On Wed, 30 Mar 2022 13:24:06 -0700 Jakub Kicinski wrote:
> Noob question for crypto folks, ivsize for AES CCM is reported
> as 16, but the real nonce size is 13 for TLS (q == 2, n == 13
> using NIST's variable names AFAICT). Are we required to zero out
> the rest of the buffer?

I guess we don't; set_msg_len() explicitly clears the tail of the buffer.
Hopefully KASAN won't be upset about the uninit read in format_input(),
since it memcpy()s the entire 16B of iv.

> In particular I think I've seen transient crypto failures with
> SM4 CCM in the past and zeroing the tail of the iv buffer seems
> to make the tests pass reliably.
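The IV layout the thread is discussing, as an added example that is not code from the thread or from the kernel's crypto/ccm.c. The 16-byte CCM "iv" is flags byte (q - 1), then the n-byte nonce, then a q-byte tail; for TLS that is q == 2, n == 13. ccm_set_msg_len() and ccm_format_b0() are my own simplified versions modelled on the set_msg_len() and format_input() helpers named above, ccm_counter_block() follows the RFC 3610 / SP 800-38C counter format, and kTlsNonce is a constructed sample value. ccm_tail_is_irrelevant() makes the point of the reply concrete: because the length (or counter) write clears the tail first, stale bytes there never reach B_0 or Ctr_0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCM_BLOCK 16
#define TLS_CCM_NONCE_LEN 13   /* n == 13 for TLS */
#define TLS_CCM_Q 2            /* q == 2: two-byte length / counter field */

/* Constructed sample nonce (not from the thread): 13 bytes, 0x01..0x0d. */
static const uint8_t kTlsNonce[TLS_CCM_NONCE_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d
};

/* A payload length fits if it is representable in q bytes. */
int ccm_msglen_fits(size_t q, uint64_t msglen)
{
    return q >= 8 || msglen < (1ULL << (8 * q));
}

/* Kernel-style CCM IV: iv[0] = q-1 (RFC 3610 "L'"), then the nonce, then the
 * q-byte tail that CCM reuses as length field (B_0) or counter (CTR). */
void ccm_build_iv(uint8_t iv[CCM_BLOCK], const uint8_t *nonce, size_t n, size_t q)
{
    iv[0] = (uint8_t)(q - 1);
    memcpy(iv + 1, nonce, n);
    memset(iv + 1 + n, 0, q);              /* the zeroing the question asks about */
}

/* Modelled on set_msg_len(): clear the last q bytes, then write msglen
 * big-endian into them. Returns 0 on success, -1 if msglen does not fit. */
int ccm_set_msg_len(uint8_t block[CCM_BLOCK], size_t q, uint64_t msglen)
{
    if (!ccm_msglen_fits(q, msglen))
        return -1;
    memset(block + CCM_BLOCK - q, 0, q);
    for (size_t i = 0; i < q; i++) {
        block[CCM_BLOCK - 1 - i] = (uint8_t)(msglen & 0xff);
        msglen >>= 8;
    }
    return 0;
}

/* Modelled on format_input(): copy all 16 iv bytes (stale tail included), OR
 * the Adata and tag-length bits into the flags byte, then overwrite the tail
 * with the payload length. */
int ccm_format_b0(uint8_t b0[CCM_BLOCK], const uint8_t iv[CCM_BLOCK],
                  size_t taglen, int has_aad, uint64_t msglen)
{
    size_t q = (size_t)(iv[0] & 7) + 1;

    memcpy(b0, iv, CCM_BLOCK);
    b0[0] |= (uint8_t)(((taglen - 2) / 2) << 3);
    if (has_aad)
        b0[0] |= 0x40;
    return ccm_set_msg_len(b0, q, msglen);
}

/* Counter block Ctr_i: flags byte is only q-1, nonce unchanged, i big-endian in the tail. */
int ccm_counter_block(uint8_t ctr[CCM_BLOCK], const uint8_t iv[CCM_BLOCK], uint64_t i)
{
    size_t q = (size_t)(iv[0] & 7) + 1;

    memcpy(ctr, iv, CCM_BLOCK);
    ctr[0] = (uint8_t)(q - 1);
    return ccm_set_msg_len(ctr, q, i);     /* same clear-then-write as the length field */
}

/* Returns 1 if a stale tail in the iv yields the same B_0 and Ctr_0 as a zeroed tail. */
int ccm_tail_is_irrelevant(const uint8_t *nonce, size_t n, size_t q)
{
    uint8_t clean[CCM_BLOCK], dirty[CCM_BLOCK], b0c[CCM_BLOCK], b0d[CCM_BLOCK];
    uint8_t c0c[CCM_BLOCK], c0d[CCM_BLOCK];

    ccm_build_iv(clean, nonce, n, q);
    memcpy(dirty, clean, CCM_BLOCK);
    memset(dirty + 1 + n, 0xa5, q);        /* constructed "uninitialised" tail */
    if (ccm_format_b0(b0c, clean, 16, 1, 1234) || ccm_format_b0(b0d, dirty, 16, 1, 1234))
        return 0;
    if (ccm_counter_block(c0c, clean, 0) || ccm_counter_block(c0d, dirty, 0))
        return 0;
    return memcmp(b0c, b0d, CCM_BLOCK) == 0 && memcmp(c0c, c0d, CCM_BLOCK) == 0;
}

/* TLS layout check: q = 2, n = 13, 16-byte tag, AAD present, 1234-byte payload. */
int ccm_tls_selftest(void)
{
    uint8_t iv[CCM_BLOCK], b0[CCM_BLOCK];

    ccm_build_iv(iv, kTlsNonce, TLS_CCM_NONCE_LEN, TLS_CCM_Q);
    if (iv[0] != 0x01 || iv[14] != 0 || iv[15] != 0 || ccm_format_b0(b0, iv, 16, 1, 1234))
        return 0;
    /* flags = Adata 0x40 | ((16-2)/2 = 7) << 3 = 0x38 | q-1 = 0x01 -> 0x79; 1234 = 0x04d2 */
    return b0[0] == 0x79 && memcmp(b0 + 1, kTlsNonce, TLS_CCM_NONCE_LEN) == 0 &&
           b0[14] == 0x04 && b0[15] == 0xd2;
}

int main(void)
{
    uint8_t iv[CCM_BLOCK], b0[CCM_BLOCK];

    ccm_build_iv(iv, kTlsNonce, TLS_CCM_NONCE_LEN, TLS_CCM_Q);
    ccm_format_b0(b0, iv, 16, 1, 1234);
    for (int i = 0; i < CCM_BLOCK; i++)
        printf("%02x%c", b0[i], i == CCM_BLOCK - 1 ? '\n' : ' ');
    printf("tail irrelevant: %d, selftest: %d\n",
           ccm_tail_is_irrelevant(kTlsNonce, TLS_CCM_NONCE_LEN, TLS_CCM_Q), ccm_tls_selftest());
    return 0;
}
```

The overwrite in ccm_set_msg_len() is why functional correctness does not depend on the caller zeroing iv[14..15]; the remaining question in the thread, whether a sanitizer objects to the full 16-byte copy of a partially initialised buffer, is a separate tooling concern that zeroing the tail at the caller also settles.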