Merge pull request wolfSSL#347 from JeremiahM37/fenrir-fixes-2

cconlon · web-flow · commit 633b2cca3c77 · 2026-03-31T12:18:10.000-06:00
Fenrir fixes
diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c
@@ -2027,7 +2027,12 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSL_x509_1getDer
 
     derCert = wolfSSL_X509_get_der(x509, &outSz);
 
-    if (outSz >= 0) {
+    if (outSz >= 0 && derCert != NULL) {
+
+        out = (*jenv)->NewByteArray(jenv, outSz);
+        if (out == NULL) {
+            return NULL;
+        }
 
         (*jenv)->SetByteArrayRegion(jenv, out, 0, outSz, (jbyte*)derCert);
         if ((*jenv)->ExceptionOccurred(jenv)) {
diff --git a/native/com_wolfssl_WolfSSLCRL.c b/native/com_wolfssl_WolfSSLCRL.c
@@ -174,7 +174,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1lastUpdate
         }
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, time, (jbyte*)timeBuf, JNI_ABORT);
+    if (timeBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, time,
+            (jbyte*)timeBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -230,7 +233,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1nextUpdate
         }
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, time, (jbyte*)timeBuf, JNI_ABORT);
+    if (timeBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, time,
+            (jbyte*)timeBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -285,8 +291,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked
         }
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, serial, (jbyte*)serialBuf,
-        JNI_ABORT);
+    if (serialBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, serial,
+            (jbyte*)serialBuf, JNI_ABORT);
+    }
     if (serialInt != NULL) {
         wolfSSL_ASN1_INTEGER_free(serialInt);
     }
@@ -329,8 +337,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked_1cert
         ret = wolfSSL_X509_CRL_add_revoked_cert(crl, certBuf, certSz);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, certDer, (jbyte*)certBuf,
-        JNI_ABORT);
+    if (certBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, certDer,
+            (jbyte*)certBuf, JNI_ABORT);
+    }
 
     return ret;
 #else
diff --git a/native/com_wolfssl_WolfSSLCertManager.c b/native/com_wolfssl_WolfSSLCertManager.c
@@ -119,9 +119,14 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertManager_CertManagerLoadCABuff
     buff = (byte*)(*jenv)->GetByteArrayElements(jenv, in, NULL);
     buffSz = (*jenv)->GetArrayLength(jenv, in);
 
-    ret = wolfSSL_CertManagerLoadCABuffer(cm, buff, buffSz, format);
-
-    (*jenv)->ReleaseByteArrayElements(jenv, in, (jbyte*)buff, JNI_ABORT);
+    if (buff != NULL) {
+        ret = wolfSSL_CertManagerLoadCABuffer(cm, buff, buffSz, format);
+        (*jenv)->ReleaseByteArrayElements(jenv, in,
+            (jbyte*)buff, JNI_ABORT);
+    }
+    else {
+        ret = BAD_FUNC_ARG;
+    }
 
     return (jint)ret;
 }
diff --git a/native/com_wolfssl_WolfSSLCertRequest.c b/native/com_wolfssl_WolfSSLCertRequest.c
@@ -136,7 +136,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertRequest_X509_1REQ_1add1_1attr
                 attr, attrSz);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, attrBytes, (jbyte*)attr, JNI_ABORT);
+    if (attr != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, attrBytes,
+            (jbyte*)attr, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -338,8 +341,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertRequest_X509_1REQ_1sign
         XMEMSET(derBuf, 0, derSz);
         XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
-    (*jenv)->ReleaseByteArrayElements(jenv, keyBytes, (jbyte*)keyBuf,
-                                      JNI_ABORT);
+    if (keyBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, keyBytes,
+            (jbyte*)keyBuf, JNI_ABORT);
+    }
     if (mdName != NULL) {
         (*jenv)->ReleaseStringUTFChars(jenv, digestAlg, mdName);
     }
@@ -447,8 +452,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertRequest_X509_1REQ_1set_1pubke
         XMEMSET(derBuf, 0, derSz);
         XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
-    (*jenv)->ReleaseByteArrayElements(jenv, fileBytes, (jbyte*)fileBuf,
-                                      JNI_ABORT);
+    if (fileBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, fileBytes,
+            (jbyte*)fileBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
diff --git a/native/com_wolfssl_WolfSSLCertificate.c b/native/com_wolfssl_WolfSSLCertificate.c
@@ -156,7 +156,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1issuer_1na
         wolfSSL_X509_free(x509In);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, certDer, (jbyte*)der, JNI_ABORT);
+    if (der != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, certDer,
+            (jbyte*)der, JNI_ABORT);
+    }
 
     return ret;
 #else
@@ -260,8 +263,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1pubkey_1na
         XMEMSET(derBuf, 0, derSz);
         XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
-    (*jenv)->ReleaseByteArrayElements(jenv, fileBytes, (jbyte*)fileBuf,
-                                      JNI_ABORT);
+    if (fileBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, fileBytes,
+            (jbyte*)fileBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -562,6 +567,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1serialNumb
         if (serial == NULL) {
             ret = WOLFSSL_FAILURE;
         }
+        else if (serialSz > (int)(serial->dataMax - 2)) {
+            wolfSSL_ASN1_INTEGER_free(serial);
+            serial = NULL;
+            ret = WOLFSSL_FAILURE;
+        }
         else {
             serial->data[0] = ASN_INTEGER;
             serial->data[1] = serialSz;
@@ -579,8 +589,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1serialNumb
         wolfSSL_ASN1_INTEGER_free(serial);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, serialBytes, (jbyte*)serialBuf,
-                                      JNI_ABORT);
+    if (serialBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, serialBytes,
+            (jbyte*)serialBuf, JNI_ABORT);
+    }
 
     return ret;
 #else
@@ -621,7 +633,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1subject_1k
         ret = wolfSSL_X509_set_subject_key_id(x509, skidBuf, skidSz);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, skid, (jbyte*)skidBuf, JNI_ABORT);
+    if (skidBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, skid,
+            (jbyte*)skidBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -693,7 +708,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1set_1authority_
         ret = wolfSSL_X509_set_authority_key_id(x509, akidBuf, akidSz);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, akid, (jbyte*)akidBuf, JNI_ABORT);
+    if (akidBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, akid,
+            (jbyte*)akidBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -767,7 +785,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1CRL_1set_1dist_
         ret = wolfSSL_X509_CRL_set_dist_points(x509, derBuf, derSz);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, der, (jbyte*)derBuf, JNI_ABORT);
+    if (derBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, der,
+            (jbyte*)derBuf, JNI_ABORT);
+    }
 
     return (jint)ret;
 #else
@@ -968,8 +989,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1sign
         XMEMSET(derBuf, 0, derSz);
         XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
-    (*jenv)->ReleaseByteArrayElements(jenv, fileBytes, (jbyte*)fileBuf,
-                                      JNI_ABORT);
+    if (fileBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, fileBytes,
+            (jbyte*)fileBuf, JNI_ABORT);
+    }
     if (mdName != NULL) {
         (*jenv)->ReleaseStringUTFChars(jenv, digestAlg, mdName);
     }
@@ -1008,7 +1031,10 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1load_1certific
     }
 
     /* release array, don't copy back contents */
-    (*jenv)->ReleaseByteArrayElements(jenv, in, (jbyte*)certBuf, JNI_ABORT);
+    if (certBuf != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, in,
+            (jbyte*)certBuf, JNI_ABORT);
+    }
 
     return (jlong)(uintptr_t)x509;
 }
diff --git a/native/com_wolfssl_WolfSSLContext.c b/native/com_wolfssl_WolfSSLContext.c
@@ -558,6 +558,7 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
     JNIEnv*   jenv;
     jint      vmret  = 0;
     jint      retval = -1;
+    int       needsDetach = 0;
     jclass    excClass = NULL;
     jclass    verifyClass = NULL;
     jmethodID verifyMethod = NULL;
@@ -579,6 +580,7 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
         if (vmret) {
             return -101;    /* failed to attach JNIEnv to thread */
         }
+        needsDetach = 1;
     } else if (vmret != JNI_OK) {
         return -102;        /* unable to get JNIEnv from JavaVM */
     }
@@ -588,6 +590,8 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
     if( (*jenv)->ExceptionOccurred(jenv)) {
         (*jenv)->ExceptionDescribe(jenv);
         (*jenv)->ExceptionClear(jenv);
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return -103;
     }
 
@@ -605,6 +609,8 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
 
             (*jenv)->ThrowNew(jenv, excClass,
                 "Can't get native WolfSSLVerifyCallback class reference");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return -104;
         }
 
@@ -618,6 +624,8 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
 
             (*jenv)->ThrowNew(jenv, excClass,
                 "Error getting verifyCallback method from JNI");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return -105;
         }
 
@@ -628,6 +636,8 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
             /* exception occurred on the Java side during method call */
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return -106;
         }
 
@@ -639,9 +649,14 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
 
         (*jenv)->ThrowNew(jenv, excClass,
                 "Object reference invalid in NativeVerifyCallback");
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return -1;
     }
 
+    if (needsDetach)
+        (*g_vm)->DetachCurrentThread(g_vm);
+
     return retval;
 }
 
diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c
@@ -105,6 +105,7 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
     JNIEnv*   jenv;
     jint      vmret  = 0;
     jint      retval = -1;
+    int       needsDetach = 0;
     jobjectRefType refcheck;
     SSLAppData* appData;            /* WOLFSSL app data, stored verify cb obj */
     jobject* g_verifySSLCbIfaceObj;  /* Global jobject, stored in app data */
@@ -125,6 +126,7 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
         if (vmret) {
             return -101;    /* failed to attach JNIEnv to thread */
         }
+        needsDetach = 1;
     } else if (vmret != JNI_OK) {
         return -102;        /* unable to get JNIEnv from JavaVM */
     }
@@ -134,13 +136,17 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
                 wolfSSL_X509_STORE_CTX_get_ex_data(store, 0));
     if (appData == NULL) {
         printf("Error getting app data from WOLFSSL\n");
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return -105;
     }
 
     /* get global Java verify callback object */
     g_verifySSLCbIfaceObj = appData->g_verifySSLCbIfaceObj;
     if (g_verifySSLCbIfaceObj == NULL || *g_verifySSLCbIfaceObj == NULL) {
         printf("Error getting g_verifySSLCbIfaceObj from appData\n");
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return -106;
     }
 
@@ -156,6 +162,8 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
 
             throwWolfSSLJNIException(jenv,
                 "verifyCallback method ID is null in NativeSSLVerifyCallback");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return -107;
         }
 
@@ -167,6 +175,8 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
             /* exception occurred on the Java side during method call */
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return -109;
         }
 
@@ -178,9 +188,14 @@ int NativeSSLVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
 
         throwWolfSSLJNIException(jenv,
                 "Object reference invalid in NativeSSLVerifyCallback");
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return -1;
     }
 
+    if (needsDetach)
+        (*g_vm)->DetachCurrentThread(g_vm);
+
     return retval;
 }
 
diff --git a/native/com_wolfssl_WolfSSLX509Name.c b/native/com_wolfssl_WolfSSLX509Name.c
@@ -106,8 +106,13 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLX509Name_X509_1NAME_1add_1entry_1
                 entry, len, (int)loc, (int)set);
     }
 
-    (*jenv)->ReleaseByteArrayElements(jenv, entryArr, (jbyte*)entry, JNI_ABORT);
-    (*jenv)->ReleaseStringUTFChars(jenv, fieldStr, field);
+    if (entry != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, entryArr,
+            (jbyte*)entry, JNI_ABORT);
+    }
+    if (field != NULL) {
+        (*jenv)->ReleaseStringUTFChars(jenv, fieldStr, field);
+    }
 
     return (jint)ret;
 #else
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java
@@ -284,7 +284,7 @@ protected void resizeCache(int sz, int side) {
 
         /* @TODO check for side server/client, currently a resize is for all */
         synchronized (storeLock) {
-            store.putAll(newStore);
+            newStore.putAll(store);
             store = newStore;
         }
     }
diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLSessionContextTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLSessionContextTest.java

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1lastUpdate`
`174`	`174`	`}`
`175`	`175`	`}`
`176`	`176`
`177`		`- (jenv)->ReleaseByteArrayElements(jenv, time, (jbyte)timeBuf, JNI_ABORT);`
	`177`	`+ if (timeBuf != NULL) {`
	`178`	`+ (*jenv)->ReleaseByteArrayElements(jenv, time,`
	`179`	`+ (jbyte*)timeBuf, JNI_ABORT);`
	`180`	`+ }`
`178`	`181`
`179`	`182`	`return (jint)ret;`
`180`	`183`	`#else`
`@@ -230,7 +233,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1nextUpdate`
`230`	`233`	`}`
`231`	`234`	`}`
`232`	`235`
`233`		`- (jenv)->ReleaseByteArrayElements(jenv, time, (jbyte)timeBuf, JNI_ABORT);`
	`236`	`+ if (timeBuf != NULL) {`
	`237`	`+ (*jenv)->ReleaseByteArrayElements(jenv, time,`
	`238`	`+ (jbyte*)timeBuf, JNI_ABORT);`
	`239`	`+ }`
`234`	`240`
`235`	`241`	`return (jint)ret;`
`236`	`242`	`#else`
`@@ -285,8 +291,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked`
`285`	`291`	`}`
`286`	`292`	`}`
`287`	`293`
`288`		`- (jenv)->ReleaseByteArrayElements(jenv, serial, (jbyte)serialBuf,`
`289`		`- JNI_ABORT);`
	`294`	`+ if (serialBuf != NULL) {`
	`295`	`+ (*jenv)->ReleaseByteArrayElements(jenv, serial,`
	`296`	`+ (jbyte*)serialBuf, JNI_ABORT);`
	`297`	`+ }`
`290`	`298`	`if (serialInt != NULL) {`
`291`	`299`	`wolfSSL_ASN1_INTEGER_free(serialInt);`
`292`	`300`	`}`
`@@ -329,8 +337,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked_1cert`
`329`	`337`	`ret = wolfSSL_X509_CRL_add_revoked_cert(crl, certBuf, certSz);`
`330`	`338`	`}`
`331`	`339`
`332`		`- (jenv)->ReleaseByteArrayElements(jenv, certDer, (jbyte)certBuf,`
`333`		`- JNI_ABORT);`
	`340`	`+ if (certBuf != NULL) {`
	`341`	`+ (*jenv)->ReleaseByteArrayElements(jenv, certDer,`
	`342`	`+ (jbyte*)certBuf, JNI_ABORT);`
	`343`	`+ }`
`334`	`344`
`335`	`345`	`return ret;`
`336`	`346`	`#else`
Original file line number	Diff line number	Diff line change
`@@ -284,7 +284,7 @@ protected void resizeCache(int sz, int side) {`
`284`	`284`
`285`	`285`	`/* @TODO check for side server/client, currently a resize is for all */`
`286`	`286`	`synchronized (storeLock) {`
`287`		`- store.putAll(newStore);`
	`287`	`+ newStore.putAll(store);`
`288`	`288`	`store = newStore;`
`289`	`289`	`}`
`290`	`290`	`}`