wrap useClientSuites() in WolfSSLSession, modify logic in WolfSSLEngineHelper

Author: rlm2002

native/com_wolfssl_WolfSSLSession.c

@@ -5874,6 +5874,23 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_hasTicket
 #endif
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useClientSuites
+  (JNIEnv* jenv, jobject jcl, jlong sslPtr)
+{
+    (void)jcl;
+#if !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
+    if (jenv == NULL || ssl == NULL) {
+        return WOLFSSL_FAILURE;
+    }
+    return (jint)wolfSSL_UseClientSuites(ssl);
+#else
+    (void)jenv;
+    (void)sslPtr;
+    return (jint)NOT_COMPILED_IN;
+#endif
+}
+
 JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_interruptBlockedIO
   (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {

native/com_wolfssl_WolfSSLSession.h

@@ -693,6 +693,7 @@ private native int setTlsHmacInner(long ssl, byte[] inner, long sz,
     private native int useSupportedCurve(long ssl, int name);
     private native int disableExtendedMasterSecret(long ssl);
     private native int hasTicket(long session);
+    private native int useClientSuites(long ssl);
     private native int interruptBlockedIO(long ssl);
     private native int getThreadsBlockedInPoll(long ssl);
     private native int setMTU(long ssl, int mtu);
@@ -2476,6 +2477,28 @@ public long getTimeout() throws IllegalStateException {
         }
     }
 
+    /**
+     * 
+     * Set SSL session to use Client cipher suite order preference.
+     * 
+     * @return      <code>SSL_SUCCESS</code> upon success. <code>
+     *              SSL_FAILURE</code> upon failure.
+     * @throws IllegalStateException WolfSSLSession has been freed
+     *
+     */
+    public int useClientSuites() throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        synchronized (sslLock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.sslPtr,
+                () -> "entered useClientSuites()");
+
+            return useClientSuites(this.sslPtr);
+        }
+    }
+
     /**
      * Sets the cipher suite list for a given SSL session.
      * The ciphers in the list should be sorted in order of preference from

src/java/com/wolfssl/WolfSSLSession.java

@@ -759,6 +759,11 @@ private void setLocalCiphers(String[] suites)
                 }
             }
 
+            if (this.ssl.getSide() == WolfSSL.WOLFSSL_SERVER_END &&
+                !this.params.getUseCipherSuitesOrder()) {
+                this.ssl.useClientSuites();
+            }
+
         } catch (IllegalStateException e) {
             throw new IllegalArgumentException(e);
         }

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -321,6 +321,93 @@ public void testGetSetEnabledCipherSuites()
         System.out.println("\t... passed");
     }
 
+    @Test
+    public void testServerUsesClientCipherSuitePreference() throws Exception {
+
+        System.out.print("\tTesting client suite preference");
+
+        this.ctx = tf.createSSLContext("TLS", "wolfJSSE");
+
+        String[] serverSuites = {
+            "TLS_AES_256_GCM_SHA384",
+            "TLS_AES_128_GCM_SHA256"
+        };
+
+        String[] clientSuites = {
+            "TLS_AES_128_GCM_SHA256",
+            "TLS_AES_256_GCM_SHA384"
+        };
+
+        /* --- Case 1: default (server order) --- */
+        SSLServerSocket ss1 = (SSLServerSocket)ctx.getServerSocketFactory()
+            .createServerSocket(0);
+        ss1.setEnabledCipherSuites(serverSuites);
+
+        SSLSocket cs1 = (SSLSocket)ctx.getSocketFactory().createSocket();
+        cs1.setEnabledCipherSuites(clientSuites);
+        cs1.connect(new InetSocketAddress(ss1.getLocalPort()));
+
+        final SSLSocket server1 = (SSLSocket)ss1.accept();
+
+        ExecutorService es = Executors.newSingleThreadExecutor();
+        Future<Void> f1 = es.submit(() -> {
+            server1.startHandshake();
+            return null;
+        });
+
+        cs1.startHandshake();
+        f1.get();
+
+        String chosen1 = cs1.getSession().getCipherSuite();
+        if (!"TLS_AES_256_GCM_SHA384".equals(chosen1)) {
+            System.out.println("\t... failed");
+            fail("Expected server preference cipher (AES_256), got "
+                  + chosen1);
+        }
+
+        cs1.close();
+        server1.close();
+        ss1.close();
+
+        /* --- Case 2: server honors client order --- */
+        SSLServerSocket ss2 = (SSLServerSocket)ctx.getServerSocketFactory()
+            .createServerSocket(0);
+        ss2.setEnabledCipherSuites(serverSuites);
+
+        /* Do not honor local cipher suites preference */
+        SSLParameters ss2Params = ss2.getSSLParameters();
+        ss2Params.setUseCipherSuitesOrder(false);
+        ss2.setSSLParameters(ss2Params);
+
+        SSLSocket cs2 = (SSLSocket)ctx.getSocketFactory().createSocket();
+        cs2.setEnabledCipherSuites(clientSuites);
+        cs2.connect(new InetSocketAddress(ss2.getLocalPort()));
+
+        final SSLSocket server2 = (SSLSocket)ss2.accept();
+
+        Future<Void> f2 = es.submit(() -> {
+            server2.startHandshake();
+            return null;
+        });
+
+        cs2.startHandshake();
+        f2.get();
+
+        String chosen2 = cs2.getSession().getCipherSuite();
+        if (!"TLS_AES_128_GCM_SHA256".equals(chosen2)) {
+            System.out.println("\t... failed");
+            fail("Expected client preference cipher (AES_128), got "
+                 + chosen2);
+        }
+
+        cs2.close();
+        server2.close();
+        ss2.close();
+        es.shutdown();
+
+        System.out.println("\t... passed");
+    }
+
     @Test
     public void testGetSupportedProtocols()
         throws NoSuchProviderException, NoSuchAlgorithmException {
@@ -3402,14 +3489,14 @@ public void testAutoSNIProperty() throws Exception {
     public void testSNIMatchers() throws Exception {
 
         System.out.print("\tTesting SNI Matchers");
-    
+
         /* create new CTX */
         this.ctx = tf.createSSLContext("TLS", ctxProvider);
-    
+
         /* create SSLServerSocket first to get ephemeral port */
         final SSLServerSocket ss = (SSLServerSocket)ctx.getServerSocketFactory()
             .createServerSocket(0);
-    
+
         /* Configure SNI matcher for server*/
         SNIMatcher matcher = SNIHostName.createSNIMatcher("www\\.example\\.com");
         Collection<SNIMatcher> matchers = new ArrayList<>();
@@ -3436,7 +3523,7 @@ public void testSNIMatchers() throws Exception {
             cs.setSSLParameters(cp);
 
             final SSLSocket serverMatched = (SSLSocket)ss.accept();
-        
+
             ExecutorService es = Executors.newSingleThreadExecutor();
             Future<Void> serverFuture = es.submit(new Callable<Void>() {
                 @Override
@@ -3451,10 +3538,10 @@ public Void call() throws Exception {
                     return null;
                 }
             });
-    
+
             cs.startHandshake();
             cs.close();
-    
+
             es.shutdown();
             serverFuture.get();
 
@@ -3473,7 +3560,7 @@ public Void call() throws Exception {
             cs.setSSLParameters(cp);
 
             final SSLSocket serverUnmatched = (SSLSocket)ss.accept();
-            
+
             es = Executors.newSingleThreadExecutor();
             serverFuture = es.submit(() -> {
                 try {