[openssl] master update

Dr. Paul Dale pauli at openssl.org
Sat Jun 19 12:02:54 UTC 2021


The branch master has been updated
       via  c602fadc443fad88aafbab35cdc11ba5ffdf6e30 (commit)
       via  555fea854d6c59efc2ff38d78b4812aeae3c5cd5 (commit)
       via  bb82ef11153c2c386787c988970d4aec3acad8f2 (commit)
       via  2d6f72aa03ab36f2b281d9e01058a824c69cd46d (commit)
       via  f6f3a5d34a1ff9a2f5cf2a6efd461f20370dd5ec (commit)
       via  43c02d9ce267fce7111e67d35f1f5733755f36cf (commit)
       via  d05bfc12541c95fb41a560cb813255c6aafdb2d7 (commit)
       via  a0430488c12036f88d52c96ca941199571304786 (commit)
       via  5ea4d7648cb2cd23d42850865686390896c6e607 (commit)
       via  e69bde88e44c431412d7cf9f9361b84c95fe549d (commit)
      from  d0e5230dcecc6013d351545ceb275aa2ba5baa80 (commit)


- Log -----------------------------------------------------------------
commit c602fadc443fad88aafbab35cdc11ba5ffdf6e30
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:56:29 2021 +1000

    test: fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit 555fea854d6c59efc2ff38d78b4812aeae3c5cd5
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:47:06 2021 +1000

    rsa:  fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit bb82ef11153c2c386787c988970d4aec3acad8f2
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:46:50 2021 +1000

    asn1: fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit 2d6f72aa03ab36f2b281d9e01058a824c69cd46d
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:46:36 2021 +1000

    ssl: fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit f6f3a5d34a1ff9a2f5cf2a6efd461f20370dd5ec
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:46:27 2021 +1000

    ssl: fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit 43c02d9ce267fce7111e67d35f1f5733755f36cf
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 19:46:16 2021 +1000

    punycode: fix indentation
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit d05bfc12541c95fb41a560cb813255c6aafdb2d7
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 17:50:54 2021 +1000

    crypto: repalce tabs with spaces
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit a0430488c12036f88d52c96ca941199571304786
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 17:46:40 2021 +1000

    test: replace tabs with spaces in test recipes
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit 5ea4d7648cb2cd23d42850865686390896c6e607
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 17:44:57 2021 +1000

    ssl: replace tabs with spaces
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

commit e69bde88e44c431412d7cf9f9361b84c95fe549d
Author: Pauli <pauli at openssl.org>
Date:   Fri Jun 18 17:44:44 2021 +1000

    include: replace tabs with spaces in headers
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15824)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_algor.c                       |  10 +-
 crypto/property/property.c                  |   2 +-
 crypto/rsa/rsa_sp800_56b_gen.c              |  12 +-
 include/crypto/punycode.h                   |   8 +-
 include/openssl/configuration.h.in          |  12 +-
 ssl/ktls.c                                  |  16 +-
 ssl/record/rec_layer_s3.c                   |  14 +-
 ssl/statem/extensions.c                     |   2 +-
 ssl/t1_lib.c                                |   2 +-
 test/recipes/15-test_rsa.t                  |  10 +-
 test/recipes/20-test_enc.t                  |  34 +--
 test/recipes/25-test_req.t                  |   2 +-
 test/recipes/25-test_verify.t               |   2 +-
 test/recipes/25-test_verify_store.t         |   2 +-
 test/recipes/60-test_x509_check_cert_pkey.t |   4 +-
 test/recipes/70-test_sslsessiontick.t       |  60 +++---
 test/recipes/80-test_ca.t                   |  14 +-
 test/recipes/80-test_ocsp.t                 | 110 +++++-----
 test/recipes/80-test_ssl_old.t              | 322 ++++++++++++++--------------
 19 files changed, 319 insertions(+), 319 deletions(-)

diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c
index ff83ce4fef..c0a5f76803 100644
--- a/crypto/asn1/x_algor.c
+++ b/crypto/asn1/x_algor.c
@@ -98,7 +98,7 @@ int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
 int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src)
 {
     if (src == NULL || dest == NULL)
-	return 0;
+        return 0;
 
     if (dest->algorithm)
          ASN1_OBJECT_free(dest->algorithm);
@@ -110,7 +110,7 @@ int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src)
 
     if (src->algorithm)
         if ((dest->algorithm = OBJ_dup(src->algorithm)) == NULL)
-	    return 0;
+            return 0;
 
     if (src->parameter != NULL) {
         dest->parameter = ASN1_TYPE_new();
@@ -120,9 +120,9 @@ int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src)
         /* Assuming this is also correct for a BOOL.
          * set does copy as a side effect.
          */
-        if (ASN1_TYPE_set1(dest->parameter, 
-              src->parameter->type, src->parameter->value.ptr) == 0)
-	    return 0;
+        if (ASN1_TYPE_set1(dest->parameter, src->parameter->type,
+                           src->parameter->value.ptr) == 0)
+            return 0;
     }
 
     return 1;
diff --git a/crypto/property/property.c b/crypto/property/property.c
index 535120b581..c3f1c5ac58 100644
--- a/crypto/property/property.c
+++ b/crypto/property/property.c
@@ -412,7 +412,7 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int nid,
 
 #ifndef FIPS_MODULE
     if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
-	return 0;
+        return 0;
 #endif
 
     if (nid <= 0 || method == NULL || store == NULL)
diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c
index 365996fd07..df2240555b 100644
--- a/crypto/rsa/rsa_sp800_56b_gen.c
+++ b/crypto/rsa/rsa_sp800_56b_gen.c
@@ -285,7 +285,7 @@ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
     if (rsa->dmp1 == NULL)
         rsa->dmp1 = BN_secure_new();
     if (rsa->dmp1 == NULL)
-	    goto err;
+        goto err;
     BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME);
     if (!BN_mod(rsa->dmp1, rsa->d, p1, ctx))
         goto err;
@@ -294,7 +294,7 @@ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
     if (rsa->dmq1 == NULL)
         rsa->dmq1 = BN_secure_new();
     if (rsa->dmq1 == NULL)
-	    goto err;
+        goto err;
     BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME);
     if (!BN_mod(rsa->dmq1, rsa->d, q1, ctx))
         goto err;
@@ -303,7 +303,7 @@ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
     BN_free(rsa->iqmp);
     rsa->iqmp = BN_secure_new();
     if (rsa->iqmp == NULL)
-	    goto err;
+        goto err;
     BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME);
     if (BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx) == NULL)
         goto err;
@@ -429,9 +429,9 @@ int ossl_rsa_sp800_56b_pairwise_test(RSA *rsa, BN_CTX *ctx)
     BN_set_flags(k, BN_FLG_CONSTTIME);
 
     ret = (BN_set_word(k, 2)
-          && BN_mod_exp(tmp, k, rsa->e, rsa->n, ctx)
-          && BN_mod_exp(tmp, tmp, rsa->d, rsa->n, ctx)
-          && BN_cmp(k, tmp) == 0);
+           && BN_mod_exp(tmp, k, rsa->e, rsa->n, ctx)
+           && BN_mod_exp(tmp, tmp, rsa->d, rsa->n, ctx)
+           && BN_cmp(k, tmp) == 0);
     if (ret == 0)
         ERR_raise(ERR_LIB_RSA, RSA_R_PAIRWISE_TEST_FAILURE);
 err:
diff --git a/include/crypto/punycode.h b/include/crypto/punycode.h
index f47eded262..133826d87e 100644
--- a/include/crypto/punycode.h
+++ b/include/crypto/punycode.h
@@ -12,10 +12,10 @@
 # pragma once
 
 int ossl_punycode_decode (
-	const char *pEncoded,
-	const size_t enc_len,
-	unsigned int *pDecoded,
-	unsigned int *pout_length
+    const char *pEncoded,
+    const size_t enc_len,
+    unsigned int *pDecoded,
+    unsigned int *pout_length
 );
 
 int ossl_a2ulabel(const char *in, char *out, size_t *outlen);
diff --git a/include/openssl/configuration.h.in b/include/openssl/configuration.h.in
index e4d4f526b3..b84dc1dfe3 100644
--- a/include/openssl/configuration.h.in
+++ b/include/openssl/configuration.h.in
@@ -27,9 +27,9 @@ extern "C" {
 
 {- if (@{$config{openssl_sys_defines}}) {
       foreach (@{$config{openssl_sys_defines}}) {
-	$OUT .= "# ifndef $_\n";
-	$OUT .= "#  define $_ 1\n";
-	$OUT .= "# endif\n";
+        $OUT .= "# ifndef $_\n";
+        $OUT .= "#  define $_ 1\n";
+        $OUT .= "# endif\n";
       }
     }
     foreach (@{$config{openssl_api_defines}}) {
@@ -38,9 +38,9 @@ extern "C" {
     }
     if (@{$config{openssl_feature_defines}}) {
       foreach (@{$config{openssl_feature_defines}}) {
-	$OUT .= "# ifndef $_\n";
-	$OUT .= "#  define $_\n";
-	$OUT .= "# endif\n";
+        $OUT .= "# ifndef $_\n";
+        $OUT .= "#  define $_\n";
+        $OUT .= "# endif\n";
       }
     }
     "";
diff --git a/ssl/ktls.c b/ssl/ktls.c
index a5de8bd720..2d691fdeb2 100644
--- a/ssl/ktls.c
+++ b/ssl/ktls.c
@@ -180,11 +180,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
         crypto_info->gcm128.info.version = s->version;
         crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128);
         memcpy(crypto_info->gcm128.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN,
-                TLS_CIPHER_AES_GCM_128_IV_SIZE);
+               TLS_CIPHER_AES_GCM_128_IV_SIZE);
         memcpy(crypto_info->gcm128.salt, iiv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
         memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
         memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
-                TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+               TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
         if (rec_seq != NULL)
             *rec_seq = crypto_info->gcm128.rec_seq;
         return 1;
@@ -195,11 +195,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
         crypto_info->gcm256.info.version = s->version;
         crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256);
         memcpy(crypto_info->gcm256.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN,
-                TLS_CIPHER_AES_GCM_256_IV_SIZE);
+               TLS_CIPHER_AES_GCM_256_IV_SIZE);
         memcpy(crypto_info->gcm256.salt, iiv, TLS_CIPHER_AES_GCM_256_SALT_SIZE);
         memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
         memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
-                TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+               TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
         if (rec_seq != NULL)
             *rec_seq = crypto_info->gcm256.rec_seq;
         return 1;
@@ -210,11 +210,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
         crypto_info->ccm128.info.version = s->version;
         crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128);
         memcpy(crypto_info->ccm128.iv, iiv + EVP_CCM_TLS_FIXED_IV_LEN,
-                TLS_CIPHER_AES_CCM_128_IV_SIZE);
+               TLS_CIPHER_AES_CCM_128_IV_SIZE);
         memcpy(crypto_info->ccm128.salt, iiv, TLS_CIPHER_AES_CCM_128_SALT_SIZE);
         memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
         memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
-                TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+               TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
         if (rec_seq != NULL)
             *rec_seq = crypto_info->ccm128.rec_seq;
         return 1;
@@ -225,11 +225,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
         crypto_info->chacha20poly1305.info.version = s->version;
         crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
         memcpy(crypto_info->chacha20poly1305.iv, iiv,
-		TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+               TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
         memcpy(crypto_info->chacha20poly1305.key, key,
                EVP_CIPHER_get_key_length(c));
         memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
-                TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+               TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
         if (rec_seq != NULL)
             *rec_seq = crypto_info->chacha20poly1305.rec_seq;
         return 1;
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index aacd5694fc..28e02e642c 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1203,13 +1203,13 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
             i = -1;
         }
 
-	/*
-	 * When an empty fragment is sent on a connection using KTLS,
-	 * it is sent as a write of zero bytes.  If this zero byte
-	 * write succeeds, i will be 0 rather than a non-zero value.
-	 * Treat i == 0 as success rather than an error for zero byte
-	 * writes to permit this case.
-	 */
+        /*
+         * When an empty fragment is sent on a connection using KTLS,
+         * it is sent as a write of zero bytes.  If this zero byte
+         * write succeeds, i will be 0 rather than a non-zero value.
+         * Treat i == 0 as success rather than an error for zero byte
+         * writes to permit this case.
+         */
         if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
             SSL3_BUFFER_set_left(&wb[currbuf], 0);
             SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index f58111c95c..bc437be26a 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -953,7 +953,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
      * exceed sess_accept (zero) for the new context.
      */
     if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
-		    && s->hello_retry_request == SSL_HRR_NONE) {
+            && s->hello_retry_request == SSL_HRR_NONE) {
         tsan_counter(&s->ctx->stats.sess_accept);
         tsan_decr(&s->session_ctx->stats.sess_accept);
     }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2ee97c2ae6..3579202c22 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1431,7 +1431,7 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
          * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
          * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
          * puts a chosen-prefix attack for MD5 at 2^39.
-	 */
+         */
         if (md_type == NID_sha1)
             secbits = 64;
         else if (md_type == NID_md5_sha1)
diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t
index abcdb0490c..089986f0d8 100644
--- a/test/recipes/15-test_rsa.t
+++ b/test/recipes/15-test_rsa.t
@@ -34,14 +34,14 @@ sub run_rsa_tests {
 
      SKIP: {
          skip "Skipping $cmd conversion test", 3
-	     if disabled("rsa");
+             if disabled("rsa");
 
          subtest "$cmd conversions -- private key" => sub {
-	     tconversion( -type => $cmd, -prefix => "$cmd-priv",
+             tconversion( -type => $cmd, -prefix => "$cmd-priv",
                           -in => srctop_file("test", "testrsa.pem") );
          };
          subtest "$cmd conversions -- private key PKCS#8" => sub {
-	     tconversion( -type => $cmd, -prefix => "$cmd-pkcs8",
+             tconversion( -type => $cmd, -prefix => "$cmd-pkcs8",
                           -in => srctop_file("test", "testrsa.pem"),
                           -args => ["pkey"] );
          };
@@ -49,10 +49,10 @@ sub run_rsa_tests {
 
      SKIP: {
          skip "Skipping msblob conversion test", 1
-	     if disabled($cmd) || $cmd eq 'pkey';
+             if disabled($cmd) || $cmd eq 'pkey';
 
          subtest "$cmd conversions -- public key" => sub {
-	     tconversion( -type => 'msb', -prefix => "$cmd-msb-pub",
+             tconversion( -type => 'msb', -prefix => "$cmd-msb-pub",
                           -in => srctop_file("test", "testrsapub.pem"),
                           -args => ["rsa", "-pubin", "-pubout"] );
          };
diff --git a/test/recipes/20-test_enc.t b/test/recipes/20-test_enc.t
index 32a62ef2fd..9a38aed4d0 100644
--- a/test/recipes/20-test_enc.t
+++ b/test/recipes/20-test_enc.t
@@ -52,24 +52,24 @@ plan tests => 2 + (scalar @ciphers)*2;
      }
 
      foreach my $c (@ciphers) {
-	 my %variant = ("$c" => [],
-			"$c base64" => [ "-a" ]);
+         my %variant = ("$c" => [],
+                        "$c base64" => [ "-a" ]);
 
-	 foreach my $t (sort keys %variant) {
-	     my $cipherfile = "$test.$c.cipher";
-	     my $clearfile = "$test.$c.clear";
-	     my @e = ( "$c", "-bufsize", "113", @{$variant{$t}}, "-e", "-k", "test" );
-	     my @d = ( "$c", "-bufsize", "157", @{$variant{$t}}, "-d", "-k", "test" );
-	     if ($c eq "cat") {
-		 $cipherfile = "$test.cipher";
-		 $clearfile = "$test.clear";
-		 @e = ( "enc", @{$variant{$t}}, "-e" );
-		 @d = ( "enc", @{$variant{$t}}, "-d" );
-	     }
+         foreach my $t (sort keys %variant) {
+             my $cipherfile = "$test.$c.cipher";
+             my $clearfile = "$test.$c.clear";
+             my @e = ( "$c", "-bufsize", "113", @{$variant{$t}}, "-e", "-k", "test" );
+             my @d = ( "$c", "-bufsize", "157", @{$variant{$t}}, "-d", "-k", "test" );
+             if ($c eq "cat") {
+                 $cipherfile = "$test.cipher";
+                 $clearfile = "$test.clear";
+                 @e = ( "enc", @{$variant{$t}}, "-e" );
+                 @d = ( "enc", @{$variant{$t}}, "-d" );
+             }
 
-	     ok(run(app([$cmd, @e, @prov, "-in", $test, "-out", $cipherfile]))
-		&& run(app([$cmd, @d, @prov, "-in", $cipherfile, "-out", $clearfile]))
-		&& compare_text($test,$clearfile) == 0, $t);
-	 }
+             ok(run(app([$cmd, @e, @prov, "-in", $test, "-out", $cipherfile]))
+                && run(app([$cmd, @d, @prov, "-in", $cipherfile, "-out", $clearfile]))
+                && compare_text($test,$clearfile) == 0, $t);
+         }
      }
 }
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 9783fe3960..5781f26a9a 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -114,7 +114,7 @@ subtest "generating certificate requests with RSA" => sub {
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-out", "testreq_withattrs_der.pem", "-utf8",
                     "-key", srctop_file("test", "testrsa_withattrs.der"),
-	            "-keyform", "DER"])),
+                    "-keyform", "DER"])),
            "Generating request from a key with extra attributes - PEM");
 
         ok(run(app(["openssl", "req",
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 269b2ba4aa..acb26f0afd 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -417,7 +417,7 @@ ok(verify("ee-ss-with-keyCertSign", "", ["ee-ss-with-keyCertSign"], []),
 
 SKIP: {
     skip "Ed25519 is not supported by this OpenSSL build", 6
-	      if disabled("ec");
+        if disabled("ec");
 
     # ED25519 certificate from draft-ietf-curdle-pkix-04
     ok(verify("ee-ed25519", "", ["root-ed25519"], []),
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index d66dd9d48d..346396a628 100644
--- a/test/recipes/25-test_verify_store.t
+++ b/test/recipes/25-test_verify_store.t
@@ -25,7 +25,7 @@ my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAreq2="req2CA.ss";	# temp
+my $CAreq2="req2CA.ss"; # temp
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
diff --git a/test/recipes/60-test_x509_check_cert_pkey.t b/test/recipes/60-test_x509_check_cert_pkey.t
index 0c8a567fe5..6e7112b4cf 100644
--- a/test/recipes/60-test_x509_check_cert_pkey.t
+++ b/test/recipes/60-test_x509_check_cert_pkey.t
@@ -37,8 +37,8 @@ SKIP: {
     skip "DSA disabled", 1, if disabled("dsa");
     # dsa
     ok(run(test(["x509_check_cert_pkey_test",
-		 src_file("server-dsa-cert.pem"),
-		 src_file("server-dsa-key.pem"), "cert", "ok"])));
+                 src_file("server-dsa-cert.pem"),
+                 src_file("server-dsa-key.pem"), "cert", "ok"])));
 }
 # ecc
 SKIP: {
diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t
index 648cb7590c..ce112fd51f 100644
--- a/test/recipes/70-test_sslsessiontick.t
+++ b/test/recipes/70-test_sslsessiontick.t
@@ -221,38 +221,38 @@ sub checkmessages($$$$$$)
 
     subtest $testname => sub {
 
-	foreach my $message (@{$proxy->message_list}) {
-	    if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
+        foreach my $message (@{$proxy->message_list}) {
+            if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
                 || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
-		#Get the extensions data
-		my %extensions = %{$message->extension_data};
-		if (defined
+                #Get the extensions data
+                my %extensions = %{$message->extension_data};
+                if (defined
                     $extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
-		    if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
-			$chellotickext = 1;
-		    } else {
-			$shellotickext = 1;
-		    }
-		}
-	    } elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) {
-		#Must be doing a full handshake
-		$fullhand = 1;
-	    } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
-		$ticketseen = 1;
-	    }
-	}
-
-	plan tests => 5;
-
-	ok(TLSProxy::Message->success, "Handshake");
-	ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
-	   "ClientHello extension Session Ticket check");
-	ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
-	   "ServerHello extension Session Ticket check");
-	ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
-	   "Session Ticket message presence check");
-	ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
-	   "Session Ticket full handshake check");
+                    if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+                        $chellotickext = 1;
+                    } else {
+                        $shellotickext = 1;
+                    }
+                }
+            } elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) {
+                #Must be doing a full handshake
+                $fullhand = 1;
+            } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+                $ticketseen = 1;
+            }
+        }
+
+        plan tests => 5;
+
+        ok(TLSProxy::Message->success, "Handshake");
+        ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
+           "ClientHello extension Session Ticket check");
+        ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
+           "ServerHello extension Session Ticket check");
+        ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
+           "Session Ticket message presence check");
+        ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
+           "Session Ticket full handshake check");
     }
 }
 
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index dce9c64120..c1e09032de 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -32,20 +32,20 @@ plan tests => 15;
      my $cakey = srctop_file("test", "certs", "ca-key.pem");
      $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating CA structure", 4
-	 if !ok(run(perlapp(["CA.pl","-newca",
+         if !ok(run(perlapp(["CA.pl","-newca",
                              "-extra-req", "-key $cakey"], stdin => undef)),
-		'creating CA structure');
+                'creating CA structure');
 
      my $eekey = srctop_file("test", "certs", "ee-key.pem");
      $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating new certificate request", 3
-	 if !ok(run(perlapp(["CA.pl","-newreq",
+         if !ok(run(perlapp(["CA.pl","-newreq",
                              '-extra-req', "-outform DER -section userreq -key $eekey"])),
-		'creating certificate request');
+                'creating certificate request');
      $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
      skip "failed to sign certificate request", 2
-	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
-		'signing certificate request');
+         if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
+                'signing certificate request');
 
      ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
         'verifying new certificate');
@@ -61,7 +61,7 @@ plan tests => 15;
 
 SKIP: {
     skip "SM2 is not supported by this OpenSSL build", 1
-	      if disabled("sm2");
+        if disabled("sm2");
 
     is(yes(cmdstr(app(["openssl", "ca", "-config",
                        $cnf,
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 3727c360ba..bf00386a0f 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -55,143 +55,143 @@ subtest "=== VALID OCSP RESPONSES ===" => sub {
     plan tests => 7;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
+              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
+              "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
+              "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
     test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
-	      "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
+              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "D1_Issuer_ICA.pem", "", 0);
+              "D1.ors", "D1_Issuer_ICA.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "D2_Issuer_Root.pem", "", 0);
+              "D2.ors", "D2_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "D3_Issuer_Root.pem", "", 0);
+              "D3.ors", "D3_Issuer_Root.pem", "", 0);
 };
 
 subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
     plan tests => 3;
 
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
     plan tests => 3;
 
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
+              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
+              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
+              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
+              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
+              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
+              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
+              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
+              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
     plan tests => 6;
 
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
+              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
+              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
+              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
+              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
+              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
+              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
 };
 
 subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
@@ -199,17 +199,17 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
 
     # Expect success, because we're explicitly trusting the issuer certificate.
     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
-	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
+              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
-	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
+              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
     test_ocsp("NON-DELEGATED; Root CA -> EE",
-	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
+              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Intermediate CA -> EE",
-	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
+              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-	      "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
+              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
     test_ocsp("DELEGATED; Root CA -> EE",
-	      "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
+              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
 };
 
 subtest "=== OCSP API TESTS===" => sub {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index b71bc01655..a69f53b606 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -50,7 +50,7 @@ my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss"
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAreq2="req2CA.ss";	# temp
+my $CAreq2="req2CA.ss"; # temp
 my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
@@ -85,13 +85,13 @@ plan tests =>
 
 subtest 'test_ss' => sub {
     if (testss()) {
-	open OUT, ">", "intP1.ss";
-	copy($CAcert, \*OUT); copy($Ucert, \*OUT);
-	close OUT;
+        open OUT, ">", "intP1.ss";
+        copy($CAcert, \*OUT); copy($Ucert, \*OUT);
+        close OUT;
 
-	open OUT, ">", "intP2.ss";
-	copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
-	close OUT;
+        open OUT, ">", "intP2.ss";
+        copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
+        close OUT;
     }
 };
 
@@ -115,68 +115,68 @@ sub testss {
     my $dsaparams = data_file("dsa2048.pem");
     my @req_new;
     if ($no_rsa) {
-	@req_new = @req_dsa;
+        @req_new = @req_dsa;
     } else {
-	@req_new = ("-new");
+        @req_new = ("-new");
     }
 
     plan tests => 17;
 
   SKIP: {
       skip 'failure', 16 unless
-	  ok(run(app([@reqcmd, "-config", $cnf,
-		      "-out", $CAreq, "-key", $CAkey,
-		      @req_new])),
-	     'make cert request');
+          ok(run(app([@reqcmd, "-config", $cnf,
+                      "-out", $CAreq, "-key", $CAkey,
+                      @req_new])),
+             'make cert request');
 
       skip 'failure', 15 unless
-	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
-		      "-req", "-out", $CAcert, "-signkey", $CAkey,
-		      "-extfile", $cnf, "-extensions", "v3_ca"],
-		     stdout => "err.ss")),
-	     'convert request into self-signed cert');
+          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
+                      "-req", "-out", $CAcert, "-signkey", $CAkey,
+                      "-extfile", $cnf, "-extensions", "v3_ca"],
+                     stdout => "err.ss")),
+             'convert request into self-signed cert');
 
       skip 'failure', 14 unless
-	  ok(run(app([@x509cmd, "-in", $CAcert,
-		      "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
-		     stdout => "err.ss")),
-	     'convert cert into a cert request');
+          ok(run(app([@x509cmd, "-in", $CAcert,
+                      "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
+                     stdout => "err.ss")),
+             'convert cert into a cert request');
 
       skip 'failure', 13 unless
-	  ok(run(app([@reqcmd, "-config", $dummycnf,
-		      "-verify", "-in", $CAreq, "-noout"])),
-	     'verify request 1');
+          ok(run(app([@reqcmd, "-config", $dummycnf,
+                      "-verify", "-in", $CAreq, "-noout"])),
+             'verify request 1');
 
 
       skip 'failure', 12 unless
-	  ok(run(app([@reqcmd, "-config", $dummycnf,
-		      "-verify", "-in", $CAreq2, "-noout"])),
-	     'verify request 2');
+          ok(run(app([@reqcmd, "-config", $dummycnf,
+                      "-verify", "-in", $CAreq2, "-noout"])),
+             'verify request 2');
 
       skip 'failure', 11 unless
-	  ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
-	     'verify signature');
+          ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
+             'verify signature');
 
       skip 'failure', 10 unless
-	  ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
-		      "-out", $Ureq, "-key", $Ukey, @req_new],
-		     stdout => "err.ss")),
-	     'make a user cert request');
+          ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
+                      "-out", $Ureq, "-key", $Ukey, @req_new],
+                     stdout => "err.ss")),
+             'make a user cert request');
 
       skip 'failure', 9 unless
-	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
-		      "-req", "-out", $Ucert,
-		      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
-		      "-extfile", $cnf, "-extensions", "v3_ee"],
-		     stdout => "err.ss"))
-	     && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
-	     'sign user cert request');
+          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
+                      "-req", "-out", $Ucert,
+                      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
+                      "-extfile", $cnf, "-extensions", "v3_ee"],
+                     stdout => "err.ss"))
+             && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
+             'sign user cert request');
 
       skip 'failure', 8 unless
-	  ok(run(app([@x509cmd,
-		      "-subject", "-issuer", "-startdate", "-enddate",
-		      "-noout", "-in", $Ucert])),
-	     'Certificate details');
+          ok(run(app([@x509cmd,
+                      "-subject", "-issuer", "-startdate", "-enddate",
+                      "-noout", "-in", $Ucert])),
+             'Certificate details');
 
       skip 'failure', 7 unless
           subtest 'DSA certificate creation' => sub {
@@ -270,54 +270,54 @@ sub testss {
       };
 
       skip 'failure', 5 unless
-	  ok(run(app([@reqcmd, "-config", $proxycnf,
-		      "-out", $P1req, "-key", $P1key, @req_new],
-		     stdout => "err.ss")),
-	     'make a proxy cert request');
+          ok(run(app([@reqcmd, "-config", $proxycnf,
+                      "-out", $P1req, "-key", $P1key, @req_new],
+                     stdout => "err.ss")),
+             'make a proxy cert request');
 
 
       skip 'failure', 4 unless
-	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
-		      "-req", "-out", $P1cert,
-		      "-CA", $Ucert, "-CAkey", $Ukey,
-		      "-extfile", $proxycnf, "-extensions", "proxy"],
-		     stdout => "err.ss")),
-	     'sign proxy with user cert');
+          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
+                      "-req", "-out", $P1cert,
+                      "-CA", $Ucert, "-CAkey", $Ukey,
+                      "-extfile", $proxycnf, "-extensions", "proxy"],
+                     stdout => "err.ss")),
+             'sign proxy with user cert');
 
       copy($Ucert, $P1intermediate);
       run(app([@verifycmd, "-CAfile", $CAcert,
-	       "-untrusted", $P1intermediate, $P1cert]));
+               "-untrusted", $P1intermediate, $P1cert]));
       ok(run(app([@x509cmd,
-		  "-subject", "-issuer", "-startdate", "-enddate",
-		  "-noout", "-in", $P1cert])),
-	 'Certificate details');
+                  "-subject", "-issuer", "-startdate", "-enddate",
+                  "-noout", "-in", $P1cert])),
+         'Certificate details');
 
       skip 'failure', 2 unless
-	  ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
-		      "-out", $P2req, "-key", $P2key,
-		      @req_new],
-		     stdout => "err.ss")),
-	     'make another proxy cert request');
+          ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
+                      "-out", $P2req, "-key", $P2key,
+                      @req_new],
+                     stdout => "err.ss")),
+             'make another proxy cert request');
 
 
       skip 'failure', 1 unless
-	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
-		      "-req", "-out", $P2cert,
-		      "-CA", $P1cert, "-CAkey", $P1key,
-		      "-extfile", $proxycnf, "-extensions", "proxy_2"],
-		     stdout => "err.ss")),
-	     'sign second proxy cert request with the first proxy cert');
+          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
+                      "-req", "-out", $P2cert,
+                      "-CA", $P1cert, "-CAkey", $P1key,
+                      "-extfile", $proxycnf, "-extensions", "proxy_2"],
+                     stdout => "err.ss")),
+             'sign second proxy cert request with the first proxy cert');
 
 
       open OUT, ">", $P2intermediate;
       copy($Ucert, \*OUT); copy($P1cert, \*OUT);
       close OUT;
       run(app([@verifycmd, "-CAfile", $CAcert,
-	       "-untrusted", $P2intermediate, $P2cert]));
+               "-untrusted", $P2intermediate, $P2cert]));
       ok(run(app([@x509cmd,
-		  "-subject", "-issuer", "-startdate", "-enddate",
-		  "-noout", "-in", $P2cert])),
-	 'Certificate details');
+                  "-subject", "-issuer", "-startdate", "-enddate",
+                  "-noout", "-in", $P2cert])),
+         'Certificate details');
     }
 }
 
@@ -341,69 +341,69 @@ sub testssl {
 
     my $dsa_cert = 0;
     if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
-					"-text", "-noout"]), capture => 1)) {
-	$dsa_cert = 1;
+                                        "-text", "-noout"]), capture => 1)) {
+        $dsa_cert = 1;
     }
 
 
     # plan tests => 11;
 
     subtest 'standard SSL tests' => sub {
-	######################################################################
-      plan tests => 13;
+        ######################################################################
+        plan tests => 13;
 
       SKIP: {
-	  skip "SSLv3 is not supported by this OpenSSL build", 4
-	      if disabled("ssl3");
-
-	  skip "SSLv3 is not supported by the FIPS provider", 4
-	      if $provider eq "fips";
-
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
-	     'test sslv3 via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
-	     'test sslv3 with server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
-	     'test sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
-	     'test sslv3 with both server and client authentication via BIO pair');
-	}
+          skip "SSLv3 is not supported by this OpenSSL build", 4
+              if disabled("ssl3");
+
+          skip "SSLv3 is not supported by the FIPS provider", 4
+              if $provider eq "fips";
+
+          ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
+             'test sslv3 via BIO pair');
+          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
+             'test sslv3 with server authentication via BIO pair');
+          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
+             'test sslv3 with client authentication via BIO pair');
+          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
+             'test sslv3 with both server and client authentication via BIO pair');
+        }
 
       SKIP: {
-	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
-	      if $no_anytls;
+          skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
+              if $no_anytls;
 
-	  ok(run(test([@ssltest, "-bio_pair"])),
-	     'test sslv2/sslv3 via BIO pair');
-	}
+          ok(run(test([@ssltest, "-bio_pair"])),
+             'test sslv2/sslv3 via BIO pair');
+        }
 
       SKIP: {
-	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
-	      if $no_anytls;
+          skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
+              if $no_anytls;
 
-	SKIP: {
-	    skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
+        SKIP: {
+            skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
 
-	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
-	       'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
-	  }
+            ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
+               'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
+          }
 
-	SKIP: {
-	    skip "skipping dhe1024dsa test", 1
+        SKIP: {
+            skip "skipping dhe1024dsa test", 1
                 if ($no_dh);
 
             ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
           }
 
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
-	     'test sslv2/sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
-	     'test sslv2/sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
-	     'test sslv2/sslv3 with both client and server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
-	     'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
+          ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+             'test sslv2/sslv3 with server authentication');
+          ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+             'test sslv2/sslv3 with client authentication via BIO pair');
+          ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
+             'test sslv2/sslv3 with both client and server authentication via BIO pair');
+          ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+             'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
 
         SKIP: {
             skip "No IPv4 available on this machine", 1
@@ -518,45 +518,45 @@ sub testssl {
     };
 
     subtest 'RSA/(EC)DHE/PSK tests' => sub {
-	######################################################################
+        ######################################################################
 
-	plan tests => 6;
+        plan tests => 6;
 
       SKIP: {
-	  skip "TLSv1.0 is not supported by this OpenSSL build", 6
-	      if $no_tls1 || $provider eq "fips";
+            skip "TLSv1.0 is not supported by this OpenSSL build", 6
+                if $no_tls1 || $provider eq "fips";
 
-	SKIP: {
-	    skip "skipping anonymous DH tests", 1
-	      if ($no_dh);
+        SKIP: {
+            skip "skipping anonymous DH tests", 1
+                if ($no_dh);
 
-	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
-	       'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
-	  }
+            ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
+               'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
+          }
 
-	SKIP: {
-	    skip "skipping RSA tests", 2
-		if $no_rsa;
+        SKIP: {
+            skip "skipping RSA tests", 2
+                if $no_rsa;
 
-	    ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
-	       'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
+            ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
+               'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
 
-	    skip "skipping RSA+DHE tests", 1
-		if $no_dh;
+            skip "skipping RSA+DHE tests", 1
+                if $no_dh;
 
-	    ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
-	       'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
-	  }
+            ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
+               'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
+          }
 
-	SKIP: {
-	    skip "skipping PSK tests", 3
-	        if ($no_psk);
+        SKIP: {
+            skip "skipping PSK tests", 3
+                if ($no_psk);
 
-	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
-	       'test tls1 with PSK');
+            ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
+               'test tls1 with PSK');
 
-	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
-	       'test tls1 with PSK via BIO pair');
+            ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
+               'test tls1 with PSK via BIO pair');
 
             ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
                'test auto DH meets security strength');
@@ -566,34 +566,34 @@ sub testssl {
     };
 
     subtest 'Custom Extension tests' => sub {
-	######################################################################
+        ######################################################################
 
-	plan tests => 1;
+        plan tests => 1;
 
       SKIP: {
-	  skip "TLSv1.0 is not supported by this OpenSSL build", 1
-	      if $no_tls1 || $provider eq "fips";
+          skip "TLSv1.0 is not supported by this OpenSSL build", 1
+              if $no_tls1 || $provider eq "fips";
 
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
-	     'test tls1 with custom extensions');
-	}
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
+             'test tls1 with custom extensions');
+        }
     };
 
     subtest 'Serverinfo tests' => sub {
-	######################################################################
+        ######################################################################
 
-	plan tests => 5;
+        plan tests => 5;
 
       SKIP: {
-	  skip "TLSv1.0 is not supported by this OpenSSL build", 5
-	      if $no_tls1 || $provider eq "fips";
-
-	  note('echo test tls1 with serverinfo');
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
-	}
+          skip "TLSv1.0 is not supported by this OpenSSL build", 5
+              if $no_tls1 || $provider eq "fips";
+
+          note('echo test tls1 with serverinfo');
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
+          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
+        }
     };
 }


More information about the openssl-commits mailing list