From 9b7db7c3f34e40d2278a82b5bbb57d3539a3eea6 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 6 Aug 2017 19:11:19 +0200
Subject: [PATCH] Document crypto_aead_aes256gcm_*() limitations

---
 .../include/sodium/crypto_aead_aes256gcm.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
index 30bb7315..c3a98abc 100644
--- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
+++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
@@ -1,6 +1,24 @@
 #ifndef crypto_aead_aes256gcm_H
 #define crypto_aead_aes256gcm_H
+/*
+ * WARNING: Despite being the most popular AEAD construction due to its
+ * use in TLS, safely using AES-GCM in a different context is tricky.
+ *
+ * No more than ~ 350 GB of input data should be encrypted with a given key.
+ * This is for ~ 16 KB messages -- Actual figures vary according to the
+ * message sizes.
+ *
+ * In addition, repeated nonces would totally destroy the security of this
+ * scheme. Nonces should thus come from atomic counters, which can be
+ * difficult to set up in a distributed environment.
+ *
+ * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
+ * instead. It doesn't have any of these limitations.
+ * Or, if you don't need to authenticate additional data, just stick to
+ * crypto_secretbox().
+ */
+
 #include
 #include "export.h"
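Review bot: The new warning block tells readers to take nonces from atomic counters but leaves the reason implicit, so someone who already uses random nonces with the XChaCha20 construction elsewhere in libsodium may assume the same habit is safe here. The constraint comes from the 12-byte nonce this header defines: randomly generated nonces collide with non-negligible probability after roughly 2^32 messages under one key, which is why a counter is required rather than merely preferred. Consider adding, after the `difficult to set up in a distributed environment.` line, ` * Random nonces are not a safe substitute: the nonce is only 96 bits long, so collisions become likely after ~2^32 messages encrypted with the same key.` The `~ 350 GB` figure would also be easier for a reader to verify if the comment named the source of the bound (e.g. the per-key data limits in NIST SP 800-38D) instead of stating the number alone. The rest of the header, including the include of stddef.h whose angle-bracket filename appears to have been lost in this rendering, continues past the hunk.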