--- a/netwerk/test/unit/test_tls_server.js
+++ b/netwerk/test/unit/test_tls_server.js
@@ -15,16 +15,19 @@ const { Promise: promise } =
const certService = Cc["@mozilla.org/security/local-cert-service;1"]
.getService(Ci.nsILocalCertService);
const certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
.getService(Ci.nsICertOverrideService);
const socketTransportService =
Cc["@mozilla.org/network/socket-transport-service;1"]
.getService(Ci.nsISocketTransportService);
+const prefs = Cc["@mozilla.org/preferences-service;1"]
+ .getService(Ci.nsIPrefBranch);
+
function run_test() {
run_next_test();
}
function getCert() {
let deferred = promise.defer();
certService.getOrCreateCert("tls-test", {
handleCert: function(c, rv) {
@@ -33,17 +36,18 @@ function getCert() {
return;
}
deferred.resolve(c);
}
});
return deferred.promise;
}
-function startServer(cert, expectingPeerCert, clientCertificateConfig) {
+function startServer(cert, expectingPeerCert, clientCertificateConfig,
+ expectedVersion, expectedVersionStr) {
let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"]
.createInstance(Ci.nsITLSServerSocket);
tlsServer.init(-1, true, -1);
tlsServer.serverCert = cert;
let input, output;
let listener = {
@@ -59,18 +63,18 @@ function startServer(cert, expectingPeer
do_print("TLS handshake done");
if (expectingPeerCert) {
ok(!!status.peerCert, "Has peer cert");
ok(status.peerCert.equals(cert), "Peer cert matches expected cert");
} else {
ok(!status.peerCert, "No peer cert (as expected)");
}
- equal(status.tlsVersionUsed, Ci.nsITLSClientStatus.TLS_VERSION_1_2,
- "Using TLS 1.2");
+ equal(status.tlsVersionUsed, expectedVersion,
+ "Using " + expectedVersionStr);
equal(status.cipherName, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"Using expected cipher");
equal(status.keyLength, 128, "Using 128-bit key");
equal(status.macLength, 128, "Using 128-bit MAC");
input.asyncWait({
onInputStreamReady: function(input) {
NetUtil.asyncCopy(input, output);
@@ -116,16 +120,17 @@ function startClient(port, cert, expecti
},
onInputStreamReady: function(input) {
try {
let data = NetUtil.readInputStreamToString(input, input.available());
equal(data, "HELLO", "Echoed data received");
input.close();
output.close();
+ ok(!expectingBadCertAlert, "No bad cert alert expected");
inputDeferred.resolve();
} catch (e) {
let errorCode = -1 * (e.result & 0xFFFF);
if (expectingBadCertAlert && errorCode == SSL_ERROR_BAD_CERT_ALERT) {
inputDeferred.resolve();
} else {
inputDeferred.reject(e);
}
@@ -161,55 +166,66 @@ function startClient(port, cert, expecti
output = transport.openOutputStream(0, 0, 0);
return promise.all([inputDeferred.promise, outputDeferred.promise]);
}
// Replace the UI dialog that prompts the user to pick a client certificate.
do_load_manifest("client_cert_chooser.manifest");
-add_task(function*() {
- let cert = yield getCert();
- ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUIRE_ALWAYS);
- storeCertOverride(port, cert);
- yield startClient(port, cert, false);
-});
+const tests = [{
+ expectingPeerCert: true,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUIRE_ALWAYS,
+ sendClientCert: true,
+ expectingBadCertAlert: false
+}, {
+ expectingPeerCert: true,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUIRE_ALWAYS,
+ sendClientCert: false,
+ expectingBadCertAlert: true
+}, {
+ expectingPeerCert: true,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_ALWAYS,
+ sendClientCert: true,
+ expectingBadCertAlert: false
+}, {
+ expectingPeerCert: false,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_ALWAYS,
+ sendClientCert: false,
+ expectingBadCertAlert: false
+}, {
+ expectingPeerCert: false,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_NEVER,
+ sendClientCert: true,
+ expectingBadCertAlert: false
+}, {
+ expectingPeerCert: false,
+ clientCertificateConfig: Ci.nsITLSServerSocket.REQUEST_NEVER,
+ sendClientCert: false,
+ expectingBadCertAlert: false
+}];
-add_task(function*() {
- let cert = yield getCert();
- ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUIRE_ALWAYS);
- storeCertOverride(port, cert);
- yield startClient(port, null, true);
-});
+const versions = [{
+ prefValue: 3, version: Ci.nsITLSClientStatus.TLS_VERSION_1_2, versionStr: "TLS 1.2"
+}, {
+ prefValue: 4, version: Ci.nsITLSClientStatus.TLS_VERSION_1_3, versionStr: "TLS 1.3"
+}];
add_task(function*() {
let cert = yield getCert();
ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUEST_ALWAYS);
- storeCertOverride(port, cert);
- yield startClient(port, cert, false);
-});
-
-add_task(function*() {
- let cert = yield getCert();
- ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_ALWAYS);
- storeCertOverride(port, cert);
- yield startClient(port, null, false);
+ for (let v of versions) {
+ prefs.setIntPref("security.tls.version.max", v.prefValue);
+ for (let t of tests) {
+ let port = startServer(cert,
+ t.expectingPeerCert,
+ t.clientCertificateConfig,
+ v.version,
+ v.versionStr);
+ storeCertOverride(port, cert);
+ yield startClient(port, t.sendClientCert ? cert : null, t.expectingBadCertAlert);
+ }
+ }
});
-add_task(function*() {
- let cert = yield getCert();
- ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_NEVER);
- storeCertOverride(port, cert);
- yield startClient(port, cert, false);
+do_register_cleanup(function() {
+ prefs.clearUserPref("security.tls.version.max");
});
-
-add_task(function*() {
- let cert = yield getCert();
- ok(!!cert, "Got self-signed cert");
- let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_NEVER);
- storeCertOverride(port, cert);
- yield startClient(port, null, false);
-});