Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/Makefile.ssl2
-rw-r--r--crypto/x509/by_dir.c61
-rw-r--r--crypto/x509/by_file.c95
-rw-r--r--crypto/x509/v3_net.c8
-rw-r--r--crypto/x509/v3_x509.c189
-rw-r--r--crypto/x509/x509.err31
-rw-r--r--crypto/x509/x509.h121
-rw-r--r--crypto/x509/x509_cmp.c24
-rw-r--r--crypto/x509/x509_d2.c6
-rw-r--r--crypto/x509/x509_def.c2
-rw-r--r--crypto/x509/x509_err.c13
-rw-r--r--crypto/x509/x509_ext.c56
-rw-r--r--crypto/x509/x509_lu.c13
-rw-r--r--crypto/x509/x509_obj.c11
-rw-r--r--crypto/x509/x509_r2x.c2
-rw-r--r--crypto/x509/x509_req.c15
-rw-r--r--crypto/x509/x509_set.c2
-rw-r--r--crypto/x509/x509_txt.c14
-rw-r--r--crypto/x509/x509_v3.c40
-rw-r--r--crypto/x509/x509_vfy.c127
-rw-r--r--crypto/x509/x509_vfy.h69
-rw-r--r--crypto/x509/x509name.c23
-rw-r--r--crypto/x509/x509pack.c4
-rw-r--r--crypto/x509/x509rset.c2
-rw-r--r--crypto/x509/x509type.c2
-rw-r--r--crypto/x509/x509v3.doc24
-rw-r--r--crypto/x509/x_all.c14
27 files changed, 755 insertions, 215 deletions
diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl
index e54a74d1e8..1c1ca2ffa0 100644
--- a/crypto/x509/Makefile.ssl
+++ b/crypto/x509/Makefile.ssl
@@ -91,6 +91,6 @@ clean:
errors:
perl $(TOP)/util/err-ins.pl $(ERR).err $(ERR).h
- perl ../err/err_genc.pl $(ERR).h $(ERRC).c
+ perl ../err/err_genc.pl -s $(ERR).h $(ERRC).c
# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 6676a2e404..11725ec94c 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -1,5 +1,5 @@
/* crypto/x509/by_dir.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -250,21 +250,46 @@ X509_NAME *name;
X509_OBJECT *ret;
{
BY_DIR *ctx;
- X509 st_x509;
- X509_CINF st_x509_cinf;
+ union {
+ struct {
+ X509 st_x509;
+ X509_CINF st_x509_cinf;
+ } x509;
+ struct {
+ X509_CRL st_crl;
+ X509_CRL_INFO st_crl_info;
+ } crl;
+ } data;
int ok=0;
int i,j,k;
unsigned long h;
BUF_MEM *b=NULL;
struct stat st;
X509_OBJECT stmp,*tmp;
+ char *postfix="";
if (name == NULL) return(0);
- st_x509.cert_info= &st_x509_cinf;
- st_x509_cinf.subject=name;
- stmp.data.x509= &st_x509;
stmp.type=type;
+ if (type == X509_LU_X509)
+ {
+ data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
+ data.x509.st_x509_cinf.subject=name;
+ stmp.data.x509= &data.x509.st_x509;
+ postfix="";
+ }
+ else if (type == X509_LU_CRL)
+ {
+ data.crl.st_crl.crl= &data.crl.st_crl_info;
+ data.crl.st_crl_info.issuer=name;
+ stmp.data.crl= &data.crl.st_crl;
+ postfix="r";
+ }
+ else
+ {
+ X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
+ goto finish;
+ }
if ((b=BUF_MEM_new()) == NULL)
{
@@ -277,7 +302,7 @@ X509_OBJECT *ret;
h=X509_NAME_hash(name);
for (i=0; i<ctx->num_dirs; i++)
{
- j=strlen(ctx->dirs[i])+1+8+6+1;
+ j=strlen(ctx->dirs[i])+1+8+6+1+1;
if (!BUF_MEM_grow(b,j))
{
X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
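Review bot: The size computed for `b` still budgets only five digits for `k` (the `6` appears to cover the dot plus five digits), while the loop in the following hunk increments `k` until stat() fails and formats it with an unbounded `sprintf`. A lookup directory holding 100000 or more consecutively numbered entries for one hash would therefore be written past the end of the buffer; that needs write access to the directory, but bounding it costs nothing. I would either size for the full decimal width of an int or stop the scan at a fixed limit, and add a comment naming each term, e.g. `/* dir + '/' + 8 hex + '.' + postfix + digits of k + NUL */`. The enclosing function starts and ends outside this hunk.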
@@ -286,14 +311,25 @@ X509_OBJECT *ret;
k=0;
for (;;)
{
- sprintf(b->data,"%s/%08lx.%d",ctx->dirs[i],h,k);
+ sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
+ postfix,k);
k++;
if (stat(b->data,&st) < 0)
break;
/* found one. */
- if ((X509_load_cert_file(xl,b->data,
- ctx->dirs_type[i])) == 0)
+ if (type == X509_LU_X509)
+ {
+ if ((X509_load_cert_file(xl,b->data,
+ ctx->dirs_type[i])) == 0)
+ break;
+ }
+ else if (type == X509_LU_CRL)
+ {
+ if ((X509_load_crl_file(xl,b->data,
+ ctx->dirs_type[i])) == 0)
break;
+ }
+ /* else case will caught higher up */
}
/* we have added it to the cache so now pull
@@ -307,7 +343,10 @@ X509_OBJECT *ret;
{
ok=1;
ret->type=tmp->type;
- ret->data.x509=tmp->data.x509;
+ memcpy(&ret->data,&tmp->data,sizeof(ret->data));
+ /* If we were going to up the reference count,
+ * we would need to do it on a perl 'type'
+ * basis */
/* CRYPTO_add(&tmp->data.x509->references,1,
CRYPTO_LOCK_X509);*/
goto finish;
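Review bot: The added comment reads `perl 'type'` where `per 'type'` is meant, and it describes a hypothetical rather than the consequence for callers. Because the reference-count call stays commented out, `ret->data` is a borrowed pointer to the cached object after the `memcpy`; I would say so directly, e.g. `/* ret borrows tmp's object: no reference is taken, so it is only valid while the cached entry lives */`. The enclosing function starts and ends outside this hunk.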
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 2dac28f542..09ebb9bf08 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -1,5 +1,5 @@
/* crypto/x509/by_file.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -68,6 +68,8 @@
#include "x509.h"
#include "pem.h"
+#ifndef NO_STDIO
+
#ifndef NOPROTO
static int by_file_ctrl(X509_LOOKUP *ctx,int cmd,char *argc,
long argl,char **ret);
@@ -101,7 +103,7 @@ char *argp;
long argl;
char **ret;
{
- int ok=0;
+ int ok=0,ok2=0;
char *file;
switch (cmd)
@@ -111,7 +113,9 @@ char **ret;
{
ok=X509_load_cert_file(ctx,X509_get_default_cert_file(),
X509_FILETYPE_PEM);
- if (!ok)
+ ok2=X509_load_crl_file(ctx,X509_get_default_cert_file(),
+ X509_FILETYPE_PEM);
+ if (!ok || !ok2)
{
X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
}
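Review bot: Requiring both loaders to succeed (`if (!ok || !ok2)` here, and `return((ok && ok2)?ok:0)` in the next hunk) makes the lookup fail for any file that does not hold both certificates and CRLs. X509_load_crl_file as added further down reports an error when a PEM file yields no CRL at all (`count` is 0), and with X509_FILETYPE_ASN1 a single DER object cannot parse as both a certificate and a CRL, so that path looks unable to succeed. Callers that check the result will reject an ordinary certificate bundle, and callers that ignore it are left with an error queued. I would treat the CRL load as optional, e.g. `return(ok);` with the CRL error cleared when no CRL was found. by_file_ctrl starts before this hunk.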
@@ -120,13 +124,18 @@ char **ret;
file=(char *)Getenv(X509_get_default_cert_file_env());
ok=X509_load_cert_file(ctx,file,
X509_FILETYPE_PEM);
+ ok2=X509_load_crl_file(ctx,file,
+ X509_FILETYPE_PEM);
}
}
else
+ {
ok=X509_load_cert_file(ctx,argp,(int)argl);
+ ok2=X509_load_crl_file(ctx,argp,(int)argl);
+ }
break;
}
- return(ok);
+ return((ok && ok2)?ok:0);
}
int X509_load_cert_file(ctx,file,type)
@@ -140,11 +149,7 @@ int type;
X509 *x=NULL;
if (file == NULL) return(1);
-#ifndef WIN16
- in=BIO_new(BIO_s_file());
-#else
- in=BIO_new(BIO_s_file_internal_w16());
-#endif
+ in=BIO_new(BIO_s_file_internal());
if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
{
@@ -203,3 +208,75 @@ err:
return(ret);
}
+int X509_load_crl_file(ctx,file,type)
+X509_LOOKUP *ctx;
+char *file;
+int type;
+ {
+ int ret=0;
+ BIO *in=NULL;
+ int i,count=0;
+ X509_CRL *x=NULL;
+
+ if (file == NULL) return(1);
+ in=BIO_new(BIO_s_file_internal());
+
+ if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
+ {
+ X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
+ goto err;
+ }
+
+ if (type == X509_FILETYPE_PEM)
+ {
+ for (;;)
+ {
+ x=PEM_read_bio_X509_CRL(in,NULL,NULL);
+ if (x == NULL)
+ {
+ if ((ERR_GET_REASON(ERR_peek_error()) ==
+ PEM_R_NO_START_LINE) && (count > 0))
+ {
+ ERR_clear_error();
+ break;
+ }
+ else
+ {
+ X509err(X509_F_X509_LOAD_CRL_FILE,
+ ERR_R_PEM_LIB);
+ goto err;
+ }
+ }
+ i=X509_STORE_add_crl(ctx->store_ctx,x);
+ if (!i) goto err;
+ count++;
+ X509_CRL_free(x);
+ x=NULL;
+ }
+ ret=count;
+ }
+ else if (type == X509_FILETYPE_ASN1)
+ {
+ x=d2i_X509_CRL_bio(in,NULL);
+ if (x == NULL)
+ {
+ X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
+ goto err;
+ }
+ i=X509_STORE_add_crl(ctx->store_ctx,x);
+ if (!i) goto err;
+ ret=i;
+ }
+ else
+ {
+ X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
+ goto err;
+ }
+err:
+ if (x != NULL) X509_CRL_free(x);
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
+#endif /* NO_STDIO */
+
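Review bot: X509_load_crl_file has no header comment, and its return convention is not obvious at the call sites in by_file_ctrl and by_dir.c. From the body, the PEM branch returns the number of CRLs added, the ASN1 branch returns the result of X509_STORE_add_crl, every error returns 0, and a NULL `file` returns 1 without loading anything. I would document that above the function, e.g. `/* Returns the number of CRLs added, or 0 on error. A NULL file is not an error and returns 1; a PEM file containing no CRL is an error. */`.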
diff --git a/crypto/x509/v3_net.c b/crypto/x509/v3_net.c
index 5e79a57f03..0c2d276d13 100644
--- a/crypto/x509/v3_net.c
+++ b/crypto/x509/v3_net.c
@@ -1,5 +1,5 @@
/* crypto/x509/v3_net.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -66,9 +66,9 @@
#define NETSCAPE_X509_EXT_NUM 8
static X509_EXTENSION_METHOD netscape_x509_ext[NETSCAPE_X509_EXT_NUM]={
-{NID_netscape_ca_policy_url,V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_netscape_ssl_server_name,V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_netscape_revocation_url,V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
+{NID_netscape_ca_policy_url, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
+{NID_netscape_ssl_server_name, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
+{NID_netscape_revocation_url, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
{NID_netscape_base_url,V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
{NID_netscape_cert_type,V_ASN1_BIT_STRING,X509_EXT_PACK_STRING},
{NID_netscape_ca_revocation_url,V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
diff --git a/crypto/x509/v3_x509.c b/crypto/x509/v3_x509.c
index 57a7b17df1..f685aa4c71 100644
--- a/crypto/x509/v3_x509.c
+++ b/crypto/x509/v3_x509.c
@@ -1,5 +1,5 @@
/* crypto/x509/v3_x509.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -57,32 +57,197 @@
*/
#include <stdio.h>
+#include <ctype.h>
#include "stack.h"
#include "cryptlib.h"
+#include "bio.h"
#include "asn1.h"
#include "objects.h"
#include "x509.h"
+#if 0
+static int i2a_key_usage(BIO *bp, X509 *x);
+static int a2i_key_usage(X509 *x, char *str, int len);
+#endif
+
+int X509v3_get_key_usage(X509 *x);
+int X509v3_set_key_usage(X509 *x,unsigned int use);
+int i2a_X509v3_key_usage(BIO *bp, unsigned int use);
+unsigned int a2i_X509v3_key_usage(char *p);
+
#define STD_X509_EXT_NUM 9
-static X509_EXTENSION_METHOD std_x509_ext[STD_X509_EXT_NUM]={
-{NID_subject_key_identifier, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_key_usage, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_private_key_usage_period, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_subject_alt_name, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_issuer_alt_name, V_ASN1_BIT_STRING,X509_EXT_PACK_STRING},
-{NID_basic_constraints, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_crl_number, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_certificate_policies, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
-{NID_authority_key_identifier, V_ASN1_IA5STRING,X509_EXT_PACK_STRING},
+#if 0
+static X509_OBJECTS std_x509_ext[STD_X509_EXT_NUM]={
+{NID_subject_key_identifier, NULL,NULL},
+{NID_key_usage, a2i_key_usage,i2a_key_usage}, /**/
+{NID_private_key_usage_period, NULL,NULL},
+{NID_subject_alt_name, NULL,NULL},
+{NID_issuer_alt_name, NULL,NULL},
+{NID_basic_constraints, NULL,NULL},
+{NID_crl_number, NULL,NULL},
+{NID_certificate_policies, NULL,NULL},
+{NID_authority_key_identifier, NULL,NULL},
};
+#endif
int X509v3_add_standard_extensions()
{
- int i;
+#if 0
for (i=0; i<STD_X509_EXT_NUM; i++)
if (!X509v3_add_extension(&(std_x509_ext[i])))
return(0);
+#endif
+ return(1);
+ }
+
+int X509v3_get_key_usage(x)
+X509 *x;
+ {
+ X509_EXTENSION *ext;
+ ASN1_STRING *st;
+ char *p;
+ int i;
+
+ i=X509_get_ext_by_NID(x,NID_key_usage,-1);
+ if (i < 0) return(X509v3_KU_UNDEF);
+ ext=X509_get_ext(x,i);
+ st=X509v3_unpack_string(NULL,V_ASN1_BIT_STRING,
+ X509_EXTENSION_get_data(X509_get_ext(x,i)));
+
+ p=(char *)ASN1_STRING_data(st);
+ if (ASN1_STRING_length(st) == 1)
+ i=p[0];
+ else if (ASN1_STRING_length(st) == 2)
+ i=p[0]|(p[1]<<8);
+ else
+ i=0;
+ return(i);
+ }
+
+static struct
+ {
+ char *name;
+ unsigned int value;
+ } key_usage_data[] ={
+ {"digitalSignature", X509v3_KU_DIGITAL_SIGNATURE},
+ {"nonRepudiation", X509v3_KU_NON_REPUDIATION},
+ {"keyEncipherment", X509v3_KU_KEY_ENCIPHERMENT},
+ {"dataEncipherment", X509v3_KU_DATA_ENCIPHERMENT},
+ {"keyAgreement", X509v3_KU_KEY_AGREEMENT},
+ {"keyCertSign", X509v3_KU_KEY_CERT_SIGN},
+ {"cRLSign", X509v3_KU_CRL_SIGN},
+ {"encipherOnly", X509v3_KU_ENCIPHER_ONLY},
+ {"decipherOnly", X509v3_KU_DECIPHER_ONLY},
+ {NULL,0},
+ };
+
+#if 0
+static int a2i_key_usage(x,str,len)
+X509 *x;
+char *str;
+int len;
+ {
+ return(X509v3_set_key_usage(x,a2i_X509v3_key_usage(str)));
+ }
+
+static int i2a_key_usage(bp,x)
+BIO *bp;
+X509 *x;
+ {
+ return(i2a_X509v3_key_usage(bp,X509v3_get_key_usage(x)));
+ }
+#endif
+
+int i2a_X509v3_key_usage(bp,use)
+BIO *bp;
+unsigned int use;
+ {
+ int i=0,first=1;
+
+ for (;;)
+ {
+ if (use | key_usage_data[i].value)
+ {
+ BIO_printf(bp,"%s%s",((first)?"":" "),
+ key_usage_data[i].name);
+ first=0;
+ }
+ }
return(1);
}
+
+unsigned int a2i_X509v3_key_usage(p)
+char *p;
+ {
+ unsigned int ret=0;
+ char *q,*s;
+ int i,n;
+
+ q=p;
+ for (;;)
+ {
+ while ((*q != '\0') && isalnum(*q))
+ q++;
+ if (*q == '\0') break;
+ s=q++;
+ while (isalnum(*q))
+ q++;
+ n=q-s;
+ i=0;
+ for (;;)
+ {
+ if (strncmp(key_usage_data[i].name,s,n) == 0)
+ {
+ ret|=key_usage_data[i].value;
+ break;
+ }
+ i++;
+ if (key_usage_data[i].name == NULL)
+ return(X509v3_KU_UNDEF);
+ }
+ }
+ return(ret);
+ }
+
+int X509v3_set_key_usage(x,use)
+X509 *x;
+unsigned int use;
+ {
+ ASN1_OCTET_STRING *os;
+ X509_EXTENSION *ext;
+ int i;
+ unsigned char data[4];
+
+ i=X509_get_ext_by_NID(x,NID_key_usage,-1);
+ if (i < 0)
+ {
+ i=X509_get_ext_count(x)+1;
+ if ((ext=X509_EXTENSION_new()) == NULL) return(0);
+ if (!X509_add_ext(x,ext,i))
+ {
+ X509_EXTENSION_free(ext);
+ return(0);
+ }
+ }
+ else
+ ext=X509_get_ext(x,i);
+
+ /* fill in 'ext' */
+ os=X509_EXTENSION_get_data(ext);
+
+ i=0;
+ if (use > 0)
+ {
+ i=1;
+ data[0]=use&0xff;
+ }
+ if (use > 0xff)
+ {
+ i=2;
+ data[1]=(use>>8)&0xff;
+ }
+ return((X509v3_pack_string(&os,V_ASN1_BIT_STRING,data,i) == NULL)?0:1);
+ }
+
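Review bot: i2a_X509v3_key_usage cannot terminate: its `for (;;)` never advances `i` and has no exit, and the test `use | key_usage_data[i].value` is true for every non-zero entry, so it keeps printing the first name. The loop should read `for (i=0; key_usage_data[i].name != NULL; i++)` with the test `if (use & key_usage_data[i].value)`. In a2i_X509v3_key_usage the first inner loop skips alphanumerics where it presumably means to skip separators (`!isalnum(...)`), and `strncmp(key_usage_data[i].name,s,n)` accepts any prefix of a name. X509v3_get_key_usage uses the result of X509v3_unpack_string without a NULL check and reads the bytes through a plain `char *`, so a first byte of 0x80 may come back sign-extended; `unsigned char *p` avoids that.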
diff --git a/crypto/x509/x509.err b/crypto/x509/x509.err
index 7f8b33ed89..8d0862d7d1 100644
--- a/crypto/x509/x509.err
+++ b/crypto/x509/x509.err
@@ -13,20 +13,22 @@
#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
#define X509_F_X509_LOAD_CERT_FILE 111
-#define X509_F_X509_NAME_ADD_ENTRY 112
-#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 113
-#define X509_F_X509_NAME_ENTRY_SET_OBJECT 114
-#define X509_F_X509_NAME_ONELINE 115
-#define X509_F_X509_NAME_PRINT 116
-#define X509_F_X509_PRINT_FP 117
-#define X509_F_X509_PUBKEY_GET 118
-#define X509_F_X509_PUBKEY_SET 119
-#define X509_F_X509_REQ_PRINT 120
-#define X509_F_X509_REQ_PRINT_FP 121
-#define X509_F_X509_REQ_TO_X509 122
-#define X509_F_X509_STORE_ADD_CERT 123
-#define X509_F_X509_TO_X509_REQ 124
-#define X509_F_X509_VERIFY_CERT 125
+#define X509_F_X509_LOAD_CRL_FILE 112
+#define X509_F_X509_NAME_ADD_ENTRY 113
+#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
+#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
+#define X509_F_X509_NAME_ONELINE 116
+#define X509_F_X509_NAME_PRINT 117
+#define X509_F_X509_PRINT_FP 118
+#define X509_F_X509_PUBKEY_GET 119
+#define X509_F_X509_PUBKEY_SET 120
+#define X509_F_X509_REQ_PRINT 121
+#define X509_F_X509_REQ_PRINT_FP 122
+#define X509_F_X509_REQ_TO_X509 123
+#define X509_F_X509_STORE_ADD_CERT 124
+#define X509_F_X509_STORE_ADD_CRL 125
+#define X509_F_X509_TO_X509_REQ 126
+#define X509_F_X509_VERIFY_CERT 127
/* Reason codes. */
#define X509_R_BAD_X509_FILETYPE 100
@@ -41,3 +43,4 @@
#define X509_R_UNKNOWN_NID 109
#define X509_R_UNKNOWN_STRING_TYPE 110
#define X509_R_UNSUPPORTED_ALGORITHM 111
+#define X509_R_WRONG_LOOKUP_TYPE 112
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index a1f7556818..95114f7c43 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1,5 +1,5 @@
/* crypto/x509/x509.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -90,6 +90,24 @@ extern "C" {
#define X509_FILETYPE_ASN1 2
#define X509_FILETYPE_DEFAULT 3
+#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
+#define X509v3_KU_NON_REPUDIATION 0x0040
+#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
+#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
+#define X509v3_KU_KEY_AGREEMENT 0x0008
+#define X509v3_KU_KEY_CERT_SIGN 0x0004
+#define X509v3_KU_CRL_SIGN 0x0002
+#define X509v3_KU_ENCIPHER_ONLY 0x0001
+#define X509v3_KU_DECIPHER_ONLY 0x8000
+#define X509v3_KU_UNDEF 0xffff
+
+typedef struct X509_objects_st
+ {
+ int nid;
+ int (*a2i)();
+ int (*i2a)();
+ } X509_OBJECTS;
+
typedef struct X509_algor_st
{
ASN1_OBJECT *algorithm;
@@ -133,25 +151,39 @@ typedef struct X509_name_st
#else
char *bytes;
#endif
+ unsigned long hash; /* Keep the hash around for lookups */
} X509_NAME;
+#define X509_EX_V_NETSCAPE_HACK 0x8000
+#define X509_EX_V_INIT 0x0001
typedef struct X509_extension_st
{
ASN1_OBJECT *object;
short critical;
short netscape_hack;
ASN1_OCTET_STRING *value;
+ long argl; /* used when decoding */
+ char *argp; /* used when decoding */
+ void (*ex_free)(); /* clear argp stuff */
} X509_EXTENSION;
-#define X509_EXT_PACK_UNKNOWN 0
-#define X509_EXT_PACK_STRING 1 /* X509v3_pack_string() */
-
+/* #if 1 */
typedef struct x509_extension_method_st
{
int nid;
int data_type;
int pack_type;
+ void (*ex_clear)();
+ int (*ex_get_bool)();
+ int (*ex_set_bool)();
+ int (*ex_get_str)();
+ int (*ex_set_str)();
+ char *(*ex_get_struct)();
+ int (*ex_set_struct)();
+ int (*a2i)();
+ int (*i2a)();
} X509_EXTENSION_METHOD;
+/* #endif */
typedef struct X509_req_info_st
{
@@ -307,8 +339,6 @@ typedef struct CBCParameter_st
a->sig_alg,a->signature,(char *)a->req_info,r)
#define X509_CRL_verify(a,r) ASN1_verify((int (*)())i2d_X509_CRL_INFO, \
a->sig_alg, a->signature,(char *)a->crl,r)
-#define NETSCAPE_SPKI_verify(a,r) ASN1_verify((int (*)())i2d_NETSCAPE_SPKAC, \
- a->sig_algor,a->signature, (char *)a->spkac,r)
#define X509_sign(x,pkey,md) \
ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature, \
@@ -428,6 +458,9 @@ typedef struct CBCParameter_st
(char *)data,md,len)
#endif
+#define X509_EXT_PACK_UNKNOWN 1
+#define X509_EXT_PACK_STRING 2
+
#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
@@ -448,7 +481,7 @@ typedef struct CBCParameter_st
#ifndef SSLEAY_MACROS
#ifdef HEADER_ENVELOPE_H
int X509_verify(X509 *a, EVP_PKEY *r);
-char *X509_verify_cert_error_string(int n);
+char *X509_verify_cert_error_string(long n);
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
@@ -464,7 +497,7 @@ int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
unsigned char *md,unsigned int *len);
#endif
-#ifndef WIN16
+#ifndef NO_FP_API
X509 *d2i_X509_fp(FILE *fp, X509 *x509);
int i2d_X509_fp(FILE *fp,X509 *x509);
X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL *crl);
@@ -515,7 +548,7 @@ char * X509_get_default_cert_dir_env(void );
char * X509_get_default_cert_file_env(void );
char * X509_get_default_private_dir(void );
-X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey);
+X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
void ERR_load_X509_strings(void );
@@ -674,7 +707,7 @@ int X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
unsigned long X509_NAME_hash(X509_NAME *x);
int X509_CRL_cmp(X509_CRL *a,X509_CRL *b);
-#ifndef WIN16
+#ifndef NO_FP_API
int X509_print_fp(FILE *bp,X509 *x);
int X509_REQ_print_fp(FILE *bp,X509_REQ *req);
#endif
@@ -691,9 +724,11 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
char *buf,int len);
-int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int oldpos);
+/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
+ * lastpos, seach after that position on. */
+int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
- int oldpos);
+ int lastpos);
X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
@@ -711,37 +746,38 @@ ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
int X509v3_get_ext_count(STACK *x);
-int X509v3_get_ext_by_NID(STACK *x, int nid, int oldpos);
-int X509v3_get_ext_by_OBJ(STACK *x,ASN1_OBJECT *obj,int oldpos);
-int X509v3_get_ext_by_critical(STACK *x, int crit, int oldpos);
+int X509v3_get_ext_by_NID(STACK *x, int nid, int lastpos);
+int X509v3_get_ext_by_OBJ(STACK *x,ASN1_OBJECT *obj,int lastpos);
+int X509v3_get_ext_by_critical(STACK *x, int crit, int lastpos);
X509_EXTENSION *X509v3_get_ext(STACK *x, int loc);
X509_EXTENSION *X509v3_delete_ext(STACK *x, int loc);
STACK * X509v3_add_ext(STACK **x, X509_EXTENSION *ex, int loc);
+
int X509v3_data_type_by_OBJ(ASN1_OBJECT *obj);
int X509v3_data_type_by_NID(int nid);
int X509v3_pack_type_by_OBJ(ASN1_OBJECT *obj);
int X509v3_pack_type_by_NID(int nid);
int X509_get_ext_count(X509 *x);
-int X509_get_ext_by_NID(X509 *x, int nid, int oldpos);
-int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int oldpos);
-int X509_get_ext_by_critical(X509 *x, int crit, int oldpos);
+int X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
+int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
+int X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
X509_EXTENSION *X509_get_ext(X509 *x, int loc);
X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
int X509_CRL_get_ext_count(X509_CRL *x);
-int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int oldpos);
-int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int oldpos);
-int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int oldpos);
+int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
+int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
+int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
int X509_REVOKED_get_ext_count(X509_REVOKED *x);
-int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int oldpos);
-int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int oldpos);
-int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int oldpos);
+int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
+int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
+int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
@@ -787,7 +823,7 @@ int X509_digest();
int X509_NAME_digest();
#endif
-#ifndef WIN16
+#ifndef NO_FP_API
X509 *d2i_X509_fp();
int i2d_X509_fp();
X509_CRL *d2i_X509_CRL_fp();
@@ -979,7 +1015,7 @@ int X509_NAME_cmp ();
unsigned long X509_NAME_hash();
int X509_CRL_cmp();
-#ifndef WIN16
+#ifndef NO_FP_API
int X509_print_fp();
int X509_REQ_print_fp();
#endif
@@ -1011,12 +1047,12 @@ int X509v3_get_ext_by_critical();
X509_EXTENSION *X509v3_get_ext();
X509_EXTENSION *X509v3_delete_ext();
STACK * X509v3_add_ext();
+
int X509v3_data_type_by_OBJ();
int X509v3_data_type_by_NID();
int X509v3_pack_type_by_OBJ();
int X509v3_pack_type_by_NID();
-
int X509_get_ext_count();
int X509_get_ext_by_NID();
int X509_get_ext_by_OBJ();
@@ -1077,20 +1113,22 @@ X509 *X509_find_by_subject();
#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
#define X509_F_X509_LOAD_CERT_FILE 111
-#define X509_F_X509_NAME_ADD_ENTRY 112
-#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 113
-#define X509_F_X509_NAME_ENTRY_SET_OBJECT 114
-#define X509_F_X509_NAME_ONELINE 115
-#define X509_F_X509_NAME_PRINT 116
-#define X509_F_X509_PRINT_FP 117
-#define X509_F_X509_PUBKEY_GET 118
-#define X509_F_X509_PUBKEY_SET 119
-#define X509_F_X509_REQ_PRINT 120
-#define X509_F_X509_REQ_PRINT_FP 121
-#define X509_F_X509_REQ_TO_X509 122
-#define X509_F_X509_STORE_ADD_CERT 123
-#define X509_F_X509_TO_X509_REQ 124
-#define X509_F_X509_VERIFY_CERT 125
+#define X509_F_X509_LOAD_CRL_FILE 112
+#define X509_F_X509_NAME_ADD_ENTRY 113
+#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
+#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
+#define X509_F_X509_NAME_ONELINE 116
+#define X509_F_X509_NAME_PRINT 117
+#define X509_F_X509_PRINT_FP 118
+#define X509_F_X509_PUBKEY_GET 119
+#define X509_F_X509_PUBKEY_SET 120
+#define X509_F_X509_REQ_PRINT 121
+#define X509_F_X509_REQ_PRINT_FP 122
+#define X509_F_X509_REQ_TO_X509 123
+#define X509_F_X509_STORE_ADD_CERT 124
+#define X509_F_X509_STORE_ADD_CRL 125
+#define X509_F_X509_TO_X509_REQ 126
+#define X509_F_X509_VERIFY_CERT 127
/* Reason codes. */
#define X509_R_BAD_X509_FILETYPE 100
@@ -1105,6 +1143,7 @@ X509 *X509_find_by_subject();
#define X509_R_UNKNOWN_NID 109
#define X509_R_UNKNOWN_STRING_TYPE 110
#define X509_R_UNSUPPORTED_ALGORITHM 111
+#define X509_R_WRONG_LOOKUP_TYPE 112
#ifdef __cplusplus
}
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 14eebbfcb8..f9d9510ac5 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_cmp.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -188,17 +188,27 @@ X509_NAME *b;
}
#ifndef NO_MD5
-/* I should do a DER encoding of the name and then hash it. */
+/* I now DER encode the name and hash it. Since I cache the DER encoding,
+ * this is reasonably effiecent. */
unsigned long X509_NAME_hash(x)
X509_NAME *x;
{
unsigned long ret=0;
unsigned char md[16];
- char str[256];
+ unsigned char str[256],*p,*pp;
+ int i;
+
+ i=i2d_X509_NAME(x,NULL);
+ if (i > sizeof(str))
+ p=Malloc(i);
+ else
+ p=str;
+
+ pp=p;
+ i2d_X509_NAME(x,&pp);
+ MD5((unsigned char *)p,i,&(md[0]));
+ if (p != str) Free(p);
- X509_NAME_oneline(x,str,256);
- ret=strlen(str);
- MD5((unsigned char *)str,ret,&(md[0]));
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
)&0xffffffffL;
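Review bot: The result of the first `i2d_X509_NAME(x,NULL)` call is not checked, and `i > sizeof(str)` compares a signed int with a size_t, so if the call can return a negative value it is converted to a large unsigned one and takes the Malloc branch. The Malloc result is then passed to the second i2d_X509_NAME call and to MD5 without a NULL check. I would add `if (i < 0) return(0);` after the first call and `if (p == NULL) return(0);` after the allocation; whether 0 is an acceptable hash on failure depends on callers not shown here. The function's return statement is outside the hunk.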
@@ -226,7 +236,7 @@ ASN1_INTEGER *serial;
if (X509_issuer_and_serial_cmp(x509,&x) == 0)
return(x509);
}
- return(x509);
+ return(NULL);
}
X509 *X509_find_by_subject(sk,name)
diff --git a/crypto/x509/x509_d2.c b/crypto/x509/x509_d2.c
index 235d70f8d7..01e22f4cb4 100644
--- a/crypto/x509/x509_d2.c
+++ b/crypto/x509/x509_d2.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_d2.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -63,6 +63,7 @@
#include "crypto.h"
#include "x509.h"
+#ifndef NO_STDIO
int X509_STORE_set_default_paths(ctx)
X509_STORE *ctx;
{
@@ -101,6 +102,9 @@ char *path;
if (lookup == NULL) return(0);
X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM);
}
+ if ((path == NULL) && (file == NULL))
+ return(0);
return(1);
}
+#endif
diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
index 497923828c..d9ab39b15a 100644
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_def.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index bfcc47fe03..9304721612 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -60,6 +60,7 @@
#include "x509.h"
/* BEGIN ERROR CODES */
+#ifndef NO_ERR
static ERR_STRING_DATA X509_str_functs[]=
{
{ERR_PACK(0,X509_F_ADD_CERT_DIR,0), "ADD_CERT_DIR"},
@@ -74,6 +75,7 @@ static ERR_STRING_DATA X509_str_functs[]=
{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0), "X509_EXTENSION_create_by_OBJ"},
{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0), "X509_get_pubkey_parameters"},
{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0), "X509_LOAD_CERT_FILE"},
+{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0), "X509_LOAD_CRL_FILE"},
{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0), "X509_NAME_add_entry"},
{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0), "X509_NAME_ENTRY_create_by_NID"},
{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0), "X509_NAME_ENTRY_set_object"},
@@ -86,6 +88,7 @@ static ERR_STRING_DATA X509_str_functs[]=
{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0), "X509_REQ_print_fp"},
{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0), "X509_REQ_to_X509"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_ADD_CERT"},
+{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_ADD_CRL"},
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
{0,NULL},
@@ -105,17 +108,23 @@ static ERR_STRING_DATA X509_str_reasons[]=
{X509_R_UNKNOWN_NID ,"unknown nid"},
{X509_R_UNKNOWN_STRING_TYPE ,"unknown string type"},
{X509_R_UNSUPPORTED_ALGORITHM ,"unsupported algorithm"},
+{X509_R_WRONG_LOOKUP_TYPE ,"wrong lookup type"},
{0,NULL},
};
+#endif
+
void ERR_load_X509_strings()
{
static int init=1;
- if (init)
- {
+ if (init);
+ {;
init=0;
+#ifndef NO_ERR
ERR_load_strings(ERR_LIB_X509,X509_str_functs);
ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
+#endif
+
}
}
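Review bot: The new `if (init);` ends the statement at the semicolon, so the block that follows is no longer guarded and runs on every call. The `init` flag is still cleared but never effectively tested, and both string tables are loaded again each time ERR_load_X509_strings is called. The previous form, `if (init)` followed directly by `{`, should be kept. The Makefile.ssl change in this commit suggests this file is produced by err_genc.pl, so the fix likely belongs in that script.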
diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c
index 7495183e88..1d76ecfcfd 100644
--- a/crypto/x509/x509_ext.c
+++ b/crypto/x509/x509_ext.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_ext.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -70,28 +70,28 @@ X509_CRL *x;
return(X509v3_get_ext_count(x->crl->extensions));
}
-int X509_CRL_get_ext_by_NID(x,nid,oldpos)
+int X509_CRL_get_ext_by_NID(x,nid,lastpos)
X509_CRL *x;
int nid;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_NID(x->crl->extensions,nid,oldpos));
+ return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
}
-int X509_CRL_get_ext_by_OBJ(x,obj,oldpos)
+int X509_CRL_get_ext_by_OBJ(x,obj,lastpos)
X509_CRL *x;
ASN1_OBJECT *obj;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,oldpos));
+ return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
}
-int X509_CRL_get_ext_by_critical(x,crit,oldpos)
+int X509_CRL_get_ext_by_critical(x,crit,lastpos)
X509_CRL *x;
int crit;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_critical(x->crl->extensions,crit,oldpos));
+ return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
}
X509_EXTENSION *X509_CRL_get_ext(x,loc)
@@ -122,28 +122,28 @@ X509 *x;
return(X509v3_get_ext_count(x->cert_info->extensions));
}
-int X509_get_ext_by_NID(x,nid,oldpos)
+int X509_get_ext_by_NID(x,nid,lastpos)
X509 *x;
int nid;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,oldpos));
+ return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
}
-int X509_get_ext_by_OBJ(x,obj,oldpos)
+int X509_get_ext_by_OBJ(x,obj,lastpos)
X509 *x;
ASN1_OBJECT *obj;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,oldpos));
+ return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
}
-int X509_get_ext_by_critical(x,crit,oldpos)
+int X509_get_ext_by_critical(x,crit,lastpos)
X509 *x;
int crit;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,oldpos));
+ return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
}
X509_EXTENSION *X509_get_ext(x,loc)
@@ -174,28 +174,28 @@ X509_REVOKED *x;
return(X509v3_get_ext_count(x->extensions));
}
-int X509_REVOKED_get_ext_by_NID(x,nid,oldpos)
+int X509_REVOKED_get_ext_by_NID(x,nid,lastpos)
X509_REVOKED *x;
int nid;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_NID(x->extensions,nid,oldpos));
+ return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
}
-int X509_REVOKED_get_ext_by_OBJ(x,obj,oldpos)
+int X509_REVOKED_get_ext_by_OBJ(x,obj,lastpos)
X509_REVOKED *x;
ASN1_OBJECT *obj;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_OBJ(x->extensions,obj,oldpos));
+ return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
}
-int X509_REVOKED_get_ext_by_critical(x,crit,oldpos)
+int X509_REVOKED_get_ext_by_critical(x,crit,lastpos)
X509_REVOKED *x;
int crit;
-int oldpos;
+int lastpos;
{
- return(X509v3_get_ext_by_critical(x->extensions,crit,oldpos));
+ return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
}
X509_EXTENSION *X509_REVOKED_get_ext(x,loc)
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 455ad5af45..2c7e10a46e 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_lu.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -61,6 +61,9 @@
#include "lhash.h"
#include "x509.h"
+static STACK *x509_store_meth=NULL;
+static STACK *x509_store_ctx_meth=NULL;
+
X509_LOOKUP *X509_LOOKUP_new(method)
X509_LOOKUP_METHOD *method;
{
@@ -170,7 +173,7 @@ char *str;
int len;
X509_OBJECT *ret;
{
- if ((ctx->method == NULL) || (ctx->method->get_by_alias))
+ if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
return(X509_LU_FAIL);
return(ctx->method->get_by_alias(ctx,str,len,ret));
}
@@ -226,7 +229,7 @@ X509_STORE *X509_STORE_new()
ret->get_cert_methods=sk_new_null();
ret->verify=NULL;
ret->verify_cb=NULL;
- ret->app_data=NULL;
+ memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
ret->references=1;
return(ret);
}
@@ -264,6 +267,7 @@ X509_STORE *vfy;
}
sk_free(sk);
+ CRYPTO_free_ex_data(x509_store_meth,(char *)vfy,&vfy->ex_data);
lh_doall(vfy->certs,cleanup);
lh_free(vfy->certs);
Free(vfy);
@@ -425,6 +429,7 @@ STACK *chain;
ctx->depth=10;
ctx->error=0;
ctx->current_cert=NULL;
+ memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
}
void X509_STORE_CTX_cleanup(ctx)
@@ -435,5 +440,7 @@ X509_STORE_CTX *ctx;
sk_pop_free(ctx->chain,X509_free);
ctx->chain=NULL;
}
+ CRYPTO_free_ex_data(x509_store_ctx_meth,(char *)ctx,&(ctx->ex_data));
+ memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
}
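Review bot: The stack handed to `CRYPTO_free_ex_data` in this hunk, `x509_store_ctx_meth`, is a file-static in x509_lu.c that nothing in the diff ever fills, while `X509_STORE_CTX_get_ex_new_index` in x509_vfy.c registers its callbacks in a different static, `x509_store_ctx_method`. As far as the diff shows, a `free_func` registered by an application is therefore never reached from `X509_STORE_CTX_cleanup`, so whatever it owns is leaked rather than released. The same applies to `x509_store_meth` in the `X509_STORE_free` hunk above, whose only counterpart in x509_vfy.c sits under `#if 0`. Sharing one stack between the two files would connect them, for example by dropping `static` in x509_vfy.c and declaring `extern STACK *x509_store_ctx_method;` here. The body of X509_STORE_CTX_cleanup begins outside the hunk.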
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index 2b53af1e61..c0576fd6f6 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_obj.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -76,6 +76,7 @@ int len;
BUF_MEM *b=NULL;
static char hex[17]="0123456789ABCDEF";
int gs_doit[4];
+ char tmp_buf[80];
if (a == NULL) return("NO X509_NAME");
if (buf == NULL)
@@ -92,12 +93,10 @@ int len;
{
ne=(X509_NAME_ENTRY *)sk_value(a->entries,i);
n=OBJ_obj2nid(ne->object);
- if (n == NID_undef)
- s="UNKNOWN";
- else
+ if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
{
- s=OBJ_nid2sn(n);
- if (s == NULL) s="UNKNOWN2";
+ i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
+ s=tmp_buf;
}
l1=strlen(s);
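Review bot: The return value of `i2t_ASN1_OBJECT` is ignored and `tmp_buf` is uninitialised, so if the call can fail without writing a terminator (not visible here), `strlen(s)` on the next line reads indeterminate stack bytes. Setting `tmp_buf[0]='\0';` before the call makes the fallback well defined. It is also worth a comment that an OID whose text form exceeds 79 characters is cut short, because code that logs or compares the one-line name will then see a truncated component. The enclosing function starts and ends outside the hunk.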
diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c
index 7e79959c8a..6aec2427f7 100644
--- a/crypto/x509/x509_r2x.c
+++ b/crypto/x509/x509_r2x.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_r2x.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index c1f10c2428..5004365bad 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_req.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -66,9 +66,10 @@
#include "buffer.h"
#include "pem.h"
-X509_REQ *X509_to_X509_REQ(x,pkey)
+X509_REQ *X509_to_X509_REQ(x,pkey,md)
X509 *x;
EVP_PKEY *pkey;
+EVP_MD *md;
{
X509_REQ *ret;
X509_REQ_INFO *ri;
@@ -94,9 +95,11 @@ EVP_PKEY *pkey;
i=X509_REQ_set_pubkey(ret,X509_get_pubkey(x));
if (!i) goto err;
-/* NEEDS FIXING EAY EAY EAY */
- if (!X509_REQ_sign(ret,pkey,EVP_md5()))
- goto err;
+ if (pkey != NULL)
+ {
+ if (!X509_REQ_sign(ret,pkey,md))
+ goto err;
+ }
return(ret);
err:
X509_REQ_free(ret);
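Review bot: `md` is passed to `X509_REQ_sign` unchecked whenever `pkey` is non-NULL, and a NULL `pkey` now returns a request that was never signed without any indication to the caller. What `X509_REQ_sign` does with a NULL digest is not visible here, so a guard such as `if (md == NULL) goto err;` inside the `pkey != NULL` branch would keep the failure local. The function should also carry a comment stating that a NULL `pkey` yields an unsigned request which must be signed before it is used. The function body starts outside the hunk.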
@@ -106,6 +109,8 @@ err:
EVP_PKEY *X509_REQ_get_pubkey(req)
X509_REQ *req;
{
+ if ((req == NULL) || (req->req_info == NULL))
+ return(NULL);
return(X509_PUBKEY_get(req->req_info->pubkey));
}
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index f65ae91f53..5d0a3a0c0e 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_set.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index d5fc5839a1..408d1c277c 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_txt.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -71,11 +71,11 @@
#include "pem.h"
char *X509_verify_cert_error_string(n)
-int n;
+long n;
{
static char buf[100];
- switch (n)
+ switch ((int)n)
{
case X509_V_OK:
return("ok");
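Review bot: The `(int)n` cast in the switch discards the upper bits of the new `long` argument, so on a platform where `long` is wider than `int` a non-zero code whose low bits are zero selects `X509_V_OK` and is reported as "ok". Switching on the value directly, `switch (n)`, avoids that and sends out-of-range values to the `default` branch, which already formats them with `%ld`. The rest of the switch lies outside this hunk.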
@@ -105,9 +105,9 @@ int n;
return("format error in certificate's notBefore field");
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
return("format error in certificate's notAfter field");
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FILED:
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
return("format error in CRL's lastUpdate field");
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FILED:
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
return("format error in CRL's nextUpdate field");
case X509_V_ERR_OUT_OF_MEM:
return("out of memory");
@@ -121,8 +121,10 @@ int n;
return("unable to verify the first certificate");
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
return("certificate chain too long");
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ return("application verification failure");
default:
- sprintf(buf,"error number %d",n);
+ sprintf(buf,"error number %ld",n);
return(buf);
}
}
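Review bot: The switch gains a string for `X509_V_ERR_APPLICATION_VERIFICATION` but not for `X509_V_ERR_CERT_REVOKED`, which the x509_vfy.h part of this commit defines as 23. A revoked certificate would therefore be reported through the `default` branch as "error number 23", which is easy to overlook in logs. Adding `case X509_V_ERR_CERT_REVOKED:` with `return("certificate revoked");` next to the other cases keeps the table in step with the header. The start of the function is outside the hunk.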
diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c
index 388130b1d7..1c03602f0b 100644
--- a/crypto/x509/x509_v3.c
+++ b/crypto/x509/x509_v3.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_v3.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -81,59 +81,59 @@ STACK *x;
return(sk_num(x));
}
-int X509v3_get_ext_by_NID(x,nid,oldpos)
+int X509v3_get_ext_by_NID(x,nid,lastpos)
STACK *x;
int nid;
-int oldpos;
+int lastpos;
{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
- return(X509v3_get_ext_by_OBJ(x,obj,oldpos));
+ return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
}
-int X509v3_get_ext_by_OBJ(sk,obj,oldpos)
+int X509v3_get_ext_by_OBJ(sk,obj,lastpos)
STACK *sk;
ASN1_OBJECT *obj;
-int oldpos;
+int lastpos;
{
int n;
X509_EXTENSION *ex;
if (sk == NULL) return(-1);
- oldpos++;
- if (oldpos < 0)
- oldpos=0;
+ lastpos++;
+ if (lastpos < 0)
+ lastpos=0;
n=sk_num(sk);
- for ( ; oldpos < n; oldpos++)
+ for ( ; lastpos < n; lastpos++)
{
- ex=(X509_EXTENSION *)sk_value(sk,oldpos);
+ ex=(X509_EXTENSION *)sk_value(sk,lastpos);
if (OBJ_cmp(ex->object,obj) == 0)
- return(oldpos);
+ return(lastpos);
}
return(-1);
}
-int X509v3_get_ext_by_critical(sk,crit,oldpos)
+int X509v3_get_ext_by_critical(sk,crit,lastpos)
STACK *sk;
int crit;
-int oldpos;
+int lastpos;
{
int n;
X509_EXTENSION *ex;
if (sk == NULL) return(-1);
- oldpos++;
- if (oldpos < 0)
- oldpos=0;
+ lastpos++;
+ if (lastpos < 0)
+ lastpos=0;
n=sk_num(sk);
- for ( ; oldpos < n; oldpos++)
+ for ( ; lastpos < n; lastpos++)
{
- ex=(X509_EXTENSION *)sk_value(sk,oldpos);
+ ex=(X509_EXTENSION *)sk_value(sk,lastpos);
if ( (ex->critical && crit) ||
(!ex->critical && !crit))
- return(oldpos);
+ return(lastpos);
}
return(-1);
}
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f6dba6f9ef..c1be91edba 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509_vfy.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -62,6 +62,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include "crypto.h"
#include "cryptlib.h"
#include "lhash.h"
#include "buffer.h"
@@ -79,7 +80,13 @@ static int null_callback();
static int internal_verify();
#endif
-char *X509_version="X509 part of SSLeay 0.8.1b 29-Jun-1998";
+char *X509_version="X509 part of SSLeay 0.9.0b 29-Jun-1998";
+static STACK *x509_store_ctx_method=NULL;
+static int x509_store_ctx_num=0;
+#if 0
+static int x509_store_num=1;
+static STACK *x509_store_method=NULL;
+#endif
static int null_callback(ok,e)
int ok;
@@ -427,13 +434,13 @@ ASN1_UTCTIME *ctm;
offset=((str[1]-'0')*10+(str[2]-'0'))*60;
offset+=(str[3]-'0')*10+(str[4]-'0');
if (*str == '-')
- offset-=offset;
+ offset=-offset;
}
atm.type=V_ASN1_UTCTIME;
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- X509_gmtime_adj(&atm,offset);
+ X509_gmtime_adj(&atm,-offset);
i=(buff1[0]-'0')*10+(buff1[1]-'0');
if (i < 70) i+=100;
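Review bot: `offset` is built as hours times 60 plus minutes, so the value passed in `X509_gmtime_adj(&atm,-offset)` is a number of minutes. If `X509_gmtime_adj` takes its adjustment in seconds, as its name and other uses suggest (to be confirmed against its definition), the time-zone correction is 60 times too small and validity periods near their boundaries are compared against the wrong instant. In that case the call should read `X509_gmtime_adj(&atm,-offset*60);`. The enclosing function starts and ends outside the hunk.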
@@ -505,6 +512,8 @@ STACK *chain;
EVP_PKEY *X509_get_pubkey(x)
X509 *x;
{
+ if ((x == NULL) || (x->cert_info == NULL))
+ return(NULL);
return(X509_PUBKEY_get(x->cert_info->key));
}
@@ -582,4 +591,114 @@ X509 *x;
return(ret);
}
+int X509_STORE_add_crl(ctx,x)
+X509_STORE *ctx;
+X509_CRL *x;
+ {
+ X509_OBJECT *obj,*r;
+ int ret=1;
+
+ if (x == NULL) return(0);
+ obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+ if (obj == NULL)
+ {
+ X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ obj->type=X509_LU_CRL;
+ obj->data.crl=x;
+
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+ X509_OBJECT_up_ref_count(obj);
+
+ r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+ if (r != NULL)
+ { /* oops, put it back */
+ lh_delete(ctx->certs,(char *)obj);
+ X509_OBJECT_free_contents(obj);
+ Free(obj);
+ lh_insert(ctx->certs,(char *)r);
+ X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+ ret=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+ return(ret);
+ }
+
+int X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
+long argl;
+char *argp;
+int (*new_func)();
+int (*dup_func)();
+void (*free_func)();
+ {
+ x509_store_ctx_num++;
+ return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+ &x509_store_ctx_method,
+ argl,argp,new_func,dup_func,free_func));
+ }
+
+int X509_STORE_CTX_set_ex_data(ctx,idx,data)
+X509_STORE_CTX *ctx;
+int idx;
+char *data;
+ {
+ return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
+ }
+
+char *X509_STORE_CTX_get_ex_data(ctx,idx)
+X509_STORE_CTX *ctx;
+int idx;
+ {
+ return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
+ }
+
+int X509_STORE_CTX_get_error(ctx)
+X509_STORE_CTX *ctx;
+ {
+ return(ctx->error);
+ }
+
+void X509_STORE_CTX_set_error(ctx,err)
+X509_STORE_CTX *ctx;
+int err;
+ {
+ ctx->error=err;
+ }
+
+int X509_STORE_CTX_get_error_depth(ctx)
+X509_STORE_CTX *ctx;
+ {
+ return(ctx->error_depth);
+ }
+
+X509 *X509_STORE_CTX_get_current_cert(ctx)
+X509_STORE_CTX *ctx;
+ {
+ return(ctx->current_cert);
+ }
+
+STACK *X509_STORE_CTX_get_chain(ctx)
+X509_STORE_CTX *ctx;
+ {
+ return(ctx->chain);
+ }
+
+void X509_STORE_CTX_set_cert(ctx,x)
+X509_STORE_CTX *ctx;
+X509 *x;
+ {
+ ctx->cert=x;
+ }
+
+void X509_STORE_CTX_set_chain(ctx,sk)
+X509_STORE_CTX *ctx;
+STACK *sk;
+ {
+ ctx->untrusted=sk;
+ }
+
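Review bot: `X509_STORE_CTX_get_ex_new_index` increments `x509_store_ctx_num` and then reads it again with no lock held, although `X509_STORE_add_crl` in the same hunk takes `CRYPTO_LOCK_X509_STORE` around its shared state. Two threads registering at the same time could receive the same index and then overwrite each other's ex_data slot. Either document that registration must happen before threads are started, or take the index and call `CRYPTO_get_ex_new_index` under a lock as sketched below. `CRYPTO_LOCK_X509_STORE` is used there only because it is the lock already present in this hunk, and whether `CRYPTO_get_ex_new_index` locks internally is not visible here.

```c
int X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
/* ... unchanged: K&R parameter declarations ... */
	{
	int ret;

	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
	ret=CRYPTO_get_ex_new_index(x509_store_ctx_num++,
		&x509_store_ctx_method,
		argl,argp,new_func,dup_func,free_func);
	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
	return(ret);
	}
```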
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index b92e1ba432..dfc060f899 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -1,5 +1,5 @@
/* crypto/x509/x509_vfy.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -63,6 +63,9 @@
extern "C" {
#endif
+#include "bio.h"
+#include "crypto.h"
+
/* Outer object */
typedef struct x509_hash_dir_st
{
@@ -149,12 +152,12 @@ typedef struct x509_store_st
int (*verify)(); /* called to verify a certificate */
int (*verify_cb)(); /* error callback */
- char *app_data;
+ CRYPTO_EX_DATA ex_data;
int references;
int depth; /* how deep to look */
} X509_STORE;
-#define X509_STORE_set_depth(ctx,depth) ((ctx)->depth=(depth))
+#define X509_STORE_set_depth(ctx,d) ((ctx)->depth=(d))
#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
@@ -193,19 +196,13 @@ typedef struct x509_store_state_st
int error;
X509 *current_cert;
- char *app_data;
+ CRYPTO_EX_DATA ex_data;
} X509_STORE_CTX;
-#define X509_STORE_CTX_set_app_data(ctx,data) ((ctx)->app_data=(data))
-#define X509_STORE_CTX_get_app_data(ctx) ((ctx)->app_data)
-#define X509_STORE_CTX_get_error(ctx) ((ctx)->error)
-#define X509_STORE_CTX_set_error(ctx,s) ((ctx)->error=(s))
-#define X509_STORE_CTX_get_error_depth(ctx) ((ctx)->error_depth)
-#define X509_STORE_CTX_get_current_cert(ctx) ((ctx)->current_cert)
-#define X509_STORE_CTX_get_chain(ctx) ((ctx)->chain)
-
-#define X509_STORE_CTX_set_cert(c,ch) ((c)->cert=(ch))
-#define X509_STORE_CTX_set_chain(c,ch) ((c)->untrusted=(ch))
+#define X509_STORE_CTX_set_app_data(ctx,data) \
+ X509_STORE_CTX_set_ex_data(ctx,0,data)
+#define X509_STORE_CTX_get_app_data(ctx) \
+ X509_STORE_CTX_get_ex_data(ctx,0)
#define X509_L_FILE_LOAD 1
#define X509_L_ADD_DIR 2
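Review bot: The new `X509_STORE_CTX_set_app_data` and `X509_STORE_CTX_get_app_data` macros use ex_data index 0, but x509_vfy.c starts `x509_store_ctx_num` at 0, so the first index returned by `X509_STORE_CTX_get_ex_new_index` appears to be 0 as well. An application that uses both mechanisms would then have its app_data pointer and its first registered slot alias each other. The disabled `x509_store_num=1` in the same file suggests index 0 was meant to be reserved. Declaring `static int x509_store_ctx_num=1;` would do that, provided `CRYPTO_get_ex_new_index` accepts a first index of 1.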
@@ -233,14 +230,18 @@ X509_LOOKUP_METHOD *X509_LOOKUP_dir();
#define X509_V_ERR_CRL_HAS_EXPIRED 12
#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
-#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FILED 15
-#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FILED 16
+#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
+#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
#define X509_V_ERR_OUT_OF_MEM 17
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
+#define X509_V_ERR_CERT_REVOKED 23
+
+/* The application is not happy */
+#define X509_V_ERR_APPLICATION_VERIFICATION 50
#ifndef NOPROTO
#ifdef HEADER_LHASH_H
@@ -261,12 +262,17 @@ X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
+int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
X509_OBJECT *ret);
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx,int cmd,char *argc,long argl,char **ret);
+
+#ifndef NO_STDIO
int X509_load_cert_file(X509_LOOKUP *ctx, char *file, int type);
+int X509_load_crl_file(X509_LOOKUP *ctx, char *file, int type);
+#endif
void X509v3_cleanup_extensions(void );
int X509v3_add_extension(X509_EXTENSION_METHOD *x);
@@ -286,9 +292,23 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
int len, X509_OBJECT *ret);
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
+#ifndef NO_STDIO
int X509_STORE_load_locations (X509_STORE *ctx,
char *file, char *dir);
int X509_STORE_set_default_paths(X509_STORE *ctx);
+#endif
+
+int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+ int (*dup_func)(), void (*free_func)());
+int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,char *data);
+char * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
+int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+STACK * X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
+void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK /* X509 */ *sk);
#else
@@ -309,11 +329,16 @@ X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir();
X509_LOOKUP_METHOD *X509_LOOKUP_file();
int X509_STORE_add_cert();
+int X509_STORE_add_crl();
int X509_STORE_get_by_subject();
int X509_LOOKUP_ctrl();
+
+#ifndef NO_STDIO
int X509_load_cert_file();
+int X509_load_crl_file();
+#endif
void X509v3_cleanup_extensions();
int X509v3_add_extension();
@@ -329,8 +354,20 @@ int X509_LOOKUP_by_fingerprint();
int X509_LOOKUP_by_alias();
int X509_LOOKUP_shutdown();
+#ifndef NO_STDIO
int X509_STORE_load_locations ();
int X509_STORE_set_default_paths();
+#endif
+
+int X509_STORE_CTX_set_ex_data();
+char * X509_STORE_CTX_get_ex_data();
+int X509_STORE_CTX_get_error();
+void X509_STORE_CTX_set_error();
+int X509_STORE_CTX_get_error_depth();
+X509 * X509_STORE_CTX_get_current_cert();
+STACK * X509_STORE_CTX_get_chain();
+void X509_STORE_CTX_set_cert();
+void X509_STORE_CTX_set_chain();
#endif
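Review bot: The non-prototype branch declares the new `X509_STORE_CTX_*` accessors but omits `X509_STORE_CTX_get_ex_new_index`, which the prototype branch of this header does declare. A NOPROTO build would fall back to an implicit declaration for it. Adding `int X509_STORE_CTX_get_ex_new_index();` before `int X509_STORE_CTX_set_ex_data();` keeps the two branches in step.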
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index 8223ec069d..650e71b1b5 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509name.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -103,37 +103,38 @@ X509_NAME *name;
return(sk_num(name->entries));
}
-int X509_NAME_get_index_by_NID(name,nid,oldpos)
+int X509_NAME_get_index_by_NID(name,nid,lastpos)
X509_NAME *name;
int nid;
-int oldpos;
+int lastpos;
{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
- return(X509_NAME_get_index_by_OBJ(name,obj,oldpos));
+ return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
}
-int X509_NAME_get_index_by_OBJ(name,obj,oldpos)
+/* NOTE: you should be passsing -1, not 0 as lastpos */
+int X509_NAME_get_index_by_OBJ(name,obj,lastpos)
X509_NAME *name;
ASN1_OBJECT *obj;
-int oldpos;
+int lastpos;
{
int n;
X509_NAME_ENTRY *ne;
STACK *sk;
if (name == NULL) return(-1);
- if (oldpos < 0)
- oldpos= -1;
+ if (lastpos < 0)
+ lastpos= -1;
sk=name->entries;
n=sk_num(sk);
- for (oldpos++; oldpos < n; oldpos++)
+ for (lastpos++; lastpos < n; lastpos++)
{
- ne=(X509_NAME_ENTRY *)sk_value(sk,oldpos);
+ ne=(X509_NAME_ENTRY *)sk_value(sk,lastpos);
if (OBJ_cmp(ne->object,obj) == 0)
- return(oldpos);
+ return(lastpos);
}
return(-1);
}
diff --git a/crypto/x509/x509pack.c b/crypto/x509/x509pack.c
index 949943fca5..846f125859 100644
--- a/crypto/x509/x509pack.c
+++ b/crypto/x509/x509pack.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509pack.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -141,7 +141,7 @@ ASN1_OCTET_STRING *os;
(ASN1_BIT_STRING **)ex,&p,os->length);
break;
case V_ASN1_OCTET_STRING:
- ret=(ASN1_STRING *)d2i_ASN1_BIT_STRING(
+ ret=(ASN1_STRING *)d2i_ASN1_OCTET_STRING(
(ASN1_BIT_STRING **)ex,&p,os->length);
break;
case V_ASN1_IA5STRING:
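Review bot: The decoder is now `d2i_ASN1_OCTET_STRING`, but the argument on the following line is still cast as `(ASN1_BIT_STRING **)ex`. If both names are aliases of the same string type the call behaves the same, but the leftover cast repeats the confusion this change corrects. The argument line would read better as `(ASN1_OCTET_STRING **)ex,&p,os->length);`. The switch and its function extend beyond the hunk.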
diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index 2ff456f2ee..323b25470a 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509rset.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 05d6919d6a..42c23bcfca 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -1,5 +1,5 @@
/* crypto/x509/x509type.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
diff --git a/crypto/x509/x509v3.doc b/crypto/x509/x509v3.doc
new file mode 100644
index 0000000000..1e760a9469
--- /dev/null
+++ b/crypto/x509/x509v3.doc
@@ -0,0 +1,24 @@
+The 'new' system.
+
+The X509_EXTENSION_METHOD includes extensions and attributes and/or names.
+Basically everthing that can be added to an X509 with an OID identifying it.
+
+It operates via 2 methods per object id.
+int a2i_XXX(X509 *x,char *str,int len);
+int i2a_XXX(BIO *bp,X509 *x);
+
+The a2i_XXX function will add the object with a value converted from the
+string into the X509. Len can be -1 in which case the length is calculated
+via strlen(str). Applications can always use direct knowledge to load and
+unload the relevent objects themselves.
+
+i2a_XXX will print to the passed BIO, a text representation of the
+relevet object. Use a memory BIO if you want it printed to a buffer :-).
+
+X509_add_by_NID(X509 *x,int nid,char *str,int len);
+X509_add_by_OBJ(X509 *x,ASN1_OBJECT *obj,char *str,int len);
+
+X509_print_by_name(BIO *bp,X509 *x);
+X509_print_by_NID(BIO *bp,X509 *x);
+X509_print_by_OBJ(BIO *bp,X509 *x);
+
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 2f554f597b..b7dde23e9a 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -1,5 +1,5 @@
/* crypto/x509/x_all.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -148,7 +148,7 @@ X509_EXTENSION *ex;
(char *(*)())d2i_X509_EXTENSION,(char *)ex));
}
-#ifndef WIN16
+#ifndef NO_FP_API
X509 *d2i_X509_fp(fp,x509)
FILE *fp;
X509 *x509;
@@ -187,7 +187,7 @@ X509_CRL *crl;
(char *(*)())d2i_X509_CRL,(char *)crl));
}
-#ifndef WIN16
+#ifndef NO_FP_API
X509_CRL *d2i_X509_CRL_fp(fp,crl)
FILE *fp;
X509_CRL *crl;
@@ -228,7 +228,7 @@ PKCS7 *p7;
(char *(*)())d2i_PKCS7,(char *)p7));
}
-#ifndef WIN16
+#ifndef NO_FP_API
PKCS7 *d2i_PKCS7_fp(fp,p7)
FILE *fp;
PKCS7 *p7;
@@ -269,7 +269,7 @@ X509_REQ *req;
(char *(*)())d2i_X509_REQ,(char *)req));
}
-#ifndef WIN16
+#ifndef NO_FP_API
X509_REQ *d2i_X509_REQ_fp(fp,req)
FILE *fp;
X509_REQ *req;
@@ -318,7 +318,7 @@ RSA *rsa;
(char *(*)())d2i_RSAPrivateKey,(char *)rsa));
}
-#ifndef WIN16
+#ifndef NO_FP_API
RSA *d2i_RSAPrivateKey_fp(fp,rsa)
FILE *fp;
RSA *rsa;
@@ -386,7 +386,7 @@ RSA *rsa;
#endif
#ifndef NO_DSA
-#ifndef WIN16
+#ifndef NO_FP_API
DSA *d2i_DSAPrivateKey_fp(fp,dsa)
FILE *fp;
DSA *dsa;