#define hydro_secretbox_IVBYTES  20
#define hydro_secretbox_SIVBYTES 20
#define hydro_secretbox_MACBYTES 16

void
hydro_secretbox_keygen(uint8_t key[hydro_secretbox_KEYBYTES])
{
    hydro_random_buf(key, hydro_secretbox_KEYBYTES);
}

static void
hydro_secretbox_xor_enc(uint8_t buf[gimli_BLOCKBYTES], uint8_t *out, const uint8_t *in,
                        size_t inlen)
{
    size_t i;
    size_t leftover;

    for (i = 0; i < inlen / gimli_RATE; i++) {
        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, gimli_RATE);
        memcpy(buf, &out[i * gimli_RATE], gimli_RATE);
        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
    }
    leftover = inlen % gimli_RATE;
    if (leftover != 0) {
        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, leftover);
        mem_cpy(buf, &out[i * gimli_RATE], leftover);
    }
    gimli_pad_u8(buf, leftover, gimli_DOMAIN_AEAD);
    gimli_core_u8(buf, gimli_TAG_PAYLOAD);
}

static void
hydro_secretbox_xor_dec(uint8_t buf[gimli_BLOCKBYTES], uint8_t *out, const uint8_t *in,
                        size_t inlen)
{
    size_t i;
    size_t leftover;

    for (i = 0; i < inlen / gimli_RATE; i++) {
        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, gimli_RATE);
        memcpy(buf, &in[i * gimli_RATE], gimli_RATE);
        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
    }
    leftover = inlen % gimli_RATE;
    if (leftover != 0) {
        mem_xor2(&out[i * gimli_RATE], &in[i * gimli_RATE], buf, leftover);
        mem_cpy(buf, &in[i * gimli_RATE], leftover);
    }
    gimli_pad_u8(buf, leftover, gimli_DOMAIN_AEAD);
    gimli_core_u8(buf, gimli_TAG_PAYLOAD);
}

static void
hydro_secretbox_setup(uint8_t buf[gimli_BLOCKBYTES], uint64_t msg_id,
                      const char    ctx[hydro_secretbox_CONTEXTBYTES],
                      const uint8_t key[hydro_secretbox_KEYBYTES],
                      const uint8_t iv[hydro_secretbox_IVBYTES], uint8_t key_tag)
{
    static const uint8_t prefix[] = { 6, 's', 'b', 'x', '2', '5', '6', 8 };
    uint8_t              msg_id_le[8];

    mem_zero(buf, gimli_BLOCKBYTES);
    COMPILER_ASSERT(hydro_secretbox_CONTEXTBYTES == 8);
    COMPILER_ASSERT(sizeof prefix + hydro_secretbox_CONTEXTBYTES <= gimli_RATE);
    memcpy(buf, prefix, sizeof prefix);
    memcpy(buf + sizeof prefix, ctx, hydro_secretbox_CONTEXTBYTES);
    COMPILER_ASSERT(sizeof prefix + hydro_secretbox_CONTEXTBYTES == gimli_RATE);
    gimli_core_u8(buf, gimli_TAG_HEADER);

    COMPILER_ASSERT(hydro_secretbox_KEYBYTES == 2 * gimli_RATE);
    mem_xor(buf, key, gimli_RATE);
    gimli_core_u8(buf, key_tag);
    mem_xor(buf, key + gimli_RATE, gimli_RATE);
    gimli_core_u8(buf, key_tag);

    COMPILER_ASSERT(hydro_secretbox_IVBYTES < gimli_RATE * 2);
    buf[0] ^= hydro_secretbox_IVBYTES;
    mem_xor(&buf[1], iv, gimli_RATE - 1);
    gimli_core_u8(buf, gimli_TAG_HEADER);
    mem_xor(buf, iv + gimli_RATE - 1, hydro_secretbox_IVBYTES - (gimli_RATE - 1));
    STORE64_LE(msg_id_le, msg_id);
    COMPILER_ASSERT(hydro_secretbox_IVBYTES - gimli_RATE + 8 <= gimli_RATE);
    mem_xor(buf + hydro_secretbox_IVBYTES - gimli_RATE, msg_id_le, 8);
    gimli_core_u8(buf, gimli_TAG_HEADER);
}

static void
hydro_secretbox_final(uint8_t *buf, const uint8_t key[hydro_secretbox_KEYBYTES], uint8_t tag)
{
    COMPILER_ASSERT(hydro_secretbox_KEYBYTES == gimli_CAPACITY);
    mem_xor(buf + gimli_RATE, key, hydro_secretbox_KEYBYTES);
    gimli_core_u8(buf, tag);
    mem_xor(buf + gimli_RATE, key, hydro_secretbox_KEYBYTES);
    gimli_core_u8(buf, tag);
}

static int
hydro_secretbox_encrypt_iv(uint8_t *c, const void *m_, size_t mlen, uint64_t msg_id,
                           const char    ctx[hydro_secretbox_CONTEXTBYTES],
                           const uint8_t key[hydro_secretbox_KEYBYTES],
                           const uint8_t iv[hydro_secretbox_IVBYTES])
{
    _hydro_attr_aligned_(16) uint32_t state[gimli_BLOCKBYTES / 4];
    uint8_t                          *buf = (uint8_t *) (void *) state;
    const uint8_t                    *m   = (const uint8_t *) m_;
    uint8_t                          *siv = &c[0];
    uint8_t                          *mac = &c[hydro_secretbox_SIVBYTES];
    uint8_t                          *ct  = &c[hydro_secretbox_SIVBYTES + hydro_secretbox_MACBYTES];
    size_t                            i;
    size_t                            leftover;

    if (c == m) {
        memmove(c + hydro_secretbox_HEADERBYTES, m, mlen);
        m = c + hydro_secretbox_HEADERBYTES;
    }

    /* first pass: compute the SIV */

    hydro_secretbox_setup(buf, msg_id, ctx, key, iv, gimli_TAG_KEY0);
    for (i = 0; i < mlen / gimli_RATE; i++) {
        mem_xor(buf, &m[i * gimli_RATE], gimli_RATE);
        gimli_core_u8(buf, gimli_TAG_PAYLOAD);
    }
    leftover = mlen % gimli_RATE;
    if (leftover != 0) {
        mem_xor(buf, &m[i * gimli_RATE], leftover);
    }
    gimli_pad_u8(buf, leftover, gimli_DOMAIN_XOF);
    gimli_core_u8(buf, gimli_TAG_PAYLOAD);

    hydro_secretbox_final(buf, key, gimli_TAG_FINAL0);
    COMPILER_ASSERT(hydro_secretbox_SIVBYTES <= gimli_CAPACITY);
    memcpy(siv, buf + gimli_RATE, hydro_secretbox_SIVBYTES);

    /* second pass: encrypt the message, mix the key, squeeze an extra block for
     * the MAC */

    COMPILER_ASSERT(hydro_secretbox_SIVBYTES == hydro_secretbox_IVBYTES);
    hydro_secretbox_setup(buf, msg_id, ctx, key, siv, gimli_TAG_KEY);
    hydro_secretbox_xor_enc(buf, ct, m, mlen);

    hydro_secretbox_final(buf, key, gimli_TAG_FINAL);
    COMPILER_ASSERT(hydro_secretbox_MACBYTES <= gimli_CAPACITY);
    memcpy(mac, buf + gimli_RATE, hydro_secretbox_MACBYTES);

    return 0;
}

void
hydro_secretbox_probe_create(uint8_t probe[hydro_secretbox_PROBEBYTES], const uint8_t *c,
                             size_t c_len, const char ctx[hydro_secretbox_CONTEXTBYTES],
                             const uint8_t key[hydro_secretbox_KEYBYTES])
{
    const uint8_t *mac;

    if (c_len < hydro_secretbox_HEADERBYTES) {
        abort();
    }
    mac = &c[hydro_secretbox_SIVBYTES];
    COMPILER_ASSERT(hydro_secretbox_CONTEXTBYTES >= hydro_hash_CONTEXTBYTES);
    COMPILER_ASSERT(hydro_secretbox_KEYBYTES >= hydro_hash_KEYBYTES);
    hydro_hash_hash(probe, hydro_secretbox_PROBEBYTES, mac, hydro_secretbox_MACBYTES, ctx, key);
}

int
hydro_secretbox_probe_verify(const uint8_t probe[hydro_secretbox_PROBEBYTES], const uint8_t *c,
                             size_t c_len, const char ctx[hydro_secretbox_CONTEXTBYTES],
                             const uint8_t key[hydro_secretbox_KEYBYTES])
{
    uint8_t        computed_probe[hydro_secretbox_PROBEBYTES];
    const uint8_t *mac;

    if (c_len < hydro_secretbox_HEADERBYTES) {
        return -1;
    }
    mac = &c[hydro_secretbox_SIVBYTES];
    hydro_hash_hash(computed_probe, hydro_secretbox_PROBEBYTES, mac, hydro_secretbox_MACBYTES, ctx,
                    key);
    if (hydro_equal(computed_probe, probe, hydro_secretbox_PROBEBYTES) == 1) {
        return 0;
    }
    hydro_memzero(computed_probe, hydro_secretbox_PROBEBYTES);
    return -1;
}

int
hydro_secretbox_encrypt(uint8_t *c, const void *m_, size_t mlen, uint64_t msg_id,
                        const char    ctx[hydro_secretbox_CONTEXTBYTES],
                        const uint8_t key[hydro_secretbox_KEYBYTES])
{
    uint8_t iv[hydro_secretbox_IVBYTES];

    hydro_random_buf(iv, sizeof iv);

    return hydro_secretbox_encrypt_iv(c, m_, mlen, msg_id, ctx, key, iv);
}

int
hydro_secretbox_decrypt(void *m_, const uint8_t *c, size_t clen, uint64_t msg_id,
                        const char    ctx[hydro_secretbox_CONTEXTBYTES],
                        const uint8_t key[hydro_secretbox_KEYBYTES])
{
    _hydro_attr_aligned_(16) uint32_t state[gimli_BLOCKBYTES / 4];
    uint32_t                          pub_mac[hydro_secretbox_MACBYTES / 4];
    uint8_t                          *buf = (uint8_t *) (void *) state;
    const uint8_t                    *siv;
    const uint8_t                    *mac;
    const uint8_t                    *ct;
    uint8_t                          *m = (uint8_t *) m_;
    size_t                            mlen;
    uint32_t                          cv;

    if (clen < hydro_secretbox_HEADERBYTES) {
        return -1;
    }
    siv = &c[0];
    mac = &c[hydro_secretbox_SIVBYTES];
    ct  = &c[hydro_secretbox_SIVBYTES + hydro_secretbox_MACBYTES];

    mlen = clen - hydro_secretbox_HEADERBYTES;
    memcpy(pub_mac, mac, sizeof pub_mac);
    COMPILER_ASSERT(hydro_secretbox_SIVBYTES == hydro_secretbox_IVBYTES);
    hydro_secretbox_setup(buf, msg_id, ctx, key, siv, gimli_TAG_KEY);
    hydro_secretbox_xor_dec(buf, m, ct, mlen);

    hydro_secretbox_final(buf, key, gimli_TAG_FINAL);
    COMPILER_ASSERT(hydro_secretbox_MACBYTES <= gimli_CAPACITY);
    COMPILER_ASSERT(gimli_RATE % 4 == 0);
    cv = hydro_mem_ct_cmp_u32(state + gimli_RATE / 4, pub_mac, hydro_secretbox_MACBYTES / 4);
    hydro_mem_ct_zero_u32(state, gimli_BLOCKBYTES / 4);
    if (cv != 0) {
        mem_zero(m, mlen);
        return -1;
    }
    return 0;
}