diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 4fbf3ef15..165382b06 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -7305,10 +7305,7 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         return BAD_FUNC_ARG;
 
     /* sanity check on tag size */
-    if (authTagSz != 4 && authTagSz != 6 && authTagSz != 8 &&
-            authTagSz != 10 && authTagSz != 12 && authTagSz != 14 &&
-            authTagSz != 16) {
-        WOLFSSL_MSG("Bad auth tag size AES-CCM");
+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
         return BAD_FUNC_ARG;
     }
 
diff --git a/wolfcrypt/src/port/arm/armv8-aes.c b/wolfcrypt/src/port/arm/armv8-aes.c
index ad5cfa873..8999a6f74 100644
--- a/wolfcrypt/src/port/arm/armv8-aes.c
+++ b/wolfcrypt/src/port/arm/armv8-aes.c
@@ -4510,6 +4510,10 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
             || authTag == NULL || nonceSz < 7 || nonceSz > 13)
         return BAD_FUNC_ARG;
 
+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
+        return BAD_FUNC_ARG;
+    }
+
     o = out;
     oSz = inSz;
     XMEMCPY(B+1, nonce, nonceSz);
diff --git a/wolfcrypt/src/port/caam/caam_aes.c b/wolfcrypt/src/port/caam/caam_aes.c
index dad970ccc..c83e6c931 100644
--- a/wolfcrypt/src/port/caam/caam_aes.c
+++ b/wolfcrypt/src/port/caam/caam_aes.c
@@ -580,6 +580,10 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out,
         authTagSz > AES_BLOCK_SIZE)
         return BAD_FUNC_ARG;
 
+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
+        return BAD_FUNC_ARG;
+    }
+
     if (wc_AesGetKeySize(aes, &keySz) != 0) {
          return BAD_FUNC_ARG;
     }