information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.

a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.

Tidy CRL scoring system.

Add new CRL path validation error.

and CRL signing keys.

TODO: robustness checking on name forms.

handling to support this.

callbacks.

based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.

a security threat on unexpecting applications.  Document and test.

CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)

This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.

when trying to build a shared library on VMS or Windows...

verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.

I'll remember to try to compile this with warnings enabled next time :-)

This is currently *very* experimental and needs to be more fully integrated
with the main verification code.

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

Reject certificates with unhandled critical extensions.

See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.

sourcecode (including fgrep)

Purpose and trust setting functions for X509_STORE.

Tidy existing code.

inherited from X509_STORE.

Add CRL checking options to other applications.

Initial CRL based revocation checking.

sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.