The reference count for reused nodes needs to be bumped once
for every occurence...

This bug was triggered at least by the empty loop ==> assignment rules,
with the effect that the free list in block alloc got corrupted.

Example code that triggered the bug:

  int i;
  array a;
  for(; i < sizeof(a); i++)
    ;

Added support for extension local ASN1 types. Implemented parsing of authorityKeyIdentifier keyIdentifier (i.e. key hash).

The Pike compiler now uses a dedicated reentrant lock instead
of the brute-force approach of using threads_disable().

This should improve concurrency with other threads.

Verify that the signing certificates of the trusted issuers actually is allowed to sign other certificates. I'm also more than 50% sure that the wrong certificate was used from the chain.

Updated the documentation to verify_certificate_chain. Add the decoded certificates in the returned mapping. Don't check the keyUsage of the leaf node.

Use xcalloc instead of xalloc, and avoid doing as much initializations when the memory is already cleared.

Fixes complaints about the GCM suites not being supported.

The alert that caused the SSL failure should now be logged if
a failure wasn't expected.

Fixed reporting of the SSL/TLS version in several places.

Some upcoming AEAD suites use an unsalted nonce/iv. Make sure
not not to fail due to adding zeroes and strings.

Improve the API a bit by having ext_basicConstraints_pathLenConstraint be the number of following certificates, instead of only intermediate certificates.

Added certificate check failure modes CERT_EXCEEDED_PATH_LENGTH and CERT_UNAUTHORIZED_SIGNING. Improved the extensions code somewhat and removed some debug left on.

SSL.state()->session was sometimes an SSL.connection and sometimes
an SSL.session. Change the name to connection, and have it always
be an SSL.connection.

SSL.state now creates its alerts via SSL.connection()->Alert(),
which in turn uses the alert_factory() in SSL.context.

Also adds descriptive messages to the alerts created in SSL.state.

Handle the keyUsage properly. All 9 flags can now be extracted, and the BitString is now generated in its most compact form.

Move the certificate extension parsing into the TBSCertificate object. Not really a great API, but we need to start somewhere.

It helps to complain... :-)

The various tastes of GCM now follow the AEAD API properly.

Crypto.GCM is no more, instead there are Crypto.AES.GCM,
Crypto.Camellia.GCM etc.

Also updates the SSL code accordingly.

Under some circumstances parent_storage() could return
a storage pointer to a class that had inherited the
parent program. Fix this by making sure that we get the
storage for the program that we expect to find as parent.