[crypto/gcm] Check tag length

siemen11 · nasahlpa · commit 2dbfb168d236 · 2026-04-17T14:32:09.000+02:00
When performing a redundant calculation on the tag, we create a copy
buffer. That buffer is maximally 128 bits. The input tag length should
follow suit to be checked as maximally 128 bits.

Signed-off-by: Siemen Dhooghe &lt;sdhooghe@google.com&gt;
diff --git a/sw/device/lib/crypto/impl/aes_gcm/aes_gcm.c b/sw/device/lib/crypto/impl/aes_gcm/aes_gcm.c
@@ -678,7 +678,7 @@ status_t aes_gcm_decrypt_final(aes_gcm_context_t *ctx, size_t tag_len,
                                const uint32_t *tag, size_t *output_len,
                                uint8_t *output, hardened_bool_t *success) {
   // Get the expected authentication tag.
-  uint32_t expected_tag[tag_len];
+  uint32_t expected_tag[kAesBlockNumWords];
   size_t bytes_written;
   HARDENED_TRY(
       aes_gcm_final(ctx, tag_len, expected_tag, &bytes_written, output));
