Add regression tests

JeremiahM37 · JeremiahM37 · commit d10ee29df9f4 · 2026-04-28T16:08:15.000Z
diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java
@@ -70,6 +70,7 @@
 import java.util.concurrent.CyclicBarrier;
 import java.util.concurrent.BrokenBarrierException;
 import java.util.concurrent.atomic.AtomicIntegerArray;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
@@ -3347,5 +3348,76 @@ public void testWrapPartialDrainOffsetUpdate()
             fail("drained output does not match injected queue");
         }
     }
+
+    /* Regression: closeOutbound() before handshake must also close
+     * inbound, otherwise isInboundDone() never returns true. */
+    @Test
+    public void testCloseOutboundBeforeHandshake() throws Exception {
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine e = this.ctx.createSSLEngine();
+        e.setUseClientMode(true);
+        e.closeOutbound();
+        assertTrue(e.isOutboundDone());
+        assertTrue(e.isInboundDone());
+    }
+
+    /* Regression for wrap(ByteBuffer[], ofst, len, out) when ofst > 0:
+     * pos[]/limit[] OOB and null-check loop bound. */
+    @Test
+    public void testWrapWithBufferArrayOffset() throws Exception {
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine server = this.ctx.createSSLEngine();
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
+        server.setUseClientMode(false);
+        client.setUseClientMode(true);
+        server.beginHandshake();
+        client.beginHandshake();
+        assertEquals(0, tf.testConnection(server, client, null, null, "x"));
+
+        byte[] payload = "real-payload".getBytes();
+        ByteBuffer[] in = {ByteBuffer.wrap("DECOY".getBytes()),
+            ByteBuffer.wrap(payload)};
+        ByteBuffer net = ByteBuffer.allocateDirect(
+            client.getSession().getPacketBufferSize());
+
+        SSLEngineResult r = client.wrap(in, 1, 1, net);
+        assertEquals(SSLEngineResult.Status.OK, r.getStatus());
+        assertEquals(0, in[0].position());
+        assertEquals(payload.length, in[1].position());
+
+        net.flip();
+        ByteBuffer plain = ByteBuffer.allocate(
+            server.getSession().getApplicationBufferSize());
+        assertEquals(SSLEngineResult.Status.OK,
+            server.unwrap(net, plain).getStatus());
+        plain.flip();
+        byte[] got = new byte[plain.remaining()];
+        plain.get(got);
+        assertArrayEquals(payload, got);
+    }
+
+    /* Direct regression: wrap() null-check must reach in[ofst+len-1]. */
+    @Test(expected = SSLException.class)
+    public void testWrapRejectsNullAtOffset() throws Exception {
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine c = this.ctx.createSSLEngine("wolfSSL test", 11111);
+        c.setUseClientMode(true);
+        ByteBuffer[] in = {ByteBuffer.wrap("x".getBytes()), null};
+        c.wrap(in, 1, 1, ByteBuffer.allocateDirect(
+            c.getSession().getPacketBufferSize()));
+    }
+
+    /* Direct regression: unwrap() readOnly-check must reach
+     * out[ofst+length-1]. */
+    @Test(expected = java.nio.ReadOnlyBufferException.class)
+    public void testUnwrapRejectsReadOnlyAtOffset() throws Exception {
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine s = this.ctx.createSSLEngine();
+        s.setUseClientMode(false);
+        ByteBuffer[] out = {ByteBuffer.allocate(64),
+            ByteBuffer.allocate(64).asReadOnlyBuffer()};
+        s.unwrap(ByteBuffer.allocateDirect(
+            s.getSession().getPacketBufferSize()), out, 1, 1);
+    }
 }
 
diff --git a/src/test/com/wolfssl/test/WolfSSLSessionTest.java b/src/test/com/wolfssl/test/WolfSSLSessionTest.java
@@ -4210,5 +4210,84 @@ public void test_WolfSSLSession_dtlsCidDataExchangeAfterHandshake()
             }
         }
     }
+
+    /* Regression: read(ByteBuffer) must honor arrayOffset() so a
+     * sliced array-backed buffer reads into backing[arrayOffset+pos),
+     * not backing[pos). */
+    @Test
+    public void test_WolfSSLSession_readSlicedByteBuffer() throws Exception {
+        final ServerSocket srvSocket = new ServerSocket(0);
+        final WolfSSLContext srvCtx = createAndSetupWolfSSLContext(
+            srvCert, srvKey, WolfSSL.SSL_FILETYPE_PEM, cliCert,
+            WolfSSL.SSLv23_ServerMethod());
+        WolfSSLContext cliCtx = createAndSetupWolfSSLContext(
+            cliCert, cliKey, WolfSSL.SSL_FILETYPE_PEM, caCert,
+            WolfSSL.SSLv23_ClientMethod());
+        final byte[] payload = "sliced-buf-payload".getBytes();
+
+        ExecutorService es = Executors.newSingleThreadExecutor();
+        Future<Void> srv = es.submit(() -> {
+            try (Socket s = srvSocket.accept()) {
+                WolfSSLSession ss = new WolfSSLSession(srvCtx);
+                ss.setFd(s);
+                int r, e;
+                do { r = ss.accept(); e = ss.getError(r); }
+                while (r != WolfSSL.SSL_SUCCESS &&
+                    (e == WolfSSL.SSL_ERROR_WANT_READ ||
+                     e == WolfSSL.SSL_ERROR_WANT_WRITE));
+                ss.write(payload, payload.length, 0);
+                ss.shutdownSSL();
+                ss.freeSSL();
+            }
+            return null;
+        });
+
+        Socket cliSock = null;
+        WolfSSLSession cliSes = null;
+        try {
+            cliSock = new Socket(InetAddress.getLocalHost(),
+                srvSocket.getLocalPort());
+            cliSes = new WolfSSLSession(cliCtx);
+            cliSes.setFd(cliSock);
+            int r, e;
+            do { r = cliSes.connect(); e = cliSes.getError(r); }
+            while (r != WolfSSL.SSL_SUCCESS &&
+                (e == WolfSSL.SSL_ERROR_WANT_READ ||
+                 e == WolfSSL.SSL_ERROR_WANT_WRITE));
+
+            int prefix = 64;
+            ByteBuffer parent = ByteBuffer.allocate(256);
+            byte[] backing = parent.array();
+            byte sentinel = (byte) 0xA5;
+            Arrays.fill(backing, sentinel);
+            parent.position(prefix);
+            ByteBuffer slice = parent.slice();
+            assertEquals(prefix, slice.arrayOffset());
+
+            int total = 0;
+            while (total < payload.length) {
+                int n = cliSes.read(slice, payload.length - total, 5000);
+                if (n > 0) total += n;
+            }
+
+            for (int i = 0; i < prefix; i++) {
+                assertEquals("backing[" + i + "] corrupted",
+                    sentinel, backing[i]);
+            }
+            assertArrayEquals(payload, Arrays.copyOfRange(backing,
+                prefix, prefix + payload.length));
+            assertEquals(payload.length, slice.position());
+
+            cliSes.shutdownSSL();
+        } finally {
+            srv.get(10, TimeUnit.SECONDS);
+            es.shutdown();
+            if (cliSes != null) cliSes.freeSSL();
+            if (cliSock != null) cliSock.close();
+            srvSocket.close();
+            cliCtx.free();
+            srvCtx.free();
+        }
+    }
 }
 
