wolfSSL
diff --git a/‎src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java‎
Lines changed: 227 additions & 0 deletions b/‎src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java‎
Lines changed: 227 additions & 0 deletions
@@ -3253,4 +3253,231 @@ public void testBufferOverflowSmallOutput()
 
         pass("\t\t... passed");
     }
+
+    @Test
+    public void testCloseOutboundBeforeHandshake()
+        throws NoSuchProviderException, NoSuchAlgorithmException,
+               KeyManagementException, KeyStoreException,
+               CertificateException, IOException,
+               UnrecoverableKeyException {
+
+        /* Regression: closeOutbound() before handshake started must
+         * also close inbound, otherwise isInboundDone() never returns
+         * true and callers loop forever. */
+        System.out.print("\tcloseOutbound() pre-handshake");
+
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine engine = this.ctx.createSSLEngine();
+        engine.setUseClientMode(true);
+
+        /* Do not call beginHandshake() — needInit stays true. */
+        engine.closeOutbound();
+
+        if (!engine.isOutboundDone()) {
+            error("\t\t... failed");
+            fail("isOutboundDone() should be true after closeOutbound()");
+        }
+
+        if (!engine.isInboundDone()) {
+            error("\t\t... failed");
+            fail("isInboundDone() should be true after closeOutbound() " +
+                 "before handshake (was leaving inBound open)");
+        }
+
+        pass("\t\t... passed");
+    }
+
+    @Test
+    public void testWrapWithBufferArrayOffset()
+        throws NoSuchProviderException, NoSuchAlgorithmException,
+               KeyManagementException, KeyStoreException,
+               CertificateException, IOException,
+               UnrecoverableKeyException {
+
+        /* Regression for wrap(ByteBuffer[], ofst, len, out) and
+         * SendAppData() when ofst > 0. Previously triggered AIOOBE
+         * because pos[]/limit[] were sized [len] but indexed by i
+         * starting at ofst, and the null-check loop iterated
+         * i < len instead of i < ofst + len. */
+        System.out.print("\twrap() with ofst > 0");
+
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine server = this.ctx.createSSLEngine();
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
+
+        server.setUseClientMode(false);
+        server.setNeedClientAuth(false);
+        client.setUseClientMode(true);
+
+        server.beginHandshake();
+        client.beginHandshake();
+
+        int ret = tf.testConnection(server, client, null, null,
+            "wrap ofst test");
+        if (ret != 0) {
+            error("\t\t... failed");
+            fail("failed to create connection");
+        }
+
+        /* Build a 2-element ByteBuffer[] and wrap with ofst=1, len=1
+         * so the null check, pos/limit recording, and gather loops
+         * all index past the [len] boundary. The buffer at index 0
+         * intentionally contains data that must NOT be sent. */
+        byte[] decoy = "DECOY-MUST-NOT-BE-SENT".getBytes();
+        byte[] payload = "real-payload-bytes".getBytes();
+
+        ByteBuffer[] inBufs = new ByteBuffer[2];
+        inBufs[0] = ByteBuffer.wrap(decoy);
+        inBufs[1] = ByteBuffer.wrap(payload);
+
+        ByteBuffer netOut = ByteBuffer.allocateDirect(
+            client.getSession().getPacketBufferSize());
+
+        SSLEngineResult result = client.wrap(inBufs, 1, 1, netOut);
+        if (result.getStatus() != SSLEngineResult.Status.OK) {
+            error("\t\t... failed");
+            fail("wrap with ofst=1 failed: " + result.getStatus());
+        }
+
+        /* Decoy must be untouched, payload fully consumed. */
+        if (inBufs[0].position() != 0) {
+            error("\t\t... failed");
+            fail("decoy buffer at index 0 was advanced: pos=" +
+                 inBufs[0].position());
+        }
+        if (inBufs[1].position() != payload.length) {
+            error("\t\t... failed");
+            fail("payload buffer not fully consumed: pos=" +
+                 inBufs[1].position());
+        }
+
+        /* Decrypt on server side and verify content is the payload. */
+        netOut.flip();
+        ByteBuffer plain = ByteBuffer.allocate(
+            server.getSession().getApplicationBufferSize());
+        result = server.unwrap(netOut, plain);
+        if (result.getStatus() != SSLEngineResult.Status.OK) {
+            error("\t\t... failed");
+            fail("server unwrap failed: " + result.getStatus());
+        }
+
+        plain.flip();
+        byte[] received = new byte[plain.remaining()];
+        plain.get(received);
+        if (!java.util.Arrays.equals(received, payload)) {
+            error("\t\t... failed");
+            fail("received data does not match payload");
+        }
+
+        pass("\t\t... passed");
+    }
+
+    @Test
+    public void testUnwrapWithBufferArrayOffset()
+        throws NoSuchProviderException, NoSuchAlgorithmException,
+               KeyManagementException, KeyStoreException,
+               CertificateException, IOException,
+               UnrecoverableKeyException {
+
+        /* Regression for unwrap(in, ByteBuffer[], ofst, length) with
+         * ofst > 0. Previously the null/readOnly-check loop iterated
+         * i < length instead of i < ofst + length, skipping the
+         * actually-targeted output buffers. */
+        System.out.print("\tunwrap() with ofst > 0");
+
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine server = this.ctx.createSSLEngine();
+        SSLEngine client = this.ctx.createSSLEngine("wolfSSL test", 11111);
+
+        server.setUseClientMode(false);
+        server.setNeedClientAuth(false);
+        client.setUseClientMode(true);
+
+        server.beginHandshake();
+        client.beginHandshake();
+
+        int ret = tf.testConnection(server, client, null, null,
+            "unwrap ofst test");
+        if (ret != 0) {
+            error("\t\t... failed");
+            fail("failed to create connection");
+        }
+
+        byte[] payload = "unwrap-target-bytes".getBytes();
+
+        /* Client wraps payload, server will unwrap into ByteBuffer[]
+         * at ofst=1. */
+        ByteBuffer appBuf = ByteBuffer.wrap(payload);
+        ByteBuffer netBuf = ByteBuffer.allocateDirect(
+            client.getSession().getPacketBufferSize());
+
+        SSLEngineResult result = client.wrap(appBuf, netBuf);
+        if (result.getStatus() != SSLEngineResult.Status.OK) {
+            error("\t\t... failed");
+            fail("client wrap failed: " + result.getStatus());
+        }
+        netBuf.flip();
+
+        /* Build 2-element output array, ofst=1 so index 0 must stay
+         * untouched and decrypted bytes land at index 1. */
+        int appBufSize = server.getSession().getApplicationBufferSize();
+        ByteBuffer[] outBufs = new ByteBuffer[2];
+        outBufs[0] = ByteBuffer.allocate(appBufSize);
+        outBufs[1] = ByteBuffer.allocate(appBufSize);
+
+        result = server.unwrap(netBuf, outBufs, 1, 1);
+        if (result.getStatus() != SSLEngineResult.Status.OK) {
+            error("\t\t... failed");
+            fail("server unwrap with ofst=1 failed: " + result.getStatus());
+        }
+
+        if (outBufs[0].position() != 0) {
+            error("\t\t... failed");
+            fail("output buffer at index 0 was written: pos=" +
+                 outBufs[0].position());
+        }
+
+        outBufs[1].flip();
+        byte[] received = new byte[outBufs[1].remaining()];
+        outBufs[1].get(received);
+        if (!java.util.Arrays.equals(received, payload)) {
+            error("\t\t... failed");
+            fail("received data does not match payload");
+        }
+
+        pass("\t\t... passed");
+    }
+
+    @Test
+    public void testWrapRejectsNullAtOffset() throws Exception {
+        System.out.print("\twrap() rejects null at ofst+len-1");
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine c = this.ctx.createSSLEngine("wolfSSL test", 11111);
+        c.setUseClientMode(true);
+        ByteBuffer[] in = {ByteBuffer.wrap("x".getBytes()), null};
+        ByteBuffer out = ByteBuffer.allocateDirect(
+            c.getSession().getPacketBufferSize());
+        try {
+            c.wrap(in, 1, 1, out);
+            fail("expected SSLException for null at ofst=1");
+        } catch (SSLException e) { /* expected */ }
+        pass("\t... passed");
+    }
+
+    @Test
+    public void testUnwrapRejectsReadOnlyAtOffset() throws Exception {
+        System.out.print("\tunwrap() rejects readOnly at ofst+length-1");
+        this.ctx = tf.createSSLContext("TLS", engineProvider);
+        SSLEngine s = this.ctx.createSSLEngine();
+        s.setUseClientMode(false);
+        ByteBuffer in = ByteBuffer.allocateDirect(
+            s.getSession().getPacketBufferSize());
+        ByteBuffer[] out = {ByteBuffer.allocate(64),
+            ByteBuffer.allocate(64).asReadOnlyBuffer()};
+        try {
+            s.unwrap(in, out, 1, 1);
+            fail("expected ReadOnlyBufferException at ofst=1");
+        } catch (java.nio.ReadOnlyBufferException e) { /* expected */ }
+        pass("\t... passed");
+    }
 }