Backed out changeset b9a80242b74c (bug 1754746) for causing xpc failures in security/manager/ssl/tests/unit/test_ev_certs.js

netwerk/protocol/http/nsHttpTransaction.cpp

@@ -759,7 +759,6 @@ nsresult nsHttpTransaction::ReadSegments(nsAHttpSegmentReader* reader,
 
   if (m0RTTInProgress && (mEarlyDataDisposition == EARLY_NONE) &&
       NS_SUCCEEDED(rv) && (*countRead > 0)) {
-    LOG(("mEarlyDataDisposition = EARLY_SENT"));
     mEarlyDataDisposition = EARLY_SENT;
   }
 
@@ -2953,7 +2952,6 @@ void nsHttpTransaction::GetNetworkAddresses(NetAddr& self, NetAddr& peer,
 }
 
 bool nsHttpTransaction::Do0RTT() {
-  LOG(("nsHttpTransaction::Do0RTT"));
   mEarlyDataWasAvailable = true;
   if (mRequestHead->IsSafeMethod() && !mDoNotTryEarlyData &&
       (!mConnection || !mConnection->IsProxyConnectInProgress())) {

netwerk/test/unit/test_retry_0rtt.js

@@ -1,110 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
-var httpServer = null;
-
-let handlerCallbacks = {};
-
-function listenHandler(metadata, response) {
-  info(metadata.path);
-  handlerCallbacks[metadata.path] = (handlerCallbacks[metadata.path] || 0) + 1;
-}
-
-function handlerCount(path) {
-  return handlerCallbacks[path] || 0;
-}
-
-function setup() {
-  httpServer = new HttpServer();
-  httpServer.registerPrefixHandler("/callback/", listenHandler);
-  httpServer.start(-1);
-
-  registerCleanupFunction(async () => {
-    await httpServer.stop();
-  });
-
-  let envSvc = Cc["@mozilla.org/process/environment;1"].getService(
-    Ci.nsIEnvironment
-  );
-  envSvc.set("FAULTY_SERVER_CALLBACK_PORT", httpServer.identity.primaryPort);
-  envSvc.set("MOZ_TLS_SERVER_0RTT", "1");
-  add_tls_server_setup(
-    "FaultyServer",
-    "../../../security/manager/ssl/tests/unit/test_faulty_server"
-  );
-
-  let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
-  nssComponent.clearSSLExternalAndInternalSessionCache();
-}
-
-setup();
-
-async function sleep(time) {
-  return new Promise(resolve => {
-    do_timeout(time * 1000, resolve);
-  });
-}
-
-function makeChan(url) {
-  let chan = NetUtil.newChannel({
-    uri: url,
-    loadUsingSystemPrincipal: true,
-  }).QueryInterface(Ci.nsIHttpChannel);
-
-  chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
-  return chan;
-}
-
-function channelOpenPromise(chan, flags) {
-  return new Promise(resolve => {
-    chan.asyncOpen(
-      new ChannelListener((req, buffer) => resolve([req, buffer]), null, flags)
-    );
-  });
-}
-
-add_task(async function testRetry0Rtt() {
-  var retryDomains = [
-    "0rtt-alert-bad-mac.example.com",
-    "0rtt-alert-protocol-version.example.com",
-    //"0rtt-alert-unexpected.example.com", // TODO(bug 1753204): uncomment this
-  ];
-
-  Services.prefs.setCharPref("network.dns.localDomains", retryDomains);
-
-  Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);
-
-  for (var i = 0; i < retryDomains.length; i++) {
-    {
-      let countOfEarlyData = handlerCount("/callback/1");
-      let chan = makeChan(`https://${retryDomains[i]}:8443`);
-      let [, buf] = await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL);
-      ok(buf);
-      equal(
-        handlerCount("/callback/1"),
-        countOfEarlyData,
-        "no early data sent"
-      );
-    }
-
-    // The server has an anti-replay mechanism that prohibits it from
-    // accepting 0-RTT connections immediately at startup.
-    await sleep(1);
-
-    {
-      let countOfEarlyData = handlerCount("/callback/1");
-      let chan = makeChan(`https://${retryDomains[i]}:8443`);
-      let [, buf] = await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL);
-      ok(buf);
-      equal(
-        handlerCount("/callback/1"),
-        countOfEarlyData + 1,
-        "got early data"
-      );
-    }
-  }
-});

netwerk/test/unit/xpcshell.ini

@@ -631,10 +631,6 @@ skip-if =
 run-sequentially = node server exceptions dont replay well
 [test_http_408_retry.js]
 [test_brotli_decoding.js]
-[test_retry_0rtt.js]
-skip-if =
-  verify && (os == 'android')
-run-sequentially = tlsserver uses fixed port
 [test_http2-proxy-failing.js]
 run-sequentially = node server exceptions dont replay well
 [test_tls13_disabled.js]

python/mozbuild/mozbuild/action/test_archive.py

@@ -35,7 +35,6 @@ TEST_HARNESS_BINS = [
     "BadCertAndPinningServer",
     "DelegatedCredentialsServer",
     "EncryptedClientHelloServer",
-    "FaultyServer",
     "GenerateOCSPResponse",
     "OCSPStaplingServer",
     "SanctionsTestServer",

python/mozbuild/mozbuild/artifacts.py

@@ -116,7 +116,6 @@ class ArtifactJob(object):
         ("bin/BadCertAndPinningServer", ("bin", "bin")),
         ("bin/DelegatedCredentialsServer", ("bin", "bin")),
         ("bin/EncryptedClientHelloServer", ("bin", "bin")),
-        ("bin/FaultyServer", ("bin", "bin")),
         ("bin/GenerateOCSPResponse", ("bin", "bin")),
         ("bin/OCSPStaplingServer", ("bin", "bin")),
         ("bin/SanctionsTestServer", ("bin", "bin")),
@@ -716,7 +715,6 @@ class WinArtifactJob(ArtifactJob):
         ("bin/BadCertAndPinningServer.exe", ("bin", "bin")),
         ("bin/DelegatedCredentialsServer.exe", ("bin", "bin")),
         ("bin/EncryptedClientHelloServer.exe", ("bin", "bin")),
-        ("bin/FaultyServer.exe", ("bin", "bin")),
         ("bin/GenerateOCSPResponse.exe", ("bin", "bin")),
         ("bin/OCSPStaplingServer.exe", ("bin", "bin")),
         ("bin/SanctionsTestServer.exe", ("bin", "bin")),

security/manager/ssl/tests/unit/test_faulty_server/default-ee.key

@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
-1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
-9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
------END EC PRIVATE KEY-----

security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec

@@ -1 +0,0 @@
-secp256r1

security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICMjCCARqgAwIBAgIUDxOfZDiqdzi5M04XzWduZmEKIwswDQYJKoZIhvcNAQEL
-BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy
-MDExMjcwMDAwMDBaGA8yMDIzMDIwNTAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs
-dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs
-BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj
-MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j
-b20wDQYJKoZIhvcNAQELBQADggEBAGI5gBOoRJy7VLdTljZM4MoHWszpTKalezwA
-/YhPwNqz667sw2vJ0SmciRKr4wywu9Zx/5zpCBYyXg2z3pVLyuitneqiRZF6mUTV
-QC1pcwEERiXIhB/IwhO5ImwkTjrhiBupEdOsbvo2scJy3ea3B48IGxk093Lv6et8
-tV7Cm5dm4ITk4RwOGtQNLZuv6zER9L19E7Qd3+opUdkqmHLWc2dMF2l8V3rCgqlZ
-cygRf5Lbc1nG65/gaMw6e/G2yFDg98rfvOMmBcxKT7C49by1UdclnkfE0G/ffjzQ
-cwsKddToDvm22PHhEQtF1gKYrjTvMD+k10GZJpIiOGTqPyfqZ5w=
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec

@@ -1,5 +0,0 @@
-issuer:faulty-server-intermediate
-subjectKey:secp256r1
-subject:default-ee
-extension:extKeyUsage:serverAuth
-extension:subjectAlternativeName:*.example.com

security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICFjCB/6ADAgECAhR9EeL2lBaHxdyv+c3QX252JxsPqjANBgkqhkiG9w0BAQsF
-ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIw
-MTEyNzAwMDAwMFoYDzIwMjMwMjA1MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t
-ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL
-Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw
-FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAOwk2PEkm
-uwCI9BISODXONWwwYmpfNbGQ+FgKvaQMxUrXdV+drdqppAg13I5FvG6DCm+s+6Sz
-+a06WzX4g3MsbPC3XlZDsLY3XZrWsp/tR/0ACRQjSjTI71ICYjz0/vrtVLyyoawR
-C+S74wTIIGNNJs9Dc2TUAP6HTDVKpl33vHaNQqOmb0AeBRBuus85k9xfyJNsO5UL
-NQur8b5cB4Uo13Uday9eXF4xYOXeH+9Cs/medqQ66DqDc8m4Njhsbe9I/+u4VWQD
-3Eg52tIJK6BTYWXebnjFw2qRwT9RDBYPdhR6jXyoySJhk621ttBh9dmqyc5BMFAz
-m+DoYCLPumWdPw==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec

@@ -1,4 +0,0 @@
-issuer:faulty-server-intermediate
-subjectKey:secp256r1
-subject:no-san-ee
-extension:extKeyUsage:serverAuth

security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key

@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
-1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
-9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
------END EC PRIVATE KEY-----

security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec

@@ -1 +0,0 @@
-secp256r1

security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC5TCCAc2gAwIBAgIUJcEpHPj68EESKgMFwzoUysaFOvMwDQYJKoZIhvcNAQEL
-BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIwMTEyNzAwMDAw
-MFoYDzIwMjMwMjA1MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
-ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
-h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
-cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
-OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
-tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
-jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
-AQsFAAOCAQEAShfYMbPEqmi6G+GSdHB2C3oV4fwFFK1iMcT+Esvucy3/2+eE9nXK
-cS77DyMkPj503S2diNQw4SixOZd32Kli6pIALUqRrGqQDPlLhwTWbPutZHeqRo23
-MwmsorYeHU365dvCgORKMl4EgZZmk0ZNxbUcO/8d048fJnSkNcBPeUu7pAyQvYQg
-tLKM91ZXpvx+Fg43j0Pvn+JfOtVkGUkZr8UIDwF2nI6J8Jf1Y0Pd2YRsZ4MXlh0f
-/hjdQk0PRu516SHO1aF8HyH8+L/sKwDQ9On6pHcXEj94ufqh1RtRKsMa/vsSU4y1
-ee4T+bf7Q3w1pN6jyuKC6X9muYXXLtfVKg==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec

@@ -1,4 +0,0 @@
-issuer:faulty-server-ca
-subject:faulty-server-ca
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign

security/manager/ssl/tests/unit/test_faulty_server/test-int.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7zCCAdegAwIBAgIUZ5PMkD+ufopAxVZH0RZ4TPFm3WcwDQYJKoZIhvcNAQEL
-BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIwMTEyNzAwMDAw
-MFoYDzIwMjMwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu
-dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
-jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
-a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
-GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
-2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
-p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
-xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
-DQYJKoZIhvcNAQELBQADggEBAG9UgoC91jW/QW1EFLLljD9jn85rE5Xqj6sXebme
-+iZrsg/HrvB4shohEtz6nVMgTGzCDYXZpQ4vHd0VaShgt0dhVFaI5MSeLpCB+aqW
-FXjpJrJBHdVdbb67JlTJRnZsCiLoxY/CvPrD7m5lngHw2vecuM595xrI3ejj3kO2
-0lyRJvI5Hy0sNGX2M6hP7f7phs6L4Lh6HAyiORSuf0a/T8L7WnsUyDXXtH1w6Nv3
-PH4KNny01VJB5YSP9ODFcQh/upWymqUSECLU1u3dIcQfn8xWn9EErZtgEc7nUR9C
-la6bhPjPEuKJkfdMxhuw8p40hghi+o8Du357M66HZL+XeIY=
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec

@@ -1,4 +0,0 @@
-issuer:faulty-server-ca
-subject:faulty-server-intermediate
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign

security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp

@@ -1,204 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-
-#include "nspr.h"
-#include "ScopedNSSTypes.h"
-#include "ssl.h"
-#include "ssl3prot.h"
-#include "sslexp.h"
-#include "sslimpl.h"
-#include "TLSServer.h"
-
-using namespace mozilla;
-using namespace mozilla::test;
-
-enum FaultType {
-  None = 0,
-  ZeroRtt,
-  UnknownSNI,
-};
-
-struct FaultyServerHost {
-  const char* mHostName;
-  const char* mCertName;
-  FaultType mFaultType;
-};
-
-const char* kHostOk = "ok.example.com";
-const char* kHostUnknown = "unknown.example.com";
-const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com";
-const char* kHostZeroRttAlertVersion =
-    "0rtt-alert-protocol-version.example.com";
-const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com";
-const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com";
-
-const char* kCertWildcard = "default-ee";
-
-/* Each type of failure gets a different SNI.
- * the "default-ee" cert has a SAN for *.example.com
- * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs.
- */
-const FaultyServerHost sFaultyServerHosts[]{
-    {kHostOk, kCertWildcard, None},
-    {kHostUnknown, kCertWildcard, UnknownSNI},
-    {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt},
-    {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt},
-    {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt},
-    {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt},
-    {nullptr, nullptr},
-};
-
-nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "sending '%s'\n", aData);
-  }
-
-  int32_t len = static_cast<int32_t>(aDataLen);
-  while (len > 0) {
-    int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT);
-    if (bytesSent == -1) {
-      PrintPRError("PR_Send failed");
-      return NS_ERROR_FAILURE;
-    }
-
-    len -= bytesSent;
-    aData += bytesSent;
-  }
-
-  return NS_OK;
-}
-
-// returns 0 on success, non-zero on error
-int DoCallback(const char* path) {
-  UniquePRFileDesc socket(PR_NewTCPSocket());
-  if (!socket) {
-    PrintPRError("PR_NewTCPSocket failed");
-    return 1;
-  }
-
-  uint32_t port = 0;
-  const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT");
-  if (callbackPort) {
-    port = atoi(callbackPort);
-  }
-  if (!port) {
-    return 0;
-  }
-
-  PRNetAddr addr;
-  PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr);
-  if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
-    PrintPRError("PR_Connect failed");
-    return 1;
-  }
-
-  char request[512];
-  sprintf(request, "GET %s HTTP/1.0\r\n\r\n", path);
-  SendAll(socket.get(), request, strlen(request));
-  char buf[4096];
-  memset(buf, 0, sizeof(buf));
-  int32_t bytesRead =
-      PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
-  if (bytesRead < 0) {
-    PrintPRError("PR_Recv failed 1");
-    return 1;
-  }
-  if (bytesRead == 0) {
-    fprintf(stderr, "PR_Recv eof 1\n");
-    return 1;
-  }
-  // fprintf(stderr, "%s\n", buf);
-  return 0;
-}
-
-/* These are very rough examples. In practice the `arg` parameter to a callback
- * might need to be an object that holds some state, like the various traffic
- * secrets. */
-
-/* An SSLSecretCallback is called after every key derivation step in the TLS
- * 1.3 key schedule.
- *
- * Epoch 1 is for the early traffic secret.
- * Epoch 2 is for the handshake traffic secrets.
- * Epoch 3 is for the application traffic secrets.
- */
-void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch,
-                               SSLSecretDirection dir, PK11SymKey* secret,
-                               void* arg) {
-  fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir);
-  FaultyServerHost* host = static_cast<FaultyServerHost*>(arg);
-
-  if (epoch == 1 && dir == ssl_secret_read) {
-    sslSocket* ss = ssl_FindSocket(fd);
-    if (!ss) {
-      fprintf(stderr, "0RTT handler, no ss!\n");
-      return;
-    }
-
-    char path[256];
-    sprintf(path, "/callback/%d", epoch);
-    DoCallback(path);
-
-    fprintf(stderr, "0RTT handler, configuring alert\n");
-    if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) {
-      SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-    } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) {
-      SSL3_SendAlert(ss, alert_fatal, protocol_version);
-    } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) {
-      SSL3_SendAlert(ss, alert_fatal, no_alert);
-    }
-  }
-}
-
-/* An SSLRecordWriteCallback can replace the TLS record layer. */
-SECStatus WriteCallbackExample(PRFileDesc* fd, PRUint16 epoch,
-                               SSLContentType contentType, const PRUint8* data,
-                               unsigned int len, void* arg) {
-  /* do something */
-  return SECSuccess;
-}
-
-int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
-                          uint32_t aSrvNameArrSize, void* aArg) {
-  const FaultyServerHost* host =
-      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts);
-  if (!host || host->mFaultType == UnknownSNI) {
-    PrintPRError("No cert found for hostname");
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
-  }
-
-  switch (host->mFaultType) {
-    case ZeroRtt:
-      SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host);
-      break;
-    case None:
-      break;
-    default:
-      break;
-  }
-
-  UniqueCERTCertificate cert;
-  SSLKEAType certKEA;
-  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
-                                                    &certKEA, nullptr)) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  return 0;
-}
-
-SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; }
-
-int main(int argc, char* argv[]) {
-  int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
-  if (rv < 0) {
-    return rv;
-  }
-}

security/manager/ssl/tests/unit/tlsserver/cmd/moz.build

@@ -9,7 +9,6 @@ GeckoSimplePrograms(
         "BadCertAndPinningServer",
         "DelegatedCredentialsServer",
         "EncryptedClientHelloServer",
-        "FaultyServer",
         "GenerateOCSPResponse",
         "OCSPStaplingServer",
         "SanctionsTestServer",
@@ -17,14 +16,14 @@ GeckoSimplePrograms(
     linkage=None,
 )
 
-DEFINES["NSS_USE_STATIC_LIBS"] = True
-
 LOCAL_INCLUDES += [
-    "../../../../../../nss/lib/ssl",
     "../lib",
 ]
 
 USE_LIBS += [
+    "mozpkix",
+    "nspr",
+    "nss",
     "tlsserver",
 ]
 

security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp

@@ -28,7 +28,6 @@
 #include "prnetdb.h"
 #include "prtime.h"
 #include "ssl.h"
-#include "sslexp.h"
 #include "sslproto.h"
 
 namespace mozilla {
@@ -36,8 +35,6 @@ namespace test {
 
 static const uint16_t LISTEN_PORT = 8443;
 
-SSLAntiReplayContext* antiReplay = nullptr;
-
 DebugLevel gDebugLevel = DEBUG_ERRORS;
 uint16_t gCallbackPort = 0;
 
@@ -293,19 +290,9 @@ nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) {
   }
   aConn->mSocket = sslSocket;
 
-  /* anti-replay must be configured to accept 0RTT */
-  SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay);
-  if (rv != SECSuccess) {
-    PrintPRError("error configuring anti-replay ");
-    return NS_ERROR_FAILURE;
-  }
-
   SSL_OptionSet(sslSocket, SSL_SECURITY, true);
   SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
   SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
-  // Unconditionally enabling 0RTT makes test_session_resumption.js fail
-  SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA,
-                !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
 
   SSL_ResetHandshake(sslSocket, /* asServer */ 1);
 
@@ -480,8 +467,6 @@ SECStatus ConfigSecureServerWithNamedCert(
 
   SSL_OptionSet(fd, SSL_NO_CACHE, false);
   SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
-  // Unconditionally enabling 0RTT makes test_session_resumption.js fail
-  SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
 
   return SECSuccess;
 }
@@ -605,12 +590,6 @@ int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
     }
   }
 
-  if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14,
-                                  &antiReplay) != SECSuccess) {
-    PrintPRError("Unable to create anti-replay context for 0-RTT.");
-    return 1;
-  }
-
   if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
                               sniSocketConfigArg) != SECSuccess) {
     PrintPRError("SSL_SNISocketConfigHook failed");

security/manager/ssl/tests/unit/tlsserver/lib/moz.build

@@ -9,32 +9,10 @@ UNIFIED_SOURCES += [
     "TLSServer.cpp",
 ]
 
-DEFINES["NSS_USE_STATIC_LIBS"] = True
-
 USE_LIBS += [
-    "certdb",
-    "certhi",
-    "cryptohi",
-    "freebl",
-    "mozpkix",
     "mozpkix-testlib",
-    "nspr",
-    "nss_static",
-    "nssb",
-    "nssdev",
-    "nsspki",
-    "pk11wrap",
-    "smime",
-    "softokn3",
-    "sqlite",
-    "ssl",
 ]
 
-if CONFIG["MOZ_FOLD_LIBS"]:
-    USE_LIBS += ["nssutil"]
-else:
-    USE_LIBS += ["nssutil3"]
-
 Library("tlsserver")
 
 REQUIRES_UNIFIED_BUILD = True

security/manager/ssl/tests/unit/xpcshell.ini

@@ -30,7 +30,6 @@ support-files =
   test_delegated_credentials/**
   test_encrypted_client_hello/**
   test_ev_certs/**
-  test_faulty_server/**
   test_intermediate_basic_usage_constraints/**
   test_intermediate_preloads/**
   test_keysize/**

testing/xpcshell/remotexpcshelltests.py

@@ -624,7 +624,6 @@ class XPCShellRemote(xpcshell.XPCShellTests, object):
             "BadCertAndPinningServer",
             "DelegatedCredentialsServer",
             "EncryptedClientHelloServer",
-            "FaultyServer",
             "OCSPStaplingServer",
             "GenerateOCSPResponse",
             "SanctionsTestServer",

toolkit/mozapps/installer/upload-files.mk

@@ -264,7 +264,6 @@ NO_PKG_FILES += \
 	BadCertAndPinningServer* \
 	DelegatedCredentialsServer* \
 	EncryptedClientHelloServer* \
-	FaultyServer* \
 	OCSPStaplingServer* \
 	SanctionsTestServer* \
 	GenerateOCSPResponse* \