Re: [v3 PATCH 3/31] crypto: cts - Add support for chaining

On Tue, Jul 28, 2020 at 02:59:24PM +0300, Ard Biesheuvel wrote:
>
> How is it malformed? Between 16 and 31 bytes of input is perfectly
> valid for cts(cbc(aes)), and splitting it up after the first chunk
> should be as well, no?

This is the whole point of final_chunksize.  If you're going to
do chaining then you must always withhold at least final_chunksize
bytes until you're at the final chunk.

If you disobey that then you get undefined results.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
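
The withholding rule from the message above, as an added example: a user-space model of a caller that buffers incoming data and releases non-final chunks only while at least final_chunksize bytes stay behind. It is not code from the patch series or the kernel. `chain_state`, `chain_feed` and `chain_simulate` are hypothetical names, the final_chunksize value of 32 is assumed for illustration, and releasing only whole blocks in non-final chunks is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of the caller's side of chaining; not kernel code. */
struct chain_state {
    size_t blocksize;        /* cipher block size, nonzero (16 for AES) */
    size_t final_chunksize;  /* bytes to withhold for the final call */
    size_t held;             /* received but not yet submitted */
    size_t submitted;        /* total sent so far as non-final chunks */
};

/* Account for len new bytes; return how many held bytes may go out now as a
 * non-final chunk: whole blocks only (an assumption, as for CBC), always
 * leaving at least final_chunksize bytes behind. */
static size_t chain_feed(struct chain_state *s, size_t len)
{
    size_t spare, out;

    s->held += len;
    if (s->held <= s->final_chunksize)
        return 0;
    spare = s->held - s->final_chunksize;
    out = spare - spare % s->blocksize;
    s->held -= out;
    s->submitted += out;
    return out;
}

/* Feed the given piece sizes in order; whatever is still held afterwards
 * is the size of the final chunk. */
static struct chain_state chain_simulate(const size_t *pieces, size_t count,
                                         size_t blocksize, size_t final_chunksize)
{
    struct chain_state s = { blocksize, final_chunksize, 0, 0 };
    size_t i;

    for (i = 0; i < count; i++)
        chain_feed(&s, pieces[i]);
    return s;
}

int main(void)
{
    /* Constructed input: 31 bytes arriving as 16 + 15; final_chunksize 32 is assumed. */
    size_t pieces[] = { 16, 15 };
    struct chain_state s = chain_simulate(pieces, 2, 16, 32);
    printf("non-final: %zu bytes, final chunk: %zu bytes\n", s.submitted, s.held);
    return 0;
}
```

With these assumed values the 16 + 15 byte input is never split: nothing goes out as a non-final chunk and all 31 bytes reach the final call together.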
