20 files changed, 1399 insertions, 950 deletions

diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl
deleted file mode 100644
index 66df90c346..0000000000
--- a/src/lib/libcrypto/x509v3/Makefile.ssl
+++ /dev/null
@@ -1,603 +0,0 @@
-#
-# SSLeay/crypto/x509v3/Makefile
-#
-
-DIR=    x509v3
-TOP=    ../..
-CC=     cc
-INCLUDES= -I.. -I$(TOP) -I../../include
-CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=           make -f Makefile.ssl
-MAKEDEPPROG=    makedepend
-MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=       Makefile.ssl
-AR=             ar r
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile README
-TEST=
-APPS=
-
-LIB=$(TOP)/libcrypto.a
-LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
-v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
-v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c
-LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
-v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o
-
-SRC= $(LIBSRC)
-
-EXHEADER= x509v3.h
-HEADER= $(EXHEADER)
-
-ALL=    $(GENERAL) $(SRC) $(HEADER)
-
-top:
-        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-
-all:    lib
-
-lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB) || echo Never mind.
-        @touch lib
-
-files:
-        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
-        @sh $(TOP)/util/point.sh Makefile.ssl Makefile
-        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-
-install:
-        @for i in $(EXHEADER) ; \
-        do  \
-        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-        done;
-
-tags:
-        ctags $(SRC)
-
-tests:
-
-lint:
-        lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
-        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-
-dclean:
-        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-        mv -f Makefile.new $(MAKEFILE)
-
-clean:
-        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-v3_akey.o: ../../e_os.h ../../include/openssl/aes.h
-v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_akey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_akey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_akey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_akey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_akey.o: ../cryptlib.h v3_akey.c
-v3_akeya.o: ../../e_os.h ../../include/openssl/aes.h
-v3_akeya.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_akeya.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_akeya.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_akeya.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_akeya.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_akeya.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_akeya.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_akeya.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_akeya.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_akeya.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_akeya.o: ../../include/openssl/opensslconf.h
-v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_akeya.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_akeya.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_akeya.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_akeya.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_akeya.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_akeya.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_akeya.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akeya.c
-v3_alt.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_alt.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_alt.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_alt.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_alt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_alt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_alt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_alt.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_alt.o: ../cryptlib.h v3_alt.c
-v3_bcons.o: ../../e_os.h ../../include/openssl/aes.h
-v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_bcons.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_bcons.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_bcons.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_bcons.o: ../../include/openssl/opensslconf.h
-v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_bcons.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_bcons.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_bcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_bcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_bcons.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bcons.c
-v3_bitst.o: ../../e_os.h ../../include/openssl/aes.h
-v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bitst.c
-v3_conf.o: ../../e_os.h ../../include/openssl/aes.h
-v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_conf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_conf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_conf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_conf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_conf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_conf.c
-v3_cpols.o: ../../e_os.h ../../include/openssl/aes.h
-v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_cpols.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_cpols.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_cpols.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_cpols.o: ../../include/openssl/opensslconf.h
-v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_cpols.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_cpols.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_cpols.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_cpols.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_cpols.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_cpols.c
-v3_crld.o: ../../e_os.h ../../include/openssl/aes.h
-v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_crld.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_crld.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_crld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_crld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_crld.o: ../cryptlib.h v3_crld.c
-v3_enum.o: ../../e_os.h ../../include/openssl/aes.h
-v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_enum.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_enum.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_enum.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_enum.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_enum.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_enum.c
-v3_extku.o: ../../e_os.h ../../include/openssl/aes.h
-v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_extku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_extku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_extku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_extku.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_extku.o: ../../include/openssl/opensslconf.h
-v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_extku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_extku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_extku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_extku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_extku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_extku.c
-v3_genn.o: ../../e_os.h ../../include/openssl/aes.h
-v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_genn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_genn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_genn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_genn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_genn.o: ../cryptlib.h v3_genn.c
-v3_ia5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_ia5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_ia5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_ia5.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_ia5.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_ia5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_ia5.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_ia5.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_ia5.o: ../cryptlib.h v3_ia5.c
-v3_info.o: ../../e_os.h ../../include/openssl/aes.h
-v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_info.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_info.o: ../cryptlib.h v3_info.c
-v3_int.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_int.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_int.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_int.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_int.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_int.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_int.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_int.o: ../cryptlib.h v3_int.c
-v3_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_lib.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_lib.o: ../cryptlib.h ext_dat.h v3_lib.c
-v3_ocsp.o: ../../e_os.h ../../include/openssl/aes.h
-v3_ocsp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_ocsp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_ocsp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_ocsp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_ocsp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_ocsp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_ocsp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
-v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ocsp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_ocsp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_ocsp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_ocsp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_ocsp.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_ocsp.o: ../cryptlib.h v3_ocsp.c
-v3_pku.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_pku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_pku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_pku.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_pku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
-v3_prn.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_prn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_prn.o: ../cryptlib.h v3_prn.c
-v3_purp.o: ../../e_os.h ../../include/openssl/aes.h
-v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_purp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_purp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_purp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_purp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_purp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_purp.c
-v3_skey.o: ../../e_os.h ../../include/openssl/aes.h
-v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_skey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_skey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_skey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_skey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_skey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_skey.c
-v3_sxnet.o: ../../e_os.h ../../include/openssl/aes.h
-v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_sxnet.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_sxnet.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_sxnet.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_sxnet.o: ../../include/openssl/opensslconf.h
-v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_sxnet.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_sxnet.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_sxnet.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_sxnet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_sxnet.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_sxnet.c
-v3_utl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_utl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_utl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_utl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_utl.o: ../cryptlib.h v3_utl.c
-v3err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3err.o: v3err.c
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 3eaec46f8a..76daee6fcd 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -61,21 +61,19 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
-#ifndef OPENSSL_NO_RFC3779
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
 extern X509V3_EXT_METHOD v3_addr, v3_asid;
-#endif
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
  */
 
-static X509V3_EXT_METHOD *standard_exts[] = {
+static const X509V3_EXT_METHOD *standard_exts[] = {
 &v3_nscert,
 &v3_ns_ia5_list[0],
 &v3_ns_ia5_list[1],
@@ -122,7 +120,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_pci,
 &v3_name_constraints,
 &v3_policy_mappings,
-&v3_inhibit_anyp
+&v3_inhibit_anyp,
+&v3_idp,
+&v3_alt[2],
+&v3_freshest_crl,
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index fb392b901f..3444b03195 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -82,17 +82,21 @@ void policy_data_free(X509_POLICY_DATA *data)
  * another source.
  */
 
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
+                                        const ASN1_OBJECT *cid, int crit)
         {
         X509_POLICY_DATA *ret;
-        if (!policy && !id)
+        ASN1_OBJECT *id;
+        if (!policy && !cid)
                 return NULL;
-        if (id)
+        if (cid)
                 {
-                id = OBJ_dup(id);
+                id = OBJ_dup(cid);
                 if (!id)
                         return NULL;
                 }
+        else
+                id = NULL;
         ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
         if (!ret)
                 return NULL;
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 6c87a7f506..92f6b24556 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -62,6 +62,75 @@
 
 #include "pcy_int.h"
 
+/* Enable this to print out the complete policy tree at various point during
+ * evaluation.
+ */
+
+/*#define OPENSSL_POLICY_DEBUG*/
+
+#ifdef OPENSSL_POLICY_DEBUG
+
+static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
+                                X509_POLICY_NODE *node, int indent)
+        {
+        if (        (lev->flags & X509_V_FLAG_INHIBIT_MAP)
+                || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
+                BIO_puts(err, "  Not Mapped\n");
+        else
+                {
+                int i;
+                STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
+                ASN1_OBJECT *oid;
+                BIO_puts(err, "  Expected: ");
+                for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
+                        {
+                        oid = sk_ASN1_OBJECT_value(pset, i);
+                        if (i)
+                                BIO_puts(err, ", ");
+                        i2a_ASN1_OBJECT(err, oid);
+                        }
+                BIO_puts(err, "\n");
+                }
+        }
+
+static void tree_print(char *str, X509_POLICY_TREE *tree,
+                        X509_POLICY_LEVEL *curr)
+        {
+        X509_POLICY_LEVEL *plev;
+        X509_POLICY_NODE *node;
+        int i;
+        BIO *err;
+        err = BIO_new_fp(stderr, BIO_NOCLOSE);
+        if (!curr)
+                curr = tree->levels + tree->nlevel;
+        else
+                curr++;
+        BIO_printf(err, "Level print after %s\n", str);
+        BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
+        for (plev = tree->levels; plev != curr; plev++)
+                {
+                BIO_printf(err, "Level %ld, flags = %x\n",
+                                plev - tree->levels, plev->flags);
+                for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
+                        {
+                        node = sk_X509_POLICY_NODE_value(plev->nodes, i);
+                        X509_POLICY_NODE_print(err, node, 2);
+                        expected_print(err, plev, node, 2);
+                        BIO_printf(err, "  Flags: %x\n", node->data->flags);
+                        }
+                if (plev->anyPolicy)
+                        X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
+                }
+
+        BIO_free(err);
+
+        }
+#else
+
+#define tree_print(a,b,c) /* */
+
+#endif
+
 /* Initialize policy tree. Return values:
  *  0 Some internal error occured.
  * -1 Inconsistent or invalid extensions in certificates.
@@ -87,8 +156,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         *ptree = NULL;
         n = sk_X509_num(certs);
 
+#if 0
         /* Disable policy mapping for now... */
         flags |= X509_V_FLAG_INHIBIT_MAP;
+#endif
 
         if (flags & X509_V_FLAG_EXPLICIT_POLICY)
                 explicit_policy = 0;
@@ -160,7 +231,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         tree->auth_policies = NULL;
         tree->user_policies = NULL;
 
-        if (!tree)
+        if (!tree->levels)
                 {
                 OPENSSL_free(tree);
                 return 0;
@@ -184,7 +255,6 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                 level++;
                 x = sk_X509_value(certs, i);
                 cache = policy_cache_set(x);
-
                 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
                 level->cert = x;
 
@@ -213,13 +283,13 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         level->flags |= X509_V_FLAG_INHIBIT_MAP;
                 else
                         {
-                        map_skip--;
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                map_skip--;
                         if ((cache->map_skip >= 0)
                                 && (cache->map_skip < map_skip))
                                 map_skip = cache->map_skip;
                         }
 
-
                 }
 
         *ptree = tree;
@@ -237,7 +307,32 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 
         }
 
-/* This corresponds to RFC3280 XXXX XXXXX:
+static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+                                const X509_POLICY_DATA *data)
+        {
+        X509_POLICY_LEVEL *last = curr - 1;
+        X509_POLICY_NODE *node;
+        int i, matched = 0;
+        /* Iterate through all in nodes linking matches */
+        for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
+                {
+                node = sk_X509_POLICY_NODE_value(last->nodes, i);
+                if (policy_node_match(last, node, data->valid_policy))
+                        {
+                        if (!level_add_node(curr, data, node, NULL))
+                                return 0;
+                        matched = 1;
+                        }
+                }
+        if (!matched && last->anyPolicy)
+                {
+                if (!level_add_node(curr, data, last->anyPolicy, NULL))
+                        return 0;
+                }
+        return 1;
+        }
+
+/* This corresponds to RFC3280 6.1.3(d)(1):
  * link any data from CertificatePolicies onto matching parent
  * or anyPolicy if no match.
  */
@@ -248,7 +343,6 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
         int i;
         X509_POLICY_LEVEL *last;
         X509_POLICY_DATA *data;
-        X509_POLICY_NODE *parent;
         last = curr - 1;
         for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
                 {
@@ -261,40 +355,109 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
                  * link because then it will have the mapping flags
                  * right and we can prune it later.
                  */
+#if 0
                 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
                         && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
                         continue;
-                /* Look for matching node in parent */
-                parent = level_find_node(last, data->valid_policy);
-                /* If no match link to anyPolicy */
-                if (!parent)
-                        parent = last->anyPolicy;
-                if (parent && !level_add_node(curr, data, parent, NULL))
+#endif
+                /* Look for matching nodes in previous level */
+                if (!tree_link_matching_nodes(curr, data))
                                 return 0;
                 }
         return 1;
         }
 
-/* This corresponds to RFC3280 XXXX XXXXX:
+/* This corresponds to RFC3280 6.1.3(d)(2):
  * Create new data for any unmatched policies in the parent and link
  * to anyPolicy.
  */
 
+static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+                        const X509_POLICY_CACHE *cache,
+                        const ASN1_OBJECT *id,
+                        X509_POLICY_NODE *node,
+                        X509_POLICY_TREE *tree)
+        {
+        X509_POLICY_DATA *data;
+        if (id == NULL)
+                id = node->data->valid_policy;
+        /* Create a new node with qualifiers from anyPolicy and
+         * id from unmatched node.
+         */
+        data = policy_data_new(NULL, id, node_critical(node));
+
+        if (data == NULL)
+                return 0;
+        /* Curr may not have anyPolicy */
+        data->qualifier_set = cache->anyPolicy->qualifier_set;
+        data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+        if (!level_add_node(curr, data, node, tree))
+                {
+                policy_data_free(data);
+                return 0;
+                }
+
+        return 1;
+        }
+
+static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
+                        const X509_POLICY_CACHE *cache,
+                        X509_POLICY_NODE *node,
+                        X509_POLICY_TREE *tree)
+        {
+        const X509_POLICY_LEVEL *last = curr - 1;
+        int i;
+
+        if (        (last->flags & X509_V_FLAG_INHIBIT_MAP)
+                || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
+                {
+                /* If no policy mapping: matched if one child present */
+                if (node->nchild)
+                        return 1;
+                if (!tree_add_unmatched(curr, cache, NULL, node, tree))
+                        return 0;
+                /* Add it */
+                }
+        else
+                {
+                /* If mapping: matched if one child per expected policy set */
+                STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
+                if (node->nchild == sk_ASN1_OBJECT_num(expset))
+                        return 1;
+                /* Locate unmatched nodes */
+                for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
+                        {
+                        ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
+                        if (level_find_node(curr, node, oid))
+                                continue;
+                        if (!tree_add_unmatched(curr, cache, oid, node, tree))
+                                return 0;
+                        }
+
+                }
+
+        return 1;
+
+        }
+
 static int tree_link_any(X509_POLICY_LEVEL *curr,
                         const X509_POLICY_CACHE *cache,
                         X509_POLICY_TREE *tree)
         {
         int i;
-        X509_POLICY_DATA *data;
+        /*X509_POLICY_DATA *data;*/
         X509_POLICY_NODE *node;
-        X509_POLICY_LEVEL *last;
-
-        last = curr - 1;
+        X509_POLICY_LEVEL *last = curr - 1;
 
         for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
                 {
                 node = sk_X509_POLICY_NODE_value(last->nodes, i);
 
+                if (!tree_link_unmatched(curr, cache, node, tree))
+                        return 0;
+
+#if 0
+
                 /* Skip any node with any children: we only want unmathced
                  * nodes.
                  *
@@ -303,6 +466,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
                  */
                 if (node->nchild)
                         continue;
+
                 /* Create a new node with qualifiers from anyPolicy and
                  * id from unmatched node.
                  */
@@ -319,6 +483,9 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
                         policy_data_free(data);
                         return 0;
                         }
+
+#endif
+
                 }
         /* Finally add link to anyPolicy */
         if (last->anyPolicy)
@@ -337,30 +504,36 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
 static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
         {
+        STACK_OF(X509_POLICY_NODE) *nodes;
         X509_POLICY_NODE *node;
         int i;
-        for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
+        nodes = curr->nodes;
+        if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
                 {
-                node = sk_X509_POLICY_NODE_value(curr->nodes, i);
-                /* Delete any mapped data: see RFC3280 XXXX */
-                if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
+                for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
                         {
-                        node->parent->nchild--;
-                        OPENSSL_free(node);
-                        (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
+                        node = sk_X509_POLICY_NODE_value(nodes, i);
+                        /* Delete any mapped data: see RFC3280 XXXX */
+                        if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
+                                {
+                                node->parent->nchild--;
+                                OPENSSL_free(node);
+                                (void)sk_X509_POLICY_NODE_delete(nodes,i);
+                                }
                         }
                 }
 
         for(;;) {
                 --curr;
-                for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
+                nodes = curr->nodes;
+                for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
                         {
-                        node = sk_X509_POLICY_NODE_value(curr->nodes, i);
+                        node = sk_X509_POLICY_NODE_value(nodes, i);
                         if (node->nchild == 0)
                                 {
                                 node->parent->nchild--;
                                 OPENSSL_free(node);
-                                (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
+                                (void)sk_X509_POLICY_NODE_delete(nodes, i);
                                 }
                         }
                 if (curr->anyPolicy && !curr->anyPolicy->nchild)
@@ -536,6 +709,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
                 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
                         && !tree_link_any(curr, cache, tree))
                         return 0;
+        tree_print("before tree_prune()", tree, curr);
                 ret = tree_prune(tree, curr);
                 if (ret != 1)
                         return ret;
@@ -604,7 +778,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
         *pexplicit_policy = 0;
         ret = tree_init(&tree, certs, flags);
 
-
         switch (ret)
                 {
 
@@ -613,6 +786,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
                 return 1;
 
                 /* Some internal error */
+                case -1:
+                return -1;
+
+                /* Some internal error */
                 case 0:
                 return 0;
 
@@ -646,6 +823,8 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
         if (!tree) goto error;
         ret = tree_evaluate(tree);
 
+        tree_print("tree_evaluate()", tree, NULL);
+
         if (ret <= 0)
                 goto error;
 
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index efdf7c3ba7..9087d66e0a 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -236,7 +236,7 @@ static int i2r_IPAddressOrRanges(BIO *out,
 /*
  * i2r handler for an IPAddrBlocks extension.
  */
-static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
+static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
                             void *ext,
                             BIO *out,
                             int indent)
@@ -315,8 +315,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
                                 const int length)
 {
   unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
-  int prefixlen_a = 0;
-  int prefixlen_b = 0;
+  int prefixlen_a = 0, prefixlen_b = 0;
   int r;
 
   switch (a->type) {
@@ -596,10 +595,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -856,7 +855,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
       if (!make_addressRange(&merged, a_min, b_max, length))
         return 0;
       sk_IPAddressOrRange_set(aors, i, merged);
-      (void)sk_IPAddressOrRange_delete(aors, i + 1);
+      sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
@@ -880,7 +879,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
                                     v3_addr_get_afi(f)))
       return 0;
   }
-  (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
+  sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
   sk_IPAddressFamily_sort(addr);
   OPENSSL_assert(v3_addr_is_canonical(addr));
   return 1;
@@ -889,7 +888,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
 /*
  * v2i handler for the IPAddrBlocks extension.
  */
-static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
+static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                               struct v3_ext_ctx *ctx,
                               STACK_OF(CONF_VALUE) *values)
 {
@@ -1125,7 +1124,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
@@ -1167,7 +1166,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
 {
   IPAddrBlocks *child = NULL;
   int i, j, ret = 1;
-  X509 *x = NULL;
+  X509 *x;
 
   OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
   OPENSSL_assert(ctx != NULL || ext != NULL);
@@ -1180,6 +1179,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
    */
   if (ext != NULL) {
     i = -1;
+    x = NULL;
   } else {
     i = 0;
     x = sk_X509_value(chain, i);
@@ -1189,7 +1189,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
@@ -1215,7 +1215,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
       }
       continue;
     }
-    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
@@ -1242,6 +1242,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   /*
    * Trust anchor can't inherit.
    */
+  OPENSSL_assert(x != NULL);
   if (x->rfc3779_addr != NULL) {
     for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
       IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 75fda7f268..91aefcddc1 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -82,6 +82,12 @@ NULL, NULL, NULL},
 (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
 (X509V3_EXT_V2I)v2i_issuer_alt,
 NULL, NULL, NULL},
+
+{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+0,0,0,0,
+0,0,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+NULL, NULL, NULL, NULL},
 };
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
@@ -147,9 +153,9 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                                 BIO_snprintf(htmp, sizeof htmp,
                                              "%X", p[0] << 8 | p[1]);
                                 p += 2;
-                                strlcat(oline, htmp, sizeof oline);
+                                strlcat(oline, htmp, sizeof(oline));
                                 if (i != 7)
-                                        strlcat(oline, ":", sizeof oline);
+                                        strlcat(oline, ":", sizeof(oline));
                                 }
                         }
                 else
@@ -360,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
                 if (move_p)
                         {
                         X509_NAME_delete_entry(nm, i);
+                        X509_NAME_ENTRY_free(ne);
                         i--;
                         }
                 if(!email || !(gen = GENERAL_NAME_new())) {
@@ -386,8 +393,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
         
 }
 
-GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         GENERAL_NAME *gen;
         GENERAL_NAMES *gens = NULL;
@@ -408,28 +415,22 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
         return NULL;
 }
 
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                                                         CONF_VALUE *cnf)
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                               CONF_VALUE *cnf)
         {
         return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
         }
 
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-                                X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                                                 CONF_VALUE *cnf, int is_nc)
+GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
+                               const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                               int gen_type, char *value, int is_nc)
         {
         char is_string = 0;
-        int type;
         GENERAL_NAME *gen = NULL;
 
-        char *name, *value;
-
-        name = cnf->name;
-        value = cnf->value;
-
         if(!value)
                 {
-                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
+                X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
                 return NULL;
                 }
 
@@ -440,74 +441,62 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
                 gen = GENERAL_NAME_new();
                 if(gen == NULL)
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
                         return NULL;
                         }
                 }
 
-        if(!name_cmp(name, "email"))
-                {
-                is_string = 1;
-                type = GEN_EMAIL;
-                }
-        else if(!name_cmp(name, "URI"))
-                {
-                is_string = 1;
-                type = GEN_URI;
-                }
-        else if(!name_cmp(name, "DNS"))
+        switch (gen_type)
                 {
+                case GEN_URI:
+                case GEN_EMAIL:
+                case GEN_DNS:
                 is_string = 1;
-                type = GEN_DNS;
-                }
-        else if(!name_cmp(name, "RID"))
+                break;
+                
+                case GEN_RID:
                 {
                 ASN1_OBJECT *obj;
                 if(!(obj = OBJ_txt2obj(value,0)))
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
                         ERR_add_error_data(2, "value=", value);
                         goto err;
                         }
                 gen->d.rid = obj;
-                type = GEN_RID;
                 }
-        else if(!name_cmp(name, "IP"))
-                {
+                break;
+
+                case GEN_IPADD:
                 if (is_nc)
                         gen->d.ip = a2i_IPADDRESS_NC(value);
                 else
                         gen->d.ip = a2i_IPADDRESS(value);
                 if(gen->d.ip == NULL)
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
                         ERR_add_error_data(2, "value=", value);
                         goto err;
                         }
-                type = GEN_IPADD;
-                }
-        else if(!name_cmp(name, "dirName"))
-                {
-                type = GEN_DIRNAME;
+                break;
+
+                case GEN_DIRNAME:
                 if (!do_dirname(gen, value, ctx))
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
                         goto err;
                         }
-                }
-        else if(!name_cmp(name, "otherName"))
-                {
+                break;
+
+                case GEN_OTHERNAME:
                 if (!do_othername(gen, value, ctx))
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
                         goto err;
                         }
-                type = GEN_OTHERNAME;
-                }
-        else
-                {
-                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
-                ERR_add_error_data(2, "name=", name);
+                break;
+                default:
+                X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
                 goto err;
                 }
 
@@ -517,12 +506,12 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
                               !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
                                                strlen(value)))
                         {
-                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
+                        X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
                         goto err;
                         }
                 }
 
-        gen->type = type;
+        gen->type = gen_type;
 
         return gen;
 
@@ -532,6 +521,48 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
         return NULL;
         }
 
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                  const X509V3_EXT_METHOD *method,
+                                  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
+        {
+        int type;
+
+        char *name, *value;
+
+        name = cnf->name;
+        value = cnf->value;
+
+        if(!value)
+                {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
+                return NULL;
+                }
+
+        if(!name_cmp(name, "email"))
+                type = GEN_EMAIL;
+        else if(!name_cmp(name, "URI"))
+                type = GEN_URI;
+        else if(!name_cmp(name, "DNS"))
+                type = GEN_DNS;
+        else if(!name_cmp(name, "RID"))
+                type = GEN_RID;
+        else if(!name_cmp(name, "IP"))
+                type = GEN_IPADD;
+        else if(!name_cmp(name, "dirName"))
+                type = GEN_DIRNAME;
+        else if(!name_cmp(name, "otherName"))
+                type = GEN_OTHERNAME;
+        else
+                {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
+                ERR_add_error_data(2, "name=", name);
+                return NULL;
+                }
+
+        return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+
+        }
+
 static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
         {
         char *objtmp = NULL, *p;
@@ -577,6 +608,7 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
         if (!ret)
                 X509_NAME_free(nm);
         gen->d.dirn = nm;
+        X509V3_section_free(ctx, sk);
                 
         return ret;
         }
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index abd497ed1f..56702f86b9 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -152,7 +152,7 @@ static int i2r_ASIdentifierChoice(BIO *out,
 /*
  * i2r method for an ASIdentifier extension.
  */
-static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method,
+static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
                              void *ext,
                              BIO *out,
                              int indent)
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
         break;
       }
       ASIdOrRange_free(b);
-      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
       i--;
       continue;
     }
@@ -495,7 +495,7 @@ int v3_asid_canonize(ASIdentifiers *asid)
 /*
  * v2i method for an ASIdentifier extension.
  */
-static void *v2i_ASIdentifiers(struct v3_ext_method *method,
+static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx,
                                STACK_OF(CONF_VALUE) *values)
 {
@@ -707,7 +707,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
 {
   ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
   int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
-  X509 *x = NULL;
+  X509 *x;
 
   assert(chain != NULL && sk_X509_num(chain) > 0);
   assert(ctx != NULL || ext != NULL);
@@ -720,6 +720,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
    */
   if (ext != NULL) {
     i = -1;
+    x = NULL;
   } else {
     i = 0;
     x = sk_X509_value(chain, i);
@@ -799,6 +800,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   /*
    * Trust anchor can't inherit.
    */
+  assert(x != NULL);
   if (x->rfc3779_asid != NULL) {
     if (x->rfc3779_asid->asnum != NULL &&
         x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 11eb6b7fd5..6730f9a6ee 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -72,14 +72,14 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, in
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
 static char *conf_lhash_get_string(void *db, char *section, char *value);
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
-static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
-                                                 int crit, void *ext_struc);
+static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
+                                  int crit, void *ext_struc);
 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
 /* CONF *conf:  Config file    */
 /* char *name:  Name    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
-             char *value)
+                                 char *value)
         {
         int crit;
         int ext_type;
@@ -99,7 +99,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-             char *value)
+                                     char *value)
         {
         int crit;
         int ext_type;
@@ -113,9 +113,9 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-             int crit, char *value)
+                                    int crit, char *value)
         {
-        X509V3_EXT_METHOD *method;
+        const X509V3_EXT_METHOD *method;
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
         void *ext_struc;
@@ -172,8 +172,8 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 
         }
 
-static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
-                                                 int crit, void *ext_struc)
+static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
+                                  int crit, void *ext_struc)
         {
         unsigned char *ext_der;
         int ext_len;
@@ -214,7 +214,7 @@ static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
         {
-        X509V3_EXT_METHOD *method;
+        const X509V3_EXT_METHOD *method;
         if (!(method = X509V3_EXT_get_nid(ext_nid))) {
                 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
                 return NULL;
@@ -258,7 +258,8 @@ static int v3_check_generic(char **value)
 
 /* Create a generic extension: for now just handle DER type */
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
-             int crit, int gen_type, X509V3_CTX *ctx)
+                                            int crit, int gen_type,
+                                            X509V3_CTX *ctx)
         {
         unsigned char *ext_der=NULL;
         long ext_len;
@@ -322,7 +323,7 @@ static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
 
 
 int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
-             STACK_OF(X509_EXTENSION) **sk)
+                            STACK_OF(X509_EXTENSION) **sk)
         {
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
@@ -343,7 +344,7 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
 /* Convenience functions to add extensions to a certificate, CRL and request */
 
 int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
-             X509 *cert)
+                         X509 *cert)
         {
         STACK_OF(X509_EXTENSION) **sk = NULL;
         if (cert)
@@ -354,7 +355,7 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
 /* Same as above but for a CRL */
 
 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
-             X509_CRL *crl)
+                             X509_CRL *crl)
         {
         STACK_OF(X509_EXTENSION) **sk = NULL;
         if (crl)
@@ -443,7 +444,7 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
         }
 
 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
-             X509_CRL *crl, int flags)
+                    X509_CRL *crl, int flags)
         {
         ctx->issuer_cert = issuer;
         ctx->subject_cert = subj;
@@ -454,8 +455,8 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
 
 /* Old conf compatibility functions */
 
-X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
-             char *value)
+X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                                char *name, char *value)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -464,8 +465,8 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
 
 /* LHASH *conf:  Config file    */
 /* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
-             char *value)
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                                    int ext_nid, char *value)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -489,14 +490,14 @@ NULL,
 NULL
 };
 
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
         {
         ctx->db_meth = &conf_lhash_method;
         ctx->db = lhash;
         }
 
-int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-             X509 *cert)
+int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                        char *section, X509 *cert)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -505,8 +506,8 @@ int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
 
 /* Same as above but for a CRL */
 
-int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-             X509_CRL *crl)
+int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                            char *section, X509_CRL *crl)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -515,8 +516,8 @@ int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
 
 /* Add extensions to certificate request */
 
-int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-             X509_REQ *req)
+int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                            char *section, X509_REQ *req)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index ad0506d75c..1f0798b946 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -450,5 +450,8 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
         else
                 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
         }
-        
+
+
 IMPLEMENT_STACK_OF(X509_POLICY_NODE)
+IMPLEMENT_STACK_OF(X509_POLICY_DATA)
+
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index 181a8977b1..790a6dd032 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,45 +63,254 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
-                STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
-static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-const X509V3_EXT_METHOD v3_crld = {
-NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
-0,0,
-NULL
+static void *v2i_crld(const X509V3_EXT_METHOD *method,
+                      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
+                     int indent);
+
+const X509V3_EXT_METHOD v3_crld =
+        {
+        NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
+        0,0,0,0,
+        0,0,
+        0,
+        v2i_crld,
+        i2r_crldp,0,
+        NULL
+        };
+
+const X509V3_EXT_METHOD v3_freshest_crl =
+        {
+        NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
+        0,0,0,0,
+        0,0,
+        0,
+        v2i_crld,
+        i2r_crldp,0,
+        NULL
+        };
+
+static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
+        {
+        STACK_OF(CONF_VALUE) *gnsect;
+        STACK_OF(GENERAL_NAME) *gens;
+        if (*sect == '@')
+                gnsect = X509V3_get_section(ctx, sect + 1);
+        else
+                gnsect = X509V3_parse_list(sect);
+        if (!gnsect)
+                {
+                X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
+                                                X509V3_R_SECTION_NOT_FOUND);
+                return NULL;
+                }
+        gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
+        if (*sect == '@')
+                X509V3_section_free(ctx, gnsect);
+        else
+                sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
+        return gens;
+        }
+
+static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
+                                                        CONF_VALUE *cnf)
+        {
+        STACK_OF(GENERAL_NAME) *fnm = NULL;
+        STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
+        if (!strncmp(cnf->name, "fullname", 9))
+                {
+                fnm = gnames_from_sectname(ctx, cnf->value);
+                if (!fnm)
+                        goto err;
+                }
+        else if (!strcmp(cnf->name, "relativename"))
+                {
+                int ret;
+                STACK_OF(CONF_VALUE) *dnsect;
+                X509_NAME *nm;
+                nm = X509_NAME_new();
+                if (!nm)
+                        return -1;
+                dnsect = X509V3_get_section(ctx, cnf->value);
+                if (!dnsect)
+                        {
+                        X509V3err(X509V3_F_SET_DIST_POINT_NAME,
+                                                X509V3_R_SECTION_NOT_FOUND);
+                        return -1;
+                        }
+                ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
+                X509V3_section_free(ctx, dnsect);
+                rnm = nm->entries;
+                nm->entries = NULL;
+                X509_NAME_free(nm);
+                if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
+                        goto err;
+                /* Since its a name fragment can't have more than one
+                 * RDNSequence
+                 */
+                if (sk_X509_NAME_ENTRY_value(rnm,
+                                sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
+                        {
+                        X509V3err(X509V3_F_SET_DIST_POINT_NAME,
+                                                X509V3_R_INVALID_MULTIPLE_RDNS);
+                        goto err;
+                        }
+                }
+        else
+                return 0;
+
+        if (*pdp)
+                {
+                X509V3err(X509V3_F_SET_DIST_POINT_NAME,
+                                                X509V3_R_DISTPOINT_ALREADY_SET);
+                goto err;
+                }
+
+        *pdp = DIST_POINT_NAME_new();
+        if (!*pdp)
+                goto err;
+        if (fnm)
+                {
+                (*pdp)->type = 0;
+                (*pdp)->name.fullname = fnm;
+                }
+        else
+                {
+                (*pdp)->type = 1;
+                (*pdp)->name.relativename = rnm;
+                }
+
+        return 1;
+                
+        err:
+        if (fnm)
+                sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
+        if (rnm)
+                sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
+        return -1;
+        }
+
+static const BIT_STRING_BITNAME reason_flags[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "AACompromise"},
+{-1, NULL, NULL}
 };
 
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
-                        STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
-{
-        DIST_POINT *point;
+static int set_reasons(ASN1_BIT_STRING **preas, char *value)
+        {
+        STACK_OF(CONF_VALUE) *rsk = NULL;
+        const BIT_STRING_BITNAME *pbn;
+        const char *bnam;
+        int i, ret = 0;
+        rsk = X509V3_parse_list(value);
+        if (!rsk)
+                return 0;
+        if (*preas)
+                return 0;
+        for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
+                {
+                bnam = sk_CONF_VALUE_value(rsk, i)->name;
+                if (!*preas)
+                        {
+                        *preas = ASN1_BIT_STRING_new();
+                        if (!*preas)
+                                goto err;
+                        }
+                for (pbn = reason_flags; pbn->lname; pbn++)
+                        {
+                        if (!strcmp(pbn->sname, bnam))
+                                {
+                                if (!ASN1_BIT_STRING_set_bit(*preas,
+                                                        pbn->bitnum, 1))
+                                        goto err;
+                                break;
+                                }
+                        }
+                if (!pbn->lname)
+                        goto err;
+                }
+        ret = 1;
+
+        err:
+        sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
+        return ret;
+        }
+
+static int print_reasons(BIO *out, const char *rname,
+                        ASN1_BIT_STRING *rflags, int indent)
+        {
+        int first = 1;
+        const BIT_STRING_BITNAME *pbn;
+        BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
+        for (pbn = reason_flags; pbn->lname; pbn++)
+                {
+                if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
+                        {
+                        if (first)
+                                first = 0;
+                        else
+                                BIO_puts(out, ", ");
+                        BIO_puts(out, pbn->lname);
+                        }
+                }
+        if (first)
+                BIO_puts(out, "<EMPTY>\n");
+        else
+                BIO_puts(out, "\n");
+        return 1;
+        }
+
+static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
+                                                STACK_OF(CONF_VALUE) *nval)
+        {
         int i;
-        for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
-                point = sk_DIST_POINT_value(crld, i);
-                if(point->distpoint) {
-                        if(point->distpoint->type == 0)
-                                exts = i2v_GENERAL_NAMES(NULL,
-                                         point->distpoint->name.fullname, exts);
-                        else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+        CONF_VALUE *cnf;
+        DIST_POINT *point = NULL;
+        point = DIST_POINT_new();
+        if (!point)
+                goto err;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
+                {
+                int ret;
+                cnf = sk_CONF_VALUE_value(nval, i);
+                ret = set_dist_point_name(&point->distpoint, ctx, cnf);
+                if (ret > 0)
+                        continue;
+                if (ret < 0)
+                        goto err;
+                if (!strcmp(cnf->name, "reasons"))
+                        {
+                        if (!set_reasons(&point->reasons, cnf->value))
+                                goto err;
+                        }
+                else if (!strcmp(cnf->name, "CRLissuer"))
+                        {
+                        point->CRLissuer =
+                                gnames_from_sectname(ctx, cnf->value);
+                        if (!point->CRLissuer)
+                                goto err;
+                        }
                 }
-                if(point->reasons) 
-                        X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
-                if(point->CRLissuer)
-                        X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+
+        return point;
+                        
+
+        err:
+        if (point)
+                DIST_POINT_free(point);
+        return NULL;
         }
-        return exts;
-}
 
-static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-{
+static void *v2i_crld(const X509V3_EXT_METHOD *method,
+                      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+        {
         STACK_OF(DIST_POINT) *crld = NULL;
         GENERAL_NAMES *gens = NULL;
         GENERAL_NAME *gen = NULL;
@@ -111,19 +320,44 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
         for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
                 DIST_POINT *point;
                 cnf = sk_CONF_VALUE_value(nval, i);
-                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
-                if(!(gens = GENERAL_NAMES_new())) goto merr;
-                if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
-                gen = NULL;
-                if(!(point = DIST_POINT_new())) goto merr;
-                if(!sk_DIST_POINT_push(crld, point)) {
-                        DIST_POINT_free(point);
-                        goto merr;
-                }
-                if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
-                point->distpoint->name.fullname = gens;
-                point->distpoint->type = 0;
-                gens = NULL;
+                if (!cnf->value)
+                        {
+                        STACK_OF(CONF_VALUE) *dpsect;
+                        dpsect = X509V3_get_section(ctx, cnf->name);
+                        if (!dpsect)
+                                goto err;
+                        point = crldp_from_section(ctx, dpsect);
+                        X509V3_section_free(ctx, dpsect);
+                        if (!point)
+                                goto err;
+                        if(!sk_DIST_POINT_push(crld, point))
+                                {
+                                DIST_POINT_free(point);
+                                goto merr;
+                                }
+                        }
+                else
+                        {
+                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+                                goto err; 
+                        if(!(gens = GENERAL_NAMES_new()))
+                                goto merr;
+                        if(!sk_GENERAL_NAME_push(gens, gen))
+                                goto merr;
+                        gen = NULL;
+                        if(!(point = DIST_POINT_new()))
+                                goto merr;
+                        if(!sk_DIST_POINT_push(crld, point))
+                                {
+                                DIST_POINT_free(point);
+                                goto merr;
+                                }
+                        if(!(point->distpoint = DIST_POINT_NAME_new()))
+                                goto merr;
+                        point->distpoint->name.fullname = gens;
+                        point->distpoint->type = 0;
+                        gens = NULL;
+                        }
         }
         return crld;
 
@@ -139,11 +373,31 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
 IMPLEMENT_STACK_OF(DIST_POINT)
 IMPLEMENT_ASN1_SET_OF(DIST_POINT)
 
+static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                                                void *exarg)
+        {
+        DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
+
+        switch(operation)
+                {
+                case ASN1_OP_NEW_POST:
+                dpn->dpname = NULL;
+                break;
+
+                case ASN1_OP_FREE_POST:
+                if (dpn->dpname)
+                        X509_NAME_free(dpn->dpname);
+                break;
+                }
+        return 1;
+        }
+
 
-ASN1_CHOICE(DIST_POINT_NAME) = {
+ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
         ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
         ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
-} ASN1_CHOICE_END(DIST_POINT_NAME)
+} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
+
 
 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
 
@@ -160,3 +414,203 @@ ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
 ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
 
 IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
+
+ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
+        ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
+        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
+        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
+        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
+        ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
+        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
+} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
+
+IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
+
+static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
+                   int indent);
+static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                     STACK_OF(CONF_VALUE) *nval);
+
+const X509V3_EXT_METHOD v3_idp =
+        {
+        NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
+        ASN1_ITEM_ref(ISSUING_DIST_POINT),
+        0,0,0,0,
+        0,0,
+        0,
+        v2i_idp,
+        i2r_idp,0,
+        NULL
+        };
+
+static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                     STACK_OF(CONF_VALUE) *nval)
+        {
+        ISSUING_DIST_POINT *idp = NULL;
+        CONF_VALUE *cnf;
+        char *name, *val;
+        int i, ret;
+        idp = ISSUING_DIST_POINT_new();
+        if (!idp)
+                goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
+                {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                name = cnf->name;
+                val = cnf->value;
+                ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
+                if (ret > 0)
+                        continue;
+                if (ret < 0)
+                        goto err;
+                if (!strcmp(name, "onlyuser"))
+                        {
+                        if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
+                                goto err;
+                        }
+                else if (!strcmp(name, "onlyCA"))
+                        {
+                        if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
+                                goto err;
+                        }
+                else if (!strcmp(name, "onlyAA"))
+                        {
+                        if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
+                                goto err;
+                        }
+                else if (!strcmp(name, "indirectCRL"))
+                        {
+                        if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
+                                goto err;
+                        }
+                else if (!strcmp(name, "onlysomereasons"))
+                        {
+                        if (!set_reasons(&idp->onlysomereasons, val))
+                                goto err;
+                        }
+                else
+                        {
+                        X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
+                        X509V3_conf_err(cnf);
+                        goto err;
+                        }
+                }
+        return idp;
+
+        merr:
+        X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
+        err:
+        ISSUING_DIST_POINT_free(idp);
+        return NULL;
+        }
+
+static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
+        {
+        int i;
+        for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+                {
+                BIO_printf(out, "%*s", indent + 2, "");
+                GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
+                BIO_puts(out, "\n");
+                }
+        return 1;
+        }
+
+static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
+        {
+        if (dpn->type == 0)
+                {
+                BIO_printf(out, "%*sFull Name:\n", indent, "");
+                print_gens(out, dpn->name.fullname, indent);
+                }
+        else
+                {
+                X509_NAME ntmp;
+                ntmp.entries = dpn->name.relativename;
+                BIO_printf(out, "%*sRelative Name:\n%*s",
+                                                indent, "", indent + 2, "");
+                X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
+                BIO_puts(out, "\n");
+                }
+        return 1;
+        }
+
+static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
+                   int indent)
+        {
+        ISSUING_DIST_POINT *idp = pidp;
+        if (idp->distpoint)
+                print_distpoint(out, idp->distpoint, indent);
+        if (idp->onlyuser > 0)
+                BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
+        if (idp->onlyCA > 0)
+                BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
+        if (idp->indirectCRL > 0)
+                BIO_printf(out, "%*sIndirect CRL\n", indent, "");
+        if (idp->onlysomereasons)
+                print_reasons(out, "Only Some Reasons", 
+                                idp->onlysomereasons, indent);
+        if (idp->onlyattr > 0)
+                BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
+        if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
+                && (idp->indirectCRL <= 0) && !idp->onlysomereasons
+                && (idp->onlyattr <= 0))
+                BIO_printf(out, "%*s<EMPTY>\n", indent, "");
+                
+        return 1;
+        }
+
+static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
+                     int indent)
+        {
+        STACK_OF(DIST_POINT) *crld = pcrldp;
+        DIST_POINT *point;
+        int i;
+        for(i = 0; i < sk_DIST_POINT_num(crld); i++)
+                {
+                BIO_puts(out, "\n");
+                point = sk_DIST_POINT_value(crld, i);
+                if(point->distpoint)
+                        print_distpoint(out, point->distpoint, indent);
+                if(point->reasons) 
+                        print_reasons(out, "Reasons", point->reasons,
+                                                                indent);
+                if(point->CRLissuer)
+                        {
+                        BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
+                        print_gens(out, point->CRLissuer, indent);
+                        }
+                }
+        return 1;
+        }
+
+int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
+        {
+        int i;
+        STACK_OF(X509_NAME_ENTRY) *frag;
+        X509_NAME_ENTRY *ne;
+        if (!dpn || (dpn->type != 1))
+                return 1;
+        frag = dpn->name.relativename;
+        dpn->dpname = X509_NAME_dup(iname);
+        if (!dpn->dpname)
+                return 0;
+        for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
+                {
+                ne = sk_X509_NAME_ENTRY_value(frag, i);
+                if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
+                        {
+                        X509_NAME_free(dpn->dpname);
+                        dpn->dpname = NULL;
+                        return 0;
+                        }
+                }
+        /* generate cached encoding of name */
+        if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
+                {
+                X509_NAME_free(dpn->dpname);
+                dpn->dpname = NULL;
+                return 0;
+                }
+        return 1;
+        }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index 36576eaa4d..c0575e368d 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -61,14 +61,17 @@
 #include <openssl/x509v3.h>
 
 static ENUMERATED_NAMES crl_reasons[] = {
-{0, "Unspecified", "unspecified"},
-{1, "Key Compromise", "keyCompromise"},
-{2, "CA Compromise", "CACompromise"},
-{3, "Affiliation Changed", "affiliationChanged"},
-{4, "Superseded", "superseded"},
-{5, "Cessation Of Operation", "cessationOfOperation"},
-{6, "Certificate Hold", "certificateHold"},
-{8, "Remove From CRL", "removeFromCRL"},
+{CRL_REASON_UNSPECIFIED,         "Unspecified", "unspecified"},
+{CRL_REASON_KEY_COMPROMISE,      "Key Compromise", "keyCompromise"},
+{CRL_REASON_CA_COMPROMISE,       "CA Compromise", "CACompromise"},
+{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
+{CRL_REASON_SUPERSEDED,          "Superseded", "superseded"},
+{CRL_REASON_CESSATION_OF_OPERATION,
+                        "Cessation Of Operation", "cessationOfOperation"},
+{CRL_REASON_CERTIFICATE_HOLD,    "Certificate Hold", "certificateHold"},
+{CRL_REASON_REMOVE_FROM_CRL,     "Remove From CRL", "removeFromCRL"},
+{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
+{CRL_REASON_AA_COMPROMISE,       "AA Compromise", "AACompromise"},
 {-1, NULL, NULL}
 };
 
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index c0d14500ed..1c66532757 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -63,9 +63,10 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+                                    X509V3_CTX *ctx,
+                                    STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
                 void *eku, STACK_OF(CONF_VALUE) *extlist);
 
 const X509V3_EXT_METHOD v3_ext_ku = {
@@ -97,8 +98,9 @@ ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
 
 IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
 
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-                void *a, STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *
+  i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
+                         STACK_OF(CONF_VALUE) *ext_list)
 {
         EXTENDED_KEY_USAGE *eku = a;
         int i;
@@ -112,8 +114,8 @@ static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
         return ext_list;
 }
 
-static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+                                    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         EXTENDED_KEY_USAGE *extku;
         char *extval;
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index 84b4b1c881..b628357301 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -99,3 +99,154 @@ ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
 ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
 
 IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
+
+GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
+        {
+        return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
+                                         (d2i_of_void *) d2i_GENERAL_NAME,
+                                         (char *) a);
+        }
+
+/* Returns 0 if they are equal, != 0 otherwise. */
+int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+        {
+        int result = -1;
+
+        if (!a || !b || a->type != b->type) return -1;
+        switch(a->type)
+                {
+        case GEN_X400:
+        case GEN_EDIPARTY:
+                result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+                break;
+
+        case GEN_OTHERNAME:
+                result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
+                break;
+
+        case GEN_EMAIL:
+        case GEN_DNS:
+        case GEN_URI:
+                result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
+                break;
+
+        case GEN_DIRNAME:
+                result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
+                break;
+
+        case GEN_IPADD:
+                result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
+                break;
+        
+        case GEN_RID:
+                result = OBJ_cmp(a->d.rid, b->d.rid);
+                break;
+                }
+        return result;
+        }
+
+/* Returns 0 if they are equal, != 0 otherwise. */
+int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
+        {
+        int result = -1;
+
+        if (!a || !b) return -1;
+        /* Check their type first. */
+        if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
+                return result;
+        /* Check the value. */
+        result = ASN1_TYPE_cmp(a->value, b->value);
+        return result;
+        }
+
+void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
+        {
+        switch(type)
+                {
+        case GEN_X400:
+        case GEN_EDIPARTY:
+                a->d.other = value;
+                break;
+
+        case GEN_OTHERNAME:
+                a->d.otherName = value;
+                break;
+
+        case GEN_EMAIL:
+        case GEN_DNS:
+        case GEN_URI:
+                a->d.ia5 = value;
+                break;
+
+        case GEN_DIRNAME:
+                a->d.dirn = value;
+                break;
+
+        case GEN_IPADD:
+                a->d.ip = value;
+                break;
+        
+        case GEN_RID:
+                a->d.rid = value;
+                break;
+                }
+        a->type = type;
+        }
+
+void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
+        {
+        if (ptype)
+                *ptype = a->type;
+        switch(a->type)
+                {
+        case GEN_X400:
+        case GEN_EDIPARTY:
+                return a->d.other;
+
+        case GEN_OTHERNAME:
+                return a->d.otherName;
+
+        case GEN_EMAIL:
+        case GEN_DNS:
+        case GEN_URI:
+                return a->d.ia5;
+
+        case GEN_DIRNAME:
+                return a->d.dirn;
+
+        case GEN_IPADD:
+                return a->d.ip;
+        
+        case GEN_RID:
+                return a->d.rid;
+
+        default:
+                return NULL;
+                }
+        }
+
+int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
+                                ASN1_OBJECT *oid, ASN1_TYPE *value)
+        {
+        OTHERNAME *oth;
+        oth = OTHERNAME_new();
+        if (!oth)
+                return 0;
+        oth->type_id = oid;
+        oth->value = value;
+        GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
+        return 1;
+        }
+
+int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
+                                ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
+        {
+        if (gen->type != GEN_OTHERNAME)
+                return 0;
+        if (poid)
+                *poid = gen->d.otherName->type_id;
+        if (pvalue)
+                *pvalue = gen->d.otherName->value;
+        return 1;
+        }
+
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index df3a48f43e..0f1e1d4422 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -84,20 +84,24 @@ int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
 }
 
 static int ext_cmp(const X509V3_EXT_METHOD * const *a,
-                const X509V3_EXT_METHOD * const *b)
+                   const X509V3_EXT_METHOD * const *b)
 {
         return ((*a)->ext_nid - (*b)->ext_nid);
 }
 
-X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
+                           ext);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
+                             const X509V3_EXT_METHOD *, ext);
+
+const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 {
-        X509V3_EXT_METHOD tmp, *t = &tmp, **ret;
+        X509V3_EXT_METHOD tmp;
+        const X509V3_EXT_METHOD *t = &tmp, * const *ret;
         int idx;
         if(nid < 0) return NULL;
         tmp.ext_nid = nid;
-        ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
-                        (char *)standard_exts, STANDARD_EXTENSION_COUNT,
-                        sizeof(X509V3_EXT_METHOD *), (int (*)(const void *, const void *))ext_cmp);
+        ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
         if(ret) return *ret;
         if(!ext_list) return NULL;
         idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
@@ -105,7 +109,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
         return sk_X509V3_EXT_METHOD_value(ext_list, idx);
 }
 
-X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
 {
         int nid;
         if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
@@ -122,7 +126,9 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
 
 int X509V3_EXT_add_alias(int nid_to, int nid_from)
 {
-        X509V3_EXT_METHOD *ext, *tmpext;
+        const X509V3_EXT_METHOD *ext;
+        X509V3_EXT_METHOD *tmpext;
+
         if(!(ext = X509V3_EXT_get_nid(nid_from))) {
                 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
                 return 0;
@@ -161,7 +167,7 @@ int X509V3_add_standard_extensions(void)
 
 void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
-        X509V3_EXT_METHOD *method;
+        const X509V3_EXT_METHOD *method;
         const unsigned char *p;
 
         if(!(method = X509V3_EXT_get(ext))) return NULL;
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index e426ea930c..0c165af314 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -68,19 +68,26 @@
 /* OCSP extensions and a couple of CRL entry extensions
  */
 
-static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
-static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
-static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
+static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
+                          BIO *out, int indent);
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
+                            BIO *out, int indent);
+static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
+                      int indent);
 
 static void *ocsp_nonce_new(void);
 static int i2d_ocsp_nonce(void *a, unsigned char **pp);
 static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
 static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
+                          BIO *out, int indent);
 
-static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
-static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+                            void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                              const char *str);
+static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
+                               BIO *bp, int ind);
 
 const X509V3_EXT_METHOD v3_ocsp_crlid = {
         NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
@@ -148,44 +155,47 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
         NULL
 };
 
-static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
+                          int ind)
 {
         OCSP_CRLID *a = in;
         if (a->crlUrl)
                 {
-                if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+                if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
                 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
-                if (!BIO_write(bp, "\n", 1)) goto err;
+                if (BIO_write(bp, "\n", 1) <= 0) goto err;
                 }
         if (a->crlNum)
                 {
-                if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
-                if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
-                if (!BIO_write(bp, "\n", 1)) goto err;
+                if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
+                if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
+                if (BIO_write(bp, "\n", 1) <= 0) goto err;
                 }
         if (a->crlTime)
                 {
-                if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+                if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
                 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
-                if (!BIO_write(bp, "\n", 1)) goto err;
+                if (BIO_write(bp, "\n", 1) <= 0) goto err;
                 }
         return 1;
         err:
         return 0;
 }
 
-static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
+                            BIO *bp, int ind)
 {
-        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
         if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
         return 1;
 }
 
 
-static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
+                      int ind)
 {
-        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
-        if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+        if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
+        if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
         return 1;
 }
 
@@ -232,7 +242,8 @@ static void ocsp_nonce_free(void *a)
         M_ASN1_OCTET_STRING_free(a);
 }
 
-static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
+static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
+                          BIO *out, int indent)
 {
         if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
         if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
@@ -241,17 +252,20 @@ static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int
 
 /* Nocheck is just a single NULL. Don't print anything and always set it */
 
-static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
+                            BIO *out, int indent)
 {
         return 1;
 }
 
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                              const char *str)
 {
         return ASN1_NULL_new();
 }
 
-static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
+                               BIO *bp, int ind)
         {
         int i;
         OCSP_SERVICELOC *a = in;
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index c1bb17f105..3146218708 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -110,7 +110,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
         void *ext_str = NULL;
         char *value = NULL;
         const unsigned char *p;
-        X509V3_EXT_METHOD *method;      
+        const X509V3_EXT_METHOD *method;        
         STACK_OF(CONF_VALUE) *nval = NULL;
         int ok = 1;
 
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index e18751e01c..181bd34979 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -71,6 +71,7 @@ static int purpose_smime(const X509 *x, int ca);
 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
 
@@ -87,6 +88,7 @@ static X509_PURPOSE xstandard[] = {
         {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
         {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
         {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
+        {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
 };
 
 #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
@@ -265,11 +267,14 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
         return xp->trust;
 }
 
-static int nid_cmp(int *a, int *b)
+static int nid_cmp(const int *a, const int *b)
         {
         return *a - *b;
         }
 
+DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
+
 int X509_supported_extension(X509_EXTENSION *ex)
         {
         /* This table is a list of the NIDs of supported extensions:
@@ -280,7 +285,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
          * searched using bsearch.
          */
 
-        static int supported_nids[] = {
+        static const int supported_nids[] = {
                 NID_netscape_cert_type, /* 71 */
                 NID_key_usage,          /* 83 */
                 NID_subject_alt_name,   /* 85 */
@@ -292,24 +297,62 @@ int X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
                 NID_policy_constraints, /* 401 */
-                NID_proxyCertInfo,      /* 661 */
+                NID_proxyCertInfo,      /* 663 */
+                NID_name_constraints,   /* 666 */
+                NID_policy_mappings,    /* 747 */
                 NID_inhibit_any_policy  /* 748 */
         };
 
-        int ex_nid;
-
-        ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+        int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
 
         if (ex_nid == NID_undef) 
                 return 0;
 
-        if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
-                sizeof(supported_nids)/sizeof(int), sizeof(int),
-                (int (*)(const void *, const void *))nid_cmp))
+        if (OBJ_bsearch_nid(&ex_nid, supported_nids,
+                        sizeof(supported_nids)/sizeof(int)))
                 return 1;
         return 0;
         }
- 
+
+static void setup_dp(X509 *x, DIST_POINT *dp)
+        {
+        X509_NAME *iname = NULL;
+        int i;
+        if (dp->reasons)
+                {
+                if (dp->reasons->length > 0)
+                        dp->dp_reasons = dp->reasons->data[0];
+                if (dp->reasons->length > 1)
+                        dp->dp_reasons |= (dp->reasons->data[1] << 8);
+                dp->dp_reasons &= CRLDP_ALL_REASONS;
+                }
+        else
+                dp->dp_reasons = CRLDP_ALL_REASONS;
+        if (!dp->distpoint || (dp->distpoint->type != 1))
+                return;
+        for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
+                {
+                GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
+                if (gen->type == GEN_DIRNAME)
+                        {
+                        iname = gen->d.directoryName;
+                        break;
+                        }
+                }
+        if (!iname)
+                iname = X509_get_issuer_name(x);
+
+        DIST_POINT_set_dpname(dp->distpoint, iname);
+
+        }
+
+static void setup_crldp(X509 *x)
+        {
+        int i;
+        x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
+        for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
+                setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
+        }
 
 static void x509v3_cache_extensions(X509 *x)
 {
@@ -417,16 +460,25 @@ static void x509v3_cache_extensions(X509 *x)
         }
         x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
         x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+        x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+        x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
+        if (!x->nc && (i != -1))
+                x->ex_flags |= EXFLAG_INVALID;
+        setup_crldp(x);
+
 #ifndef OPENSSL_NO_RFC3779
-        x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
-        x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
-                                          NULL, NULL);
+        x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+        x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
+                                          NULL, NULL);
 #endif
         for (i = 0; i < X509_get_ext_count(x); i++)
                 {
                 ex = X509_get_ext(x, i);
                 if (!X509_EXTENSION_get_critical(ex))
                         continue;
+                if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
+                                        == NID_freshest_crl)
+                        x->ex_flags |= EXFLAG_FRESHEST;
                 if (!X509_supported_extension(ex))
                         {
                         x->ex_flags |= EXFLAG_CRITICAL;
@@ -594,6 +646,41 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
         return 1;
 }
 
+static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
+                                        int ca)
+{
+        int i_ext;
+
+        /* If ca is true we must return if this is a valid CA certificate. */
+        if (ca) return check_ca(x);
+
+        /* 
+         * Check the optional key usage field:
+         * if Key Usage is present, it must be one of digitalSignature 
+         * and/or nonRepudiation (other values are not consistent and shall
+         * be rejected).
+         */
+        if ((x->ex_flags & EXFLAG_KUSAGE)
+            && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
+                !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
+                return 0;
+
+        /* Only time stamp key usage is permitted and it's required. */
+        if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
+                return 0;
+
+        /* Extended Key Usage MUST be critical */
+        i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+        if (i_ext >= 0)
+                {
+                X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
+                if (!X509_EXTENSION_get_critical(ext))
+                        return 0;
+                }
+
+        return 1;
+}
+
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         return 1;
@@ -618,39 +705,14 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
         x509v3_cache_extensions(issuer);
         x509v3_cache_extensions(subject);
-        if(subject->akid) {
-                /* Check key ids (if present) */
-                if(subject->akid->keyid && issuer->skid &&
-                 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
-                                return X509_V_ERR_AKID_SKID_MISMATCH;
-                /* Check serial number */
-                if(subject->akid->serial &&
-                        ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
-                                                subject->akid->serial))
-                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-                /* Check issuer name */
-                if(subject->akid->issuer) {
-                        /* Ugh, for some peculiar reason AKID includes
-                         * SEQUENCE OF GeneralName. So look for a DirName.
-                         * There may be more than one but we only take any
-                         * notice of the first.
-                         */
-                        GENERAL_NAMES *gens;
-                        GENERAL_NAME *gen;
-                        X509_NAME *nm = NULL;
-                        int i;
-                        gens = subject->akid->issuer;
-                        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-                                gen = sk_GENERAL_NAME_value(gens, i);
-                                if(gen->type == GEN_DIRNAME) {
-                                        nm = gen->d.dirn;
-                                        break;
-                                }
-                        }
-                        if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
-                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+
+        if(subject->akid)
+                {
+                int ret = X509_check_akid(issuer, subject->akid);
+                if (ret != X509_V_OK)
+                        return ret;
                 }
-        }
+
         if(subject->ex_flags & EXFLAG_PROXY)
                 {
                 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
@@ -661,3 +723,45 @@ int X509_check_issued(X509 *issuer, X509 *subject)
         return X509_V_OK;
 }
 
+int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
+        {
+
+        if(!akid)
+                return X509_V_OK;
+
+        /* Check key ids (if present) */
+        if(akid->keyid && issuer->skid &&
+                 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+                                return X509_V_ERR_AKID_SKID_MISMATCH;
+        /* Check serial number */
+        if(akid->serial &&
+                ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
+                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+        /* Check issuer name */
+        if(akid->issuer)
+                {
+                /* Ugh, for some peculiar reason AKID includes
+                 * SEQUENCE OF GeneralName. So look for a DirName.
+                 * There may be more than one but we only take any
+                 * notice of the first.
+                 */
+                GENERAL_NAMES *gens;
+                GENERAL_NAME *gen;
+                X509_NAME *nm = NULL;
+                int i;
+                gens = akid->issuer;
+                for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+                        {
+                        gen = sk_GENERAL_NAME_value(gens, i);
+                        if(gen->type == GEN_DIRNAME)
+                                {
+                                nm = gen->d.dirn;
+                                break;
+                                }
+                        }
+                if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+                        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+                }
+        return X509_V_OK;
+        }
+
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 2cb53008e3..e030234540 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -67,9 +67,9 @@
 
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
-static void str_free(void *str);
-static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
+static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
+static void str_free(OPENSSL_STRING str);
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
 
 static int ipv4_from_asc(unsigned char *v4, const char *in);
 static int ipv6_from_asc(unsigned char *v6, const char *in);
@@ -344,7 +344,7 @@ static char *strip_spaces(char *name)
         char *p, *q;
         /* Skip over leading spaces */
         p = name;
-        while(isspace((unsigned char)*p)) p++;
+        while(*p && isspace((unsigned char)*p)) p++;
         if(!*p) return NULL;
         q = p + strlen(p) - 1;
         while((q != p) && isspace((unsigned char)*q)) q--;
@@ -360,10 +360,10 @@ static char *strip_spaces(char *name)
  * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
  */
 
-char *hex_to_string(unsigned char *buffer, long len)
+char *hex_to_string(const unsigned char *buffer, long len)
 {
         char *tmp, *q;
-        unsigned char *p;
+        const unsigned char *p;
         int i;
         const static char hexdig[] = "0123456789ABCDEF";
         if(!buffer || !len) return NULL;
@@ -389,7 +389,7 @@ char *hex_to_string(unsigned char *buffer, long len)
  * a buffer
  */
 
-unsigned char *string_to_hex(char *str, long *len)
+unsigned char *string_to_hex(const char *str, long *len)
 {
         unsigned char *hexbuf, *q;
         unsigned char ch, cl, *p;
@@ -463,21 +463,23 @@ static int sk_strcmp(const char * const *a, const char * const *b)
         return strcmp(*a, *b);
 }
 
-STACK *X509_get1_email(X509 *x)
+STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
 {
         GENERAL_NAMES *gens;
-        STACK *ret;
+        STACK_OF(OPENSSL_STRING) *ret;
+
         gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
         ret = get_email(X509_get_subject_name(x), gens);
         sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
         return ret;
 }
 
-STACK *X509_get1_ocsp(X509 *x)
+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
 {
         AUTHORITY_INFO_ACCESS *info;
-        STACK *ret = NULL;
+        STACK_OF(OPENSSL_STRING) *ret = NULL;
         int i;
+
         info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
         if (!info)
                 return NULL;
@@ -497,11 +499,12 @@ STACK *X509_get1_ocsp(X509 *x)
         return ret;
 }
 
-STACK *X509_REQ_get1_email(X509_REQ *x)
+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
 {
         GENERAL_NAMES *gens;
         STACK_OF(X509_EXTENSION) *exts;
-        STACK *ret;
+        STACK_OF(OPENSSL_STRING) *ret;
+
         exts = X509_REQ_get_extensions(x);
         gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
         ret = get_email(X509_REQ_get_subject_name(x), gens);
@@ -511,9 +514,9 @@ STACK *X509_REQ_get1_email(X509_REQ *x)
 }
 
 
-static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
+static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
 {
-        STACK *ret = NULL;
+        STACK_OF(OPENSSL_STRING) *ret = NULL;
         X509_NAME_ENTRY *ne;
         ASN1_IA5STRING *email;
         GENERAL_NAME *gen;
@@ -536,23 +539,23 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
         return ret;
 }
 
-static void str_free(void *str)
+static void str_free(OPENSSL_STRING str)
 {
         OPENSSL_free(str);
 }
 
-static int append_ia5(STACK **sk, ASN1_IA5STRING *email)
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
 {
         char *emtmp;
         /* First some sanity checks */
         if(email->type != V_ASN1_IA5STRING) return 1;
         if(!email->data || !email->length) return 1;
-        if(!*sk) *sk = sk_new(sk_strcmp);
+        if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
         if(!*sk) return 0;
         /* Don't add duplicates */
-        if(sk_find(*sk, (char *)email->data) != -1) return 1;
+        if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
         emtmp = BUF_strdup((char *)email->data);
-        if(!emtmp || !sk_push(*sk, emtmp)) {
+        if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
                 X509_email_free(*sk);
                 *sk = NULL;
                 return 0;
@@ -560,9 +563,9 @@ static int append_ia5(STACK **sk, ASN1_IA5STRING *email)
         return 1;
 }
 
-void X509_email_free(STACK *sk)
+void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
 {
-        sk_pop_free(sk, str_free);
+        sk_OPENSSL_STRING_pop_free(sk, str_free);
 }
 
 /* Convert IP addresses both IPv4 and IPv6 into an 
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index d538ad8b80..f9f6f1f91f 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,6 +70,7 @@
 
 static ERR_STRING_DATA X509V3_str_functs[]=
         {
+{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME),   "A2I_GENERAL_NAME"},
 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),        "ASIDENTIFIERCHOICE_CANONIZE"},
 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),    "ASIDENTIFIERCHOICE_IS_CANONICAL"},
 {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
@@ -79,6 +80,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
 {ERR_FUNC(X509V3_F_DO_EXT_NCONF),       "DO_EXT_NCONF"},
 {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS),    "DO_I2V_NAME_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME),       "GNAMES_FROM_SECTNAME"},
 {ERR_FUNC(X509V3_F_HEX_TO_STRING),      "hex_to_string"},
 {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),        "i2s_ASN1_ENUMERATED"},
 {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
@@ -95,6 +97,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),      "s2i_ASN1_OCTET_STRING"},
 {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),   "S2I_ASN1_SKEY_ID"},
 {ERR_FUNC(X509V3_F_S2I_SKEY_ID),        "S2I_SKEY_ID"},
+{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME),        "SET_DIST_POINT_NAME"},
 {ERR_FUNC(X509V3_F_STRING_TO_HEX),      "string_to_hex"},
 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC),   "SXNET_add_id_asc"},
 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),       "SXNET_add_id_INTEGER"},
@@ -110,6 +113,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE),     "V2I_EXTENDED_KEY_USAGE"},
 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),  "v2i_GENERAL_NAMES"},
 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX),        "v2i_GENERAL_NAME_ex"},
+{ERR_FUNC(X509V3_F_V2I_IDP),    "V2I_IDP"},
 {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS),   "V2I_IPADDRBLOCKS"},
 {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT),     "V2I_ISSUER_ALT"},
 {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS),       "V2I_NAME_CONSTRAINTS"},
@@ -141,6 +145,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    ,"bn dec2bn error"},
 {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
 {ERR_REASON(X509V3_R_DIRNAME_ERROR)      ,"dirname error"},
+{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
 {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  ,"duplicate zone id"},
 {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
 {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
@@ -154,6 +159,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
 {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
 {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
+{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
 {ERR_REASON(X509V3_R_INVALID_ASNUMBER)   ,"invalid asnumber"},
 {ERR_REASON(X509V3_R_INVALID_ASRANGE)    ,"invalid asrange"},
 {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
@@ -187,9 +193,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
 {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
 {ERR_REASON(X509V3_R_OTHERNAME_ERROR)    ,"othername error"},
-{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
-{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
 {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
 {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
 {ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  ,"section not found"},
@@ -200,6 +206,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
 {ERR_REASON(X509V3_R_UNKNOWN_OPTION)     ,"unknown option"},
 {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
+{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE)   ,"unsupported type"},
 {ERR_REASON(X509V3_R_USER_TOO_LONG)      ,"user too long"},
 {0,NULL}
         };
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 9ef83da755..b308abe7cd 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -76,12 +76,19 @@ typedef void * (*X509V3_EXT_NEW)(void);
 typedef void (*X509V3_EXT_FREE)(void *);
 typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
 typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
-typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
-typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
+typedef STACK_OF(CONF_VALUE) *
+  (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
+                    STACK_OF(CONF_VALUE) *extlist);
+typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
+                                 struct v3_ext_ctx *ctx,
+                                 STACK_OF(CONF_VALUE) *values);
+typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
+typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
+                                 struct v3_ext_ctx *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
+                              BIO *out, int indent);
+typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
+                                 struct v3_ext_ctx *ctx, const char *str);
 
 /* V3 extension structure */
 
@@ -220,24 +227,41 @@ union {
         GENERAL_NAMES *fullname;
         STACK_OF(X509_NAME_ENTRY) *relativename;
 } name;
+/* If relativename then this contains the full distribution point name */
+X509_NAME *dpname;
 } DIST_POINT_NAME;
-
-typedef struct DIST_POINT_st {
+/* All existing reasons */
+#define CRLDP_ALL_REASONS       0x807f
+
+#define CRL_REASON_NONE                         -1
+#define CRL_REASON_UNSPECIFIED                  0
+#define CRL_REASON_KEY_COMPROMISE               1
+#define CRL_REASON_CA_COMPROMISE                2
+#define CRL_REASON_AFFILIATION_CHANGED          3
+#define CRL_REASON_SUPERSEDED                   4
+#define CRL_REASON_CESSATION_OF_OPERATION       5
+#define CRL_REASON_CERTIFICATE_HOLD             6
+#define CRL_REASON_REMOVE_FROM_CRL              8
+#define CRL_REASON_PRIVILEGE_WITHDRAWN          9
+#define CRL_REASON_AA_COMPROMISE                10
+
+struct DIST_POINT_st {
 DIST_POINT_NAME *distpoint;
 ASN1_BIT_STRING *reasons;
 GENERAL_NAMES *CRLissuer;
-} DIST_POINT;
+int dp_reasons;
+};
 
 typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
 
 DECLARE_STACK_OF(DIST_POINT)
 DECLARE_ASN1_SET_OF(DIST_POINT)
 
-typedef struct AUTHORITY_KEYID_st {
+struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 GENERAL_NAMES *issuer;
 ASN1_INTEGER *serial;
-} AUTHORITY_KEYID;
+};
 
 /* Strong extranet structures */
 
@@ -303,10 +327,10 @@ typedef struct GENERAL_SUBTREE_st {
 
 DECLARE_STACK_OF(GENERAL_SUBTREE)
 
-typedef struct NAME_CONSTRAINTS_st {
+struct NAME_CONSTRAINTS_st {
         STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
         STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
-} NAME_CONSTRAINTS;
+};
 
 typedef struct POLICY_CONSTRAINTS_st {
         ASN1_INTEGER *requireExplicitPolicy;
@@ -329,6 +353,31 @@ typedef struct PROXY_CERT_INFO_EXTENSION_st
 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 
+struct ISSUING_DIST_POINT_st
+        {
+        DIST_POINT_NAME *distpoint;
+        int onlyuser;
+        int onlyCA;
+        ASN1_BIT_STRING *onlysomereasons;
+        int indirectCRL;
+        int onlyattr;
+        };
+
+/* Values in idp_flags field */
+/* IDP present */
+#define IDP_PRESENT     0x1
+/* IDP values inconsistent */
+#define IDP_INVALID     0x2
+/* onlyuser true */
+#define IDP_ONLYUSER    0x4
+/* onlyCA true */
+#define IDP_ONLYCA      0x8
+/* onlyattr true */
+#define IDP_ONLYATTR    0x10
+/* indirectCRL true */
+#define IDP_INDIRECT    0x20
+/* onlysomereasons present */
+#define IDP_REASONS     0x40
 
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
@@ -373,6 +422,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_PROXY            0x400
 
 #define EXFLAG_INVALID_POLICY   0x800
+#define EXFLAG_FRESHEST         0x1000
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
@@ -424,9 +474,10 @@ typedef struct x509_purpose_st {
 #define X509_PURPOSE_CRL_SIGN           6
 #define X509_PURPOSE_ANY                7
 #define X509_PURPOSE_OCSP_HELPER        8
+#define X509_PURPOSE_TIMESTAMP_SIGN     9
 
 #define X509_PURPOSE_MIN                1
-#define X509_PURPOSE_MAX                8
+#define X509_PURPOSE_MAX                9
 
 /* Flags for X509V3_EXT_print() */
 
@@ -471,6 +522,9 @@ DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
 
 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
+GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
+int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
+
 
 
 ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
@@ -486,11 +540,18 @@ DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
 DECLARE_ASN1_FUNCTIONS(OTHERNAME)
 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
+int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
+void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
+void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
+int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
+                                ASN1_OBJECT *oid, ASN1_TYPE *value);
+int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
+                                ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
 
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
@@ -507,6 +568,11 @@ DECLARE_ASN1_FUNCTIONS(NOTICEREF)
 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
 DECLARE_ASN1_FUNCTIONS(DIST_POINT)
 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
+DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
+
+int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
+
+int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
 
 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
@@ -524,11 +590,16 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
 
+GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
+                               const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                               int gen_type, char *value, int is_nc);
+
 #ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                                                        CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
-                                X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                               CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                  const X509V3_EXT_METHOD *method,
+                                  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
 void X509V3_conf_free(CONF_VALUE *val);
 
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -538,18 +609,23 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert)
 int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
-X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
-int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
-int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
-int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                                    int ext_nid, char *value);
+X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                                char *name, char *value);
+int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                        char *section, X509 *cert);
+int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                            char *section, X509_REQ *req);
+int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+                            char *section, X509_CRL *crl);
 
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
-                                                STACK_OF(CONF_VALUE) **extlist);
+                             STACK_OF(CONF_VALUE) **extlist);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
 void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
 #endif
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
@@ -576,8 +652,8 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
 int X509V3_EXT_add_alias(int nid_to, int nid_from);
 void X509V3_EXT_cleanup(void);
 
-X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
@@ -587,8 +663,8 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
 
-char *hex_to_string(unsigned char *buffer, long len);
-unsigned char *string_to_hex(char *str, long *len);
+char *hex_to_string(const unsigned char *buffer, long len);
+unsigned char *string_to_hex(const char *str, long *len);
 int name_cmp(const char *name, const char *cmp);
 
 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
@@ -603,6 +679,7 @@ int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
+int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);
@@ -616,10 +693,10 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
 void X509_PURPOSE_cleanup(void);
 int X509_PURPOSE_get_id(X509_PURPOSE *);
 
-STACK *X509_get1_email(X509 *x);
-STACK *X509_REQ_get1_email(X509_REQ *x);
-void X509_email_free(STACK *sk);
-STACK *X509_get1_ocsp(X509 *x);
+STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
+void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 
 ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
 ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
@@ -628,6 +705,7 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
                                                 unsigned long chtype);
 
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+DECLARE_STACK_OF(X509_POLICY_NODE)
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -787,8 +865,9 @@ void ERR_load_X509V3_strings(void);
 /* Error codes for the X509V3 functions. */
 
 /* Function codes. */
-#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE             156
-#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL         157
+#define X509V3_F_A2I_GENERAL_NAME                        164
+#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE             161
+#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL         162
 #define X509V3_F_COPY_EMAIL                              122
 #define X509V3_F_COPY_ISSUER                             123
 #define X509V3_F_DO_DIRNAME                              144
@@ -796,6 +875,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_DO_EXT_I2D                              135
 #define X509V3_F_DO_EXT_NCONF                            151
 #define X509V3_F_DO_I2V_NAME_CONSTRAINTS                 148
+#define X509V3_F_GNAMES_FROM_SECTNAME                    156
 #define X509V3_F_HEX_TO_STRING                           111
 #define X509V3_F_I2S_ASN1_ENUMERATED                     121
 #define X509V3_F_I2S_ASN1_IA5STRING                      149
@@ -812,13 +892,14 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_S2I_ASN1_OCTET_STRING                   112
 #define X509V3_F_S2I_ASN1_SKEY_ID                        114
 #define X509V3_F_S2I_SKEY_ID                             115
+#define X509V3_F_SET_DIST_POINT_NAME                     158
 #define X509V3_F_STRING_TO_HEX                           113
 #define X509V3_F_SXNET_ADD_ID_ASC                        125
 #define X509V3_F_SXNET_ADD_ID_INTEGER                    126
 #define X509V3_F_SXNET_ADD_ID_ULONG                      127
 #define X509V3_F_SXNET_GET_ID_ASC                        128
 #define X509V3_F_SXNET_GET_ID_ULONG                      129
-#define X509V3_F_V2I_ASIDENTIFIERS                       158
+#define X509V3_F_V2I_ASIDENTIFIERS                       163
 #define X509V3_F_V2I_ASN1_BIT_STRING                     101
 #define X509V3_F_V2I_AUTHORITY_INFO_ACCESS               139
 #define X509V3_F_V2I_AUTHORITY_KEYID                     119
@@ -827,6 +908,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_V2I_EXTENDED_KEY_USAGE                  103
 #define X509V3_F_V2I_GENERAL_NAMES                       118
 #define X509V3_F_V2I_GENERAL_NAME_EX                     117
+#define X509V3_F_V2I_IDP                                 157
 #define X509V3_F_V2I_IPADDRBLOCKS                        159
 #define X509V3_F_V2I_ISSUER_ALT                          153
 #define X509V3_F_V2I_NAME_CONSTRAINTS                    147
@@ -855,6 +937,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_BN_DEC2BN_ERROR                         100
 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR                101
 #define X509V3_R_DIRNAME_ERROR                           149
+#define X509V3_R_DISTPOINT_ALREADY_SET                   160
 #define X509V3_R_DUPLICATE_ZONE_ID                       133
 #define X509V3_R_ERROR_CONVERTING_ZONE                   131
 #define X509V3_R_ERROR_CREATING_EXTENSION                144
@@ -868,12 +951,13 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ILLEGAL_EMPTY_EXTENSION                 151
 #define X509V3_R_ILLEGAL_HEX_DIGIT                       113
 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG             152
-#define X509V3_R_INVALID_ASNUMBER                        160
-#define X509V3_R_INVALID_ASRANGE                         161
+#define X509V3_R_INVALID_MULTIPLE_RDNS                   161
+#define X509V3_R_INVALID_ASNUMBER                        162
+#define X509V3_R_INVALID_ASRANGE                         163
 #define X509V3_R_INVALID_BOOLEAN_STRING                  104
 #define X509V3_R_INVALID_EXTENSION_STRING                105
-#define X509V3_R_INVALID_INHERITANCE                     162
-#define X509V3_R_INVALID_IPADDRESS                       163
+#define X509V3_R_INVALID_INHERITANCE                     165
+#define X509V3_R_INVALID_IPADDRESS                       166
 #define X509V3_R_INVALID_NAME                            106
 #define X509V3_R_INVALID_NULL_ARGUMENT                   107
 #define X509V3_R_INVALID_NULL_NAME                       108
@@ -901,9 +985,9 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                    112
 #define X509V3_R_OPERATION_NOT_DEFINED                   148
 #define X509V3_R_OTHERNAME_ERROR                         147
-#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED        155
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED         155
 #define X509V3_R_POLICY_PATH_LENGTH                      156
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED     157
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED      157
 #define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED   158
 #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
 #define X509V3_R_SECTION_NOT_FOUND                       150
@@ -914,6 +998,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_UNKNOWN_EXTENSION_NAME                  130
 #define X509V3_R_UNKNOWN_OPTION                          120
 #define X509V3_R_UNSUPPORTED_OPTION                      117
+#define X509V3_R_UNSUPPORTED_TYPE                        167
 #define X509V3_R_USER_TOO_LONG                           132
 
 #ifdef  __cplusplus