Change the trust and purpose code so it doesn't need init

either and has a static and dynamic mix.

10 files changed, 178 insertions, 134 deletions

diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index e2e100e2eb..2f9c09b705 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -66,6 +66,7 @@
 static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
 static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
 
 /* The following function generates an ASN1_STRING based on limits in a table.
  * Frequently the types and length of an ASN1_STRING are restricted by a 
@@ -79,7 +80,6 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 	ASN1_STRING *str = NULL;
 	int ret;
 	if(!out) out = &str;
-	if(!stable) ASN1_STRING_TABLE_add_standard();
 	tbl = ASN1_STRING_TABLE_get(nid);
 	if(tbl) ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
 					tbl->minsize, tbl->maxsize);
@@ -102,53 +102,45 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 #define ub_title			64
 #define ub_email_address		128
 
+/* This table must be kept in NID order */
+
 static ASN1_STRING_TABLE tbl_standard[] = {
-{NID_name,			1, ub_name, 0, 0},
-{NID_surname,			1, ub_name, 0, 0},
-{NID_givenName,			1, ub_name, 0, 0},
-{NID_initials,			1, ub_name, 0, 0},
 {NID_commonName,		1, ub_common_name, 0, 0},
+{NID_countryName,		2, 2, B_ASN1_PRINTABLESTRING, 0},
 {NID_localityName,		1, ub_locality_name, 0, 0},
 {NID_stateOrProvinceName,	1, ub_state_name, 0, 0},
 {NID_organizationName,		1, ub_organization_name, 0, 0},
 {NID_organizationalUnitName,	1, ub_organization_unit_name, 0, 0},
-{NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, 0},
-{NID_countryName,		2, 2, B_ASN1_PRINTABLESTRING, 0},
 {NID_pkcs9_emailAddress,	1, ub_email_address, B_ASN1_IA5STRING, 0},
-{NID_undef, 0, 0, 0, 0}
+{NID_givenName,			1, ub_name, 0, 0},
+{NID_surname,			1, ub_name, 0, 0},
+{NID_initials,			1, ub_name, 0, 0},
+{NID_name,			1, ub_name, 0, 0},
+{NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, 0},
 };
 
-int ASN1_STRING_TABLE_add_standard(void)
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
 {
-	static int done = 0;
-	ASN1_STRING_TABLE *tmp;
-	if(done) return 1;
-	if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
-	if(!stable) {
-		ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD_STANDARD,
-						ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	for(tmp = tbl_standard; tmp->nid != NID_undef; tmp++) {
-		if(!sk_ASN1_STRING_TABLE_push(stable, tmp)) {
-			ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD_STANDARD,
-							ERR_R_MALLOC_FAILURE);
-			return 0;
-		}
-	}
-	return 1;
+	return (*a)->nid - (*b)->nid;
 }
 
-static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
 {
-	return (*a)->nid - (*b)->nid;
+	return a->nid - b->nid;
 }
 
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 {
 	int idx;
+	ASN1_STRING_TABLE *ttmp;
 	ASN1_STRING_TABLE fnd;
 	fnd.nid = nid;
+	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
+					(char *)tbl_standard, 
+			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
+			sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+	if(ttmp) return ttmp;
+	if(!stable) return NULL;
 	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
 	if(idx < 0) return NULL;
 	return sk_ASN1_STRING_TABLE_value(stable, idx);
@@ -160,6 +152,7 @@ int ASN1_STRING_TABLE_add(int nid,
 {
 	ASN1_STRING_TABLE *tmp;
 	char new_nid = 0;
+	flags &= ~STABLE_FLAGS_MALLOC;
 	if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
 	if(!stable) {
 		ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
@@ -172,14 +165,13 @@ int ASN1_STRING_TABLE_add(int nid,
 							ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
-		tmp->flags = STABLE_FLAGS_MALLOC;
+		tmp->flags = flags | STABLE_FLAGS_MALLOC;
 		tmp->nid = nid;
 		new_nid = 1;
-	}
+	} else tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
 	if(minsize != -1) tmp->minsize = minsize;
 	if(maxsize != -1) tmp->maxsize = maxsize;
 	tmp->mask = mask;
-	tmp->flags = flags & ~STABLE_FLAGS_MALLOC;
 	if(new_nid) sk_ASN1_STRING_TABLE_push(stable, tmp);
 	return 1;
 }
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index d36e868e90..e54a61f6db 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -773,7 +773,6 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
 ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, 
 		const unsigned char *in, int inlen, int inform, int nid);
-int ASN1_STRING_TABLE_add_standard(void);
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
 void ASN1_STRING_TABLE_cleanup(void);
 
@@ -812,7 +811,6 @@ void ASN1_STRING_TABLE_cleanup(void);
 #define ASN1_F_ASN1_SIGN				 114
 #define ASN1_F_ASN1_STRING_NEW				 115
 #define ASN1_F_ASN1_STRING_TABLE_ADD			 283
-#define ASN1_F_ASN1_STRING_TABLE_ADD_STANDARD		 284
 #define ASN1_F_ASN1_STRING_TYPE_NEW			 116
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 117
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 118
@@ -824,7 +822,7 @@ void ASN1_STRING_TABLE_cleanup(void);
 #define ASN1_F_BASIC_CONSTRAINTS_NEW			 226
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 234
 #define ASN1_F_BN_TO_ASN1_INTEGER			 122
-#define ASN1_F_D2I_ACCESS_DESCRIPTION			 292
+#define ASN1_F_D2I_ACCESS_DESCRIPTION			 284
 #define ASN1_F_D2I_ASN1_BIT_STRING			 123
 #define ASN1_F_D2I_ASN1_BMPSTRING			 124
 #define ASN1_F_D2I_ASN1_BOOLEAN				 125
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index c322d643ef..063750607d 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -92,7 +92,6 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_NEW,0),	"ASN1_STRING_new"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_ADD"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD_STANDARD,0),	"ASN1_STRING_TABLE_add_standard"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index ed95058a74..5e4da0f7c4 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -280,10 +280,10 @@ DECLARE_ASN1_SET_OF(X509)
 /* This is used for a table of trust checking functions */
 
 typedef struct x509_trust_st {
-	int trust_id;
-	int trust_flags;
+	int trust;
+	int flags;
 	int (*check_trust)(struct x509_trust_st *, X509 *, int);
-	char *trust_name;
+	char *name;
 	int arg1;
 	void *arg2;
 } X509_TRUST;
@@ -298,6 +298,11 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_EMAIL	4
 #define X509_TRUST_OBJECT_SIGN	5
 
+/* Keep these up to date! */
+#define X509_TRUST_MIN		1
+#define X509_TRUST_MAX		5
+
+
 /* trust_flags values */
 #define	X509_TRUST_DYNAMIC 	1
 #define	X509_TRUST_DYNAMIC_NAME	2
@@ -1015,8 +1020,6 @@ int		X509_EXTENSION_set_data(X509_EXTENSION *ex,
 ASN1_OBJECT *	X509_EXTENSION_get_object(X509_EXTENSION *ex);
 ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
 int		X509_EXTENSION_get_critical(X509_EXTENSION *ex);
-void		X509_init(void);
-void		X509_cleanup(void);
 
 int		X509_verify_cert(X509_STORE_CTX *ctx);
 
@@ -1059,10 +1062,10 @@ int X509_check_trust(X509 *x, int id, int flags);
 int X509_TRUST_get_count(void);
 X509_TRUST * X509_TRUST_iget(int idx);
 int X509_TRUST_get_by_id(int id);
-int X509_TRUST_add(X509_TRUST *xp);
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+					char *name, int arg1, void *arg2);
 void X509_TRUST_cleanup(void);
-void X509_TRUST_add_standard(void);
-int X509_TRUST_get_id(X509_TRUST *xp);
+int X509_TRUST_get_flags(X509_TRUST *xp);
 char *X509_TRUST_iget_name(X509_TRUST *xp);
 int X509_TRUST_get_trust(X509_TRUST *xp);
 
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 94c64a1bcf..f96f5f9b26 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -67,72 +67,110 @@ static void trtable_free(X509_TRUST *p);
 static int trust_1bit(X509_TRUST *trust, X509 *x, int flags);
 static int trust_any(X509_TRUST *trust, X509 *x, int flags);
 
+/* WARNING: the following table should be kept in order of trust
+ * and without any gaps so we can just subtract the minimum trust
+ * value to get an index into the table
+ */
+
 static X509_TRUST trstandard[] = {
 {X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL},
 {X509_TRUST_SSL_CLIENT, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_CLIENT, NULL},
 {X509_TRUST_SSL_SERVER, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_SERVER, NULL},
 {X509_TRUST_EMAIL, 0, trust_1bit, "S/MIME email", X509_TRUST_BIT_EMAIL, NULL},
 {X509_TRUST_OBJECT_SIGN, 0, trust_1bit, "Object Signing", X509_TRUST_BIT_OBJECT_SIGN, NULL},
-{0, 0, NULL, NULL, 0, NULL}
 };
 
+#define X509_TRUST_COUNT	(sizeof(trstandard)/sizeof(X509_TRUST))
+
 IMPLEMENT_STACK_OF(X509_TRUST)
 
 static STACK_OF(X509_TRUST) *trtable = NULL;
 
 static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
 {
-	return (*a)->trust_id - (*b)->trust_id;
+	return (*a)->trust - (*b)->trust;
 }
 
 int X509_check_trust(X509 *x, int id, int flags)
 {
-	int idx;
 	X509_TRUST *pt;
+	int idx;
 	if(id == -1) return 1;
-	idx = X509_TRUST_get_by_id(id);
-	if(idx == -1) return -1;
-	pt = sk_X509_TRUST_value(trtable, idx);
+	if(!(idx = X509_TRUST_get_by_id(id))) return 0;
+	pt = X509_TRUST_iget(idx);
 	return pt->check_trust(pt, x, flags);
 }
 
 int X509_TRUST_get_count(void)
 {
-	return sk_X509_TRUST_num(trtable);
+	if(!trtable) return X509_TRUST_COUNT;
+	return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
 }
 
 X509_TRUST * X509_TRUST_iget(int idx)
 {
-	return sk_X509_TRUST_value(trtable, idx);
+	if(idx < 0) return NULL;
+	if(idx < X509_TRUST_COUNT) return trstandard + idx;
+	return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
 }
 
 int X509_TRUST_get_by_id(int id)
 {
 	X509_TRUST tmp;
-	tmp.trust_id = id;
+	int idx;
+	if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+				 return id - X509_TRUST_MIN;
+	tmp.trust = id;
 	if(!trtable) return -1;
-	return sk_X509_TRUST_find(trtable, &tmp);
+	idx = sk_X509_TRUST_find(trtable, &tmp);
+	if(idx == -1) return -1;
+	return idx + X509_TRUST_COUNT;
 }
 
-int X509_TRUST_add(X509_TRUST *xp)
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+					char *name, int arg1, void *arg2)
 {
 	int idx;
-	if(!trtable)
-		{
-		trtable = sk_X509_TRUST_new(tr_cmp);
-		if (!trtable) 
-			{
+	X509_TRUST *trtmp;
+	/* This is set according to what we change: application can't set it */
+	flags &= ~X509_TRUST_DYNAMIC;
+	/* This will always be set for application modified trust entries */
+	flags |= X509_TRUST_DYNAMIC_NAME;
+	/* Get existing entry if any */
+	idx = X509_TRUST_get_by_id(id);
+	/* Need a new entry */
+	if(idx == -1) {
+		if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
 			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
 			return 0;
-			}
 		}
-			
-	idx = X509_TRUST_get_by_id(xp->trust_id);
-	if(idx != -1) {
-		trtable_free(sk_X509_TRUST_value(trtable, idx));
-		sk_X509_TRUST_set(trtable, idx, xp);
-	} else {
-		if (!sk_X509_TRUST_push(trtable, xp)) {
+		trtmp->flags = X509_TRUST_DYNAMIC;
+	} else trtmp = X509_TRUST_iget(idx);
+
+	/* Free existing name if dynamic */
+	if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+	/* dup supplied name */
+	if(!(trtmp->name = BUF_strdup(name))) {
+		X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	/* Keep the dynamic flag of existing entry */
+	trtmp->flags &= X509_TRUST_DYNAMIC;
+	/* Set all other flags */
+	trtmp->flags |= flags;
+
+	trtmp->trust = id;
+	trtmp->check_trust = ck;
+	trtmp->arg1 = arg1;
+	trtmp->arg2 = arg2;
+
+	/* If its a new entry manage the dynamic table */
+	if(idx == -1) {
+		if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if (!sk_X509_TRUST_push(trtable, trtmp)) {
 			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
@@ -143,40 +181,35 @@ int X509_TRUST_add(X509_TRUST *xp)
 static void trtable_free(X509_TRUST *p)
 	{
 	if(!p) return;
-	if (p->trust_flags & X509_TRUST_DYNAMIC) 
+	if (p->flags & X509_TRUST_DYNAMIC) 
 		{
-		if (p->trust_flags & X509_TRUST_DYNAMIC_NAME)
-			Free(p->trust_name);
+		if (p->flags & X509_TRUST_DYNAMIC_NAME)
+			Free(p->name);
 		Free(p);
 		}
 	}
 
 void X509_TRUST_cleanup(void)
 {
+	int i;
+	for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
 	sk_X509_TRUST_pop_free(trtable, trtable_free);
 	trtable = NULL;
 }
 
-void X509_TRUST_add_standard(void)
-{
-	X509_TRUST *xp;
-	for(xp = trstandard; xp->trust_name; xp++)
-		X509_TRUST_add(xp);
-}
-
-int X509_TRUST_get_id(X509_TRUST *xp)
+int X509_TRUST_get_flags(X509_TRUST *xp)
 {
-	return xp->trust_id;
+	return xp->flags;
 }
 
 char *X509_TRUST_iget_name(X509_TRUST *xp)
 {
-	return xp->trust_name;
+	return xp->name;
 }
 
 int X509_TRUST_get_trust(X509_TRUST *xp)
 {
-	return xp->trust_id;
+	return xp->trust;
 }
 
 static int trust_1bit(X509_TRUST *trust, X509 *x, int flags)
diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c
index 100b08773c..52887986fe 100644
--- a/crypto/x509/x509_v3.c
+++ b/crypto/x509/x509_v3.c
@@ -265,24 +265,3 @@ int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
 	if (ex == NULL) return(0);
 	return(ex->critical);
 	}
-
-/* Initialisation routine: used to initialise the X509 and X509v3 tables */
-
-static int init_done = 0;
-
-void X509_init(void)
-{
-	if(init_done) return;
-	X509V3_add_standard_extensions();
-	X509_PURPOSE_add_standard();
-	X509_TRUST_add_standard();
-	init_done = 1;
-}
-
-void X509_cleanup(void)
-{
-	X509V3_EXT_cleanup();
-	X509_PURPOSE_cleanup();
-	X509_TRUST_cleanup();
-	init_done = 0;
-}
diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index 83bd70e313..8cf90be132 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -339,7 +339,7 @@ v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
 v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 v3_pku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index c81f9a18b0..801a585a52 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -91,7 +91,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_info,
 };
 
-/* Number of standard extensions: keep up to date */
+/* Number of standard extensions */
 
-#define STANDARD_EXTENSION_COUNT 22
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
 
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index e350c8158b..5e7b4c3ab9 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -82,9 +82,10 @@ static X509_PURPOSE xstandard[] = {
 	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
 	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
 	{X509_PURPOSE_CRL_SIGN, X509_TRUST_ANY, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
-	{-1, 0, 0, NULL, NULL, NULL, NULL}
 };
 
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
 IMPLEMENT_STACK_OF(X509_PURPOSE)
 
 static STACK_OF(X509_PURPOSE) *xptable = NULL;
@@ -100,7 +101,6 @@ int X509_check_purpose(X509 *x, int id, int ca)
 	X509_PURPOSE *pt;
 	if(!(x->ex_flags & EXFLAG_SET)) {
 		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		X509_init();
 		x509v3_cache_extensions(x);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
@@ -108,25 +108,28 @@ int X509_check_purpose(X509 *x, int id, int ca)
 	idx = X509_PURPOSE_get_by_id(id);
 	if(idx == -1) return -1;
 	pt = sk_X509_PURPOSE_value(xptable, idx);
-	return pt->check_purpose(pt, x,ca);
+	return pt->check_purpose(pt, x, ca);
 }
 
 int X509_PURPOSE_get_count(void)
 {
-	return sk_X509_PURPOSE_num(xptable);
+	if(!xptable) return X509_PURPOSE_COUNT;
+	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
 }
 
 X509_PURPOSE * X509_PURPOSE_iget(int idx)
 {
-	return sk_X509_PURPOSE_value(xptable, idx);
+	if(idx < 0) return NULL;
+	if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
 }
 
 int X509_PURPOSE_get_by_sname(char *sname)
 {
 	int i;
 	X509_PURPOSE *xptmp;
-	for(i = 0; i < sk_X509_PURPOSE_num(xptable); i++) {
-		xptmp = sk_X509_PURPOSE_value(xptable, i);
+	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+		xptmp = X509_PURPOSE_iget(i);
 		if(!strcmp(xptmp->sname, sname)) return i;
 	}
 	return -1;
@@ -136,30 +139,66 @@ int X509_PURPOSE_get_by_sname(char *sname)
 int X509_PURPOSE_get_by_id(int purpose)
 {
 	X509_PURPOSE tmp;
+	int idx;
+	if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+		return purpose - X509_PURPOSE_MIN;
 	tmp.purpose = purpose;
 	if(!xptable) return -1;
-	return sk_X509_PURPOSE_find(xptable, &tmp);
+	idx = sk_X509_PURPOSE_find(xptable, &tmp);
+	if(idx == -1) return -1;
+	return idx + X509_PURPOSE_COUNT;
 }
 
-int X509_PURPOSE_add(X509_PURPOSE *xp)
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(X509_PURPOSE *, X509 *, int),
+					char *name, char *sname, void *arg)
 {
 	int idx;
-	if(!xptable)
-		{
-		xptable = sk_X509_PURPOSE_new(xp_cmp);
-		if (!xptable) 
-			{
+	X509_PURPOSE *ptmp;
+	/* This is set according to what we change: application can't set it */
+	flags &= ~X509_PURPOSE_DYNAMIC;
+	/* This will always be set for application modified trust entries */
+	flags |= X509_PURPOSE_DYNAMIC_NAME;
+	/* Get existing entry if any */
+	idx = X509_PURPOSE_get_by_id(id);
+	/* Need a new entry */
+	if(idx == -1) {
+		if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
 			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
 			return 0;
-			}
 		}
-			
-	idx = X509_PURPOSE_get_by_id(xp->purpose);
-	if(idx != -1) {
-		xptable_free(sk_X509_PURPOSE_value(xptable, idx));
-		sk_X509_PURPOSE_set(xptable, idx, xp);
-	} else {
-		if (!sk_X509_PURPOSE_push(xptable, xp)) {
+		ptmp->flags = X509_PURPOSE_DYNAMIC;
+	} else ptmp = X509_PURPOSE_iget(idx);
+
+	/* Free existing name if dynamic */
+	if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+		Free(ptmp->name);
+		Free(ptmp->sname);
+	}
+	/* dup supplied name */
+	ptmp->name = BUF_strdup(name);
+	ptmp->sname = BUF_strdup(sname);
+	if(!ptmp->name || !ptmp->sname) {
+		X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	/* Keep the dynamic flag of existing entry */
+	ptmp->flags &= X509_PURPOSE_DYNAMIC;
+	/* Set all other flags */
+	ptmp->flags |= flags;
+
+	ptmp->purpose = id;
+	ptmp->trust = trust;
+	ptmp->check_purpose = ck;
+	ptmp->usr_data = arg;
+
+	/* If its a new entry manage the dynamic table */
+	if(idx == -1) {
+		if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
 			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
@@ -182,16 +221,12 @@ static void xptable_free(X509_PURPOSE *p)
 
 void X509_PURPOSE_cleanup(void)
 {
+	int i;
 	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
 	xptable = NULL;
 }
 
-void X509_PURPOSE_add_standard(void)
-{
-	X509_PURPOSE *xp;
-	for(xp = xstandard; xp->name; xp++) X509_PURPOSE_add(xp);
-}
-
 int X509_PURPOSE_get_id(X509_PURPOSE *xp)
 {
 	return xp->purpose;
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index bee56ab2d2..5e988a98b8 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -345,6 +345,9 @@ typedef struct x509_purpose_st {
 #define X509_PURPOSE_SMIME_ENCRYPT	5
 #define X509_PURPOSE_CRL_SIGN		6
 
+#define X509_PURPOSE_MIN		1
+#define X509_PURPOSE_MAX		6
+
 DECLARE_STACK_OF(X509_PURPOSE)
 
 void ERR_load_X509V3_strings(void);
@@ -532,7 +535,9 @@ int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_iget(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);
 int X509_PURPOSE_get_by_id(int id);
-int X509_PURPOSE_add(X509_PURPOSE *xp);
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(X509_PURPOSE *, X509 *, int),
+				char *name, char *sname, void *arg);
 char *X509_PURPOSE_iget_name(X509_PURPOSE *xp);
 char *X509_PURPOSE_iget_sname(X509_PURPOSE *xp);
 int X509_PURPOSE_get_trust(X509_PURPOSE *xp);