From 03e259664f778ca55fe348afb5e6a43459ffbcce Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@golang.org>
Date: Mon, 27 Dec 2010 12:55:49 -0500
Subject: [PATCH] crypto/cipher: fix OCFB

I messed up when reading the OCFB spec.

TBR=rsc

R=rsc
CC=golang-dev
https://golang.org/cl/3739042
---
 src/pkg/crypto/cipher/ocfb.go | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/pkg/crypto/cipher/ocfb.go b/src/pkg/crypto/cipher/ocfb.go
index 08565dc5f8..43cb5a5310 100644
--- a/src/pkg/crypto/cipher/ocfb.go
+++ b/src/pkg/crypto/cipher/ocfb.go
@@ -6,7 +6,7 @@
 
 package cipher
 
-type ocfb struct {
+type ocfbEncrypter struct {
 	b       Block
 	fre     []byte
 	outUsed int
@@ -22,7 +22,7 @@ func NewOCFBEncrypter(block Block, randData []byte) (Stream, []byte) {
 		return nil, nil
 	}
 
-	x := &ocfb{
+	x := &ocfbEncrypter{
 		b:       block,
 		fre:     make([]byte, blockSize),
 		outUsed: 0,
@@ -42,6 +42,25 @@ func NewOCFBEncrypter(block Block, randData []byte) (Stream, []byte) {
 	return x, prefix
 }
 
+func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) {
+	for i := 0; i < len(src); i++ {
+		if x.outUsed == len(x.fre) {
+			x.b.Encrypt(x.fre, x.fre)
+			x.outUsed = 0
+		}
+
+		x.fre[x.outUsed] ^= src[i]
+		dst[i] = x.fre[x.outUsed]
+		x.outUsed++
+	}
+}
+
+type ocfbDecrypter struct {
+	b       Block
+	fre     []byte
+	outUsed int
+}
+
 // NewOCFBDecrypter returns a Stream which decrypts data with OpenPGP's cipher
 // feedback mode using the given Block. Prefix must be the first blockSize + 2
 // bytes of the ciphertext, where blockSize is the Block's block size. If an
@@ -52,7 +71,7 @@ func NewOCFBDecrypter(block Block, prefix []byte) Stream {
 		return nil
 	}
 
-	x := &ocfb{
+	x := &ocfbDecrypter{
 		b:       block,
 		fre:     make([]byte, blockSize),
 		outUsed: 0,
@@ -78,14 +97,16 @@ func NewOCFBDecrypter(block Block, prefix []byte) Stream {
 	return x
 }
 
-func (x *ocfb) XORKeyStream(dst, src []byte) {
+func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) {
 	for i := 0; i < len(src); i++ {
 		if x.outUsed == len(x.fre) {
 			x.b.Encrypt(x.fre, x.fre)
 			x.outUsed = 0
 		}
 
+		c := src[i]
 		dst[i] = x.fre[x.outUsed] ^ src[i]
+		x.fre[x.outUsed] = c
 		x.outUsed++
 	}
 }
-- 
2.50.0