[catacomb] / symm / cbc-def.h

/* -*-c-*-
 *
 * Definitions for cipher block chaining mode
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_CBC_DEF_H
#define CATACOMB_CBC_DEF_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Header files ------------------------------------------------------*/

#include <string.h>

#include <mLib/bits.h>
#include <mLib/sub.h>

#ifndef CATACOMB_ARENA_H
#  include "arena.h"
#endif

#ifndef CATACOMB_BLKC_H
#  include "blkc.h"
#endif

#ifndef CATACOMB_GCIPHER_H
#  include "gcipher.h"
#endif

#ifndef CATACOMB_PARANOIA_H
#  include "paranoia.h"
#endif

/*----- Macros ------------------------------------------------------------*/

/* --- @CBC_DEF@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for the underlying block cipher
 *
 * Use:		Creates an implementation for CBC stealing mode.
 */

#define CBC_DEF(PRE, pre) CBC_DEFX(PRE, pre, #pre, #pre)

#define CBC_DEFX(PRE, pre, name, fname)					\
									\
/* --- @pre_cbcgetiv@ --- *						\
 *									\
 * Arguments:	@const pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@void *iv@ = pointer to output data block		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Reads the currently set IV.  Reading and setting an IV	\
 *		is transparent to the CBC encryption or decryption	\
 *		process.						\
 */									\
									\
void pre##_cbcgetiv(const pre##_cbcctx *ctx, void *iv)			\
  { BLKC_STORE(PRE, iv, ctx->a); }					\
									\
/* --- @pre_cbcsetiv@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@cnost void *iv@ = pointer to IV to set			\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the IV to use for subsequent encryption.		\
 */									\
									\
void pre##_cbcsetiv(pre##_cbcctx *ctx, const void *iv)			\
  { BLKC_LOAD(PRE, ctx->a, iv); }					\
									\
/* --- @pre_cbcsetkey@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const pre_ctx *k@ = pointer to cipher context		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Sets the CBC context to use a different cipher key.	\
 */									\
									\
void pre##_cbcsetkey(pre##_cbcctx *ctx, const pre##_ctx *k)		\
  { ctx->ctx = *k; }							\
									\
/* --- @pre_cbcinit@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to cipher context		\
 *		@const void *key@ = pointer to the key buffer		\
 *		@size_t sz@ = size of the key				\
 *		@const void *iv@ = pointer to initialization vector	\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Initializes a CBC context ready for use.  The @iv@	\
 *		argument may be passed as a null pointer to set a zero	\
 *		IV.  Apart from that, this call is equivalent to calls	\
 *		to @pre_init@, @pre_cbcsetkey@ and @pre_cbcsetiv@.	\
 */									\
									\
void pre##_cbcinit(pre##_cbcctx *ctx,					\
		   const void *key, size_t sz,				\
		   const void *iv)					\
{									\
  static const octet zero[PRE##_BLKSZ] = { 0 };				\
									\
  pre##_init(&ctx->ctx, key, sz);					\
  BLKC_LOAD(PRE, ctx->a, iv ? iv : zero);				\
}									\
									\
/* --- @pre_cbcencrypt@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const void *src@ = pointer to source data		\
 *		@void *dest@ = pointer to destination data		\
 *		@size_t sz@ = size of block to be encrypted		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Encrypts a block with a block cipher in CBC mode, with	\
 *		ciphertext stealing and other clever tricks.		\
 *		Essentially, data can be encrypted in arbitrary sized	\
 *		chunks, although decryption must use the same chunks.	\
 */									\
									\
void pre##_cbcencrypt(pre##_cbcctx *ctx,				\
		      const void *src, void *dest,			\
		      size_t sz)					\
{									\
  const octet *s = src;							\
  octet *d = dest;							\
  octet b[PRE##_BLKSZ];							\
  octet y;								\
  unsigned i;								\
									\
  /* --- Empty blocks are trivial --- */				\
									\
  if (!sz) return;							\
									\
  /* --- Extra magical case for a short block --- *			\
   *									\
   * Encrypt the IV, then exclusive-or the plaintext with the octets	\
   * of the encrypted IV, shifting ciphertext octets in instead.  This	\
   * basically switches over to CFB.					\
   */									\
									\
  if (sz < PRE##_BLKSZ) {						\
    pre##_eblk(&ctx->ctx, ctx->a, ctx->a);				\
    BLKC_STORE(PRE, b, ctx->a);						\
    if (d) { for (i = 0; i < sz; i++) d[i] = b[i] ^ (s ? s[i] : 0); }	\
    memmove(b, b + sz, PRE##_BLKSZ - sz);				\
    memcpy(b + PRE##_BLKSZ - sz, d, sz);				\
    BLKC_LOAD(PRE, ctx->a, b);						\
    return;								\
  }									\
									\
  /* --- Do the main chunk of encryption --- *				\
   *									\
   * This will do the whole lot if it's a whole number of blocks.  For	\
   * each block, XOR it with the previous ciphertext in @iv@, encrypt,	\
   * and keep a copy of the ciphertext for the next block.		\
   */									\
									\
  while (sz >= 2*PRE##_BLKSZ || sz == PRE##_BLKSZ) {			\
    if (s) { BLKC_XLOAD(PRE, ctx->a, s); s += PRE##_BLKSZ; }		\
    pre##_eblk(&ctx->ctx, ctx->a, ctx->a);				\
    if (d) { BLKC_STORE(PRE, d, ctx->a); d += PRE##_BLKSZ; }		\
    sz -= PRE##_BLKSZ;							\
  }									\
									\
  /* --- Do the tail-end block and bit-left-over --- *			\
   *									\
   * This isn't very efficient.  That shouldn't matter much.		\
   */									\
									\
  if (sz) {								\
									\
    /* --- Let @sz@ be the size of the partial block --- */		\
									\
    sz -= PRE##_BLKSZ;							\
									\
    /* --- First stage --- *						\
     *									\
     * XOR the complete block with the current IV, and encrypt it.  The	\
     * first part of the result is the partial ciphertext block.  Don't	\
     * write that out yet, because I've not read the partial plaintext	\
     * block.								\
     */									\
									\
    if (s) BLKC_XLOAD(PRE, ctx->a, s);					\
    pre##_eblk(&ctx->ctx, ctx->a, ctx->a);				\
    BLKC_STORE(PRE, b, ctx->a);						\
									\
    /* --- Second stage --- *						\
     *									\
     * Now XOR in the partial plaintext block, writing out the		\
     * ciphertext as I go.  Then encrypt, and write the complete	\
     * ciphertext block.						\
     */									\
									\
    if (s) s += PRE##_BLKSZ;						\
    if (d) d += PRE##_BLKSZ;						\
    for (i = 0; i < sz; i++) {						\
      y = b[i];								\
      if (s) b[i] ^= s[i];						\
      if (d) d[i] = y;							\
    }									\
    BLKC_LOAD(PRE, ctx->a, b);						\
    pre##_eblk(&ctx->ctx, ctx->a, ctx->a);				\
    if (d) BLKC_STORE(PRE, d - PRE##_BLKSZ, ctx->a);			\
  }									\
									\
  /* --- Done --- */							\
									\
  return;								\
}									\
									\
/* --- @pre_cbcdecrypt@ --- *						\
 *									\
 * Arguments:	@pre_cbcctx *ctx@ = pointer to CBC context block	\
 *		@const void *src@ = pointer to source data		\
 *		@void *dest@ = pointer to destination data		\
 *		@size_t sz@ = size of block to be encrypted		\
 *									\
 * Returns:	---							\
 *									\
 * Use:		Decrypts a block with a block cipher in CBC mode, with	\
 *		ciphertext stealing and other clever tricks.		\
 *		Essentially, data can be encrypted in arbitrary sized	\
 *		chunks, although decryption must use the same chunks.	\
 */									\
									\
void pre##_cbcdecrypt(pre##_cbcctx *ctx,				\
		      const void *src, void *dest,			\
		      size_t sz)					\
{									\
  const octet *s = src;							\
  octet *d = dest;							\
  uint32 t[PRE##_BLKSZ/4], u[PRE##_BLKSZ/4];				\
  octet b[PRE##_BLKSZ], c[PRE##_BLKSZ];					\
  octet y;								\
  unsigned i;								\
									\
  /* --- Empty blocks are trivial --- */				\
									\
  if (!sz) return;							\
									\
  /* --- Extra magical case for a short block --- *			\
   *									\
   * Encrypt the IV, then exclusive-or the ciphertext with the octets	\
   * of the encrypted IV, shifting ciphertext octets in instead.  This	\
   * basically switches over to CFB.					\
   */									\
									\
  if (sz < PRE##_BLKSZ) {						\
    pre##_eblk(&ctx->ctx, ctx->a, ctx->a);				\
    BLKC_STORE(PRE, b, ctx->a);						\
    for (i = 0; i < sz; i++) { y = s[i]; d[i] = b[i] ^ y; c[i] = y; }	\
    memmove(b, b + sz, PRE##_BLKSZ - sz);				\
    memcpy(b + PRE##_BLKSZ - sz, c, sz);				\
    BLKC_LOAD(PRE, ctx->a, b);						\
    return;								\
  }									\
									\
  /* --- Do the main chunk of decryption --- *				\
   *									\
   * This will do the whole lot if it's a whole number of blocks.  For	\
   * each block, decrypt, XOR it with the previous ciphertext in @iv@,	\
   * and keep a copy of the ciphertext for the next block.		\
   */									\
									\
  while (sz >= 2*PRE##_BLKSZ || sz == PRE##_BLKSZ) {			\
    BLKC_LOAD(PRE, t, s); s += PRE##_BLKSZ;				\
    pre##_dblk(&ctx->ctx, t, u);					\
    BLKC_XSTORE(PRE, d, u, ctx->a); d += PRE##_BLKSZ;			\
    BLKC_MOVE(PRE, ctx->a, t);						\
    sz -= PRE##_BLKSZ;							\
  }									\
									\
  /* --- Do the tail-end block and bit-left-over --- *			\
   *									\
   * This isn't very efficient.  That shouldn't matter much.		\
   */									\
									\
  if (sz) {								\
									\
    /* --- Let @sz@ be the size of the partial block --- */		\
									\
    sz -= PRE##_BLKSZ;							\
									\
    /* --- First stage --- *						\
     *									\
     * Take the complete ciphertext block, and decrypt it.  This block	\
     * is carried over for the next encryption operation.		\
     */									\
									\
    BLKC_LOAD(PRE, t, s);						\
    pre##_dblk(&ctx->ctx, t, u);					\
									\
    /* --- Second stage --- *						\
     *									\
     * XORing the first few bytes of this with the partial ciphertext	\
     * block recovers the partial plaintext block.  At the same time,	\
     * write the partial ciphertext block's contents in ready for stage	\
     * three.								\
     */									\
									\
    BLKC_STORE(PRE, b, u);						\
    s += PRE##_BLKSZ;							\
    d += PRE##_BLKSZ;							\
    for (i = 0; i < sz; i++) { y = s[i]; d[i] = b[i] ^ y; b[i] = y; }	\
									\
    /* --- Third stage --- *						\
     *									\
     * Decrypt the block we've got left, and XOR with the initial IV to	\
     * recover the complete plaintext block.				\
     */									\
									\
    BLKC_LOAD(PRE, u, b);						\
    pre##_dblk(&ctx->ctx, u, u);					\
    BLKC_XSTORE(PRE, d - PRE##_BLKSZ, u, ctx->a);			\
    BLKC_MOVE(PRE, ctx->a, t);						\
  }									\
									\
  /* --- Done --- */							\
									\
  return;								\
}									\
									\
/* --- Generic cipher interface --- */					\
									\
static const gcipher_ops gops;						\
									\
typedef struct gctx {							\
  gcipher c;								\
  pre##_cbcctx k;							\
} gctx;									\
									\
static gcipher *ginit(const void *k, size_t sz)				\
{									\
  gctx *g = S_CREATE(gctx);						\
  g->c.ops = &gops;							\
  pre##_cbcinit(&g->k, k, sz, 0);					\
  return (&g->c);							\
}									\
									\
static void gencrypt(gcipher *c, const void *s, void *t, size_t sz)	\
  { gctx *g = (gctx *)c; pre##_cbcencrypt(&g->k, s, t, sz); }		\
									\
static void gdecrypt(gcipher *c, const void *s, void *t, size_t sz)	\
  { gctx *g = (gctx *)c; pre##_cbcdecrypt(&g->k, s, t, sz); }		\
									\
static void gdestroy(gcipher *c)					\
  { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); }			\
									\
static void gsetiv(gcipher *c, const void *iv)				\
  { gctx *g = (gctx *)c; pre##_cbcsetiv(&g->k, iv); }			\
									\
static const gcipher_ops gops = {					\
  &pre##_cbc,								\
  gencrypt, gdecrypt, gdestroy, gsetiv, 0				\
};									\
									\
const gccipher pre##_cbc = {						\
  name "-cbc", pre##_keysz, PRE##_BLKSZ,				\
  ginit									\
};									\
									\
CBC_TESTX(PRE, pre, name, fname)

/*----- Test rig ----------------------------------------------------------*/

#define CBC_TEST(PRE, pre) CBC_TESTX(PRE, pre, #pre, #pre)

#ifdef TEST_RIG

#include "modes-test.h"

/* --- @CBC_TEST@ --- *
 *
 * Arguments:	@PRE@, @pre@ = prefixes for block cipher definitions
 *
 * Use:		Standard test rig for CBC functions.
 */

#define CBC_TESTX(PRE, pre, name, fname)				\
									\
static pre##_ctx key;							\
static pre##_cbcctx ctx;						\
									\
static void pre##_cbc_test_setup(const octet *k, size_t ksz)		\
  { pre##_init(&key, k, ksz); pre##_cbcsetkey(&ctx, &key); }		\
									\
static void pre##_cbc_test_reset(const octet *iv)			\
  { pre##_cbcsetiv(&ctx, iv); }						\
									\
static void pre##_cbc_test_enc(const octet *s, octet *d, size_t sz)	\
  { pre##_cbcencrypt(&ctx, s, d, sz); }					\
									\
static void pre##_cbc_test_dec(const octet *s, octet *d, size_t sz)	\
  { pre##_cbcdecrypt(&ctx, s, d, sz); }					\
									\
int main(int argc, char *argv[])					\
{									\
  return test_encmode(fname "-cbc", PRE##_KEYSZ, PRE##_BLKSZ,		\
		      1, TEMF_REFALIGN,					\
		      pre##_cbc_test_setup, pre##_cbc_test_reset,	\
		      pre##_cbc_test_enc, pre##_cbc_test_dec,		\
		      argc, argv);					\
}

#else
#  define CBC_TESTX(PRE, pre, name, fname)
#endif

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
79ba130c	1	/* --c--
79ba130c	2	*
79ba130c	3	* Definitions for cipher block chaining mode
	4	*
	5	* (c) 1999 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
79ba130c	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
79ba130c	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
79ba130c	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
79ba130c	28	#ifndef CATACOMB_CBC_DEF_H
	29	#define CATACOMB_CBC_DEF_H
	30
	31	#ifdef __cplusplus
	32	extern "C" {
	33	#endif
	34
	35	/----- Header files ------------------------------------------------------/
	36
	37	#include <string.h>
	38
	39	#include <mLib/bits.h>
	40	#include <mLib/sub.h>
	41
99461409	42	#ifndef CATACOMB_ARENA_H
	43	# include "arena.h"
	44	#endif
	45
79ba130c	46	#ifndef CATACOMB_BLKC_H
	47	# include "blkc.h"
	48	#endif
	49
	50	#ifndef CATACOMB_GCIPHER_H
	51	# include "gcipher.h"
	52	#endif
	53
99461409	54	#ifndef CATACOMB_PARANOIA_H
	55	# include "paranoia.h"
	56	#endif
	57
79ba130c	58	/----- Macros ------------------------------------------------------------/
	59
	60	/* --- @CBC_DEF@ --- *
	61	*
	62	* Arguments: @PRE@, @pre@ = prefixes for the underlying block cipher
	63	*
	64	* Use: Creates an implementation for CBC stealing mode.
	65	*/
	66
aaae9cab MW	67	#define CBC_DEF(PRE, pre) CBC_DEFX(PRE, pre, #pre, #pre)
	68
	69	#define CBC_DEFX(PRE, pre, name, fname) \
79ba130c	70	\
	71	/* --- @pre_cbcgetiv@ --- * \
	72	* \
	73	* Arguments: @const pre_cbcctx *ctx@ = pointer to CBC context block \
4efe32ba	74	* @void *iv@ = pointer to output data block \
79ba130c	75	* \
	76	* Returns: --- \
	77	* \
	78	* Use: Reads the currently set IV. Reading and setting an IV \
	79	* is transparent to the CBC encryption or decryption \
	80	* process. \
	81	*/ \
	82	\
	83	void pre##_cbcgetiv(const pre##_cbcctx ctx, void iv) \
0fee61eb	84	{ BLKC_STORE(PRE, iv, ctx->a); } \
79ba130c	85	\
	86	/* --- @pre_cbcsetiv@ --- * \
	87	* \
	88	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
	89	* @cnost void *iv@ = pointer to IV to set \
	90	* \
	91	* Returns: --- \
	92	* \
	93	* Use: Sets the IV to use for subsequent encryption. \
	94	*/ \
	95	\
	96	void pre##_cbcsetiv(pre##_cbcctx ctx, const void iv) \
0fee61eb	97	{ BLKC_LOAD(PRE, ctx->a, iv); } \
79ba130c	98	\
	99	/* --- @pre_cbcsetkey@ --- * \
	100	* \
	101	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
	102	* @const pre_ctx *k@ = pointer to cipher context \
	103	* \
	104	* Returns: --- \
	105	* \
	106	* Use: Sets the CBC context to use a different cipher key. \
	107	*/ \
	108	\
	109	void pre##_cbcsetkey(pre##_cbcctx ctx, const pre##_ctx k) \
0fee61eb	110	{ ctx->ctx = *k; } \
79ba130c	111	\
	112	/* --- @pre_cbcinit@ --- * \
	113	* \
	114	* Arguments: @pre_cbcctx *ctx@ = pointer to cipher context \
	115	* @const void *key@ = pointer to the key buffer \
	116	* @size_t sz@ = size of the key \
	117	* @const void *iv@ = pointer to initialization vector \
	118	* \
	119	* Returns: --- \
	120	* \
	121	* Use: Initializes a CBC context ready for use. The @iv@ \
	122	* argument may be passed as a null pointer to set a zero \
	123	* IV. Apart from that, this call is equivalent to calls \
	124	* to @pre_init@, @pre_cbcsetkey@ and @pre_cbcsetiv@. \
	125	*/ \
	126	\
	127	void pre##_cbcinit(pre##_cbcctx *ctx, \
81b52866 MW	128	const void *key, size_t sz, \
81b52866 MW	129	const void *iv) \
79ba130c	130	{ \
4e66da02	131	static const octet zero[PRE##_BLKSZ] = { 0 }; \
0fee61eb	132	\
79ba130c	133	pre##_init(&ctx->ctx, key, sz); \
0fee61eb	134	BLKC_LOAD(PRE, ctx->a, iv ? iv : zero); \
79ba130c	135	} \
	136	\
	137	/* --- @pre_cbcencrypt@ --- * \
	138	* \
	139	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
	140	* @const void *src@ = pointer to source data \
	141	* @void *dest@ = pointer to destination data \
	142	* @size_t sz@ = size of block to be encrypted \
	143	* \
	144	* Returns: --- \
	145	* \
	146	* Use: Encrypts a block with a block cipher in CBC mode, with \
	147	* ciphertext stealing and other clever tricks. \
	148	* Essentially, data can be encrypted in arbitrary sized \
	149	* chunks, although decryption must use the same chunks. \
	150	*/ \
	151	\
	152	void pre##_cbcencrypt(pre##_cbcctx *ctx, \
81b52866 MW	153	const void src, void dest, \
81b52866 MW	154	size_t sz) \
79ba130c	155	{ \
	156	const octet *s = src; \
	157	octet *d = dest; \
0fee61eb MW	158	octet b[PRE##_BLKSZ]; \
	159	octet y; \
	160	unsigned i; \
79ba130c	161	\
	162	/* --- Empty blocks are trivial --- */ \
	163	\
0fee61eb	164	if (!sz) return; \
79ba130c	165	\
	166	/* --- Extra magical case for a short block --- * \
	167	* \
	168	* Encrypt the IV, then exclusive-or the plaintext with the octets \
	169	* of the encrypted IV, shifting ciphertext octets in instead. This \
	170	* basically switches over to CFB. \
	171	*/ \
	172	\
	173	if (sz < PRE##_BLKSZ) { \
0fee61eb MW	174	pre##_eblk(&ctx->ctx, ctx->a, ctx->a); \
	175	BLKC_STORE(PRE, b, ctx->a); \
	176	if (d) { for (i = 0; i < sz; i++) d[i] = b[i] ^ (s ? s[i] : 0); } \
79ba130c	177	memmove(b, b + sz, PRE##_BLKSZ - sz); \
79ba130c	178	memcpy(b + PRE##_BLKSZ - sz, d, sz); \
0fee61eb	179	BLKC_LOAD(PRE, ctx->a, b); \
79ba130c	180	return; \
	181	} \
	182	\
	183	/* --- Do the main chunk of encryption --- * \
	184	* \
	185	* This will do the whole lot if it's a whole number of blocks. For \
	186	* each block, XOR it with the previous ciphertext in @iv@, encrypt, \
	187	* and keep a copy of the ciphertext for the next block. \
	188	*/ \
	189	\
0fee61eb MW	190	while (sz >= 2*PRE##_BLKSZ \|\| sz == PRE##_BLKSZ) { \
	191	if (s) { BLKC_XLOAD(PRE, ctx->a, s); s += PRE##_BLKSZ; } \
	192	pre##_eblk(&ctx->ctx, ctx->a, ctx->a); \
	193	if (d) { BLKC_STORE(PRE, d, ctx->a); d += PRE##_BLKSZ; } \
79ba130c	194	sz -= PRE##_BLKSZ; \
	195	} \
	196	\
	197	/* --- Do the tail-end block and bit-left-over --- * \
	198	* \
	199	* This isn't very efficient. That shouldn't matter much. \
	200	*/ \
	201	\
	202	if (sz) { \
79ba130c	203	\
	204	/* --- Let @sz@ be the size of the partial block --- */ \
	205	\
	206	sz -= PRE##_BLKSZ; \
	207	\
	208	/* --- First stage --- * \
	209	* \
	210	* XOR the complete block with the current IV, and encrypt it. The \
	211	* first part of the result is the partial ciphertext block. Don't \
	212	* write that out yet, because I've not read the partial plaintext \
	213	* block. \
	214	*/ \
	215	\
0fee61eb MW	216	if (s) BLKC_XLOAD(PRE, ctx->a, s); \
	217	pre##_eblk(&ctx->ctx, ctx->a, ctx->a); \
	218	BLKC_STORE(PRE, b, ctx->a); \
79ba130c	219	\
	220	/* --- Second stage --- * \
	221	* \
	222	* Now XOR in the partial plaintext block, writing out the \
	223	* ciphertext as I go. Then encrypt, and write the complete \
	224	* ciphertext block. \
	225	*/ \
	226	\
5c3f75ec	227	if (s) s += PRE##_BLKSZ; \
5c3f75ec	228	if (d) d += PRE##_BLKSZ; \
79ba130c	229	for (i = 0; i < sz; i++) { \
0fee61eb	230	y = b[i]; \
5c3f75ec	231	if (s) b[i] ^= s[i]; \
0fee61eb	232	if (d) d[i] = y; \
79ba130c	233	} \
0fee61eb MW	234	BLKC_LOAD(PRE, ctx->a, b); \
	235	pre##_eblk(&ctx->ctx, ctx->a, ctx->a); \
	236	if (d) BLKC_STORE(PRE, d - PRE##_BLKSZ, ctx->a); \
79ba130c	237	} \
	238	\
	239	/* --- Done --- */ \
	240	\
	241	return; \
	242	} \
	243	\
	244	/* --- @pre_cbcdecrypt@ --- * \
	245	* \
	246	* Arguments: @pre_cbcctx *ctx@ = pointer to CBC context block \
	247	* @const void *src@ = pointer to source data \
	248	* @void *dest@ = pointer to destination data \
	249	* @size_t sz@ = size of block to be encrypted \
	250	* \
	251	* Returns: --- \
	252	* \
	253	* Use: Decrypts a block with a block cipher in CBC mode, with \
	254	* ciphertext stealing and other clever tricks. \
	255	* Essentially, data can be encrypted in arbitrary sized \
	256	* chunks, although decryption must use the same chunks. \
	257	*/ \
	258	\
	259	void pre##_cbcdecrypt(pre##_cbcctx *ctx, \
81b52866 MW	260	const void src, void dest, \
81b52866 MW	261	size_t sz) \
79ba130c	262	{ \
	263	const octet *s = src; \
	264	octet *d = dest; \
0fee61eb MW	265	uint32 t[PRE##_BLKSZ/4], u[PRE##_BLKSZ/4]; \
	266	octet b[PRE##_BLKSZ], c[PRE##_BLKSZ]; \
	267	octet y; \
	268	unsigned i; \
79ba130c	269	\
	270	/* --- Empty blocks are trivial --- */ \
	271	\
0fee61eb	272	if (!sz) return; \
79ba130c	273	\
	274	/* --- Extra magical case for a short block --- * \
	275	* \
	276	* Encrypt the IV, then exclusive-or the ciphertext with the octets \
	277	* of the encrypted IV, shifting ciphertext octets in instead. This \
	278	* basically switches over to CFB. \
	279	*/ \
	280	\
	281	if (sz < PRE##_BLKSZ) { \
0fee61eb MW	282	pre##_eblk(&ctx->ctx, ctx->a, ctx->a); \
	283	BLKC_STORE(PRE, b, ctx->a); \
	284	for (i = 0; i < sz; i++) { y = s[i]; d[i] = b[i] ^ y; c[i] = y; } \
79ba130c	285	memmove(b, b + sz, PRE##_BLKSZ - sz); \
79ba130c	286	memcpy(b + PRE##_BLKSZ - sz, c, sz); \
0fee61eb	287	BLKC_LOAD(PRE, ctx->a, b); \
79ba130c	288	return; \
	289	} \
	290	\
	291	/* --- Do the main chunk of decryption --- * \
	292	* \
	293	* This will do the whole lot if it's a whole number of blocks. For \
	294	* each block, decrypt, XOR it with the previous ciphertext in @iv@, \
	295	* and keep a copy of the ciphertext for the next block. \
	296	*/ \
	297	\
0fee61eb MW	298	while (sz >= 2*PRE##_BLKSZ \|\| sz == PRE##_BLKSZ) { \
	299	BLKC_LOAD(PRE, t, s); s += PRE##_BLKSZ; \
	300	pre##_dblk(&ctx->ctx, t, u); \
	301	BLKC_XSTORE(PRE, d, u, ctx->a); d += PRE##_BLKSZ; \
	302	BLKC_MOVE(PRE, ctx->a, t); \
79ba130c	303	sz -= PRE##_BLKSZ; \
	304	} \
	305	\
	306	/* --- Do the tail-end block and bit-left-over --- * \
	307	* \
	308	* This isn't very efficient. That shouldn't matter much. \
	309	*/ \
	310	\
	311	if (sz) { \
79ba130c	312	\
	313	/* --- Let @sz@ be the size of the partial block --- */ \
	314	\
	315	sz -= PRE##_BLKSZ; \
	316	\
	317	/* --- First stage --- * \
	318	* \
	319	* Take the complete ciphertext block, and decrypt it. This block \
	320	* is carried over for the next encryption operation. \
	321	*/ \
	322	\
0fee61eb MW	323	BLKC_LOAD(PRE, t, s); \
0fee61eb MW	324	pre##_dblk(&ctx->ctx, t, u); \
79ba130c	325	\
	326	/* --- Second stage --- * \
	327	* \
	328	* XORing the first few bytes of this with the partial ciphertext \
	329	* block recovers the partial plaintext block. At the same time, \
	330	* write the partial ciphertext block's contents in ready for stage \
	331	* three. \
	332	*/ \
	333	\
0fee61eb	334	BLKC_STORE(PRE, b, u); \
79ba130c	335	s += PRE##_BLKSZ; \
79ba130c	336	d += PRE##_BLKSZ; \
0fee61eb	337	for (i = 0; i < sz; i++) { y = s[i]; d[i] = b[i] ^ y; b[i] = y; } \
79ba130c	338	\
	339	/* --- Third stage --- * \
	340	* \
	341	* Decrypt the block we've got left, and XOR with the initial IV to \
	342	* recover the complete plaintext block. \
	343	*/ \
	344	\
0fee61eb MW	345	BLKC_LOAD(PRE, u, b); \
	346	pre##_dblk(&ctx->ctx, u, u); \
	347	BLKC_XSTORE(PRE, d - PRE##_BLKSZ, u, ctx->a); \
	348	BLKC_MOVE(PRE, ctx->a, t); \
79ba130c	349	} \
	350	\
	351	/* --- Done --- */ \
	352	\
	353	return; \
	354	} \
	355	\
	356	/* --- Generic cipher interface --- */ \
	357	\
	358	static const gcipher_ops gops; \
	359	\
	360	typedef struct gctx { \
	361	gcipher c; \
	362	pre##_cbcctx k; \
	363	} gctx; \
	364	\
	365	static gcipher ginit(const void k, size_t sz) \
	366	{ \
99461409	367	gctx *g = S_CREATE(gctx); \
79ba130c	368	g->c.ops = &gops; \
	369	pre##_cbcinit(&g->k, k, sz, 0); \
	370	return (&g->c); \
	371	} \
	372	\
	373	static void gencrypt(gcipher c, const void s, void *t, size_t sz) \
0fee61eb	374	{ gctx g = (gctx )c; pre##_cbcencrypt(&g->k, s, t, sz); } \
79ba130c	375	\
79ba130c	376	static void gdecrypt(gcipher c, const void s, void *t, size_t sz) \
0fee61eb	377	{ gctx g = (gctx )c; pre##_cbcdecrypt(&g->k, s, t, sz); } \
79ba130c	378	\
79ba130c	379	static void gdestroy(gcipher *c) \
0fee61eb	380	{ gctx g = (gctx )c; BURN(*g); S_DESTROY(g); } \
79ba130c	381	\
79ba130c	382	static void gsetiv(gcipher c, const void iv) \
0fee61eb	383	{ gctx g = (gctx )c; pre##_cbcsetiv(&g->k, iv); } \
79ba130c	384	\
79ba130c	385	static const gcipher_ops gops = { \
99461409	386	&pre##_cbc, \
99461409	387	gencrypt, gdecrypt, gdestroy, gsetiv, 0 \
79ba130c	388	}; \
	389	\
	390	const gccipher pre##_cbc = { \
aaae9cab	391	name "-cbc", pre##_keysz, PRE##_BLKSZ, \
79ba130c	392	ginit \
	393	}; \
	394	\
aaae9cab	395	CBC_TESTX(PRE, pre, name, fname)
79ba130c	396
	397	/----- Test rig ----------------------------------------------------------/
	398
aaae9cab MW	399	#define CBC_TEST(PRE, pre) CBC_TESTX(PRE, pre, #pre, #pre)
aaae9cab MW	400
79ba130c	401	#ifdef TEST_RIG
79ba130c	402
57f459eb	403	#include "modes-test.h"
79ba130c	404
	405	/* --- @CBC_TEST@ --- *
	406	*
	407	* Arguments: @PRE@, @pre@ = prefixes for block cipher definitions
	408	*
	409	* Use: Standard test rig for CBC functions.
	410	*/
	411
aaae9cab	412	#define CBC_TESTX(PRE, pre, name, fname) \
79ba130c	413	\
57f459eb MW	414	static pre##_ctx key; \
57f459eb MW	415	static pre##_cbcctx ctx; \
79ba130c	416	\
57f459eb MW	417	static void pre##_cbc_test_setup(const octet *k, size_t ksz) \
57f459eb MW	418	{ pre##_init(&key, k, ksz); pre##_cbcsetkey(&ctx, &key); } \
79ba130c	419	\
57f459eb MW	420	static void pre##_cbc_test_reset(const octet *iv) \
57f459eb MW	421	{ pre##_cbcsetiv(&ctx, iv); } \
79ba130c	422	\
57f459eb MW	423	static void pre##_cbc_test_enc(const octet s, octet d, size_t sz) \
57f459eb MW	424	{ pre##_cbcencrypt(&ctx, s, d, sz); } \
79ba130c	425	\
57f459eb MW	426	static void pre##_cbc_test_dec(const octet s, octet d, size_t sz) \
57f459eb MW	427	{ pre##_cbcdecrypt(&ctx, s, d, sz); } \
79ba130c	428	\
57f459eb	429	int main(int argc, char *argv[]) \
79ba130c	430	{ \
57f459eb MW	431	return test_encmode(fname "-cbc", PRE##_KEYSZ, PRE##_BLKSZ, \
	432	1, TEMF_REFALIGN, \
	433	pre##_cbc_test_setup, pre##_cbc_test_reset, \
	434	pre##_cbc_test_enc, pre##_cbc_test_dec, \
	435	argc, argv); \
79ba130c	436	}
	437
	438	#else
aaae9cab	439	# define CBC_TESTX(PRE, pre, name, fname)
79ba130c	440	#endif
	441
	442	/----- That's all, folks -------------------------------------------------/
	443
	444	#ifdef __cplusplus
	445	}
	446	#endif
	447
	448	#endif