avoid glitch hardening false positive byte collision with small messages and adjust test case

JacobBarthelmeh · JacobBarthelmeh · commit 29f674e5b606 · 2026-04-24T01:08:00.000-06:00
diff --git a/src/internal.c b/src/internal.c
@@ -20682,9 +20682,10 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
             }
 
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
-            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                    sz >= sizeof(ssl->encrypt.sanityCheck)) {
                 XMEMCPY(ssl->encrypt.sanityCheck, input,
-                    min(sz, sizeof(ssl->encrypt.sanityCheck)));
+                    sizeof(ssl->encrypt.sanityCheck));
             }
         #endif
 
@@ -20771,8 +20772,9 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
         {
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
             if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                    sz >= sizeof(ssl->encrypt.sanityCheck) &&
                 XMEMCMP(out, ssl->encrypt.sanityCheck,
-                    min(sz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+                    sizeof(ssl->encrypt.sanityCheck)) == 0) {
 
                 WOLFSSL_MSG("Encrypt sanity check failed! Glitch?");
                 WOLFSSL_ERROR_VERBOSE(ENCRYPT_ERROR);
diff --git a/src/tls13.c b/src/tls13.c
@@ -2639,9 +2639,9 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
 
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
             if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
-                    dataSz > 0) {
+                    dataSz >= sizeof(ssl->encrypt.sanityCheck)) {
                 XMEMCPY(ssl->encrypt.sanityCheck, input,
-                    min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
+                    sizeof(ssl->encrypt.sanityCheck));
             }
         #endif
 
@@ -2825,9 +2825,9 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
 
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
             if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
-                    dataSz > 0 &&
+                    dataSz >= sizeof(ssl->encrypt.sanityCheck) &&
                 XMEMCMP(output, ssl->encrypt.sanityCheck,
-                    min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+                    sizeof(ssl->encrypt.sanityCheck)) == 0) {
 
                 WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
                 return ENCRYPT_ERROR;
diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
@@ -4590,7 +4590,7 @@ int test_tls13_empty_record_limit(void)
     struct test_memio_ctx test_ctx;
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
-    int recSz;
+    int recSz = 0;
     /* Send exactly WOLFSSL_MAX_EMPTY_RECORDS to pin the boundary check.
      * The Nth record increments the counter to N, and `N >= N` triggers
      * the error. Sending one more would let a `>=` -> `>` mutation survive
@@ -4608,16 +4608,18 @@ int test_tls13_empty_record_limit(void)
 
     ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
 
-    /* Consume any post-handshake messages (e.g. NewSessionTicket). */
-    wolfSSL_read(ssl_c, buf, sizeof(buf));
-    test_memio_clear_buffer(&test_ctx, 0);
-    test_memio_clear_buffer(&test_ctx, 1);
-
-    /* Get the size of an encrypted zero-length app data record. */
-    recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
-                              application_data, 0, 1, 0);
-    ExpectIntGT(recSz, 0);
-    ExpectIntLE(recSz, (int)sizeof(rec));
+    if (EXPECT_SUCCESS()) {
+        /* Consume any post-handshake messages (e.g. NewSessionTicket). */
+        wolfSSL_read(ssl_c, buf, sizeof(buf));
+        test_memio_clear_buffer(&test_ctx, 0);
+        test_memio_clear_buffer(&test_ctx, 1);
+
+        /* Get the size of an encrypted zero-length app data record. */
+        recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
+                                  application_data, 0, 1, 0);
+        ExpectIntGT(recSz, 0);
+        ExpectIntLE(recSz, (int)sizeof(rec));
+    }
 
     /* Build all empty records into one contiguous buffer. */
     if (EXPECT_SUCCESS()) {
@@ -4664,15 +4666,17 @@ int test_tls13_empty_record_limit(void)
 
     ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
 
-    wolfSSL_read(ssl_c, buf, sizeof(buf));
-    test_memio_clear_buffer(&test_ctx, 0);
-    test_memio_clear_buffer(&test_ctx, 1);
+    if (EXPECT_SUCCESS()) {
+        wolfSSL_read(ssl_c, buf, sizeof(buf));
+        test_memio_clear_buffer(&test_ctx, 0);
+        test_memio_clear_buffer(&test_ctx, 1);
 
-    recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
-                              application_data, 0, 1, 0);
-    ExpectIntGT(recSz, 0);
+        recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
+                                  application_data, 0, 1, 0);
+        ExpectIntGT(recSz, 0);
+    }
 
-    {
+    if (EXPECT_SUCCESS()) {
         int emptyBefore = WOLFSSL_MAX_EMPTY_RECORDS - 1;
         int emptyAfter = WOLFSSL_MAX_EMPTY_RECORDS - 1;
         int dataRecSz;
