Document that the minimum truncated MAC length is implementation-defined

2025-11-03 12:11:27 -05:00 · 2018-08-21 14:55:08 +02:00 · 2018-08-21 14:55:08 +02:00 · 6d72ff9e79
commit 6d72ff9e79
parent e1f2d7d1ac
2 changed files with 8 additions and 2 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -788,6 +788,10 @@ typedef uint32_t psa_algorithm_t;
 *                      is true). This may be a truncated or untruncated
 *                      MAC algorithm.
 * \param mac_length    Desired length of the truncated MAC in bytes.
+ *                      This must be at most the full length of the MAC
+ *                      and must be at least an implementation-specified
+ *                      minimum. The implementation-specified minimum
+ *                      shall not be zero.
 *
 * \return              The corresponding MAC algorithm with the specified
 *                      length.
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1600,8 +1600,10 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
    }
    else if( truncated < 4 )
    {
-        /* Too small to make any sense. Reject. 4 bytes is too small for
-         * security but ancient protocols with 32-bit MACs do exist. */
+        /* A very short MAC is too short for security since it can be
+         * brute-forced. Ancient protocols with 32-bit MACs do exist,
+         * so we make this our minimum, even though 32 bits is still
+         * too small for security. */
        status = PSA_ERROR_NOT_SUPPORTED;
    }
    else if( truncated > operation->mac_size )