and ASN1 code.

OCSP responses.

Documentation to follow...

Urgh.. this conflicted with the -VAfile patch I hope I haven't
broken it.

client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.

Bleichenbacher's DSA attack.  With this implementation, the expected
number of iterations never exceeds 2.

New semantics for BN_rand_range():
BN_rand_range(r, min, range) now generates r such that
     min <= r < min+range.
(Previously, BN_rand_range(r, min, max) generated r such that
     min <= r < max.
It is more convenient to have the range; also the previous
prototype was misleading because max was larger than
the actual maximum.)

Fix AES code.

Update Rijndael source to v3.0

Add AES OIDs.

Change most references of Rijndael to AES.

Add new draft AES ciphersuites.

request to response.

Various OCSP responder utility functions.

Delete obsolete OCSP functions.

Largely untested at present...

certificates.

One is a valid CA which has no basicConstraints
but does have certSign keyUsage.

Other is S/MIME signer with nonRepudiation but
no digitalSignature.

ciphersuites.

Fix PKCS7 and PKCS12 memory leaks.

Initialise encapsulated content type properly.

Enhance s2i_ASN1_INTEGER().

of status info. Check nonce values. Option to disable
verify. Update usage message.

Rename status to string functions and make them global.

accordance with RFC2560.

Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".

This allows keeping extensions in a separate configuration file.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>

non null terminated passwords.

New OCSP utility. This can generate, parse and print
OCSP requests. It can also query reponders and parse or
print out responses.

Still needs some more work: OCSP response checks and
of course documentation.

commands.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>

Submitted by: Damien Miller <djm@mindrot.org>

OCSP basic response verify. Very incomplete
but will verify the signatures on a response
and locate the signers certifcate.

Still needs to implement a proper OCSP certificate
verify.

Fix warning in RAND_egd().

allocation callbacks so that it is no longer visible to applications
that these live at a different call level than conventional memory
allocation callbacks.

Add '-d' option for 'openssl version' (included in '-a').

handling routines that need file name and line number information,
I've added a call level to our memory handling routines to allow that
kind of hooking.

unicode strings. Certain PKCS#12 files contain these
in BMPStrings and it used to crash on them.

only queried when the /dev/[u]random devices did not return enough
entropy. Only the amount of entropy missing to reach the required minimum
is queried, as EGD may be drained.
Queried locations are: /etc/entropy, /var/run/egd-pool