ocb3: improve handling of L values #765
Description
Right now we pre-compute L values during cipher initialization. Size of the table is regulated by the const generic parameter and the mode instance can not process messages which require larger tables. Arguably, it's a quite leaky API especially considering somewhat subpar handling of default constants/types in Rust. The cached table can also significantly increase size of the mode struct.
Computation of one L value is just a relatively cheap DBL operation, so I think improve handling in one of the following ways:
- Re-compute the L table on each encrypt/decrypt call with table size computed at runtime depending on the message/AAD size. Since we don't have alloca in Rust, we can allocate a sufficiently large array on stack and initialize it only partially.
- Pre-compute a small table (e.g. sufficient for 1 MiB) and compute additional values at runtime if necessary by copying cached values to stack-based array and re-computing the rest.
- Pre-compute a small table and re-compute additional values on the fly if necessary from the last cached value.