From 8826823724543ded30d5b73493efcd3a94d95d8e Mon Sep 17 00:00:00 2001
From: kaleb-himes <kaleb@wolfssl.com>
Date: Mon, 12 Oct 2020 12:05:44 -0600
Subject: [PATCH] In ACVP testing NIST needs to see failed decryption output

---
 wolfcrypt/src/aes.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 0e5c6b906..11df25dd2 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -7459,7 +7459,12 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         /* If the authTag check fails, don't keep the decrypted data.
          * Unfortunately, you need the decrypted data to calculate the
          * check value. */
-        XMEMSET(out, 0, inSz);
+        #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) && \
+            defined(ACVP_VECTOR_TESTING)
+            WOLFSSL_MSG("Preserve output for vector responses");
+        #else
+            XMEMSET(out, 0, inSz);
+        #endif
         result = AES_CCM_AUTH_E;
     }