SSL tests: port CT tests, add a few more

  - server2 - the secondary context

  - invalid - an unknown context

* CTValidation - Certificate Transparency validation strategy. One of

  - None - no validation (default)

  - Permissive - SSL_CT_VALIDATION_PERMISSIVE

  - Strict - SSL_CT_VALIDATION_STRICT

#### Supported server-side options

* ServerNameCallback - the SNI switching callback to use

  test/ssl-tests/01-simple.conf

```

Some tests also need additional environment variables; for example, Certificate

Transparency tests need a `CTLOG_FILE`. See `test/recipes/80-test_ssl_new.t` for

details.

Note that the test expectations sometimes depend on the Configure settings. For

example, the negotiated protocol depends on the set of available (enabled)

protocols: a build with `enable-ssl3` has different test expectations than a

    OPENSSL_assert(SSL_CTX_set_tlsext_ticket_keys(server_ctx, ticket_keys,

                                                  ticket_key_len) == 1);

    OPENSSL_free(ticket_keys);

#ifndef OPENSSL_NO_CT

    OPENSSL_assert(SSL_CTX_set_default_ctlog_list_file(client_ctx));

    switch (extra->client.ct_validation) {

    case SSL_TEST_CT_VALIDATION_PERMISSIVE:

        OPENSSL_assert(SSL_CTX_enable_ct(client_ctx,

                                         SSL_CT_VALIDATION_PERMISSIVE));

        break;

    case SSL_TEST_CT_VALIDATION_STRICT:

        OPENSSL_assert(SSL_CTX_enable_ct(client_ctx,

                                         SSL_CT_VALIDATION_STRICT));

        break;

    case SSL_TEST_CT_VALIDATION_NONE:

        break;

    }

#endif

}

/* Configure per-SSL callbacks and other properties. */

setup("test_ssl_new");

$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");

$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

my @conf_srcs =  glob(srctop_file("test", "ssl-tests", "*.conf.in"));

map { s/;.*// } @conf_srcs if $^O eq "VMS";

# We hard-code the number of tests to double-check that the globbing above

# finds all files as expected.

plan tests => 11;  # = scalar @conf_srcs

plan tests => 12;  # = scalar @conf_srcs

# Some test results depend on the configuration of enabled protocols. We only

# verify generated sources in the default configuration.

my $no_tls = alldisabled(available_protocols("tls"));

my $no_dtls = alldisabled(available_protocols("dtls"));

my $no_npn = disabled("nextprotoneg");

my $no_ct = disabled("ct");

my %conf_dependent_tests = (

  "02-protocol-version.conf" => !$is_default_tls,

  "08-npn.conf" => $no_tls || $no_npn,

  "10-resumption.conf" => disabled("tls1_1") || disabled("tls1_2"),

  "11-dtls_resumption.conf" => disabled("dtls1") || disabled("dtls1_2"),

  "12-ct.conf" => $no_tls || $no_ct,

);

foreach my $conf (@conf_files) {

# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.

plan tests =>

    1				# For testss

    +8  			# For the first testssl

    +7  			# For the first testssl

    ;

subtest 'test_ss' => sub {

	  ok(run(test([@ssltest, "-cipher", "AES128-SHA256", "-bytes", "8m"])));

	}

    };

    subtest 'Certificate Transparency tests' => sub {

	######################################################################

	plan tests => 3;

      SKIP: {

        skip "Certificate Transparency is not supported by this OpenSSL build", 3

            if $no_ct;

        skip "TLSv1.0 is not supported by this OpenSSL build", 3

            if $no_tls1;

        $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

        my @ca = qw(-CAfile certCA.ss);

        ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-noct"])));

        # No SCTs provided, so this should fail.

        ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-ct",

                     "-should_negotiate", "fail-client"])));

        # No SCTs provided, unverified chains still succeed.

        ok(run(test([@ssltest, "-bio_pair", "-tls1", "-ct"])));

        }

    };

}

unlink $CAkey;

# Generated with generate_ssl_tests.pl

num_tests = 4

test-0 = 0-ct-permissive

test-1 = 1-ct-strict

test-2 = 2-ct-permissive-resumption

test-3 = 3-ct-strict-resumption

# ===========================================================

[0-ct-permissive]

ssl_conf = 0-ct-permissive-ssl

[0-ct-permissive-ssl]

server = 0-ct-permissive-server

client = 0-ct-permissive-client

[0-ct-permissive-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[0-ct-permissive-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-0]

ExpectedResult = Success

client = 0-ct-permissive-client-extra

[0-ct-permissive-client-extra]

CTValidation = Permissive

# ===========================================================

[1-ct-strict]

ssl_conf = 1-ct-strict-ssl

[1-ct-strict-ssl]

server = 1-ct-strict-server

client = 1-ct-strict-client

[1-ct-strict-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[1-ct-strict-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-1]

ExpectedClientAlert = HandshakeFailure

ExpectedResult = ClientFail

client = 1-ct-strict-client-extra

[1-ct-strict-client-extra]

CTValidation = Strict

# ===========================================================

[2-ct-permissive-resumption]

ssl_conf = 2-ct-permissive-resumption-ssl

[2-ct-permissive-resumption-ssl]

server = 2-ct-permissive-resumption-server

client = 2-ct-permissive-resumption-client

resume-server = 2-ct-permissive-resumption-server

resume-client = 2-ct-permissive-resumption-client

[2-ct-permissive-resumption-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[2-ct-permissive-resumption-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-2]

ExpectedResult = Success

HandshakeMode = Resume

ResumptionExpected = Yes

client = 2-ct-permissive-resumption-client-extra

resume-client = 2-ct-permissive-resumption-client-extra

[2-ct-permissive-resumption-client-extra]

CTValidation = Permissive

# ===========================================================

[3-ct-strict-resumption]

ssl_conf = 3-ct-strict-resumption-ssl

[3-ct-strict-resumption-ssl]

server = 3-ct-strict-resumption-server

client = 3-ct-strict-resumption-client

resume-server = 3-ct-strict-resumption-server

resume-client = 3-ct-strict-resumption-resume-client

[3-ct-strict-resumption-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[3-ct-strict-resumption-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[3-ct-strict-resumption-resume-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-3]

ExpectedResult = Success

HandshakeMode = Resume

ResumptionExpected = Yes

client = 3-ct-strict-resumption-client-extra

resume-client = 3-ct-strict-resumption-resume-client-extra

[3-ct-strict-resumption-client-extra]

CTValidation = Permissive

[3-ct-strict-resumption-resume-client-extra]

CTValidation = Strict