/* Based on org.bouncycastle.crypto.engines.TwofishEngine
 * originally licensed under these terms:
 *
 * Copyright (c) 2000 - 2012 The Legion Of The Bouncy Castle
 * (http://www.bouncycastle.org)
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation files
 * (the "Software"), to deal in the Software without restriction,
 * including without limitation the rights to use, copy, modify, merge,
 * publish, distribute, sublicense, and/or sell copies of the Software,
 * and to permit persons to whom the Software is furnished to do so,
 * subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
/*global CryptoJS:true */
(function () {
    'use strict';

    // Shortcuts
    var C = CryptoJS,
        C_lib = C.lib,
        BlockCipher = C_lib.BlockCipher,
        C_algo = C.algo,
        P = [
            [ // p0
            0xA9, 0x67, 0xB3, 0xE8,
            0x04, 0xFD, 0xA3, 0x76,
            0x9A, 0x92, 0x80, 0x78,
            0xE4, 0xDD, 0xD1, 0x38,
            0x0D, 0xC6, 0x35, 0x98,
            0x18, 0xF7, 0xEC, 0x6C,
            0x43, 0x75, 0x37, 0x26,
            0xFA, 0x13, 0x94, 0x48,
            0xF2, 0xD0, 0x8B, 0x30,
            0x84, 0x54, 0xDF, 0x23,
            0x19, 0x5B, 0x3D, 0x59,
            0xF3, 0xAE, 0xA2, 0x82,
            0x63, 0x01, 0x83, 0x2E,
            0xD9, 0x51, 0x9B, 0x7C,
            0xA6, 0xEB, 0xA5, 0xBE,
            0x16, 0x0C, 0xE3, 0x61,
            0xC0, 0x8C, 0x3A, 0xF5,
            0x73, 0x2C, 0x25, 0x0B,
            0xBB, 0x4E, 0x89, 0x6B,
            0x53, 0x6A, 0xB4, 0xF1,
            0xE1, 0xE6, 0xBD, 0x45,
            0xE2, 0xF4, 0xB6, 0x66,
            0xCC, 0x95, 0x03, 0x56,
            0xD4, 0x1C, 0x1E, 0xD7,
            0xFB, 0xC3, 0x8E, 0xB5,
            0xE9, 0xCF, 0xBF, 0xBA,
            0xEA, 0x77, 0x39, 0xAF,
            0x33, 0xC9, 0x62, 0x71,
            0x81, 0x79, 0x09, 0xAD,
            0x24, 0xCD, 0xF9, 0xD8,
            0xE5, 0xC5, 0xB9, 0x4D,
            0x44, 0x08, 0x86, 0xE7,
            0xA1, 0x1D, 0xAA, 0xED,
            0x06, 0x70, 0xB2, 0xD2,
            0x41, 0x7B, 0xA0, 0x11,
            0x31, 0xC2, 0x27, 0x90,
            0x20, 0xF6, 0x60, 0xFF,
            0x96, 0x5C, 0xB1, 0xAB,
            0x9E, 0x9C, 0x52, 0x1B,
            0x5F, 0x93, 0x0A, 0xEF,
            0x91, 0x85, 0x49, 0xEE,
            0x2D, 0x4F, 0x8F, 0x3B,
            0x47, 0x87, 0x6D, 0x46,
            0xD6, 0x3E, 0x69, 0x64,
            0x2A, 0xCE, 0xCB, 0x2F,
            0xFC, 0x97, 0x05, 0x7A,
            0xAC, 0x7F, 0xD5, 0x1A,
            0x4B, 0x0E, 0xA7, 0x5A,
            0x28, 0x14, 0x3F, 0x29,
            0x88, 0x3C, 0x4C, 0x02,
            0xB8, 0xDA, 0xB0, 0x17,
            0x55, 0x1F, 0x8A, 0x7D,
            0x57, 0xC7, 0x8D, 0x74,
            0xB7, 0xC4, 0x9F, 0x72,
            0x7E, 0x15, 0x22, 0x12,
            0x58, 0x07, 0x99, 0x34,
            0x6E, 0x50, 0xDE, 0x68,
            0x65, 0xBC, 0xDB, 0xF8,
            0xC8, 0xA8, 0x2B, 0x40,
            0xDC, 0xFE, 0x32, 0xA4,
            0xCA, 0x10, 0x21, 0xF0,
            0xD3, 0x5D, 0x0F, 0x00,
            0x6F, 0x9D, 0x36, 0x42,
            0x4A, 0x5E, 0xC1, 0xE0],
            [ // p1
            0x75, 0xF3, 0xC6, 0xF4,
            0xDB, 0x7B, 0xFB, 0xC8,
            0x4A, 0xD3, 0xE6, 0x6B,
            0x45, 0x7D, 0xE8, 0x4B,
            0xD6, 0x32, 0xD8, 0xFD,
            0x37, 0x71, 0xF1, 0xE1,
            0x30, 0x0F, 0xF8, 0x1B,
            0x87, 0xFA, 0x06, 0x3F,
            0x5E, 0xBA, 0xAE, 0x5B,
            0x8A, 0x00, 0xBC, 0x9D,
            0x6D, 0xC1, 0xB1, 0x0E,
            0x80, 0x5D, 0xD2, 0xD5,
            0xA0, 0x84, 0x07, 0x14,
            0xB5, 0x90, 0x2C, 0xA3,
            0xB2, 0x73, 0x4C, 0x54,
            0x92, 0x74, 0x36, 0x51,
            0x38, 0xB0, 0xBD, 0x5A,
            0xFC, 0x60, 0x62, 0x96,
            0x6C, 0x42, 0xF7, 0x10,
            0x7C, 0x28, 0x27, 0x8C,
            0x13, 0x95, 0x9C, 0xC7,
            0x24, 0x46, 0x3B, 0x70,
            0xCA, 0xE3, 0x85, 0xCB,
            0x11, 0xD0, 0x93, 0xB8,
            0xA6, 0x83, 0x20, 0xFF,
            0x9F, 0x77, 0xC3, 0xCC,
            0x03, 0x6F, 0x08, 0xBF,
            0x40, 0xE7, 0x2B, 0xE2,
            0x79, 0x0C, 0xAA, 0x82,
            0x41, 0x3A, 0xEA, 0xB9,
            0xE4, 0x9A, 0xA4, 0x97,
            0x7E, 0xDA, 0x7A, 0x17,
            0x66, 0x94, 0xA1, 0x1D,
            0x3D, 0xF0, 0xDE, 0xB3,
            0x0B, 0x72, 0xA7, 0x1C,
            0xEF, 0xD1, 0x53, 0x3E,
            0x8F, 0x33, 0x26, 0x5F,
            0xEC, 0x76, 0x2A, 0x49,
            0x81, 0x88, 0xEE, 0x21,
            0xC4, 0x1A, 0xEB, 0xD9,
            0xC5, 0x39, 0x99, 0xCD,
            0xAD, 0x31, 0x8B, 0x01,
            0x18, 0x23, 0xDD, 0x1F,
            0x4E, 0x2D, 0xF9, 0x48,
            0x4F, 0xF2, 0x65, 0x8E,
            0x78, 0x5C, 0x58, 0x19,
            0x8D, 0xE5, 0x98, 0x57,
            0x67, 0x7F, 0x05, 0x64,
            0xAF, 0x63, 0xB6, 0xFE,
            0xF5, 0xB7, 0x3C, 0xA5,
            0xCE, 0xE9, 0x68, 0x44,
            0xE0, 0x4D, 0x43, 0x69,
            0x29, 0x2E, 0xAC, 0x15,
            0x59, 0xA8, 0x0A, 0x9E,
            0x6E, 0x47, 0xDF, 0x34,
            0x35, 0x6A, 0xCF, 0xDC,
            0x22, 0xC9, 0xC0, 0x9B,
            0x89, 0xD4, 0xED, 0xAB,
            0x12, 0xA2, 0x0D, 0x52,
            0xBB, 0x02, 0x2F, 0xA9,
            0xD7, 0x61, 0x1E, 0xB4,
            0x50, 0x04, 0xF6, 0xC2,
            0x16, 0x25, 0x86, 0x56,
            0x55, 0x09, 0xBE, 0x91]
        ],
        P_00 = 1,
        P_01 = 0,
        P_02 = 0,
        P_03 = 1,
        P_04 = 1,
        P_10 = 0,
        P_11 = 0,
        P_12 = 1,
        P_13 = 1,
        P_14 = 0,
        P_20 = 1,
        P_21 = 1,
        P_22 = 0,
        P_23 = 0,
        P_24 = 0,
        P_30 = 0,
        P_31 = 1,
        P_32 = 1,
        P_33 = 0,
        P_34 = 1,

        /* Primitive polynomial for GF(256) */
        GF256_FDBK = 0x169,
        GF256_FDBK_2 = GF256_FDBK / 2,
        GF256_FDBK_4 = GF256_FDBK / 4,

        RS_GF_FDBK = 0x14D,
        SK_STEP = 0x02020202,
        SK_BUMP = 0x01010101,
        SK_ROTL = 9, // field generator
        gMDS0 = [],
        gMDS1 = [],
        gMDS2 = [],
        gMDS3 = [],
        gSubKeys = [],
        gSBox = [],
        k64Cnt = 0,
        getByte = function (x, n) {
	    return (x >>> (n * 8)) & 0xFF;
        },
        switchEndianness = function (word) {
            return ((word & 0xff) << 24) | (((word >> 8) & 0xff) << 16) | (((word >> 16) & 0xff) << 8) | ((word >> 24) & 0xff);
        },
        LFSR1 = function (x) {
            return (x >> 1) ^ (((x & 0x01) !== 0) ? GF256_FDBK_2 : 0);
        },
        LFSR2 = function (x) {
            return (x >> 2) ^ (((x & 0x02) !== 0) ? GF256_FDBK_2 : 0) ^ (((x & 0x01) !== 0) ? GF256_FDBK_4 : 0);
        },
        Mx_X = function (x) {
            return x ^ LFSR2(x);
        }, // 5B
        Mx_Y = function (x) {
            return x ^ LFSR1(x) ^ LFSR2(x);
        }, // EF
        RS_rem = function (x) {
            var b = (x >>> 24) & 0xff,
                g2 = ((b << 1) ^ ((b & 0x80) !== 0 ? RS_GF_FDBK : 0)) & 0xff,
                g3 = ((b >>> 1) ^ ((b & 0x01) !== 0 ? (RS_GF_FDBK >>> 1) : 0)) ^ g2;
            return ((x << 8) ^ (g3 << 24) ^ (g2 << 16) ^ (g3 << 8) ^ b);
        },
        RS_MDS_Encode = function (k0, k1) {
            var r = k1,
                i;
            for (i = 0; i < 4; i += 1) // shift 1 byte at a time
            {
                r = RS_rem(r);
            }
            r ^= k0;
            for (i = 0; i < 4; i += 1) {
                r = RS_rem(r);
            }

            return r;
        },
        F32 = function (x, k32) {
            var b0 = getByte(x, 0),
                b1 = getByte(x, 1),
                b2 = getByte(x, 2),
                b3 = getByte(x, 3),
                k0 = k32[0],
                k1 = k32[1],
                k2 = k32[2],
                k3 = k32[3],
                result = 0;

            switch (k64Cnt & 3) {
            case 1:
                result = gMDS0[(P[P_01][b0] & 0xff) ^ getByte(k0, 0)] ^ gMDS1[(P[P_11][b1] & 0xff) ^ getByte(k0, 1)] ^ gMDS2[(P[P_21][b2] & 0xff) ^ getByte(k0, 2)] ^ gMDS3[(P[P_31][b3] & 0xff) ^ getByte(k0, 3)];
                break;
            case 0:
                /* 256 bits of key */
                b0 = (P[P_04][b0] & 0xff) ^ getByte(k3, 0);
                b1 = (P[P_14][b1] & 0xff) ^ getByte(k3, 1);
                b2 = (P[P_24][b2] & 0xff) ^ getByte(k3, 2);
                b3 = (P[P_34][b3] & 0xff) ^ getByte(k3, 3);
            case 3:
                b0 = (P[P_03][b0] & 0xff) ^ getByte(k2, 0);
                b1 = (P[P_13][b1] & 0xff) ^ getByte(k2, 1);
                b2 = (P[P_23][b2] & 0xff) ^ getByte(k2, 2);
                b3 = (P[P_33][b3] & 0xff) ^ getByte(k2, 3);
            case 2:
                result = gMDS0[(P[P_01][(P[P_02][b0] & 0xff) ^ getByte(k1, 0)] & 0xff) ^ getByte(k0, 0)] ^ gMDS1[(P[P_11][(P[P_12][b1] & 0xff) ^ getByte(k1, 1)] & 0xff) ^ getByte(k0, 1)] ^ gMDS2[(P[P_21][(P[P_22][b2] & 0xff) ^ getByte(k1, 2)] & 0xff) ^ getByte(k0, 2)] ^ gMDS3[(P[P_31][(P[P_32][b3] & 0xff) ^ getByte(k1, 3)] & 0xff) ^ getByte(k0, 3)];
                break;
            }
            return result;
        },
        Fe32_0 = function (x) {
            return gSBox[0x000 + 2 * (x & 0xff)] ^ gSBox[0x001 + 2 * ((x >>> 8) & 0xff)] ^ gSBox[0x200 + 2 * ((x >>> 16) & 0xff)] ^ gSBox[0x201 + 2 * ((x >>> 24) & 0xff)];
        },
        Fe32_3 = function (x) {
            return gSBox[0x000 + 2 * ((x >>> 24) & 0xff)] ^ gSBox[0x001 + 2 * (x & 0xff)] ^ gSBox[0x200 + 2 * ((x >>> 8) & 0xff)] ^ gSBox[0x201 + 2 * ((x >>> 16) & 0xff)];
        },
        TwoFish = C_algo.TwoFish = BlockCipher.extend({
            _doReset: function () {
                var k32e = [],
                    k32o = [],
                    sBoxKeys = [],
                    i, p, q, A, B, k0, k1, k2, k3,
                    b0, b1, b2, b3, m1 = [],
                    mX = [],
                    mY = [],
                    j;
                k64Cnt = this._key.sigBytes / 8;

                // calculate the MDS matrix

                for (i = 0; i < 256; i += 1) {
                    j = P[0][i] & 0xff;
                    m1[0] = j;
                    mX[0] = Mx_X(j) & 0xff;
                    mY[0] = Mx_Y(j) & 0xff;

                    j = P[1][i] & 0xff;
                    m1[1] = j;
                    mX[1] = Mx_X(j) & 0xff;
                    mY[1] = Mx_Y(j) & 0xff;

                    gMDS0[i] = m1[P_00] | mX[P_00] << 8 | mY[P_00] << 16 | mY[P_00] << 24;

                    gMDS1[i] = mY[P_10] | mY[P_10] << 8 | mX[P_10] << 16 | m1[P_10] << 24;

                    gMDS2[i] = mX[P_20] | mY[P_20] << 8 | m1[P_20] << 16 | mY[P_20] << 24;

                    gMDS3[i] = mX[P_30] | m1[P_30] << 8 | mY[P_30] << 16 | mX[P_30] << 24;
                }

                if (k64Cnt < 1) {
                    throw "Key size less than 64 bits";
                }

                if (k64Cnt > 4) {
                    throw "Key size larger than 256 bits";
                }

                /*
                 * k64Cnt is the number of 8 byte blocks (64 chunks)
                 * that are in the input key.  The input key is a
                 * maximum of 32 bytes (256 bits), so the range
                 * for k64Cnt is 1..4
                 */
                for (i = 0; i < k64Cnt; i++) {
                    p = i * 2;

                    // to BE
                    k32e[i] = switchEndianness(this._key.words[p]);
                    k32o[i] = switchEndianness(this._key.words[p + 1]);

                    sBoxKeys[k64Cnt - 1 - i] = RS_MDS_Encode(k32e[i], k32o[i]);
                }

                for (i = 0; i < 40 / 2; i++) {
                    q = i * SK_STEP;
                    A = F32(q, k32e);
                    B = F32(q + SK_BUMP, k32o);
                    B = B << 8 | B >>> 24;
                    A += B;
                    gSubKeys[i * 2] = A;
                    A += B;
                    gSubKeys[i * 2 + 1] = A << SK_ROTL | A >>> (32 - SK_ROTL);
                }

                /*
                 * fully expand the table for speed
                 */
                k0 = sBoxKeys[0];
                k1 = sBoxKeys[1];
                k2 = sBoxKeys[2];
                k3 = sBoxKeys[3];
                gSBox = [];
                for (i = 0; i < 256; i++) {
                    b0 = b1 = b2 = b3 = i;
                    switch (k64Cnt & 3) {
                    case 1:
                        gSBox[i * 2] = gMDS0[(P[P_01][b0] & 0xff) ^ getByte(k0, 0)];
                        gSBox[i * 2 + 1] = gMDS1[(P[P_11][b1] & 0xff) ^ getByte(k0, 1)];
                        gSBox[i * 2 + 0x200] = gMDS2[(P[P_21][b2] & 0xff) ^ getByte(k0, 2)];
                        gSBox[i * 2 + 0x201] = gMDS3[(P[P_31][b3] & 0xff) ^ getByte(k0, 3)];
                        break;
                    case 0:
                        /* 256 bits of key */
                        b0 = (P[P_04][b0] & 0xff) ^ getByte(k3, 0);
                        b1 = (P[P_14][b1] & 0xff) ^ getByte(k3, 1);
                        b2 = (P[P_24][b2] & 0xff) ^ getByte(k3, 2);
                        b3 = (P[P_34][b3] & 0xff) ^ getByte(k3, 3);
                    case 3:
                        b0 = (P[P_03][b0] & 0xff) ^ getByte(k2, 0);
                        b1 = (P[P_13][b1] & 0xff) ^ getByte(k2, 1);
                        b2 = (P[P_23][b2] & 0xff) ^ getByte(k2, 2);
                        b3 = (P[P_33][b3] & 0xff) ^ getByte(k2, 3);
                    case 2:
                        gSBox[i * 2] = gMDS0[(P[P_01]
                        [(P[P_02][b0] & 0xff) ^ getByte(k1, 0)] & 0xff) ^ getByte(k0, 0)];
                        gSBox[i * 2 + 1] = gMDS1[(P[P_11]
                        [(P[P_12][b1] & 0xff) ^ getByte(k1, 1)] & 0xff) ^ getByte(k0, 1)];
                        gSBox[i * 2 + 0x200] = gMDS2[(P[P_21]
                        [(P[P_22][b2] & 0xff) ^ getByte(k1, 2)] & 0xff) ^ getByte(k0, 2)];
                        gSBox[i * 2 + 0x201] = gMDS3[(P[P_31]
                        [(P[P_32][b3] & 0xff) ^ getByte(k1, 3)] & 0xff) ^ getByte(k0, 3)];
                        break;
                    }
                }
                return;
            },
            decryptBlock: function (M, offset) {
                var x2 = switchEndianness(M[offset]) ^ gSubKeys[4],
                    x3 = switchEndianness(M[offset + 1]) ^ gSubKeys[5],
                    x0 = switchEndianness(M[offset + 2]) ^ gSubKeys[6],
                    x1 = switchEndianness(M[offset + 3]) ^ gSubKeys[7],
                    k = 8 + 2 * 16 - 1,
                    t0, t1, r;
                for (r = 0; r < 16; r += 2) {
                    t0 = Fe32_0(x2);
                    t1 = Fe32_3(x3);
                    x1 ^= t0 + 2 * t1 + gSubKeys[k--];
                    x0 = (x0 << 1 | x0 >>> 31) ^ (t0 + t1 + gSubKeys[k--]);
                    x1 = x1 >>> 1 | x1 << 31;

                    t0 = Fe32_0(x0);
                    t1 = Fe32_3(x1);
                    x3 ^= t0 + 2 * t1 + gSubKeys[k--];
                    x2 = (x2 << 1 | x2 >>> 31) ^ (t0 + t1 + gSubKeys[k--]);
                    x3 = x3 >>> 1 | x3 << 31;
                }

                M[offset] = switchEndianness(x0 ^ gSubKeys[0]);
                M[offset + 1] = switchEndianness(x1 ^ gSubKeys[1]);
                M[offset + 2] = switchEndianness(x2 ^ gSubKeys[2]);
                M[offset + 3] = switchEndianness(x3 ^ gSubKeys[3]);
            },
            encryptBlock: function (M, offset) {
                var x0 = switchEndianness(M[offset]) ^ gSubKeys[0],
                    x1 = switchEndianness(M[offset + 1]) ^ gSubKeys[1],
                    x2 = switchEndianness(M[offset + 2]) ^ gSubKeys[2],
                    x3 = switchEndianness(M[offset + 3]) ^ gSubKeys[3],
                    k = 8,
                    t0, t1, r;
                for (r = 0; r < 16; r += 2) {
                    t0 = Fe32_0(x0);
                    t1 = Fe32_3(x1);
                    x2 ^= t0 + t1 + gSubKeys[k++];
                    x2 = x2 >>> 1 | x2 << 31;
                    x3 = (x3 << 1 | x3 >>> 31) ^ (t0 + 2 * t1 + gSubKeys[k++]);

                    t0 = Fe32_0(x2);
                    t1 = Fe32_3(x3);
                    x0 ^= t0 + t1 + gSubKeys[k++];
                    x0 = x0 >>> 1 | x0 << 31;
                    x1 = (x1 << 1 | x1 >>> 31) ^ (t0 + 2 * t1 + gSubKeys[k++]);
                }

                M[offset] = switchEndianness(x2 ^ gSubKeys[4]);
                M[offset + 1] = switchEndianness(x3 ^ gSubKeys[5]);
                M[offset + 2] = switchEndianness(x0 ^ gSubKeys[6]);
                M[offset + 3] = switchEndianness(x1 ^ gSubKeys[7]);
            }
        });

    /**
     * Shortcut functions to the cipher's object interface.
     *
     * @example
     *
     *     var ciphertext = CryptoJS.TwoFish.encrypt(message, key, cfg);
     *     var plaintext  = CryptoJS.TwoFish.decrypt(ciphertext, key, cfg);
     */
    C.TwoFish = BlockCipher._createHelper(TwoFish);

}());