/* --- Derive the key sizes --- *
*
* Must ensure that we have non-empty keys. This isn't ideal, but it
- * provides a handy sanity check.
+ * provides a handy sanity check. Also must be based on a 64- or 128-bit
+ * block cipher or we can't do the data expiry properly.
*/
a->hashsz = a->h->hashsz;
if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
return ("no key size found for MAC");
+ /* --- Derive the data limit --- */
+
+ if (a->c->blksz < 16) a->expsz = MEG(64);
+ else a->expsz = MEG(2048);
+
/* --- Ensure that the tag size is sane --- */
if (a->tagsz > a->m->hashsz) return ("tag length too large");