From 948ba6ec10c92be9be7e25eafbac8ea83400c096 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Sat, 27 Jun 2026 14:29:06 -0500
Subject: [PATCH] * add hard compile-time assert in settings.h for FIPS v7+ asserting that WOLFSSL_MIN_AUTH_TAG_SZ meets SP 800-38D Rev 1 requirements.
---
 wolfssl/wolfcrypt/settings.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index a3ac739be5..8293226b3d 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -3558,6 +3558,12 @@
 #error WOLFSSL_MIN_AUTH_TAG_SZ must be at least 1
 #endif
+#if defined(HAVE_FIPS) && FIPS_VERSION3_GE(7, 0, 0)
+ /* No short (<96 bit) tags per SP 800-38D 2026 revision in process. */
+ #if WOLFSSL_MIN_AUTH_TAG_SZ < 12
+ #error WOLFSSL_MIN_AUTH_TAG_SZ must be >= 12 per SP 800-38D Rev 1
+ #endif
+#endif
 /* sniffer requires:
 * static RSA cipher suites
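Review bot: The added comment and the `#error` text disagree on both the document name and the unit: the comment cites "SP 800-38D 2026 revision in process" and speaks of 96 bits, while the message cites "SP 800-38D Rev 1" and compares against a bare 12. Someone whose FIPS v7 build fails here cannot tell from the message that the macro is a byte count, or that the cited revision is not yet final. I would make the two agree, for example `/* WOLFSSL_MIN_AUTH_TAG_SZ is in bytes; SP 800-38D Rev 1 (revision in process) drops tags shorter than 96 bits. */` and `#error WOLFSSL_MIN_AUTH_TAG_SZ must be >= 12 bytes (96 bits) per SP 800-38D Rev 1`. The check only constrains the configured minimum at build time; whether every caller-supplied tag length is compared against this macro at run time is not visible in this hunk and is worth confirming.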