From 5b31cf23064db609cb679fb6e25d7358b9e73890 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 30 May 2024 17:35:47 -0600 Subject: [PATCH] SSLEngine: correctly mark inbound and outbound closed when receiving alerts --- native/com_wolfssl_WolfSSL.h | 2 ++ src/java/com/wolfssl/WolfSSL.java | 2 ++ .../wolfssl/provider/jsse/WolfSSLEngine.java | 21 ++++++++++++++++++- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/native/com_wolfssl_WolfSSL.h b/native/com_wolfssl_WolfSSL.h index 23a2c3e..2c6fadd 100644 --- a/native/com_wolfssl_WolfSSL.h +++ b/native/com_wolfssl_WolfSSL.h @@ -79,6 +79,8 @@ extern "C" { #define com_wolfssl_WolfSSL_SSL_ERROR_ZERO_RETURN 6L #undef com_wolfssl_WolfSSL_SSL_ERROR_SSL #define com_wolfssl_WolfSSL_SSL_ERROR_SSL 85L +#undef com_wolfssl_WolfSSL_FATAL_ERROR +#define com_wolfssl_WolfSSL_FATAL_ERROR -313L #undef com_wolfssl_WolfSSL_SSL_ERROR_SOCKET_PEER_CLOSED #define com_wolfssl_WolfSSL_SSL_ERROR_SOCKET_PEER_CLOSED -397L #undef com_wolfssl_WolfSSL_UNKNOWN_ALPN_PROTOCOL_NAME_E diff --git a/src/java/com/wolfssl/WolfSSL.java b/src/java/com/wolfssl/WolfSSL.java index 4f983dc..1d0fcf6 100644 --- a/src/java/com/wolfssl/WolfSSL.java +++ b/src/java/com/wolfssl/WolfSSL.java @@ -172,6 +172,8 @@ public class WolfSSL { public static final int SSL_ERROR_ZERO_RETURN = 6; /** Generatl SSL error */ public static final int SSL_ERROR_SSL = 85; + /** Received fatal alert error */ + public static final int FATAL_ERROR = -313; /** Peer closed socket */ public static final int SSL_ERROR_SOCKET_PEER_CLOSED = -397; /** Unrecognized ALPN protocol name */ diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java index 9d55ff8..8373eab 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java @@ -634,6 +634,14 @@ public class WolfSSLEngine extends SSLEngine { } produced += CopyOutPacket(out); } + else if ((produced > 0) && !inBoundOpen && + (!this.closeNotifySent && !this.closeNotifyReceived)) { + /* We had buffered data to send, but inbound was already closed. + * Most likely this is because we needed to send an alert to + * the peer. We should now mark outbound as closed since we + * won't be sending anything after the alert went out. */ + this.outBoundOpen = false; + } else if (produced == 0) { /* continue handshake or application data */ if (!this.handshakeFinished) { @@ -1076,6 +1084,16 @@ public class WolfSSLEngine extends SSLEngine { ret + " : " + err); } else { + /* Native wolfSSL threw an exception when unwrapping + * data, close inbound since we can't receive more + * data */ + this.inBoundOpen = false; + if (err == WolfSSL.FATAL_ERROR) { + /* If client side and we received fatal alert, + * close outbound since we won't be receiving + * any more data */ + this.outBoundOpen = false; + } throw new SSLException( "wolfSSL error, ret:err = " + ret + " : " + err); } @@ -1241,7 +1259,8 @@ public class WolfSSLEngine extends SSLEngine { hs = SSLEngineResult.HandshakeStatus.NEED_WRAP; } else if (this.netData != null && - this.netData.remaining() > 0) { + this.netData.remaining() > 0 && + this.inBoundOpen == true) { hs = SSLEngineResult.HandshakeStatus.NEED_UNWRAP; } else if (err == WolfSSL.SSL_ERROR_WANT_READ) {