#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#include "cipher.h"
#include "lilliput-ae.h"


/* Most-significant nibbles for tweak values */
#define TWEAK_AD                 0x2
#define TWEAK_AD_PADDING         0x6
#define TWEAK_MESSAGE            0x0
#define TWEAK_MESSAGE_NO_PADDING 0x1
#define TWEAK_MESSAGE_PADDING    0x5


static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
                          const uint8_t tweak[TWEAK_BYTES],
                          const uint8_t message[BLOCK_BYTES],
                          uint8_t ciphertext[BLOCK_BYTES])
{
    lilliput_tbc_encrypt(key, tweak, message, ciphertext, NULL);
}

static void _xor_into(uint8_t dest[BLOCK_BYTES], uint8_t src[BLOCK_BYTES])
{
    for (size_t i=0; i<BLOCK_BYTES; i++)
        dest[i] ^= src[i];
}

static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTES])
{
    /* Assume that len<BLOCK_BYTES. */
    memcpy(padded, buf, len);
    padded[len] = 0x80;

    if (len+1 < BLOCK_BYTES)
    {
        memset(padded+len+1, 0, BLOCK_BYTES-len-1);
    }
}

static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
{
    /* The 128-bit tweak is filled as follows:
     *
     * - bits 127-124: constant 4-bit prefix
     * - bits 123-0:   block number
     *     - bits 123-64: 0-padding
     *     - bits 63-0:   actual 64-bit block number
     */

    for (size_t i=0; i<sizeof(block_nb); i++)
    {
        uint64_t mask = (uint64_t)0xff << 8*i;
        uint8_t b = (mask & block_nb) >> 8*i;

        tweak[0] = b;
    }

    /* Assume bytes 8 to 15 have already been memset to 0. */

    tweak[TWEAK_BYTES-1] ^= prefix << 4;
}

static void _process_associated_data(
    const uint8_t key[KEY_BYTES],
    size_t A_len, const uint8_t A[A_len],
    uint8_t Auth[BLOCK_BYTES]
)
{
    uint8_t Ek_Ai[BLOCK_BYTES];
    uint8_t tweak[TWEAK_BYTES];

    memset(tweak, 0, TWEAK_BYTES);
    memset(Auth, 0, BLOCK_BYTES);

    size_t l_a = A_len / BLOCK_BYTES;
    size_t rest = A_len % BLOCK_BYTES;

    for (size_t i=0; i<l_a; i++)
    {
        _fill_ad_tweak(TWEAK_AD, i, tweak);
        _lilliput_tbc(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
        _xor_into(Auth, Ek_Ai);
    }

    if (rest != 0)
    {
        uint8_t A_rest[BLOCK_BYTES];
        _pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
        _fill_ad_tweak(TWEAK_AD_PADDING, l_a, tweak);
        _lilliput_tbc(key, tweak, A_rest, Ek_Ai);
        _xor_into(Auth, Ek_Ai);
    }
}

static void _encrypt_message(
    const uint8_t key[KEY_BYTES],
    size_t message_len, const uint8_t message[message_len],
    const uint8_t nonce[NONCE_BYTES],

    size_t *ciphertext_len, uint8_t ciphertext[message_len+BLOCK_BYTES],
    uint8_t final[BLOCK_BYTES]
)
{
}

static void _decrypt_message(
    const uint8_t key[KEY_BYTES],
    size_t ciphertext_len, const uint8_t ciphertext[ciphertext_len],
    const uint8_t nonce[NONCE_BYTES],

    size_t *message_len, uint8_t message[ciphertext_len],
    uint8_t final[BLOCK_BYTES]
)
{
}

static void _generate_tag(
    const uint8_t final[BLOCK_BYTES],
    const uint8_t auth[BLOCK_BYTES],
    uint8_t tag[TAG_BYTES]
)
{
}


void lilliput_ae_encrypt(
    size_t message_len,    const uint8_t message[message_len],
    size_t  auth_data_len, const uint8_t auth_data[auth_data_len],
    const uint8_t key[KEY_BYTES],
    const uint8_t nonce[NONCE_BYTES],

    size_t *ciphertext_len, uint8_t ciphertext[message_len+BLOCK_BYTES],
    uint8_t tag[TAG_BYTES]
)
{
    uint8_t auth[BLOCK_BYTES];
    _process_associated_data(key, auth_data_len, auth_data, auth);

    uint8_t final[BLOCK_BYTES];
    _encrypt_message(key, message_len, message, nonce,
                     ciphertext_len, ciphertext, final);

    _generate_tag(final, auth, tag);
}

bool lilliput_ae_decrypt(
    size_t ciphertext_len, const uint8_t ciphertext[ciphertext_len],
    size_t auth_data_len,  const uint8_t auth_data[auth_data_len],
    const uint8_t key[KEY_BYTES],
    const uint8_t nonce[NONCE_BYTES],
    const uint8_t tag[TAG_BYTES],

    size_t *message_len, uint8_t message[ciphertext_len]
)
{
    uint8_t auth[BLOCK_BYTES];
    _process_associated_data(key, auth_data_len, auth_data, auth);

    uint8_t final[BLOCK_BYTES];
    _decrypt_message(key, ciphertext_len, ciphertext, nonce,
                     message_len, message, final);

    uint8_t effective_tag[TAG_BYTES];
    _generate_tag(final, auth, effective_tag);

    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
}