Support for CTS?

[Firstyear]

Some standards like Kerberos like to use block modes that are really rare and uncommon. One of these is CTS which is referenced https://www.rfc-editor.org/rfc/rfc8009#section-1 and SP800-38+ in section 4.

However, almost nothing supports this. It would be great if it could be added to this this crate, since I'm certainly not a cryptographer and I am not confident to implement it myself. :)

[Firstyear]

I ended up digging into this pretty deeply to try to understand the problem space. I'm not sure it's possible in this crate?

The issue is that in CTS mode, the input isn't a multiple of block size. This ends up throwing off the interfaces of this crate which assume blocks will have been pre-padded if required.

The closest I could find that suits the behaviour here with CTS is actually https://docs.rs/aes-gcm/0.10.3/aes_gcm/type.Aes128Gcm.html since that user interface doesn't rely on a blocksize that is fixed. But of course, these traits are related to the AEAD traits which CTS doesn't satisfy. So awkwardly, this would probably actually mean for the CTS modes that a new trait for non-authenticated but also non-padded types are needed.

So perhaps that becomes too much to ask to add since that's a lot of additions (the traits for CipherTextStealing in addition to CBC-CS1, 2 and 3.)

[newpavlov]

CS2 and CS3 can be implemented generically over block modes (e.g. it will be useful for Belt modes). IIRC CS1 can be implemented only for CBC. We do not have suitable traits for them right now, but we can start with inherent methods.

I have a draft implementation, but it's not finished yet.