From f486e286948bb96fcaf746f440a1cf936ba048f2 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Thu, 4 Jun 2020 13:33:08 +0100
Subject: [PATCH] Document precondition of nonce-generating function in
 ssl_msg.c

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
---
 library/ssl_msg.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 32bbc97be..ae8d07653 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -565,6 +565,13 @@ static int ssl_transform_aead_dynamic_iv_is_explicit(
  *    This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
  *
  * See also the documentation of mbedtls_ssl_transform.
+ *
+ * This function has the precondition that
+ *
+ *     dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
+ *
+ * which has to be ensured by the caller. If this precondition
+ * violated, the behavior of this function is undefined.
  */
 static void ssl_build_record_nonce( unsigned char *dst_iv,
                                     size_t dst_iv_len,