From ae97f8e9155151d74193c67f8870ef12d1b48217 Mon Sep 17 00:00:00 2001
From: Jonathan Gallimore
Date: Mon, 30 Sep 2024 15:19:31 +0100
Subject: [PATCH] Add support for re-keying with TLS 1.3
---
 java/org/apache/tomcat/util/net/SecureNioChannel.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 84e51bb25270..f4dbe80a19d2 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -46,6 +46,7 @@ public class SecureNioChannel extends NioChannel {
 protected SSLEngine sslEngine;
 protected boolean handshakeComplete = false;
+ protected boolean needHandshakeWrap = false;
 protected HandshakeStatus handshakeStatus; //gets set by handshake
 protected boolean closed = false;
@@ -480,6 +481,14 @@ public int read(ByteBuffer dst) throws IOException {
 //perform any tasks if needed
 if (unwrap.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
 tasks();
+ } else if (unwrap.getHandshakeStatus() == HandshakeStatus.NEED_WRAP) {
+ if (getOutboundRemaining() == 0) {
+ handshakeWrap(true);
+ } else if (needHandshakeWrap) {
+ throw new IOException(sm.getString("channel.nio.ssl.handshakeWrapPending"));
+ } else {
+ needHandshakeWrap = true;
+ }
 }
 //if we need more network data, then bail out for now.
 if (unwrap.getStatus() == Status.BUFFER_UNDERFLOW) {
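Review bot: The new `needHandshakeWrap` field in the first hunk has no comment saying what state it records, although its neighbour `handshakeStatus` carries one. Going by the only place the patch writes it, something like `// set by read() when a post-handshake NEED_WRAP could not be serviced because outbound data was still pending` would tell a maintainer why it exists and which path is expected to clear it. The class body continues outside the hunk.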
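Review bot: `needHandshakeWrap` is set to true in the final `else` of the added branch, but nothing in this patch ever clears it or performs the wrap it defers; the diffstat reports 9 insertions and all of them are in these two hunks. Once the flag is set, every later pass through this branch with outbound data still pending throws the IOException, even if a `handshakeWrap(true)` succeeded in between, and the remote peer decides when this branch is reached. Clear the flag where the wrap is done, `handshakeWrap(true); needHandshakeWrap = false;`, and have the write path (outside this hunk) issue the deferred wrap once `getOutboundRemaining() == 0`. The result of `handshakeWrap(true)` is discarded here, so a non-OK wrap status would go unnoticed, and the `channel.nio.ssl.handshakeWrapPending` key is not added by this one-file patch, so confirm it exists in the resource bundle. The body of read() starts and ends outside the hunk.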