change to work properly; BN_zero() should set 'neg' to zero as well as
'top' to match the behaviour of BN_new().

For reference. Note that both cc and gcc support -Wl flag, but we can't
use -Wl,-[not]all with both drivers, because cc rearranges options
passed through -Wl. We can't use -Wl,-all,libcrypto.a,-notall with cc
either, because it refuses to start with "no input" error.

redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller

return a "zero" bignum as BN_new() does - so reset 'top'. During
BN_CTX_end(), released bignums should be consistent so enforce this in
debug builds. Also, reduce the number of wasted BN_clear_free() calls from
BN_CTX_end() (typically by 75% or so).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

Reported by: Jose Castejon-Amenedo <Jose.Castejon-Amenedo@hp.com>

Notified by Paul Siegel <psiegel@corestreet.com>

Submitted by: Nils Larsch

PR: 833

PR: 834

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe

The old raw format can't be handled by some implementations
and updates to RFC2560 will make this mandatory.

If -offset exceeds -length of data available exit with an error.

Don't read past end of total data available when -offset supplied.

If -length exceeds total available truncate it.

PR: 821

memory allocate when calling EVP_MD_CTX_copy_ex().

Without this HMAC is several times slower than
< 0.9.7.

more stuff.

Add the corresponding AES parts while I'm at it.
make update