Import OpenSSL 1.1.0i

test/build.info

@@ -1,5 +1,6 @@
 IF[{- !$disabled{tests} -}]
   PROGRAMS_NO_INST=\
+          versions \
           aborttest \
           sanitytest exdatatest bntest \
           ectest ecdsatest gmdifftest pbelutest ideatest \
@@ -17,7 +18,11 @@ IF[{- !$disabled{tests} -}]
           dtlsv1listentest ct_test threadstest afalgtest d2i_test \
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
-          ocspapitest fatalerrtest
+          ocspapitest fatalerrtest x509_time_test x509_dup_cert_test errtest
+
+  SOURCE[versions]=versions.c
+  INCLUDE[versions]=../include
+  DEPEND[versions]=../libcrypto
 
   SOURCE[aborttest]=aborttest.c
   INCLUDE[aborttest]=../include
@@ -292,11 +297,23 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[bio_enc_test]=../include
   DEPEND[bio_enc_test]=../libcrypto
 
+  SOURCE[x509_time_test]=x509_time_test.c testutil.c
+  INCLUDE[x509_time_test]=.. ../include
+  DEPEND[x509_time_test]=../libcrypto
+
+  SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c
+  INCLUDE[x509_dup_cert_test]=../include
+  DEPEND[x509_dup_cert_test]=../libcrypto
+
   IF[{- !$disabled{shared} -}]
     PROGRAMS_NO_INST=shlibloadtest
     SOURCE[shlibloadtest]=shlibloadtest.c
     INCLUDE[shlibloadtest]=../include
   ENDIF
+
+  SOURCE[errtest]=errtest.c testutil.c
+  INCLUDE[errtest]=../include
+  DEPEND[errtest]=../libcrypto
 ENDIF
 
 {-

test/certs/alt1-cert.pem

@@ -1,22 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh
-BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
-Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k
-LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa
-3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY
-Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK
-gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp
-xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA
-YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH
-xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw
-HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV
-HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y
-Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py
-8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni
-ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2
-Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ
-Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT
-P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L
-vRlTFVjv65nn
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTgwNTE2MDIzODEzWhgPMjExODA1MTcwMjM4MTNaMFQxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRgwFgYDVQQDDA93d3cu
+ZXhhbXBsZS5uZXQxEzARBgNVBAMMCkpvZSBCbG9nZ3MwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDTqvf6j+WxCtn4RU8/6uXXgCTcksv6NDXCZ9JAz4Vv
+cQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzPlrt36cevsoPmpuqGbHrUaOLneme2
+x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awcid4SiotLOY2F1jBazmqprqKZBUiyQ
+XqpSp+9uSav77ydwDXCrQozBdns1YRshgU9omQrTcIqHCj1f9Lo+A2y4+TZYZkvS
+DuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24N+zz3O3jwH82BZEjzavw92J9npJB
+UXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnVpchwr3VHAgMBAAGjgZgwgZUwHQYD
+VR0OBBYEFHvLhGWckFjVXdDI3ds9Wti6zgXAMB8GA1UdIwQYMBaAFAjRm/nm1WRw
+oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn
+ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA
+ATANBgkqhkiG9w0BAQsFAAOCAQEATVcTyrAxsehdQNrkL6kquXxWlyegJcxvVxUe
+hfh9+Lw4620b2S1/l2YxFM3peLAsRgJOznmJOeG18+y7/kx/3UNqYGY7e8iJQ3Gl
+JwDIJp5JCaUOlodjhMJtRc7jn9RcsL97oizXdcryyWT0vSlM9Pie9NtHG5iq5X4+
+oL3X8+OG25MOkF2h3YVCEG3vDu7quyTlHc2ebwpdLZRndcOewO2Cap1ettyWXUPP
+Mha6wyJE8LJhrGmrI8Lw+i7gGscP0xYZn3yCLk5BtOabn4dvCiDmb+TPruKQQARw
+BG45LEZzGxz+Ad3xRdZyVi1I67v9YShoYTCpMTSxJaR0erH74g==
 -----END CERTIFICATE-----

test/certs/alt1-key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40
-2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa
-2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5
-ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A
-qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF
-wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta
-h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j
-IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF
-geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM
-szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu
-w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c
-55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4
-AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8
-hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf
-FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg
-s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/
-0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ
-iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6
-65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr
-cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+
-AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr
-g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo
-dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd
-LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV
-g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3
-sXJAoFllBNfAK3aanFOR1Q==
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDTqvf6j+WxCtn4
+RU8/6uXXgCTcksv6NDXCZ9JAz4VvcQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzP
+lrt36cevsoPmpuqGbHrUaOLneme2x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awci
+d4SiotLOY2F1jBazmqprqKZBUiyQXqpSp+9uSav77ydwDXCrQozBdns1YRshgU9o
+mQrTcIqHCj1f9Lo+A2y4+TZYZkvSDuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24
+N+zz3O3jwH82BZEjzavw92J9npJBUXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnV
+pchwr3VHAgMBAAECggEACPTB+1sdV+lioaulF8pDoWOtq5uWf+a3o5sq/U0Kk1WP
++PSZnWWq6oGZyzxUKhf8CFjxt+qJUKY6Zbo2AnPk3B1MkXTclYV/iP9LIoo+WzCH
+EoYaBB6MTd+ycg/jri8oqEnxHgo/681yhtXRyePj0ZHI7OVZjI3tyhJfvoHQmuci
+u6qYYUP0GWuyM+kHS11vn6Q1U8nOZWvXpEDXDDdJ7+2QRuv01AXcjFxpbFzkMn2W
+JkhKkCTIQpUU66VMRHwNexi+TR2rRESq0G+fa+6gaVFVIs0vBukq48IeC5W21j1L
+zyftHxci67FlYC9iaiUxDVt3KB+lcukx6Cz5mjtzqQKBgQD/GrAtFfjiXKj9O5ld
+K7dnnBHE8fzyWQWyOfwpVjNAC1J7tgwFvDpBpTHOwS5JnCwMWWM3rkBPRhCusmrF
+AtfE8b643G+cJbTgDuEhGh11QR0p9VWMVFQL9kZxx12PegDtFBfzcfcI3XQwKVKL
+ZbQn4ibW3BKSt9+Nh3APa0s5iwKBgQDUaTxZBajTdzoDd6Pg3warL5BhsxWr2tUQ
+qf+iVoba2Y9NTBdxBht2whSaYweU9kxmeNZvnCu95B8HeRGE69Dxb7IWwpsaxoaf
+ND0NcCF7aPZgx7hvhbHF7duzt3nuv+q5sOuuyHPzm+nF2snAuY3Zg+Bpv3nlYekf
+18aXZdwStQKBgEpF8e9ei1UUl1sLZC6dUMvIw9+sePHye1cVzNYYM9m8sio0qbFt
+ySRdvW+uDRT/dE+wItQOVsj95FOIvM9ZcYr0u4vFGnXDALOPgXqKyPLfn2cc9+hg
+kQvei0oLOrFQWz6rcAHAN6WMHIz9KvxNAzPtg1NhRcMT5/Gj8jt7CK7bAoGAIeKz
+7OO5Phr8F0eDzkDmGHMbDmr6XxMnAGSOUoCJPOqOMN+dsbsusHBfxw1bTUlJgONw
+GhgI5l85EAEhaVoRWCLgfz8GbWwUV9uGjdlAjiZ9f4z9AFWMua2rae0wN4VIVd1C
+i/yQeuF5lsXDf8paNcQTDeus74oCHcFXfhmS1S0CgYB2q8E+H0kFHbUxkIZYwhsM
+r0lTecn+kVsyPPje2UlzfTwvcC9dFIC4ppCdJGUJAwi/PJnr6xNyOH6I1pjUA8ER
+Aofm4Oj2DwX8W+81oO71/RXSfEFUjdOw0H6iRDyvWa1gqftj2/aWjV7Ifdo49thx
+EzX/9GdsRInifN6FfOfo/A==
 -----END PRIVATE KEY-----

test/certs/badalt6-cert.pem

@@ -1,22 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg
+MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTgwNTE2MDMyNjMyWhgPMjExODA1MTcwMzI2MzJaMGkxIjAg
 BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy
 Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v
-ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv
-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
-1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ
-MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD
-VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v
-cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a
-YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb
-JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB
-2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb
-WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk
-zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By
-GH32QmEN5o5jZQ==
+ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl46xhstHmmYhp
+XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ
+E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP
+DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc
+qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg
+gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2
+KRL2Le8jAgMBAAGjezB5MB0GA1UdDgQWBBRJJljvheyfKr9neNplhIMIFx25QjAf
+BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMCwGA1Ud
+EQQlMCOBDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG
+9w0BAQsFAAOCAQEAPfRFkpkTsPlH54n/i3kxR8Hw17kUOV0/v39fnNzV+PXS/IIU
+9OFfP7qNeuoWVQKXCwNWGWYXb7O0LNJMJQWWtyXtzWH3rOSxdSRIrTsCVHA41Lbo
+te2nrfnGMtg6em51Do6Kk0JM304sVAWl5OY/eckBmuDgN/5WfZudOLd8Ohv8vZ6U
+ZNoSBNpu1x5gfEPywMUGAgbkNZVpzNAfulx3/D2kWk0qwEKqnphUyaXiTVqO49gr
+n1LwSVdqBcmapBmEO3puV4TBWFwM49iMMNGn0fp/JBVsLjt+q7TK96qGBo/BSEL+
+e2TXTNpdkn3l+ZK2FYdf7s8fytoe+6o92dN+fA==
 -----END CERTIFICATE-----

test/certs/badalt6-key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv
-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
-1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3
-UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq
-2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH
-/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp
-rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+
-b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc
-kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9
-x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1
-HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU
-fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec
-hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2
-eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD
-DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE
-48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh
-F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9
-p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb
-iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75
-4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z
-ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo
-R1UfsJugW9Yetsqd9WB6q3ln
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl46xhstHmmYhp
+XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ
+E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP
+DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc
+qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg
+gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2
+KRL2Le8jAgMBAAECggEBAMcDjTTa2GmYWoZUr+UPizqyvsTnMmg/NoFBhy9WJVne
+kpR3kJvvm30XNiEGbCV1GGryL5p7w5UVuPXjhQ7xIkY3feQNC4H361iP93HK7dXJ
+i9V9AfGCdLzSuILsT2Wpm88MifUQIpqrRmqtqakKHkyMFG655409rpYlZNVogl9H
+vzrTE8rjysNMjP+bpbgkxUJfeATw8OYhEwd9ahj/E0r0r2enYhGEP3j+1zYsGdmM
+L2Uy4M+modaAWpZg5pUWpFjxl+V2cSJHdaQc8KYg8Z8RUyzYipFk3YzjP5jtprq5
+dHf9FqlcXk+MtzcYe+x8mIb3uwZhOtdpnUqe5l+GTyECgYEA9j++rS9sajQzMqp0
+p+EptacD/p7A3wldIDGEpPJsSQL+vhcigyn4iPCM1pGWR4iuR7Od9RpQSf3Tfnqc
+ZwUJQOpiYpxo1+QlqlBJkDjDRztp+kETZAgzc084ZhwQv9PfYyxa+8layQFhnClt
+Z9G0o4AV1povVeQLO5+9CQZQ4VMCgYEA7v4WuydzlLGKppsJEG8vvieR64mjOfO4
+gHBMEYnzEeTZPDvIfEfguM1upJCvt5GXp3huVHCAsFgs6kDjVbpIL1A2HzrMPtOa
+MNDSOrpuLcakAgEgx2VFv4TMnA1QKPg3//YCqEqqTJyX0C4OwaADRZJS7YfHp9lg
+mpv90baE8PECgYAv3oxulj15F9SsEL7Es9yr11/La4kK0oMr8vRaLFYoi1CCG3U2
+Ej6iQEDgpUSVe1iFz8DxGMBq4dDvUV5+GFiIKggeK1GmRk+cICdsxdwQSNh9MZFX
+bNCzpb7M+r+2yrUuTj0RnT7svDwBY3xFJlr7PbcBFNAG3mHgoVjaHEQ0yQKBgHbS
+zepvSv/65bzACFmrbklU0zAQVp9RlcIGE0wFEl0rMvbHon5oHkrDmOcpKLRUJtqU
+/gXtiY4jyPEPIfhVjd44OzB7w2DZRChRKrUYS/9ma9SzSuDYcT0vgat00w4Lm4wf
+fGK//Lvqf3B59cw/CmFkxuZiQ9ooMees9x11adOBAoGBAMdb0r8sAtgh+KTbA8Kq
+guIWiknOk6/LYUTuT3fidPIPbErrUQQR9WWHuXjrj2RyHI/RLjYLFamikvhU7PmE
+jPjPAo4p1a0WBwrYgjGDIRjTVjbUK282vuYkunGWYfgnZurAyjJCndL/eNZuX2F5
+m1rTfab8O+tOOGKGyzfouD2A
 -----END PRIVATE KEY-----

test/certs/badalt7-cert.pem

@@ -1,23 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw
+MIIDtjCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTgwNTE2MDMyNzA5WhgPMjExODA1MTcwMzI3MDlaMIGmMTsw
 OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj
 AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA
 ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A
 eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg
-QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9
-GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh
-1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi
-Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf
-UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ
-2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw
-CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv
-bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB
-CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY
-gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az
-uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O
-WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE
-phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex
-IL5WuKFm0XSGKTX8SzyMGErMGeriveL2
+ggEBAOG4PegItzkmJDwlSA/FyVHWLWUIQrnxgS0KSds3On2CMsjDJ+X77B4s1IPI
+yKHuqNbXqV/hJGAxKnZRZe0D6VsmKlYOYpz9QtFxvpo5DwA3q6BTx6sIElFn/lip
+Pbu5ZeIMNeN4bot7x5sBobr6OgidAVaAuqQHHJnD7mQ1s22qY0UqkBqNBhhJWOmx
+YC0Q56WDi9+C7Cy2+kiiSlT4jCZ8m1K0F7tTK5mF0p4HppXmXLzcecZ/Sw8jOqQK
+JM/4UCj/nxWCGYKWkv8zLJtG+ryfZMf15/0Cd1dzHAS9mYU4mFssPdFyT+WFpw7b
+K3TOTXkS/tAPbj0xin2wqBJz8m8CAwEAAaN7MHkwHQYDVR0OBBYEFOWYNq+H1LH6
+lZUpgijb/S/sAiDsMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkG
+A1UdEwQCMAAwLAYDVR0RBCUwI4ENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29t
+hwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQAwUxnqq0gBgKmEHIRgZVu10KtOknjt
+p/wEcqQ9METvXb+4/a4U6ftjTgaOrPVjamNFlaoUcTgx2nk2zRsjM+e+tpnxDgRR
+/yoVB3HsISpdeN70s/WYAgvev/FdV3O+JWhUYHdKrDB4DMfPhlRIfSgOymJljo6+
+wL8qa7lVonF91Im4SCbq4dqtAnbg4ttblQ3yjFfQtuwzyJD/3ism6FQPLbg1K4eu
+1Si0EDL4Fct581Gb5D+NU8PYiwg7Nk8ubNlRHXydoVGDLmT0hLE+/IsPd1M8tMqm
+sifRl2Is+lGVeg4pPHFjB0npTNkaYafu89dz/3PNRRr5If06B+apk4AX
 -----END CERTIFICATE-----

test/certs/badalt7-key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP
-Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk
-l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7
-dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv
-OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb
-uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3
-3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB
-We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF
-jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA
-mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul
-mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk
-yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH
-NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM
-oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3
-LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET
-GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2
-uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS
-CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF
-M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+
-J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4
-Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3
-t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x
-s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt
-mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8
-M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA
-cZtQWiEyaf026DdR8YBYn6tf
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuD3oCLc5JiQ8
+JUgPxclR1i1lCEK58YEtCknbNzp9gjLIwyfl++weLNSDyMih7qjW16lf4SRgMSp2
+UWXtA+lbJipWDmKc/ULRcb6aOQ8AN6ugU8erCBJRZ/5YqT27uWXiDDXjeG6Le8eb
+AaG6+joInQFWgLqkBxyZw+5kNbNtqmNFKpAajQYYSVjpsWAtEOelg4vfguwstvpI
+okpU+IwmfJtStBe7UyuZhdKeB6aV5ly83HnGf0sPIzqkCiTP+FAo/58VghmClpL/
+MyybRvq8n2TH9ef9AndXcxwEvZmFOJhbLD3Rck/lhacO2yt0zk15Ev7QD249MYp9
+sKgSc/JvAgMBAAECggEAZG2cJawTEXtV7ejMii//Jck8g1JMlfzM86Q7Pizxejw+
+qjKiguI2qSpbF5NzKRFNz+E+e+lpTN8zPFd1GSJ/Zk2x0n4uBBlu7E9GdcnjUb5z
+Py9njEJYHB4//WS3kdmoag3ywBWqYaceJWpxcga5YXGx0bIO2MJNSGDzpWR7Q9QQ
+tG/lWmno5goY2BxI08BTKSlqNIBkg/rr9jJo3axRcEmbx7hj4vUkAlypFKtmR4dW
+bNo0f6VAd5Y6c9YbnKybR/44lScBksuSkZjm076cbbbp5PpsiLGe/12bqUcwCH+T
+8hRVndmOLdOxC11OZOvMbX6x2uXNh3/Qr/GMyfzZcQKBgQD4we7E9vOygk1J5Vbl
+1zETR9x3dujpBBx3xaHXUSJNUTNwmnZ+0JoFTqPkRmmPMNK7XfZuPymBehtk8WYt
+NnezM2UNTdbfVOnJWnU6igRNGBaDW6F9AezlADBNwIbFVw6RqP4fTUFsmm9TQ/8M
+4kZmmlW4uLZyX0WQO+AJa7NShwKBgQDoSpnQgmWqXMcaHwY2l8fEDuDc41nDoJIm
+/CMppPbr7GkUX4OU785p6E0N0o1ONt+xCBT1lxHwWEeMAKZXrNC1XGpfvhpVZ72v
+VruATDFs1rcL3S2Sty7A+jhFKKXlGeDWNcpaKY8nDvv2uJG0+J3bLprdMqnY/gQ1
+C+FzyQ6S2QKBgDnHIaRSD6xoo3cEc7iS0O0/ha+hyNtGfy46kyqlx6fZsm73EYrG
+/N86ssp0qFP/7RJj8rcMqKFQMUiy4R6jRg4zY8dBSyU4XczM2+mq4PDfJWuBPvMA
+HXvbHV0R2LvBSrr+W3f9w7Jr9GuMoZLmg5+VPU/YZ1gNVOT5Y0IM5+vFAoGBANx9
+CzlGvLeTrw1VS3GAaobn1Hr2dlrhTDki9UFvK03PLgK/ksdJRLV0YcdwBt6p6XRB
+hpuC1O087lSuvTXVfJnZacMNUDOm7/7BpeJm8DcuK7tgKwTrSb61A7ppleY7xRWv
+Iy6n6hCaAYIzuWJ85mGJAEhb8apdmqK7bzmXK3UpAoGBALdOvJfqbF0YlHbdQCVi
+ftjtxs/dZKdF1rNARR0VMqUtZX+WP2b6OPXlwux94Cr//iNv5ih3B4Z4LIgTpgBJ
+AKGXEBGMMthAlptC4BcOAEs9cYeWGLAoYk8jpNmXvXjhGqvzhPO2YrX5xy46dVOG
+iiCseyA7Kr8Axt9QhUzoi5f7
 -----END PRIVATE KEY-----

test/certs/badcn1-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTgwNTE2MDI0MTMyWhgPMjExODA1MTcwMjQxMzJaME4xIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcxEDAOBgNVBAMMB2JhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDN9WI6OyxnW+R98FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh
+8wFR9gfNrKhqXubJ3lCHKgaApTXNKM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R
+03Yn+dJnZLDz7BDpnuhORp8XzQqfxSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos
+/LIDvjzye5GaPXqXkAkcBcLBpWlgMm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+A
+jSbT522yHy1r6WeElbSY7WOFvnmgbZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh
+/YuRhCgRExvdQ6kImwdKAfO7RLkxho6jny1HAgMBAAGjXjBcMB0GA1UdDgQWBBT5
+fenRjyFKUb1XvUnm4GV9kZmONDAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa
+3fVQQzAJBgNVHRMEAjAAMA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQAD
+ggEBACKtfZCcP/pY8Bu+lb/pGZj5txsmNbJ1l2RVACQA7CGjwfUr7VaQGMuT+FuA
+Erlh+UnEC3R/e1xQwgJeuAXBOWFkxA61isVSrmM7YM6vDB0+t8N9lMUFjPbRyEkM
+A5kaSLPrgSOg7ONsO6YGbaWm1XCoUC6Ilrdzy+ckzklgjYRth99b2d5WrjIxEWIq
+BX2DI2ruetjXYGRzsqSK+O9d4fsqrb5M0ZCNWQZ4WnrMNaAeHWpW6NqSvof/N21x
+WC5zcU7GXLrDigwWPMDLQhVtu4OihWjsqugh6Jl7DxDBhi8JKO6tJQAISHjKaL98
+yXZFsQ//q7ATwlcHyB81B+X16AI=
+-----END CERTIFICATE-----

test/certs/badcn1-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN9WI6OyxnW+R9
+8FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh8wFR9gfNrKhqXubJ3lCHKgaApTXN
+KM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R03Yn+dJnZLDz7BDpnuhORp8XzQqf
+xSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos/LIDvjzye5GaPXqXkAkcBcLBpWlg
+Mm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+AjSbT522yHy1r6WeElbSY7WOFvnmg
+bZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh/YuRhCgRExvdQ6kImwdKAfO7RLkx
+ho6jny1HAgMBAAECggEBAKDxiUHx7cATShm0ElZnd6+dtQfKwv8zsuIpm+hk62Ef
+d0zYI+UhrT1sIiryKmV9JaJITOtixtQOxl088D+Obrx8cnC4B84rUTVXpnfgVf9j
+FljDtjpxIZsZmPbc836ZUZoOaICKpVYHD69Mb+NWG+mN2oaLc8VP0L4FXKLzvl7u
+69NQlTPG2CS61BktVqMtWWc/9CvdOwqwVbckyISj9QLUgSXIyB4IP3bjp0RYSpOu
+m3nhuhil1G3c05R4UfiE2d9Er7SBBoQ304ld892YRinSgtZqC1G25uZmWJ3ekAAM
+bg6P0hBd86F/G2TxNdelYrxTazjqZShYi1N48SK6kUECgYEA+51O19Q5XkskD/Dn
+VfaCjSOTFwDlb5ATmVCrJu+13/5IJfmJgWA6xdqfWoqxSOsJzXBEETKWgkahoo4K
+OU1UaBTHEJ588xOpoMzbJkKlb5hPseEQsvu055Ky0euMgmlrALPQQ9e1DUSlowui
+Cq9wCak4dqq9NNs6FMIeGhqczGECgYEA0YxcajJFxPHJsdFCVa4tdy9jgfC64t4Y
+CWDzRfUnuX24ILbW9+olvvoZkMSzoVpiQ9YU8kPJUaOyFrw6jUV5GRHUCMgfkx2Y
+nqe+7aSFmv0Nlo0RMV2PqaOZzlxnG9FzyNE+4PygZqtFhN21b5Idc69k2Ltu7K4J
+J4MG1kMUGqcCgYEA0ttUPEisPtoHgZhntUFczHx4gnmMzH5X/k5876dIqkrFGZXR
+5urGthHtIwpBYZMeZtxjHmpfeRNJ1xjjdnvYdVScMdAvc+ERcSDbsmd9jlR8zNuI
+jAWl576nPoX//TXspu0JZiE5p8HUcRuJkxzMbjwyhje1Ubs6JDU81rFgn2ECgYAG
+3WVNqVX1zMIBzEwzCGC+7dOBt0Q4GHSLIhz2JsDlZ8P3dmX2ezo/Vmwt/POxjod3
+l3TaNvRKc2VrL0FvzV3ZP2dF3mCCbk7Iq9AqcuBZon6mdvqgNmN1eEGarBZIqAT2
+CDzaHAyZMHU3lBfUjuHeH1nba9CHenAcVkOME2h+MwKBgQDiHAnTK4ovCNmT5E9i
+03x/wPSH8FZ3Wrb1GMtNlTc7lOtB5eYIvwkaloJkNKHbUDv57V66hnYT6CyH4u45
+dPtuohtafL9mdScYqmicGLtbLLglSQpJYt4J59hffNZ30E84dKXtyDN7E5P5Z00Z
+8PbOMUy3oK6j+GMP/xRNI76RtA==
+-----END PRIVATE KEY-----

test/certs/goodcn1-cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTgwNTE2MDI0MDA0WhgPMjExODA1MTcwMjQwMDRaMIGeMSMw
+IQYDVQQKDBpHb29kIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTEVMBMGA1UEAwwMd3d3
+Lmdvb2Qub3JnMRUwEwYDVQQDDAxhbnkuZ29vZC5jb20xETAPBgNVBAMMCG5vdC4u
+ZG5zMRAwDgYDVQQDDAdub3RAZG5zMREwDwYDVQQDDAhub3QtLmRuczERMA8GA1UE
+AwwIbm90LmRucy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDigxI
+nlYVjHtrFI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7
+jZe+gMX+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADe
+mD/YdekRf3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9Txa
+ZeFvWvvc6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLs
+FPkw4yUtJHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLT
+OKw6dm1UG2J7iuqtAgMBAAGjXjBcMB0GA1UdDgQWBBSTKvqap2ab0z/UPrdDgc0V
+m88R3TAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAA
+MA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQADggEBADcdm62qaOHbIDoa
+5oUjXGHSQjV1g4BFe6DLH5/CZ0wOws3QzfQbPIxJrp3yJgDcQyZNOE/xQlq/nASS
+thU6cUTB07voFVnbotB8YQuNU1wM9TAJOHC9LT1Y0J2GIP6QeXts6Cz6aBlqaQEZ
+IrGRLuKVZePTO0Haup0mZ91XoXs3CBzkSerl0XpFL7BeugSigrhprFRPB4UC3IWb
+pdNar61Wk4bN/COb6utRkK3iYk5YUTqYFib9EG4VBdxYfXv/tiBIGqQLnqPbId6w
+q+McpSEPF1DIcCyL0vEDdIVN0SzxMfnfHMx0Qp0sh2aydIZk4xfEqXHZgZthSrse
+u7nhn7s=
+-----END CERTIFICATE-----

test/certs/goodcn1-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDigxInlYVjHtr
+FI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7jZe+gMX+
+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADemD/YdekR
+f3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9TxaZeFvWvvc
+6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLsFPkw4yUt
+JHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLTOKw6dm1U
+G2J7iuqtAgMBAAECggEAeQ1xZVOAf36kuTnVUhdplTii6v3JcQIIUjG0dG/U/P8M
+otS45uNZ36CelvaVStwHaJEvcVzK4EjgSjiSNJvwkxzPbkA3XkgNVptPmdcG5yqO
+RLNOChVeqYdOurdcR1XXbXv57dPbUqpMS2TWjdzieW/QXKuTRsbjTo3D75tJqUO6
+1Bm4sSM3PogmsQwTP8HlZAmJXuSD+ZSB22Np5pT1dn5TvQU6xeA3NJR4ZO/HEZz4
+CHJEiOx2BuGD6M0V1ZL6DzEsyIS/KKsvj4I2F4ROAK1j3lSD5VqrYPXn3oEsQdlm
+OW8aVnHPYO6FI0LVLgcIEKxhdwGV3i6v/GRUe0Y9kQKBgQD0Zqn1trAuP5Peiy1K
+Wc91yRjQxQTwSD00hzXMtvKzkEIiLEuVZq9qrqQ2TRRa5xneDGHDuUY9eZY8JwEr
+l7f8CcfYC93PXLyRM2Gaz0jMxZxVPz5w7zssK3DZ+7JvH3nKkCUl7+Y0tH26qTO0
+wTD9w9jd9bf85SLVgk3zSbUDwwKBgQDM0b2ffZpxyA16h7w8ZBuk1Z+iumrxnn5/
+lKtffR2b4dZN37KiWw2c265vYhRfe/ANnVuagXb9aRM97yeQloRlWR10AaXJz3EB
+sromqFShkorYRhwZoRiJC0laLG3W76wKMRr2T6TM1UG9gJ0szdGFG/yUDU+9pTRo
+uq514rGgzwKBgQCGtsAgLF7YXzsGg/im7vInnn0LNk4OlAMInS7OdFk7GN0bMQdI
+hp1SVIk3VS1PHetoNbL9y3YoFIj3BxjiCnLjfhClyYSt9BQMhSHbzz31gUc2xfGJ
+FpSrOBawUMh97/+V4/ZV/vIJQyO6a+GQVJzIg9daIUMVJsgYoAaPf6VDOQKBgFyH
+eHnf/XDfpq8vOOuzcgWieG7EduHW72DlohIObNzqRq2BnKraJakyWXh6P6fvTsBn
+0WVYjY/n80hsjVw1k3RRsQuiXupv66aPvqcOLsWbdVxFOBaf/3yR+75gCfMq7Xbh
+PkP+MP5UbVGWE+uUw821mgKsjNSpGKcjhwM8uXBjAoGAFEU3O8gQXfocVB8lxUeU
+c0inLdAIgiw/36NPuW4NwKxzLOmHzlmvn7C98ihnbnGoQ0XBRfLw8siTbD3INgHY
+NA0JeK8Qrt56b6wK14w9RzLQTu9gy1pULW21p1wswdNK4tlxfnnnozISZAYxeqAx
+YMTtYZN77nb+yY4oE6XEugQ=
+-----END PRIVATE KEY-----

test/certs/setup.sh

@@ -241,15 +241,30 @@ NC="$NC excluded;DNS:bad.ok.good.com"
 NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
         ncca1-key ncca1-cert
 
-# all subjectAltNames allowed by CA1.
+# all subjectAltNames allowed by CA1.  Some CNs are not!
 
 ./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
-    "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    "1.CN=www.example.net" "2.CN=Joe Bloggs" | \
     ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
     "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
     "email.1 = good@good.org" "email.2 = any@good.com" \
     "IP = 127.0.0.1" "IP = 192.168.0.1"
 
+# all DNS-like CNs allowed by CA1, no DNS SANs.
+
+./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \
+    "1.CN=www.good.org" "2.CN=any.good.com" \
+    "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \
+    ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# Some DNS-like CNs not permitted by CA1, no DNS SANs.
+
+./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
+    "1.CN=www.good.org" "3.CN=bad.net" | \
+    ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
 # no subjectAltNames excluded by CA2.
 
 ./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
@@ -293,19 +308,17 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
     "email.1 = good@good.org" "email.2 = any@good.com" \
     "IP = 127.0.0.2"
 
-# all subject alt names OK but subject CN not allowed by CA1.
+# No DNS-ID SANs and subject CN not allowed by CA1.
 ./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
     "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
     ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
-    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
     "email.1 = good@good.org" "email.2 = any@good.com" \
     "IP = 127.0.0.1" "IP = 192.168.0.1"
 
-# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING
+# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING
 REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
     "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
     ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
-    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
     "email.1 = good@good.org" "email.2 = any@good.com" \
     "IP = 127.0.0.1" "IP = 192.168.0.1"
 

test/errtest.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/err.h>
+
+#include "testutil.h"
+
+#if defined(OPENSSL_SYS_WINDOWS)
+# include <windows.h>
+#else
+# include <errno.h>
+#endif
+
+/* Test that querying the error queue preserves the OS error. */
+static int preserves_system_error(void)
+{
+#if defined(OPENSSL_SYS_WINDOWS)
+    SetLastError(ERROR_INVALID_FUNCTION);
+    ERR_get_error();
+    return GetLastError() == ERROR_INVALID_FUNCTION;
+#else
+    errno = EINVAL;
+    ERR_get_error();
+    return errno == EINVAL;
+#endif
+}
+
+int main(int argc, char **argv)
+{
+    ADD_TEST(preserves_system_error);
+
+    return run_tests(argv[0]);
+}

test/evp_test.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1592,19 +1592,19 @@ static int pderive_test_run(struct evp_test *t)
     struct pkey_data *kdata = t->data;
     unsigned char *out = NULL;
     size_t out_len;
-    const char *err = "INTERNAL_ERROR";
+    const char *err = "DERIVE_ERROR";
 
-    out_len = kdata->output_len;
+    if (EVP_PKEY_derive(kdata->ctx, NULL, &out_len) <= 0)
+        goto err;
     out = OPENSSL_malloc(out_len);
     if (!out) {
         fprintf(stderr, "Error allocating output buffer!\n");
         exit(1);
     }
-    err = "DERIVE_ERROR";
     if (EVP_PKEY_derive(kdata->ctx, out, &out_len) <= 0)
         goto err;
     err = "SHARED_SECRET_LENGTH_MISMATCH";
-    if (out_len != kdata->output_len)
+    if (kdata->output == NULL || out_len != kdata->output_len)
         goto err;
     err = "SHARED_SECRET_MISMATCH";
     if (check_output(t, kdata->output, out, out_len))

test/evptests.txt

@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -19144,6 +19144,35 @@ PeerKey=KAS-ECC-CDH_B-571_C24-Peer-PUBLIC
 Ctrl=ecdh_cofactor_mode:1
 SharedSecret=02da266a269bdc8d8b2a0c6bb5762f102fc801c8d5394a9271539136bd81d4b69cfbb7525cd0a983fb7f7e9deec583b8f8e574c6184b2d79831ec770649e484dc006fa35b0bffd0b
 
+# for cofactor-order points, ECC CDH (co-factor ECDH) should fail. Test that.
+
+PrivateKey=ALICE_cf_sect283k1
+-----BEGIN PRIVATE KEY-----
+MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAHtPwRfQZ9pWgSctyHdt
+xt3pd8ESMI3ugVx8MDLkiVB8GkCRoUwDSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3
+n68A32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM
+8uKr
+-----END PRIVATE KEY-----
+
+PublicKey=ALICE_cf_sect283k1_PUB
+-----BEGIN PUBLIC KEY-----
+MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3n68A
+32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM8uKr
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_cf_sect283k1_PUB
+-----BEGIN PUBLIC KEY-----
+MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB
+
+# ECDH Alice with Bob peer
+Derive=ALICE_cf_sect283k1
+PeerKey=BOB_cf_sect283k1_PUB
+Ctrl=ecdh_cofactor_mode:1
+Result = DERIVE_ERROR
 
 # Test mismatches
 PrivPubKeyPair = Alice-25519:Bob-25519-PUBLIC

test/recipes/04-test_err.t

@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_err", "errtest");

test/recipes/15-test_genrsa.t

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -18,9 +18,38 @@ setup("test_genrsa");
 
 plan tests => 5;
 
+# We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
-ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '16'])), "genrsa -3 16");
-ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
-ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', '16'])), "genrsa -f4 16");
-ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
+
+# Depending on the shared library, we might have different lower limits.
+# Let's find it!  This is a simple binary search
+# ------------------------------------------------------------
+# NOTE: $good may need an update in the future
+# ------------------------------------------------------------
+note "Looking for lowest amount of bits";
+my $bad = 3;                    # Log2 of number of bits (2 << 3  == 8)
+my $good = 11;                  # Log2 of number of bits (2 << 11 == 2048)
+while ($good > $bad + 1) {
+    my $checked = int(($good + $bad + 1) / 2);
+    if (run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem',
+                  2 ** $checked ], stderr => undef))) {
+        note 2 ** $checked, " bits is good";
+        $good = $checked;
+    } else {
+        note 2 ** $checked, " bits is bad";
+        $bad = $checked;
+    }
+}
+$good++ if $good == $bad;
+$good = 2 ** $good;
+note "Found lowest allowed amount of bits to be $good";
+
+ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -3 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
+ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -f4 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
 unlink 'genrsatest.pem';

test/recipes/25-test_verify.t

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -30,7 +30,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 127;
+plan tests => 129;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -326,6 +326,12 @@ ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
 ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
    "Name Constraints nested test all permitted");
 
+ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints CNs permitted");
+
+ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints CNs not permitted");
+
 ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
    "Name Constraints hostname not permitted");
 

test/recipes/60-test_x509_dup_cert.t

@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ======================================================================
+# Copyright (c) 2017 Oracle and/or its affiliates.  All rights reserved.
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_dup_cert");
+
+plan tests => 1;
+
+ok(run(test(["x509_dup_cert_test", srctop_file("test", "certs", "leaf.pem")])));

test/recipes/60-test_x509_time.t

@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_x509_time", "x509_time_test");

test/recipes/80-test_cipherlist.t

@@ -1,6 +1,6 @@
 #! /usr/bin/perl
 #
-# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -12,11 +12,16 @@ use strict;
 use warnings;
 
 use OpenSSL::Test::Simple;
-use OpenSSL::Test;
+use OpenSSL::Test qw(:DEFAULT openssl_versions);
 use OpenSSL::Test::Utils qw(alldisabled available_protocols);
 
 setup("test_cipherlist");
 
+my ($build_version, $library_version) = openssl_versions();
+plan skip_all =>
+    "This test recipe isn't supported when doing regression testing"
+    if $build_version != $library_version;
+
 my $no_anytls = alldisabled(available_protocols("tls"));
 
 # If we have no protocols, then we also have no supported ciphers.

test/recipes/90-test_fuzz.t

@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -26,14 +26,14 @@ plan tests => scalar @fuzzers;
 
 foreach my $f (@fuzzers) {
     subtest "Fuzzing $f" => sub {
-        my @files = glob(srctop_file('fuzz', 'corpora', $f, '*'));
-        push @files, glob(srctop_file('fuzz', 'corpora', "$f-*", '*'));
+        my @dirs = glob(srctop_file('fuzz', 'corpora', $f));
+        push @dirs, glob(srctop_file('fuzz', 'corpora', "$f-*"));
 
-        plan skip_all => "No corpora for $f-test" unless @files;
+        plan skip_all => "No corpora for $f-test" unless @dirs;
 
-        plan tests => scalar @files;
+        plan tests => scalar @dirs;
 
-        foreach (@files) {
+        foreach (@dirs) {
             ok(run(fuzz(["$f-test", $_])));
         }
     }

test/recipes/90-test_shlibload.t

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -20,7 +20,7 @@ use configdata;
 
 plan skip_all => "Test only supported in a shared build" if disabled("shared");
 
-plan tests => 3;
+plan tests => 4;
 
 my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto";
 my $libssl_idx = $unified_info{rename}->{libssl} // "libssl";
@@ -35,4 +35,6 @@ ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])),
    "running shlibloadtest -ssl_first");
 ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])),
    "running shlibloadtest -just_crypto");
+ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])),
+   "running shlibloadtest -dso_ref");
 

test/shlibloadtest.c

@@ -40,6 +40,16 @@ static OpenSSL_version_num_t OpenSSL_version_num;
 
 #ifdef DSO_DLFCN
 
+# define DSO_DSOBYADDR "DSO_dsobyaddr"
+# define DSO_FREE "DSO_free"
+
+typedef void DSO;
+typedef DSO * (*DSO_dsobyaddr_t)(void (*addr)(void), int flags);
+typedef int (*DSO_free_t)(DSO *dso);
+
+static DSO_dsobyaddr_t DSO_dsobyaddr;
+static DSO_free_t DSO_free;
+
 # include <dlfcn.h>
 
 typedef void * SHLIB;
@@ -108,11 +118,13 @@ static int shlib_close(SHLIB lib)
 # define CRYPTO_FIRST_OPT    "-crypto_first"
 # define SSL_FIRST_OPT       "-ssl_first"
 # define JUST_CRYPTO_OPT     "-just_crypto"
+# define DSO_REFTEST_OPT     "-dso_ref"
 
 enum test_types_en {
     CRYPTO_FIRST,
     SSL_FIRST,
-    JUST_CRYPTO
+    JUST_CRYPTO,
+    DSO_REFTEST
 };
 
 int main(int argc, char **argv)
@@ -123,7 +135,7 @@ int main(int argc, char **argv)
         void (*func) (void);
         SHLIB_SYM sym;
     } tls_method_sym, ssl_ctx_new_sym, ssl_ctx_free_sym, err_get_error_sym,
-    openssl_version_num_sym;
+    openssl_version_num_sym, dso_dsobyaddr_sym, dso_free_sym;
     enum test_types_en test_type;
     int i;
 
@@ -138,6 +150,8 @@ int main(int argc, char **argv)
             test_type = SSL_FIRST;
     } else if (strcmp(argv[1], JUST_CRYPTO_OPT) == 0) {
             test_type = JUST_CRYPTO;
+    } else if (strcmp(argv[1], DSO_REFTEST_OPT) == 0) {
+            test_type = DSO_REFTEST;
     } else {
         printf("Unrecognised argument\n");
         return 1;
@@ -145,7 +159,8 @@ int main(int argc, char **argv)
 
     for (i = 0; i < 2; i++) {
         if ((i == 0 && (test_type == CRYPTO_FIRST
-                       || test_type == JUST_CRYPTO))
+                       || test_type == JUST_CRYPTO
+                       || test_type == DSO_REFTEST))
                || (i == 1 && test_type == SSL_FIRST)) {
             if (!shlib_load(argv[2], &cryptolib)) {
                 printf("Unable to load libcrypto\n");
@@ -161,7 +176,7 @@ int main(int argc, char **argv)
         }
     }
 
-    if (test_type != JUST_CRYPTO) {
+    if (test_type != JUST_CRYPTO && test_type != DSO_REFTEST) {
         if (!shlib_sym(ssllib, TLS_METHOD, &tls_method_sym.sym)
                 || !shlib_sym(ssllib, SSL_CTX_NEW, &ssl_ctx_new_sym.sym)
                 || !shlib_sym(ssllib, SSL_CTX_FREE, &ssl_ctx_free_sym.sym)) {
@@ -215,6 +230,38 @@ int main(int argc, char **argv)
         return 1;
     }
 
+    if (test_type == DSO_REFTEST) {
+# ifdef DSO_DLFCN
+        /*
+         * This is resembling the code used in ossl_init_base() and
+         * OPENSSL_atexit() to block unloading the library after dlclose().
+         * We are not testing this on Windows, because it is done there in a
+         * completely different way. Especially as a call to DSO_dsobyaddr()
+         * will always return an error, because DSO_pathbyaddr() is not
+         * implemented there.
+         */
+        if (!shlib_sym(cryptolib, DSO_DSOBYADDR, &dso_dsobyaddr_sym.sym)
+            || !shlib_sym(cryptolib, DSO_FREE, &dso_free_sym.sym)) {
+            printf("Unable to load crypto dso symbols\n");
+            return 1;
+        }
+
+        DSO_dsobyaddr = (DSO_dsobyaddr_t)dso_dsobyaddr_sym.func;
+        DSO_free = (DSO_free_t)dso_free_sym.func;
+
+        {
+            DSO *hndl;
+            /* use known symbol from crypto module */
+            if ((hndl = DSO_dsobyaddr((void (*)(void))ERR_get_error, 0)) != NULL) {
+                DSO_free(hndl);
+            } else {
+                printf("Unable to obtain DSO reference from crypto symbol\n");
+                return 1;
+            }
+        }
+# endif /* DSO_DLFCN */
+    }
+
     for (i = 0; i < 2; i++) {
         if ((i == 0 && test_type == CRYPTO_FIRST)
                 || (i == 1 && test_type == SSL_FIRST)) {
@@ -224,7 +271,8 @@ int main(int argc, char **argv)
             }
         }
         if ((i == 0 && (test_type == SSL_FIRST
-                       || test_type == JUST_CRYPTO))
+                       || test_type == JUST_CRYPTO
+                       || test_type == DSO_REFTEST))
                 || (i == 1 && test_type == CRYPTO_FIRST)) {
             if (!shlib_close(cryptolib)) {
                 printf("Unable to close libcrypto\n");

test/sslapitest.c

@@ -1208,6 +1208,61 @@ end:
     return testresult;
 }
 
+static int test_ssl_pending(int tst)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testresult = 0;
+    char msg[] = "A test message";
+    char buf[5];
+    size_t written;
+
+    if (tst == 0) {
+        if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+                                 TLS1_VERSION, TLS_MAX_VERSION,
+                                 &sctx, &cctx, cert, privkey)) {
+            printf("Failed creating SSL_CTX pair\n");
+            goto end;
+        }
+    } else {
+#ifndef OPENSSL_NO_DTLS
+        if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(),
+                                 DTLS1_VERSION, DTLS_MAX_VERSION,
+                                 &sctx, &cctx, cert, privkey)) {
+            printf("Failed creating SSL_CTX pair\n");
+            goto end;
+        }
+#else
+        return 1;
+#endif
+    }
+
+    if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)
+            || !create_ssl_connection(serverssl, clientssl)) {
+            printf("Failed creating connection\n");
+        goto end;
+    }
+
+    written = SSL_write(serverssl, msg, sizeof(msg));
+    if (written != sizeof(msg)
+            || SSL_read(clientssl, buf, sizeof(buf)) != sizeof(buf)
+            || SSL_pending(clientssl) != (int)(written - sizeof(buf))) {
+        printf("Failed checking SSL_pending\n");
+        goto end;
+    }
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
+
 int main(int argc, char *argv[])
 {
     BIO *err = NULL;
@@ -1244,6 +1299,7 @@ int main(int argc, char *argv[])
     ADD_TEST(test_ssl_bio_change_wbio);
     ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
     ADD_ALL_TESTS(test_custom_exts, 2);
+    ADD_ALL_TESTS(test_ssl_pending, 2);
 
     testresult = run_tests(argv[0]);
 

test/verify_extra_test.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -137,6 +137,43 @@ static int test_alt_chains_cert_forgery(const char *roots_f,
     return ret;
 }
 
+static int test_store_ctx(const char *bad_f)
+{
+    X509_STORE_CTX *sctx = NULL;
+    X509 *x = NULL;
+    BIO *bio = NULL;
+    int testresult = 0, ret;
+
+    bio = BIO_new_file(bad_f, "r");
+    if (bio == NULL)
+        goto err;
+
+    x = PEM_read_bio_X509(bio, NULL, 0, NULL);
+    if (x == NULL)
+        goto err;
+
+    sctx = X509_STORE_CTX_new();
+    if (sctx == NULL)
+        goto err;
+
+    if (!X509_STORE_CTX_init(sctx, NULL, x, NULL))
+        goto err;
+
+    /* Verifying a cert where we have no trusted certs should fail */
+    ret = X509_verify_cert(sctx);
+
+    if (ret == 0) {
+        /* This is the result we were expecting: Test passed */
+        testresult = 1;
+    }
+
+ err:
+    X509_STORE_CTX_free(sctx);
+    X509_free(x);
+    BIO_free(bio);
+    return testresult;
+}
+
 int main(int argc, char **argv)
 {
     CRYPTO_set_mem_debug(1);
@@ -152,6 +189,11 @@ int main(int argc, char **argv)
         return 1;
     }
 
+    if (!test_store_ctx(argv[3])) {
+        fprintf(stderr, "Test X509_STORE_CTX failed\n");
+        return 1;
+    }
+
 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
     if (CRYPTO_mem_leaks_fp(stderr) <= 0)
         return 1;

test/versions.c

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+
+/* A simple helper for the perl function OpenSSL::Test::openssl_versions */
+int main(void)
+{
+    printf("Build version: 0x%08lX\n", OPENSSL_VERSION_NUMBER);
+    printf("Library version: 0x%08lX\n", OpenSSL_version_num());
+    return 0;
+}

test/x509_dup_cert_test.c

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* ====================================================================
+ * Copyright (c) 2017, 2018 Oracle and/or its affiliates.  All rights reserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509_vfy.h>
+
+static int test_509_dup_cert(const char *cert_f)
+{
+    int ret = 0;
+    X509_STORE_CTX *sctx = NULL;
+    X509_STORE *store = NULL;
+    X509_LOOKUP *lookup = NULL;
+
+    store = X509_STORE_new();
+    if (store == NULL)
+        goto err;
+
+    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+    if (lookup == NULL)
+        goto err;
+
+    if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM))
+        goto err;
+    if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM))
+        goto err;
+
+    ret = 1;
+
+ err:
+    X509_STORE_CTX_free(sctx);
+    X509_STORE_free(store);
+    if (ret != 1)
+        ERR_print_errors_fp(stderr);
+    return ret;
+}
+
+int main(int argc, char **argv)
+{
+    CRYPTO_set_mem_debug(1);
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+    if (argc != 2) {
+        fprintf(stderr, "usage: x509_dup_cert_test cert.pem\n");
+        return 1;
+    }
+
+    if (!test_509_dup_cert(argv[1])) {
+        fprintf(stderr, "Test X509 duplicate cert failed\n");
+        return 1;
+    }
+
+#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+    if (CRYPTO_mem_leaks_fp(stderr) <= 0)
+        return 1;
+#endif
+
+    printf("PASS\n");
+    return 0;
+}

test/x509_time_test.c

@@ -0,0 +1,212 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Tests for X509 time functions */
+
+#include <string.h>
+#include <time.h>
+
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include "testutil.h"
+#include "e_os.h"
+
+typedef struct {
+    const char *data;
+    int type;
+    time_t cmp_time;
+    /* -1 if asn1_time <= cmp_time, 1 if asn1_time > cmp_time, 0 if error. */
+    int expected;
+} TESTDATA;
+
+static TESTDATA x509_cmp_tests[] = {
+    {
+        "20170217180154Z", V_ASN1_GENERALIZEDTIME,
+        /* The same in seconds since epoch. */
+        1487354514, -1,
+    },
+    {
+        "20170217180154Z", V_ASN1_GENERALIZEDTIME,
+        /* One second more. */
+        1487354515, -1,
+    },
+    {
+        "20170217180154Z", V_ASN1_GENERALIZEDTIME,
+        /* One second less. */
+        1487354513, 1,
+    },
+    /* Same as UTC time. */
+    {
+        "170217180154Z", V_ASN1_UTCTIME,
+        /* The same in seconds since epoch. */
+        1487354514, -1,
+    },
+    {
+        "170217180154Z", V_ASN1_UTCTIME,
+        /* One second more. */
+        1487354515, -1,
+    },
+    {
+        "170217180154Z", V_ASN1_UTCTIME,
+        /* One second less. */
+        1487354513, 1,
+    },
+    /* UTCTime from the 20th century. */
+    {
+        "990217180154Z", V_ASN1_UTCTIME,
+        /* The same in seconds since epoch. */
+        919274514, -1,
+    },
+    {
+        "990217180154Z", V_ASN1_UTCTIME,
+        /* One second more. */
+        919274515, -1,
+    },
+    {
+        "990217180154Z", V_ASN1_UTCTIME,
+        /* One second less. */
+        919274513, 1,
+    },
+    /* Various invalid formats. */
+    {
+        /* No trailing Z. */
+        "20170217180154", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* No trailing Z, UTCTime. */
+        "170217180154", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* No seconds. */
+        "201702171801Z", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* No seconds, UTCTime. */
+        "1702171801Z", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Fractional seconds. */
+        "20170217180154.001Z", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Fractional seconds, UTCTime. */
+        "170217180154.001Z", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Timezone offset. */
+        "20170217180154+0100", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Timezone offset, UTCTime. */
+        "170217180154+0100", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Extra digits. */
+        "2017021718015400Z", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Extra digits, UTCTime. */
+        "17021718015400Z", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Non-digits. */
+        "2017021718015aZ", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Non-digits, UTCTime. */
+        "17021718015aZ", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Trailing garbage. */
+        "20170217180154Zlongtrailinggarbage", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Trailing garbage, UTCTime. */
+        "170217180154Zlongtrailinggarbage", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+         /* Swapped type. */
+        "20170217180154Z", V_ASN1_UTCTIME, 0, 0,
+    },
+    {
+        /* Swapped type. */
+        "170217180154Z", V_ASN1_GENERALIZEDTIME, 0, 0,
+    },
+    {
+        /* Bad type. */
+        "20170217180154Z", V_ASN1_OCTET_STRING, 0, 0,
+    },
+};
+
+static int test_x509_cmp_time(int idx)
+{
+    ASN1_TIME t;
+    int result;
+
+    memset(&t, 0, sizeof(t));
+    t.type = x509_cmp_tests[idx].type;
+    t.data = (unsigned char*)(x509_cmp_tests[idx].data);
+    t.length = strlen(x509_cmp_tests[idx].data);
+
+    result = X509_cmp_time(&t, &x509_cmp_tests[idx].cmp_time);
+    if (result != x509_cmp_tests[idx].expected) {
+        fprintf(stderr, "test_x509_cmp_time(%d) failed: expected %d, got %d\n",
+                idx, x509_cmp_tests[idx].expected, result);
+        return 0;
+    }
+    return 1;
+}
+
+static int test_x509_cmp_time_current()
+{
+    time_t now = time(NULL);
+    /* Pick a day earlier and later, relative to any system clock. */
+    ASN1_TIME *asn1_before = NULL, *asn1_after = NULL;
+    int cmp_result, failed = 0;
+
+    asn1_before = ASN1_TIME_adj(NULL, now, -1, 0);
+    asn1_after = ASN1_TIME_adj(NULL, now, 1, 0);
+
+    cmp_result  = X509_cmp_time(asn1_before, NULL);
+    if (cmp_result != -1) {
+        fprintf(stderr, "test_x509_cmp_time_current failed: expected -1, got %d\n",
+                cmp_result);
+        failed = 1;
+    }
+
+    cmp_result = X509_cmp_time(asn1_after, NULL);
+    if (cmp_result != 1) {
+        fprintf(stderr, "test_x509_cmp_time_current failed: expected 1, got %d\n",
+                cmp_result);
+        failed = 1;
+    }
+
+    ASN1_TIME_free(asn1_before);
+    ASN1_TIME_free(asn1_after);
+
+    return failed == 0;
+}
+
+int main(int argc, char **argv)
+{
+    int ret = 0;
+    unsigned int idx;
+
+    if (!test_x509_cmp_time_current())
+        ret = 1;
+
+    for (idx=0 ; idx < OSSL_NELEM(x509_cmp_tests) ; ++idx) {
+        if (!test_x509_cmp_time(idx))
+            ret = 1;
+    }
+
+    if (ret == 0)
+        printf("PASS\n");
+    return ret;
+}