Properly handle GCM's range of nonce sizes
Add comment to the effect that we cannot really check nonce size as the
GCM spec allows almost arbitrarily large nonces. As a result of this,
change the operation nonce over to an allocated buffer to avoid overflow
situations.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c53020a..fcc22e1 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3429,6 +3429,12 @@
goto exit;
}
+ /* Not checking nonce size here as GCM spec allows almost abitrarily large
+ * nonces. Please note that we do not generally recommend the usage of
+ * nonces of greater length than PSA_AEAD_NONCE_MAX_SIZE, as large nonces
+ * are hashed to a shorter size, which can then lead to collisions if you
+ encrypt a very large number of messages. */
+
status = psa_driver_wrapper_aead_set_nonce( operation, nonce,
nonce_length );
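Review bot: the new comment justifies skipping a nonce-length check with what the GCM spec allows, but `psa_driver_wrapper_aead_set_nonce( operation, nonce, nonce_length )` is the generic AEAD path, so the comment should also say where the length is validated for algorithms with a fixed nonce size (i.e. that the driver or underlying cipher is expected to reject an unsupported `nonce_length`), otherwise a reader will assume no length validation happens at all. Two style points in the same block: "abitrarily" should be "arbitrarily", and the last comment line `+ encrypt a very large number of messages. */` is missing the leading ` *` that the other continuation lines use, so the block comment is inconsistently formatted. Also note that this hunk only adds the comment; the switch of the operation nonce to an allocated buffer described in the commit message is not part of this hunk and should be reviewed where it appears.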