// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// OFB (Output Feedback) Mode.

package cipher

import (
	
	
	
)

type ofb struct {
	b       Block
	cipher  []byte
	out     []byte
	outUsed int
}

// NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b
// in output feedback mode. The initialization vector iv's length must be equal
// to b's block size.
//
// Deprecated: OFB mode is not authenticated, which generally enables active
// attacks to manipulate and recover the plaintext. It is recommended that
// applications use [AEAD] modes instead. The standard library implementation of
// OFB is also unoptimized and not validated as part of the FIPS 140-3 module.
// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
func ( Block,  []byte) Stream {
	if fips140only.Enabled {
		panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")
	}

	 := .BlockSize()
	if len() !=  {
		panic("cipher.NewOFB: IV length must equal block size")
	}
	 := streamBufferSize
	if  <  {
		 = 
	}
	 := &ofb{
		b:       ,
		cipher:  make([]byte, ),
		out:     make([]byte, 0, ),
		outUsed: 0,
	}

	copy(.cipher, )
	return 
}

func ( *ofb) () {
	 := .b.BlockSize()
	 := len(.out) - .outUsed
	if  > .outUsed {
		return
	}
	copy(.out, .out[.outUsed:])
	.out = .out[:cap(.out)]
	for  < len(.out)- {
		.b.Encrypt(.cipher, .cipher)
		copy(.out[:], .cipher)
		 += 
	}
	.out = .out[:]
	.outUsed = 0
}

func ( *ofb) (,  []byte) {
	if len() < len() {
		panic("crypto/cipher: output smaller than input")
	}
	if alias.InexactOverlap([:len()], ) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	for len() > 0 {
		if .outUsed >= len(.out)-.b.BlockSize() {
			.refill()
		}
		 := subtle.XORBytes(, , .out[.outUsed:])
		 = [:]
		 = [:]
		.outUsed += 
	}
}