JNI/JSSE: deregister native FIPS callback in cleanup() and setFIPSCb(NULL), guard NativeFIPSErrorCallback against invalid object refs

cconlon · cconlon · commit 1a2f8810829e · 2026-02-23T17:08:04.000-07:00
diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c
@@ -1524,6 +1524,9 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_cleanup
     }
 
 #ifdef HAVE_FIPS
+    /* Deregister native FIPS callback from wolfCrypt before releasing */
+    wolfCrypt_SetCb_fips(NULL);
+
     /* release existing FIPS callback object if set */
     if (g_fipsCbIfaceObj != NULL) {
         (*jenv)->DeleteGlobalRef(jenv, g_fipsCbIfaceObj);
@@ -1696,7 +1699,6 @@ void NativeFIPSErrorCallback(const int ok, const int err,
 #ifdef HAVE_FIPS
     JNIEnv*   jenv;
     jint      vmret  = 0;
-    jclass    excClass;
     jclass    fipsCbClass;
     jmethodID errorMethod;
     jobjectRefType refcheck;
@@ -1717,70 +1719,53 @@ void NativeFIPSErrorCallback(const int ok, const int err,
         printf("Unable to get JNIEnv from JavaVM\n");
     }
 
-    /* find exception class */
-    excClass = (*jenv)->FindClass(jenv, "java/lang/Exception");
-    if ((*jenv)->ExceptionOccurred(jenv)) {
-        (*jenv)->ExceptionDescribe(jenv);
-        (*jenv)->ExceptionClear(jenv);
+    /* Just return if stored callback object reference is NULL/invalid */
+    if (g_fipsCbIfaceObj == NULL) {
         return;
     }
 
-    /* check if our stored object reference is valid */
     refcheck = (*jenv)->GetObjectRefType(jenv, g_fipsCbIfaceObj);
-    if (refcheck == JNIGlobalRefType) {
-
-        /* lookup WolfSSLLoggingCallback class from global object ref */
-        fipsCbClass = (*jenv)->GetObjectClass(jenv, g_fipsCbIfaceObj);
-        if (!fipsCbClass) {
-            if ((*jenv)->ExceptionOccurred(jenv)) {
-                (*jenv)->ExceptionDescribe(jenv);
-                (*jenv)->ExceptionClear(jenv);
-            }
-
-            (*jenv)->ThrowNew(jenv, excClass,
-                "Can't get native WolfSSLFIPSErrorCallback class reference");
-            return;
-        }
-
-        errorMethod = (*jenv)->GetMethodID(jenv, fipsCbClass,
-                                            "errorCallback",
-                                            "(IILjava/lang/String;)V");
-        if (errorMethod == 0) {
-            if ((*jenv)->ExceptionOccurred(jenv)) {
-                (*jenv)->ExceptionDescribe(jenv);
-                (*jenv)->ExceptionClear(jenv);
-            }
-            (*jenv)->ThrowNew(jenv, excClass,
-                "Error getting errorCallback method from JNI");
-            return;
+    if (refcheck != JNIGlobalRefType) {
+        if ((*jenv)->ExceptionOccurred(jenv)) {
+            (*jenv)->ExceptionDescribe(jenv);
+            (*jenv)->ExceptionClear(jenv);
         }
+        return;
+    }
 
-        /* create jstring from char* */
-        hashString = (*jenv)->NewStringUTF(jenv, hash);
-
-        (*jenv)->CallVoidMethod(jenv, g_fipsCbIfaceObj, errorMethod,
-                ok, err, hashString);
-
-        /* release local reference to jstring, since returning to native */
-        (*jenv)->DeleteLocalRef(jenv, hashString);
-
+    /* lookup WolfSSLFIPSErrorCallback class from global object ref */
+    fipsCbClass = (*jenv)->GetObjectClass(jenv, g_fipsCbIfaceObj);
+    if (!fipsCbClass) {
         if ((*jenv)->ExceptionOccurred(jenv)) {
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
-
-            (*jenv)->ThrowNew(jenv, excClass,
-                    "Error calling FIPS error callback from JNI");
-            return;
         }
+        return;
+    }
 
-    } else {
+    errorMethod = (*jenv)->GetMethodID(jenv, fipsCbClass,
+                                        "errorCallback",
+                                        "(IILjava/lang/String;)V");
+    if (errorMethod == 0) {
         if ((*jenv)->ExceptionOccurred(jenv)) {
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
         }
+        return;
+    }
+
+    /* create jstring from char* */
+    hashString = (*jenv)->NewStringUTF(jenv, hash);
+
+    (*jenv)->CallVoidMethod(jenv, g_fipsCbIfaceObj, errorMethod,
+            ok, err, hashString);
+
+    /* release local reference to jstring, since returning to native */
+    (*jenv)->DeleteLocalRef(jenv, hashString);
 
-        (*jenv)->ThrowNew(jenv, excClass,
-                "Object reference invalid in NativeFIPSErrorCallback");
+    if ((*jenv)->ExceptionOccurred(jenv)) {
+        (*jenv)->ExceptionDescribe(jenv);
+        (*jenv)->ExceptionClear(jenv);
     }
 #else
     (void)ok;
@@ -1820,6 +1805,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_setFIPSCb
             ret = SSL_SUCCESS;
         }
     }
+    else {
+        /* NULL callback, deregister native FIPS callback */
+        wolfCrypt_SetCb_fips(NULL);
+        ret = SSL_SUCCESS;
+    }
 #else
     (void)jenv;
     (void)callback;
