ChaCha20 (PSA): Document that we only support 12-byte nonces

Support for 8-byte nonces may be added in the future: https://github.com/ARMmbed/mbedtls/issues/5615 Support for a 16-byte IV for ChaCha20 consisting of a 12-byte nonce and a 4-byte initial counter value may be added in the future: https://github.com/ARMmbed/mbedtls/issues/5616 Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:39:54 +00:00 · 2022-03-10 18:36:37 +01:00 · 2022-03-10 18:36:37 +01:00 · 14d3554ff5
commit 14d3554ff5
parent 44311f5c98
1 changed files with 6 additions and 2 deletions
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -489,8 +489,12 @@
 *
 * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
 *
- * Implementations must support 12-byte nonces, may support 8-byte nonces,
- * and should reject other sizes.
+ * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
+ *       12-byte nonces.
+ *
+ * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
+ *       with the initial counter value 1, you can process and discard a
+ *       64-byte block before the real data.
 */
 #define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x2004)