SSLEngine: correctly mark inbound and outbound closed when receiving alerts

2024-05-30 17:35:47 -06:00 · 2024-05-30 17:35:47 -06:00 · 5b31cf2306
parent 267a8d2c24
commit 5b31cf2306
3 changed files with 24 additions and 1 deletions
--- a/native/com_wolfssl_WolfSSL.h
+++ b/native/com_wolfssl_WolfSSL.h
@ -79,6 +79,8 @@ extern "C" {
 #define com_wolfssl_WolfSSL_SSL_ERROR_ZERO_RETURN 6L
 #undef com_wolfssl_WolfSSL_SSL_ERROR_SSL
 #define com_wolfssl_WolfSSL_SSL_ERROR_SSL 85L
+#undef com_wolfssl_WolfSSL_FATAL_ERROR
+#define com_wolfssl_WolfSSL_FATAL_ERROR -313L
 #undef com_wolfssl_WolfSSL_SSL_ERROR_SOCKET_PEER_CLOSED
 #define com_wolfssl_WolfSSL_SSL_ERROR_SOCKET_PEER_CLOSED -397L
 #undef com_wolfssl_WolfSSL_UNKNOWN_ALPN_PROTOCOL_NAME_E
--- a/src/java/com/wolfssl/WolfSSL.java
+++ b/src/java/com/wolfssl/WolfSSL.java
@ -172,6 +172,8 @@ public class WolfSSL {
    public static final int SSL_ERROR_ZERO_RETURN      =  6;
    /** Generatl SSL error */
    public static final int SSL_ERROR_SSL              = 85;
+    /** Received fatal alert error */
+    public static final int FATAL_ERROR                = -313;
    /** Peer closed socket */
    public static final int SSL_ERROR_SOCKET_PEER_CLOSED = -397;
    /** Unrecognized ALPN protocol name */
--- a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java
@ -634,6 +634,14 @@ public class WolfSSLEngine extends SSLEngine {
            }
            produced += CopyOutPacket(out);
        }
+        else if ((produced > 0) && !inBoundOpen &&
+                 (!this.closeNotifySent && !this.closeNotifyReceived)) {
+            /* We had buffered data to send, but inbound was already closed.
+             * Most likely this is because we needed to send an alert to
+             * the peer. We should now mark outbound as closed since we
+             * won't be sending anything after the alert went out. */
+            this.outBoundOpen = false;
+        }
        else if (produced == 0) {
            /* continue handshake or application data */
            if (!this.handshakeFinished) {
@ -1076,6 +1084,16 @@ public class WolfSSLEngine extends SSLEngine {
                            ret + " : " + err);
                    }
                    else {
+                        /* Native wolfSSL threw an exception when unwrapping
+                         * data, close inbound since we can't receive more
+                         * data */
+                        this.inBoundOpen = false;
+                        if (err == WolfSSL.FATAL_ERROR) {
+                            /* If client side and we received fatal alert,
+                             * close outbound since we won't be receiving
+                             * any more data */
+                            this.outBoundOpen = false;
+                        }
                        throw new SSLException(
                            "wolfSSL error, ret:err = " + ret + " : " + err);
                    }
@ -1241,7 +1259,8 @@ public class WolfSSLEngine extends SSLEngine {
                            hs = SSLEngineResult.HandshakeStatus.NEED_WRAP;
                        }
                        else if (this.netData != null &&
-                                 this.netData.remaining() > 0) {
+                                 this.netData.remaining() > 0 &&
+                                 this.inBoundOpen == true) {
                            hs = SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
                        }
                        else if (err == WolfSSL.SSL_ERROR_WANT_READ) {