/*
 * cifra - embedded cryptography library
 * Written in 2014 by Joseph Birr-Pixton <jpixton@gmail.com>
 *
 * To the extent possible under law, the author(s) have dedicated all
 * copyright and related and neighboring rights to this software to the
 * public domain worldwide. This software is distributed without any
 * warranty.
 *
 * You should have received a copy of the CC0 Public Domain Dedication
 * along with this software. If not, see
 * <http://creativecommons.org/publicdomain/zero/1.0/>.
 */

#ifndef SHA3_H
#define SHA3_H

#include <stddef.h>
#include <stdint.h>

#include "chash.h"

/**
 * SHA3/Keccak
 * ===========
 * This implementation is compatible with FIPS 202,
 * rather than the original Keccak submission.
 *
 */

/* .. c:macro:: CF_SHA3_224_HASHSZ
 * The output size of SHA3-224: 28 bytes. */
#define CF_SHA3_224_HASHSZ 28

/* .. c:macro:: CF_SHA3_256_HASHSZ
 * The output size of SHA3-256: 32 bytes. */
#define CF_SHA3_256_HASHSZ 32

/* .. c:macro:: CF_SHA3_384_HASHSZ
 * The output size of SHA3-384: 48 bytes. */
#define CF_SHA3_384_HASHSZ 48

/* .. c:macro:: CF_SHA3_512_HASHSZ
 * The output size of SHA3-512: 64 bytes. */
#define CF_SHA3_512_HASHSZ 64

/* .. c:macro:: CF_SHA3_224_BLOCKSZ
 * The block size of SHA3-224. */
#define CF_SHA3_224_BLOCKSZ 144

/* .. c:macro:: CF_SHA3_256_BLOCKSZ
 * The block size of SHA3-256. */
#define CF_SHA3_256_BLOCKSZ 136

/* .. c:macro:: CF_SHA3_384_BLOCKSZ
 * The block size of SHA3-384. */
#define CF_SHA3_384_BLOCKSZ 104

/* .. c:macro:: CF_SHA3_512_BLOCKSZ
 * The block size of SHA3-512. */
#define CF_SHA3_512_BLOCKSZ 72

/* We use bit-interleaved internal representation.  This
 * stores a 64 bit quantity in two 32 bit words: one word
 * contains odd bits, the other even.  This means 64-bit rotations
 * are cheaper to compute. */
typedef struct
{
  uint32_t odd, evn;
} cf_sha3_bi;

/* .. c:type:: cf_sha3_context
 * Incremental SHA3 hashing context.
 *
 * .. c:member:: cf_sha3_context.A
 * Intermediate state.
 *
 * .. c:member:: cf_sha3_context.partial
 * Unprocessed input.
 *
 * .. c:member:: cf_sha3_context.npartial
 * Number of bytes of unprocessed input.
 *
 * .. c:member:: cf_sha3_context.rate
 * Sponge absorption rate.
 *
 * .. c:member:: cf_sha3_context.rate
 * Sponge capacity.
 */
typedef struct
{
  /* State is a 5x5 block of 64-bit values, for Keccak-f[1600]. */
  cf_sha3_bi A[5][5];
  uint8_t partial[CF_SHA3_224_BLOCKSZ];
  size_t npartial;
  uint16_t rate, capacity; /* rate and capacity, in bytes. */
} cf_sha3_context;


/* -- _init functions -- */

/* .. c:function:: $DECL */
extern void cf_sha3_224_init(cf_sha3_context *ctx);

/* .. c:function:: $DECL */
extern void cf_sha3_256_init(cf_sha3_context *ctx);

/* .. c:function:: $DECL */
extern void cf_sha3_384_init(cf_sha3_context *ctx);

/* .. c:function:: $DECL
 * Sets up `ctx` ready to hash a new message.
 */
extern void cf_sha3_512_init(cf_sha3_context *ctx);

/* -- _update functions -- */

/* .. c:function:: $DECL */
extern void cf_sha3_224_update(cf_sha3_context *ctx, const void *data, size_t nbytes);

/* .. c:function:: $DECL */
extern void cf_sha3_256_update(cf_sha3_context *ctx, const void *data, size_t nbytes);

/* .. c:function:: $DECL */
extern void cf_sha3_384_update(cf_sha3_context *ctx, const void *data, size_t nbytes);

/* .. c:function:: $DECL
 * Hashes `nbytes` at `data`.  Copies the data for processing later if there
 * isn't enough to make a full block.
 */
extern void cf_sha3_512_update(cf_sha3_context *ctx, const void *data, size_t nbytes);

/* -- _digest functions -- */

/* .. c:function:: $DECL */
extern void cf_sha3_224_digest(const cf_sha3_context *ctx, uint8_t hash[CF_SHA3_224_HASHSZ]);

/* .. c:function:: $DECL */
extern void cf_sha3_256_digest(const cf_sha3_context *ctx, uint8_t hash[CF_SHA3_256_HASHSZ]);

/* .. c:function:: $DECL */
extern void cf_sha3_384_digest(const cf_sha3_context *ctx, uint8_t hash[CF_SHA3_384_HASHSZ]);

/* .. c:function:: $DECL
 * Finishes the hashing operation, writing result to `hash`.
 *
 * This leaves `ctx` unchanged.
 */
extern void cf_sha3_512_digest(const cf_sha3_context *ctx, uint8_t hash[CF_SHA3_512_HASHSZ]);

/* -- _digest_final functions -- */

/* .. c:function:: $DECL */
extern void cf_sha3_224_digest_final(cf_sha3_context *ctx, uint8_t hash[CF_SHA3_224_HASHSZ]);

/* .. c:function:: $DECL */
extern void cf_sha3_256_digest_final(cf_sha3_context *ctx, uint8_t hash[CF_SHA3_256_HASHSZ]);

/* .. c:function:: $DECL */
extern void cf_sha3_384_digest_final(cf_sha3_context *ctx, uint8_t hash[CF_SHA3_384_HASHSZ]);

/* .. c:function:: $DECL
 * Finishes the hashing operation, writing result to `hash`.
 *
 * This destroys the contents of `ctx`.
 */
extern void cf_sha3_512_digest_final(cf_sha3_context *ctx, uint8_t hash[CF_SHA3_512_HASHSZ]);

/* .. c:var:: cf_sha3_224
 * .. c:var:: cf_sha3_256
 * .. c:var:: cf_sha3_384
 * .. c:var:: cf_sha3_512
 * Abstract interface to SHA3 functions.  See :c:type:`cf_chash` for more information.
 */
extern const cf_chash cf_sha3_224;
extern const cf_chash cf_sha3_256;
extern const cf_chash cf_sha3_384;
extern const cf_chash cf_sha3_512;

#endif