// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Counter (CTR) mode.

// CTR converts a block cipher into a stream cipher by
// repeatedly encrypting an incrementing counter and
// xoring the resulting stream of data with the input.

// See NIST SP 800-38A, pp 13-15

package cipher

import (
	
	
	
)

type ctr struct {
	b       Block
	ctr     []byte
	out     []byte
	outUsed int
}

const streamBufferSize = 512

// ctrAble is an interface implemented by ciphers that have a specific optimized
// implementation of CTR, like crypto/aes. NewCTR will check for this interface
// and return the specific Stream if found.
type ctrAble interface {
	NewCTR(iv []byte) Stream
}

// NewCTR returns a [Stream] which encrypts/decrypts using the given [Block] in
// counter mode. The length of iv must be the same as the [Block]'s block size.
func ( Block,  []byte) Stream {
	if ,  := .(ctrAble);  {
		return .NewCTR()
	}
	if len() != .BlockSize() {
		panic("cipher.NewCTR: IV length must equal block size")
	}
	 := streamBufferSize
	if  < .BlockSize() {
		 = .BlockSize()
	}
	return &ctr{
		b:       ,
		ctr:     bytes.Clone(),
		out:     make([]byte, 0, ),
		outUsed: 0,
	}
}

func ( *ctr) () {
	 := len(.out) - .outUsed
	copy(.out, .out[.outUsed:])
	.out = .out[:cap(.out)]
	 := .b.BlockSize()
	for  <= len(.out)- {
		.b.Encrypt(.out[:], .ctr)
		 += 

		// Increment counter
		for  := len(.ctr) - 1;  >= 0; -- {
			.ctr[]++
			if .ctr[] != 0 {
				break
			}
		}
	}
	.out = .out[:]
	.outUsed = 0
}

func ( *ctr) (,  []byte) {
	if len() < len() {
		panic("crypto/cipher: output smaller than input")
	}
	if alias.InexactOverlap([:len()], ) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	for len() > 0 {
		if .outUsed >= len(.out)-.b.BlockSize() {
			.refill()
		}
		 := subtle.XORBytes(, , .out[.outUsed:])
		 = [:]
		 = [:]
		.outUsed += 
	}
}