Remove duplicated code in EVP.

Second phase of EVP cipher overhaul.

Change functions like EVP_EncryptUpdate() so they now return a
value. These normally have software only implementations
which cannot fail so this was acceptable. However ciphers
can be implemented in hardware and these could return errors.

Beginnings of EVP cipher overhaul. This should eventually
enhance and tidy up the EVP interface.

This patch adds initial support for variable length ciphers
and changes S/MIME code to use this.

Some other library functions need modifying to support use
of modified cipher parameters.

Also need to change all the cipher functions that should
return error codes, but currenly don't.

And of course it needs extensive testing...

Call dh_tmp_cb with correct 'is_export' flag.

Avoid tabs in CHANGES.

ASN1 encoding.

Add a couple of FAQs.

for it).

Submitted by:
Reviewed by:
PR:

initialised, at which point an appropriate default was chosen. This meant a
call to RSA_get_default_method might have returned FALSE.

This change fixes that; now any called to RSA_new(), RSA_new_method(NULL), or
RSA_get_default_method() will ensure that a default is chosen if it wasn't
already.

technique used is far from perfect and alternatives are welcome.
Basically if the translation flag is set, the string is not too
long, and there appears to be no path information in the string,
then it is converted to whatever the standard should be for the
DSO_METHOD in question, eg;
    blah --> libblah.so   on *nix, and
    blah --> blah.dll     on win32.

This change also introduces the DSO_ctrl() function that is used
by the name translation stuff.

as important to keep a low profile here :-))

0.9.5a should not break anything that works in 0.9.5.

Don't copy private key to X509 etc public key structures.
Fix for warning.

See http://www.pdc.kth.se/kth-krb/

Their solution for CRAY is somewhat awkward.
I'll assume that a "short" is 32 bits on CRAY to avoid the
#ifdef _CRAY
    typedef struct {
        unsigned int a:32;
        unsigned int b:32;
    } XXX;
#else
    typedef DES_LONG XXX;
#endif

"openssl list-standard-commands".

in SSL_new.
If SSL_OP_SINGLE_DH_USE is set, don't waste time in SSL_[CTX_]set_tmp_dh
on computing a DH key that will be ignored anyway.

ssltest -dhe1024dsa (w/ 160-bit sub-prime) had an unfair performance
advantage over -dhe1024 (safe prime): SSL_OP_SINGLE_DH_USE was
effectively always enabled because SSL_new ignored the DH key set in
the SSL_CTX.  Now -dhe1024 takes the server only about twice as long
as -dhe1024dsa instead of three times as long (for 1024 bit RSA
with 1024 bit DH).

broken formats worked but the valid didn't :-(