failure and freeing up memory if a failure occurs.

PR:620

CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)

This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.

verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

PR: 393

I've covered all the memset()s I felt safe modifying, but may have missed some.

Epoch.  offset isn't such a measurement, so let's stop pretend it is.

Reject certificates with unhandled critical extensions.

See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.

setting stack (actually, array) values in ex_data. So only increment the
global counters if the underlying CRYPTO_get_ex_new_index() call succeeds.
This change doesn't make "ex_data" right (see the comment at the head of
ex_data.c to know why), but at least makes the source code marginally less
frustrating.

inherited from X509_STORE.

Add CRL checking options to other applications.

Initial CRL based revocation checking.

sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.

Only use the new informational verify codes if we
specifically ask for them.

Fix typo in docs.

add some whitespace for 'if ()', 'for ()', 'while ()' to distinguish
keywords from function names, and finally remove parens around return
values (why be stingy with whitespace but fill the source code
with an abundance of parentheses that are not needed to structure
expressions for readability?).

usually get a space between keyword and opening paranthesis
so that they don't look like function calls, where no space is
used.

Add support for settable verify time in X509_verify_cert().

Document rsautl utility.

The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.

The new code performs several tests on a candidate issuer
certificate based on certificate extensions.

It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.

Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...

This must have broken something though :-(

initialize ex_pathlen to -1 so it isn't checked if pathlen
is not present.

set ucert to NULL in apps/pkcs12.c otherwise it gets freed
twice.

remove extraneous '\r' in MIME encoder.

Allow a NULL to be passed to X509_gmtime_adj()


Make PKCS#7 code use definite length encoding rather then
the indefinite stuff it used previously.

ASN1_TIME fixes.

New function c2i_ASN1_OBJECT().

like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.

Fix bug which would free up a public key
twice if the verify callback tried to
continue after a signature failure.

where the new functions are mentioned.

eliminate some of the -Wcast-qual warnings (debug-ben-strict target)

Tidy up CRYPTO_EX_DATA structures.