Document that the minimum truncated MAC length is implementation-defined
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 3d99933..48c9713 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -788,6 +788,10 @@
* is true). This may be a truncated or untruncated
* MAC algorithm.
* \param mac_length Desired length of the truncated MAC in bytes.
+ * This must be at most the full length of the MAC
+ * and must be at least an implementation-specified
+ * minimum. The implementation-specified minimum
+ * shall not be zero.
*
* \return The corresponding MAC algorithm with the specified
* length.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 4486242..0aa19cf 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1600,8 +1600,10 @@
}
else if( truncated < 4 )
{
- /* Too small to make any sense. Reject. 4 bytes is too small for
- * security but ancient protocols with 32-bit MACs do exist. */
+ /* A very short MAC is too short for security since it can be
+ * brute-forced. Ancient protocols with 32-bit MACs do exist,
+ * so we make this our minimum, even though 32 bits is still
+ * too small for security. */
status = PSA_ERROR_NOT_SUPPORTED;
}
else if( truncated > operation->mac_size )
