summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/test_encrypted_client_hello.js')
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello.js101
1 files changed, 101 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
new file mode 100644
index 0000000000..945a9ea83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of Encrypted Client Hello. These ECHConfigs
+// can be regenerated by running EncryptedClientHelloServer
+// and dumping the output of SSL_EncodeEchConfig. They do not
+// expire. An update here is only needed if the host or ECH
+// ciphersuite configuration changes, or if the keypair in
+// EncryptedClientHelloServer.cpp is modified.
+
+// Public name: ech-public.example.com
+const ECH_CONFIG_FIXED =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host.
+const ECH_CONFIG_TRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host.
+const ECH_CONFIG_UNTRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
+
+function shouldBeAcceptedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isAcceptedEch,
+ "This host should have accepted ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+function shouldBeRejectedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isAcceptedEch,
+ "This host should have rejected ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "EncryptedClientHelloServer",
+ "test_encrypted_client_hello"
+);
+
+// Connect directly without ECH first
+add_connection_test(
+ "ech-public.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeRejectedEch
+);
+
+// Connect with ECH
+add_connection_test(
+ "ech-private.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeAcceptedEch,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
+
+// Trigger retry_configs by setting an ECHConfig with a different.
+// AEAD than the server supports.
+add_connection_test(
+ "ech-private.example.com",
+ SSL_ERROR_ECH_RETRY_WITH_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_TRUSTED_RETRY
+);
+
+// Trigger retry_configs, but from a host that is untrusted
+// (due to a self-signed certificate for the public name).
+// Retry_configs must not be used or reported as available.
+add_connection_test(
+ "ech-private.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_UNTRUSTED_RETRY
+);
+
+// A client-only (retry_without_ech) test is located in
+// test_encrypted_client_hello_client_only.js We can't easily restart
+// a different server (one without ECHConfigs) here, so put that
+// test in a different file that launches a non-ECH server.