From 14d3554ff5cd2b16ab1505144f9d094fb0f1c59f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 10 Mar 2022 18:36:37 +0100
Subject: [PATCH] ChaCha20 (PSA): Document that we only support 12-byte nonces

Support for 8-byte nonces may be added in the future:
https://github.com/ARMmbed/mbedtls/issues/5615

Support for a 16-byte IV for ChaCha20 consisting of a 12-byte nonce and a
4-byte initial counter value may be added in the future:
https://github.com/ARMmbed/mbedtls/issues/5616

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 include/psa/crypto_values.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 5a903f86ab..a81a014e46 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -489,8 +489,12 @@
  *
  * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
  *
- * Implementations must support 12-byte nonces, may support 8-byte nonces,
- * and should reject other sizes.
+ * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
+ *       12-byte nonces.
+ *
+ * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
+ *       with the initial counter value 1, you can process and discard a
+ *       64-byte block before the real data.
  */
 #define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x2004)