Generate a fresh certificate and DSA private key in their respective PEM
files.  Modify the resulting ASCII in various ways so as to produce input
files that might be generated by non-openssl programs (openssl always
generates "standard" PEM files, with base64 data in 64-character lines
except for a possible shorter last line).

Exercise various combinations of line lengths, leading/trailing
whitespace, non-base64 characters, comments, and padding, for both
unencrypted and encrypted files.  (We do not have any other test coverage
that uses encrypted files, as far as I can see, and the parser enforces
different rules for the body of encrypted files.)

Add a recipe to parse these test files and verify that they contain the
expected string or are rejected, according to the expected status.
Some of the current behavior is perhaps suboptimal and could be revisited.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2756)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2787)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2788)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2788)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2789)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2774)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2784)

It is empty and is not compiled
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2777)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2783)

This removes the fips configure option. This option is broken as the
required FIPS code is not available.

FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.
Reviewed-by: NStephen Henson <steve@openssl.org>

The second loop in the remove_space function doesn't check for walking
back off of the start of the string while setting white space to 0.

This fix exits this loop once the pointer is before the (updated) beginning
of the string.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2752)

This file tests code that doesn't exist.
Reviewed-by: NStephen Henson <steve@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2738)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2738)

- Reject fractional seconds
- Reject offsets
- Check that the date/time digits are in valid range.
- Add documentation for X509_cmp_time

GH issue 2620
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

Avoid a -Wundef warning in refcount.h
Avoid a -Wundef warning in o_str.c
Avoid a -Wundef warning in testutil.h
Include internal/cryptlib.h before openssl/stack.h
to avoid use of undefined symbol OPENSSL_API_COMPAT.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2712)

Make sure that we can stop handshake processing and resume it later.
Also check that the cipher list and compression methods are sane.
Unfortunately, we don't have the client-side APIs needed to force
a specific (known) session ID to be sent in the ClientHello, so
that accessor cannot be tested here.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

Certain callback APIs allow the callback to request async processing
by trickling a particular error value up the stack to the application
as an error return from the handshake function.  In those cases,
SSL_want() returns a code specific to the type of async processing
needed.

The create_ssl_connection() helper function for the tests is very
helpful for several things, including creating API tests.  However,
it does not currently let us test the async processing functionality
of these callback interfaces, because the special SSL error codes
are treated as generic errors and the helper continues to loop until
it reaches its maximum iteration count.

Add a new parameter, 'want', that indicates an expected/desired
special SSL error code, so that the helper will terminate when
either side reports that error, giving control back to the calling
function and allowing the test to proceed.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

create_ssl_connection() prints out the results if SSL_accept() and/or
SSL_connect() fail, but was reusing the client return value when printing
about SSL_accept() failures.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

Plumb things through in the same place as the SNI callback, since
we recommend that the early callback replace (and supplement) the
SNI callback, and add a few test cases.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2715)

Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)

TODO(robpercival): Should actually test that the output certificate
contains the poison extension.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)

The condition wasn't quite right
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2702)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2679)

This implementation is written in endian agnostic C code. No attempt
at providing machine specific assembly code has been made. This
implementation expands the evptests by including the test cases from
RFC 5794 and ARIA official site rather than providing an individual
test case. Support for ARIA has been integrated into the command line
applications, but not TLS. Implemented modes are CBC, CFB1, CFB8,
CFB128, CTR, ECB and OFB128.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2337)

Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2649)

On VMS, file names with more than one period get all but the last get
escaped with a ^, so 21-key-update.conf.in becomes 21-key-update^.conf.in
That means that %conf_dependent_tests and %skip become useless unless
we massage the file names that are used as indexes.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2678)

Since 20-cert-select.conf will vary depending in no-dh and no-dsa,
don't check it against original when those options are selected
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2680)

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)

Don't run this test unless 'openssl rehash' works properly.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2664)

We use an int instead. That means SSL_key_update() also should use an int.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)