CHANGES +20 −20 Original line number Diff line number Diff line Loading @@ -1822,7 +1822,7 @@ possible to have different stores per SSL structure or one store in the parent SSL_CTX. Include distinct stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure: returing to build and store a certificate chain in CERT structure: returning an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. Loading Loading @@ -2065,7 +2065,7 @@ 3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received Re-encode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature Loading Loading @@ -2155,7 +2155,7 @@ *) Add additional DigestInfo checks. Reencode DigestInto in DER and check against the original when Re-encode DigestInto in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures. Loading Loading @@ -2211,7 +2211,7 @@ *) An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. Thanks to Adam Langley and Wan-Teh Chang for discovering and researching Thanks to Adam Langley and Wan-The Chang for discovering and researching this issue. (CVE-2014-3505) [Adam Langley] Loading Loading 
@@ -2752,7 +2752,7 @@ in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 2^20 messages so it only affects automated senders. The old behaviour can be reenabled in the CMS code by setting the old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering Loading Loading @@ -3048,7 +3048,7 @@ as part of the CRL checking and indicate a new error "CRL path validation error" in this case. Applications wanting additional details can use the verify callback and check the new "parent" field. If this is not NULL CRL path validation is taking place. Existing applications wont NULL CRL path validation is taking place. Existing applications won't see this because it requires extended CRL support which is off by default. Loading Loading @@ -4061,9 +4061,9 @@ This work was sponsored by Logica. [Steve Henson] *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certifcate requests and PKCS#12 attribute creation routines such as certificate requests and PKCS#12 files. [Steve Henson] Loading Loading @@ -4138,7 +4138,7 @@ [Ian Lister (tweaked by Geoff Thorpe)] *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 implemention in the following ways: implementation in the following ways: Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be hard coded. Loading Loading 
@@ -4336,7 +4336,7 @@ implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias. Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias. Loading Loading @@ -5040,7 +5040,7 @@ *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD and DH_METHOD (eg. by ENGINE implementations) to override the normal software implementations. For DSA and DH, parameter generation can also be overriden by providing the appropriate method callbacks. also be overridden by providing the appropriate method callbacks. [Geoff Thorpe] *) Change the "progress" mechanism used in key-generation and Loading Loading @@ -5123,7 +5123,7 @@ the "shared" options was given to ./Configure or ./config. Otherwise, they are inserted in libcrypto.a. /usr/local/ssl/engines is the default directory for dynamic engines, but that can be overriden at configure time through engines, but that can be overridden at configure time through the usual use of --prefix and/or --openssldir, and at run time with the environment variable OPENSSL_ENGINES. [Geoff Thorpe and Richard Levitte] Loading Loading @@ -5658,8 +5658,8 @@ [Steve Henson] *) Perform some character comparisons of different types in X509_NAME_cmp: this is needed for some certificates that reencode DNs into UTF8Strings (in violation of RFC3280) and can't or wont issue name rollover this is needed for some certificates that re-encode DNs into UTF8Strings (in violation of RFC3280) and can't or won't issue name rollover certificates. [Steve Henson] Loading Loading 
@@ -6717,7 +6717,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k const ASN1_ITEM *it = &ASN1_INTEGER_it; wont compile. This is used by the any applications that need to won't compile. This is used by the any applications that need to declare their own ASN1 modules. This was fixed by adding the option EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly needed for static libraries under Win32. Loading Loading @@ -7318,7 +7318,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k entropy, EGD style sockets (served by EGD or PRNGD) will automatically be queried. The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and /etc/entropy will be queried once each in this sequence, quering stops /etc/entropy will be queried once each in this sequence, querying stops when enough entropy was collected without querying more sockets. [Lutz Jaenicke] Loading Loading @@ -7346,7 +7346,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k information from an OCSP_CERTID structure (which will be created when the request structure is built). These are built from lower level functions which work on OCSP_SINGLERESP structures but wont normally be used unless the application wishes to examine won't normally be used unless the application wishes to examine extensions in the OCSP response for example. Replace nonce routines with a pair of functions. Loading Loading @@ -7422,7 +7422,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New function X509V3_add1_i2d(). This automatically encodes and adds an extension. Its behaviour can be customised with various flags to append, replace or delete. Various wrappers added for certifcates and CRLs. certificates and CRLs. [Steve Henson] *) Fix to avoid calling the underlying ASN1 print routine when Loading Loading 
@@ -7967,7 +7967,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Nils Larsch <nla@trustcenter.de>] *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: an end-of-file condition would erronously be flagged, when the CRLF an end-of-file condition would erroneously be flagged, when the CRLF was just at the end of a processed block. The bug was discovered when processing data through a buffering memory BIO handing the data to a BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov Loading Loading @@ -8897,7 +8897,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) When a certificate request is read in keep a copy of the original encoding of the signed data and use it when outputing original encoding of the signed data and use it when outputting again. Signatures then use the original encoding rather than a decoded, encoded version which may cause problems if the request is improperly encoded. Loading
Configurations/README +1 −1 Original line number Diff line number Diff line Loading @@ -401,7 +401,7 @@ BEGINRAW and ENDRAW lines as follows: echo "/* haha */" > haha.h ENDRAW[Makefile(unix)] The word withing square brackets is the build_file configuration item The word within square brackets is the build_file configuration item or the build_file configuration item followed by the second word in the build_scheme configuration item for the configured target within parenthesis as shown above. For example, with the following relevant Loading
apps/ts.c +1 −1 Original line number Diff line number Diff line Loading @@ -124,7 +124,7 @@ OPTIONS ts_options[] = { }; /* * This comand is so complex, special help is needed. * This command is so complex, special help is needed. */ static char* opt_helplist[] = { "Typical uses:", Loading
crypto/aes/asm/aes-ia64.S +1 −1 Original line number Diff line number Diff line Loading @@ -17,7 +17,7 @@ // 'and' which in turn can be assigned to M-port [there're double as // much M-ports as there're I-ports on Itanium 2]. By sacrificing few // registers for small constants (255, 24 and 16) to be used with // 'shr' and 'and' instructions I can achieve better ILP, Intruction // 'shr' and 'and' instructions I can achieve better ILP, Instruction // Level Parallelism, and performance. This code outperforms GCC 3.3 // generated code by over factor of 2 (two), GCC 3.4 - by 70% and // HP C - by 40%. Measured best-case scenario, i.e. aligned Loading
crypto/aes/asm/aes-ppc.pl +1 −1 Original line number Diff line number Diff line Loading @@ -26,7 +26,7 @@ # February 2010 # # Rescheduling instructions to favour Power6 pipeline gave 10% # performance improvement on the platfrom in question (and marginal # performance improvement on the platform in question (and marginal # improvement even on others). It should be noted that Power6 fails # to process byte in 18 cycles, only in 23, because it fails to issue # 4 load instructions in two cycles, only in 3. As result non-compact Loading
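Review bot: In the CHANGES hunk at @@ -2211,7 +2211,7 @@, the CVE-2014-3505 credit changes "Wan-Teh Chang" to "Wan-The Chang", which misspells a contributor's name instead of fixing a typo. Drop this hunk so the line keeps "Thanks to Adam Langley and Wan-Teh Chang for discovering and researching". If a spell-checker produced the change, proper names in credit lines should be excluded from it.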
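Review bot: "DigestInto" is still misspelled on the line rewritten by the CHANGES hunk at @@ -2155,7 +2155,7 @@. The entry heading ("Add additional DigestInfo checks") and its last line ("improperly encoded DigestInfo structures") both use "DigestInfo", so the added line should read "Re-encode DigestInfo in DER and check against the original when".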
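Review bot: The added line in the CHANGES hunk at @@ -2752,7 +2752,7 @@ begins with lowercase "the old behaviour" where the removed line had "The old behaviour". It follows the full stop after "automated senders.", so the sentence now starts in lowercase. Keep the capital and change only "reenabled" to "re-enabled".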
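Review bot: The line touched by the CHANGES hunk at @@ -6717,7 +6717,7 @@ still reads "This is used by the any applications that need to" after "wont" is corrected. Since the line is already being edited, remove the stray article so it reads "This is used by any applications that need to".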
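Review bot: The trailing context of the CHANGES hunk at @@ -7967,7 +7967,7 @@ still reads "Bug fund and patch submitted by Pavel Tsekov" right after the corrected "erroneously". "fund" should be "found", and it belongs in the same typo pass because it sits in the same entry.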