*
* * @enc@ is called to encrypt a source buffer @s@ and write
* the ciphertext to a destination @d@; @sz@ is the common
- * size of these buffers.
+ * size of these buffers. @d@ might be null, to discard
+ * output; @s@ might be null, to process all-zero input.
*
* * @dec@ is called to decrypt a source buffer @s@ and write
* the recovered plaintext to a destination @d@; @sz@ is the
sz2 = TEXTSZ - sz1 - sz0;
ok = 1;
- /* Encrypt the three fragments. */
+ /* Encrypt the last fragment first, to check discarding behaviour. */
+ if (sz2) {
+ reset(iv);
+ enc(text, 0, sz0);
+ enc(text + sz0, 0, sz1);
+ enc(text + sz0 + sz1, ct + sz0 + sz1, sz2);
+ }
+
+ /* Encrypt the first two fragments. */
reset(iv);
enc(text, ct, sz0);
if (sz1) {
memcpy(ct + sz0, text + sz0, sz1);
enc(ct + sz0, ct + sz0, sz1);
}
- if (sz2)
- enc(text + sz0 + sz1, ct + sz0 + sz1, sz2);
/* Try to check consistency. We can't do this if (a) the mode is
* non-resumable and the fragments sizes are misaligned, or (b) this is