JNI/JSSE: fix global ref lifecycle for verify and missing-CRL callbacks

Author: cconlon

native/com_wolfssl_WolfSSL.c

@@ -71,6 +71,10 @@ jmethodID g_bufferArrayOffsetMethodId = NULL;
 jmethodID g_bufferSetPositionMethodId = NULL;
 jmethodID g_verifyCallbackMethodId = NULL;
 
+/* WOLFSSL_CTX ex_data slot for per-context verify callback jobject.
+ * -1 means not allocated. Populated in Java_com_wolfssl_WolfSSL_init(). */
+int g_verifyCbCtxExDataIdx = -1;
+
 #ifdef HAVE_FIPS
 /* global object ref for FIPS error callback */
 static jobject g_fipsCbIfaceObj;
@@ -230,6 +234,10 @@ JNIEXPORT void JNICALL JNI_OnUnload(JavaVM* vm, void* reserved)
         return;
     }
 
+    /* Release process global jobject refs at CTX and session levels */
+    NativeWolfSSLContextCleanup(env);
+    NativeWolfSSLSessionCleanup(env);
+
     /* Clear cached method ID */
     g_sslIORecvMethodId = NULL;
     g_sslIORecvMethodId_BB = NULL;
@@ -431,7 +439,18 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_init
 #endif /* HAVE_FIPS && HAVE_FIPS_VERSION == 5 */
 
     if (ret == 0) {
-        return (jint)wolfSSL_Init();
+        ret = (int)wolfSSL_Init();
+        if (ret == WOLFSSL_SUCCESS && g_verifyCbCtxExDataIdx < 0) {
+            /* Allocate WOLFSSL_CTX ex_data slot for per-context verify
+             * callback jobject. Done once at library init so index is shared
+             * by all WolfSSLContext instances. If allocation fails,
+             * setVerify() will return an error. */
+            int idx = wolfSSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+            if (idx >= 0) {
+                g_verifyCbCtxExDataIdx = idx;
+            }
+        }
+        return (jint)ret;
     } else {
         return (jint)WOLFSSL_FAILURE;
     }

native/com_wolfssl_WolfSSLContext.c

@@ -35,9 +35,9 @@
 #include "com_wolfssl_globals.h"
 #include "com_wolfssl_WolfSSLContext.h"
 
-/* global object refs for verify, CRL callbacks */
-static jobject g_verifyCbIfaceObj;
-
+/* The CTX-level missing-CRL callback below is process-global. wolfSSL
+ * CbMissingCRL signature has no SSL/CTX pointer, so native wolfSSL cannot
+ * route per instance. */
 #ifdef HAVE_CRL
 static jobject g_crlCtxCbIfaceObj;
 #endif
@@ -498,26 +498,36 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLContext_useCertificateChainFile
 #endif
 }
 
-JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLContext_freeContext
-  (JNIEnv* jenv, jobject jcl, jlong ctxPtr)
+/* Release process-global CRL ctx callback ref. Called from JNI_OnUnload() */
+void NativeWolfSSLContextCleanup(JNIEnv* jenv)
 {
-    WOLFSSL_CTX* ctx = (WOLFSSL_CTX*)(uintptr_t)ctxPtr;
-    (void)jenv;
-    (void)jcl;
-
-    /* release verify callback object if set */
-    if (g_verifyCbIfaceObj != NULL) {
-        (*jenv)->DeleteGlobalRef(jenv, g_verifyCbIfaceObj);
-        g_verifyCbIfaceObj = NULL;
+    if (jenv == NULL) {
+        return;
     }
-
 #ifdef HAVE_CRL
-    /* release global CRL callback object if set */
     if (g_crlCtxCbIfaceObj != NULL) {
         (*jenv)->DeleteGlobalRef(jenv, g_crlCtxCbIfaceObj);
         g_crlCtxCbIfaceObj = NULL;
     }
-#endif /* HAVE_CRL */
+#endif
+}
+
+JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLContext_freeContext
+  (JNIEnv* jenv, jobject jcl, jlong ctxPtr)
+{
+    WOLFSSL_CTX* ctx = (WOLFSSL_CTX*)(uintptr_t)ctxPtr;
+    jobject verifyCb = NULL;
+    (void)jcl;
+
+    /* release per-context verify callback jobject if set */
+    if (ctx != NULL && jenv != NULL && g_verifyCbCtxExDataIdx >= 0) {
+        verifyCb = (jobject)wolfSSL_CTX_get_ex_data(ctx,
+            g_verifyCbCtxExDataIdx);
+        if (verifyCb != NULL) {
+            (*jenv)->DeleteGlobalRef(jenv, verifyCb);
+            (void)wolfSSL_CTX_set_ex_data(ctx, g_verifyCbCtxExDataIdx, NULL);
+        }
+    }
 
     /* wolfSSL checks for null pointer */
     wolfSSL_CTX_free(ctx);
@@ -527,31 +537,60 @@ JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLContext_setVerify(JNIEnv* jenv,
     jobject jcl, jlong ctxPtr, jint mode, jobject callbackIface)
 {
     WOLFSSL_CTX* ctx = (WOLFSSL_CTX*)(uintptr_t)ctxPtr;
+    jobject prior = NULL;
+    jobject newRef = NULL;
     (void)jcl;
 
-    if (jenv == NULL) {
+    if (jenv == NULL || ctx == NULL) {
         return;
     }
 
-    /* release verify callback object if set before */
-    if (g_verifyCbIfaceObj != NULL) {
-        (*jenv)->DeleteGlobalRef(jenv, g_verifyCbIfaceObj);
-        g_verifyCbIfaceObj = NULL;
+    if (g_verifyCbCtxExDataIdx < 0) {
+        /* ex_data slot was not allocated at init, cannot store per-CTX cb */
+        throwWolfSSLJNIException(jenv,
+            "Verify callback ex_data slot not allocated");
+        return;
     }
 
+    /* Capture the prior per-CTX verify callback jobject for release after
+     * the new state is fully installed. The slot is only cleared/replaced
+     * once the new state is committed, so a concurrent handshake firing
+     * NativeVerifyCallback never sees a transient NULL. */
+    prior = (jobject)wolfSSL_CTX_get_ex_data(ctx, g_verifyCbCtxExDataIdx);
+
     if (!callbackIface) {
+        /* Unhook the native verify callback first so wolfSSL stops routing
+         * handshakes through it, then clear the ex_data slot. */
         wolfSSL_CTX_set_verify(ctx, mode, NULL);
+        (void)wolfSSL_CTX_set_ex_data(ctx, g_verifyCbCtxExDataIdx, NULL);
     }
     else {
-        /* store Java verify Interface object */
-        g_verifyCbIfaceObj = (*jenv)->NewGlobalRef(jenv, callbackIface);
-        if (g_verifyCbIfaceObj == NULL) {
-            printf("error storing global callback interface\n");
+        /* Store Java verify Interface object as a per-CTX global ref. */
+        newRef = (*jenv)->NewGlobalRef(jenv, callbackIface);
+        if (newRef == NULL) {
+            throwWolfSSLJNIException(jenv,
+                "Error storing verify callback global reference");
+            return;
+        }
+        /* Atomically swap the ex_data slot from prior to newRef. */
+        if (wolfSSL_CTX_set_ex_data(ctx, g_verifyCbCtxExDataIdx, newRef)
+                != WOLFSSL_SUCCESS) {
+            (*jenv)->DeleteGlobalRef(jenv, newRef);
+            throwWolfSSLJNIException(jenv,
+                "Error storing verify callback in ctx ex_data");
+            return;
         }
 
-        /* set verify mode, register Java callback with wolfSSL */
+        /* Ensure the native verify callback is registered. */
         wolfSSL_CTX_set_verify(ctx, mode, NativeVerifyCallback);
     }
+
+    /* Release the prior global ref last. A concurrent handshake that read
+     * 'prior' from ex_data before the update above will still complete with
+     * that ref valid for the duration of its callback. */
+    if (prior != NULL) {
+        (*jenv)->DeleteGlobalRef(jenv, prior);
+    }
 }
 
 int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
@@ -564,6 +603,9 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
     jclass    verifyClass = NULL;
     jmethodID verifyMethod = NULL;
     jobjectRefType refcheck;
+    WOLFSSL*     ssl = NULL;
+    WOLFSSL_CTX* ctx = NULL;
+    jobject      verifyCbObj = NULL;
 
     if (!g_vm) {
         /* we can't throw an exception yet, so just return 0 (failure) */
@@ -596,12 +638,38 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
         return -103;
     }
 
+    /* Locate the per-context verify callback jobject via
+     * store->ssl->ctx->ex_data. The jobject is owned by the WOLFSSL_CTX
+     * that produced this handshake, so each context fires its own user
+     * callback. Done after JNIEnv attach so we can throw an exception
+     * if the slot is unexpectedly empty. */
+    if (g_verifyCbCtxExDataIdx >= 0 && store != NULL) {
+        ssl = (WOLFSSL*)wolfSSL_X509_STORE_CTX_get_ex_data(store,
+            wolfSSL_get_ex_data_X509_STORE_CTX_idx());
+        if (ssl != NULL) {
+            ctx = wolfSSL_get_SSL_CTX(ssl);
+        }
+        if (ctx != NULL) {
+            verifyCbObj = (jobject)wolfSSL_CTX_get_ex_data(ctx,
+                g_verifyCbCtxExDataIdx);
+        }
+    }
+    if (verifyCbObj == NULL) {
+        (*jenv)->ThrowNew(jenv, excClass,
+            "No Java verify callback registered for WOLFSSL_CTX in "
+            "NativeVerifyCallback");
+        if (needsDetach) {
+            (*g_vm)->DetachCurrentThread(g_vm);
+        }
+        return -1;
+    }
+
     /* check if our stored object reference is valid */
-    refcheck = (*jenv)->GetObjectRefType(jenv, g_verifyCbIfaceObj);
+    refcheck = (*jenv)->GetObjectRefType(jenv, verifyCbObj);
     if (refcheck == 2) {
 
         /* lookup WolfSSLVerifyCallback class from global object ref */
-        verifyClass = (*jenv)->GetObjectClass(jenv, g_verifyCbIfaceObj);
+        verifyClass = (*jenv)->GetObjectClass(jenv, verifyCbObj);
         if (!verifyClass) {
             if ((*jenv)->ExceptionOccurred(jenv)) {
                 (*jenv)->ExceptionDescribe(jenv);
@@ -630,7 +698,7 @@ int NativeVerifyCallback(int preverify_ok, WOLFSSL_X509_STORE_CTX* store)
             return -105;
         }
 
-        retval = (*jenv)->CallIntMethod(jenv, g_verifyCbIfaceObj,
+        retval = (*jenv)->CallIntMethod(jenv, verifyCbObj,
                 verifyMethod, preverify_ok, (jlong)(uintptr_t)store);
 
         if ((*jenv)->ExceptionOccurred(jenv)) {

native/com_wolfssl_WolfSSLSession.c

@@ -73,7 +73,9 @@ int NativeSessionTicketCb(WOLFSSL *ssl, const unsigned char* ticket,
 #endif
 
 #ifdef HAVE_CRL
-/* global object refs for CRL callback */
+/* Process-global jobject for the missing-CRL callback registered via
+ * Java_com_wolfssl_WolfSSLSession_setCRLCb(). wolfSSL CbMissingCRL has no
+ * SSL/CTX pointer, so native wolfSSL cannot route per-instance. */
 static jobject g_crlCbIfaceObj;
 #endif
 
@@ -1756,6 +1758,22 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_accept
     return ret;
 }
 
+/* Release process-global session-level missing-CRL callback ref. Called
+ * from JNI_OnUnload() in com_wolfssl_WolfSSL.c so the global is torn
+ * down at native library unload. */
+void NativeWolfSSLSessionCleanup(JNIEnv* jenv)
+{
+    if (jenv == NULL) {
+        return;
+    }
+#ifdef HAVE_CRL
+    if (g_crlCbIfaceObj != NULL) {
+        (*jenv)->DeleteGlobalRef(jenv, g_crlCbIfaceObj);
+        g_crlCbIfaceObj = NULL;
+    }
+#endif
+}
+
 JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLSession_freeSSL
   (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {
@@ -1857,14 +1875,6 @@ JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLSession_freeSSL
         return;
     }
 
-#ifdef HAVE_CRL
-    /* release global CRL callback ref if registered */
-    if (g_crlCbIfaceObj != NULL) {
-        (*jenv)->DeleteGlobalRef(jenv, g_crlCbIfaceObj);
-        g_crlCbIfaceObj = NULL;
-    }
-#endif
-
 #if defined(HAVE_PK_CALLBACKS)
     #ifdef HAVE_ECC
         /* free ECC sign callback CTX global reference if set */

native/com_wolfssl_globals.h

@@ -46,6 +46,12 @@ extern jmethodID g_bufferArrayOffsetMethodId;     /* ByteBuffer.arrayOffset() */
 extern jmethodID g_bufferSetPositionMethodId;      /* ByteBuffer.position(int) */
 extern jmethodID g_verifyCallbackMethodId;         /* WolfSSLVerifyCallback.verifyCallback */
 
+/* WOLFSSL_CTX ex_data index used to store the per-WolfSSLContext jobject ref
+ * to the user WolfSSLVerifyCallback. Allocated once in
+ * Java_com_wolfssl_WolfSSL_init via wolfSSL_CTX_get_ex_new_index(). A
+ * negative value means the slot has not yet been allocated. */
+extern int g_verifyCbCtxExDataIdx;
+
 /* struct to hold I/O class, object refs */
 typedef struct {
     int active;
@@ -61,4 +67,8 @@ unsigned int NativePskServerCb(WOLFSSL* ssl, const char* identity,
 void throwWolfSSLJNIException(JNIEnv* jenv, const char* msg);
 void throwWolfSSLException(JNIEnv* jenv, const char* msg);
 
+/* Release process-global jobject refs. Called from JNI_OnUnload() */
+void NativeWolfSSLContextCleanup(JNIEnv* jenv);
+void NativeWolfSSLSessionCleanup(JNIEnv* jenv);
+
 #endif