package crypto

import (
	"crypto/cipher"
	crand "crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"sync"

	"golang.org/x/crypto/chacha20poly1305"

	. "github.com/tendermint/tendermint/libs/common"
)

// The randomness here is derived from xoring a chacha20 keystream with
// output from crypto/rand's OS Entropy Reader. (Due to fears of the OS'
// entropy being backdoored)
//
// For forward secrecy of produced randomness, the internal chacha key is hashed
// and thereby rotated after each call.
var gRandInfo *randInfo

func init() {
	gRandInfo = &randInfo{}
	gRandInfo.MixEntropy(randBytes(32)) // Init
}

// Mix additional bytes of randomness, e.g. from hardware, user-input, etc.
// It is OK to call it multiple times.  It does not diminish security.
func MixEntropy(seedBytes []byte) {
	gRandInfo.MixEntropy(seedBytes)
}

// This only uses the OS's randomness
func randBytes(numBytes int) []byte {
	b := make([]byte, numBytes)
	_, err := crand.Read(b)
	if err != nil {
		PanicCrisis(err)
	}
	return b
}

// This uses the OS and the Seed(s).
func CRandBytes(numBytes int) []byte {
	b := make([]byte, numBytes)
	_, err := gRandInfo.Read(b)
	if err != nil {
		PanicCrisis(err)
	}
	return b
}

// CRandHex returns a hex encoded string that's floor(numDigits/2) * 2 long.
//
// Note: CRandHex(24) gives 96 bits of randomness that
// are usually strong enough for most purposes.
func CRandHex(numDigits int) string {
	return hex.EncodeToString(CRandBytes(numDigits / 2))
}

// Returns a crand.Reader mixed with user-supplied entropy
func CReader() io.Reader {
	return gRandInfo
}

//--------------------------------------------------------------------------------

type randInfo struct {
	mtx       sync.Mutex
	seedBytes [chacha20poly1305.KeySize]byte
	chacha    cipher.AEAD
	reader    io.Reader
}

// You can call this as many times as you'd like.
// XXX TODO review
func (ri *randInfo) MixEntropy(seedBytes []byte) {
	ri.mtx.Lock()
	defer ri.mtx.Unlock()
	// Make new ri.seedBytes using passed seedBytes and current ri.seedBytes:
	// ri.seedBytes = sha256( seedBytes || ri.seedBytes )
	h := sha256.New()
	h.Write(seedBytes)
	h.Write(ri.seedBytes[:])
	hashBytes := h.Sum(nil)
	copy(ri.seedBytes[:], hashBytes)
	chacha, err := chacha20poly1305.New(ri.seedBytes[:])
	if err != nil {
		panic("Initializing chacha20 failed")
	}
	ri.chacha = chacha
	// Create new reader
	ri.reader = &cipher.StreamReader{S: ri, R: crand.Reader}
}

func (ri *randInfo) XORKeyStream(dst, src []byte) {
	// nonce being 0 is safe due to never re-using a key.
	emptyNonce := make([]byte, 12)
	tmpDst := ri.chacha.Seal([]byte{}, emptyNonce, src, []byte{0})
	// this removes the poly1305 tag as well, since chacha is a stream cipher
	// and we truncate at input length.
	copy(dst, tmpDst[:len(src)])
	// hash seedBytes for forward secrecy, and initialize new chacha instance
	newSeed := sha256.Sum256(ri.seedBytes[:])
	chacha, err := chacha20poly1305.New(newSeed[:])
	if err != nil {
		panic("Initializing chacha20 failed")
	}
	ri.chacha = chacha
}

func (ri *randInfo) Read(b []byte) (n int, err error) {
	ri.mtx.Lock()
	n, err = ri.reader.Read(b)
	ri.mtx.Unlock()
	return
}