// Security library: Diffie-Hellman key exchange + XTEA-CTR cipher
// Targets 486-class hardware with 1024-bit DH (256-bit private exponent)
// and XTEA in CTR mode for symmetric encryption.

#ifndef SECURITY_H
#define SECURITY_H

#include <stdint.h>
#include <stdbool.h>

// Key sizes (bytes)
#define SEC_DH_KEY_SIZE         128 // 1024-bit DH public key
#define SEC_XTEA_KEY_SIZE        16 // 128-bit XTEA key

// Error codes
#define SEC_SUCCESS               0
#define SEC_ERR_PARAM            -1
#define SEC_ERR_NOT_READY        -2
#define SEC_ERR_ALLOC            -3

// Opaque types
typedef struct SecDhS SecDhT;
typedef struct SecCipherS SecCipherT;


// RNG — seed before generating keys. Hardware entropy is weak (~20 bits);
// callers should supplement with keyboard timing, mouse jitter, etc.
int  secRngGatherEntropy(uint8_t *buf, int len);
void secRngAddEntropy(const uint8_t *data, int len);
void secRngBytes(uint8_t *buf, int len);
void secRngSeed(const uint8_t *entropy, int len);

// Diffie-Hellman key exchange (1024-bit, RFC 2409 Group 2)
SecDhT *secDhCreate(void);
int     secDhComputeSecret(SecDhT *dh, const uint8_t *remotePub, int len);
int     secDhDeriveKey(SecDhT *dh, uint8_t *key, int keyLen);
void    secDhDestroy(SecDhT *dh);
int     secDhGenerateKeys(SecDhT *dh);
int     secDhGetPublicKey(SecDhT *dh, uint8_t *buf, int *len);

// XTEA cipher in CTR mode (encrypt and decrypt are the same operation)
SecCipherT *secCipherCreate(const uint8_t *key);
void        secCipherCrypt(SecCipherT *c, uint8_t *data, int len);
void        secCipherDestroy(SecCipherT *c);
void        secCipherSetNonce(SecCipherT *c, uint32_t nonceLo, uint32_t nonceHi);

#endif