RFC 5649, "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm", September 2009Source of RFC: IETF - NON WORKING GROUP
See Also: RFC 5649 w/ inline errata
Errata ID: 6943
Publication Format(s) : TEXT
Reported By: Samuel Lee
Date Reported: 2022-04-25
Verifier Name: Roman Danyliw
Date Verified: 2022-04-25
Throughout the document, when it says:
plaintext length may be in range [1, 2^32]
It should say:
plaintext length may be in range [1, 2^32), or [1, 2^32-1]
The text is ambiguous about how to handle a plaintext of size 2^32 bytes. The text seems to suggest a plaintext of size 2^32 is permitted, but the description of generation/verification of the AIV does not handle this case.
As written different implementations could disagree on what constitutes a valid ciphertext.
I would suggest the simplest solution is to explicitly say the maximum plaintext length is 2^32-1 (which is still much larger than any intended use case, as this should be for encrypting keying material).