wolfSSL · gasbytes · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/src/test/unit/unit.c b/src/test/unit/unit.c
@@ -227,7 +227,7 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_utils, test_sock_setsockopt_recvttl);
     tcase_add_test(tc_utils, test_sock_setsockopt_invalid_socket);
     tcase_add_test(tc_utils, test_sock_setsockopt_recvttl_invalid_params);
-    tcase_add_test(tc_utils, test_sock_getsockopt_recvttl_value);
+    tcase_add_test(tc_utils, test_sock_getsockopt_recvttl_enabled_state);
     tcase_add_test(tc_utils, test_sock_getsockopt_invalid_socket);
     tcase_add_test(tc_utils, test_sock_can_read_write_paths);
     tcase_add_test(tc_utils, test_sock_getsockopt_recvttl_invalid_params);
@@ -309,11 +309,16 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_utils, test_tcp_persist_cb_stops_when_window_reopens);
     tcase_add_test(tc_utils, test_poll_tcp_arp_request_on_miss);
     tcase_add_test(tc_utils, test_poll_udp_send_on_arp_hit);
+    tcase_add_test(tc_utils, test_poll_udp_send_on_arp_miss_requests_arp_and_retains_queue);
     tcase_add_test(tc_utils, test_poll_icmp_send_on_arp_hit);
+    tcase_add_test(tc_utils, test_poll_icmp_send_on_arp_miss_requests_arp_and_retains_queue);
     tcase_add_test(tc_utils, test_dhcp_timer_cb_paths);
+    tcase_add_test(tc_utils, test_dhcp_timer_cb_send_failure_does_not_consume_retry_budget);
     tcase_add_test(tc_utils, test_dhcp_client_init_and_bound);
     tcase_add_test(tc_utils, test_dhcp_send_request_renewing_sets_ciaddr_and_rebind_deadline);
     tcase_add_test(tc_utils, test_dhcp_send_request_rebinding_broadcasts_to_lease_expiry);
+    tcase_add_test(tc_utils, test_dhcp_send_request_send_failure_retries_next_tick);
+    tcase_add_test(tc_utils, test_dhcp_send_discover_send_failure_retries_next_tick);
     tcase_add_test(tc_utils, test_dhcp_poll_offer_and_ack);
     tcase_add_test(tc_utils, test_dhcp_poll_renewing_ack_binds_client);
     tcase_add_test(tc_utils, test_dhcp_poll_rebinding_ack_binds_client);
@@ -370,6 +375,8 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_utils, test_ll_send_frame_drops_oversize);
     tcase_add_test(tc_utils, test_ll_helpers_invalid_inputs);
     tcase_add_test(tc_utils, test_non_ethernet_recv_oversize_dropped);
+    tcase_add_test(tc_utils, test_non_ethernet_recv_wrapper_delivers_udp_and_skips_eth_filter);
+    tcase_add_test(tc_utils, test_non_ethernet_recv_ex_wrapper_delivers_udp_on_second_if);
 #endif
     tcase_add_test(tc_utils, test_dns_format_ptr_name);
     tcase_add_test(tc_utils, test_dns_skip_and_copy_name);
@@ -378,6 +385,7 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_utils, test_dns_schedule_timer_initial_jitter_and_cancel);
     tcase_add_test(tc_utils, test_dns_schedule_timer_caps_large_retry_shift);
     tcase_add_test(tc_utils, test_dns_send_query_schedules_timeout);
+    tcase_add_test(tc_utils, test_dns_send_query_send_failure_clears_outstanding_state);
     tcase_add_test(tc_utils, test_dns_resend_query_uses_stored_query_buffer);
     tcase_add_test(tc_utils, test_dns_resend_query_fails_without_valid_socket);
     tcase_add_test(tc_utils, test_dns_resend_query_fails_without_cached_query_buffer);

diff --git a/src/test/unit/unit_esp.c b/src/test/unit/unit_esp.c
@@ -129,12 +129,62 @@ static uint32_t build_ip_packet(uint8_t *buf, size_t buf_size,
     return frame_len;
 }
 
+static uint32_t build_udp_ip_packet(uint8_t *buf, size_t buf_size,
+                                    uint32_t src_ip, uint32_t dst_ip,
+                                    uint16_t src_port, uint16_t dst_port,
+                                    const uint8_t *payload, uint16_t payload_len)
+{
+    struct wolfIP_ip_packet *ip;
+    struct wolfIP_udp_datagram *udp;
+    uint32_t frame_len;
+    uint16_t udp_len = (uint16_t)(UDP_HEADER_LEN + payload_len);
+
+    frame_len = build_ip_packet(buf, buf_size, WI_IPPROTO_UDP, NULL, udp_len);
+    ip = (struct wolfIP_ip_packet *)buf;
+    udp = (struct wolfIP_udp_datagram *)ip;
+
+    ip->src = ee32(src_ip);
+    ip->dst = ee32(dst_ip);
+    udp->src_port = ee16(src_port);
+    udp->dst_port = ee16(dst_port);
+    udp->len = ee16(udp_len);
+    udp->csum = 0;
+    if (payload_len > 0U) {
+        memcpy(udp->data, payload, payload_len);
+    }
+    ip->csum = 0;
+    iphdr_set_checksum(ip);
+
+    return frame_len;
+}
+
 static void esp_setup(void)
 {
     int ret = wolfIP_esp_init();
     ck_assert_int_eq(ret, 0);
 }
 
+static void esp_add_cbc_test_sas(void)
+{
+    int ret;
+
+    ret = wolfIP_esp_sa_new_cbc_hmac(0, (uint8_t *)spi_rt,
+                                     atoip4(T_SRC), atoip4(T_DST),
+                                     (uint8_t *)k_aes128, sizeof(k_aes128),
+                                     ESP_AUTH_SHA256_RFC4868,
+                                     (uint8_t *)k_auth16, sizeof(k_auth16),
+                                     ESP_ICVLEN_HMAC_128);
+    ck_assert_int_eq(ret, 0);
+
+    ret = wolfIP_esp_sa_new_cbc_hmac(1, (uint8_t *)spi_rt,
+                                     atoip4(T_SRC), atoip4(T_DST),
+                                     (uint8_t *)k_aes128, sizeof(k_aes128),
+                                     ESP_AUTH_SHA256_RFC4868,
+                                     (uint8_t *)k_auth16, sizeof(k_auth16),
+                                     ESP_ICVLEN_HMAC_128);
+    ck_assert_int_eq(ret, 0);
+}
+
 /* Creating an HMAC-only SA with valid params must succeed. */
 START_TEST(test_sa_hmac_good)
 {
@@ -1278,6 +1328,105 @@ START_TEST(test_wrap_rejects_ip_len_below_header)
 }
 END_TEST
 
+START_TEST(test_ip_recv_esp_transport_delivers_udp_payload)
+{
+    static uint8_t buf[LINK_MTU + 256];
+    struct wolfIP s;
+    struct wolfIP_ip_packet *ip = (struct wolfIP_ip_packet *)buf;
+    struct wolfIP_sockaddr_in sin;
+    uint8_t payload[] = { 'e', 's', 'p', '!' };
+    uint8_t rxbuf[sizeof(payload)] = {0};
+    uint32_t frame_len;
+    uint16_t ip_len;
+    int udp_sd;
+    int ret;
+
+    wolfIP_init(&s);
+    esp_setup();
+    esp_add_cbc_test_sas();
+    wolfIP_ipconfig_set(&s, atoip4(T_DST), 0xFFFFFF00U, 0);
+
+    udp_sd = wolfIP_sock_socket(&s, AF_INET, IPSTACK_SOCK_DGRAM, WI_IPPROTO_UDP);
+    ck_assert_int_gt(udp_sd, 0);
+
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    sin.sin_port = ee16(1234);
+    sin.sin_addr.s_addr = ee32(atoip4(T_DST));
+    ck_assert_int_eq(wolfIP_sock_bind(&s, udp_sd, (struct wolfIP_sockaddr *)&sin, sizeof(sin)), 0);
+
+    frame_len = build_udp_ip_packet(buf, sizeof(buf), atoip4(T_SRC), atoip4(T_DST),
+                                    4321, 1234, payload, sizeof(payload));
+    ip_len = (uint16_t)(frame_len - ETH_HEADER_LEN);
+
+    ret = esp_transport_wrap(ip, &ip_len);
+    ck_assert_int_eq(ret, 0);
+
+    frame_len = (uint32_t)ip_len + ETH_HEADER_LEN;
+    ip->proto = 0x32U;
+    ip->len = ee16(ip_len);
+    ip->csum = 0U;
+    iphdr_set_checksum(ip);
+
+    ip_recv(&s, 0, ip, frame_len);
+
+    ret = wolfIP_sock_recvfrom(&s, udp_sd, rxbuf, sizeof(rxbuf), 0, NULL, NULL);
+    ck_assert_int_eq(ret, (int)sizeof(payload));
+    ck_assert_mem_eq(rxbuf, payload, sizeof(payload));
+}
+END_TEST
+
+START_TEST(test_ip_recv_esp_transport_unwrap_failure_drops_packet)
+{
+    static uint8_t buf[LINK_MTU + 256];
+    struct wolfIP s;
+    struct wolfIP_ip_packet *ip = (struct wolfIP_ip_packet *)buf;
+    struct wolfIP_sockaddr_in sin;
+    uint8_t payload[] = { 'b', 'a', 'd', '!' };
+    uint8_t rxbuf[sizeof(payload)] = {0};
+    uint32_t frame_len;
+    uint16_t ip_len;
+    uint32_t esp_len;
+    int udp_sd;
+    int ret;
+
+    wolfIP_init(&s);
+    esp_setup();
+    esp_add_cbc_test_sas();
+    wolfIP_ipconfig_set(&s, atoip4(T_DST), 0xFFFFFF00U, 0);
+
+    udp_sd = wolfIP_sock_socket(&s, AF_INET, IPSTACK_SOCK_DGRAM, WI_IPPROTO_UDP);
+    ck_assert_int_gt(udp_sd, 0);
+
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    sin.sin_port = ee16(1234);
+    sin.sin_addr.s_addr = ee32(atoip4(T_DST));
+    ck_assert_int_eq(wolfIP_sock_bind(&s, udp_sd, (struct wolfIP_sockaddr *)&sin, sizeof(sin)), 0);
+
+    frame_len = build_udp_ip_packet(buf, sizeof(buf), atoip4(T_SRC), atoip4(T_DST),
+                                    4321, 1234, payload, sizeof(payload));
+    ip_len = (uint16_t)(frame_len - ETH_HEADER_LEN);
+
+    ret = esp_transport_wrap(ip, &ip_len);
+    ck_assert_int_eq(ret, 0);
+
+    frame_len = (uint32_t)ip_len + ETH_HEADER_LEN;
+    ip->proto = 0x32U;
+    ip->len = ee16(ip_len);
+    ip->csum = 0U;
+    iphdr_set_checksum(ip);
+
+    esp_len = frame_len - ETH_HEADER_LEN - IP_HEADER_LEN;
+    ip->data[esp_len - 1U] ^= 0xFFU;
+
+    ip_recv(&s, 0, ip, frame_len);
+
+    ret = wolfIP_sock_recvfrom(&s, udp_sd, rxbuf, sizeof(rxbuf), 0, NULL, NULL);
+    ck_assert_int_eq(ret, -WOLFIP_EAGAIN);
+}
+END_TEST
+
 static Suite *esp_suite(void)
 {
     Suite *s;
@@ -1352,6 +1501,11 @@ static Suite *esp_suite(void)
     tcase_add_test(tc, test_ciphertext_tamper_cbc_sha256);
     suite_add_tcase(s, tc);
 
+    tc = tcase_create("ip_recv");
+    tcase_add_test(tc, test_ip_recv_esp_transport_delivers_udp_payload);
+    tcase_add_test(tc, test_ip_recv_esp_transport_unwrap_failure_drops_packet);
+    suite_add_tcase(s, tc);
+
     /* No-SA outbound path */
     tc = tcase_create("no_sa");
     tcase_add_test(tc, test_wrap_no_matching_sa);

diff --git a/src/test/unit/unit_tests_api.c b/src/test/unit/unit_tests_api.c
@@ -3358,7 +3358,7 @@ START_TEST(test_sock_setsockopt_invalid_socket)
 }
 END_TEST
 
-START_TEST(test_sock_getsockopt_recvttl_value)
+START_TEST(test_sock_getsockopt_recvttl_enabled_state)
 {
     struct wolfIP s;
     int udp_sd;
@@ -3374,7 +3374,7 @@ START_TEST(test_sock_getsockopt_recvttl_value)
     s.udpsockets[SOCKET_UNMARK(udp_sd)].last_pkt_ttl = 77;
 
     ck_assert_int_eq(wolfIP_sock_getsockopt(&s, udp_sd, WOLFIP_SOL_IP, WOLFIP_IP_RECVTTL, &value, &len), 0);
-    ck_assert_int_eq(value, 77);
+    ck_assert_int_eq(value, 1);
 }
 END_TEST