1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-20 02:25:14 -07:00

Document crypto_aead_aes256gcm_*() limitations

This commit is contained in:
Frank Denis 2017-08-06 19:11:19 +02:00
parent cde31281d1
commit 9b7db7c3f3

View File

@ -1,6 +1,24 @@
#ifndef crypto_aead_aes256gcm_H
#define crypto_aead_aes256gcm_H
/*
* WARNING: Despite being the most popular AEAD construction due to its
* use in TLS, safely using AES-GCM in a different context is tricky.
*
* No more than ~ 350 GB of input data should be encrypted with a given key.
* This is for ~ 16 KB messages -- Actual figures vary according to the
* message sizes.
*
* In addition, repeated nonces would totally destroy the security of this
* scheme. Nonces should thus come from atomic counters, which can be
* difficult to set up in a distributed environment.
*
* Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
* instead. It doesn't have any of these limitations.
* Or, if you don't need to authenticate additional data, just stick to
* crypto_secretbox().
*/
#include <stddef.h>
#include "export.h"