#! /usr/bin/env tclsh

# Yea, another password manager. "Password--" it's called, because it's entirely stateless.
# Just takes a master password, a protocol, and a site, and spits out a password.

# 
# This file is part of the password--, version 2 distribution
# (https://gist.github.com/janicez/88a94def545f0447d63b2c5e1244d301).
# Copyright (c) 2016 Ellenor Malik, legal name "Jack Dennis Johnson". All rights reserved.
# 
# This file is free software - you may distribute it under the M.I.T. license.
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

package require Expect
package require base64
package require aes
package require sha256

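proc pad {origlen {mult 16}} {
 # Number of padding bytes that bring a message of origlen bytes up to
 # the next multiple of mult (default 16, the AES block size).
 # For a non-negative integer origlen the result is always in 1..mult:
 # an already aligned length gets a full extra block, PKCS#7-style.
 # The exprs are braced so the arguments are evaluated once as values
 # and never re-parsed as Tcl expression text.
 set blocks [expr {$origlen / $mult + 1}]
 set target [expr {$blocks * $mult}]
 return [expr {$target - $origlen}]
}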

proc encrypt {site pass} {
 # Version-2 derivation, used by mkpw2. Two AES-256-ECB stages:
 #  1. key1 = SHA-256("site:pass"); encd = AES-ECB(key1, SHA-256(pass))
 #  2. return encrypt-v1(padded site, encd), i.e. AES-ECB(SHA-256(encd), site)
 # Argument order is (site pass), the reverse of mkpw/mkpw2 - callers
 # must not be "tidied" to match without swapping here too.
 # The 16-byte third argument only satisfies ::aes::Init; ECB has no IV.
 set inited [::aes::Init ecb [::sha2::sha256 -bin -- [join [list $site $pass] ":"]] "aaaaaaaaaaaaaaaa"]
 # string length counts characters, not bytes; a non-ASCII site may be
 # padded to a non-block-aligned byte length - TODO confirm against aes.
 set padout [pad [string length $site]]
 # site is NUL-padded here AND again inside encrypt-v1, which always adds
 # 1..16 bytes, so a block-aligned site receives a further 16 NULs there.
 # Redundant but load-bearing: dropping either padding changes every
 # password derived by the v2 algorithm.
 append site [string repeat \0 $padout]
 set encd [::aes::Encrypt $inited [::sha2::sha256 -bin -- $pass]]
 ::aes::Final $inited
 # Same risk profile as encrypt-v1: ECB mode and keys that are a single
 # unsalted SHA-256 rather than a slow KDF, so a leaked site password
 # permits fast offline guessing of the master password.
 return [encrypt-v1 $site $encd]
}

proc encrypt-v1 {site pass} {
 # Version-1 derivation (mkpw) and second stage of the v2 derivation:
 # AES-256-ECB of site, NUL-padded to the next block boundary, under the
 # key SHA-256(pass). Returns the raw ciphertext bytes.
 # Risk notes, behaviour intentionally unchanged because output must stay
 # byte-stable for every password already derived with it:
 #  - ECB: equal 16-byte plaintext blocks give equal ciphertext blocks;
 #    the 16-byte third argument to ::aes::Init is not an IV in ECB.
 #  - the key is one unsalted SHA-256 of the master password, not a slow
 #    KDF, so a leaked site password allows fast offline guessing.
 #  - string length counts characters, so non-ASCII sites may end up with
 #    a non-block-aligned byte length - TODO confirm with the aes package.
 set key [::sha2::sha256 -bin -- $pass]
 set ctx [::aes::Init ecb $key "aaaaaaaaaaaaaaaa"]
 set padded $site
 append padded [string repeat \0 [pad [string length $site]]]
 set cipher [::aes::Encrypt $ctx $padded]
 ::aes::Final $ctx
 return $cipher
}

# Startup banner, printed once before the command loop prompts; flushed
# explicitly so it is visible even when stdout is buffered.
puts stdout "Welcome to passwordmm."
flush stdout

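proc exppw {questionString} {
 # Prompt for a secret on stdin with terminal echo turned off (stty is
 # the Expect command, see package require Expect above). Returns the
 # line read, or "" at end-of-file. A Tcl error raised by gets is
 # re-raised only after echo has been restored, so the terminal is not
 # left in no-echo mode for whatever the user types next.
 puts -nonewline stdout $questionString
 flush stdout
 stty -echo
 set rc [catch {gets stdin out} err]
 stty echo
 puts stdout ""
 if {$rc} {
  return -code error $err
 }
 return $out
}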

proc rdlin {questionString} {
 # Print a prompt without a trailing newline and return one line from
 # stdin (echo stays on). At end-of-file gets leaves the variable empty,
 # so "" comes back; callers that must tell EOF from an empty line
 # should test eof stdin afterwards.
 puts -nonewline stdout $questionString
 flush stdout
 set line ""
 gets stdin line
 return $line
}

proc mkpw {pass site} {
 # v1 site password: encrypt-v1 output, base64 on one line, then made
 # URL/filename-safe ('/' to '-', '+' to '_') with '=' padding removed.
 set raw [encrypt-v1 $site $pass]
 set b64 [::base64::encode -maxlen 0 -wrapchar "" $raw]
 return [string map {/ - + _ = {}} $b64]
}

proc mkpw2 {pass site} {
 # v2 site password: same encoding as mkpw ('/' to '-', '+' to '_',
 # '=' dropped) applied to the two-stage encrypt output.
 set raw [encrypt $site $pass]
 set b64 [::base64::encode -maxlen 0 -wrapchar "" $raw]
 return [string map {/ - + _ = {}} $b64]
}

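set done 0

# Interactive command loop. No command ever sets done to 1: the loop
# leaves via exit (quit) or break (end of input on stdin).
while {!$done} {
 set reqcmd [split [rdlin "pwmm> "] " "]
 # rdlin returns "" at end-of-file, which would otherwise re-print the
 # help text forever; stop cleanly instead.
 if {[eof stdin]} {
  puts stdout ""
  break
 }
 switch -nocase -- [format ":%s" [lindex $reqcmd 0]] {
  ":p" - ":sp" - ":pass" - ":sitepass" {
   # v1 algorithm (mkpw): p site ?proto? ?username?
   if {[llength $reqcmd] < 2} {
    puts stdout "Error: insufficient arguments."
    flush stdout
    puts stdout [format "usage: %s site ?proto? ?username? \[ignored...\]" [lindex $reqcmd 0]]
    flush stdout
    puts stdout "Asks password off command line with stty echo off."
    flush stdout
    puts stdout "Statelessly derives a fairly secure (but not excellent) password from a master password and site, protocol and username."
    flush stdout
    continue
   }
   # Derivation input is site, site:proto or site:proto:username;
   # any further words are ignored.
   switch -- [llength $reqcmd] {
    "2" {set site [lindex $reqcmd 1]}
    "3" {set site [lindex $reqcmd 1]; append site ":";append site [lindex $reqcmd 2]}
    "4" - default {set site [lindex $reqcmd 1]; append site ":";append site [lindex $reqcmd 2]; append site ":";append site [lindex $reqcmd 3]}
   }
   set master [exppw "master password?> "]
   # End-of-file at the password prompt: do not derive from an empty
   # master password, just leave.
   if {[eof stdin]} {
    break
   }
   set pw [mkpw $master $site]
   # Best effort only - Tcl cannot scrub string memory - but the secrets
   # are at least not kept reachable between commands.
   set master ""
   puts stdout [format "site password: %s" $pw]
   flush stdout
   set pw ""
  }
  ":t" - ":tp" - ":tsp" - ":truncpass" - ":truncsitepass" {
   # v2 algorithm (mkpw2): tp length site ?proto? ?username?
   if {[llength $reqcmd] < 3} {
    puts stdout "Error: insufficient arguments."
    flush stdout
    puts stdout [format "usage: %s length site ?proto? ?username? \[ignored...\]" [lindex $reqcmd 0]]
    flush stdout
    puts stdout "Asks password off command line with stty echo off."
    flush stdout
    puts stdout "Statelessly derives a fairly secure (but not excellent) password from a master password and site, protocol and username."
    flush stdout
    continue
   }
   set maxlength [lindex $reqcmd 1]
   # Validate the length before asking for the master password. A
   # non-integer used to reach expr below and abort the whole program
   # with an uncaught error; a length below 1 silently printed an empty
   # password. The spellings of "infinite" are matched case-sensitively,
   # exactly as before.
   set truncate 1
   switch -- $maxlength {
    i - in - inf - infi - infin - infini - infinit - infinity - infinite {
     set truncate 0
    }
    default {
     if {![string is integer -strict $maxlength] || $maxlength < 1} {
      puts stdout "Error: length must be a positive integer or 'inf'."
      flush stdout
      continue
     }
    }
   }
   # NOTE(review): copied from the p branch with the indexes shifted by
   # one but the case labels left alone, so the "2" case is unreachable
   # (llength is at least 3 here), "tp N site" derives from "site:" and
   # "tp N site proto" from "site:proto:". Deliberately NOT corrected:
   # fixing the labels would change every password already derived
   # through this command.
   switch -- [llength $reqcmd] {
    "2" {set site [lindex $reqcmd 2]}
    "3" {set site [lindex $reqcmd 2]; append site ":";append site [lindex $reqcmd 3]}
    "4" - default {set site [lindex $reqcmd 2]; append site ":";append site [lindex $reqcmd 3]; append site ":";append site [lindex $reqcmd 4]}
   }
   set master [exppw "master password?> "]
   if {[eof stdin]} {
    break
   }
   set pw [mkpw2 $master $site]
   set master ""
   if {$truncate} {
    puts stdout [format "site password: %s" [string range $pw 0 [expr {$maxlength - 1}] ]]
   } else {
    puts stdout [format "site password: %s" $pw]
   }
   flush stdout
   set pw ""
  }
  :q - :qu - :qui - :quit {puts stdout "Ja mata!"; exit}
  default {
   puts stdout "The only command is “p”, “sp”, “pass”, or “sitepass”. “quit” or shortenings thereof exit. “tp”, “tsp”, “truncpass”, “truncsitepass” truncate."
   puts stdout "usage: p site ?proto? ?username?"
   puts stdout "Asks password off command line with stty echo off."
   puts stdout "Statelessly derives a fairly secure (but not excellent) password from a master password and site, protocol and username. Uses the old algorithm."
   puts stdout "usage: tp length site ?proto? ?username?"
   puts stdout "Asks password off command line with stty echo off."
   puts stdout "Statelessly derives a fairly secure (but not excellent) password from a master password and site, protocol and username. Supports maximum length (which can be 'inf' for no maximum) and uses the new algorithm."
   flush stdout
  }
 }
}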