// Copyright 2017 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package blake2b

import (
	
	
	
)

// XOF defines the interface to hash functions that
// support arbitrary-length output.
//
// New callers should prefer the standard library [hash.XOF].
type XOF interface {
	// Write absorbs more data into the hash's state. It panics if called
	// after Read.
	io.Writer

	// Read reads more output from the hash. It returns io.EOF if the limit
	// has been reached.
	io.Reader

	// Clone returns a copy of the XOF in its current state.
	Clone() XOF

	// Reset resets the XOF to its initial state.
	Reset()
}

// OutputLengthUnknown can be used as the size argument to NewXOF to indicate
// the length of the output is not known in advance.
const OutputLengthUnknown = 0

// magicUnknownOutputLength is a magic value for the output size that indicates
// an unknown number of output bytes.
const magicUnknownOutputLength = (1 << 32) - 1

// maxOutputLength is the absolute maximum number of bytes to produce when the
// number of output bytes is unknown.
const maxOutputLength = (1 << 32) * 64

// NewXOF creates a new variable-output-length hash. The hash either produce a
// known number of bytes (1 <= size < 2**32-1), or an unknown number of bytes
// (size == OutputLengthUnknown). In the latter case, an absolute limit of
// 256GiB applies.
//
// A non-nil key turns the hash into a MAC. The key must between
// zero and 32 bytes long.
//
// The result can be safely interface-upgraded to [hash.XOF].
func ( uint32,  []byte) (XOF, error) {
	if len() > Size {
		return nil, errKeySize
	}
	if  == magicUnknownOutputLength {
		// 2^32-1 indicates an unknown number of bytes and thus isn't a
		// valid length.
		return nil, errors.New("blake2b: XOF length too large")
	}
	if  == OutputLengthUnknown {
		 = magicUnknownOutputLength
	}
	 := &xof{
		d: digest{
			size:   Size,
			keyLen: len(),
		},
		length: ,
	}
	copy(.d.key[:], )
	.Reset()
	return , nil
}

type xof struct {
	d                digest
	length           uint32
	remaining        uint64
	cfg, root, block [Size]byte
	offset           int
	nodeOffset       uint32
	readMode         bool
}

func ( *xof) ( []byte) ( int,  error) {
	if .readMode {
		panic("blake2b: write to XOF after read")
	}
	return .d.Write()
}

func ( *xof) () XOF {
	 := *
	return &
}

func ( *xof) () int {
	return .d.BlockSize()
}

func ( *xof) () {
	.cfg[0] = byte(Size)
	binary.LittleEndian.PutUint32(.cfg[4:], uint32(Size)) // leaf length
	binary.LittleEndian.PutUint32(.cfg[12:], .length)    // XOF length
	.cfg[17] = byte(Size)                                 // inner hash size

	.d.Reset()
	.d.h[1] ^= uint64(.length) << 32

	.remaining = uint64(.length)
	if .remaining == magicUnknownOutputLength {
		.remaining = maxOutputLength
	}
	.offset, .nodeOffset = 0, 0
	.readMode = false
}

func ( *xof) ( []byte) ( int,  error) {
	if !.readMode {
		.d.finalize(&.root)
		.readMode = true
	}

	if .remaining == 0 {
		return 0, io.EOF
	}

	 = len()
	if uint64() > .remaining {
		 = int(.remaining)
		 = [:]
	}

	if .offset > 0 {
		 := Size - .offset
		if  <  {
			.offset += copy(, .block[.offset:])
			.remaining -= uint64()
			return
		}
		copy(, .block[.offset:])
		 = [:]
		.offset = 0
		.remaining -= uint64()
	}

	for len() >= Size {
		binary.LittleEndian.PutUint32(.cfg[8:], .nodeOffset)
		.nodeOffset++

		.d.initConfig(&.cfg)
		.d.Write(.root[:])
		.d.finalize(&.block)

		copy(, .block[:])
		 = [Size:]
		.remaining -= uint64(Size)
	}

	if  := len();  > 0 {
		if .remaining < uint64(Size) {
			.cfg[0] = byte(.remaining)
		}
		binary.LittleEndian.PutUint32(.cfg[8:], .nodeOffset)
		.nodeOffset++

		.d.initConfig(&.cfg)
		.d.Write(.root[:])
		.d.finalize(&.block)

		.offset = copy(, .block[:])
		.remaining -= uint64()
	}
	return
}

func ( *digest) ( *[Size]byte) {
	.offset, .c[0], .c[1] = 0, 0, 0
	for  := range .h {
		.h[] = iv[] ^ binary.LittleEndian.Uint64([*8:])
	}
}