Merge pull request wolfSSL#305 from cconlon/alpnGrease

rlm2002 · web-flow · commit 0e9a858eb1b6 · 2025-12-18T09:35:24.000-07:00
Fix ALPN to support non-ASCII protocol names
diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c
@@ -5451,29 +5451,91 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useALPN
   (JNIEnv* jenv, jobject jcl, jlong sslPtr, jstring protocols, jint options)
 {
     int ret = SSL_FAILURE;
+#ifdef HAVE_ALPN
+    WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
+    char* protoList = NULL;
+    jsize protocolsCharLen = 0;
+    jsize protocolsUtfLen = 0;
+    (void)jcl;
+
+    if (jenv == NULL || ssl == NULL || protocols == NULL || options < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* GetStringLength returns character count (Unicode code units),
+     * GetStringUTFLength returns byte count in modified UTF-8 encoding.
+     * For non-ASCII characters (> 127), UTF-8 uses multiple bytes per char.
+     * GetStringUTFRegion expects character count, not byte count. */
+    protocolsCharLen = (*jenv)->GetStringLength(jenv, protocols);
+    protocolsUtfLen = (*jenv)->GetStringUTFLength(jenv, protocols);
+    if (protocolsCharLen == 0 || protocolsUtfLen == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Allocate UTF-8 byte size + 1 to guarantee null terminated */
+    protoList = (char*)XMALLOC(protocolsUtfLen + 1, NULL,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (protoList == NULL) {
+        return MEMORY_E;
+    }
+
+    /* GetStringUTFRegion() does not need to be freed/released.
+     * Third param is start index, fourth is character count (not bytes). */
+    (*jenv)->GetStringUTFRegion(jenv, protocols, 0, protocolsCharLen,
+        protoList);
+    if ((*jenv)->ExceptionCheck(jenv)) {
+        XFREE(protoList, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        return SSL_FAILURE;
+    }
+    protoList[protocolsUtfLen] = '\0';
+
+    ret = wolfSSL_UseALPN(ssl, protoList, protocolsUtfLen, (int)options);
+
+    XFREE(protoList, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)sslPtr;
+    (void)protocols;
+    (void)options;
+    ret = NOT_COMPILED_IN;
+#endif
+
+    return (jint)ret;
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useALPNByteArray
+  (JNIEnv* jenv, jobject jcl, jlong sslPtr, jbyteArray protocols, jint options)
+{
+    int ret = SSL_FAILURE;
 #ifdef HAVE_ALPN
     WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
     char* protoList = NULL;
     jsize protocolsLen = 0;
     (void)jcl;
 
-    if (jenv == NULL || ssl == 0 || protocols == NULL || options < 0) {
+    if (jenv == NULL || ssl == NULL || protocols == NULL || options < 0) {
         return BAD_FUNC_ARG;
     }
 
-    protocolsLen = (*jenv)->GetStringUTFLength(jenv, protocols);
+    protocolsLen = (*jenv)->GetArrayLength(jenv, protocols);
     if (protocolsLen == 0) {
         return BAD_FUNC_ARG;
     }
 
-    /* Allocate size + 1 to guarantee we are null terminated */
+    /* Allocate size + 1 to guarantee null terminated */
     protoList = (char*)XMALLOC(protocolsLen + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (protoList == NULL) {
         return MEMORY_E;
     }
 
-    /* GetStringUTFRegion() does not need to be freed/released */
-    (*jenv)->GetStringUTFRegion(jenv, protocols, 0, protocolsLen, protoList);
+    /* Copy byte array directly */
+    (*jenv)->GetByteArrayRegion(jenv, protocols, 0, protocolsLen,
+        (jbyte*)protoList);
+    if ((*jenv)->ExceptionCheck(jenv)) {
+        XFREE(protoList, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        return SSL_FAILURE;
+    }
     protoList[protocolsLen] = '\0';
 
     ret = wolfSSL_UseALPN(ssl, protoList, protocolsLen, (int)options);
diff --git a/native/com_wolfssl_WolfSSLSession.h b/native/com_wolfssl_WolfSSLSession.h
diff --git a/src/java/com/wolfssl/WolfSSLSession.java b/src/java/com/wolfssl/WolfSSLSession.java
@@ -694,6 +694,8 @@ private native int setTlsHmacInner(long ssl, byte[] inner, long sz,
     private native int sslSetAlpnProtos(long ssl, byte[] alpnProtos);
     private native byte[] sslGet0AlpnSelected(long ssl);
     private native int useALPN(long ssl, String protocols, int options);
+    private native int useALPNByteArray(long ssl, byte[] protocols,
+            int options);
     private native int setALPNSelectCb(long ssl);
     private native int setTls13SecretCb(long ssl);
     private native int setSessionTicketCb(long ssl);
@@ -5504,8 +5506,11 @@ public int useALPN(byte[] alpnProtos) throws IllegalStateException {
      */
     public int useALPN(String[] protocols, int options) {
 
-        /* all protocols, comma delimited */
-        StringBuilder allProtocols = new StringBuilder();
+        int i;
+        int totalLen = 0;
+        byte[][] protoBytes = null;
+        byte[] allProtocols = null;
+        int offset = 0;
 
         confirmObjectIsActive();
 
@@ -5515,19 +5520,38 @@ public int useALPN(String[] protocols, int options) {
                 () -> "entered useALPN(String[], int)");
         }
 
-        if (protocols == null) {
+        if (protocols == null || protocols.length == 0) {
             return WolfSSL.BAD_FUNC_ARG;
         }
 
-        for (int i = 0; i < protocols.length; i++) {
-            if (i != 0) {
-                allProtocols.append(",");
+        /* Convert each protocol String to bytes using ISO-8859-1 (Latin-1).
+         * This preserves byte values 0-255, which is required for ALPN
+         * protocol names that contain non-ASCII bytes (eg GREASE values). */
+        protoBytes = new byte[protocols.length][];
+        for (i = 0; i < protocols.length; i++) {
+            if (protocols[i] == null) {
+                return WolfSSL.BAD_FUNC_ARG;
             }
-            allProtocols.append(protocols[i]);
+            protoBytes[i] = protocols[i].getBytes(StandardCharsets.ISO_8859_1);
+            totalLen += protoBytes[i].length;
+            if (i > 0) {
+                totalLen += 1; /* comma separator */
+            }
+        }
+
+        /* Build comma-delimited byte array of all protocols */
+        allProtocols = new byte[totalLen];
+        for (i = 0; i < protoBytes.length; i++) {
+            if (i > 0) {
+                allProtocols[offset++] = (byte)',';
+            }
+            System.arraycopy(protoBytes[i], 0, allProtocols, offset,
+                protoBytes[i].length);
+            offset += protoBytes[i].length;
         }
 
         synchronized (sslLock) {
-            return useALPN(this.sslPtr, allProtocols.toString(), options);
+            return useALPNByteArray(this.sslPtr, allProtocols, options);
         }
     }
 
@@ -5574,7 +5598,11 @@ public String getAlpnSelectedString() throws IllegalStateException {
         alpnSelectedBytes = getAlpnSelected();
 
         if (alpnSelectedBytes != null) {
-            return new String(alpnSelectedBytes, StandardCharsets.UTF_8);
+            /* Use ISO-8859-1 (Latin-1) to preserve raw byte values 0-255.
+             * This is needed for ALPN protocol names containing non-ASCII
+             * bytes (eg GREASE values). UTF-8 would corrupt bytes > 127 that
+             * are not valid UTF-8 sequences. */
+            return new String(alpnSelectedBytes, StandardCharsets.ISO_8859_1);
         } else {
             return null;
         }
diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLSocketTest.java
@@ -43,6 +43,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.StringWriter;
 import java.io.PrintWriter;
+import java.nio.charset.StandardCharsets;
 import java.net.Socket;
 import java.net.ServerSocket;
 import java.net.SocketAddress;
@@ -967,6 +968,26 @@ public void testClientServerThreadedAlpnSelectCallback() throws Exception {
         cArgs.setAlpnList(new String[] {"h2", "http/1.1"});
         alpnClientServerRunner(sArgs, cArgs, true);
 
+        /* Successful test:
+         * ALPN with GREASE bytes (RFC 8701) containing non-ASCII values.
+         * Tests that bytes > 127 are preserved correctly through useALPN()
+         * and getAlpnSelectedString(). */
+        byte[] greaseBytes = new byte[] {
+            (byte)0x0A, (byte)0x1A, (byte)0x2A, (byte)0x3A,
+            (byte)0x4A, (byte)0x5A, (byte)0x6A, (byte)0x7A,
+            (byte)0x8A, (byte)0x9A, (byte)0xAA, (byte)0xBA,
+            (byte)0xCA, (byte)0xDA, (byte)0xEA, (byte)0xFA
+        };
+        String greaseString = new String(greaseBytes,
+            StandardCharsets.ISO_8859_1);
+        sArgs = new TestArgs(null, null, true, true, true, null);
+        sArgs.setAlpnList(new String[] {greaseString});
+        sArgs.setExpectedAlpn(greaseString);
+        cArgs = new TestArgs(null, null, false, false, true, null);
+        cArgs.setAlpnList(new String[] {greaseString});
+        cArgs.setExpectedAlpn(greaseString);
+        alpnClientServerRunner(sArgs, cArgs, false);
+
         System.out.println("\t... passed");
     }
 
diff --git a/src/test/com/wolfssl/test/WolfSSLSessionTest.java b/src/test/com/wolfssl/test/WolfSSLSessionTest.java
@@ -44,6 +44,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.CountDownLatch;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
 import java.security.Security;
 
 import com.wolfssl.WolfSSL;
@@ -886,6 +887,60 @@ public void test_WolfSSLSession_useALPN()
         System.out.println("\t\t\t... passed");
     }
 
+    /**
+     * Test useALPN() with non-ASCII GREASE byte values.
+     *
+     * GREASE (Generate Random Extensions And Sustain Extensibility) values
+     * include high bytes (greater than 127) which would be corrupted by UTF-8
+     * encoding. This test verifies that ALPN protocol names are encoded using
+     * ISO-8859-1 to preserve raw byte values through the JNI layer.
+     */
+    @Test
+    public void test_WolfSSLSession_useALPN_GREASE()
+        throws WolfSSLException, WolfSSLJNIException {
+
+        int ret;
+        WolfSSLSession ssl = null;
+        String greaseString;
+        String[] alpnProtos;
+
+        /* GREASE bytes per RFC 8701. Values > 127 would be corrupted by UTF-8
+         * encoding, so ISO-8859-1 must be used to preserve raw byte values. */
+        byte[] greaseBytes = new byte[] {
+            (byte)0x0A, (byte)0x1A, (byte)0x2A, (byte)0x3A,
+            (byte)0x4A, (byte)0x5A, (byte)0x6A, (byte)0x7A,
+            (byte)0x8A, (byte)0x9A, (byte)0xAA, (byte)0xBA,
+            (byte)0xCA, (byte)0xDA, (byte)0xEA, (byte)0xFA
+        };
+
+        System.out.print("\tuseALPN() GREASE");
+
+        /* Create String from bytes using ISO-8859-1 to preserve byte values */
+        greaseString = new String(greaseBytes, StandardCharsets.ISO_8859_1);
+        alpnProtos = new String[] { greaseString };
+
+        ssl = new WolfSSLSession(ctx);
+
+        try {
+            ret = ssl.useALPN(alpnProtos,
+                WolfSSL.WOLFSSL_ALPN_CONTINUE_ON_MISMATCH);
+
+            if (ret == WolfSSL.NOT_COMPILED_IN) {
+                System.out.println("\t\t... skipped");
+                return;
+
+            } else if (ret != WolfSSL.SSL_SUCCESS) {
+                System.out.println("\t\t... failed");
+                fail("Failed useALPN GREASE test, ret = " + ret);
+            }
+
+        } finally {
+            ssl.freeSSL();
+        }
+
+        System.out.println("\t\t... passed");
+    }
+
     @Test
     public void test_WolfSSLSession_freeSSL()
         throws WolfSSLJNIException, WolfSSLException {
