Move the readdir() lines out of the if statement, so
that flist is available globally.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Say where to email bug reports.
Mention general RT tracker info in a separate paragraph.
Reviewed-by: NTim Hudson <tjh@openssl.org>

This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit.  Need more code-review? :)
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Previous commit was reviewed by Geoff, not Stephen:
Reviewed-by: NGeoff Thorpe <geoff@openssl.org>

For portability don't use "if ! expr"
Reviewed-by: NGeoff Thorpe <geoff@openssl.org>

For portability don't use "if ! expr"
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

This is a more comprehensive fix.  It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1.  This is from
Kurt's upstream Debian changes.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

For consistency.
Reviewed-by: NBodo Moeller <bodo@openssl.org>

In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but
the low-level functions are not public. They are useful, no need
to make them static. Note that BITSTRING already was exposed since
this RT was created, so now we just export IA5STRING functions.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The documentation is wrong about what happens when the
session cache fills up.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

I added some error-checking while integrating this patch.
Reviewed-by: NTim Hudson <tjh@openssl.org>

pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The original RT request included a patch.  By the time
we got around to doing it, however, the callback scheme
had changed. So I wrote a new function RSA_check_key_ex()
that uses the BN_GENCB callback.  But thanks very much
to Vinet Sharma <vineet.sharma@gmail.com> for the
initial implementation.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Copy the ifdef/undef stanza from x509.h to x509v3.h
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

In the current code, the check isn't redundant.
And in fact the REAL check was missing.
This avoids a NULL-deref crash.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Also, I (rsalz) changed "#ifdef undef" to "#if 0"
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

empty merge; script hiccup.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

The function returns 0 or 1, only.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

The function returns 0 or 1, only.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Regexp was bracketed wrong.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NDr Stephen Henson <steve@openssl.org>

i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NDr Stephen Henson <steve@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)
Reviewed-by: NRich Salz <rsalz@openssl.org>

string returns 0 with errno = ENOENT.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Can't really happen, but the flow of control isn't obvious.
Add an initializer.
Reviewed-by: NMatt Caswell <matt@openssl.org>

"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.
Reviewed-by: NGeoff Thorpe <geoff@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>