[u/mdw/catacomb] / counter-def.h

/* -*-c-*-
 *
 * $Id: counter-def.h,v 1.4 2004/04/08 01:36:15 mdw Exp $
 *
 * Block cipher counter mode (or long cycle mode)
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_COUNTER_DEF_H
#define CATACOMB_COUNTER_DEF_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Header files ------------------------------------------------------*/

#include <stdarg.h>
#include <string.h>

#include <mLib/bits.h>
#include <mLib/sub.h>

#ifndef CATACOMB_ARENA_H
#  include "arena.h"
#endif

#ifndef CATACOMB_BLKC_H
#  include "blkc.h"
#endif

#ifndef CATACOMB_GCIPHER_H
#  include "gcipher.h"
#endif

#ifndef CATACOMB_PARANOIA_H
#  include "paranoia.h"
#endif

/*----- Macros ------------------------------------------------------------*/

/* --- @COUNTER_DEF@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for the underlying block cipher
 *
 * Use:		Creates definitions for counter mode.
 */

#define COUNTER_DEF(PRE, pre)						\
									\
/* --- @pre_countergetiv@ --- *						\
 *									\
 * Arguments:	@const pre_counterctx *ctx@ = pointer to counter	\
 *			context						\
 *		@void *iv@ = pointer to output data block		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Reads the currently set IV.  Reading and setting an IV	\
 *		is not transparent to the cipher.  It will add a `step'	\
 *		which must be matched by a similar operation during	\
 *		decryption.						\
 */									\
									\
void pre##_countergetiv(const pre##_counterctx *ctx, void *iv)		\
{									\
  BLKC_STORE(PRE, iv, ctx->n);						\
}									\
									\
/* --- @pre_countersetiv@ --- *						\
 *									\
 * Arguments:	@pre_counterctx *ctx@ = pointer to counter context	\
 *		@cnost void *iv@ = pointer to IV to set			\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the IV to use for subsequent encryption.		\
 */									\
									\
void pre##_countersetiv(pre##_counterctx *ctx, const void *iv)		\
{									\
  BLKC_LOAD(PRE, ctx->n, iv);						\
  ctx->off = PRE##_BLKSZ;						\
}									\
									\
/* --- @pre_counterbdry@ --- *						\
 *									\
 * Arguments:	@pre_counterctx *ctx@ = pointer to counter context	\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Inserts a boundary during encryption.  Successful	\
 *		decryption must place a similar boundary.		\
 */									\
									\
void pre##_counterbdry(pre##_counterctx *ctx)				\
{									\
  BLKC_STEP(PRE, ctx->n);						\
  ctx->off = PRE##_BLKSZ;						\
}									\
									\
/* --- @pre_countersetkey@ --- *					\
 *									\
 * Arguments:	@pre_counterctx *ctx@ = pointer to counter context	\
 *		@const pre_ctx *k@ = pointer to cipher context		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the counter context to use a different cipher key.	\
 */									\
									\
void pre##_countersetkey(pre##_counterctx *ctx, const pre##_ctx *k)	\
{									\
  ctx->ctx = *k;							\
}									\
									\
/* --- @pre_counterinit@ --- *						\
 *									\
 * Arguments:	@pre_counterctx *ctx@ = pointer to cipher context	\
 *		@const void *key@ = pointer to the key buffer		\
 *		@size_t sz@ = size of the key				\
 *		@const void *iv@ = pointer to initialization vector	\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Initializes a counter context ready for use.  You	\
 *		should ensure that the IV chosen is unique: reusing an	\
 *		IV will compromise the security of the entire		\
 *		plaintext.  This is equivalent to calls to @pre_init@,	\
 *		@pre_countersetkey@ and @pre_countersetiv@.		\
 */									\
									\
void pre##_counterinit(pre##_counterctx *ctx,				\
		       const void *key, size_t sz,			\
		       const void *iv)					\
{									\
  static const octet zero[PRE##_BLKSZ] = { 0 };				\
  pre##_init(&ctx->ctx, key, sz);					\
  pre##_countersetiv(ctx, iv ? iv : zero);				\
}									\
									\
/* --- @pre_counterencrypt@ --- *					\
 *									\
 * Arguments:	@pre_counterctx *ctx@ = pointer to counter context	\
 *		@const void *src@ = pointer to source data		\
 *		@void *dest@ = pointer to destination data		\
 *		@size_t sz@ = size of block to be encrypted		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Encrypts or decrypts a block with a block cipher in	\
 *		counter mode: encryption and decryption are the same in	\
 *		counter.  The destination may be null to just churn the	\
 *		feedback round for a bit.  The source may be null to	\
 *		use the cipher as a random data generator.		\
 */									\
									\
void pre##_counterencrypt(pre##_counterctx *ctx,			\
			  const void *src, void *dest,			\
			  size_t sz)					\
{									\
  const octet *s = src;							\
  octet *d = dest;							\
  unsigned off = ctx->off;						\
									\
  /* --- Empty blocks are trivial --- */				\
									\
  if (!sz)								\
    return;								\
									\
  /* --- If I can deal with the block from my buffer, do that --- */	\
									\
  if (sz < PRE##_BLKSZ - off)						\
    goto small;								\
									\
  /* --- Finish off what's left in my buffer --- */			\
									\
  if (!d)								\
    sz -= PRE##_BLKSZ - off;						\
  else {								\
    while (off < PRE##_BLKSZ) {						\
      register octet x = s ? *s++ : 0;					\
      *d++ = ctx->buf[off++] ^ x;					\
      sz--;								\
    }									\
  }									\
									\
  /* --- Main encryption loop --- */					\
									\
  {									\
    uint32 n[PRE##_BLKSZ / 4];						\
									\
    for (;;) {  							\
      pre##_eblk(&ctx->ctx, ctx->n, n);					\
      BLKC_STEP(PRE, ctx->n);						\
      if (sz < PRE##_BLKSZ)						\
	break;								\
      if (d) {								\
	if (!s)								\
	  BLKC_STORE(PRE, d, n);					\
	else {								\
	  uint32 x[PRE##_BLKSZ / 4];					\
	  BLKC_LOAD(PRE, x, s);						\
	  BLKC_XSTORE(PRE, d, n, x);					\
	  s += PRE##_BLKSZ;						\
	}								\
	d += PRE##_BLKSZ;						\
      }									\
      sz -= PRE##_BLKSZ;						\
    }									\
									\
    BLKC_STORE(PRE, ctx->buf, n);					\
    off = 0;								\
  }									\
									\
  /* --- Tidying up the tail end --- */					\
									\
  if (sz) {								\
  small:								\
    if (!d)								\
      off += sz;							\
    else do {								\
      register octet x = s ? *s++ : 0;					\
      *d++ = ctx->buf[off++] ^ x;					\
      sz--;								\
    } while (sz);							\
  }									\
									\
  /* --- Done --- */							\
									\
  ctx->off = off;							\
  return;								\
}									\
									\
/* --- Generic cipher interface --- */					\
									\
static const gcipher_ops gops;						\
									\
typedef struct gctx {							\
  gcipher c;								\
  pre##_counterctx k;							\
} gctx;									\
									\
static gcipher *ginit(const void *k, size_t sz)				\
{									\
  gctx *g = S_CREATE(gctx);						\
  g->c.ops = &gops;							\
  pre##_counterinit(&g->k, k, sz, 0);					\
  return (&g->c);							\
}									\
									\
static void gencrypt(gcipher *c, const void *s, void *t, size_t sz)	\
{									\
  gctx *g = (gctx *)c;							\
  pre##_counterencrypt(&g->k, s, t, sz);				\
}									\
									\
static void gdestroy(gcipher *c)					\
{									\
  gctx *g = (gctx *)c;							\
  BURN(*g);								\
  S_DESTROY(g);								\
}									\
									\
static void gsetiv(gcipher *c, const void *iv)				\
{									\
  gctx *g = (gctx *)c;							\
  pre##_countersetiv(&g->k, iv);					\
}									\
									\
static void gbdry(gcipher *c)						\
{									\
  gctx *g = (gctx *)c;							\
  pre##_counterbdry(&g->k);						\
}									\
									\
static const gcipher_ops gops = {					\
  &pre##_counter,							\
  gencrypt, gencrypt, gdestroy, gsetiv, gbdry				\
};									\
									\
const gccipher pre##_counter = {					\
  #pre "-counter", pre##_keysz, PRE##_BLKSZ,				\
  ginit									\
};									\
									\
/* --- Generic random number generator interface --- */			\
									\
typedef struct grctx {							\
  grand r;								\
  pre##_counterctx k;							\
} grctx;								\
									\
static void grdestroy(grand *r)						\
{									\
  grctx *g = (grctx *)r;						\
  BURN(*g);								\
  S_DESTROY(g);								\
}									\
									\
static int grmisc(grand *r, unsigned op, ...)				\
{									\
  grctx *g = (grctx *)r;						\
  va_list ap;								\
  int rc = 0;								\
  octet buf[PRE##_BLKSZ];						\
  va_start(ap, op);							\
									\
  switch (op) {								\
    case GRAND_CHECK:							\
      switch (va_arg(ap, unsigned)) {					\
	case GRAND_CHECK:						\
	case GRAND_SEEDINT:						\
	case GRAND_SEEDUINT32:						\
	case GRAND_SEEDBLOCK:						\
	case GRAND_SEEDRAND:						\
	  rc = 1;							\
	  break;							\
	default:							\
	  rc = 0;							\
	  break;							\
      }									\
      break;								\
    case GRAND_SEEDINT:							\
      BLKC_SET(PRE, g->k.n, va_arg(ap, unsigned));			\
      g->k.off = PRE##_BLKSZ;						\
      break;								\
    case GRAND_SEEDUINT32:						\
      BLKC_SET(PRE, g->k.n, va_arg(ap, uint32));			\
      g->k.off = PRE##_BLKSZ;						\
      break;								\
    case GRAND_SEEDBLOCK: {						\
      const void *p = va_arg(ap, const void *);				\
      size_t sz = va_arg(ap, size_t);					\
      if (sz < sizeof(buf)) {						\
	memset(buf, 0, sizeof(buf));					\
	memcpy(buf, p, sz);						\
	p = buf;							\
      }									\
      pre##_countersetiv(&g->k, p);					\
    } break;								\
    case GRAND_SEEDRAND: {						\
      grand *rr = va_arg(ap, grand *);					\
      rr->ops->fill(rr, buf, sizeof(buf));				\
      pre##_countersetiv(&g->k, buf);					\
    } break;								\
    default:								\
      GRAND_BADOP;							\
      break;								\
  }									\
									\
  va_end(ap);								\
  return (rc);								\
}									\
									\
static octet grbyte(grand *r)						\
{									\
  grctx *g = (grctx *)r;						\
  octet o;								\
  pre##_counterencrypt(&g->k, 0, &o, 1);				\
  return (o);								\
}									\
									\
static uint32 grword(grand *r)						\
{									\
  grctx *g = (grctx *)r;						\
  octet b[4];								\
  pre##_counterencrypt(&g->k, 0, b, sizeof(b));				\
  return (LOAD32(b));							\
}									\
									\
static void grfill(grand *r, void *p, size_t sz)			\
{									\
  grctx *g = (grctx *)r;						\
  pre##_counterencrypt(&g->k, 0, p, sz);				\
}									\
									\
static const grand_ops grops = {					\
  #pre "-counter",							\
  GRAND_CRYPTO, 0,							\
  grmisc, grdestroy,							\
  grword, grbyte, grword, grand_range, grfill				\
};									\
									\
/* --- @pre_counterrand@ --- *						\
 *									\
 * Arguments:	@const void *k@ = pointer to key material		\
 *		@size_t sz@ = size of key material			\
 *									\
 * Returns:	Pointer to generic random number generator interface.	\
 *									\
 * Use:		Creates a random number interface wrapper around an	\
 *		counter-mode block cipher.				\
 */									\
									\
grand *pre##_counterrand(const void *k, size_t sz)			\
{									\
  grctx *g = S_CREATE(grctx);						\
  g->r.ops = &grops;							\
  pre##_counterinit(&g->k, k, sz, 0);					\
  return (&g->r);							\
}									\
									\
COUNTER_TEST(PRE, pre)

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <stdio.h>

#include "daftstory.h"

/* --- @COUNTER_TEST@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for block cipher definitions
 *
 * Use:		Standard test rig for counter functions.
 */

#define COUNTER_TEST(PRE, pre)						\
									\
/* --- Initial plaintext for the test --- */				\
									\
static const octet text[] = TEXT;					\
									\
/* --- Key and IV to use --- */						\
									\
static const octet key[] = KEY;						\
static const octet iv[] = IV;						\
									\
/* --- Buffers for encryption and decryption output --- */		\
									\
static octet ct[sizeof(text)];						\
static octet pt[sizeof(text)];						\
									\
static void hexdump(const octet *p, size_t sz)				\
{									\
  const octet *q = p + sz;						\
  for (sz = 0; p < q; p++, sz++) {					\
    printf("%02x", *p);							\
    if ((sz + 1) % PRE##_BLKSZ == 0)					\
      putchar(':');							\
  }									\
}									\
									\
int main(void)								\
{									\
  size_t sz = 0, rest;							\
  pre##_counterctx ctx;							\
  int status = 0;							\
  int done = 0;								\
  pre##_ctx k;								\
									\
  size_t keysz = PRE##_KEYSZ ?						\
    PRE##_KEYSZ : strlen((const char *)key);				\
									\
  fputs(#pre "-counter: ", stdout);					\
									\
  pre##_init(&k, key, keysz);						\
  pre##_countersetkey(&ctx, &k);					\
									\
  while (sz <= sizeof(text)) {						\
    rest = sizeof(text) - sz;						\
    memcpy(ct, text, sizeof(text));					\
    pre##_countersetiv(&ctx, iv);					\
    pre##_counterencrypt(&ctx, ct, ct, sz);				\
    pre##_counterencrypt(&ctx, ct + sz, ct + sz, rest);			\
    memcpy(pt, ct, sizeof(text));					\
    pre##_countersetiv(&ctx, iv);					\
    pre##_counterencrypt(&ctx, pt, pt, rest);				\
    pre##_counterencrypt(&ctx, pt + rest, pt + rest, sz);		\
    if (memcmp(pt, text, sizeof(text)) == 0) {				\
      done++;								\
      if (sizeof(text) < 40 || done % 8 == 0)				\
        fputc('.', stdout);						\
      if (done % 480 == 0)						\
        fputs("\n\t", stdout);						\
      fflush(stdout);							\
    } else {								\
      printf("\nError (sz = %lu)\n", (unsigned long)sz);		\
      status = 1;							\
      printf("\tplaintext      = "); hexdump(text, sz);			\
        printf(", "); hexdump(text + sz, rest);				\
        fputc('\n', stdout);						\
      printf("\tciphertext     = "); hexdump(ct, sz);			\
        printf(", "); hexdump(ct + sz, rest);				\
        fputc('\n', stdout);						\
      printf("\trecovered text = "); hexdump(pt, sz);			\
        printf(", "); hexdump(pt + sz, rest);				\
        fputc('\n', stdout);						\
      fputc('\n', stdout);						\
    }									\
    if (sz < 63)							\
      sz++;								\
    else								\
      sz += 9;								\
  }									\
									\
  fputs(status ? " failed\n" : " ok\n", stdout);			\
  return (status);							\
}

#else
#  define COUNTER_TEST(PRE, pre)
#endif

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
35d66180	1	/* --c--
35d66180	2	*
b817bfc6	3	* $Id: counter-def.h,v 1.4 2004/04/08 01:36:15 mdw Exp $
35d66180	4	*
	5	* Block cipher counter mode (or long cycle mode)
	6	*
	7	* (c) 2000 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
35d66180	30	#ifndef CATACOMB_COUNTER_DEF_H
	31	#define CATACOMB_COUNTER_DEF_H
	32
	33	#ifdef __cplusplus
	34	extern "C" {
	35	#endif
	36
	37	/----- Header files ------------------------------------------------------/
	38
	39	#include <stdarg.h>
	40	#include <string.h>
	41
	42	#include <mLib/bits.h>
	43	#include <mLib/sub.h>
	44
	45	#ifndef CATACOMB_ARENA_H
	46	# include "arena.h"
	47	#endif
	48
	49	#ifndef CATACOMB_BLKC_H
	50	# include "blkc.h"
	51	#endif
	52
	53	#ifndef CATACOMB_GCIPHER_H
	54	# include "gcipher.h"
	55	#endif
	56
	57	#ifndef CATACOMB_PARANOIA_H
	58	# include "paranoia.h"
	59	#endif
	60
	61	/----- Macros ------------------------------------------------------------/
	62
	63	/* --- @COUNTER_DEF@ --- *
	64	*
	65	* Arguments: @PRE@, @pre@ = prefixes for the underlying block cipher
	66	*
	67	* Use: Creates definitions for counter mode.
	68	*/
	69
	70	#define COUNTER_DEF(PRE, pre) \
	71	\
	72	/* --- @pre_countergetiv@ --- * \
	73	* \
	74	* Arguments: @const pre_counterctx *ctx@ = pointer to counter \
	75	* context \
4efe32ba	76	* @void *iv@ = pointer to output data block \
35d66180	77	* \
	78	* Returns: --- \
	79	* \
	80	* Use: Reads the currently set IV. Reading and setting an IV \
	81	* is not transparent to the cipher. It will add a `step' \
	82	* which must be matched by a similar operation during \
	83	* decryption. \
	84	*/ \
	85	\
	86	void pre##_countergetiv(const pre##_counterctx ctx, void iv) \
	87	{ \
	88	BLKC_STORE(PRE, iv, ctx->n); \
	89	} \
	90	\
	91	/* --- @pre_countersetiv@ --- * \
	92	* \
	93	* Arguments: @pre_counterctx *ctx@ = pointer to counter context \
	94	* @cnost void *iv@ = pointer to IV to set \
	95	* \
	96	* Returns: --- \
	97	* \
	98	* Use: Sets the IV to use for subsequent encryption. \
	99	*/ \
	100	\
	101	void pre##_countersetiv(pre##_counterctx ctx, const void iv) \
	102	{ \
	103	BLKC_LOAD(PRE, ctx->n, iv); \
	104	ctx->off = PRE##_BLKSZ; \
	105	} \
	106	\
	107	/* --- @pre_counterbdry@ --- * \
	108	* \
	109	* Arguments: @pre_counterctx *ctx@ = pointer to counter context \
	110	* \
	111	* Returns: --- \
	112	* \
	113	* Use: Inserts a boundary during encryption. Successful \
	114	* decryption must place a similar boundary. \
	115	*/ \
	116	\
	117	void pre##_counterbdry(pre##_counterctx *ctx) \
	118	{ \
	119	BLKC_STEP(PRE, ctx->n); \
	120	ctx->off = PRE##_BLKSZ; \
	121	} \
	122	\
	123	/* --- @pre_countersetkey@ --- * \
	124	* \
	125	* Arguments: @pre_counterctx *ctx@ = pointer to counter context \
	126	* @const pre_ctx *k@ = pointer to cipher context \
	127	* \
	128	* Returns: --- \
	129	* \
	130	* Use: Sets the counter context to use a different cipher key. \
	131	*/ \
	132	\
	133	void pre##_countersetkey(pre##_counterctx ctx, const pre##_ctx k) \
	134	{ \
	135	ctx->ctx = *k; \
	136	} \
	137	\
	138	/* --- @pre_counterinit@ --- * \
	139	* \
	140	* Arguments: @pre_counterctx *ctx@ = pointer to cipher context \
141	* @const void *key@ = pointer to the key buffer \
142	* @size_t sz@ = size of the key \
143	* @const void *iv@ = pointer to initialization vector \
144	* \
145	* Returns: --- \
146	* \
147	* Use: Initializes a counter context ready for use. You \
148	* should ensure that the IV chosen is unique: reusing an \
149	* IV will compromise the security of the entire \
150	* plaintext. This is equivalent to calls to @pre_init@, \
151	* @pre_countersetkey@ and @pre_countersetiv@. \
152	*/ \
153	\
154	void pre##_counterinit(pre##_counterctx *ctx, \
155	const void *key, size_t sz, \
156	const void *iv) \
157	{ \
4e66da02	158	static const octet zero[PRE##_BLKSZ] = { 0 }; \
35d66180	159	pre##_init(&ctx->ctx, key, sz); \
	160	pre##_countersetiv(ctx, iv ? iv : zero); \
	161	} \
	162	\
	163	/* --- @pre_counterencrypt@ --- * \
	164	* \
	165	* Arguments: @pre_counterctx *ctx@ = pointer to counter context \
	166	* @const void *src@ = pointer to source data \
	167	* @void *dest@ = pointer to destination data \
	168	* @size_t sz@ = size of block to be encrypted \
	169	* \
	170	* Returns: --- \
	171	* \
	172	* Use: Encrypts or decrypts a block with a block cipher in \
	173	* counter mode: encryption and decryption are the same in \
	174	* counter. The destination may be null to just churn the \
	175	* feedback round for a bit. The source may be null to \
	176	* use the cipher as a random data generator. \
	177	*/ \
	178	\
	179	void pre##_counterencrypt(pre##_counterctx *ctx, \
	180	const void src, void dest, \
	181	size_t sz) \
	182	{ \
	183	const octet *s = src; \
	184	octet *d = dest; \
	185	unsigned off = ctx->off; \
	186	\
	187	/* --- Empty blocks are trivial --- */ \
	188	\
	189	if (!sz) \
	190	return; \
	191	\
	192	/* --- If I can deal with the block from my buffer, do that --- */ \
	193	\
	194	if (sz < PRE##_BLKSZ - off) \
	195	goto small; \
	196	\
	197	/* --- Finish off what's left in my buffer --- */ \
	198	\
	199	if (!d) \
	200	sz -= PRE##_BLKSZ - off; \
	201	else { \
	202	while (off < PRE##_BLKSZ) { \
	203	register octet x = s ? *s++ : 0; \
	204	*d++ = ctx->buf[off++] ^ x; \
	205	sz--; \
	206	} \
	207	} \
	208	\
	209	/* --- Main encryption loop --- */ \
	210	\
	211	{ \
	212	uint32 n[PRE##_BLKSZ / 4]; \
	213	\
	214	for (;;) { \
	215	pre##_eblk(&ctx->ctx, ctx->n, n); \
	216	BLKC_STEP(PRE, ctx->n); \
	217	if (sz < PRE##_BLKSZ) \
	218	break; \
	219	if (d) { \
	220	if (!s) \
	221	BLKC_STORE(PRE, d, n); \
	222	else { \
223	uint32 x[PRE##_BLKSZ / 4]; \
224	BLKC_LOAD(PRE, x, s); \
225	BLKC_XSTORE(PRE, d, n, x); \
226	s += PRE##_BLKSZ; \
227	} \
228	d += PRE##_BLKSZ; \
229	} \
230	sz -= PRE##_BLKSZ; \
231	} \
232	\
233	BLKC_STORE(PRE, ctx->buf, n); \
234	off = 0; \
235	} \
236	\
237	/* --- Tidying up the tail end --- */ \
238	\
239	if (sz) { \
240	small: \
241	if (!d) \
242	off += sz; \
243	else do { \
244	register octet x = s ? *s++ : 0; \
245	*d++ = ctx->buf[off++] ^ x; \
246	sz--; \
247	} while (sz); \
248	} \
249	\
250	/* --- Done --- */ \
251	\
252	ctx->off = off; \
253	return; \
254	} \
255	\
256	/* --- Generic cipher interface --- */ \
257	\
258	static const gcipher_ops gops; \
259	\
260	typedef struct gctx { \
261	gcipher c; \
262	pre##_counterctx k; \
263	} gctx; \
264	\
265	static gcipher ginit(const void k, size_t sz) \
266	{ \
267	gctx *g = S_CREATE(gctx); \
268	g->c.ops = &gops; \
269	pre##_counterinit(&g->k, k, sz, 0); \
270	return (&g->c); \
271	} \
272	\
273	static void gencrypt(gcipher c, const void s, void *t, size_t sz) \
274	{ \
275	gctx g = (gctx )c; \
276	pre##_counterencrypt(&g->k, s, t, sz); \
277	} \
278	\
279	static void gdestroy(gcipher *c) \
280	{ \
281	gctx g = (gctx )c; \
282	BURN(*g); \
283	S_DESTROY(g); \
284	} \
285	\
286	static void gsetiv(gcipher c, const void iv) \
287	{ \
288	gctx g = (gctx )c; \
289	pre##_countersetiv(&g->k, iv); \
290	} \
291	\
292	static void gbdry(gcipher *c) \
293	{ \
294	gctx g = (gctx )c; \
295	pre##_counterbdry(&g->k); \
296	} \
297	\
298	static const gcipher_ops gops = { \
299	&pre##_counter, \
300	gencrypt, gencrypt, gdestroy, gsetiv, gbdry \
301	}; \
302	\
303	const gccipher pre##_counter = { \
304	#pre "-counter", pre##_keysz, PRE##_BLKSZ, \
305	ginit \
306	}; \
307	\
308	/* --- Generic random number generator interface --- */ \
309	\
310	typedef struct grctx { \
311	grand r; \
312	pre##_counterctx k; \
313	} grctx; \
314	\
315	static void grdestroy(grand *r) \
316	{ \
317	grctx g = (grctx )r; \
318	BURN(*g); \
319	S_DESTROY(g); \
320	} \
321	\
322	static int grmisc(grand *r, unsigned op, ...) \
323	{ \
324	grctx g = (grctx )r; \
325	va_list ap; \
326	int rc = 0; \
327	octet buf[PRE##_BLKSZ]; \
328	va_start(ap, op); \
329	\
330	switch (op) { \
331	case GRAND_CHECK: \
332	switch (va_arg(ap, unsigned)) { \
333	case GRAND_CHECK: \
334	case GRAND_SEEDINT: \
335	case GRAND_SEEDUINT32: \
336	case GRAND_SEEDBLOCK: \
337	case GRAND_SEEDRAND: \
338	rc = 1; \
339	break; \
340	default: \
341	rc = 0; \
342	break; \
343	} \
344	break; \
345	case GRAND_SEEDINT: \
346	BLKC_SET(PRE, g->k.n, va_arg(ap, unsigned)); \
347	g->k.off = PRE##_BLKSZ; \
348	break; \
349	case GRAND_SEEDUINT32: \
350	BLKC_SET(PRE, g->k.n, va_arg(ap, uint32)); \
351	g->k.off = PRE##_BLKSZ; \
352	break; \
353	case GRAND_SEEDBLOCK: { \
354	const void p = va_arg(ap, const void ); \
355	size_t sz = va_arg(ap, size_t); \
356	if (sz < sizeof(buf)) { \
357	memset(buf, 0, sizeof(buf)); \
358	memcpy(buf, p, sz); \
359	p = buf; \
360	} \
361	pre##_countersetiv(&g->k, p); \
362	} break; \
363	case GRAND_SEEDRAND: { \
364	grand rr = va_arg(ap, grand ); \
365	rr->ops->fill(rr, buf, sizeof(buf)); \
366	pre##_countersetiv(&g->k, buf); \
367	} break; \
368	default: \
369	GRAND_BADOP; \
370	break; \
371	} \
372	\
373	va_end(ap); \
374	return (rc); \
375	} \
376	\
377	static octet grbyte(grand *r) \
378	{ \
379	grctx g = (grctx )r; \
380	octet o; \
381	pre##_counterencrypt(&g->k, 0, &o, 1); \
382	return (o); \
383	} \
384	\
385	static uint32 grword(grand *r) \
386	{ \
387	grctx g = (grctx )r; \
388	octet b[4]; \
389	pre##_counterencrypt(&g->k, 0, b, sizeof(b)); \
390	return (LOAD32(b)); \
391	} \
392	\
393	static void grfill(grand r, void p, size_t sz) \
394	{ \
395	grctx g = (grctx )r; \
396	pre##_counterencrypt(&g->k, 0, p, sz); \
397	} \
398	\
399	static const grand_ops grops = { \
400	#pre "-counter", \
401	GRAND_CRYPTO, 0, \
402	grmisc, grdestroy, \
403	grword, grbyte, grword, grand_range, grfill \
404	}; \
405	\
406	/* --- @pre_counterrand@ --- * \
407	* \
408	* Arguments: @const void *k@ = pointer to key material \
409	* @size_t sz@ = size of key material \
410	* \
411	* Returns: Pointer to generic random number generator interface. \
412	* \
413	* Use: Creates a random number interface wrapper around an \
414	* counter-mode block cipher. \
415	*/ \
416	\
417	grand pre##_counterrand(const void k, size_t sz) \
418	{ \
419	grctx *g = S_CREATE(grctx); \
420	g->r.ops = &grops; \
421	pre##_counterinit(&g->k, k, sz, 0); \
422	return (&g->r); \
423	} \
424	\
425	COUNTER_TEST(PRE, pre)
426
427	/----- Test rig ----------------------------------------------------------/
428
429	#ifdef TEST_RIG
430
431	#include <stdio.h>
432
433	#include "daftstory.h"
434
435	/* --- @COUNTER_TEST@ --- *
436	*
437	* Arguments: @PRE@, @pre@ = prefixes for block cipher definitions
438	*
439	* Use: Standard test rig for counter functions.
440	*/
441
442	#define COUNTER_TEST(PRE, pre) \
443	\
444	/* --- Initial plaintext for the test --- */ \
445	\
446	static const octet text[] = TEXT; \
447	\
448	/* --- Key and IV to use --- */ \
449	\
450	static const octet key[] = KEY; \
451	static const octet iv[] = IV; \
452	\
453	/* --- Buffers for encryption and decryption output --- */ \
454	\
455	static octet ct[sizeof(text)]; \
456	static octet pt[sizeof(text)]; \
457	\
458	static void hexdump(const octet *p, size_t sz) \
459	{ \
460	const octet *q = p + sz; \
461	for (sz = 0; p < q; p++, sz++) { \
462	printf("%02x", *p); \
463	if ((sz + 1) % PRE##_BLKSZ == 0) \
464	putchar(':'); \
465	} \
466	} \
467	\
468	int main(void) \
469	{ \
470	size_t sz = 0, rest; \
471	pre##_counterctx ctx; \
472	int status = 0; \
473	int done = 0; \
474	pre##_ctx k; \
475	\
476	size_t keysz = PRE##_KEYSZ ? \
477	PRE##_KEYSZ : strlen((const char *)key); \
478	\
479	fputs(#pre "-counter: ", stdout); \
480	\
481	pre##_init(&k, key, keysz); \
482	pre##_countersetkey(&ctx, &k); \
483	\
484	while (sz <= sizeof(text)) { \
485	rest = sizeof(text) - sz; \
486	memcpy(ct, text, sizeof(text)); \
487	pre##_countersetiv(&ctx, iv); \
488	pre##_counterencrypt(&ctx, ct, ct, sz); \
489	pre##_counterencrypt(&ctx, ct + sz, ct + sz, rest); \
490	memcpy(pt, ct, sizeof(text)); \
491	pre##_countersetiv(&ctx, iv); \
492	pre##_counterencrypt(&ctx, pt, pt, rest); \
493	pre##_counterencrypt(&ctx, pt + rest, pt + rest, sz); \
494	if (memcmp(pt, text, sizeof(text)) == 0) { \
495	done++; \
496	if (sizeof(text) < 40 \|\| done % 8 == 0) \
497	fputc('.', stdout); \
498	if (done % 480 == 0) \
499	fputs("\n\t", stdout); \
500	fflush(stdout); \
501	} else { \
502	printf("\nError (sz = %lu)\n", (unsigned long)sz); \
503	status = 1; \
504	printf("\tplaintext = "); hexdump(text, sz); \
505	printf(", "); hexdump(text + sz, rest); \
506	fputc('\n', stdout); \
507	printf("\tciphertext = "); hexdump(ct, sz); \
508	printf(", "); hexdump(ct + sz, rest); \
509	fputc('\n', stdout); \
510	printf("\trecovered text = "); hexdump(pt, sz); \
511	printf(", "); hexdump(pt + sz, rest); \
512	fputc('\n', stdout); \
513	fputc('\n', stdout); \
514	} \
515	if (sz < 63) \
516	sz++; \
517	else \
518	sz += 9; \
519	} \
520	\
521	fputs(status ? " failed\n" : " ok\n", stdout); \
522	return (status); \
523	}
524
525	#else
526	# define COUNTER_TEST(PRE, pre)
527	#endif
528
529	/----- That's all, folks -------------------------------------------------/
530
531	#ifdef __cplusplus
532	}
533	#endif
534
535	#endif