handling to support this.

based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.

and response verification.

Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller

Submitted by: David Hartman <david_hartman@symantec.com>

"make errors".

PR: 1182

PR: 1170
Submitted by: Yair Elharrar
Reviewed and edited by: Nils Larsch

Cosmetic changes to IDP printout.

[most importantly] put back dependencies accidentaly eliminated in
check-in #13342.

(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)

a security threat on unexpecting applications.  Document and test.

 - Enforce that there should be no policy settings when the language
   is one of id-ppl-independent or id-ppl-inheritAll.
 - Add functionality to ssltest.c so that it can process proxy rights
   and check that they are set correctly.  Rights consist of ASCII
   letters, and the condition is a boolean expression that includes
   letters, parenthesis, &, | and ^.
 - Change the proxy certificate configurations so they get proxy
   rights that are understood by ssltest.c.
 - Add a script that tests proxy certificates with SSL operations.

Other changes:

 - Change the copyright end year in mkerr.pl.
 - make update.

failure and freeing up memory if a failure occurs.

PR:620

check_ca(), to resolve constness issue.  check_ca() is called from the
purpose checkers instead of X509_check_ca(), since the stuff done by
the latter (except for calling check_ca()) is also done by
X509_check_purpose().

CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)