[u/mdw/catacomb] / cbc-def.h

/* -*-c-*-
 *
 * $Id: cbc-def.h,v 1.1 1999/12/10 23:16:39 mdw Exp $
 *
 * Definitions for cipher block chaining mode
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: cbc-def.h,v $
 * Revision 1.1  1999/12/10 23:16:39  mdw
 * Split mode macros into interface and implementation.
 *
 */

#ifndef CATACOMB_CBC_DEF_H
#define CATACOMB_CBC_DEF_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/bits.h>
#include <mLib/sub.h>

#ifndef CATACOMB_BLKC_H
#  include "blkc.h"
#endif

#ifndef CATACOMB_GCIPHER_H
#  include "gcipher.h"
#endif

/*----- Macros ------------------------------------------------------------*/

/* --- @CBC_DEF@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for the underlying block cipher
 *
 * Use:		Creates an implementation for CBC stealing mode.
 */

#define CBC_DEF(PRE, pre)						\
									\
/* --- @pre_cbcgetiv@ --- *						\
 *									\
 * Arguments:	@const pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@void *iv#@ = pointer to output data block		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Reads the currently set IV.  Reading and setting an IV	\
 *		is transparent to the CBC encryption or decryption	\
 *		process.						\
 */									\
									\
void pre##_cbcgetiv(const pre##_cbcctx *ctx, void *iv)			\
{									\
  BLKC_STORE(PRE, iv, ctx->iv);						\
}									\
									\
/* --- @pre_cbcsetiv@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@cnost void *iv@ = pointer to IV to set			\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the IV to use for subsequent encryption.		\
 */									\
									\
void pre##_cbcsetiv(pre##_cbcctx *ctx, const void *iv)			\
{									\
  BLKC_LOAD(PRE, ctx->iv, iv);						\
}									\
									\
/* --- @pre_cbcsetkey@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const pre_ctx *k@ = pointer to cipher context		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the CBC context to use a different cipher key.	\
 */									\
									\
void pre##_cbcsetkey(pre##_cbcctx *ctx, const pre##_ctx *k)		\
{									\
  ctx->ctx = *k;							\
}									\
									\
/* --- @pre_cbcinit@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to cipher context		\
 *		@const void *key@ = pointer to the key buffer		\
 *		@size_t sz@ = size of the key				\
 *		@const void *iv@ = pointer to initialization vector	\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Initializes a CBC context ready for use.  The @iv@	\
 *		argument may be passed as a null pointer to set a zero	\
 *		IV.  Apart from that, this call is equivalent to calls	\
 *		to @pre_init@, @pre_cbcsetkey@ and @pre_cbcsetiv@.	\
 */									\
									\
void pre##_cbcinit(pre##_cbcctx *ctx,					\
		     const void *key, size_t sz,			\
		     const void *iv)					\
{									\
  static octet zero[PRE##_BLKSZ] = { 0 };				\
  pre##_init(&ctx->ctx, key, sz);					\
  BLKC_LOAD(PRE, ctx->iv, iv ? iv : zero);				\
}									\
									\
/* --- @pre_cbcencrypt@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const void *src@ = pointer to source data		\
 *		@void *dest@ = pointer to destination data		\
 *		@size_t sz@ = size of block to be encrypted		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Encrypts a block with a block cipher in CBC mode, with	\
 *		ciphertext stealing and other clever tricks.		\
 *		Essentially, data can be encrypted in arbitrary sized	\
 *		chunks, although decryption must use the same chunks.	\
 */									\
									\
void pre##_cbcencrypt(pre##_cbcctx *ctx,				\
			const void *src, void *dest,			\
			size_t sz)					\
{									\
  const octet *s = src;							\
  octet *d = dest;							\
									\
  /* --- Empty blocks are trivial --- */				\
									\
  if (!sz)								\
    return;								\
									\
  /* --- Extra magical case for a short block --- *			\
   *									\
   * Encrypt the IV, then exclusive-or the plaintext with the octets	\
   * of the encrypted IV, shifting ciphertext octets in instead.  This	\
   * basically switches over to CFB.					\
   */									\
									\
  if (sz < PRE##_BLKSZ) {						\
    octet b[PRE##_BLKSZ];						\
    unsigned i;								\
									\
    pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv);				\
    BLKC_STORE(PRE, b, ctx->iv);					\
    for (i = 0; i < sz; i++)						\
      d[i] = b[i] ^ s[i];						\
    memmove(b, b + sz, PRE##_BLKSZ - sz);				\
    memcpy(b + PRE##_BLKSZ - sz, d, sz);				\
    BLKC_LOAD(PRE, ctx->iv, b);						\
    return;								\
  }									\
									\
  /* --- Do the main chunk of encryption --- *				\
   *									\
   * This will do the whole lot if it's a whole number of blocks.  For	\
   * each block, XOR it with the previous ciphertext in @iv@, encrypt,	\
   * and keep a copy of the ciphertext for the next block.		\
   */									\
									\
  while (sz >= 2 * PRE##_BLKSZ || sz == PRE##_BLKSZ) {			\
    BLKC_XLOAD(PRE, ctx->iv, s);					\
    pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv);				\
    BLKC_STORE(PRE, d, ctx->iv);					\
    s += PRE##_BLKSZ;							\
    d += PRE##_BLKSZ;							\
    sz -= PRE##_BLKSZ;							\
  }									\
									\
  /* --- Do the tail-end block and bit-left-over --- *			\
   *									\
   * This isn't very efficient.  That shouldn't matter much.		\
   */									\
									\
  if (sz) {								\
    octet b[PRE##_BLKSZ];						\
    unsigned i;								\
									\
    /* --- Let @sz@ be the size of the partial block --- */		\
									\
    sz -= PRE##_BLKSZ;							\
									\
    /* --- First stage --- *						\
     *									\
     * XOR the complete block with the current IV, and encrypt it.  The	\
     * first part of the result is the partial ciphertext block.  Don't	\
     * write that out yet, because I've not read the partial plaintext	\
     * block.								\
     */									\
									\
    BLKC_XLOAD(PRE, ctx->iv, s);					\
    pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv);				\
    BLKC_STORE(PRE, b, ctx->iv);					\
									\
    /* --- Second stage --- *						\
     *									\
     * Now XOR in the partial plaintext block, writing out the		\
     * ciphertext as I go.  Then encrypt, and write the complete	\
     * ciphertext block.						\
     */									\
									\
    s += PRE##_BLKSZ;							\
    d += PRE##_BLKSZ;							\
    for (i = 0; i < sz; i++) {						\
      register octet x = b[i];						\
      b[i] ^= s[i];							\
      d[i] = x;								\
    }									\
    BLKC_LOAD(PRE, ctx->iv, b);						\
    pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv);				\
    BLKC_STORE(PRE, d - PRE##_BLKSZ, ctx->iv);				\
  }									\
									\
  /* --- Done --- */							\
									\
  return;								\
}									\
									\
/* --- @pre_cbcdecrypt@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const void *src@ = pointer to source data		\
 *		@void *dest@ = pointer to destination data		\
 *		@size_t sz@ = size of block to be encrypted		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Decrypts a block with a block cipher in CBC mode, with	\
 *		ciphertext stealing and other clever tricks.		\
 *		Essentially, data can be encrypted in arbitrary sized	\
 *		chunks, although decryption must use the same chunks.	\
 */									\
									\
void pre##_cbcdecrypt(pre##_cbcctx *ctx,				\
			const void *src, void *dest,			\
			size_t sz)					\
{									\
  const octet *s = src;							\
  octet *d = dest;							\
									\
  /* --- Empty blocks are trivial --- */				\
									\
  if (!sz)								\
    return;								\
									\
  /* --- Extra magical case for a short block --- *			\
   *									\
   * Encrypt the IV, then exclusive-or the ciphertext with the octets	\
   * of the encrypted IV, shifting ciphertext octets in instead.  This	\
   * basically switches over to CFB.					\
   */									\
									\
  if (sz < PRE##_BLKSZ) {						\
    octet b[PRE##_BLKSZ], c[PRE##_BLKSZ];				\
    unsigned i;								\
									\
    pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv);				\
    BLKC_STORE(PRE, b, ctx->iv);					\
    for (i = 0; i < sz; i++) {						\
      register octet x = s[i];						\
      d[i] = b[i] ^ x;							\
      c[i] = x;								\
    }									\
    memmove(b, b + sz, PRE##_BLKSZ - sz);				\
    memcpy(b + PRE##_BLKSZ - sz, c, sz);				\
    BLKC_LOAD(PRE, ctx->iv, b);						\
    return;								\
  }									\
									\
  /* --- Do the main chunk of decryption --- *				\
   *									\
   * This will do the whole lot if it's a whole number of blocks.  For	\
   * each block, decrypt, XOR it with the previous ciphertext in @iv@,	\
   * and keep a copy of the ciphertext for the next block.		\
   */									\
									\
  while (sz >= 2 * PRE##_BLKSZ || sz == PRE##_BLKSZ) {			\
    uint32 b[PRE##_BLKSZ / 4], niv[PRE##_BLKSZ / 4];			\
    BLKC_LOAD(PRE, niv, s);						\
    pre##_dblk(&ctx->ctx, niv, b);					\
    BLKC_XSTORE(PRE, d, b, ctx->iv);					\
    BLKC_MOVE(PRE, ctx->iv, niv);					\
    s += PRE##_BLKSZ;							\
    d += PRE##_BLKSZ;							\
    sz -= PRE##_BLKSZ;							\
  }									\
									\
  /* --- Do the tail-end block and bit-left-over --- *			\
   *									\
   * This isn't very efficient.  That shouldn't matter much.		\
   */									\
									\
  if (sz) {								\
    octet b[PRE##_BLKSZ];						\
    uint32 bk[PRE##_BLKSZ / 4], niv[PRE##_BLKSZ / 4];			\
    unsigned i;								\
									\
    /* --- Let @sz@ be the size of the partial block --- */		\
									\
    sz -= PRE##_BLKSZ;							\
									\
    /* --- First stage --- *						\
     *									\
     * Take the complete ciphertext block, and decrypt it.  This block	\
     * is carried over for the next encryption operation.		\
     */									\
									\
    BLKC_LOAD(PRE, niv, s);						\
    pre##_dblk(&ctx->ctx, niv, bk);					\
									\
    /* --- Second stage --- *						\
     *									\
     * XORing the first few bytes of this with the partial ciphertext	\
     * block recovers the partial plaintext block.  At the same time,	\
     * write the partial ciphertext block's contents in ready for stage	\
     * three.								\
     */									\
									\
    BLKC_STORE(PRE, b, bk);						\
    s += PRE##_BLKSZ;							\
    d += PRE##_BLKSZ;							\
    for (i = 0; i < sz; i++) {						\
      register octet x = s[i];						\
      d[i] = b[i] ^ x;							\
      b[i] = x;								\
    }									\
									\
    /* --- Third stage --- *						\
     *									\
     * Decrypt the block we've got left, and XOR with the initial IV to	\
     * recover the complete plaintext block.				\
     */									\
									\
    BLKC_LOAD(PRE, bk, b);						\
    pre##_dblk(&ctx->ctx, bk, bk);					\
    BLKC_XSTORE(PRE, d - PRE##_BLKSZ, bk, ctx->iv);			\
    BLKC_MOVE(PRE, ctx->iv, niv);					\
  }									\
									\
  /* --- Done --- */							\
									\
  return;								\
}									\
									\
/* --- Generic cipher interface --- */					\
									\
static const gcipher_ops gops;						\
									\
typedef struct gctx {							\
  gcipher c;								\
  pre##_cbcctx k;							\
} gctx;									\
									\
static gcipher *ginit(const void *k, size_t sz)				\
{									\
  gctx *g = CREATE(gctx);						\
  g->c.ops = &gops;							\
  pre##_cbcinit(&g->k, k, sz, 0);					\
  return (&g->c);							\
}									\
									\
static void gencrypt(gcipher *c, const void *s, void *t, size_t sz)	\
{									\
  gctx *g = (gctx *)c;							\
  pre##_cbcencrypt(&g->k, s, t, sz);					\
}									\
									\
static void gdecrypt(gcipher *c, const void *s, void *t, size_t sz)	\
{									\
  gctx *g = (gctx *)c;							\
  pre##_cbcdecrypt(&g->k, s, t, sz);					\
}									\
									\
static void gdestroy(gcipher *c)					\
{									\
  gctx *g = (gctx *)c;							\
  DESTROY(g);								\
}									\
									\
static void gsetiv(gcipher *c, const void *iv)				\
{									\
  gctx *g = (gctx *)c;							\
  pre##_cbcsetiv(&g->k, iv);						\
}									\
									\
static const gcipher_ops gops = {					\
  &pre##_cbc.b,								\
   gencrypt, gdecrypt, gdestroy, gsetiv, 0				\
};									\
									\
const gccipher pre##_cbc = {						\
  { #pre "-cbc", PRE##_KEYSZ, PRE##_BLKSZ },				\
  ginit									\
};									\
									\
CBC_TEST(PRE, pre)

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <stdio.h>

#include "daftstory.h"

/* --- @CBC_TEST@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for block cipher definitions
 *
 * Use:		Standard test rig for CBC functions.
 */

#define CBC_TEST(PRE, pre)						\
									\
/* --- Initial plaintext for the test --- */				\
									\
static const octet text[] = TEXT;					\
									\
/* --- Key and IV to use --- */						\
									\
static const octet key[] = KEY;						\
static const octet iv[] = IV;						\
									\
/* --- Buffers for encryption and decryption output --- */		\
									\
static octet ct[sizeof(text)];						\
static octet pt[sizeof(text)];						\
									\
static void hexdump(const octet *p, size_t sz)				\
{									\
  const octet *q = p + sz;						\
  for (sz = 0; p < q; p++, sz++) {					\
    printf("%02x", *p);							\
    if ((sz + 1) % PRE##_BLKSZ == 0)					\
      putchar(':');							\
  }									\
}									\
									\
int main(void)								\
{									\
  size_t sz = 0, rest;							\
  pre##_cbcctx ctx;							\
  pre##_ctx k;								\
  int status = 0;							\
  int done = 0;								\
									\
  size_t keysz = PRE##_KEYSZ ?						\
    PRE##_KEYSZ : strlen((const char *)key);				\
									\
  fputs(#pre "-cbc: ", stdout);						\
									\
  pre##_init(&k, key, keysz);						\
  pre##_cbcsetkey(&ctx, &k);						\
									\
  while (sz <= sizeof(text)) {						\
    rest = sizeof(text) - sz;						\
    memcpy(ct, text, sizeof(text));					\
    pre##_cbcsetiv(&ctx, iv);						\
    pre##_cbcencrypt(&ctx, ct, ct, sz);					\
    pre##_cbcencrypt(&ctx, ct + sz, ct + sz, rest);			\
    memcpy(pt, ct, sizeof(text));					\
    pre##_cbcsetiv(&ctx, iv);						\
    pre##_cbcdecrypt(&ctx, pt, pt, sz);					\
    pre##_cbcdecrypt(&ctx, pt + sz, pt + sz, rest);			\
    if (memcmp(pt, text, sizeof(text)) == 0) {				\
      done++;								\
      if (sizeof(text) < 40 || done % 8 == 0)				\
        fputc('.', stdout);						\
      if (done % 480 == 0)						\
        fputs("\n\t", stdout);						\
      fflush(stdout);							\
    } else {								\
      printf("\nError (sz = %lu)\n", (unsigned long)sz);		\
      status = 1;							\
      printf("\tplaintext      = "); hexdump(text, sz);			\
        printf(", "); hexdump(text + sz, rest);				\
        fputc('\n', stdout);						\
      printf("\tciphertext     = "); hexdump(ct, sz);			\
        printf(", "); hexdump(ct + sz, rest);				\
        fputc('\n', stdout);						\
      printf("\trecovered text = "); hexdump(pt, sz);			\
        printf(", "); hexdump(pt + sz, rest);				\
        fputc('\n', stdout);						\
      fputc('\n', stdout);						\
    }									\
    if (sz < 63)							\
      sz++;								\
    else								\
      sz += 9;								\
  }									\
									\
  fputs(status ? " failed\n" : " ok\n", stdout);			\
  return (status);							\
}

#else
#  define CBC_TEST(PRE, pre)
#endif

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
79ba130c	1	/* --c--
	2	*
	3	* $Id: cbc-def.h,v 1.1 1999/12/10 23:16:39 mdw Exp $
	4	*
	5	* Definitions for cipher block chaining mode
	6	*
	7	* (c) 1999 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: cbc-def.h,v $
	33	* Revision 1.1 1999/12/10 23:16:39 mdw
	34	* Split mode macros into interface and implementation.
	35	*
	36	*/
	37
	38	#ifndef CATACOMB_CBC_DEF_H
	39	#define CATACOMB_CBC_DEF_H
	40
	41	#ifdef __cplusplus
	42	extern "C" {
	43	#endif
	44
	45	/----- Header files ------------------------------------------------------/
	46
	47	#include <string.h>
	48
	49	#include <mLib/bits.h>
	50	#include <mLib/sub.h>
	51
	52	#ifndef CATACOMB_BLKC_H
	53	# include "blkc.h"
	54	#endif
	55
	56	#ifndef CATACOMB_GCIPHER_H
	57	# include "gcipher.h"
	58	#endif
	59
	60	/----- Macros ------------------------------------------------------------/
	61
	62	/* --- @CBC_DEF@ --- *
	63	*
	64	* Arguments: @PRE@, @pre@ = prefixes for the underlying block cipher
65	*
66	* Use: Creates an implementation for CBC stealing mode.
67	*/
68
69	#define CBC_DEF(PRE, pre) \
70	\
71	/* --- @pre_cbcgetiv@ --- * \
72	* \
73	* Arguments: @const pre_cbcctx *ctx@ = pointer to CBC context block \
74	* @void *iv#@ = pointer to output data block \
75	* \
76	* Returns: --- \
77	* \
78	* Use: Reads the currently set IV. Reading and setting an IV \
79	* is transparent to the CBC encryption or decryption \
80	* process. \
81	*/ \
82	\
83	void pre##_cbcgetiv(const pre##_cbcctx ctx, void iv) \
84	{ \
85	BLKC_STORE(PRE, iv, ctx->iv); \
86	} \
87	\
88	/* --- @pre_cbcsetiv@ --- * \
89	* \
90	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
91	* @cnost void *iv@ = pointer to IV to set \
92	* \
93	* Returns: --- \
94	* \
95	* Use: Sets the IV to use for subsequent encryption. \
96	*/ \
97	\
98	void pre##_cbcsetiv(pre##_cbcctx ctx, const void iv) \
99	{ \
100	BLKC_LOAD(PRE, ctx->iv, iv); \
101	} \
102	\
103	/* --- @pre_cbcsetkey@ --- * \
104	* \
105	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
106	* @const pre_ctx *k@ = pointer to cipher context \
107	* \
108	* Returns: --- \
109	* \
110	* Use: Sets the CBC context to use a different cipher key. \
111	*/ \
112	\
113	void pre##_cbcsetkey(pre##_cbcctx ctx, const pre##_ctx k) \
114	{ \
115	ctx->ctx = *k; \
116	} \
117	\
118	/* --- @pre_cbcinit@ --- * \
119	* \
120	* Arguments: @pre_cbcctx *ctx@ = pointer to cipher context \
121	* @const void *key@ = pointer to the key buffer \
122	* @size_t sz@ = size of the key \
123	* @const void *iv@ = pointer to initialization vector \
124	* \
125	* Returns: --- \
126	* \
127	* Use: Initializes a CBC context ready for use. The @iv@ \
128	* argument may be passed as a null pointer to set a zero \
129	* IV. Apart from that, this call is equivalent to calls \
130	* to @pre_init@, @pre_cbcsetkey@ and @pre_cbcsetiv@. \
131	*/ \
132	\
133	void pre##_cbcinit(pre##_cbcctx *ctx, \
134	const void *key, size_t sz, \
135	const void *iv) \
136	{ \
137	static octet zero[PRE##_BLKSZ] = { 0 }; \
138	pre##_init(&ctx->ctx, key, sz); \
139	BLKC_LOAD(PRE, ctx->iv, iv ? iv : zero); \
140	} \
141	\
142	/* --- @pre_cbcencrypt@ --- * \
143	* \
144	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
145	* @const void *src@ = pointer to source data \
146	* @void *dest@ = pointer to destination data \
147	* @size_t sz@ = size of block to be encrypted \
148	* \
149	* Returns: --- \
150	* \
151	* Use: Encrypts a block with a block cipher in CBC mode, with \
152	* ciphertext stealing and other clever tricks. \
153	* Essentially, data can be encrypted in arbitrary sized \
154	* chunks, although decryption must use the same chunks. \
155	*/ \
156	\
157	void pre##_cbcencrypt(pre##_cbcctx *ctx, \
158	const void src, void dest, \
159	size_t sz) \
160	{ \
161	const octet *s = src; \
162	octet *d = dest; \
163	\
164	/* --- Empty blocks are trivial --- */ \
165	\
166	if (!sz) \
167	return; \
168	\
169	/* --- Extra magical case for a short block --- * \
170	* \
171	* Encrypt the IV, then exclusive-or the plaintext with the octets \
172	* of the encrypted IV, shifting ciphertext octets in instead. This \
173	* basically switches over to CFB. \
174	*/ \
175	\
176	if (sz < PRE##_BLKSZ) { \
177	octet b[PRE##_BLKSZ]; \
178	unsigned i; \
179	\
180	pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv); \
181	BLKC_STORE(PRE, b, ctx->iv); \
182	for (i = 0; i < sz; i++) \
183	d[i] = b[i] ^ s[i]; \
184	memmove(b, b + sz, PRE##_BLKSZ - sz); \
185	memcpy(b + PRE##_BLKSZ - sz, d, sz); \
186	BLKC_LOAD(PRE, ctx->iv, b); \
187	return; \
188	} \
189	\
190	/* --- Do the main chunk of encryption --- * \
191	* \
192	* This will do the whole lot if it's a whole number of blocks. For \
193	* each block, XOR it with the previous ciphertext in @iv@, encrypt, \
194	* and keep a copy of the ciphertext for the next block. \
195	*/ \
196	\
197	while (sz >= 2 * PRE##_BLKSZ \|\| sz == PRE##_BLKSZ) { \
198	BLKC_XLOAD(PRE, ctx->iv, s); \
199	pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv); \
200	BLKC_STORE(PRE, d, ctx->iv); \
201	s += PRE##_BLKSZ; \
202	d += PRE##_BLKSZ; \
203	sz -= PRE##_BLKSZ; \
204	} \
205	\
206	/* --- Do the tail-end block and bit-left-over --- * \
207	* \
208	* This isn't very efficient. That shouldn't matter much. \
209	*/ \
210	\
211	if (sz) { \
212	octet b[PRE##_BLKSZ]; \
213	unsigned i; \
214	\
215	/* --- Let @sz@ be the size of the partial block --- */ \
216	\
217	sz -= PRE##_BLKSZ; \
218	\
219	/* --- First stage --- * \
220	* \
221	* XOR the complete block with the current IV, and encrypt it. The \
222	* first part of the result is the partial ciphertext block. Don't \
223	* write that out yet, because I've not read the partial plaintext \
224	* block. \
225	*/ \
226	\
227	BLKC_XLOAD(PRE, ctx->iv, s); \
228	pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv); \
229	BLKC_STORE(PRE, b, ctx->iv); \
230	\
231	/* --- Second stage --- * \
232	* \
233	* Now XOR in the partial plaintext block, writing out the \
234	* ciphertext as I go. Then encrypt, and write the complete \
235	* ciphertext block. \
236	*/ \
237	\
238	s += PRE##_BLKSZ; \
239	d += PRE##_BLKSZ; \
240	for (i = 0; i < sz; i++) { \
241	register octet x = b[i]; \
242	b[i] ^= s[i]; \
243	d[i] = x; \
244	} \
245	BLKC_LOAD(PRE, ctx->iv, b); \
246	pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv); \
247	BLKC_STORE(PRE, d - PRE##_BLKSZ, ctx->iv); \
248	} \
249	\
250	/* --- Done --- */ \
251	\
252	return; \
253	} \
254	\
255	/* --- @pre_cbcdecrypt@ --- * \
256	* \
257	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
258	* @const void *src@ = pointer to source data \
259	* @void *dest@ = pointer to destination data \
260	* @size_t sz@ = size of block to be encrypted \
261	* \
262	* Returns: --- \
263	* \
264	* Use: Decrypts a block with a block cipher in CBC mode, with \
265	* ciphertext stealing and other clever tricks. \
266	* Essentially, data can be encrypted in arbitrary sized \
267	* chunks, although decryption must use the same chunks. \
268	*/ \
269	\
270	void pre##_cbcdecrypt(pre##_cbcctx *ctx, \
271	const void src, void dest, \
272	size_t sz) \
273	{ \
274	const octet *s = src; \
275	octet *d = dest; \
276	\
277	/* --- Empty blocks are trivial --- */ \
278	\
279	if (!sz) \
280	return; \
281	\
282	/* --- Extra magical case for a short block --- * \
283	* \
284	* Encrypt the IV, then exclusive-or the ciphertext with the octets \
285	* of the encrypted IV, shifting ciphertext octets in instead. This \
286	* basically switches over to CFB. \
287	*/ \
288	\
289	if (sz < PRE##_BLKSZ) { \
290	octet b[PRE##_BLKSZ], c[PRE##_BLKSZ]; \
291	unsigned i; \
292	\
293	pre##_eblk(&ctx->ctx, ctx->iv, ctx->iv); \
294	BLKC_STORE(PRE, b, ctx->iv); \
295	for (i = 0; i < sz; i++) { \
296	register octet x = s[i]; \
297	d[i] = b[i] ^ x; \
298	c[i] = x; \
299	} \
300	memmove(b, b + sz, PRE##_BLKSZ - sz); \
301	memcpy(b + PRE##_BLKSZ - sz, c, sz); \
302	BLKC_LOAD(PRE, ctx->iv, b); \
303	return; \
304	} \
305	\
306	/* --- Do the main chunk of decryption --- * \
307	* \
308	* This will do the whole lot if it's a whole number of blocks. For \
309	* each block, decrypt, XOR it with the previous ciphertext in @iv@, \
310	* and keep a copy of the ciphertext for the next block. \
311	*/ \
312	\
313	while (sz >= 2 * PRE##_BLKSZ \|\| sz == PRE##_BLKSZ) { \
314	uint32 b[PRE##_BLKSZ / 4], niv[PRE##_BLKSZ / 4]; \
315	BLKC_LOAD(PRE, niv, s); \
316	pre##_dblk(&ctx->ctx, niv, b); \
317	BLKC_XSTORE(PRE, d, b, ctx->iv); \
318	BLKC_MOVE(PRE, ctx->iv, niv); \
319	s += PRE##_BLKSZ; \
320	d += PRE##_BLKSZ; \
321	sz -= PRE##_BLKSZ; \
322	} \
323	\
324	/* --- Do the tail-end block and bit-left-over --- * \
325	* \
326	* This isn't very efficient. That shouldn't matter much. \
327	*/ \
328	\
329	if (sz) { \
330	octet b[PRE##_BLKSZ]; \
331	uint32 bk[PRE##_BLKSZ / 4], niv[PRE##_BLKSZ / 4]; \
332	unsigned i; \
333	\
334	/* --- Let @sz@ be the size of the partial block --- */ \
335	\
336	sz -= PRE##_BLKSZ; \
337	\
338	/* --- First stage --- * \
339	* \
340	* Take the complete ciphertext block, and decrypt it. This block \
341	* is carried over for the next encryption operation. \
342	*/ \
343	\
344	BLKC_LOAD(PRE, niv, s); \
345	pre##_dblk(&ctx->ctx, niv, bk); \
346	\
347	/* --- Second stage --- * \
348	* \
349	* XORing the first few bytes of this with the partial ciphertext \
350	* block recovers the partial plaintext block. At the same time, \
351	* write the partial ciphertext block's contents in ready for stage \
352	* three. \
353	*/ \
354	\
355	BLKC_STORE(PRE, b, bk); \
356	s += PRE##_BLKSZ; \
357	d += PRE##_BLKSZ; \
358	for (i = 0; i < sz; i++) { \
359	register octet x = s[i]; \
360	d[i] = b[i] ^ x; \
361	b[i] = x; \
362	} \
363	\
364	/* --- Third stage --- * \
365	* \
366	* Decrypt the block we've got left, and XOR with the initial IV to \
367	* recover the complete plaintext block. \
368	*/ \
369	\
370	BLKC_LOAD(PRE, bk, b); \
371	pre##_dblk(&ctx->ctx, bk, bk); \
372	BLKC_XSTORE(PRE, d - PRE##_BLKSZ, bk, ctx->iv); \
373	BLKC_MOVE(PRE, ctx->iv, niv); \
374	} \
375	\
376	/* --- Done --- */ \
377	\
378	return; \
379	} \
380	\
381	/* --- Generic cipher interface --- */ \
382	\
383	static const gcipher_ops gops; \
384	\
385	typedef struct gctx { \
386	gcipher c; \
387	pre##_cbcctx k; \
388	} gctx; \
389	\
390	static gcipher ginit(const void k, size_t sz) \
391	{ \
392	gctx *g = CREATE(gctx); \
393	g->c.ops = &gops; \
394	pre##_cbcinit(&g->k, k, sz, 0); \
395	return (&g->c); \
396	} \
397	\
398	static void gencrypt(gcipher c, const void s, void *t, size_t sz) \
399	{ \
400	gctx g = (gctx )c; \
401	pre##_cbcencrypt(&g->k, s, t, sz); \
402	} \
403	\
404	static void gdecrypt(gcipher c, const void s, void *t, size_t sz) \
405	{ \
406	gctx g = (gctx )c; \
407	pre##_cbcdecrypt(&g->k, s, t, sz); \
408	} \
409	\
410	static void gdestroy(gcipher *c) \
411	{ \
412	gctx g = (gctx )c; \
413	DESTROY(g); \
414	} \
415	\
416	static void gsetiv(gcipher c, const void iv) \
417	{ \
418	gctx g = (gctx )c; \
419	pre##_cbcsetiv(&g->k, iv); \
420	} \
421	\
422	static const gcipher_ops gops = { \
423	&pre##_cbc.b, \
424	gencrypt, gdecrypt, gdestroy, gsetiv, 0 \
425	}; \
426	\
427	const gccipher pre##_cbc = { \
428	{ #pre "-cbc", PRE##_KEYSZ, PRE##_BLKSZ }, \
429	ginit \
430	}; \
431	\
432	CBC_TEST(PRE, pre)
433
434	/----- Test rig ----------------------------------------------------------/
435
436	#ifdef TEST_RIG
437
438	#include <stdio.h>
439
440	#include "daftstory.h"
441
442	/* --- @CBC_TEST@ --- *
443	*
444	* Arguments: @PRE@, @pre@ = prefixes for block cipher definitions
445	*
446	* Use: Standard test rig for CBC functions.
447	*/
448
449	#define CBC_TEST(PRE, pre) \
450	\
451	/* --- Initial plaintext for the test --- */ \
452	\
453	static const octet text[] = TEXT; \
454	\
455	/* --- Key and IV to use --- */ \
456	\
457	static const octet key[] = KEY; \
458	static const octet iv[] = IV; \
459	\
460	/* --- Buffers for encryption and decryption output --- */ \
461	\
462	static octet ct[sizeof(text)]; \
463	static octet pt[sizeof(text)]; \
464	\
465	static void hexdump(const octet *p, size_t sz) \
466	{ \
467	const octet *q = p + sz; \
468	for (sz = 0; p < q; p++, sz++) { \
469	printf("%02x", *p); \
470	if ((sz + 1) % PRE##_BLKSZ == 0) \
471	putchar(':'); \
472	} \
473	} \
474	\
475	int main(void) \
476	{ \
477	size_t sz = 0, rest; \
478	pre##_cbcctx ctx; \
479	pre##_ctx k; \
480	int status = 0; \
481	int done = 0; \
482	\
483	size_t keysz = PRE##_KEYSZ ? \
484	PRE##_KEYSZ : strlen((const char *)key); \
485	\
486	fputs(#pre "-cbc: ", stdout); \
487	\
488	pre##_init(&k, key, keysz); \
489	pre##_cbcsetkey(&ctx, &k); \
490	\
491	while (sz <= sizeof(text)) { \
492	rest = sizeof(text) - sz; \
493	memcpy(ct, text, sizeof(text)); \
494	pre##_cbcsetiv(&ctx, iv); \
495	pre##_cbcencrypt(&ctx, ct, ct, sz); \
496	pre##_cbcencrypt(&ctx, ct + sz, ct + sz, rest); \
497	memcpy(pt, ct, sizeof(text)); \
498	pre##_cbcsetiv(&ctx, iv); \
499	pre##_cbcdecrypt(&ctx, pt, pt, sz); \
500	pre##_cbcdecrypt(&ctx, pt + sz, pt + sz, rest); \
501	if (memcmp(pt, text, sizeof(text)) == 0) { \
502	done++; \
503	if (sizeof(text) < 40 \|\| done % 8 == 0) \
504	fputc('.', stdout); \
505	if (done % 480 == 0) \
506	fputs("\n\t", stdout); \
507	fflush(stdout); \
508	} else { \
509	printf("\nError (sz = %lu)\n", (unsigned long)sz); \
510	status = 1; \
511	printf("\tplaintext = "); hexdump(text, sz); \
512	printf(", "); hexdump(text + sz, rest); \
513	fputc('\n', stdout); \
514	printf("\tciphertext = "); hexdump(ct, sz); \
515	printf(", "); hexdump(ct + sz, rest); \
516	fputc('\n', stdout); \
517	printf("\trecovered text = "); hexdump(pt, sz); \
518	printf(", "); hexdump(pt + sz, rest); \
519	fputc('\n', stdout); \
520	fputc('\n', stdout); \
521	} \
522	if (sz < 63) \
523	sz++; \
524	else \
525	sz += 9; \
526	} \
527	\
528	fputs(status ? " failed\n" : " ok\n", stdout); \
529	return (status); \
530	}
531
532	#else
533	# define CBC_TEST(PRE, pre)
534	#endif
535
536	/----- That's all, folks -------------------------------------------------/
537
538	#ifdef __cplusplus
539	}
540	#endif
541
542	#endif