
 
+    if (a)
+        *a = ret;
+
     return ret;
 }
 

crypto/ec/ec_check.c

@@ -85,7 +85,7 @@ int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
         ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
         goto err;
     }
-    if (!EC_POINT_is_on_curve(group, group->generator, ctx)) {
+    if (EC_POINT_is_on_curve(group, group->generator, ctx) <= 0) {
         ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
         goto err;
     }

crypto/ec/ec_key.c

@@ -304,7 +304,7 @@ int EC_KEY_check_key(const EC_KEY *eckey)
         goto err;
 
     /* testing whether the pub_key is on the elliptic curve */
-    if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) {
+    if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
         ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
         goto err;
     }

crypto/ec/ec_lcl.h

@@ -115,14 +115,14 @@ struct ec_method_st {
     void (*point_finish) (EC_POINT *);
     void (*point_clear_finish) (EC_POINT *);
     int (*point_copy) (EC_POINT *, const EC_POINT *);
-        /*-
-         * used by EC_POINT_set_to_infinity,
-         * EC_POINT_set_Jprojective_coordinates_GFp,
-         * EC_POINT_get_Jprojective_coordinates_GFp,
-         * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
-         * EC_POINT_get_affine_coordinates_GFp,     ..._GF2m,
-         * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
-         */
+    /*-
+     * used by EC_POINT_set_to_infinity,
+     * EC_POINT_set_Jprojective_coordinates_GFp,
+     * EC_POINT_get_Jprojective_coordinates_GFp,
+     * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
+     * EC_POINT_get_affine_coordinates_GFp,     ..._GF2m,
+     * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
+     */
     int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
     int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
                                                   EC_POINT *, const BIGNUM *x,

crypto/ec/ec_lib.c

@@ -993,6 +993,13 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
     return group->meth->is_at_infinity(group, point);
 }
 
+/*
+ * Check whether an EC_POINT is on the curve or not. Note that the return
+ * value for this function should NOT be treated as a boolean. Return values:
+ *  1: The point is on the curve
+ *  0: The point is not on the curve
+ * -1: An error occurred
+ */
 int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
                          BN_CTX *ctx)
 {

crypto/ec/ec_mult.c

@@ -602,13 +602,13 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     if (!(tmp = EC_POINT_new(group)))
         goto err;
 
-        /*-
-         * prepare precomputed values:
-         *    val_sub[i][0] :=     points[i]
-         *    val_sub[i][1] := 3 * points[i]
-         *    val_sub[i][2] := 5 * points[i]
-         *    ...
-         */
+    /*-
+     * prepare precomputed values:
+     *    val_sub[i][0] :=     points[i]
+     *    val_sub[i][1] := 3 * points[i]
+     *    val_sub[i][2] := 5 * points[i]
+     *    ...
+     */
     for (i = 0; i < num + num_scalar; i++) {
         if (i < num) {
             if (!EC_POINT_copy(val_sub[i][0], points[i]))

crypto/ec/ecp_smpl.c

@@ -312,11 +312,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
             goto err;
     }
 
-        /*-
-         * check the discriminant:
-         * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
-         * 0 =< a, b < p
-         */
+    /*-
+     * check the discriminant:
+     * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
+     * 0 =< a, b < p
+     */
     if (BN_is_zero(a)) {
         if (BN_is_zero(b))
             goto err;
@@ -668,11 +668,11 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
     if (y == NULL)
         goto err;
 
-        /*-
-         * Recover y.  We have a Weierstrass equation
-         *     y^2 = x^3 + a*x + b,
-         * so  y  is one of the square roots of  x^3 + a*x + b.
-         */
+    /*-
+     * Recover y.  We have a Weierstrass equation
+     *     y^2 = x^3 + a*x + b,
+     * so  y  is one of the square roots of  x^3 + a*x + b.
+     */
 
     /* tmp1 := x^3 */
     if (!BN_nnmod(x, x_, &group->field, ctx))
@@ -985,7 +985,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
     }
 
     /* test required by X9.62 */
-    if (!EC_POINT_is_on_curve(group, point, ctx)) {
+    if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
         ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
         goto err;
     }
@@ -1251,10 +1251,10 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
             goto err;
         if (!BN_mod_add_quick(n1, n0, n1, p))
             goto err;
-                /*-
-                 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
-                 *    = 3 * X_a^2 - 3 * Z_a^4
-                 */
+        /*-
+         * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
+         *    = 3 * X_a^2 - 3 * Z_a^4
+         */
     } else {
         if (!field_sqr(group, n0, &a->X, ctx))
             goto err;
@@ -1375,15 +1375,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
     if (Z6 == NULL)
         goto err;
 
-        /*-
-         * We have a curve defined by a Weierstrass equation
-         *      y^2 = x^3 + a*x + b.
-         * The point to consider is given in Jacobian projective coordinates
-         * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
-         * Substituting this and multiplying by  Z^6  transforms the above equation into
-         *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
-         * To test this, we add up the right-hand side in 'rh'.
-         */
+    /*-
+     * We have a curve defined by a Weierstrass equation
+     *      y^2 = x^3 + a*x + b.
+     * The point to consider is given in Jacobian projective coordinates
+     * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
+     * Substituting this and multiplying by  Z^6  transforms the above equation into
+     *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
+     * To test this, we add up the right-hand side in 'rh'.
+     */
 
     /* rh := X^2 */
     if (!field_sqr(group, rh, &point->X, ctx))
@@ -1450,12 +1450,12 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
                       const EC_POINT *b, BN_CTX *ctx)
 {
-        /*-
-         * return values:
-         *  -1   error
-         *   0   equal (in affine coordinates)
-         *   1   not equal
-         */
+    /*-
+     * return values:
+     *  -1   error
+     *   0   equal (in affine coordinates)
+     *   1   not equal
+     */
 
     int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
                       const BIGNUM *, BN_CTX *);
@@ -1494,12 +1494,12 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
     if (Zb23 == NULL)
         goto end;
 
-        /*-
-         * We have to decide whether
-         *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
-         * or equivalently, whether
-         *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
-         */
+    /*-
+     * We have to decide whether
+     *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
+     * or equivalently, whether
+     *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
+     */
 
     if (!b->Z_is_one) {
         if (!field_sqr(group, Zb23, &b->Z, ctx))

crypto/ec/ectest.c

@@ -303,7 +303,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, Q, ctx)) {
+    if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) {
         if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx))
             ABORT;
         fprintf(stderr, "Point is not on curve: x = 0x");
@@ -436,7 +436,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257"))
         ABORT;
@@ -501,7 +501,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"))
         ABORT;
@@ -570,7 +570,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn
         (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"))
@@ -645,7 +645,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
                    "84F3B9CAC2FC632551"))
@@ -717,7 +717,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                    "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@@ -792,7 +792,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                    "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@@ -852,7 +852,7 @@ void prime_field_tests()
         ABORT;
     if (!EC_POINT_dbl(group, P, P, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!EC_POINT_invert(group, Q, ctx))
         ABORT;                  /* P = -2Q */
@@ -994,7 +994,7 @@ void prime_field_tests()
 #  define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
         if (!BN_hex2bn(&x, _x)) ABORT; \
         if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \
-        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+        if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
         if (!BN_hex2bn(&z, _order)) ABORT; \
         if (!BN_hex2bn(&cof, _cof)) ABORT; \
         if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
@@ -1012,7 +1012,7 @@ void prime_field_tests()
         if (!BN_hex2bn(&x, _x)) ABORT; \
         if (!BN_hex2bn(&y, _y)) ABORT; \
         if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
-        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+        if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
         if (!BN_hex2bn(&z, _order)) ABORT; \
         if (!BN_hex2bn(&cof, _cof)) ABORT; \
         if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
@@ -1151,7 +1151,7 @@ void char2_field_tests()
     if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx))
         ABORT;
 # endif
-    if (!EC_POINT_is_on_curve(group, Q, ctx)) {
+    if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) {
 /* Change test based on whether binary point compression is enabled or not. */
 # ifdef OPENSSL_EC_BIN_PT_COMP
         if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx))
@@ -1372,7 +1372,7 @@ void char2_field_tests()
         ABORT;
     if (!EC_POINT_dbl(group, P, P, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!EC_POINT_invert(group, Q, ctx))
         ABORT;                  /* P = -2Q */

crypto/ecdh/Makefile

@@ -62,6 +62,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/ecdsa/Makefile

@@ -62,6 +62,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/engine/Makefile

@@ -69,6 +69,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/err/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/evp/Makefile

@@ -84,6 +84,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)

crypto/hmac/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/idea/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/idea/ideatest.c

@@ -102,9 +102,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = {
     0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F,
     0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A,
     0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45
-/*-     0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
-        0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
-        0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
+/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+    0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
+    0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 };
 
 static int cfb64_test(unsigned char *cfb_cipher);

crypto/jpake/Makefile

@@ -32,6 +32,8 @@ install:
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/krb5/Makefile

@@ -62,6 +62,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)

crypto/lhash/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/lhash/lhash.c

@@ -434,9 +434,9 @@ unsigned long lh_strhash(const char *c)
     if ((c == NULL) || (*c == '\0'))
         return (ret);
 /*-
-        unsigned char b[16];
-        MD5(c,strlen(c),b);
-        return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24));
+    unsigned char b[16];
+    MD5(c,strlen(c),b);
+    return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24));
 */
 
     n = 0x100;

crypto/md2/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/md32_common.h

@@ -225,15 +225,13 @@
 #  define HOST_c2l(c,l)   (l =(((unsigned long)(*((c)++)))<<24),          \
                          l|=(((unsigned long)(*((c)++)))<<16),          \
                          l|=(((unsigned long)(*((c)++)))<< 8),          \
-                         l|=(((unsigned long)(*((c)++)))    ),          \
-                         l)
+                         l|=(((unsigned long)(*((c)++)))    )   )
 # endif
 # ifndef HOST_l2c
 #  define HOST_l2c(l,c)   (*((c)++)=(unsigned char)(((l)>>24)&0xff),      \
                          *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
                          *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
-                         *((c)++)=(unsigned char)(((l)    )&0xff),      \
-                         l)
+                         *((c)++)=(unsigned char)(((l)    )&0xff)   )
 # endif
 
 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
@@ -253,8 +251,8 @@
 # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
 #  ifndef B_ENDIAN
    /* See comment in DATA_ORDER_IS_BIG_ENDIAN section. */
-#   define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, l)
-#   define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, l)
+#   define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4)
+#   define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4)
 #  endif
 # endif
 

crypto/md4/Makefile

@@ -62,6 +62,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/md5/Makefile

@@ -76,6 +76,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

crypto/mdc2/Makefile

@@ -61,6 +61,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)