diff -up nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
--- nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc 2017-03-14 11:01:42.563689719 +0100
@@ -24,6 +24,8 @@ namespace nss_test {
TEST_P(TlsConnectTls13, ZeroRtt) {
SetupForZeroRtt();
+ client_->SetExpectedAlertSentCount(1);
+ server_->SetExpectedAlertReceivedCount(1);
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
@@ -103,6 +105,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
EnableAlpn();
SetupForZeroRtt();
EnableAlpn();
+ client_->SetExpectedAlertSentCount(1);
+ server_->SetExpectedAlertReceivedCount(1);
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
diff -up nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_exporter_unittest.cc
--- nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/ssl_exporter_unittest.cc 2017-03-14 11:01:42.563689719 +0100
@@ -90,6 +90,8 @@ int32_t RegularExporterShouldFail(TlsAge
TEST_P(TlsConnectTls13, EarlyExporter) {
SetupForZeroRtt();
+ client_->SetExpectedAlertSentCount(1);
+ server_->SetExpectedAlertReceivedCount(1);
client_->Set0RttEnabled(true);
server_->Set0RttEnabled(true);
ExpectResumption(RESUME_TICKET);
diff -up nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_extension_unittest.cc
--- nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler 2017-03-14 11:01:42.563689719 +0100
+++ nss/gtests/ssl_gtest/ssl_extension_unittest.cc 2017-03-14 11:06:39.215006989 +0100
@@ -167,27 +167,69 @@ class TlsExtensionTestBase : public TlsC
: TlsConnectTestBase(mode, version) {}
void ClientHelloErrorTest(PacketFilter* filter,
- uint8_t alert = kTlsAlertDecodeError) {
+ uint8_t desc = kTlsAlertDecodeError) {
+ SSLAlert alert;
+
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
if (filter) {
client_->SetPacketFilter(filter);
}
ConnectExpectFail();
+
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
- EXPECT_EQ(alert, alert_recorder->description());
+ EXPECT_EQ(desc, alert_recorder->description());
+
+ // verify no alerts received by the server
+ EXPECT_EQ(0U, server_->alert_received_count());
+
+ // verify the alert sent by the server
+ EXPECT_EQ(1U, server_->alert_sent_count());
+ EXPECT_TRUE(server_->GetLastAlertSent(&alert));
+ EXPECT_EQ(kTlsAlertFatal, alert.level);
+ EXPECT_EQ(desc, alert.description);
+
+ // verify the alert received by the client
+ EXPECT_EQ(1U, client_->alert_received_count());
+ EXPECT_TRUE(client_->GetLastAlertReceived(&alert));
+ EXPECT_EQ(kTlsAlertFatal, alert.level);
+ EXPECT_EQ(desc, alert.description);
+
+ // verify no alerts sent by the client
+ EXPECT_EQ(0U, client_->alert_sent_count());
}
void ServerHelloErrorTest(PacketFilter* filter,
- uint8_t alert = kTlsAlertDecodeError) {
+ uint8_t desc = kTlsAlertDecodeError) {
+ SSLAlert alert;
+
auto alert_recorder = new TlsAlertRecorder();
client_->SetPacketFilter(alert_recorder);
if (filter) {
server_->SetPacketFilter(filter);
}
ConnectExpectFail();
+
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
- EXPECT_EQ(alert, alert_recorder->description());
+ EXPECT_EQ(desc, alert_recorder->description());
+
+ // verify no alerts received by the client
+ EXPECT_EQ(0U, client_->alert_received_count());
+
+ // verify the alert sent by the client
+ EXPECT_EQ(1U, client_->alert_sent_count());
+ EXPECT_TRUE(client_->GetLastAlertSent(&alert));
+ EXPECT_EQ(kTlsAlertFatal, alert.level);
+ EXPECT_EQ(desc, alert.description);
+
+ // verify the alert received by the server
+ EXPECT_EQ(1U, server_->alert_received_count());
+ EXPECT_TRUE(server_->GetLastAlertReceived(&alert));
+ EXPECT_EQ(kTlsAlertFatal, alert.level);
+ EXPECT_EQ(desc, alert.description);
+
+ // verify no alerts sent by the server
+ EXPECT_EQ(0U, server_->alert_sent_count());
}
static void InitSimpleSni(DataBuffer* extension) {
diff -up nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_version_unittest.cc
--- nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/ssl_version_unittest.cc 2017-03-14 11:01:42.563689719 +0100
@@ -225,6 +225,7 @@ TEST_F(TlsConnectTest, Tls13RejectsRehan
TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
EnsureTlsSetup();
+ client_->SetExpectedAlertReceivedCount(1);
client_->StartConnect();
server_->StartConnect();
client_->Handshake(); // Send ClientHello.
diff -up nss/gtests/ssl_gtest/tls_agent.cc.alert-handler nss/gtests/ssl_gtest/tls_agent.cc
--- nss/gtests/ssl_gtest/tls_agent.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/tls_agent.cc 2017-03-14 11:07:22.414890511 +0100
@@ -61,6 +61,12 @@ TlsAgent::TlsAgent(const std::string& na
can_falsestart_hook_called_(false),
sni_hook_called_(false),
auth_certificate_hook_called_(false),
+ alert_received_count_(0),
+ expected_alert_received_count_(0),
+ last_alert_received_({0, 0}),
+ alert_sent_count_(0),
+ expected_alert_sent_count_(0),
+ last_alert_sent_({0, 0}),
handshake_callback_called_(false),
error_code_(0),
send_ctr_(0),
@@ -165,6 +171,14 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
+ rv = SSL_AlertReceivedCallback(ssl_fd(), AlertReceivedCallback, this);
+ EXPECT_EQ(SECSuccess, rv);
+ if (rv != SECSuccess) return false;
+
+ rv = SSL_AlertSentCallback(ssl_fd(), AlertSentCallback, this);
+ EXPECT_EQ(SECSuccess, rv);
+ if (rv != SECSuccess) return false;
+
rv = SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this);
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
@@ -578,6 +592,11 @@ void TlsAgent::CheckErrorCode(int32_t ex
<< PORT_ErrorToName(expected) << std::endl;
}
+void TlsAgent::CheckAlerts() const {
+ EXPECT_EQ(expected_alert_received_count_, alert_received_count_);
+ EXPECT_EQ(expected_alert_sent_count_, alert_sent_count_);
+}
+
void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const {
ASSERT_EQ(0, error_code_);
WAIT_(error_code_ != 0, delay);
diff -up nss/gtests/ssl_gtest/tls_agent.h.alert-handler nss/gtests/ssl_gtest/tls_agent.h
--- nss/gtests/ssl_gtest/tls_agent.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/tls_agent.h 2017-03-14 11:01:42.564689693 +0100
@@ -139,6 +139,7 @@ class TlsAgent : public PollTarget {
void EnableSrtp();
void CheckSrtp() const;
void CheckErrorCode(int32_t expected) const;
+ void CheckAlerts() const;
void WaitForErrorCode(int32_t expected, uint32_t delay) const;
// Send data on the socket, encrypting it.
void SendData(size_t bytes, size_t blocksize = 1024);
@@ -239,6 +240,34 @@ class TlsAgent : public PollTarget {
sni_callback_ = sni_callback;
}
+ size_t alert_received_count() const { return alert_received_count_; }
+
+ void SetExpectedAlertReceivedCount(size_t count) {
+ expected_alert_received_count_ = count;
+ }
+
+ bool GetLastAlertReceived(SSLAlert* alert) const {
+ if (!alert_received_count_) {
+ return false;
+ }
+ *alert = last_alert_received_;
+ return true;
+ }
+
+ size_t alert_sent_count() const { return alert_sent_count_; }
+
+ void SetExpectedAlertSentCount(size_t count) {
+ expected_alert_sent_count_ = count;
+ }
+
+ bool GetLastAlertSent(SSLAlert* alert) const {
+ if (!alert_sent_count_) {
+ return false;
+ }
+ *alert = last_alert_sent_;
+ return true;
+ }
+
private:
const static char* states[];
@@ -320,6 +349,30 @@ class TlsAgent : public PollTarget {
return SECSuccess;
}
+ static void AlertReceivedCallback(const PRFileDesc* fd, void* arg,
+ const SSLAlert* alert) {
+ TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
+
+ std::cerr << agent->role_str()
+ << ": Alert received: level=" << static_cast<int>(alert->level)
+ << " desc=" << static_cast<int>(alert->description) << std::endl;
+
+ ++agent->alert_received_count_;
+ agent->last_alert_received_ = *alert;
+ }
+
+ static void AlertSentCallback(const PRFileDesc* fd, void* arg,
+ const SSLAlert* alert) {
+ TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
+
+ std::cerr << agent->role_str()
+ << ": Alert sent: level=" << static_cast<int>(alert->level)
+ << " desc=" << static_cast<int>(alert->description) << std::endl;
+
+ ++agent->alert_sent_count_;
+ agent->last_alert_sent_ = *alert;
+ }
+
static void HandshakeCallback(PRFileDesc* fd, void* arg) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
agent->handshake_callback_called_ = true;
@@ -352,6 +405,12 @@ class TlsAgent : public PollTarget {
bool can_falsestart_hook_called_;
bool sni_hook_called_;
bool auth_certificate_hook_called_;
+ size_t alert_received_count_;
+ size_t expected_alert_received_count_;
+ SSLAlert last_alert_received_;
+ size_t alert_sent_count_;
+ size_t expected_alert_sent_count_;
+ SSLAlert last_alert_sent_;
bool handshake_callback_called_;
SSLChannelInfo info_;
SSLCipherSuiteInfo csinfo_;
diff -up nss/gtests/ssl_gtest/tls_connect.cc.alert-handler nss/gtests/ssl_gtest/tls_connect.cc
--- nss/gtests/ssl_gtest/tls_connect.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/gtests/ssl_gtest/tls_connect.cc 2017-03-14 11:01:42.564689693 +0100
@@ -309,6 +309,9 @@ void TlsConnectTestBase::CheckConnected(
CheckResumption(expected_resumption_mode_);
client_->CheckSecretsDestroyed();
server_->CheckSecretsDestroyed();
+
+ client_->CheckAlerts();
+ server_->CheckAlerts();
}
void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type, SSLNamedGroup kea_group,
diff -up nss/lib/ssl/ssl3con.c.alert-handler nss/lib/ssl/ssl3con.c
--- nss/lib/ssl/ssl3con.c.alert-handler 2017-03-14 11:01:42.551690030 +0100
+++ nss/lib/ssl/ssl3con.c 2017-03-14 11:03:45.319510356 +0100
@@ -3143,6 +3143,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL
}
ssl_ReleaseXmitBufLock(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
+ if (rv == SECSuccess && ss->alertSentCallback) {
+ SSLAlert alert = { level, desc };
+ ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert);
+ }
return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
}
@@ -3255,6 +3259,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
SSL_GETPID(), ss->fd, level, desc));
+ if (ss->alertReceivedCallback) {
+ SSLAlert alert = { level, desc };
+ ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert);
+ }
+
switch (desc) {
case close_notify:
ss->recvdCloseNotify = 1;
diff -up nss/lib/ssl/ssl.def.alert-handler nss/lib/ssl/ssl.def
--- nss/lib/ssl/ssl.def.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/lib/ssl/ssl.def 2017-03-14 11:01:42.564689693 +0100
@@ -221,3 +221,10 @@ SSL_SignatureSchemePrefGet;
;+ local:
;+*;
;+};
+;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release
+;+ global:
+SSL_AlertReceivedCallback;
+SSL_AlertSentCallback;
+;+ local:
+;+*;
+;+};
diff -up nss/lib/ssl/ssl.h.alert-handler nss/lib/ssl/ssl.h
--- nss/lib/ssl/ssl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/lib/ssl/ssl.h 2017-03-14 11:01:42.564689693 +0100
@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PR
SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
/*
+** These are callbacks for dealing with SSL alerts.
+ */
+
+typedef PRUint8 SSLAlertLevel;
+typedef PRUint8 SSLAlertDescription;
+
+typedef struct {
+ SSLAlertLevel level;
+ SSLAlertDescription description;
+} SSLAlert;
+
+typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg,
+ const SSLAlert *alert);
+
+SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb,
+ void *arg);
+SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb,
+ void *arg);
+/*
** This is a callback for dealing with server certs that are not authenticated
** by the client. The client app can decide that it actually likes the
** cert by some external means and restart the connection.
diff -up nss/lib/ssl/sslimpl.h.alert-handler nss/lib/ssl/sslimpl.h
--- nss/lib/ssl/sslimpl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/lib/ssl/sslimpl.h 2017-03-14 11:01:42.566689641 +0100
@@ -1121,6 +1121,10 @@ struct sslSocketStr {
void *getClientAuthDataArg;
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
+ SSLAlertCallback alertReceivedCallback;
+ void *alertReceivedCallbackArg;
+ SSLAlertCallback alertSentCallback;
+ void *alertSentCallbackArg;
SSLBadCertHandler handleBadCert;
void *badCertArg;
SSLHandshakeCallback handshakeCallback;
diff -up nss/lib/ssl/sslsecur.c.alert-handler nss/lib/ssl/sslsecur.c
--- nss/lib/ssl/sslsecur.c.alert-handler 2017-02-17 14:20:06.000000000 +0100
+++ nss/lib/ssl/sslsecur.c 2017-03-14 11:01:42.566689641 +0100
@@ -994,6 +994,42 @@ ssl_SecureWrite(sslSocket *ss, const uns
}
SECStatus
+SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
+{
+ sslSocket *ss;
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ ss->alertReceivedCallback = cb;
+ ss->alertReceivedCallbackArg = arg;
+
+ return SECSuccess;
+}
+
+SECStatus
+SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
+{
+ sslSocket *ss;
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ ss->alertSentCallback = cb;
+ ss->alertSentCallbackArg = arg;
+
+ return SECSuccess;
+}
+
+SECStatus
SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
{
sslSocket *ss;
diff -up nss/lib/ssl/sslsock.c.alert-handler nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.alert-handler 2017-03-14 11:01:42.538690367 +0100
+++ nss/lib/ssl/sslsock.c 2017-03-14 11:01:42.566689641 +0100
@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os)
ss->getClientAuthDataArg = os->getClientAuthDataArg;
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
+ ss->alertReceivedCallback = os->alertReceivedCallback;
+ ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg;
+ ss->alertSentCallback = os->alertSentCallback;
+ ss->alertSentCallbackArg = os->alertSentCallbackArg;
ss->handleBadCert = os->handleBadCert;
ss->badCertArg = os->badCertArg;
ss->handshakeCallback = os->handshakeCallback;
@@ -2149,6 +2153,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+ if (ss->alertReceivedCallback) {
+ ss->alertReceivedCallback = sm->alertReceivedCallback;
+ ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
+ }
+ if (ss->alertSentCallback) {
+ ss->alertSentCallback = sm->alertSentCallback;
+ ss->alertSentCallbackArg = sm->alertSentCallbackArg;
+ }
if (sm->handleBadCert)
ss->handleBadCert = sm->handleBadCert;
if (sm->badCertArg)
@@ -3691,6 +3703,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;
+ ss->alertReceivedCallback = NULL;
+ ss->alertReceivedCallbackArg = NULL;
+ ss->alertSentCallback = NULL;
+ ss->alertSentCallbackArg = NULL;
ss->handleBadCert = NULL;
ss->badCertArg = NULL;
ss->pkcs11PinArg = NULL;
# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1493741561 -7200
# Tue May 02 18:12:41 2017 +0200
# Node ID 8804a0c65a08ee53096c07cc091536c7cf102b58
# Parent 769f9ae07b103494af809620478e60256a344adc
Bug 1360207, Fix incorrect if (ss->...) in SSL_ReconfigFD, Patch contributed by Ian Goldberg, r=ttaubert
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
ss->sniSocketConfigArg = sm->sniSocketConfigArg;
- if (ss->alertReceivedCallback) {
+ if (sm->alertReceivedCallback) {
ss->alertReceivedCallback = sm->alertReceivedCallback;
ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
}
- if (ss->alertSentCallback) {
+ if (sm->alertSentCallback) {
ss->alertSentCallback = sm->alertSentCallback;
ss->alertSentCallbackArg = sm->alertSentCallbackArg;
}