Diffstat (limited to '')
13 files changed, 235 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_faulty_server.js b/security/manager/ssl/tests/unit/test_faulty_server.js
new file mode 100644
index 0000000000..7536a91104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server.js
@@ -0,0 +1,142 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* based on netwerk/test/unit/test_retry_0rtt.js */
+
+"use strict";
+
+/* import-globals-from ../../../../../netwerk/test/unit/head_channels.js */
+load("../../../../../netwerk/test/unit/head_channels.js");
+
+var httpServer = null;
+
+let handlerCallbacks = {};
+
+function listenHandler(metadata, response) {
+ info(metadata.path);
+ handlerCallbacks[metadata.path] = (handlerCallbacks[metadata.path] || 0) + 1;
+}
+
+function handlerCount(path) {
+ return handlerCallbacks[path] || 0;
+}
+
+ChromeUtils.importESModule("resource://gre/modules/AppConstants.sys.mjs");
+
+// Bug 1805371: Tests that require FaultyServer can't currently be built
+// with system NSS.
+add_setup(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async () => {
+ do_get_profile();
+ Services.fog.initializeFOG();
+
+ httpServer = new HttpServer();
+ httpServer.registerPrefixHandler("/callback/", listenHandler);
+ httpServer.start(-1);
+
+ registerCleanupFunction(async () => {
+ await httpServer.stop();
+ });
+
+ Services.env.set(
+ "FAULTY_SERVER_CALLBACK_PORT",
+ httpServer.identity.primaryPort
+ );
+ await asyncStartTLSTestServer("FaultyServer", "test_faulty_server");
+ }
+);
+
+function makeChan(url) {
+ let chan = NetUtil.newChannel({
+ uri: url,
+ loadUsingSystemPrincipal: true,
+ }).QueryInterface(Ci.nsIHttpChannel);
+
+ chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
+ return chan;
+}
+
+function channelOpenPromise(chan, flags) {
+ return new Promise(resolve => {
+ chan.asyncOpen(
+ new ChannelListener((req, buffer) => resolve([req, buffer]), null, flags)
+ );
+ });
+}
+
+add_task(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async function testRetryXyber() {
+ const retryDomain = "xyber-net-interrupt.example.com";
+
+ Services.prefs.setBoolPref("security.tls.enable_kyber", true);
+ Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]);
+ Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+
+ // Get the number of xyber / x25519 callbacks prior to making the request
+ // ssl_grp_kem_xyber768d00 = 25497
+ // ssl_grp_ec_curve25519 = 29
+ let countOfXyber = handlerCount("/callback/25497");
+ let countOfX25519 = handlerCount("/callback/29");
+ let chan = makeChan(`https://${retryDomain}:8443`);
+ let [, buf] = await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL);
+ ok(buf);
+ // The server will make a xyber768d00 callback for the initial request, and
+ // then an x25519 callback for the retry. Both callback counts should
+ // increment by one.
+ equal(
+ handlerCount("/callback/25497"),
+ countOfXyber + 1,
+ "negotiated xyber768d00"
+ );
+ equal(handlerCount("/callback/29"), countOfX25519 + 1, "negotiated x25519");
+ if (!mozinfo.socketprocess_networking) {
+ // Bug 1824574
+ equal(
+ 1,
+ await Glean.tls.xyberIntoleranceReason.PR_END_OF_FILE_ERROR.testGetValue(),
+ "PR_END_OF_FILE_ERROR telemetry accumulated"
+ );
+ }
+ }
+);
+
+add_task(
+ {
+ skip_if: () => AppConstants.MOZ_SYSTEM_NSS,
+ },
+ async function testNoRetryXyber() {
+ const retryDomain = "xyber-alert-after-server-hello.example.com";
+
+ Services.prefs.setBoolPref("security.tls.enable_kyber", true);
+ Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]);
+ Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+
+ // Get the number of xyber / x25519 / p256 callbacks prior to making the request
+ // ssl_grp_kem_xyber768d00 = 25497
+ // ssl_grp_ec_curve25519 = 29
+ let countOfXyber = handlerCount("/callback/25497");
+ let countOfX25519 = handlerCount("/callback/29");
+ let chan = makeChan(`https://${retryDomain}:8443`);
+ let [req] = await channelOpenPromise(chan, CL_EXPECT_FAILURE);
+ equal(req.status, 0x805a2f4d); // psm::GetXPCOMFromNSSError(SSL_ERROR_HANDSHAKE_FAILED)
+ // The server will make a xyber768d00 callback for the initial request and
+ // the client should not retry.
+ equal(
+ handlerCount("/callback/25497"),
+ countOfXyber + 1,
+ "negotiated xyber768d00"
+ );
+ equal(
+ handlerCount("/callback/29"),
+ countOfX25519,
+ "did not negotiate x25519"
+ );
+ }
+);
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
new file mode 100644
index 0000000000..9d3b41a1bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
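Review bot: In testRetryXyber (test_faulty_server.js) the telemetry check compares the `xyberIntoleranceReason.PR_END_OF_FILE_ERROR` counter with the absolute value 1, while the callback checks just above it compare against a count taken before the request. An absolute value makes the assertion depend on nothing else in the process having recorded that label, and the expected value is passed first here whereas the other `equal` calls pass the actual value first. Reading the counter before the request, `let eofBefore = (await Glean.tls.xyberIntoleranceReason.PR_END_OF_FILE_ERROR.testGetValue()) ?? 0;`, and asserting `eofBefore + 1` afterwards would match the pattern already used for the callbacks. testNoRetryXyber could assert that the same counter is unchanged, so the no-fallback case is pinned by telemetry as well as by the callback counts; whether that path is expected to record nothing is not visible in this diff.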
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMjCCARqgAwIBAgIUddkSg4Xa4Tq2i+Q1Ebvjh6EWuAkwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy
+MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs
+dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs
+BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj
+MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j
+b20wDQYJKoZIhvcNAQELBQADggEBAKhgmF34y6L3lvO2tL56geQBnUeY0L/buzAt
+tyW+0KqDDFjMrPkF1uKUH4d59xF7mq57KgMNPNyB0kSnlvu09nZP0yD6BQ67biVa
+YEyLuaJIfa9Ym51Yjx3GqLIRKiiZ9sAPLalIpguh3yvfEfWwCV6HxHWJv6PJ1zVt
+l/89i5J8B+rzRjXluiK+lPiUeRnp2RfXvst1u8KtNh1hbabjAkeox4EXbAqxFTJK
+bzp9IwqlNxlKK93WyeF3wCndEn2nFYwSOR8tBZFcTtv9Z8F8Xu2gF5C0GYTfy6iX
+Y/N5gkxDUGTn+LtG+VyTNNqmS0bXFFuPbuE0mt9OiAydFKpkgJU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
new file mode 100644
index 0000000000..5d471da110
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
new file mode 100644
index 0000000000..fdb59ed65a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFjCB/6ADAgECAhR/GplP7a+yU4EAPSMvru2gC2X6uTANBgkqhkiG9w0BAQsF
+ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIy
+MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t
+ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL
+Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw
+FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAmHFKAXfd
+4vHVJJ7LBHTp4BGpfNQTQXy7sSTOExJi+2WGqtbAubZUQv71WWXqKf7IBpcxzXBy
+D18Hb8aN0wDDVVodQ7eZJ0XPOitfkZeHQHSwhCwinT46030oGffk/m7nRpi/eS/T
+7mvFLaYiKRXssP6FxBHCyYd8DLQ0RPTbigyDdrYkqh7dS8Ei06bCJukUrWbACHvW
+ONUNiY44VaVK/BBZQHn/nqzgNeYZEd7xhJA2yVboP2xZY5E7426V6dUzfU2zqxld
+TNpIDzWmQUUGi080YiYIY24rvjx0Sj7+X2xAYQNXgR16VGpxvi4RcEpzXXafX5e+
+BWRSWF7XdM9k5Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
new file mode 100644
index 0000000000..68eb6b0202
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:no-san-ee
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
new file mode 100644
index 0000000000..d90875fdc8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUTz5eaR08Vrv3WMdQyfUb6nPdzWIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEAVTes4P52u8R5tF6eEN4IO7sT8YjihE63JQ+VDaV9m/KFA1fuBlDH
+4N3LWXK9ilZLQQFl+z+QPYA74dNmzvZPWjsUv0nVLkkV5KPoN1SJV0bZeh8+as4r
+Yy6N4wZf43XN0xDYJpPB1TX7UQV/MEumy3HXXFzOyXUBR2bdNspfe6ok70eLOggf
+vTT3x8usO1rocX7bYf9eqgID85dDYq/VAJXg6HcEsZJ+w4F7w3BI9K/w2TPu0nAt
+TElnzEMcBW235zRXRFV+Z06fUL8mJfzH2IU56CHG7AkCblw5ZqzMtfsjjxRSpzTC
+fJC0xufCzKoee4K74JZmgkreL1kqxpfesg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
new file mode 100644
index 0000000000..bcbf751bb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
new file mode 100644
index 0000000000..c25d6cf85d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUUTRjZwJOxeTcJu+hEU5Nslh/bfIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw
+MFoYDzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAFagmFEAlfPNh0dcr8ZP8we4hEpzkLiCkn/bn4+D
+aEZps/yPkQ5R+tRLucwVwVKHdaubp3M8TFSWzCD2DRpQxDLbvdY2+jZyXce/fG8x
+ar7p/x+NVKeMfbKq/Dqb4v1mg7PERpnIbrzaQco2CkCcoptAcWxMqSSlZwPTqNpH
+b7J1fnjasPXS75rSmkNhbXi9AIjIH5qpOmaxOHpMI7IhFbCS01lQZa+w4JHOwKPt
+6Omx7pyy1K1vbjOrlF6oX+q625mJA1YXxipkFPM+WVby97fIEnr3HBipY/f+p3UN
+toiFaLPMe4yTHVcHxYqroFfLebh6YF17tifc4UnQUBTnk2k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
new file mode 100644
index 0000000000..5be535c81d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign |