Separate the DES encrypt and decrypt operations into separate functions,

since they have almost no code in common.

* f_cbc.c (krb5int_des_cbc_encrypt, krb5int_des_cbc_decrypt): New functions
broken out from mit_des_cbc_encrypt.
(mit_des_cbc_encrypt): Call them.
* d3_cbc.c (krb5int_des3_cbc_encrypt, krb5int_des3_cbc_decrypt):  New functions
broken out from mit_des3_cbc_encrypt.
(mit_des3_cbc_encrypt): Call them.
* des_int.h (krb5int_des_cbc_encrypt, krb5int_des_cbc_decrypt,
krb5int_des3_cbc_encrypt, krb5int_des3_cbc_decrypt): Declare.
(mit_des_cbc_encrypt, mit_des3_cbc_encrypt): New macros.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15692 dc483132-0cff-0310-8789-dd5450dbe970

4 files changed, 361 insertions, 254 deletions

diff --git a/src/lib/crypto/des/ChangeLog b/src/lib/crypto/des/ChangeLog
index 18bdd7d24a..4a4cc7ec62 100644
--- a/src/lib/crypto/des/ChangeLog
+++ b/src/lib/crypto/des/ChangeLog
@@ -1,5 +1,15 @@
 2003-07-17  Ken Raeburn  <raeburn@mit.edu>
 
+	* f_cbc.c (krb5int_des_cbc_encrypt, krb5int_des_cbc_decrypt): New
+	functions broken out from mit_des_cbc_encrypt.
+	(mit_des_cbc_encrypt): Call them.
+	* d3_cbc.c (krb5int_des3_cbc_encrypt, krb5int_des3_cbc_decrypt):
+	New functions broken out from mit_des3_cbc_encrypt.
+	(mit_des3_cbc_encrypt): Call them.
+	* des_int.h (krb5int_des_cbc_encrypt, krb5int_des_cbc_decrypt,
+	krb5int_des3_cbc_encrypt, krb5int_des3_cbc_decrypt): Declare.
+	(mit_des_cbc_encrypt, mit_des3_cbc_encrypt): New macros.
+
 	* Makefile.in (LIBNAME) [##WIN16##]: Don't define.
 
 2003-03-06  Alexandra Ellwood  <lxs@mit.edu>
diff --git a/src/lib/crypto/des/d3_cbc.c b/src/lib/crypto/des/d3_cbc.c
index 22192cec85..450b013e11 100644
--- a/src/lib/crypto/des/d3_cbc.c
+++ b/src/lib/crypto/des/d3_cbc.c
@@ -27,6 +27,7 @@
  * Triple-DES CBC encryption mode.
  */
 
+#undef mit_des3_cbc_encrypt
 int
 mit_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec, enc)
 	const mit_des_cblock *in;
@@ -36,6 +37,22 @@ mit_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec, enc)
 	const mit_des_cblock ivec;
 	int enc;
 {
+    if (enc)
+	krb5int_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec);
+    else
+	krb5int_des3_cbc_decrypt(in, out, length, ks1, ks2, ks3, ivec);
+    return 0;
+}
+
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec)
+{
     register unsigned DES_INT32 left, right;
     register unsigned DES_INT32 temp;
     const unsigned DES_INT32 *kp1, *kp2, *kp3;
@@ -50,151 +67,164 @@ mit_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec, enc)
     kp3 = (const unsigned DES_INT32 *)ks3;
 
     /*
-     * Deal with encryption and decryption separately.
+     * Initialize left and right with the contents of the initial
+     * vector.
      */
-    if (enc) {
-	/*
-	 * Initialize left and right with the contents of the initial
-	 * vector.
-	 */
-	ip = ivec;
-	GET_HALF_BLOCK(left, ip);
-	GET_HALF_BLOCK(right, ip);
+    ip = ivec;
+    GET_HALF_BLOCK(left, ip);
+    GET_HALF_BLOCK(right, ip);
 
+    /*
+     * Suitably initialized, now work the length down 8 bytes
+     * at a time.
+     */
+    ip = *in;
+    op = *out;
+    while (length > 0) {
 	/*
-	 * Suitably initialized, now work the length down 8 bytes
-	 * at a time.
+	 * Get more input, xor it in.  If the length is
+	 * greater than or equal to 8 this is straight
+	 * forward.  Otherwise we have to fart around.
 	 */
-	ip = *in;
-	op = *out;
-	while (length > 0) {
+	if (length >= 8) {
+	    left  ^= ((*ip++) & FF_UINT32) << 24;
+	    left  ^= ((*ip++) & FF_UINT32) << 16;
+	    left  ^= ((*ip++) & FF_UINT32) <<  8;
+	    left  ^=  (*ip++) & FF_UINT32;
+	    right ^= ((*ip++) & FF_UINT32) << 24;
+	    right ^= ((*ip++) & FF_UINT32) << 16;
+	    right ^= ((*ip++) & FF_UINT32) <<  8;
+	    right ^=  (*ip++) & FF_UINT32;
+	    length -= 8;
+	} else {
 	    /*
-	     * Get more input, xor it in.  If the length is
-	     * greater than or equal to 8 this is straight
-	     * forward.  Otherwise we have to fart around.
+	     * Oh, shoot.  We need to pad the
+	     * end with zeroes.  Work backwards
+	     * to do this.
 	     */
-	    if (length >= 8) {
-		left  ^= ((*ip++) & FF_UINT32) << 24;
-		left  ^= ((*ip++) & FF_UINT32) << 16;
-		left  ^= ((*ip++) & FF_UINT32) <<  8;
-		left  ^=  (*ip++) & FF_UINT32;
-		right ^= ((*ip++) & FF_UINT32) << 24;
-		right ^= ((*ip++) & FF_UINT32) << 16;
-		right ^= ((*ip++) & FF_UINT32) <<  8;
-		right ^=  (*ip++) & FF_UINT32;
-		length -= 8;
-	    } else {
-		/*
-		 * Oh, shoot.  We need to pad the
-		 * end with zeroes.  Work backwards
-		 * to do this.
-		 */
-		ip += (int) length;
-		switch(length) {
-		case 7:	right ^= (*(--ip) & FF_UINT32) <<  8;
-		case 6:	right ^= (*(--ip) & FF_UINT32) << 16;
-		case 5:	right ^= (*(--ip) & FF_UINT32) << 24;
-		case 4:	left  ^=  *(--ip) & FF_UINT32;
-		case 3:	left  ^= (*(--ip) & FF_UINT32) <<  8;
-		case 2:	left  ^= (*(--ip) & FF_UINT32) << 16;
-		case 1:	left  ^= (*(--ip) & FF_UINT32) << 24;
-
-		}
-		length = 0;
+	    ip += (int) length;
+	    switch(length) {
+	    case 7:	right ^= (*(--ip) & FF_UINT32) <<  8;
+	    case 6:	right ^= (*(--ip) & FF_UINT32) << 16;
+	    case 5:	right ^= (*(--ip) & FF_UINT32) << 24;
+	    case 4:	left  ^=  *(--ip) & FF_UINT32;
+	    case 3:	left  ^= (*(--ip) & FF_UINT32) <<  8;
+	    case 2:	left  ^= (*(--ip) & FF_UINT32) << 16;
+	    case 1:	left  ^= (*(--ip) & FF_UINT32) << 24;
+
 	    }
+	    length = 0;
+	}
 
-	    /*
-	     * Encrypt what we have
-	     */
-	    DES_DO_ENCRYPT(left, right, temp, kp1);
-	    DES_DO_DECRYPT(left, right, temp, kp2);
-	    DES_DO_ENCRYPT(left, right, temp, kp3);
+	/*
+	 * Encrypt what we have
+	 */
+	DES_DO_ENCRYPT(left, right, temp, kp1);
+	DES_DO_DECRYPT(left, right, temp, kp2);
+	DES_DO_ENCRYPT(left, right, temp, kp3);
 
-	    /*
-	     * Copy the results out
-	     */
-	    PUT_HALF_BLOCK(left, op);
-	    PUT_HALF_BLOCK(right, op);
-	}
-    } else {
 	/*
-	 * Decrypting is harder than encrypting because of
-	 * the necessity of remembering a lot more things.
-	 * Should think about this a little more...
+	 * Copy the results out
 	 */
-	unsigned DES_INT32 ocipherl, ocipherr;
-	unsigned DES_INT32 cipherl, cipherr;
+	PUT_HALF_BLOCK(left, op);
+	PUT_HALF_BLOCK(right, op);
+    }
+}
+
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec)
+{
+    register unsigned DES_INT32 left, right;
+    register unsigned DES_INT32 temp;
+    const unsigned DES_INT32 *kp1, *kp2, *kp3;
+    const unsigned char *ip;
+    unsigned char *op;
 
-	if (length <= 0)
-	    return 0;
+    /*
+     * Get key pointer here.  This won't need to be reinitialized
+     */
+    kp1 = (const unsigned DES_INT32 *)ks1;
+    kp2 = (const unsigned DES_INT32 *)ks2;
+    kp3 = (const unsigned DES_INT32 *)ks3;
 
+    /*
+     * Decrypting is harder than encrypting because of
+     * the necessity of remembering a lot more things.
+     * Should think about this a little more...
+     */
+    unsigned DES_INT32 ocipherl, ocipherr;
+    unsigned DES_INT32 cipherl, cipherr;
+
+    if (length <= 0)
+	return;
+
+    /*
+     * Prime the old cipher with ivec.
+     */
+    ip = ivec;
+    GET_HALF_BLOCK(ocipherl, ip);
+    GET_HALF_BLOCK(ocipherr, ip);
+
+    /*
+     * Now do this in earnest until we run out of length.
+     */
+    ip = *in;
+    op = *out;
+    for (;;) {		/* check done inside loop */
 	/*
-	 * Prime the old cipher with ivec.
+	 * Read a block from the input into left and
+	 * right.  Save this cipher block for later.
 	 */
-	ip = ivec;
-	GET_HALF_BLOCK(ocipherl, ip);
-	GET_HALF_BLOCK(ocipherr, ip);
+	GET_HALF_BLOCK(left, ip);
+	GET_HALF_BLOCK(right, ip);
+	cipherl = left;
+	cipherr = right;
 
 	/*
-	 * Now do this in earnest until we run out of length.
+	 * Decrypt this.
 	 */
-	ip = *in;
-	op = *out;
-	for (;;) {		/* check done inside loop */
-	    /*
-	     * Read a block from the input into left and
-	     * right.  Save this cipher block for later.
-	     */
-	    GET_HALF_BLOCK(left, ip);
-	    GET_HALF_BLOCK(right, ip);
-	    cipherl = left;
-	    cipherr = right;
+	DES_DO_DECRYPT(left, right, temp, kp3);
+	DES_DO_ENCRYPT(left, right, temp, kp2);
+	DES_DO_DECRYPT(left, right, temp, kp1);
 
+	/*
+	 * Xor with the old cipher to get plain
+	 * text.  Output 8 or less bytes of this.
+	 */
+	left ^= ocipherl;
+	right ^= ocipherr;
+	if (length > 8) {
+	    length -= 8;
+	    PUT_HALF_BLOCK(left, op);
+	    PUT_HALF_BLOCK(right, op);
 	    /*
-	     * Decrypt this.
+	     * Save current cipher block here
 	     */
-	    DES_DO_DECRYPT(left, right, temp, kp3);
-	    DES_DO_ENCRYPT(left, right, temp, kp2);
-	    DES_DO_DECRYPT(left, right, temp, kp1);
-
+	    ocipherl = cipherl;
+	    ocipherr = cipherr;
+	} else {
 	    /*
-	     * Xor with the old cipher to get plain
-	     * text.  Output 8 or less bytes of this.
+	     * Trouble here.  Start at end of output,
+	     * work backwards.
 	     */
-	    left ^= ocipherl;
-	    right ^= ocipherr;
-	    if (length > 8) {
-		length -= 8;
-		PUT_HALF_BLOCK(left, op);
-		PUT_HALF_BLOCK(right, op);
-		/*
-		 * Save current cipher block here
-		 */
-		ocipherl = cipherl;
-		ocipherr = cipherr;
-	    } else {
-		/*
-		 * Trouble here.  Start at end of output,
-		 * work backwards.
-		 */
-		op += (int) length;
-		switch(length) {
-		case 8: *(--op) = (unsigned char) (right & 0xff);
-		case 7: *(--op) = (unsigned char) ((right >> 8) & 0xff);
-		case 6: *(--op) = (unsigned char) ((right >> 16) & 0xff);
-		case 5: *(--op) = (unsigned char) ((right >> 24) & 0xff);
-		case 4: *(--op) = (unsigned char) (left & 0xff);
-		case 3: *(--op) = (unsigned char) ((left >> 8) & 0xff);
-		case 2: *(--op) = (unsigned char) ((left >> 16) & 0xff);
-		case 1: *(--op) = (unsigned char) ((left >> 24) & 0xff);
-		}
-		break;		/* we're done */
+	    op += (int) length;
+	    switch(length) {
+	    case 8: *(--op) = (unsigned char) (right & 0xff);
+	    case 7: *(--op) = (unsigned char) ((right >> 8) & 0xff);
+	    case 6: *(--op) = (unsigned char) ((right >> 16) & 0xff);
+	    case 5: *(--op) = (unsigned char) ((right >> 24) & 0xff);
+	    case 4: *(--op) = (unsigned char) (left & 0xff);
+	    case 3: *(--op) = (unsigned char) ((left >> 8) & 0xff);
+	    case 2: *(--op) = (unsigned char) ((left >> 16) & 0xff);
+	    case 1: *(--op) = (unsigned char) ((left >> 24) & 0xff);
 	    }
+	    break;		/* we're done */
 	}
     }
-
-    /*
-     * Done, return nothing.
-     */
-    return 0;
 }
diff --git a/src/lib/crypto/des/des_int.h b/src/lib/crypto/des/des_int.h
index 266db7b374..55f0c241f3 100644
--- a/src/lib/crypto/des/des_int.h
+++ b/src/lib/crypto/des/des_int.h
@@ -220,6 +220,46 @@ extern int mit_des3_cbc_encrypt
 	 const mit_des_cblock ivec,
 	 int enc);
 
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec);
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec);
+
+
+#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
+    ((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
+     (in, out, length, ks1, ks2, ks3, ivec), 0)
+
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec);
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec);
+
+#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \
+    ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \
+     (in, out, length, schedule, ivec), 0)
+
+
 /* d3_procky.c */
 extern krb5_error_code mit_des3_process_key
 	(krb5_encrypt_block * eblock,
diff --git a/src/lib/crypto/des/f_cbc.c b/src/lib/crypto/des/f_cbc.c
index 87f64f4dbd..bb17871a23 100644
--- a/src/lib/crypto/des/f_cbc.c
+++ b/src/lib/crypto/des/f_cbc.c
@@ -36,6 +36,7 @@
  * cleartext.
  */
 
+#undef mit_des_cbc_encrypt
 int
 mit_des_cbc_encrypt(in, out, length, schedule, ivec, enc)
 	const mit_des_cblock *in;
@@ -45,6 +46,23 @@ mit_des_cbc_encrypt(in, out, length, schedule, ivec, enc)
 	const mit_des_cblock ivec;
 	int enc;
 {
+    /*
+     * Deal with encryption and decryption separately.
+     */
+    if (enc)
+	krb5int_des_cbc_encrypt(in, out, length, schedule, ivec);
+    else
+	krb5int_des_cbc_decrypt(in, out, length, schedule, ivec);
+    return 0;
+}
+
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec)
+{
 	register unsigned DES_INT32 left, right;
 	register unsigned DES_INT32 temp;
 	const unsigned DES_INT32 *kp;
@@ -57,163 +75,172 @@ mit_des_cbc_encrypt(in, out, length, schedule, ivec, enc)
 	kp = (const unsigned DES_INT32 *)schedule;
 
 	/*
-	 * Deal with encryption and decryption separately.
+	 * Initialize left and right with the contents of the initial
+	 * vector.
 	 */
-	if (enc) {
-		/*
-		 * Initialize left and right with the contents of the initial
-		 * vector.
-		 */
-		ip = ivec;
-		GET_HALF_BLOCK(left, ip);
-		GET_HALF_BLOCK(right, ip);
+	ip = ivec;
+	GET_HALF_BLOCK(left, ip);
+	GET_HALF_BLOCK(right, ip);
 
+	/*
+	 * Suitably initialized, now work the length down 8 bytes
+	 * at a time.
+	 */
+	ip = *in;
+	op = *out;
+	while (length > 0) {
 		/*
-		 * Suitably initialized, now work the length down 8 bytes
-		 * at a time.
+		 * Get more input, xor it in.  If the length is
+		 * greater than or equal to 8 this is straight
+		 * forward.  Otherwise we have to fart around.
 		 */
-		ip = *in;
-		op = *out;
-		while (length > 0) {
+		if (length >= 8) {
+			left  ^= ((*ip++) & FF_UINT32) << 24;
+			left  ^= ((*ip++) & FF_UINT32) << 16;
+			left  ^= ((*ip++) & FF_UINT32) <<  8;
+			left  ^=  (*ip++) & FF_UINT32;
+			right ^= ((*ip++) & FF_UINT32) << 24;
+			right ^= ((*ip++) & FF_UINT32) << 16;
+			right ^= ((*ip++) & FF_UINT32) <<  8;
+			right ^=  (*ip++) & FF_UINT32;
+			length -= 8;
+		} else {
 			/*
-			 * Get more input, xor it in.  If the length is
-			 * greater than or equal to 8 this is straight
-			 * forward.  Otherwise we have to fart around.
+			 * Oh, shoot.  We need to pad the
+			 * end with zeroes.  Work backwards
+			 * to do this.
 			 */
-			if (length >= 8) {
-				left  ^= ((*ip++) & FF_UINT32) << 24;
-				left  ^= ((*ip++) & FF_UINT32) << 16;
-				left  ^= ((*ip++) & FF_UINT32) <<  8;
-				left  ^=  (*ip++) & FF_UINT32;
-				right ^= ((*ip++) & FF_UINT32) << 24;
-				right ^= ((*ip++) & FF_UINT32) << 16;
-				right ^= ((*ip++) & FF_UINT32) <<  8;
-				right ^=  (*ip++) & FF_UINT32;
-				length -= 8;
-			} else {
-				/*
-				 * Oh, shoot.  We need to pad the
-				 * end with zeroes.  Work backwards
-				 * to do this.
-				 */
-				ip += (int) length;
-				switch(length) {
-				case 7:
-					right ^= (*(--ip) & FF_UINT32) <<  8;
-				case 6:
-					right ^= (*(--ip) & FF_UINT32) << 16;
-				case 5:
-					right ^= (*(--ip) & FF_UINT32) << 24;
-				case 4:
-					left  ^=  *(--ip) & FF_UINT32;
-				case 3:
-					left  ^= (*(--ip) & FF_UINT32) <<  8;
-				case 2:
-					left  ^= (*(--ip) & FF_UINT32) << 16;
-				case 1:
-					left  ^= (*(--ip) & FF_UINT32) << 24;
-					break;
-				}
-				length = 0;
+			ip += (int) length;
+			switch(length) {
+			case 7:
+				right ^= (*(--ip) & FF_UINT32) <<  8;
+			case 6:
+				right ^= (*(--ip) & FF_UINT32) << 16;
+			case 5:
+				right ^= (*(--ip) & FF_UINT32) << 24;
+			case 4:
+				left  ^=  *(--ip) & FF_UINT32;
+			case 3:
+				left  ^= (*(--ip) & FF_UINT32) <<  8;
+			case 2:
+				left  ^= (*(--ip) & FF_UINT32) << 16;
+			case 1:
+				left  ^= (*(--ip) & FF_UINT32) << 24;
+				break;
 			}
+			length = 0;
+		}
 
-			/*
-			 * Encrypt what we have
-			 */
-			DES_DO_ENCRYPT(left, right, temp, kp);
+		/*
+		 * Encrypt what we have
+		 */
+		DES_DO_ENCRYPT(left, right, temp, kp);
 
-			/*
-			 * Copy the results out
-			 */
-			PUT_HALF_BLOCK(left, op);
-			PUT_HALF_BLOCK(right, op);
-		}
-	} else {
 		/*
-		 * Decrypting is harder than encrypting because of
-		 * the necessity of remembering a lot more things.
-		 * Should think about this a little more...
+		 * Copy the results out
 		 */
-		unsigned DES_INT32 ocipherl, ocipherr;
-		unsigned DES_INT32 cipherl, cipherr;
+		PUT_HALF_BLOCK(left, op);
+		PUT_HALF_BLOCK(right, op);
+	}
+}
 
-		if (length <= 0)
-			return 0;
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec)
+{
+	register unsigned DES_INT32 left, right;
+	register unsigned DES_INT32 temp;
+	const unsigned DES_INT32 *kp;
+	const unsigned char *ip;
+	unsigned char *op;
 
+	/*
+	 * Get key pointer here.  This won't need to be reinitialized
+	 */
+	kp = (const unsigned DES_INT32 *)schedule;
+
+	/*
+	 * Decrypting is harder than encrypting because of
+	 * the necessity of remembering a lot more things.
+	 * Should think about this a little more...
+	 */
+	unsigned DES_INT32 ocipherl, ocipherr;
+	unsigned DES_INT32 cipherl, cipherr;
+
+	if (length <= 0)
+		return;
+
+	/*
+	 * Prime the old cipher with ivec.
+	 */
+	ip = ivec;
+	GET_HALF_BLOCK(ocipherl, ip);
+	GET_HALF_BLOCK(ocipherr, ip);
+
+	/*
+	 * Now do this in earnest until we run out of length.
+	 */
+	ip = *in;
+	op = *out;
+	for (;;) {		/* check done inside loop */
 		/*
-		 * Prime the old cipher with ivec.
+		 * Read a block from the input into left and
+		 * right.  Save this cipher block for later.
 		 */
-		ip = ivec;
-		GET_HALF_BLOCK(ocipherl, ip);
-		GET_HALF_BLOCK(ocipherr, ip);
+		GET_HALF_BLOCK(left, ip);
+		GET_HALF_BLOCK(right, ip);
+		cipherl = left;
+		cipherr = right;
 
 		/*
-		 * Now do this in earnest until we run out of length.
+		 * Decrypt this.
 		 */
-		ip = *in;
-		op = *out;
-		for (;;) {		/* check done inside loop */
-			/*
-			 * Read a block from the input into left and
-			 * right.  Save this cipher block for later.
-			 */
-			GET_HALF_BLOCK(left, ip);
-			GET_HALF_BLOCK(right, ip);
-			cipherl = left;
-			cipherr = right;
+		DES_DO_DECRYPT(left, right, temp, kp);
 
+		/*
+		 * Xor with the old cipher to get plain
+		 * text.  Output 8 or less bytes of this.
+		 */
+		left ^= ocipherl;
+		right ^= ocipherr;
+		if (length > 8) {
+			length -= 8;
+			PUT_HALF_BLOCK(left, op);
+			PUT_HALF_BLOCK(right, op);
 			/*
-			 * Decrypt this.
+			 * Save current cipher block here
 			 */
-			DES_DO_DECRYPT(left, right, temp, kp);
-
+			ocipherl = cipherl;
+			ocipherr = cipherr;
+		} else {
 			/*
-			 * Xor with the old cipher to get plain
-			 * text.  Output 8 or less bytes of this.
+			 * Trouble here.  Start at end of output,
+			 * work backwards.
 			 */
-			left ^= ocipherl;
-			right ^= ocipherr;
-			if (length > 8) {
-				length -= 8;
-				PUT_HALF_BLOCK(left, op);
-				PUT_HALF_BLOCK(right, op);
-				/*
-				 * Save current cipher block here
-				 */
-				ocipherl = cipherl;
-				ocipherr = cipherr;
-			} else {
-				/*
-				 * Trouble here.  Start at end of output,
-				 * work backwards.
-				 */
-				op += (int) length;
-				switch(length) {
-				case 8:
-					*(--op) = (unsigned char) (right & 0xff);
-				case 7:
-					*(--op) = (unsigned char) ((right >> 8) & 0xff);
-				case 6:
-					*(--op) = (unsigned char) ((right >> 16) & 0xff);
-				case 5:
-					*(--op) = (unsigned char) ((right >> 24) & 0xff);
-				case 4:
-					*(--op) = (unsigned char) (left & 0xff);
-				case 3:
-					*(--op) = (unsigned char) ((left >> 8) & 0xff);
-				case 2:
-					*(--op) = (unsigned char) ((left >> 16) & 0xff);
-				case 1:
-					*(--op) = (unsigned char) ((left >> 24) & 0xff);
-					break;
-				}
-				break;		/* we're done */
+			op += (int) length;
+			switch(length) {
+			case 8:
+				*(--op) = (unsigned char) (right & 0xff);
+			case 7:
+				*(--op) = (unsigned char) ((right >> 8) & 0xff);
+			case 6:
+				*(--op) = (unsigned char) ((right >> 16) & 0xff);
+			case 5:
+				*(--op) = (unsigned char) ((right >> 24) & 0xff);
+			case 4:
+				*(--op) = (unsigned char) (left & 0xff);
+			case 3:
+				*(--op) = (unsigned char) ((left >> 8) & 0xff);
+			case 2:
+				*(--op) = (unsigned char) ((left >> 16) & 0xff);
+			case 1:
+				*(--op) = (unsigned char) ((left >> 24) & 0xff);
+				break;
 			}
+			break;		/* we're done */
 		}
 	}
-
-	/*
-	 * Done, return nothing.
-	 */
-	return 0;
 }