JNI: add wrapper for wolfSSL_SNI_GetFromBuffer()

cconlon · cconlon · commit ff6cd1daeada · 2026-02-26T15:55:40.000-07:00
diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c
@@ -2638,3 +2638,101 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getErrno
     return 0;
 #endif
 }
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getSNIFromBuffer
+  (JNIEnv* jenv, jclass jcl, jbyteArray clientHello, jbyte type, jbyteArray sni)
+{
+#ifdef HAVE_SNI
+    int ret = 0;
+    byte* clientHelloBuf = NULL;
+    byte* sniBuf = NULL;
+    unsigned int inOutSz = 0;
+    int helloSz = 0;
+    jclass excClass = NULL;
+    char errMsg[WOLFSSL_MAX_ERROR_SZ];
+    (void)jcl;
+
+    if (jenv == NULL || clientHello == NULL || sni == NULL) {
+        excClass = (*jenv)->FindClass(jenv,
+            "java/lang/IllegalArgumentException");
+        if ((*jenv)->ExceptionOccurred(jenv)) {
+            (*jenv)->ExceptionDescribe(jenv);
+            (*jenv)->ExceptionClear(jenv);
+            return (jint)BAD_FUNC_ARG;
+        }
+        (*jenv)->ThrowNew(jenv, excClass,
+            "clientHello and sni must be non-null");
+        return (jint)BAD_FUNC_ARG;
+    }
+
+    inOutSz = (unsigned int)(*jenv)->GetArrayLength(jenv, sni);
+    if (inOutSz == 0) {
+        return (jint)0;
+    }
+
+    helloSz = (*jenv)->GetArrayLength(jenv, clientHello);
+
+    clientHelloBuf = (byte*)(*jenv)->GetByteArrayElements(jenv,
+        clientHello, NULL);
+    if (clientHelloBuf == NULL) {
+        if ((*jenv)->ExceptionOccurred(jenv)) {
+            (*jenv)->ExceptionDescribe(jenv);
+            (*jenv)->ExceptionClear(jenv);
+        }
+        return (jint)MEMORY_E;
+    }
+
+    sniBuf = (byte*)(*jenv)->GetByteArrayElements(jenv, sni, NULL);
+    if (sniBuf == NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, clientHello,
+            (jbyte*)clientHelloBuf, JNI_ABORT);
+        if ((*jenv)->ExceptionOccurred(jenv)) {
+            (*jenv)->ExceptionDescribe(jenv);
+            (*jenv)->ExceptionClear(jenv);
+        }
+        return (jint)MEMORY_E;
+    }
+
+    ret = wolfSSL_SNI_GetFromBuffer(clientHelloBuf, (unsigned int)helloSz,
+        (byte)type, sniBuf, &inOutSz);
+
+    if (ret == WOLFSSL_SUCCESS) {
+        /* copy back SNI data to Java array */
+        (*jenv)->ReleaseByteArrayElements(jenv, sni, (jbyte*)sniBuf, 0);
+        (*jenv)->ReleaseByteArrayElements(jenv, clientHello,
+            (jbyte*)clientHelloBuf, JNI_ABORT);
+
+        return (jint)inOutSz;
+
+    } else {
+        /* discard, don't copy back */
+        (*jenv)->ReleaseByteArrayElements(jenv, sni, (jbyte*)sniBuf, JNI_ABORT);
+        (*jenv)->ReleaseByteArrayElements(jenv, clientHello,
+            (jbyte*)clientHelloBuf, JNI_ABORT);
+
+        if (ret < 0) {
+            XSNPRINTF(errMsg, sizeof(errMsg),
+                "wolfSSL_SNI_GetFromBuffer() failed: %d", ret);
+            excClass = (*jenv)->FindClass(jenv, "com/wolfssl/WolfSSLException");
+            if ((*jenv)->ExceptionOccurred(jenv)) {
+                (*jenv)->ExceptionDescribe(jenv);
+                (*jenv)->ExceptionClear(jenv);
+                return (jint)ret;
+            }
+            (*jenv)->ThrowNew(jenv, excClass, errMsg);
+            return (jint)ret;
+        }
+    }
+
+    /* ret == 0: no SNI found, not an error */
+    return (jint)0;
+
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)clientHello;
+    (void)type;
+    (void)sni;
+    return (jint)NOT_COMPILED_IN;
+#endif /* HAVE_SNI */
+}
diff --git a/native/com_wolfssl_WolfSSL.h b/native/com_wolfssl_WolfSSL.h
diff --git a/src/java/com/wolfssl/WolfSSL.java b/src/java/com/wolfssl/WolfSSL.java
@@ -1677,6 +1677,32 @@ public static native int getPkcs8TraditionalOffset(byte[] in, long idx,
      */
     public static native long getLibVersionHex();
 
+    /**
+     * Retrieves the Server Name Indication (SNI) from a raw ClientHello
+     * message buffer.
+     *
+     * This is a utility method that does not require an active SSL/TLS session
+     * or context. It can be used to inspect the SNI before setting up the
+     * TLS session, for example for SNI-based routing.
+     *
+     * Wraps native wolfSSL_SNI_GetFromBuffer().
+     *
+     * @param clientHello raw Client Hello message bytes
+     * @param type        SNI type to retrieve, typically
+     *                    {@link #WOLFSSL_SNI_HOST_NAME}
+     * @param sni         output buffer where SNI value will be written. On
+     *                    success, the SNI data will be placed at the beginning
+     *                    of this array.
+     *
+     * @return number of bytes written into sni on success, 0 if no SNI
+     *         extension was found in Client Hello, {@link #NOT_COMPILED_IN} if
+     *         native wolfSSL was compiled without SNI support, negative value
+     *         on error.
+     * @throws IllegalArgumentException if clientHello or sni is null
+     */
+    public static native int getSNIFromBuffer(byte[] clientHello, byte type,
+        byte[] sni);
+
     /**
      * Returns the enabled cipher suites for native wolfSSL.
      *
diff --git a/src/test/com/wolfssl/test/WolfSSLTest.java b/src/test/com/wolfssl/test/WolfSSLTest.java
@@ -25,6 +25,7 @@
 import org.junit.BeforeClass;
 import static org.junit.Assert.*;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.List;
 
@@ -56,6 +57,7 @@ public void testWolfSSL() throws WolfSSLException {
         test_WolfSSL_Method_Allocators(lib);
         test_WolfSSL_getLibVersionHex();
         test_WolfSSL_getErrno();
+        test_WolfSSL_getSNIFromBuffer();
         testGetCiphersAvailableIana();
         test_isLibraryLoadSkippedReturnsFalseByDefault();
         test_SystemPropertyNotSetByDefault();
@@ -236,6 +238,143 @@ public void test_WolfSSL_getErrno() {
         System.out.println("\t\t\t... passed");
     }
 
+    public void test_WolfSSL_getSNIFromBuffer() {
+        System.out.print("\tgetSNIFromBuffer()");
+
+        /* Minimal TLS 1.2 ClientHello with SNI extension for "www.example.com".
+         * This is a hand crafted minimal valid ClientHello message. */
+        String hostname = "www.example.com";
+        byte[] hostBytes = hostname.getBytes(StandardCharsets.UTF_8);
+        int hostLen = hostBytes.length;
+
+        /* SNI extension: type(2) + len(2) + sni_list_len(2) + sni_type(1) +
+         * sni_len(2) + sni_data */
+        int sniExtLen = 2 + 2 + 2 + 1 + 2 + hostLen;
+        /* Extensions block: ext_len(2) + sni_ext */
+        int extBlockLen = 2 + sniExtLen;
+
+        /* ClientHello body:
+         *   version(2) + random(32) + sessId_len(1) + cipher_suites_len(2) +
+         *   one_suite(2) + comp_len(1) + comp_null(1) + extensions */
+        int chBodyLen = 2 + 32 + 1 + 2 + 2 + 1 + 1 + extBlockLen;
+
+        /* Handshake header: type(1) + length(3) */
+        int hsLen = 1 + 3 + chBodyLen;
+
+        /* TLS record: type(1) + version(2) + length(2) */
+        int totalLen = 1 + 2 + 2 + hsLen;
+
+        byte[] clientHello = new byte[totalLen];
+        int offset = 0;
+
+        /* TLS record header */
+        clientHello[offset++] = 0x16; /* handshake */
+        clientHello[offset++] = 0x03; /* TLS 1.0 */
+        clientHello[offset++] = 0x01;
+        clientHello[offset++] = (byte)((hsLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(hsLen & 0xFF);
+
+        /* Handshake header */
+        clientHello[offset++] = 0x01; /* client_hello */
+        clientHello[offset++] = 0x00; /* length (3B) */
+        clientHello[offset++] = (byte)((chBodyLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(chBodyLen & 0xFF);
+
+        /* ClientHello body */
+        clientHello[offset++] = 0x03; /* TLS 1.2 */
+        clientHello[offset++] = 0x03;
+
+        /* 32 bytes random (zeros for test) */
+        offset += 32;
+
+        /* Session ID length = 0 */
+        clientHello[offset++] = 0x00;
+
+        /* Cipher suites: length=2, one suite */
+        clientHello[offset++] = 0x00;
+        clientHello[offset++] = 0x02;
+        clientHello[offset++] = (byte)0xC0;
+        clientHello[offset++] = 0x2F;
+
+        /* Compression: length=1, null */
+        clientHello[offset++] = 0x01;
+        clientHello[offset++] = 0x00;
+
+        /* Extensions length */
+        int extTotalLen = sniExtLen;
+        clientHello[offset++] = (byte)((extTotalLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(extTotalLen & 0xFF);
+
+        /* SNI extension type = 0x0000 */
+        clientHello[offset++] = 0x00;
+        clientHello[offset++] = 0x00;
+
+        /* SNI extension data length */
+        int sniDataLen = 2 + 1 + 2 + hostLen;
+        clientHello[offset++] = (byte)((sniDataLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(sniDataLen & 0xFF);
+
+        /* SNI list length */
+        int sniListLen = 1 + 2 + hostLen;
+        clientHello[offset++] = (byte)((sniListLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(sniListLen & 0xFF);
+
+        /* SNI type: host_name = 0 */
+        clientHello[offset++] = 0x00;
+
+        /* SNI host name length */
+        clientHello[offset++] = (byte)((hostLen >> 8) & 0xFF);
+        clientHello[offset++] = (byte)(hostLen & 0xFF);
+
+        /* SNI host name data */
+        System.arraycopy(hostBytes, 0, clientHello, offset, hostLen);
+        offset += hostLen;
+
+        byte[] sniOut = new byte[256];
+
+        int ret = WolfSSL.getSNIFromBuffer(clientHello,
+            (byte)WolfSSL.WOLFSSL_SNI_HOST_NAME, sniOut);
+
+        if (ret == WolfSSL.NOT_COMPILED_IN) {
+            System.out.println("\t\t... skipped");
+            return;
+        }
+
+        if (ret <= 0) {
+            System.out.println("\t\t... failed");
+            fail("getSNIFromBuffer() returned: " + ret);
+        }
+
+        String extracted = new String(sniOut, 0, ret, StandardCharsets.UTF_8);
+        if (!hostname.equals(extracted)) {
+            System.out.println("\t\t... failed");
+            fail("getSNIFromBuffer() expected [" + hostname + "] got [" +
+                extracted + "]");
+        }
+
+        /* Test null clientHello throws exception */
+        try {
+            WolfSSL.getSNIFromBuffer(null, (byte)WolfSSL.WOLFSSL_SNI_HOST_NAME,
+                sniOut);
+            System.out.println("\t\t... failed");
+            fail("Expected IllegalArgumentException for null clientHello");
+        } catch (IllegalArgumentException e) {
+            /* expected */
+        }
+
+        /* Test null sni output buffer throws exception */
+        try {
+            WolfSSL.getSNIFromBuffer(clientHello,
+                (byte)WolfSSL.WOLFSSL_SNI_HOST_NAME, null);
+            System.out.println("\t\t... failed");
+            fail("Expected IllegalArgumentException for null sni");
+        } catch (IllegalArgumentException e) {
+            /* expected */
+        }
+
+        System.out.println("\t\t... passed");
+    }
+
     public void test_isLibraryLoadSkippedReturnsFalseByDefault() {
 
         System.out.print(
