Allow inibit any policy flag to be set in apps.

Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.

Fix additional gcc 4.2 value not used warnings.

free of those objects

loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.

Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.

handling to support this.

callbacks.

based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.

verify logic to try to use an unexpired CRL if possible.

PR: 1097

expiry.

(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)

Remove more bogus shadow warnings.

Fix Win32 build system to use 'Makefile' instead of 'Makefile.ssl'.

a security threat on unexpecting applications.  Document and test.

 - Enforce that there should be no policy settings when the language
   is one of id-ppl-independent or id-ppl-inheritAll.
 - Add functionality to ssltest.c so that it can process proxy rights
   and check that they are set correctly.  Rights consist of ASCII
   letters, and the condition is a boolean expression that includes
   letters, parenthesis, &, | and ^.
 - Change the proxy certificate configurations so they get proxy
   rights that are understood by ssltest.c.
 - Add a script that tests proxy certificates with SSL operations.

Other changes:

 - Change the copyright end year in mkerr.pl.
 - make update.

failure and freeing up memory if a failure occurs.

PR:620

CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)

This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.

verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

PR: 393

I've covered all the memset()s I felt safe modifying, but may have missed some.

Epoch.  offset isn't such a measurement, so let's stop pretend it is.

Reject certificates with unhandled critical extensions.

See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.