/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 *      Portions Copyright 2015 ForgeRock AS
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*      Copyright (c) 1984,1988 AT&T */
/*        All Rights Reserved   */
package org.opends.server.util;

import java.util.Arrays;

/**
 * UNIX Crypt cipher, ported from the Sun OpenSolaris project.
 */
@org.opends.server.types.PublicAPI(
     stability=org.opends.server.types.StabilityLevel.VOLATILE,
     mayInstantiate=true,
     mayExtend=false,
     mayInvoke=true)
public final class Crypt
{

  /* LINTLIBRARY */
  /*
   * This program implements the Proposed Federal Information Processing Data
   * Encryption Standard. See Federal Register, March 17, 1975 (40FR12134)
   */

  /*
   * Initial permutation,
   */
  private static final byte IP[]     =
                       { 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20,
      12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57,
      49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37,
      29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7, };

  /*
   * Final permutation, FP = IP^(-1)
   */
  private static final byte FP[]     =
                       { 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23,
      63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36,
      4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10,
      50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25, };

  /*
   * Permuted-choice 1 from the key bits to yield C and D. Note that bits
   * 8,16... are left out: They are intended for a parity check.
   */
  private static final byte PC1_C[]  =
                       { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
      10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, };

  private static final byte PC1_D[]  =
                       { 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
      14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4, };

  /*
   * Sequence of shifts used for the key schedule.
   */
  private static final byte shifts[] =
                       { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, };

  /*
   * Permuted-choice 2, to pick out the bits from the CD array that generate the
   * key schedule.
   */
  private static final int  PC2_C[]  =
                       { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19,
      12, 4, 26, 8, 16, 7, 27, 20, 13, 2, };

  private static final byte PC2_D[]  =
                       { 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44,
      49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32, };

  /**
   * Container for many variables altered throughout the encryption process.
   */
  private static class SubCrypt
  {
    /*
     * The C and D arrays used to calculate the key schedule.
     */
    int _C[]      = new int[28];

    int _D[]      = new int[28];

    /*
     * The key schedule. Generated from the key.
     */
    int _KS[][]   = new int[16][48];

    /*
     * The E bit-selection table.
     */
    int _E[]      = new int[48];

    /*
     * The current block, divided into 2 halves.
     */
    int _L[]      = new int[32];

    int _R[]      = new int[32];

    int _tempL[]  = new int[32];

    int _f[]      = new int[32];

    /*
     * The combination of the key and the input, before selection.
     */
    int _preS[]   = new int[48];

    /*
     * Temps for crypt
     */
    int _ablock[] = new int[66];

    int _iobuf[]  = new int[16];
  }

  private final SubCrypt _crypt;

  /**
   * Constructor.
   */
  public Crypt() {
    _crypt = new SubCrypt();

    copy(e, _crypt._E);
  }

  private void copy(byte[] src, int[] dest) {
    for (int i = 0; i < dest.length; i++) {
      dest[i] = src[i];
    }
  }

  /**
   * Sets up the key schedule from the key.
   */
  private void setkey(int[] key)
  {
    SubCrypt _c = _crypt;

    /*
     * if (_c == null) { _cryptinit(); _c = __crypt; }
     */
    /*
     * First, generate C and D by permuting the key. The low order bit of each
     * 8-bit char is not used, so C and D are only 28 bits apiece.
     */
    for (int i = 0; i < 28; i++)
    {
      _c._C[i] = key[PC1_C[i] - 1];
      _c._D[i] = key[PC1_D[i] - 1];
    }
    /*
     * To generate Ki, rotate C and D according to schedule and pick up a
     * permutation using PC2.
     */
    for (int i = 0; i < 16; i++)
    {
      /*
       * rotate.
       */
      for (int k = 0; k < shifts[i]; k++)
      {
        rotate(_c._C);
        rotate(_c._D);
      }
      /*
       * get Ki. Note C and D are concatenated.
       */
      for (int j = 0; j < 24; j++)
      {
        _c._KS[i][j] = _c._C[PC2_C[j] - 1];
        _c._KS[i][j + 24] = _c._D[PC2_D[j] - 28 - 1];
      }
    }
  }

  private void rotate(int[] array)
  {
    int t = array[0];
    System.arraycopy(array, 1, array, 0, 28 - 1);
    array[27] = t;
  }

  /*
   * The E bit-selection table.
   */
  private static final byte e[]   =
                    { 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12,
      13, 12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24,
      25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1, };

  /*
   * The 8 selection functions. For some reason, they give a 0-origin index,
   * unlike everything else.
   */
  private static final int  S[][] =
    {
      { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14,
      2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12,
      9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },

      {
      15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2,
      8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12,
      6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },

      {
      10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4,
      6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2,
      12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },

      {
      7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6,
      15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1,
      3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },

      {
      2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4,
      7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12,
      5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },

      {
      12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7,
      12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4,
      10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 },

      {
      4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9,
      1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6,
      8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },

      {
      13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10,
      3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10,
      13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
    };

  /*
   * P is a permutation on the selected combination of the current L and key.
   */
  private static final int  P[]   =
                    { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31,
      10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25, };

  /**
   * Encrypts a block in place.
   */
  private final void encrypt(int block[], int edflag)
  {
    SubCrypt _c = _crypt;

    /*
     * First, permute the bits in the input
     */
    for (int j = 0; j < 64; j++)
    {
      int a = IP[j] - 1;
      int b = block[a];
      if (j <= 31)
      {
        _c._L[j] = b;
      }
      else
      {
        _c._R[j - 32] = b;
      }
    }
    /*
     * Perform an encryption operation 16 times.
     */
    for (int ii = 0; ii < 16; ii++)
    {
      /*
       * Set direction
       */
      int i;
      if (edflag != 0)
      {
        i = 15 - ii;
      }
      else
      {
        i = ii;
      }
      /*
       * Save the R array, which will be the new L.
       */
      System.arraycopy(_c._R, 0, _c._tempL, 0, 32);
      /*
       * Expand R to 48 bits using the E selector; exclusive-or with the current
       * key bits.
       */
      for (int j = 0; j < 48; j++)
      {
        _c._preS[j] = _c._R[_c._E[j] - 1] ^ _c._KS[i][j];
      }
      /*
       * The pre-select bits are now considered in 8 groups of 6 bits each. The
       * 8 selection functions map these 6-bit quantities into 4-bit quantities
       * and the results permuted to make an f(R, K). The indexing into the
       * selection functions is peculiar; it could be simplified by rewriting
       * the tables.
       */
      for (int j = 0; j < 8; j++)
      {
        int t = 6 * j;
        int k = S[j][(_c._preS[t + 0] << 5) + (_c._preS[t + 1] << 3)
            + (_c._preS[t + 2] << 2) + (_c._preS[t + 3] << 1)
            + (_c._preS[t + 4] << 0) + (_c._preS[t + 5] << 4)];
        t = 4 * j;
        _c._f[t + 0] = (k >> 3) & 01;
        _c._f[t + 1] = (k >> 2) & 01;
        _c._f[t + 2] = (k >> 1) & 01;
        _c._f[t + 3] = (k >> 0) & 01;
      }
      /*
       * The new R is L ^ f(R, K). The f here has to be permuted first, though.
       */
      for (int j = 0; j < 32; j++)
      {
        _c._R[j] = _c._L[j] ^ _c._f[P[j] - 1];
      }
      /*
       * Finally, the new L (the original R) is copied back.
       */
      System.arraycopy(_c._tempL, 0, _c._L, 0, 32);
    }
    /*
     * The output L and R are reversed.
     */
    for (int j = 0; j < 32; j++)
    {
      // swap
      int t = _c._L[j];
      _c._L[j] = _c._R[j];
      _c._R[j] = t;
    }
    /*
     * The final output gets the inverse permutation of the very original.
     */
    for (int j = 0; j < 64; j++)
    {
      int iv = FP[j] - 1;
      int a = (iv <= 31) ? _c._L[iv] : _c._R[iv - 32];
      block[j] = a;
    }
  }

  private Object digestLock = new Object();

  /**
   * Encode the supplied password in unix crypt form with the provided
   * salt.
   *
   * @param pw A password to encode.
   * @param salt A salt array of any size, of which only the first
   * 2 bytes will be considered.
   * @return A trimmed array
   */
  public byte[] crypt(byte[] pw, byte[] salt)
  {
    int[] r;
    synchronized (digestLock)
    {
      r = _crypt(pw, salt);
    }

    //TODO: crypt always returns same size array?  So don't mess
    // around calculating the number of zeros at the end.

    // The _crypt algorithm pads the result block with zeros;
    // we need to copy the array into a byte string,
    // but without these zeros.
    int zeroCount = 0;
    for (int i = r.length - 1; i >= 0; --i)
    {
      if (r[i] != 0)
      {
        // Zeros can only occur at the end of the block.
        break;
      }
      ++zeroCount;
    }

    // Convert to byte
    byte[] b = new byte[r.length - zeroCount];
    for (int i = 0; i < b.length; ++i)
    {
      b[i] = (byte) r[i];
    }
    return b;
  }

  private int[] _crypt(byte[] pw, byte[] salt)
  {
    SubCrypt _c = _crypt;

    Arrays.fill(_c._ablock, 0);

    for (int i = 0, n = 0; n < pw.length && i < 64; n++)
    {
      int c = pw[n];
      for (int j = 0; j < 7; j++, i++)
      {
        _c._ablock[i] = (c >> (6 - j)) & 01;
      }
      i++;
    }

    setkey(_c._ablock);

    Arrays.fill(_c._ablock, 0);

    copy(e, _c._E);

    for (int i = 0; i < 2; i++)
    {
      int c = salt[i];
      _c._iobuf[i] = c;
      if (c > 'Z')
      {
        c -= 6;
      }
      if (c > '9')
      {
        c -= 7;
      }
      c -= '.';
      for (int j = 0; j < 6; j++)
      {
        if (((c >> j) & 01) != 0)
        {
          int temp = _c._E[6 * i + j];
          _c._E[6 * i + j] = _c._E[6 * i + j + 24];
          _c._E[6 * i + j + 24] = temp;
        }
      }
    }

    for (int i = 0; i < 25; i++)
    {
      encrypt(_c._ablock, 0);
    }

    int i;
    for (i = 0; i < 11; i++)
    {
      int c = 0;
      for (int j = 0; j < 6; j++)
      {
        c <<= 1;
        c |= _c._ablock[6 * i + j];
      }
      c += '.';
      if (c > '9')
      {
        c += 7;
      }
      if (c > 'Z')
      {
        c += 6;
      }
      _c._iobuf[i + 2] = c;
    }
    _c._iobuf[i + 2] = 0;
    if (_c._iobuf[1] == 0)
    {
      _c._iobuf[1] = _c._iobuf[0];
    }
    return _c._iobuf;
  }
}