//! Implements the ntor v3 key exchange, as described in proposal 332.

//!

//! The main difference between the ntor v3r handshake and the

//! original ntor handshake is that this this one allows each party to

//! encrypt data (without forward secrecy) after it sends the first

//! message.

// TODO:

//    Wrap this in an appropriate API, expanding the API as needed.

//    Remove the "allow" item for dead_code.

//    Make terminology and variable names consistent with spec.

// This module is still unused: so allow some dead code for now.

#![allow(dead_code)]

use super::{RelayHandshakeError, RelayHandshakeResult};

use crate::util::ct;

use crate::{Error, Result};

use tor_bytes::{Reader, Writeable, Writer};

use tor_llcrypto::d::{Sha3_256, Shake256};

use tor_llcrypto::pk::{curve25519, ed25519::Ed25519Identity};

use tor_llcrypto::util::rand_compat::RngCompatExt;

use cipher::{NewCipher, StreamCipher};

use generic_array::GenericArray;

use rand_core::{CryptoRng, RngCore};

use subtle::{Choice, ConstantTimeEq};

use tor_llcrypto::cipher::aes::Aes256Ctr;

use zeroize::Zeroizing;

/// The size of an encryption key in bytes.

const ENC_KEY_LEN: usize = 32;

/// The size of a MAC key in bytes.

const MAC_KEY_LEN: usize = 32;

/// The size of a curve25519 public key in bytes.

const PUB_KEY_LEN: usize = 32;

/// The size of a digest output in bytes.

const DIGEST_LEN: usize = 32;

/// The length of a MAC output in bytes.

const MAC_LEN: usize = 32;

/// The length of a node identity in bytes.

const ID_LEN: usize = 32;

/// The output of the digest, as an array.

type DigestVal = [u8; DIGEST_LEN];

/// The output of the MAC.

type MacVal = [u8; MAC_LEN];

/// A key for symmetric encryption or decryption.

type EncKey = [u8; ENC_KEY_LEN];

/// A key for message authentication codes.

type MacKey = [u8; MAC_KEY_LEN];

/// An encapsulated value for passing as input to a MAC, digest, or

/// KDF algorithm.

///

/// This corresponds to the ENCAP() function in proposal 332.

struct Encap<'a>(&'a [u8]);

impl<'a> Writeable for Encap<'a> {

}

impl<'a> Encap<'a> {

    /// Return the length of the underlying data in bytes.

    /// Return the underlying data

}

/// Helper to define a set of tweak values as instances of `Encap`.

macro_rules! define_tweaks {

    {

        $(#[$pid_meta:meta])*

        PROTOID = $protoid:expr;

        $( $(#[$meta:meta])* $name:ident <= $suffix:expr ; )*

    } => {

        $(#[$pid_meta])*

        const PROTOID: &'static [u8] = $protoid.as_bytes();

        $(

            $(#[$meta])*

            const $name : Encap<'static> =

                Encap(concat!($protoid, ":", $suffix).as_bytes());

        )*

    }

}

define_tweaks! {

    /// Protocol ID: concatenated with other things in the protocol to

    /// prevent hash confusion.

    PROTOID =  "ntor3-curve25519-sha3_256-1";

    /// Message MAC tweak: used to compute the MAC of an encrypted client

    /// message.

    T_MSGMAC <= "msg_mac";

    /// Message KDF tweak: used when deriving keys for encrypting and MACing

    /// client message.

    T_MSGKDF <= "kdf_phase1";

    /// Key seeding tweak: used to derive final KDF input from secret_input.

    T_KEY_SEED <= "key_seed";

    /// Verifying tweak: used to derive 'verify' value from secret_input.

    T_VERIFY <= "verify";

    /// Final KDF tweak: used to derive keys for encrypting relay message

    /// and for the actual tor circuit.

    T_FINAL <= "kdf_final";

    /// Authentication tweak: used to derive the final authentication

    /// value for the handshake.

    T_AUTH <= "auth_final";

}

/// Compute a tweaked hash.

/// Perform a symmetric encryption operation and return the encrypted data.

///

/// (This isn't safe to do more than once with the same key, but we never

/// do that in this protocol.)

/// Perform a symmetric decryption operation and return the encrypted data.

/// Wrapper around a Digest or ExtendedOutput object that lets us use it

/// as a tor_bytes::Writer.

struct DigestWriter<U>(U);

impl<U: digest::Update> tor_bytes::Writer for DigestWriter<U> {

}

impl<U> DigestWriter<U> {

    /// Consume this wrapper and return the underlying object.

}

/// Hash tweaked with T_KEY_SEED

/// Hash tweaked with T_VERIFY

/// Helper: compute the encryption key and mac_key for the client's

/// encrypted message.

///

/// Takes as inputs `xb` (the shared secret derived from

/// diffie-hellman as Bx or Xb), the relay's public key information,

/// the client's public key (B), and the shared verification string.

/*

/// TODO

pub(crate) struct NtorV3Client {

    message: Vec<u8>,

}

*/

/// Key information about a relay used for the ntor v3 handshake.

///

/// Contains a single curve25519 ntor onion key, and the relay's ed25519

/// identity.

pub(crate) struct NtorV3PublicKey {

    /// The relay's identity.

    id: Ed25519Identity,

    /// The relay's onion key.

    pk: curve25519::PublicKey,

}

/// Secret key information used by a relay for the ntor v3 handshake.

pub(crate) struct NtorV3SecretKey {

    /// The relay's public key information

    pk: NtorV3PublicKey,

    /// The secret onion key.

    sk: curve25519::StaticSecret,

}

impl NtorV3SecretKey {

    /// Checks whether `id` and `pk` match this secret key.

    ///

    /// Used to perform a constant-time secret key lookup.

}

/// Client state for the ntor v3 handshake.

///

/// The client needs to hold this state between when it sends its part

/// of the handshake and when it receives the relay's reply.

pub(crate) struct NtorV3HandshakeState {

    /// The public key of the relay we're communicating with.

    relay_public: NtorV3PublicKey, // B, ID.

    /// Our ephemeral secret key for this handshake.

    my_sk: curve25519::StaticSecret, // x

    /// Our ephemeral public key for this handshake.

    my_public: curve25519::PublicKey, // X

    /// The shared secret generated as Bx or Xb.

    shared_secret: curve25519::SharedSecret, // Bx

    /// The MAC of our original encrypted message.

    msg_mac: MacVal, // msg_mac

}

/*

///

pub(crate) struct NtorV3KeyGenerator {

    seed: SecretBytes,

}

*/

/// Client-side Ntor version 3 handshake, part one.

///

/// Given a secure `rng`, a relay's public key, a secret message to send,

/// and a shared verification string, generate a new handshake state

/// and a message to send to the relay.

/// As `client_handshake_ntor_v3`, but don't generate an ephemeral DH

/// key: instead take that key an arguments `my_sk`.

/// Trait for an object that handle and incoming client message and

/// return a server's reply.

///

// TODO(nickm): I wanted to use a closure here, but the lifetimes didn't work,

// and I couldn't figure out why.

pub(crate) trait MsgReply {

    /// Given a message received from a client, parse it and decide

    /// how (and whether) to reply.

    ///

    /// Return None if the handshake should fail.

    fn reply(&mut self, msg: &[u8]) -> Option<Vec<u8>>;

}

/// Complete an ntor v3 handshake as a server.

///

/// Use the provided `rng` to generate keys; use the provided

/// `reply_fn` to handle incoming client secret message and decide how

/// to reply.  The client's handshake is in `message`.  Our private

/// key(s) are in `keys`.  The `verification` string must match the

/// string provided by the client.

///

/// On success, return the server handshake message to send, and an XofReader

/// to use in generating circuit keys.

/// As `server_handshake_ntor_v3`, but take a secret key instead of an RNG.

    } else {

    };

    // See if we recognize the provided (id,requested_pk) pair.

    };

    } else {

    }

/// Finalize the handshake on the client side.

///

/// Called after we've received a message from the relay: try to

/// complete the handshake and verify its correctness.

///

/// On success, return the server's reply to our original encrypted message,

/// and an `XofReader` to use in generating circuit keys.

    } else {

    }

/*

impl super::ClientHandshake for NtorV3Client {

    type KeyType = NtorPublicKey;

    type StateType = NtorV3HandshakeState;

    type KeyGen = NtorV3KeyGenerator;

}

*/

#[cfg(test)]

#[allow(non_snake_case)] // to enable variable names matching the spec.

#[allow(clippy::many_single_char_names)] // ibid

#[allow(clippy::unwrap_used)]

mod test {

    use super::*;

    use hex_literal::hex;

    #[test]

    fn test_ntor3_roundtrip() {

        let b = curve25519::StaticSecret::new(rand::thread_rng().rng_compat());

        let mut rng = rand::thread_rng();

        let id = b"not identifier---but correct len";

        let B: curve25519::PublicKey = (&b).into();

        let relay_public = NtorV3PublicKey {

            pk: B,

            id: (*id).into(),

        };

        let relay_private = NtorV3SecretKey {

            pk: relay_public.clone(),

            sk: b,

        };

        let verification = &b"shared secret"[..];

        let client_message = &b"Hello. I am a client. Let's be friends!"[..];

        let relay_message = &b"Greetings, client. I am a robot. Beep boop."[..];

        let (c_state, c_handshake) =

            client_handshake_ntor_v3(&mut rng, &relay_public, client_message, verification);

        struct Rep(Vec<u8>, Vec<u8>);

        impl MsgReply for Rep {

            fn reply(&mut self, msg: &[u8]) -> Option<Vec<u8>> {

                self.0 = msg.to_vec();

                Some(self.1.clone())

            }

        }

        let mut rep = Rep(Vec::new(), relay_message.to_vec());

        let (s_handshake, mut s_keygen) = server_handshake_ntor_v3(

            &mut rng,

            &mut rep,

            &c_handshake,

            &[relay_private],

            verification,

        )

        .unwrap();

        let (s_msg, mut c_keygen) =

            client_handshake_ntor_v3_part2(&c_state, &s_handshake, verification).unwrap();

        assert_eq!(rep.0[..], client_message[..]);

        assert_eq!(s_msg[..], relay_message[..]);

        use digest::XofReader;

        let mut s_keys = [0_u8; 100];

        let mut c_keys = [0_u8; 1000];

        s_keygen.read(&mut s_keys);

        c_keygen.read(&mut c_keys);

        assert_eq!(s_keys[..], c_keys[..100]);

    }

    #[test]

    fn test_ntor3_testvec() {

        let b = hex!("4051daa5921cfa2a1c27b08451324919538e79e788a81b38cbed097a5dff454a");

        let id = hex!("9fad2af287ef942632833d21f946c6260c33fae6172b60006e86e4a6911753a2");

        let x = hex!("b825a3719147bcbe5fb1d0b0fcb9c09e51948048e2e3283d2ab7b45b5ef38b49");

        let y = hex!("4865a5b7689dafd978f529291c7171bc159be076b92186405d13220b80e2a053");

        let b: curve25519::StaticSecret = b.into();

        let B: curve25519::PublicKey = (&b).into();

        let id: Ed25519Identity = id.into();

        let x: curve25519::StaticSecret = x.into();

        //let X = (&x).into();

        let y: curve25519::StaticSecret = y.into();

        let client_message = hex!("68656c6c6f20776f726c64");

        let verification = hex!("78797a7a79");

        let server_message = hex!("486f6c61204d756e646f");

        let relay_public = NtorV3PublicKey { pk: B, id };

        let relay_private = NtorV3SecretKey {

            sk: b,

            pk: relay_public.clone(),

        };

        let (state, client_handshake) =

            client_handshake_ntor_v3_no_keygen(&relay_public, &client_message, &verification, x);

        assert_eq!(client_handshake[..], hex!("9fad2af287ef942632833d21f946c6260c33fae6172b60006e86e4a6911753a2f8307a2bc1870b00b828bb74dbb8fd88e632a6375ab3bcd1ae706aaa8b6cdd1d252fe9ae91264c91d4ecb8501f79d0387e34ad8ca0f7c995184f7d11d5da4f463bebd9151fd3b47c180abc9e044d53565f04d82bbb3bebed3d06cea65db8be9c72b68cd461942088502f67")[..]);

        struct Replier(Vec<u8>, Vec<u8>, bool);

        impl MsgReply for Replier {

            fn reply(&mut self, msg: &[u8]) -> Option<Vec<u8>> {

                assert_eq!(msg, &self.0);

                self.2 = true;

                Some(self.1.clone())

            }

        }

        let mut rep = Replier(client_message.to_vec(), server_message.to_vec(), false);

        let (server_handshake, mut server_keygen) = server_handshake_ntor_v3_no_keygen(

            &mut rep,

            &y,

            &client_handshake,

            &[relay_private],

            &verification,

        )

        .unwrap();

        assert!(rep.2);

        assert_eq!(server_handshake[..], hex!("4bf4814326fdab45ad5184f5518bd7fae25dc59374062698201a50a22954246d2fc5f8773ca824542bc6cf6f57c7c29bbf4e5476461ab130c5b18ab0a91276651202c3e1e87c0d32054c")[..]);

        let (server_msg_received, mut client_keygen) =

            client_handshake_ntor_v3_part2(&state, &server_handshake, &verification).unwrap();

        assert_eq!(&server_msg_received, &server_message);

        let (c_keys, s_keys) = {

            use digest::XofReader;

            let mut c = [0_u8; 256];

            let mut s = [0_u8; 256];

            client_keygen.read(&mut c);

            server_keygen.read(&mut s);

            (c, s)

        };

        assert_eq!(c_keys, s_keys);

        assert_eq!(c_keys[..], hex!("9c19b631fd94ed86a817e01f6c80b0743a43f5faebd39cfaa8b00fa8bcc65c3bfeaa403d91acbd68a821bf6ee8504602b094a254392a07737d5662768c7a9fb1b2814bb34780eaee6e867c773e28c212ead563e98a1cd5d5b4576f5ee61c59bde025ff2851bb19b721421694f263818e3531e43a9e4e3e2c661e2ad547d8984caa28ebecd3e4525452299be26b9185a20a90ce1eac20a91f2832d731b54502b09749b5a2a2949292f8cfcbeffb790c7790ed935a9d251e7e336148ea83b063a5618fcff674a44581585fd22077ca0e52c59a24347a38d1a1ceebddbf238541f226b8f88d0fb9c07a1bcd2ea764bbbb5dacdaf5312a14c0b9e4f06309b0333b4a")[..]);

    }

}