// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Electronic codebook (ECB) mode.
// ECB is a fancy name for ``encrypt and decrypt each block separately.''
// It's a pretty bad thing to do for any large amount of data (more than one block),
// because the individual blocks can still be identified, duplicated, and reordered.
// The ECB implementation exists mainly to provide buffering for
// the other modes, which wrap it by providing modified Ciphers.

// See NIST SP 800-38A, pp 9-10

package block

import (
	"io"
	"os"
	"strconv"
)

type ecbDecrypter struct {
	c         Cipher
	r         io.Reader
	blockSize int // block size

	// Buffered data.
	// The buffer buf is used as storage for both
	// plain or crypt; at least one of those is nil at any given time.
	buf   []byte
	plain []byte // plain text waiting to be read
	crypt []byte // ciphertext waiting to be decrypted
}

// Read into x.crypt until it has a full block or EOF or an error happens.
func (x *ecbDecrypter) fillCrypt() os.Error {
	var err os.Error
	for len(x.crypt) < x.blockSize {
		off := len(x.crypt)
		var m int
		m, err = x.r.Read(x.crypt[off:x.blockSize])
		x.crypt = x.crypt[0 : off+m]
		if m == 0 {
			break
		}

		// If an error happened but we got enough
		// data to do some decryption, we can decrypt
		// first and report the error (with some data) later.
		// But if we don't have enough to decrypt,
		// have to stop now.
		if err != nil && len(x.crypt) < x.blockSize {
			break
		}
	}
	return err
}

// Read from plain text buffer into p.
func (x *ecbDecrypter) readPlain(p []byte) int {
	n := len(x.plain)
	if n > len(p) {
		n = len(p)
	}
	for i := 0; i < n; i++ {
		p[i] = x.plain[i]
	}
	if n < len(x.plain) {
		x.plain = x.plain[n:]
	} else {
		x.plain = nil
	}
	return n
}

type ecbFragmentError int

func (n ecbFragmentError) String() string {
	return "crypto/block: " + strconv.Itoa(int(n)) + "-byte fragment at EOF"
}

func (x *ecbDecrypter) Read(p []byte) (n int, err os.Error) {
	if len(p) == 0 {
		return
	}

	// If there's no plaintext waiting and p is not big enough
	// to hold a whole cipher block, we'll have to work in the
	// cipher text buffer.  Set it to non-nil so that the
	// code below will fill it.
	if x.plain == nil && len(p) < x.blockSize && x.crypt == nil {
		x.crypt = x.buf[0:0]
	}

	// If there is a leftover cipher text buffer,
	// try to accumulate a full block.
	if x.crypt != nil {
		err = x.fillCrypt()
		if err != nil || len(x.crypt) == 0 {
			return
		}
		x.c.Decrypt(x.crypt, x.crypt)
		x.plain = x.crypt
		x.crypt = nil
	}

	// If there is a leftover plain text buffer, read from it.
	if x.plain != nil {
		n = x.readPlain(p)
		return
	}

	// Read and decrypt directly in caller's buffer.
	n, err = io.ReadAtLeast(x.r, p, x.blockSize)
	if err == os.EOF && n > 0 {
		// EOF is only okay on block boundary
		err = os.ErrorString("block fragment at EOF during decryption")
		return
	}
	var i int
	for i = 0; i+x.blockSize <= n; i += x.blockSize {
		a := p[i : i+x.blockSize]
		x.c.Decrypt(a, a)
	}

	// There might be an encrypted fringe remaining.
	// Save it for next time.
	if i < n {
		p = p[i:n]
		for j, v := range p {
			x.buf[j] = v
		}
		x.crypt = x.buf[0:len(p)]
		n = i
	}

	return
}

// NewECBDecrypter returns a reader that reads data from r and decrypts it using c.
// It decrypts by calling c.Decrypt on each block in sequence;
// this mode is known as electronic codebook mode, or ECB.
// The returned Reader does not buffer or read ahead except
// as required by the cipher's block size.
func NewECBDecrypter(c Cipher, r io.Reader) io.Reader {
	x := new(ecbDecrypter)
	x.c = c
	x.r = r
	x.blockSize = c.BlockSize()
	x.buf = make([]byte, x.blockSize)
	return x
}

type ecbEncrypter struct {
	c         Cipher
	w         io.Writer
	blockSize int

	// Buffered data.
	// The buffer buf is used as storage for both
	// plain or crypt.  If both are non-nil, plain
	// follows crypt in buf.
	buf   []byte
	plain []byte // plain text waiting to be encrypted
	crypt []byte // encrypted text waiting to be written
}

// Flush the x.crypt buffer to x.w.
func (x *ecbEncrypter) flushCrypt() os.Error {
	if len(x.crypt) == 0 {
		return nil
	}
	n, err := x.w.Write(x.crypt)
	if n < len(x.crypt) {
		x.crypt = x.crypt[n:]
		if err == nil {
			err = io.ErrShortWrite
		}
	}
	if err != nil {
		return err
	}
	x.crypt = nil
	return nil
}

// Slide x.plain down to the beginning of x.buf.
// Plain is known to have less than one block of data,
// so this is cheap enough.
func (x *ecbEncrypter) slidePlain() {
	if len(x.plain) == 0 {
		x.plain = x.buf[0:0]
	} else if cap(x.plain) < cap(x.buf) {
		// plain and buf share same data,
		// but buf is before plain, so forward loop is correct
		for i := 0; i < len(x.plain); i++ {
			x.buf[i] = x.plain[i]
		}
		x.plain = x.buf[0:len(x.plain)]
	}
}

// Fill x.plain from the data in p.
// Return the number of bytes copied.
func (x *ecbEncrypter) fillPlain(p []byte) int {
	off := len(x.plain)
	n := len(p)
	if max := cap(x.plain) - off; n > max {
		n = max
	}
	x.plain = x.plain[0 : off+n]
	for i := 0; i < n; i++ {
		x.plain[off+i] = p[i]
	}
	return n
}

// Encrypt x.plain; record encrypted range as x.crypt.
func (x *ecbEncrypter) encrypt() {
	var i int
	n := len(x.plain)
	for i = 0; i+x.blockSize <= n; i += x.blockSize {
		a := x.plain[i : i+x.blockSize]
		x.c.Encrypt(a, a)
	}
	x.crypt = x.plain[0:i]
	x.plain = x.plain[i:n]
}

func (x *ecbEncrypter) Write(p []byte) (n int, err os.Error) {
	for {
		// If there is data waiting to be written, write it.
		// This can happen on the first iteration
		// if a write failed in an earlier call.
		if err = x.flushCrypt(); err != nil {
			return
		}

		// Now that encrypted data is gone (flush ran),
		// perhaps we need to slide the plaintext down.
		x.slidePlain()

		// Fill plaintext buffer from p.
		m := x.fillPlain(p)
		if m == 0 {
			break
		}
		n += m
		p = p[m:]

		// Encrypt, adjusting crypt and plain.
		x.encrypt()

		// Write x.crypt.
		if err = x.flushCrypt(); err != nil {
			break
		}
	}
	return
}

// NewECBEncrypter returns a writer that encrypts data using c and writes it to w.
// It encrypts by calling c.Encrypt on each block in sequence;
// this mode is known as electronic codebook mode, or ECB.
// The returned Writer does no buffering except as required
// by the cipher's block size, so there is no need for a Flush method.
func NewECBEncrypter(c Cipher, w io.Writer) io.Writer {
	x := new(ecbEncrypter)
	x.c = c
	x.w = w
	x.blockSize = c.BlockSize()

	// Create a buffer that is an integral number of blocks.
	x.buf = make([]byte, 8192/x.blockSize*x.blockSize)
	return x
}