Document that the minimum truncated MAC length is implementation-defined
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 4486242..0aa19cf 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1600,8 +1600,10 @@
     }
     else if( truncated < 4 )
     {
-        /* Too small to make any sense. Reject. 4 bytes is too small for
-         * security but ancient protocols with 32-bit MACs do exist. */
+        /* A very short MAC is too short for security since it can be
+         * brute-forced. Ancient protocols with 32-bit MACs do exist,
+         * so we make this our minimum, even though 32 bits is still
+         * too small for security. */
         status = PSA_ERROR_NOT_SUPPORTED;
     }
     else if( truncated > operation->mac_size )
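Review bot: The new comment on the `truncated < 4` branch explains why 32 bits is accepted, but it does not say that this floor is this implementation's own choice, which is what the commit title promises. A reader could still take 4 bytes as an endorsed minimum rather than a compatibility floor. I would end the comment with something like `* This minimum is implementation-defined; callers must choose a tag length that suits their protocol's forgery tolerance. */`. The bare literal `4` would also read better as a named constant, so the check and the comment cannot drift apart. The enclosing function starts and ends outside the hunk, so I cannot tell whether the same limit is repeated elsewhere.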