diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 3caa725b7..e89dba5e1 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -7985,9 +7985,9 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     const word32 wordSz = (word32)sizeof(word32);
 
     /* sanity check on arguments */
-    if (aes == NULL || (inSz != 0 && (in == NULL || out == NULL)) || nonce == NULL
-            || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
-            authTagSz > AES_BLOCK_SIZE)
+    if (aes == NULL || (inSz != 0 && (in == NULL || out == NULL)) ||
+        nonce == NULL || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
+        authTagSz > AES_BLOCK_SIZE)
         return BAD_FUNC_ARG;
 
     /* sanity check on tag size */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 44ac7ee83..7f997873c 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -10350,8 +10350,30 @@ WOLFSSL_TEST_SUBROUTINE int aesccm_test(void)
     if (XMEMCMP(pl, pl2, sizeof(pl2)))
         ERROR_OUT(-6520, out);
 
-    /* test empty message as null input and output --
-     * must work, or fail early with BAD_FUNC_ARG.
+    /* test empty message as null input or output with nonzero inSz. */
+    result = wc_AesCcmEncrypt(enc, pl2 /* out */, NULL /* in */, 1 /* inSz */,
+                              iv, sizeof(iv), t_empty2, sizeof(t_empty2),
+                              a, sizeof(a));
+    if (result != BAD_FUNC_ARG)
+        ERROR_OUT(-6527, out);
+    result = wc_AesCcmEncrypt(enc, NULL /* out */, (const byte *)"" /* in */, 1 /* inSz */,
+                              iv, sizeof(iv), t_empty2, sizeof(t_empty2),
+                              a, sizeof(a));
+    if (result != BAD_FUNC_ARG)
+        ERROR_OUT(-6528, out);
+    result = wc_AesCcmDecrypt(enc, pl2, NULL /* in */, 1 /* inSz */,
+                              iv, sizeof(iv), t_empty2, sizeof(t_empty2), a,
+                              sizeof(a));
+    if (result != BAD_FUNC_ARG)
+        ERROR_OUT(-6529, out);
+    result = wc_AesCcmDecrypt(enc, NULL /* out */, (const byte *)"" /* in */, 1 /* inSz */,
+                              iv, sizeof(iv), t_empty2, sizeof(t_empty2), a,
+                              sizeof(a));
+    if (result != BAD_FUNC_ARG)
+        ERROR_OUT(-6530, out);
+
+    /* test empty message as null input and output with zero inSz --
+     * must either succeed, or fail early with BAD_FUNC_ARG.
      */
     result = wc_AesCcmEncrypt(enc, NULL /* out */, NULL /* in */, 0 /* inSz */,
                               iv, sizeof(iv), t_empty2, sizeof(t_empty2),