Fixes from review

Author: embhorn

src/tls13.c

@@ -2638,9 +2638,10 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
         #endif
 
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
-            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                    dataSz >= WOLFSSL_CIPHER_CHECK_SZ) {
                 XMEMCPY(ssl->encrypt.sanityCheck, input,
-                    min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
+                    sizeof(ssl->encrypt.sanityCheck));
             }
         #endif
 
@@ -2824,8 +2825,9 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
 
         #ifdef WOLFSSL_CIPHER_TEXT_CHECK
             if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                    dataSz >= WOLFSSL_CIPHER_CHECK_SZ &&
                 XMEMCMP(output, ssl->encrypt.sanityCheck,
-                    min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+                    sizeof(ssl->encrypt.sanityCheck)) == 0) {
 
                 WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
                 return ENCRYPT_ERROR;

tests/api/test_tls13.c

@@ -2927,28 +2927,28 @@ int test_tls13_duplicate_extension(void)
     (!defined(NO_RSA) || defined(HAVE_ECC))
 static int DupEchSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
-	(void)ssl;
-	(void)buf;
-	(void)sz;
-	(void)ctx;
+    (void)ssl;
+    (void)buf;
+    (void)sz;
+    (void)ctx;
 
-	return sz;
+    return sz;
 }
 static int DupEchRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
-	WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
-	int len = (int)msg->length;
+    WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
+    int len = (int)msg->length;
 
-	(void)ssl;
-	(void)sz;
+    (void)ssl;
+    (void)sz;
 
-	if (len > sz)
-		len = sz;
-	XMEMCPY(buf, msg->buffer, len);
-	msg->buffer += len;
-	msg->length -= len;
+    if (len > sz)
+        len = sz;
+    XMEMCPY(buf, msg->buffer, len);
+    msg->buffer += len;
+    msg->length -= len;
 
-	return len;
+    return len;
 }
 #endif
 
@@ -2959,68 +2959,68 @@ static int DupEchRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
  */
 int test_tls13_duplicate_ech_extension(void)
 {
-	EXPECT_DECLS;
+    EXPECT_DECLS;
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
     !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM) && \
     (!defined(NO_RSA) || defined(HAVE_ECC))
-	/* TLS 1.3 ClientHello with two ECH extensions (type 0xfe0d).
-	 * Extensions block contains: supported_versions + ECH + ECH (dup). */
-	const unsigned char clientHelloDupEch[] = {
-		0x16, 0x03, 0x03, 0x00, 0x40, 0x01, 0x00, 0x00,
-		0x3c, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-		0x01, 0x01, 0x01, 0x00, 0x00, 0x02, 0x13, 0x01,
-		0x01, 0x00, 0x00, 0x11, 0x00, 0x2b, 0x00, 0x03,
-		0x02, 0x03, 0x04, 0xfe, 0x0d, 0x00, 0x01, 0x00,
-		0xfe, 0x0d, 0x00, 0x01, 0x00
-	};
-	WOLFSSL_BUFFER_INFO msg;
-	const char* testCertFile;
-	const char* testKeyFile;
-	WOLFSSL_CTX *ctx = NULL;
-	WOLFSSL     *ssl = NULL;
+    /* TLS 1.3 ClientHello with two ECH extensions (type 0xfe0d).
+     * Extensions block contains: supported_versions + ECH + ECH (dup). */
+    const unsigned char clientHelloDupEch[] = {
+        0x16, 0x03, 0x03, 0x00, 0x40, 0x01, 0x00, 0x00,
+        0x3c, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
+        0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+        0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+        0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+        0x01, 0x01, 0x01, 0x00, 0x00, 0x02, 0x13, 0x01,
+        0x01, 0x00, 0x00, 0x11, 0x00, 0x2b, 0x00, 0x03,
+        0x02, 0x03, 0x04, 0xfe, 0x0d, 0x00, 0x01, 0x00,
+        0xfe, 0x0d, 0x00, 0x01, 0x00
+    };
+    WOLFSSL_BUFFER_INFO msg;
+    const char* testCertFile;
+    const char* testKeyFile;
+    WOLFSSL_CTX *ctx = NULL;
+    WOLFSSL     *ssl = NULL;
 
 #ifndef NO_RSA
-	testCertFile = svrCertFile;
-	testKeyFile = svrKeyFile;
+    testCertFile = svrCertFile;
+    testKeyFile = svrKeyFile;
 #elif defined(HAVE_ECC)
-	testCertFile = eccCertFile;
-	testKeyFile = eccKeyFile;
+    testCertFile = eccCertFile;
+    testKeyFile = eccKeyFile;
 #endif
 
-	ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
 
-	ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile,
-		CERT_FILETYPE));
-	ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile,
-		CERT_FILETYPE));
+    ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile,
+        CERT_FILETYPE));
+    ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile,
+        CERT_FILETYPE));
 
-	/* Read from 'msg'. */
-	wolfSSL_SetIORecv(ctx, DupEchRecv);
-	/* No where to send to - dummy sender. */
-	wolfSSL_SetIOSend(ctx, DupEchSend);
+    /* Read from 'msg'. */
+    wolfSSL_SetIORecv(ctx, DupEchRecv);
+    /* No where to send to - dummy sender. */
+    wolfSSL_SetIOSend(ctx, DupEchSend);
 
-	ssl = wolfSSL_new(ctx);
-	ExpectNotNull(ssl);
+    ssl = wolfSSL_new(ctx);
+    ExpectNotNull(ssl);
 
-	msg.buffer = (unsigned char*)clientHelloDupEch;
-	msg.length = (unsigned int)sizeof(clientHelloDupEch);
-	wolfSSL_SetIOReadCtx(ssl, &msg);
+    msg.buffer = (unsigned char*)clientHelloDupEch;
+    msg.length = (unsigned int)sizeof(clientHelloDupEch);
+    wolfSSL_SetIOReadCtx(ssl, &msg);
 
-	ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
-	/* Can return duplicate ext error or socket error if the peer closed
-	 * down while sending alert. */
-	if (wolfSSL_get_error(ssl, 0) != WC_NO_ERR_TRACE(SOCKET_ERROR_E)) {
-		ExpectIntEQ(wolfSSL_get_error(ssl, 0),
-			WC_NO_ERR_TRACE(DUPLICATE_TLS_EXT_E));
-	}
+    ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
+    /* Can return duplicate ext error or socket error if the peer closed
+     * down while sending alert. */
+    if (wolfSSL_get_error(ssl, 0) != WC_NO_ERR_TRACE(SOCKET_ERROR_E)) {
+        ExpectIntEQ(wolfSSL_get_error(ssl, 0),
+            WC_NO_ERR_TRACE(DUPLICATE_TLS_EXT_E));
+    }
 
-	wolfSSL_free(ssl);
-	wolfSSL_CTX_free(ctx);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
 #endif
-	return EXPECT_RESULT();
+    return EXPECT_RESULT();
 }
 
 
@@ -3801,12 +3801,15 @@ int test_tls13_empty_record_limit(void)
         }
 
         /* Build 1 non-empty record */
-        XMEMSET(dataRec, 0, sizeof(dataRec));
-        XMEMCPY(dataRec + RECORD_HEADER_SZ, payload, sizeof(payload));
-        ExpectIntEQ(BuildTls13Message(ssl_c, dataRec, (int)sizeof(dataRec),
-                        dataRec + RECORD_HEADER_SZ, 1, application_data,
-                        0, 0, 0), dataRecSz);
-        XMEMCPY(allRecs + emptyBefore * recSz, dataRec, (size_t)dataRecSz);
+        if (EXPECT_SUCCESS()) {
+            XMEMSET(dataRec, 0, sizeof(dataRec));
+            XMEMCPY(dataRec + RECORD_HEADER_SZ, payload, sizeof(payload));
+            ExpectIntEQ(BuildTls13Message(ssl_c, dataRec, (int)sizeof(dataRec),
+                            dataRec + RECORD_HEADER_SZ, 1, application_data,
+                            0, 0, 0), dataRecSz);
+            XMEMCPY(allRecs + emptyBefore * recSz, dataRec,
+                     (size_t)dataRecSz);
+        }
 
         /* Build (limit - 1) more empty records */
         for (i = 0; i < emptyAfter && EXPECT_SUCCESS(); i++) {