wolfcrypt/src/port/kcapi/kcapi_aes.c: add backward-compat code paths for authTagSz validation on old FIPS.

Daniel Pouzzner
2026-07-01 12:48:02 -05:00
parent 41daf899b3
commit bb7b4ccc77
+18 -4
@@ -240,14 +240,21 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
ret = BAD_FUNC_ARG;
}
if ((ret == 0) && ((ivSz != WC_SYSTEM_AESGCM_IV) ||
(authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ))) {
if ((ret == 0) && ((ivSz != WC_SYSTEM_AESGCM_IV)
#if defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)
|| (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)
|| (authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ)
#endif
))
{
WOLFSSL_MSG("IV/AAD size not supported on system");
ret = BAD_FUNC_ARG;
}
#if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)
if (ret == 0)
ret = wc_local_AesGcmCheckTagSz(authTagSz);
#endif
if (ret == 0) {
ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
@@ -353,14 +360,21 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
ret = BAD_FUNC_ARG;
}
if ((ret == 0) && ((ivSz != WC_SYSTEM_AESGCM_IV) ||
(authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ))) {
if ((ret == 0) && ((ivSz != WC_SYSTEM_AESGCM_IV)
#if defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)
|| (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)
|| (authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ)
#endif
))
{
WOLFSSL_MSG("IV/AAD size not supported on system");
ret = BAD_FUNC_ARG;
}
#if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)
if (ret == 0)
ret = wc_local_AesGcmCheckTagSz(authTagSz);
#endif
if (ret == 0) {
ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0);
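Review bot: In wc_AesGcmEncrypt, and in the same way in wc_AesGcmDecrypt, builds without HAVE_FIPS or with FIPS >= 7.0.0 no longer test `authTagSz` inline, so both tag-length bounds now rest entirely on `wc_local_AesGcmCheckTagSz()`, whose body is not visible in this diff. Please confirm that the helper rejects values below `WOLFSSL_MIN_AUTH_TAG_SZ` as well as above `WOLFSSL_MAX_AUTH_TAG_SZ`, because on the decrypt side an accepted short tag lowers the forgery resistance of GCM. The two preprocessor conditions are meant to be exact complements but are written out separately, so a comment above the first `#if`, such as `/* FIPS < 7.0.0: tag size is bounds-checked inline; newer builds use wc_local_AesGcmCheckTagSz() below */`, would help keep them in sync. The log text `"IV/AAD size not supported on system"` also fires for a bad tag size on the old-FIPS path, where `"IV/tag size not supported on system"` would describe the failure more accurately. Both functions start and end outside the hunks shown.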