Document crypto_aead_aes256gcm_*() limitations

2017-08-06 19:11:19 +02:00 · 2017-08-06 19:11:19 +02:00 · 9b7db7c3f3
commit 9b7db7c3f3
parent cde31281d1
1 changed files with 18 additions and 0 deletions
--- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
+++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
@ -1,6 +1,24 @@
 #ifndef crypto_aead_aes256gcm_H
 #define crypto_aead_aes256gcm_H

+/*
+ * WARNING: Despite being the most popular AEAD construction due to its
+ * use in TLS, safely using AES-GCM in a different context is tricky.
+ *
+ * No more than ~ 350 GB of input data should be encrypted with a given key.
+ * This is for ~ 16 KB messages -- Actual figures vary according to the
+ * message sizes.
+ *
+ * In addition, repeated nonces would totally destroy the security of this
+ * scheme. Nonces should thus come from atomic counters, which can be
+ * difficult to set up in a distributed environment.
+ *
+ * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
+ * instead. It doesn't have any of these limitations.
+ * Or, if you don't need to authenticate additional data, just stick to
+ * crypto_secretbox().
+ */
+
 #include <stddef.h>
 #include "export.h"