From de24220853bc41562eb3121abcd1e97d4a69bd18 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Thu, 5 Mar 2026 09:10:47 +0000
Subject: [PATCH] ccm_finish: Updated to only accept lens set by
 ccm_set_lengths

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 library/ccm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ccm.c b/library/ccm.c
index 8025409690..a6eed4a56c 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -488,11 +488,11 @@ int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
         return MBEDTLS_ERR_CCM_BAD_INPUT;
     }
 
-    /* Reject invalid tag lengths and mismatches with negotiated length (if set). */
-    if (tag_len != 0 && (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0)) {
+    if (!(ctx->state & CCM_STATE__LENGTHS_SET)) {
         return MBEDTLS_ERR_CCM_BAD_INPUT;
     }
-    if ((ctx->state & CCM_STATE__LENGTHS_SET) && tag_len != ctx->tag_len) {
+
+    if (tag_len != ctx->tag_len) {
         return MBEDTLS_ERR_CCM_BAD_INPUT;
     }