From 4efba8f437a93a451d57fd35a2c659f9817d8551 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Mon, 31 Oct 2022 09:00:57 +1000
Subject: [PATCH] ForceZero fix: encryption fail and not EtM

Zeroizing of plaintext on encryption failure will use wrong size when
not using Encrypt-then-MAC. Size may go negative and cast to unsigned.
---
 src/internal.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 4d4d28353b..3c030a5e9a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -20813,8 +20813,16 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
             #endif
                 {
                     /* Zeroize plaintext. */
-                    ForceZero(output + args->headerSz,
-                        (word16)(args->size - args->digestSz));
+            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
+                    if (ssl->options.startedETMWrite) {
+                        ForceZero(output + args->headerSz,
+                            (word16)(args->size - args->digestSz));
+                    }
+                    else
+            #endif
+                    {
+                        ForceZero(output + args->headerSz, (word16)args->size);
+                    }
                 }
                 goto exit_buildmsg;
             }