/*
 * Copyright (c)2013-2021 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

/*
 * The contents of ECC384.cpp are third party code and are licensed under
 * the BSD 2-clause license.
 *
 * The built-in implementation is easy-ecc by Kenneth MacKay and can be found
 * here: https://github.com/esxgx/easy-ecc
 *
 * Our copy is trimmed down with unused stuff removed and also contains a few
 * ZeroTier shims to implement these function interfaces. Otherwise it is
 * unmodified from the original. It's a nice and fairly fast portable
 * implementation that should build everywhere.
 *
 * For FIPS-compliant builds this will eventually link against FIPS-compliant
 * crypto libraries instead of using the built-in version.
 */

#ifndef ZT_ECC384_HPP
#define ZT_ECC384_HPP

#include "Constants.hpp"

/**
 * Size of a (point compressed) P-384 public key
 */
#define ZT_ECC384_PUBLIC_KEY_SIZE 49

/**
 * Size of a P-384 private key
 */
#define ZT_ECC384_PRIVATE_KEY_SIZE 48

/**
 * Size of the hash that should be signed using P-384
 */
#define ZT_ECC384_SIGNATURE_HASH_SIZE 48

/**
 * Size of a P-384 signature
 */
#define ZT_ECC384_SIGNATURE_SIZE 96

/**
 * Size of raw shared secret generated by ECDH key agreement
 */
#define ZT_ECC384_SHARED_SECRET_SIZE 48

namespace ZeroTier {

/**
 * Generate a NIST P-384 key pair
 *
 * @param pub Buffer to receive point compressed public key
 * @param priv Buffer to receiver private key
 */
void ECC384GenerateKey(uint8_t pub[ZT_ECC384_PUBLIC_KEY_SIZE], uint8_t priv[ZT_ECC384_PRIVATE_KEY_SIZE]);

/**
 * Sign a hash with a NIST P-384 private key
 *
 * The hash must be 48 bytes in size. If it's longer only the first 48
 * bytes are used.
 *
 * @param priv Private key
 * @param hash 48-byte hash
 * @param sig Buffer to receive signature
 */
void ECC384ECDSASign(const uint8_t priv[ZT_ECC384_PRIVATE_KEY_SIZE], const uint8_t hash[ZT_ECC384_SIGNATURE_HASH_SIZE], uint8_t sig[ZT_ECC384_SIGNATURE_SIZE]);

/**
 * Verify a signature
 *
 * @param pub Public key
 * @param hash 48-byte hash (usually first 48 bytes of SHA512(msg))
 * @param sig Signature to check
 * @return True if signature is valid
 */
bool ECC384ECDSAVerify(const uint8_t pub[ZT_ECC384_PUBLIC_KEY_SIZE], const uint8_t hash[ZT_ECC384_SIGNATURE_HASH_SIZE], const uint8_t sig[ZT_ECC384_SIGNATURE_SIZE]);

/**
 * Perform ECDH key agreement
 *
 * The secret generated here is the raw 48-byte result of ECDH.
 * It's typically hashed prior to use.
 *
 * @param theirPub Remote public key
 * @param ourPriv Local private key
 * @param secret Buffer to receive 48-byte secret
 */
bool ECC384ECDH(const uint8_t theirPub[ZT_ECC384_PUBLIC_KEY_SIZE], const uint8_t ourPriv[ZT_ECC384_PRIVATE_KEY_SIZE], uint8_t secret[ZT_ECC384_SHARED_SECRET_SIZE]);

}   // namespace ZeroTier

#endif