From 568c660bf5648a68db156d394b239ac6c4e41f3f Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 27 Jun 2026 19:50:52 -0500
Subject: [PATCH] wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate old FIPS using old authTagSz check.
---
 wolfcrypt/src/pkcs7.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index a12eb7e924..9f6b26e99b 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -15263,16 +15263,19 @@ authenv_atrbend:
 if (ret == 0 && (encOID == AES128GCMb || encOID == AES192GCMb || encOID == AES256GCMb)) {
-#ifdef HAVE_AESGCM
+ #if (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)) || \
+ defined(HAVE_SELFTEST) || !defined(HAVE_AESGCM)
+ if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+ WOLFSSL_MSG("AuthEnvelopedData GCM authTag too small");
+ ret = ASN_PARSE_E;
+ }
+ #else
 ret = wc_local_AesGcmCheckTagSz(authTagSz);
 if (ret != 0) {
 ret = ASN_PARSE_E;
 WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size");
 }
-#else
-#endif
- ret = ASN_PARSE_E;
- WOLFSSL_MSG("AuthEnvelopedData GCM with GCM not compiled in");
+ #endif
 }
 if (ret == 0 && (encOID == AES128CCMb || encOID == AES192CCMb ||