add support for SSLEngine.getApplicationProtocol

Author: cconlon

native/com_wolfssl_WolfSSL.h

@@ -3676,7 +3676,9 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_sslSetAlpnProtos
   (JNIEnv* jenv, jobject jcl, jlong sslPtr, jbyteArray alpnProtos)
 {
     int ret = SSL_FAILURE;
-#ifdef HAVE_ALPN
+    (void)jcl;
+#if defined(HAVE_ALPN) && (LIBWOLFSSL_VERSION_HEX >= 0x04002000)
+    /* wolfSSL_set_alpn_protos() added as of wolfSSL 4.2.0 */
     byte* buff = NULL;
     word32 buffSz = 0;
     WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
@@ -3753,6 +3755,35 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLSession_sslGet0AlpnSelected
 #endif
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useALPN
+  (JNIEnv* jenv, jobject jcl, jlong ssl, jstring protocols, jint options)
+{
+    int ret = SSL_FAILURE;
+    (void)jcl;
+#ifdef HAVE_ALPN
+    const char* protoList;
+
+    if (jenv == NULL || ssl == 0 || protocols == NULL || options < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    protoList = (*jenv)->GetStringUTFChars(jenv, protocols, 0);
+
+    ret = (jint) wolfSSL_UseALPN((WOLFSSL*)(uintptr_t)ssl, (char*)protoList,
+            XSTRLEN(protoList), (int)options);
+
+    (*jenv)->ReleaseStringUTFChars(jenv, protocols, protoList);
+#else
+    (void)jenv;
+    (void)ssl;
+    (void)protocols;
+    (void)options;
+    ret = NOT_COMPILED_IN;
+#endif
+
+    return ret;
+}
+
 JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLSession_setSSLIORecv
     (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {

native/com_wolfssl_WolfSSLSession.c

@@ -186,6 +186,12 @@ public static enum TLS_VERSION {
     /** CertManager: disable sending OCSP nonce */
     public final static int WOLFSSL_OCSP_NO_NONCE     = 2;
 
+    /* ALPN definitions from ssl.h */
+    public final static int WOLFSSL_ALPN_NO_MATCH = 0;
+    public final static int WOLFSSL_ALPN_MATCH    = 1;
+    public final static int WOLFSSL_ALPN_CONTINUE_ON_MISMATCH = 2;
+    public final static int WOLFSSL_ALPN_FAILED_ON_MISMATCH   = 4;
+
     /* I/O callback default errors, pulled from wolfssl/ssl.h IOerrors */
     /** I/O callback error: general error */
     public final static int WOLFSSL_CBIO_ERR_GENERAL    = -1;

native/com_wolfssl_WolfSSLSession.h

@@ -25,6 +25,8 @@
 import java.net.Socket;
 import java.net.DatagramSocket;
 import java.net.SocketTimeoutException;
+import java.lang.StringBuilder;
+import java.nio.charset.StandardCharsets;
 
 import com.wolfssl.WolfSSLException;
 import com.wolfssl.WolfSSLJNIException;
@@ -276,6 +278,7 @@ private native int setTlsHmacInner(long ssl, byte[] inner, long sz,
     private native int gotCloseNotify(long ssl);
     private native int sslSetAlpnProtos(long ssl, byte[] alpnProtos);
     private native byte[] sslGet0AlpnSelected(long ssl);
+    private native int useALPN(long ssl, String protocols, int options);
 
     /* ------------------- session-specific methods --------------------- */
 
@@ -2753,28 +2756,69 @@ public boolean sessionTicketsEnabled() throws IllegalStateException {
     }
 
     /**
-     * Set ALPN extension protocol for this session.
-     * Calls native SSL_set_alpn_protos() at native level. Format starts with
+     * Set ALPN extension protocol for this session from encoded byte array.
+     * Calls SSL_set_alpn_protos() at native level. Format starts with
      * length, where length does not include length byte itself. Example format:
      *
      * byte[] p = "http/1.1".getBytes();
      *
+     * Unless this input format is explicitly needed, useALPN(String[], int)
+     * will likely be easier to use.
+     *
      * @param alpnProtos ALPN protocols, encoded as byte array vector
-     * @return WolfSSL.SSL_SUCCESS on success, otherwise negative.
+     * @return WolfSSL.SSL_SUCCESS on success, otherwise negative on error.
      */
-    public int setAlpnProtos(byte[] alpnProtos) throws IllegalStateException {
+    public int useALPN(byte[] alpnProtos) throws IllegalStateException {
 
         if (this.active == false)
             throw new IllegalStateException("Object has been freed");
 
         return sslSetAlpnProtos(getSessionPtr(), alpnProtos);
     }
 
+    /**
+     * Set ALPN extension protocol for this session from String array.
+     * Calls native wolfSSL_useALPN(), where protocols should be a String
+     * array of ALPN protocols. At the native JNI level, this is converted to
+     * a comma-delimited list of prototocls and passed to native wolfSSL.
+     *
+     * This method is similar to useALPN(byte[]), but accepts a String array
+     * and calls a different native wolfSSL API for ALPN use.
+     *
+     * @param protocols Array of ALPN protocol Strings
+     * @param options Options to control behavior of ALPN failure mode.
+     *                Possible options include:
+     *                    WolfSSL.WOLFSSL_ALPN_CONTINUE_ON_MISMATCH
+     *                    WolfSSL.WOLFSSL_ALPN_FAILED_ON_MISMATCH
+     * @return WolfSSL.SSL_SUCCESS on success, otherwise negative on error.
+     *
+     */
+    public int useALPN(String[] protocols, int options) {
+
+        /* all protocols, comma delimited */
+        StringBuilder allProtocols = new StringBuilder();
+
+        if (this.active == false)
+            throw new IllegalStateException("Object has been freed");
+
+        if (protocols == null) {
+            return WolfSSL.BAD_FUNC_ARG;
+        }
+
+        for (int i = 0; i < protocols.length; i++) {
+            if (i != 0) {
+                allProtocols.append(",");
+            }
+            allProtocols.append(protocols[i]);
+        }
+
+        return useALPN(getSessionPtr(), allProtocols.toString(), options);
+    }
+
     /**
      * Get the ALPN protocol selected by the client/server for this session.
      *
-     * @return byte array representation of selected protocol, starting with
-     *         length byte. Length does not include length byte itself.
+     * @return byte array representation of selected protocol.
      * @throws IllegalStateException WolfSSLSession has been freed
      */
     public byte[] getAlpnSelected() throws IllegalStateException {
@@ -2785,6 +2829,23 @@ public byte[] getAlpnSelected() throws IllegalStateException {
         return sslGet0AlpnSelected(getSessionPtr());
     }
 
+    /**
+     * Get the ALPN protocol selected by the client/server for this session.
+     *
+     * Same behavior as getAlpnSelected(), but returns a String instead of a
+     * byte array.
+     *
+     * @return String of the selected ALPN protocol
+     * @throws IllegalStateException WolfSSLSession has been freed
+     */
+    public String getAlpnSelectedString() throws IllegalStateException {
+
+        if (this.active == false)
+            throw new IllegalStateException("Object has been freed");
+
+        return new String(getAlpnSelected(), StandardCharsets.UTF_8);
+    }
+
     /**
      * Getter function to tell if shutdown has been sent or received
      * @return WolfSSL.SSL_SENT_SHUTDOWN or WolfSSL.SSL_RECEIVED_SHUTDOWN

src/java/com/wolfssl/WolfSSL.java

@@ -545,6 +545,10 @@ public boolean getEnableSessionCreation() {
         return EngineHelper.getEnableSessionCreation();
     }
 
+    public String getApplicationProtocol() {
+        return EngineHelper.getAlpnSelectedProtocolString();
+    }
+
     /**
      * Set the SSLParameters for this SSLSocket.
      *

src/java/com/wolfssl/WolfSSLSession.java

@@ -358,6 +358,8 @@ protected void setAlpnProtocols(byte[] alpnProtos) {
     /**
      * Get selected ALPN protocol
      *
+     * Used by some versions of Android, non-standard ALPN API.
+     *
      * @return encoded byte array for selected ALPN protocol or null if
      *         handshake has not finished
      */
@@ -368,6 +370,18 @@ protected byte[] getAlpnSelectedProtocol() {
         return null;
     }
 
+    protected String getAlpnSelectedProtocolString() {
+        if (ssl.handshakeDone()) {
+            String proto = ssl.getAlpnSelectedString();
+
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "selected ALPN protocol = " + proto);
+
+            return proto;
+        }
+        return null;
+    }
+
     /********** Calls to transfer over parameter to wolfSSL before connection */
 
     /*transfer over cipher suites right before establishing a connection */
@@ -577,13 +591,51 @@ private void setLocalSessionTicket() {
 
     /* Set the ALPN to be used for this session */
     private void setLocalAlpnProtocols() {
+
+        /* ALPN protocol list could be stored in either of the following,
+         * depending on what platform/JDK we are being used on:
+         *     this.params.getAlpnProtos() or
+         *     this.params.getApplicationProtocols()
+         * For example, Conscrypt consumers on older Android versions with
+         * JDK 7 will be in params.getAlpnProtos(). JDK versions > 8, with
+         * support for params.getApplicationProtocols() will likely use that
+         * instead. */
+
+        int i;
         byte[] alpnProtos = this.params.getAlpnProtos();
+        String[] applicationProtocols = this.params.getApplicationProtocols();
 
-        if (alpnProtos != null) {
+        if ((alpnProtos != null && alpnProtos.length > 0) &&
+            (applicationProtocols != null && applicationProtocols.length > 0)) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                "Setting ALPN protocols for WOLFSSL session");
-            this.ssl.setAlpnProtos(alpnProtos);
-        } else {
+                "ALPN protocols found in both params.getAlpnProtos() and " +
+                "params.getApplicationProtocols()");
+        }
+
+        /* try to set from byte[] first, then overwrite with String[] if
+         * both have been set */
+        if (alpnProtos != null && alpnProtos.length > 0) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "Setting ALPN protocols for WOLFSSL session from byte[" +
+                alpnProtos.length + "]");
+            this.ssl.useALPN(alpnProtos);
+        }
+
+        if (applicationProtocols != null && applicationProtocols.length > 0) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "Setting Application Protocols for WOLFSSL session " +
+                "from String[]:");
+            for (i = 0; i < applicationProtocols.length; i++) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    "\t" + i + ": " + applicationProtocols[i]);
+            }
+
+            /* continue on mismatch */
+            this.ssl.useALPN(applicationProtocols,
+                             WolfSSL.WOLFSSL_ALPN_CONTINUE_ON_MISMATCH);
+        }
+
+        if (alpnProtos == null && applicationProtocols == null) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                 "No ALPN protocols set, not setting for this WOLFSSL session");
         }

src/java/com/wolfssl/provider/jsse/WolfSSLEngine.java

@@ -33,6 +33,8 @@ public class WolfSSLParametersHelper
 {
     private static Method getServerNames = null;
     private static Method setServerNames = null;
+    private static Method getApplicationProtocols = null;
+    private static Method setApplicationProtocols = null;
 
     /** Default WolfSSLParametersHelper constructor */
     public WolfSSLParametersHelper() { }
@@ -59,6 +61,12 @@ public Object run() {
                             case "setServerNames":
                                 setServerNames = m;
                                 continue;
+                            case "getApplicationProtocols":
+                                getApplicationProtocols = m;
+                                continue;
+                            case "setApplicationProtocols":
+                                setApplicationProtocols = m;
+                                continue;
                             default:
                                 continue;
                         }
@@ -100,7 +108,7 @@ protected static SSLParameters decoupleParams(WolfSSLParameters in) {
         /* Methods added as of JDK 1.8, older JDKs will not have them. Using
          * Java reflection to detect availability. */
 
-        if (setServerNames != null) {
+        if (setServerNames != null || setApplicationProtocols != null) {
 
             try {
                 /* load WolfSSLJDK8Helper at runtime, not compiled on older JDKs */
@@ -110,9 +118,16 @@ protected static SSLParameters decoupleParams(WolfSSLParameters in) {
                 paramList[0] = javax.net.ssl.SSLParameters.class;
                 paramList[1] = java.lang.reflect.Method.class;
                 paramList[2] = com.wolfssl.provider.jsse.WolfSSLParameters.class;
+                Method mth = null;
 
-                Method mth = cls.getDeclaredMethod("setServerNames", paramList);
-                mth.invoke(obj, ret, setServerNames, in);
+                if (setServerNames != null) {
+                    mth = cls.getDeclaredMethod("setServerNames", paramList);
+                    mth.invoke(obj, ret, setServerNames, in);
+                }
+                if (setApplicationProtocols != null) {
+                    mth = cls.getDeclaredMethod("setApplicationProtocols", paramList);
+                    mth.invoke(obj, ret, setServerNames, in);
+                }
 
             } catch (Exception e) {
                 /* ignore, class not found */
@@ -124,7 +139,6 @@ protected static SSLParameters decoupleParams(WolfSSLParameters in) {
          * with newer versions of SSLParameters, but will need to be added
          * conditionally to wolfJSSE when supported. */
         /*ret.setAlgorithmConstraints(in.getAlgorithmConstraints());
-        ret.setApplicationProtocols(in.getApplicationProtocols());
         ret.setEnableRetransmissions(in.getEnableRetransmissions());
         ret.setEndpointIdentificationAlgorithm(
             in.getEndpointIdentificationAlgorithm());
@@ -170,17 +184,24 @@ protected static void importParams(SSLParameters in,
         /* Methods added as of JDK 1.8, older JDKs will not have them. Using
          * Java reflection to detect availability. */
 
-        if (getServerNames != null) {
+        if (getServerNames != null || getApplicationProtocols != null) {
             try {
                 /* load WolfSSLJDK8Helper at runtime, not compiled on older JDKs */
                 Class<?> cls = Class.forName("com.wolfssl.provider.jsse.WolfSSLJDK8Helper");
                 Object obj = cls.getConstructor().newInstance();
                 Class[] paramList = new Class[2];
                 paramList[0] = javax.net.ssl.SSLParameters.class;
                 paramList[1] = com.wolfssl.provider.jsse.WolfSSLParameters.class;
+                Method mth = null;
 
-                Method mth = cls.getDeclaredMethod("getServerNames", paramList);
-                mth.invoke(obj, in, out);
+                if (getServerNames != null) {
+                    mth = cls.getDeclaredMethod("getServerNames", paramList);
+                    mth.invoke(obj, in, out);
+                }
+                if (getApplicationProtocols != null) {
+                    mth = cls.getDeclaredMethod("getApplicationProtocols", paramList);
+                    mth.invoke(obj, in, out);
+                }
 
             } catch (Exception e) {
                 /* ignore, class not found */
@@ -192,7 +213,6 @@ protected static void importParams(SSLParameters in,
          * with newer versions of SSLParameters, but will need to be added
          * conditionally to wolfJSSE when supported. */
         /*out.setAlgorithmConstraints(in.getAlgorithmConstraints());
-        out.setApplicationProtocols(in.getApplicationProtocols());
         out.setEnableRetransmissions(in.getEnableRetransmissions());
         out.setEndpointIdentificationAlgorithm(
             in.getEndpointIdentificationAlgorithm());