Diffstat (limited to 'netwerk/test/unit/test_httpssvc_retry_without_ech.js')
-rw-r--r-- | netwerk/test/unit/test_httpssvc_retry_without_ech.js | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/netwerk/test/unit/test_httpssvc_retry_without_ech.js b/netwerk/test/unit/test_httpssvc_retry_without_ech.js
new file mode 100644
index 0000000000..8502ef492a
--- /dev/null
+++ b/netwerk/test/unit/test_httpssvc_retry_without_ech.js
@@ -0,0 +1,138 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+let trrServer;
+
+const certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+].getService(Ci.nsICertOverrideService);
+
+add_setup(async function setup() {
+ trr_test_setup();
+
+ Services.prefs.setIntPref("network.trr.mode", Ci.nsIDNSService.MODE_TRRFIRST);
+ Services.prefs.setBoolPref("network.dns.upgrade_with_https_rr", true);
+ Services.prefs.setBoolPref("network.dns.use_https_rr_as_altsvc", true);
+ Services.prefs.setBoolPref("network.dns.echconfig.enabled", true);
+
+ // An arbitrary, non-ECH server.
+ await asyncStartTLSTestServer(
+ "DelegatedCredentialsServer",
+ "../../../security/manager/ssl/tests/unit/test_delegated_credentials"
+ );
+
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ await nssComponent.asyncClearSSLExternalAndInternalSessionCache();
+});
+
+registerCleanupFunction(async () => {
+ trr_clear_prefs();
+ Services.prefs.clearUserPref("network.dns.upgrade_with_https_rr");
+ Services.prefs.clearUserPref("network.dns.use_https_rr_as_altsvc");
+ Services.prefs.clearUserPref("network.dns.echconfig.enabled");
+ Services.prefs.clearUserPref(
+ "network.dns.echconfig.fallback_to_origin_when_all_failed"
+ );
+ if (trrServer) {
+ await trrServer.stop();
+ }
+});
+
+function makeChan(url) {
+ let chan = NetUtil.newChannel({
+ uri: url,
+ loadUsingSystemPrincipal: true,
+ contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
+ }).QueryInterface(Ci.nsIHttpChannel);
+ return chan;
+}
+
+function channelOpenPromise(chan, flags) {
+ return new Promise(resolve => {
+ function finish(req, buffer) {
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ false
+ );
+ resolve([req, buffer]);
+ }
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ false
+ );
+ let internal = chan.QueryInterface(Ci.nsIHttpChannelInternal);
+ internal.setWaitForHTTPSSVCRecord();
+ chan.asyncOpen(new ChannelListener(finish, null, flags));
+ });
+}
+
+add_task(async function testRetryWithoutECH() {
+ const ECH_CONFIG_FIXED =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+ trrServer = new TRRServer();
+ await trrServer.start();
+
+ Services.prefs.setIntPref("network.trr.mode", 3);
+ Services.prefs.setCharPref(
+ "network.trr.uri",
+ `https://foo.example.com:${trrServer.port}/dns-query`
+ );
+ Services.prefs.setBoolPref(
+ "network.dns.echconfig.fallback_to_origin_when_all_failed",
+ true
+ );
+
+ // Only the last record is valid to use.
+ await trrServer.registerDoHAnswers(
+ "delegated-disabled.example.com",
+ "HTTPS",
+ {
+ answers: [
+ {
+ name: "delegated-disabled.example.com",
+ ttl: 55,
+ type: "HTTPS",
+ flush: false,
+ data: {
+ priority: 1,
+ name: "delegated-disabled.example.com",
+ values: [
+ {
+ key: "echconfig",
+ value: ECH_CONFIG_FIXED,
+ needBase64Decode: true,
+ },
+ ],
+ },
+ },
+ ],
+ }
+ );
+
+ await trrServer.registerDoHAnswers("delegated-disabled.example.com", "A", {
+ answers: [
+ {
+ name: "delegated-disabled.example.com",
+ ttl: 55,
+ type: "A",
+ flush: false,
+ data: "127.0.0.1",
+ },
+ ],
+ });
+
+ await new TRRDNSListener("delegated-disabled.example.com", {
+ type: Ci.nsIDNSService.RESOLVE_TYPE_HTTPSSVC,
+ });
+
+ let chan = makeChan(`https://delegated-disabled.example.com:8443`);
+ await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL);
+ let securityInfo = chan.securityInfo;
+
+ Assert.ok(
+ !securityInfo.isAcceptedEch,
+ "This host should not have accepted ECH"
+ );
+ await trrServer.stop();
+}); |
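Review bot: In channelOpenPromise the call made just before chan.asyncOpen passes `false` to setDisableAllSecurityChecksAndLetAttackersInterceptMyData, which is the same value finish() restores afterwards, so the override is never enabled during the request and the reset in finish() is a no-op; if the test relies on the override to accept the test server's certificate the first call presumably should be `true`, and if it does not, both calls are dead code and should be removed so the intent is clear. Separately, testRetryWithoutECH sets `"network.trr.mode"` to the bare literal `3` while setup() uses a named constant for the same pref; `Ci.nsIDNSService.MODE_TRRONLY` would keep the two consistent and self-describing. The task's closing `await trrServer.stop()` is not in a try/finally, so a failed assertion skips it and leaves teardown to the cleanup function, which on the passing path then calls stop() a second time because trrServer is never cleared; assigning `trrServer = null;` after the stop, or moving the stop into a finally block, would make the shutdown path unambiguous.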