Contact Details
No response
Version
master branch, commit from 2026.02.06 (hash: 25db90...)
Description
I am using DTLS 1.3 with TLS_SHA384_SHA384 (integrity only, NULL cipher)
In this case, when BuildTls13Nonce gets executed, seq_offset is calculated as follows:
int seq_offset = AEAD_NONCE_SZ - SEQ_SZ;
According to my understanding, the seq_offset is variable and should depend on the size of the HMAC Nonce.
In wolfssl this is called HMAC_NONCE_SZ
Explanation:
According to Section 5.3 ("Per-Record Nonce") of RFC 8446 (https://www.rfc-editor.org/rfc/rfc8446#section-5.3):
"The resulting quantity (of length iv_length) is used as the per-record nonce."
This means that the nonce has to be the same length as the IV.
According to Section 6 ("Key Schedule when Using Integrity-Only Cipher Suites") of RFC 9150 (https://www.rfc-editor.org/rfc/rfc9150.html#section-6), the IV length of TLS_SHA384_SHA384 is 48.
Therefore, these two combined mean that the nonce length in case of TLS_SHA384_SHA384 shall be 48.
The same issue seems to appear in the case of TLS 1.3 as well (not verified; I just found the same pattern in the code).
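To make the point concrete, here is an added example (not wolfSSL's code, written for this report) that builds the RFC 8446 Section 5.3 per-record nonce for an arbitrary iv_length: the 64-bit sequence number is left-padded with zeros to iv_length and XORed with the static IV, so the sequence number must start at iv_length - 8, not at a fixed AEAD nonce size minus 8. The names build_nonce_at_offset, build_tls13_nonce and seq_lane_start are hypothetical helpers; SEQ_SZ = 8 comes from the RFC, the 12-byte AEAD nonce length used for the "fixed offset" comparison is the usual AES-GCM iv_length, and the all-zero IV in seq_lane_start is a constructed input so that the position of the sequence number is visible in the output.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEQ_SZ 8        /* 64-bit record sequence number, RFC 8446 Section 5.3 */
#define AEAD_NONCE_SZ 12 /* assumed fixed nonce size (AES-GCM iv_length) */
#define MAX_IV_SZ 48    /* largest iv_length used here: TLS_SHA384_SHA384, RFC 9150 Section 6 */

/* Build a nonce by XORing the big-endian sequence number into iv starting at
 * seq_offset. The offset is a parameter so that a wrong, fixed offset can be
 * compared against the correct one. Returns 0 on success, -1 on a bad length. */
int build_nonce_at_offset(const uint8_t *iv, size_t iv_len, uint64_t seq,
                          size_t seq_offset, uint8_t *nonce)
{
    size_t i;

    if (iv == NULL || nonce == NULL || iv_len > MAX_IV_SZ ||
        seq_offset + SEQ_SZ > iv_len)
        return -1;

    memcpy(nonce, iv, iv_len);
    for (i = 0; i < SEQ_SZ; i++) {
        /* network byte order: most significant byte of seq goes first */
        nonce[seq_offset + i] ^= (uint8_t)(seq >> (8 * (SEQ_SZ - 1 - i)));
    }
    return 0;
}

/* The RFC 8446 construction: the sequence number is padded to iv_length,
 * so its offset is iv_length - SEQ_SZ (4 for AES-GCM, 40 for SHA384). */
int build_tls13_nonce(const uint8_t *iv, size_t iv_len, uint64_t seq,
                      uint8_t *nonce)
{
    if (iv_len < SEQ_SZ)
        return -1;
    return build_nonce_at_offset(iv, iv_len, seq, iv_len - SEQ_SZ, nonce);
}

/* Diagnostic helper: with a constructed all-zero IV, return the index of the
 * first non-zero nonce byte, i.e. where the sequence number landed.
 * Returns -1 if the nonce could not be built or seq is 0. */
int seq_lane_start(size_t iv_len, uint64_t seq, size_t seq_offset)
{
    uint8_t iv[MAX_IV_SZ];
    uint8_t nonce[MAX_IV_SZ];
    size_t i;

    memset(iv, 0, sizeof iv); /* constructed IV, all zeros */
    if (build_nonce_at_offset(iv, iv_len, seq, seq_offset, nonce) != 0)
        return -1;
    for (i = 0; i < iv_len; i++) {
        if (nonce[i] != 0)
            return (int)i;
    }
    return -1;
}

static void print_hex(const char *label, const uint8_t *buf, size_t len)
{
    size_t i;
    printf("%-28s", label);
    for (i = 0; i < len; i++)
        printf("%02x", buf[i]);
    printf("\n");
}

int main(void)
{
    uint8_t iv[MAX_IV_SZ];
    uint8_t nonce[MAX_IV_SZ];
    uint64_t seq = 1;

    memset(iv, 0, sizeof iv); /* constructed IV so the difference is visible */

    /* Correct: sequence number occupies the last 8 bytes of the 48-byte nonce. */
    build_tls13_nonce(iv, 48, seq, nonce);
    print_hex("SHA384, offset 48-8:", nonce, 48);

    /* Wrong: a fixed AEAD_NONCE_SZ - SEQ_SZ offset puts it in bytes 4..11. */
    build_nonce_at_offset(iv, 48, seq, AEAD_NONCE_SZ - SEQ_SZ, nonce);
    print_hex("SHA384, offset 12-8:", nonce, 48);

    /* For AES-GCM both formulas agree, which is why the bug stays hidden there. */
    build_tls13_nonce(iv, 12, seq, nonce);
    print_hex("AES-GCM, offset 12-8:", nonce, 12);
    return 0;
}
```

For a 12-byte IV the two formulas coincide, which is why a fixed AEAD_NONCE_SZ - SEQ_SZ only breaks once an integrity-only suite with a 32- or 48-byte IV is negotiated: the sequence number then lands at bytes 4..11 instead of the final 8 bytes, so the nonce differs from what an RFC 9150 peer derives.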
Reproduction steps
No response
Relevant log output