From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 netwerk/test/unit/test_tls_server.js | 314 +++++++++++++++++++++++++++++++++++
 1 file changed, 314 insertions(+)
 create mode 100644 netwerk/test/unit/test_tls_server.js

(limited to 'netwerk/test/unit/test_tls_server.js')

diff --git a/netwerk/test/unit/test_tls_server.js b/netwerk/test/unit/test_tls_server.js
new file mode 100644
index 0000000000..5183f21fd7
--- /dev/null
+++ b/netwerk/test/unit/test_tls_server.js
@@ -0,0 +1,314 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Need profile dir to store the key / cert
+do_get_profile();
+// Ensure PSM is initialized
+Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+const certOverrideService = Cc[
+  "@mozilla.org/security/certoverride;1"
+].getService(Ci.nsICertOverrideService);
+const socketTransportService = Cc[
+  "@mozilla.org/network/socket-transport-service;1"
+].getService(Ci.nsISocketTransportService);
+
+const prefs = Services.prefs;
+
+function areCertsEqual(certA, certB) {
+  let derA = certA.getRawDER();
+  let derB = certB.getRawDER();
+  if (derA.length != derB.length) {
+    return false;
+  }
+  for (let i = 0; i < derA.length; i++) {
+    if (derA[i] != derB[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function startServer(
+  cert,
+  expectingPeerCert,
+  clientCertificateConfig,
+  expectedVersion,
+  expectedVersionStr
+) {
+  let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance(
+    Ci.nsITLSServerSocket
+  );
+  tlsServer.init(-1, true, -1);
+  tlsServer.serverCert = cert;
+
+  let input, output;
+
+  let listener = {
+    onSocketAccepted(socket, transport) {
+      info("Accept TLS client connection");
+      let connectionInfo = transport.securityCallbacks.getInterface(
+        Ci.nsITLSServerConnectionInfo
+      );
+      connectionInfo.setSecurityObserver(listener);
+      input = transport.openInputStream(0, 0, 0);
+      output = transport.openOutputStream(0, 0, 0);
+    },
+    onHandshakeDone(socket, status) {
+      info("TLS handshake done");
+      if (expectingPeerCert) {
+        ok(!!status.peerCert, "Has peer cert");
+        ok(
+          areCertsEqual(status.peerCert, cert),
+          "Peer cert matches expected cert"
+        );
+      } else {
+        ok(!status.peerCert, "No peer cert (as expected)");
+      }
+
+      equal(
+        status.tlsVersionUsed,
+        expectedVersion,
+        "Using " + expectedVersionStr
+      );
+      let expectedCipher;
+      if (expectedVersion >= 772) {
+        expectedCipher = "TLS_AES_128_GCM_SHA256";
+      } else {
+        expectedCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+      }
+      equal(status.cipherName, expectedCipher, "Using expected cipher");
+      equal(status.keyLength, 128, "Using 128-bit key");
+      equal(status.macLength, 128, "Using 128-bit MAC");
+
+      input.asyncWait(
+        {
+          onInputStreamReady(input1) {
+            NetUtil.asyncCopy(input1, output);
+          },
+        },
+        0,
+        0,
+        Services.tm.currentThread
+      );
+    },
+    onStopListening() {
+      info("onStopListening");
+      input.close();
+      output.close();
+    },
+  };
+
+  tlsServer.setSessionTickets(false);
+  tlsServer.setRequestClientCertificate(clientCertificateConfig);
+
+  tlsServer.asyncListen(listener);
+
+  return tlsServer;
+}
+
+function storeCertOverride(port, cert) {
+  certOverrideService.rememberValidityOverride(
+    "127.0.0.1",
+    port,
+    {},
+    cert,
+    true
+  );
+}
+
+function startClient(port, sendClientCert, expectingAlert, tlsVersion) {
+  gClientAuthDialogService.selectCertificate = sendClientCert;
+  let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+  let SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
+  let SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT = SSL_ERROR_BASE + 181;
+  let transport = socketTransportService.createTransport(
+    ["ssl"],
+    "127.0.0.1",
+    port,
+    null,
+    null
+  );
+  let input;
+  let output;
+
+  let inputDeferred = Promise.withResolvers();
+  let outputDeferred = Promise.withResolvers();
+
+  let handler = {
+    onTransportStatus(transport1, status) {
+      if (status === Ci.nsISocketTransport.STATUS_CONNECTED_TO) {
+        output.asyncWait(handler, 0, 0, Services.tm.currentThread);
+      }
+    },
+
+    onInputStreamReady(input1) {
+      try {
+        let data = NetUtil.readInputStreamToString(input1, input1.available());
+        equal(data, "HELLO", "Echoed data received");
+        input1.close();
+        output.close();
+        ok(!expectingAlert, "No cert alert expected");
+        inputDeferred.resolve();
+      } catch (e) {
+        let errorCode = -1 * (e.result & 0xffff);
+        if (expectingAlert) {
+          if (
+            tlsVersion == Ci.nsITLSClientStatus.TLS_VERSION_1_2 &&
+            errorCode == SSL_ERROR_BAD_CERT_ALERT
+          ) {
+            info("Got bad cert alert as expected for tls 1.2");
+            input1.close();
+            output.close();
+            inputDeferred.resolve();
+            return;
+          }
+          if (
+            tlsVersion == Ci.nsITLSClientStatus.TLS_VERSION_1_3 &&
+            errorCode == SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT
+          ) {
+            info("Got cert required alert as expected for tls 1.3");
+            input1.close();
+            output.close();
+            inputDeferred.resolve();
+            return;
+          }
+        }
+        inputDeferred.reject(e);
+      }
+    },
+
+    onOutputStreamReady(output1) {
+      try {
+        output1.write("HELLO", 5);
+        info("Output to server written");
+        outputDeferred.resolve();
+        input = transport.openInputStream(0, 0, 0);
+        input.asyncWait(handler, 0, 0, Services.tm.currentThread);
+      } catch (e) {
+        let errorCode = -1 * (e.result & 0xffff);
+        if (errorCode == SSL_ERROR_BAD_CERT_ALERT) {
+          info("Server doesn't like client cert");
+        }
+        outputDeferred.reject(e);
+      }
+    },
+  };
+
+  transport.setEventSink(handler, Services.tm.currentThread);
+  output = transport.openOutputStream(0, 0, 0);
+
+  return Promise.all([inputDeferred.promise, outputDeferred.promise]);
+}
+
+// Replace the UI dialog that prompts the user to pick a client certificate.
+const gClientAuthDialogService = {
+  _selectCertificate: false,
+
+  set selectCertificate(value) {
+    this._selectCertificate = value;
+  },
+
+  chooseCertificate(hostname, certArray, loadContext, callback) {
+    if (this._selectCertificate) {
+      callback.certificateChosen(certArray[0], false);
+    } else {
+      callback.certificateChose(null, false);
+    }
+  },
+
+  QueryInterface: ChromeUtils.generateQI([Ci.nsIClientAuthDialogService]),
+};
+
+const ClientAuthDialogServiceContractID =
+  "@mozilla.org/security/ClientAuthDialogService;1";
+MockRegistrar.register(
+  ClientAuthDialogServiceContractID,
+  gClientAuthDialogService
+);
+
+const tests = [
+  {
+    expectingPeerCert: true,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUIRE_ALWAYS,
+    sendClientCert: true,
+    expectingAlert: false,
+  },
+  {
+    expectingPeerCert: true,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUIRE_ALWAYS,
+    sendClientCert: false,
+    expectingAlert: true,
+  },
+  {
+    expectingPeerCert: true,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_ALWAYS,
+    sendClientCert: true,
+    expectingAlert: false,
+  },
+  {
+    expectingPeerCert: false,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_ALWAYS,
+    sendClientCert: false,
+    expectingAlert: false,
+  },
+  {
+    expectingPeerCert: false,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_NEVER,
+    sendClientCert: true,
+    expectingAlert: false,
+  },
+  {
+    expectingPeerCert: false,
+    clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_NEVER,
+    sendClientCert: false,
+    expectingAlert: false,
+  },
+];
+
+const versions = [
+  {
+    prefValue: 3,
+    version: Ci.nsITLSClientStatus.TLS_VERSION_1_2,
+    versionStr: "TLS 1.2",
+  },
+  {
+    prefValue: 4,
+    version: Ci.nsITLSClientStatus.TLS_VERSION_1_3,
+    versionStr: "TLS 1.3",
+  },
+];
+
+add_task(async function () {
+  let cert = getTestServerCertificate();
+  ok(!!cert, "Got self-signed cert");
+  for (let v of versions) {
+    prefs.setIntPref("security.tls.version.max", v.prefValue);
+    for (let t of tests) {
+      let server = startServer(
+        cert,
+        t.expectingPeerCert,
+        t.clientCertificateConfig,
+        v.version,
+        v.versionStr
+      );
+      storeCertOverride(server.port, cert);
+      await startClient(
+        server.port,
+        t.sendClientCert,
+        t.expectingAlert,
+        v.version
+      );
+      server.close();
+    }
+  }
+});
+
+registerCleanupFunction(function () {
+  prefs.clearUserPref("security.tls.version.max");
+});
-- 
cgit v1.2.3