From 47cf8d066c6422279a8bcd11b7cbae17ca7a368f Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 27 Jun 2026 16:09:57 -0500
Subject: [PATCH] wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate AES*GCMb with !HAVE_AESGCM, and add AES-CCM authTagSz check.
---
 wolfcrypt/src/pkcs7.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 866dac4716..a12eb7e924 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -15263,11 +15263,23 @@ authenv_atrbend:
 if (ret == 0 &&
 (encOID == AES128GCMb || encOID == AES192GCMb ||
 encOID == AES256GCMb)) {
+#ifdef HAVE_AESGCM
 ret = wc_local_AesGcmCheckTagSz(authTagSz);
 if (ret != 0) {
 ret = ASN_PARSE_E;
 WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size");
 }
+#else
+ ret = ASN_PARSE_E;
+ WOLFSSL_MSG("AuthEnvelopedData GCM with GCM not compiled in");
+#endif
+ }
+ if (ret == 0 &&
+ (encOID == AES128CCMb || encOID == AES192CCMb ||
+ encOID == AES256CCMb) &&
+ authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+ WOLFSSL_MSG("AuthEnvelopedData CCM authTag too small");
+ ret = ASN_PARSE_E;
 }

 #ifndef NO_PKCS7_STREAM
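Review bot: The new CCM branch enforces only a lower bound on the tag length, whereas the GCM branch above it delegates to `wc_local_AesGcmCheckTagSz()` for a full validity check. CCM defines only even tag lengths from 4 to 16 bytes, so unless an upper-bound and parity check exists outside this hunk (the rest of wc_PKCS7_DecodeAuthEnvelopedData() is not visible here), an odd or oversized `authTagSz` taken from the message is left for the later decrypt call to reject. If no such check exists, the size test could become `(authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || authTagSz > WC_AES_BLOCK_SIZE || (authTagSz & 1) != 0)`, with the message reworded to "invalid size" to match the GCM one. The CCM branch also has no `HAVE_AESCCM` guard mirroring the new `HAVE_AESGCM` one, so it is worth confirming that a CCM OID in a build without CCM is rejected on a later path, and that `WOLFSSL_MIN_AUTH_TAG_SZ` is still defined when neither AEAD mode is compiled in.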