JNI: implement get/set session tickets

rlm2002 · rlm2002 · commit 899e232c3d83 · 2025-08-04T14:20:57.000-06:00
diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c
@@ -43,6 +43,9 @@
     /* Default wolfSSL_peek() timeout for wolfSSL_get_session(), ms */
     #define WOLFSSL_JNI_DEFAULT_PEEK_TIMEOUT 2000
 #endif
+#ifndef WOLFSSL_MAX_SESSION_TICKET_LEN
+    #define WOLFSSL_MAX_SESSION_TICKET_LEN 2048
+#endif
 
 #include <wolfssl/ssl.h>
 #include <wolfssl/error-ssl.h>
@@ -4799,6 +4802,78 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useSessionTicket
     return ret;
 }
 
+JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLSession_getSessionTicket
+  (JNIEnv* jenv, jobject jcl, jlong sslPtr)
+{
+    jbyteArray sessionTicket = NULL;
+#ifdef HAVE_SESSION_TICKET
+    int ret = SSL_FAILURE;
+    WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
+    word32 dataSz = WOLFSSL_MAX_SESSION_TICKET_LEN;
+    byte* dataBuf = NULL;
+
+    if (jenv == NULL || ssl == NULL) {
+        return NULL;
+    }
+
+    dataBuf = XMALLOC(dataSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (dataBuf != NULL){
+        /* get ticket data and ticket size */
+        ret = wolfSSL_get_SessionTicket(ssl, dataBuf, &dataSz);
+    }
+    if (ret == WOLFSSL_SUCCESS && dataSz > 0){
+        sessionTicket = (*jenv)->NewByteArray(jenv, dataSz);
+        (*jenv)->SetByteArrayRegion(jenv, sessionTicket, 0, dataSz,
+                                    (jbyte*)dataBuf);
+        XFREE(dataBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)sslPtr;
+    (void)dataSz;
+#endif /* HAVE_SESSION_TICKET */
+    return sessionTicket;
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_setSessionTicket
+  (JNIEnv* jenv, jobject jcl, jlong sslPtr, jbyteArray dataBuf)
+{
+    int ret = SSL_FAILURE;
+#ifdef HAVE_SESSION_TICKET
+    WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
+    byte* data = NULL;
+    word32 dataSz = 0;
+
+    if (jenv == NULL || ssl == NULL || dataBuf == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    data = (byte*)(*jenv)->GetByteArrayElements(jenv, dataBuf, NULL);
+    dataSz = (*jenv)->GetArrayLength(jenv, dataBuf);
+
+    if (data != NULL && dataSz > 0) {
+        ret = wolfSSL_set_SessionTicket(ssl, data, dataSz);
+        if (ret != WOLFSSL_SUCCESS) {
+            (*jenv)->ThrowNew(jenv, jcl,
+                "failed to set session ticket!");
+        }
+    }
+    else {
+        ret = BAD_FUNC_ARG;
+    }
+    (*jenv)->ReleaseByteArrayElements(jenv, dataBuf,
+                                        (jbyte*)data, JNI_ABORT);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)sslPtr;
+    (void)dataSz;
+    ret = NOT_COMPILED_IN;
+#endif /* HAVE_SESSION_TICKET */
+    return ret;
+}
+
 /* return 1 if last alert received was a close_notify alert, otherwise 0 */
 JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_gotCloseNotify
   (JNIEnv* jenv, jobject jcl, jlong sslPtr)
diff --git a/native/com_wolfssl_WolfSSLSession.h b/native/com_wolfssl_WolfSSLSession.h
diff --git a/src/java/com/wolfssl/WolfSSLSession.java b/src/java/com/wolfssl/WolfSSLSession.java
@@ -676,6 +676,8 @@ private native int setTlsHmacInner(long ssl, byte[] inner, long sz,
     private native int useSNI(long ssl, byte type, byte[] data);
     private native byte[] getSNIRequest(long ssl, byte type);
     private native int useSessionTicket(long ssl);
+    private native byte[] getSessionTicket(long ssl);
+    private native int setSessionTicket(long ssl, byte[] ticket);
     private native int gotCloseNotify(long ssl);
     private native int sslSetAlpnProtos(long ssl, byte[] alpnProtos);
     private native byte[] sslGet0AlpnSelected(long ssl);
@@ -5184,6 +5186,66 @@ public synchronized boolean sessionTicketsEnabled()
         return this.sessionTicketsEnabled;
     }
 
+    /** 
+     * Get session ticket for this session if session tickets are enabled.
+     * 
+     * @return session ticket as byte array, or null if not available.
+     * @throws IllegalStateException WolfSSLSession has been freed.
+     */
+    public synchronized byte[] getSessionTicket() throws IllegalStateException {
+        if (sessionTicketsEnabled()) {
+            byte[] sessionTicket = null;
+            confirmObjectIsActive();
+
+            synchronized (sslLock) {
+
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                    WolfSSLDebug.INFO, this.sslPtr,
+                    () -> "entered getSessionTicket()");
+
+                    sessionTicket = getSessionTicket(this.sslPtr);
+            }
+            return sessionTicket;
+        } else {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.sslPtr,
+                () -> "session tickets not enabled, returning null");
+            return null;
+        }
+    }
+
+    /**
+     * Set session ticket for this session.
+     * 
+     * @param sessionTicket session ticket to set for this session.
+     * @return WolfSSL.SSL_SUCCESS on success, otherwise negative.
+     * 
+     * @throws IllegalStateException WolfSSLSession has been freed
+     */
+    public int setSessionTicket(byte[] sessionTicket){
+        int ret = WolfSSL.SSL_SUCCESS;
+        if (sessionTicketsEnabled()){
+            confirmObjectIsActive();
+            synchronized (sslLock) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                    WolfSSLDebug.INFO, this.sslPtr,
+                    () -> "entered setSessionTicket()");
+                
+                if (sessionTicket != null && sessionTicket.length > 0) {
+                    ret = setSessionTicket(this.sslPtr, sessionTicket);
+                } else {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                        WolfSSLDebug.INFO, this.sslPtr,
+                        () -> "session ticket is null, not setting");
+                    ret = WolfSSL.SSL_FAILURE;
+                }
+
+            }
+        }
+        
+        return ret;
+    }
+
     /**
      * Set ALPN extension protocol for this session from encoded byte array.
      * Calls SSL_set_alpn_protos() at native level. Format starts with
