On Tue, 28 Jul 2020 at 15:03, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Jul 28, 2020 at 02:59:24PM +0300, Ard Biesheuvel wrote:
> >
> > How is it malformed? Between 16 and 31 bytes of input is perfectly
> > valid for cts(cbc(aes)), and splitting it up after the first chunk
> > should be as well, no?
>
> This is the whole point of final_chunksize. If you're going to
> do chaining then you must always withhold at least final_chunksize
> bytes until you're at the final chunk.
>
> If you disobey that then you get undefined results.
>

Ah ok, I'm with you now. So the contract is that using CRYPTO_TFM_REQ_MORE is only permitted if you take the final chunksize into account. If you don't use that flag, you can ignore it.
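The contract Herbert describes, as an added example that is not from the thread or from the kernel: a Python model of chained cts(cbc(...)) requests. The block cipher is a constructed toy, and treating a CRYPTO_TFM_REQ_MORE request as whole-block CBC with the chaining value carried over is an assumption of the model; the point it shows is that a split which withholds fewer than final_chunksize bytes (for example leaving only one block for the final request) no longer reproduces the one-shot CTS ciphertext.

```python
# Model of the final_chunksize contract for chained cts(cbc(...)) requests.
BS = 16                    # block size of the underlying cipher
FINAL_CHUNKSIZE = 2 * BS   # cts(cbc) must hold back its last two blocks

def toy_encrypt(key, block):
    """Constructed stand-in for the AES block cipher: a bijection, not secure."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, data):
    """Plain CBC over whole blocks; returns (ciphertext, next chaining value)."""
    assert len(data) % BS == 0
    out, prev = b"", iv
    for i in range(0, len(data), BS):
        prev = toy_encrypt(key, xor(data[i:i + BS], prev))
        out += prev
    return out, prev

def cts_cbc_encrypt(key, iv, data):
    """One-shot CBC-CS3 (the variant cts(cbc(aes)) implements): a single block is
    plain CBC; otherwise the last two blocks are swapped and the final truncated."""
    if len(data) < BS:
        raise ValueError("cts needs at least one full block")
    if len(data) == BS:
        return cbc_encrypt(key, iv, data)[0]
    d = len(data) % BS or BS                      # bytes in the final block
    head, tail = data[:-d], data[-d:]
    c_head, prev = cbc_encrypt(key, iv, head)     # C1 .. C(n-1)
    last = toy_encrypt(key, xor(prev, tail.ljust(BS, b"\0")))  # Cn'
    return c_head[:-BS] + last + prev[:d]         # C1 .. C(n-2), Cn', C(n-1)[:d]

def chained_encrypt(key, iv, chunks, enforce=True):
    """Submit `chunks` as consecutive requests, all but the last flagged MORE.
    Model assumption: a MORE request is whole-block CBC with the chaining value
    carried over; the final request runs CTS on the remainder.  With enforce=True
    a MORE request that leaves fewer than FINAL_CHUNKSIZE bytes is rejected."""
    remaining = sum(map(len, chunks))
    out, prev = b"", iv
    for c in chunks[:-1]:
        remaining -= len(c)
        if enforce and (len(c) % BS or remaining < FINAL_CHUNKSIZE):
            raise ValueError("MORE request must withhold final_chunksize bytes")
        ct, prev = cbc_encrypt(key, prev, c)
        out += ct
    return out + cts_cbc_encrypt(key, prev, chunks[-1])

def split_matches_oneshot(key, iv, msg, cut, enforce=True):
    """True iff [msg[:cut], msg[cut:]] as two requests equals the one-shot result."""
    return chained_encrypt(key, iv, [msg[:cut], msg[cut:]], enforce) == cts_cbc_encrypt(key, iv, msg)
```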