From afc774cffbeb9807882b053f21def5e3757a9133 Mon Sep 17 00:00:00 2001
From: Peter Dettman <peter.dettman@bouncycastle.org>
Date: Thu, 29 Aug 2019 17:02:26 +0700
Subject: CCM: only enforce the tag length restrictions for encryption

---
 crypto/src/crypto/modes/CcmBlockCipher.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/src/crypto/modes/CcmBlockCipher.cs b/crypto/src/crypto/modes/CcmBlockCipher.cs
index 0e4bb7fc9..2981fdcb2 100644
--- a/crypto/src/crypto/modes/CcmBlockCipher.cs
+++ b/crypto/src/crypto/modes/CcmBlockCipher.cs
@@ -68,7 +68,7 @@ namespace Org.BouncyCastle.Crypto.Modes
 
                 nonce = param.GetNonce();
                 initialAssociatedText = param.GetAssociatedText();
-                macSize = GetMacSize(param.MacSize);
+                macSize = GetMacSize(forEncryption, param.MacSize);
                 cipherParameters = param.Key;
             }
             else if (parameters is ParametersWithIV)
@@ -77,7 +77,7 @@ namespace Org.BouncyCastle.Crypto.Modes
 
                 nonce = param.GetIV();
                 initialAssociatedText = null;
-                macSize = GetMacSize(64);
+                macSize = GetMacSize(forEncryption, 64);
                 cipherParameters = param.Parameters;
             }
             else
@@ -434,9 +434,9 @@ namespace Org.BouncyCastle.Crypto.Modes
             return cMac.DoFinal(macBlock, 0);
         }
 
-        private int GetMacSize(int requestedMacBits)
+        private int GetMacSize(bool forEncryption, int requestedMacBits)
         {
-            if (requestedMacBits < 32 || requestedMacBits > 128 || 0 != (requestedMacBits & 15))
+            if (forEncryption && (requestedMacBits < 32 || requestedMacBits > 128 || 0 != (requestedMacBits & 15)))
                 throw new ArgumentException("tag length in octets must be one of {4,6,8,10,12,14,16}");
 
             return requestedMacBits >> 3;
-- 
cgit 1.4.1