wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate old FIPS using old authTagSz check.

This commit is contained in:
Daniel Pouzzner
2026-06-27 19:50:52 -05:00
parent d69d49cc68
commit 568c660bf5
+8 -5
@@ -15263,16 +15263,19 @@ authenv_atrbend:
if (ret == 0 &&
(encOID == AES128GCMb || encOID == AES192GCMb ||
encOID == AES256GCMb)) {
#ifdef HAVE_AESGCM
#if (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)) || \
defined(HAVE_SELFTEST) || !defined(HAVE_AESGCM)
if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
WOLFSSL_MSG("AuthEnvelopedData GCM authTag too small");
ret = ASN_PARSE_E;
}
#else
ret = wc_local_AesGcmCheckTagSz(authTagSz);
if (ret != 0) {
ret = ASN_PARSE_E;
WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size");
}
#else
ret = ASN_PARSE_E;
WOLFSSL_MSG("AuthEnvelopedData GCM with GCM not compiled in");
#endif
#endif
}
if (ret == 0 &&
(encOID == AES128CCMb || encOID == AES192CCMb ||
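Review bot: The new FIPS-before-7 / HAVE_SELFTEST branch (`if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)`) enforces only a lower bound on authTagSz, a value parsed from the incoming AuthEnvelopedData, whereas the other branch delegates to wc_local_AesGcmCheckTagSz(), whose name suggests it validates the complete set of permitted tag sizes. Unless the later GCM decrypt on those builds is known to reject oversized tags before any copy into a fixed-size tag buffer, the check should carry an upper bound as well, e.g. `if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || authTagSz > AES_BLOCK_SIZE) {` (16 bytes being the GCM tag maximum). The `!defined(HAVE_AESGCM)` term in the new `#if` also changes what happens when GCM is not compiled in: if the surrounding `#ifdef HAVE_AESGCM` is the line this commit removes, that configuration now only runs the minimum-size check here rather than failing with the "GCM with GCM not compiled in" message, so a short comment stating that the rejection is deferred to the decrypt step would help the next reader. The two branches also order the WOLFSSL_MSG and `ret = ASN_PARSE_E;` statements differently; matching them is a small readability win. The enclosing wc_PKCS7_DecodeAuthEnvelopedData() body begins and ends outside this hunk.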