Bug 956866 - Added SSL alert callbacks.

New SSL_AlertReceivedCallback and SSL_AlertSentCallback functions
have been added to register callback functions which will be
invoked when NSS receives and sends SSL alerts, respectively.

https://bugzilla.mozilla.org/show_bug.cgi?id=956866

lib/ssl/ssl.def

@@ -227,3 +227,10 @@ SSL_SetSessionTicketKeyPair;
 ;+    local:
 ;+*;
 ;+};
+;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release
+;+    global:
+SSL_AlertReceivedCallback;
+SSL_AlertSentCallback;
+;+    local:
+;+*;
+;+};

lib/ssl/ssl.h

@@ -819,6 +819,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd);
  */
 SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
 
+/*
+** These are callbacks for dealing with SSL alerts.
+ */
+
+typedef PRUint8 SSLAlertLevel;
+typedef PRUint8 SSLAlertDescription;
+
+typedef struct {
+    SSLAlertLevel level;
+    SSLAlertDescription description;
+} SSLAlert;
+
+typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg,
+                                            const SSLAlert *alert);
+
+SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb,
+                                               void *arg);
+SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb,
+                                           void *arg);
 /*
 ** This is a callback for dealing with server certs that are not authenticated
 ** by the client.  The client app can decide that it actually likes the

lib/ssl/ssl3con.c

@@ -3154,6 +3154,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
     if (needHsLock) {
         ssl_ReleaseSSL3HandshakeLock(ss);
     }
+    if (rv == SECSuccess && ss->alertSentCallback) {
+        SSLAlert alert = { level, desc };
+        ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert);
+    }
     return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
@@ -3266,6 +3270,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
     SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
                 SSL_GETPID(), ss->fd, level, desc));
 
+    if (ss->alertReceivedCallback) {
+        SSLAlert alert = { level, desc };
+        ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert);
+    }
+
     switch (desc) {
         case close_notify:
             ss->recvdCloseNotify = 1;

lib/ssl/sslimpl.h

@@ -1134,6 +1134,10 @@ struct sslSocketStr {
     void *getClientAuthDataArg;
     SSLSNISocketConfig sniSocketConfig;
     void *sniSocketConfigArg;
+    SSLAlertCallback alertReceivedCallback;
+    void *alertReceivedCallbackArg;
+    SSLAlertCallback alertSentCallback;
+    void *alertSentCallbackArg;
     SSLBadCertHandler handleBadCert;
     void *badCertArg;
     SSLHandshakeCallback handshakeCallback;

lib/ssl/sslsecur.c

@@ -993,6 +993,42 @@ ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
     return ssl_SecureSend(ss, buf, len, 0);
 }
 
+SECStatus
+SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    ss->alertReceivedCallback = cb;
+    ss->alertReceivedCallbackArg = arg;
+
+    return SECSuccess;
+}
+
+SECStatus
+SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    ss->alertSentCallback = cb;
+    ss->alertSentCallbackArg = arg;
+
+    return SECSuccess;
+}
+
 SECStatus
 SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
 {

lib/ssl/sslsock.c

@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os)
         ss->getClientAuthDataArg = os->getClientAuthDataArg;
         ss->sniSocketConfig = os->sniSocketConfig;
         ss->sniSocketConfigArg = os->sniSocketConfigArg;
+        ss->alertReceivedCallback = os->alertReceivedCallback;
+        ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg;
+        ss->alertSentCallback = os->alertSentCallback;
+        ss->alertSentCallbackArg = os->alertSentCallbackArg;
         ss->handleBadCert = os->handleBadCert;
         ss->badCertArg = os->badCertArg;
         ss->handshakeCallback = os->handshakeCallback;
@@ -2148,6 +2152,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
         ss->sniSocketConfig = sm->sniSocketConfig;
     if (sm->sniSocketConfigArg)
         ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+    if (ss->alertReceivedCallback) {
+        ss->alertReceivedCallback = sm->alertReceivedCallback;
+        ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
+    }
+    if (ss->alertSentCallback) {
+        ss->alertSentCallback = sm->alertSentCallback;
+        ss->alertSentCallbackArg = sm->alertSentCallbackArg;
+    }
     if (sm->handleBadCert)
         ss->handleBadCert = sm->handleBadCert;
     if (sm->badCertArg)
@@ -3690,6 +3702,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
     ss->sniSocketConfig = NULL;
     ss->sniSocketConfigArg = NULL;
     ss->getClientAuthData = NULL;
+    ss->alertReceivedCallback = NULL;
+    ss->alertReceivedCallbackArg = NULL;
+    ss->alertSentCallback = NULL;
+    ss->alertSentCallbackArg = NULL;
     ss->handleBadCert = NULL;
     ss->badCertArg = NULL;
     ss->pkcs11PinArg = NULL;