Properly handle GCM's range of nonce sizes

Add comment to the effect that we cannot really check nonce size as the GCM spec allows almost arbitrarily large nonces. As a result of this, change the operation nonce over to an allocated buffer to avoid overflow situations. Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2026-01-06 11:41:12 +03:00 · 2021-05-20 18:24:07 +01:00
parent ee4ffe0079
commit 1a98acac1c
4 changed files with 27 additions and 5 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3429,6 +3429,12 @@ psa_status_t psa_aead_set_nonce( psa_aead_operation_t *operation,
        goto exit;
    }

+    /* Not checking nonce size here as GCM spec allows almost abitrarily large
+     * nonces. Please note that we do not generally recommend the usage of
+     * nonces of greater length than PSA_AEAD_NONCE_MAX_SIZE, as large nonces
+     * are hashed to a shorter size, which can then lead to collisions if you
+       encrypt a very large number of messages. */
+
    status = psa_driver_wrapper_aead_set_nonce( operation, nonce,
                                                nonce_length );