On Tue, 28 Jul 2020 at 14:53, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Jul 28, 2020 at 02:05:58PM +0300, Ard Biesheuvel wrote:
> >
> > But isn't the final chunksize a function of cryptlen? What happens if
> > i try to use cts(cbc(aes)) to encrypt 16 bytes with the MORE flag, and
> > <16 additional bytes as the final chunk?
>
> The final chunksize is an attribute that the caller has to act on.
> So for cts it tells the caller that it must withhold at least two
> blocks (32 bytes) of data unless it is the final chunk.
>
> Of course the implementation should not crash when given malformed
> input like the ones you suggested but the content of the output will
> be undefined.
>

How is it malformed? Between 16 and 31 bytes of input is perfectly
valid for cts(cbc(aes)), and splitting it up after the first chunk
should be as well, no?
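
The 16-byte-plus-short-tail case discussed above, as an added Python sketch that is not code from this thread or from the kernel: it compares one-shot ciphertext stealing with chunked processing that withholds two blocks. It assumes the CBC-CS3 variant (last two blocks always swapped); the block cipher is a toy Feistel permutation standing in for AES, and all function names and sample values are hypothetical.

```python
import hashlib

BS = 16  # block size in bytes, matching AES

def toy_block_encrypt(key, block):
    # Stand-in 16-byte permutation (4-round Feistel over SHA-256); NOT AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, data):
    # Plain CBC over whole blocks; returns (ciphertext, chaining value).
    out = b""
    for i in range(0, len(data), BS):
        iv = toy_block_encrypt(key, xor(data[i:i + BS], iv))
        out += iv
    return out, iv

def cts_encrypt(key, iv, data):
    # One-shot CBC-CS3: the last two blocks are handled together and swapped.
    if len(data) < BS:
        raise ValueError("cts needs at least one full block")
    if len(data) == BS:                   # single block: plain CBC, nothing to steal
        return cbc_encrypt(key, iv, data)[0]
    d = (len(data) - 1) % BS + 1          # length of the final block, 1..BS
    split = len(data) - d - BS            # everything before the last two blocks
    head, iv = cbc_encrypt(key, iv, data[:split])
    c_prime = toy_block_encrypt(key, xor(data[split:split + BS], iv))
    last = toy_block_encrypt(key, xor(data[split + BS:].ljust(BS, b"\0"), c_prime))
    return head + last + c_prime[:d]

def cts_encrypt_chunked(key, iv, chunks):
    # Caller-side rule from the thread: while more data may follow, keep at
    # least two blocks (32 bytes) back and only CBC the whole blocks before them.
    held, out = b"", b""
    for chunk in chunks[:-1]:             # these chunks would carry the MORE flag
        held += chunk
        ready = max(0, len(held) - 2 * BS) // BS * BS
        ct, iv = cbc_encrypt(key, iv, held[:ready])
        out, held = out + ct, held[ready:]
    return out + cts_encrypt(key, iv, held + chunks[-1])

KEY, IV = b"constructed-key!", bytes(BS)   # constructed sample values
MSG = bytes(range(70))                     # constructed sample plaintext
```

For the 24-byte case, the CBC encryption of the first 16 bytes ends up truncated to 8 bytes at the end of the CS3 output, so it cannot be emitted before the length of the final chunk is known.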