Remove proxy tests. Add verify callback tests.

* Protocol - expected negotiated protocol. One of

  SSLv3, TLSv1, TLSv1.1, TLSv1.2.

* ClientVerifyCallback - the client's custom certificate verify callback.

  Used to test callback behaviour. One of

  - AcceptAll - accepts all certificates.

  - RejectAll - rejects all certificates.

## Configuring the client and server

The client and server configurations can be any valid `SSL_CTX`

#include <string.h>

#include <openssl/bio.h>

#include <openssl/x509_vfy.h>

#include <openssl/ssl.h>

#include "handshake_helper.h"

    }

}

static int verify_reject_callback(X509_STORE_CTX *ctx, void *arg) {

    X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);

    return 0;

}

static int verify_accept_callback(X509_STORE_CTX *ctx, void *arg) {

    return 1;

}

/*

 * Configure callbacks and other properties that can't be set directly

 * in the server/client CONF.

 */

static void configure_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,

                                const SSL_TEST_CTX *test_ctx)

{

    switch (test_ctx->client_verify_callback) {

    case SSL_TEST_VERIFY_ACCEPT_ALL:

        SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_callback,

                                         NULL);

        break;

    case SSL_TEST_VERIFY_REJECT_ALL:

        SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_callback,

                                         NULL);

        break;

    default:

        break;

    }

}

typedef enum {

    PEER_SUCCESS,

    PEER_RETRY,

    return INTERNAL_ERROR;

}

HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx)

HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,

                              const SSL_TEST_CTX *test_ctx)

{

    SSL *server, *client;

    BIO *client_to_server, *server_to_client;

    peer_status_t client_status = PEER_RETRY, server_status = PEER_RETRY;

    handshake_status_t status = HANDSHAKE_RETRY;

    configure_handshake(server_ctx, client_ctx, test_ctx);

    server = SSL_new(server_ctx);

    client = SSL_new(client_ctx);

    OPENSSL_assert(server != NULL && client != NULL);

} HANDSHAKE_RESULT;

/* Do a handshake and report some information about the result. */

HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx);

HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,

                              const SSL_TEST_CTX *test_ctx);

#endif  /* HEADER_HANDSHAKE_HELPER_H */

$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");

my @conf_srcs =  glob(srctop_file("test", "ssl-tests", "*.conf"));

my @conf_srcs =  glob(srctop_file("test", "ssl-tests", "*.conf.in"));

my @conf_files = map { basename($_) } @conf_srcs;

map { s/\.in// } @conf_files;

# 02-protocol-version.conf test results depend on the configuration of enabled

# protocols. We only verify generated sources in the default configuration.

# We hard-code the number of tests to double-check that the globbing above

# finds all files as expected.

plan tests => 2;  # = scalar @conf_files

plan tests => 3;  # = scalar @conf_srcs

sub test_conf {

    plan tests => 3;

plan tests =>

    1				# For testss

    + 14			# For the first testssl

    + 16			# For the first testsslproxy

    + 16			# For the second testsslproxy

    ;

subtest 'test_ss' => sub {

note('test_ssl -- key U');

testssl("keyU.ss", $Ucert, $CAcert);

note('test_ssl -- key P1');

testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB");

note('test_ssl -- key P2');

testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC");

# -----------

# subtest functions

sub testss {

        }

    };

}

sub testsslproxy {

    my $key = shift || srctop_file("apps","server.pem");

    my $cert = shift || srctop_file("apps","server.pem");

    my $CAtmp = shift;

    my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));

    my @extra = @_;

    my @ssltest = ("ssltest_old",

		   "-s_key", $key, "-s_cert", $cert,

		   "-c_key", $key, "-c_cert", $cert);

    # plan tests => 16;

    note('Testing a lot of proxy conditions.');

    # We happen to know that certP1.ss has policy letters "AB" and

    # certP2.ss has policy letters "BC".  However, because certP2.ss

    # has certP1.ss as issuer, when it's used, both their policy

    # letters get combined into just "B".

    # The policy letter(s) then get filtered with the given auth letter

    # in the table below, and the result gets tested with the given

    # condition.  For details, read ssltest_old.c

    #

    # certfilename => [ [ auth, cond, expected result ] ... ]

    my %expected = ( "certP1.ss" => [ [ [ 'A',  'A'      ], 1 ],

                                      [ [ 'A',  'B'      ], 0 ],

                                      [ [ 'A',  'C'      ], 0 ],

                                      [ [ 'A',  'A|B&!C' ], 1 ],

                                      [ [ 'B',  'A'      ], 0 ],

                                      [ [ 'B',  'B'      ], 1 ],

                                      [ [ 'B',  'C'      ], 0 ],

                                      [ [ 'B',  'A|B&!C' ], 1 ],

                                      [ [ 'C',  'A'      ], 0 ],

                                      [ [ 'C',  'B'      ], 0 ],

                                      [ [ 'C',  'C'      ], 0 ],

                                      [ [ 'C',  'A|B&!C' ], 0 ],

                                      [ [ 'BC', 'A'      ], 0 ],

                                      [ [ 'BC', 'B'      ], 1 ],

                                      [ [ 'BC', 'C'      ], 0 ],

                                      [ [ 'BC', 'A|B&!C' ], 1 ] ],

                     "certP2.ss" => [ [ [ 'A',  'A'      ], 0 ],

                                      [ [ 'A',  'B'      ], 0 ],

                                      [ [ 'A',  'C'      ], 0 ],

                                      [ [ 'A',  'A|B&!C' ], 0 ],

                                      [ [ 'B',  'A'      ], 0 ],

                                      [ [ 'B',  'B'      ], 1 ],

                                      [ [ 'B',  'C'      ], 0 ],

                                      [ [ 'B',  'A|B&!C' ], 1 ],

                                      [ [ 'C',  'A'      ], 0 ],

                                      [ [ 'C',  'B'      ], 0 ],

                                      [ [ 'C',  'C'      ], 0 ],

                                      [ [ 'C',  'A|B&!C' ], 0 ],

                                      [ [ 'BC', 'A'      ], 0 ],

                                      [ [ 'BC', 'B'      ], 1 ],

                                      [ [ 'BC', 'C'      ], 0 ],

                                      [ [ 'BC', 'A|B&!C' ], 1 ] ] );

  SKIP: {

      skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", scalar(@{$expected{$cert}})

	  if $no_anytls;

      foreach (@{$expected{$cert}}) {

	  my $auth = $_->[0]->[0];

	  my $cond = $_->[0]->[1];

	  my $res  = $_->[1];

	  is(run(test([@ssltest, "-server_auth", @CA,

		       "-proxy", "-proxy_auth", $auth,

		       "-proxy_cond", $cond])), $res,

	     "test tlsv1, server auth, proxy auth $auth and cond $cond (expect "

	     .($res ? "success" : "failure").")");

      }

    }

}