1(function(nacl) {
2'use strict';
3
4// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
5// Public domain.
6//
7// Implementation derived from TweetNaCl version 20140427.
8// See for details: http://tweetnacl.cr.yp.to/
9
// Allocates a 16-element Float64Array, the limb container that the *25519
// helpers in this file operate on. When `init` is given, its elements are
// copied into the leading limbs; the remaining limbs stay zero.
var gf = function(init) {
  var limbs = new Float64Array(16);
  if (init) {
    for (var idx = 0; idx < init.length; idx++) {
      limbs[idx] = init[idx];
    }
  }
  return limbs;
};
15
// Pluggable random-byte source; per the original note it is initialized in
// the high-level API below. Until then every call throws, so code that needs
// randomness fails loudly instead of proceeding without a PRNG.
var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };

// 16 zero bytes.
var _0 = new Uint8Array(16);
// 32 bytes with the value 9 in the first position, zero elsewhere.
var _9 = new Uint8Array(32);
_9[0] = 9;

// Field-element constants, one 16-bit limb per entry (least significant first).
var gf0 = gf();
var gf1 = gf([1]);
// 0xdb41 + 1 * 65536 = 121665.
var _121665 = gf([0xdb41, 1]);
// NOTE(review): D, D2, X, Y and I presumably are the Ed25519 curve constant,
// twice that constant, the base point coordinates and sqrt(-1), as in the
// TweetNaCl reference; confirm against the signing code later in the file.
var D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]);
var D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]);
var X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]);
var Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]);
var I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
30
// Stores a 64-bit value, given as two 32-bit halves, into x[i..i+7] in
// big-endian byte order: the high word `h` first, then the low word `l`.
function ts64(x, i, h, l) {
  for (var b = 0; b < 4; b++) {
    var shift = 24 - 8 * b;
    x[i + b] = (h >> shift) & 0xff;
    x[i + 4 + b] = (l >> shift) & 0xff;
  }
}
41
// Compares n bytes of x (from xi) with n bytes of y (from yi).
// Returns 0 when all bytes match and -1 otherwise.
//
// Every byte pair is folded into `diff` with no early exit, so the loop does
// the same work wherever the first mismatch sits. Callers must test the
// result against 0 explicitly: -1 (mismatch) is truthy and 0 (match) is falsy.
function vn(x, xi, y, yi, n) {
  var diff = 0;
  for (var j = 0; j < n; j++) {
    diff |= x[xi + j] ^ y[yi + j];
  }
  // diff == 0 -> (0 - 1) >>> 8 has bit 0 set -> 1 - 1 = 0
  // diff != 0 -> (diff - 1) >>> 8 is 0 for byte-sized diff -> 0 - 1 = -1
  return (1 & ((diff - 1) >>> 8)) - 1;
}
47
// 16-byte comparison via vn(): 0 when x[xi..xi+15] equals y[yi..yi+15],
// -1 otherwise. Check the result with `=== 0`.
function crypto_verify_16(x, xi, y, yi) {
  var LENGTH = 16;
  return vn(x, xi, y, yi, LENGTH);
}
51
// 32-byte comparison via vn(): 0 when x[xi..xi+31] equals y[yi..yi+31],
// -1 otherwise. Check the result with `=== 0`.
function crypto_verify_32(x, xi, y, yi) {
  var LENGTH = 32;
  return vn(x, xi, y, yi, LENGTH);
}
55
// Salsa20 core: writes one 64-byte block to o[0..63].
//   p - 16 input bytes, k - 32 key bytes, c - 16 constant bytes.
// The 16-word state is laid out as c0 k0..k3 c1 p0..p3 c2 k4..k7 c3, run
// through 10 double rounds, and the original input words are added back
// before the result is serialized little-endian.
// All inputs are read before o is written. Lengths are not checked: a
// missing element reads as undefined and is masked to 0.
function core_salsa20(o, p, k, c) {
  // Little-endian load of four bytes into a 32-bit word.
  function load32(src, at) {
    return src[at] & 0xff | (src[at + 1] & 0xff) << 8 |
           (src[at + 2] & 0xff) << 16 | (src[at + 3] & 0xff) << 24;
  }

  // Word indices (a, b, cc, d) of each quarter round: four column rounds
  // followed by four row rounds.
  var QUARTERS = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];

  var input = new Array(16), x = new Array(16);
  var w, q, round, u, qa, qb, qc, qd;

  for (w = 0; w < 4; w++) {
    input[5 * w] = load32(c, 4 * w);
    input[1 + w] = load32(k, 4 * w);
    input[6 + w] = load32(p, 4 * w);
    input[11 + w] = load32(k, 16 + 4 * w);
  }
  for (w = 0; w < 16; w++) x[w] = input[w];

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      qa = QUARTERS[q][0];
      qb = QUARTERS[q][1];
      qc = QUARTERS[q][2];
      qd = QUARTERS[q][3];

      u = x[qa] + x[qd] | 0;
      x[qb] ^= u << 7 | u >>> (32 - 7);
      u = x[qb] + x[qa] | 0;
      x[qc] ^= u << 9 | u >>> (32 - 9);
      u = x[qc] + x[qb] | 0;
      x[qd] ^= u << 13 | u >>> (32 - 13);
      u = x[qd] + x[qc] | 0;
      x[qa] ^= u << 18 | u >>> (32 - 18);
    }
  }

  // Feed-forward addition, then little-endian store.
  for (w = 0; w < 16; w++) {
    u = x[w] + input[w] | 0;
    o[4 * w] = u >>> 0 & 0xff;
    o[4 * w + 1] = u >>> 8 & 0xff;
    o[4 * w + 2] = u >>> 16 & 0xff;
    o[4 * w + 3] = u >>> 24 & 0xff;
  }
}
248
// HSalsa20 core: writes 32 bytes to o[0..31].
//   p - 16 input bytes, k - 32 key bytes, c - 16 constant bytes.
// Uses the same state layout and 10 double rounds as core_salsa20, but skips
// the final addition of the input words and emits only state words
// 0, 5, 10, 15, 6, 7, 8, 9 (little-endian).
// All inputs are read before o is written. Lengths are not checked: a
// missing element reads as undefined and is masked to 0.
function core_hsalsa20(o,p,k,c) {
  // Little-endian load of four bytes into a 32-bit word.
  function load32(src, at) {
    return src[at] & 0xff | (src[at + 1] & 0xff) << 8 |
           (src[at + 2] & 0xff) << 16 | (src[at + 3] & 0xff) << 24;
  }

  // Word indices (a, b, cc, d) of each quarter round: four column rounds
  // followed by four row rounds.
  var QUARTERS = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];
  // State words that make up the output, in output order.
  var OUTPUT_WORDS = [0, 5, 10, 15, 6, 7, 8, 9];

  var x = new Array(16);
  var w, q, round, u, qa, qb, qc, qd;

  for (w = 0; w < 4; w++) {
    x[5 * w] = load32(c, 4 * w);
    x[1 + w] = load32(k, 4 * w);
    x[6 + w] = load32(p, 4 * w);
    x[11 + w] = load32(k, 16 + 4 * w);
  }

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      qa = QUARTERS[q][0];
      qb = QUARTERS[q][1];
      qc = QUARTERS[q][2];
      qd = QUARTERS[q][3];

      u = x[qa] + x[qd] | 0;
      x[qb] ^= u << 7 | u >>> (32 - 7);
      u = x[qb] + x[qa] | 0;
      x[qc] ^= u << 9 | u >>> (32 - 9);
      u = x[qc] + x[qb] | 0;
      x[qd] ^= u << 13 | u >>> (32 - 13);
      u = x[qd] + x[qc] | 0;
      x[qa] ^= u << 18 | u >>> (32 - 18);
    }
  }

  for (w = 0; w < 8; w++) {
    u = x[OUTPUT_WORDS[w]];
    o[4 * w] = u >>> 0 & 0xff;
    o[4 * w + 1] = u >>> 8 & 0xff;
    o[4 * w + 2] = u >>> 16 & 0xff;
    o[4 * w + 3] = u >>> 24 & 0xff;
  }
}
385
// NaCl-style name for the Salsa20 core: fills out[0..63] from the 16-byte
// input `inp`, the 32-byte key `k` and the 16-byte constant `c`.
// Returns nothing.
function crypto_core_salsa20(out, inp, k, c) {
  core_salsa20(out, inp, k, c);
}
389
// NaCl-style name for the HSalsa20 core: fills out[0..31] from the 16-byte
// input `inp`, the 32-byte key `k` and the 16-byte constant `c`.
// Returns nothing.
function crypto_core_hsalsa20(out, inp, k, c) {
  core_hsalsa20(out, inp, k, c);
}
393
// Salsa20 constant: the ASCII bytes of "expand 32-byte k".
var sigma = new Uint8Array([
  101, 120, 112, 97,   // "expa"
  110, 100, 32, 51,    // "nd 3"
  50, 45, 98, 121,     // "2-by"
  116, 101, 32, 107    // "te k"
]);
396
// XORs b bytes of m (from mpos) with the Salsa20 keystream for the 8-byte
// nonce n and 32-byte key k, writing the result to c (from cpos).
// Always returns 0.
//
// The keystream depends only on (n, k), so encrypting two messages under the
// same pair XORs both with the same bytes; keeping (n, k) unique is left to
// the caller. Buffer lengths are not checked here.
function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
  // z[0..7] holds the nonce, z[8..15] a little-endian block counter from 0.
  var z = new Uint8Array(16);
  var block = new Uint8Array(64);
  var carry, j, take;

  for (j = 0; j < 8; j++) z[j] = n[j];

  while (b > 0) {
    crypto_core_salsa20(block, z, k, sigma);
    take = b < 64 ? b : 64;
    for (j = 0; j < take; j++) c[cpos + j] = m[mpos + j] ^ block[j];

    // Advance the block counter by one, propagating the carry byte by byte.
    carry = 1;
    for (j = 8; j < 16; j++) {
      carry = carry + (z[j] & 0xff) | 0;
      z[j] = carry & 0xff;
      carry >>>= 8;
    }

    b -= take;
    cpos += take;
    mpos += take;
  }
  return 0;
}
421
// Writes b bytes of raw Salsa20 keystream for the 8-byte nonce n and 32-byte
// key k into c, starting at cpos. Always returns 0.
// Buffer lengths are not checked here.
function crypto_stream_salsa20(c,cpos,b,n,k) {
  // z[0..7] holds the nonce, z[8..15] a little-endian block counter from 0.
  var z = new Uint8Array(16);
  var block = new Uint8Array(64);
  var carry, j, take;

  for (j = 0; j < 8; j++) z[j] = n[j];

  while (b > 0) {
    crypto_core_salsa20(block, z, k, sigma);
    take = b < 64 ? b : 64;
    for (j = 0; j < take; j++) c[cpos + j] = block[j];

    // Advance the block counter by one, propagating the carry byte by byte.
    carry = 1;
    for (j = 8; j < 16; j++) {
      carry = carry + (z[j] & 0xff) | 0;
      z[j] = carry & 0xff;
      carry >>>= 8;
    }

    b -= take;
    cpos += take;
  }
  return 0;
}
445
// Writes d bytes of keystream into c (from cpos) for a 24-byte nonce n and
// 32-byte key k. HSalsa20 turns k and n[0..15] into a 32-byte subkey, which
// then drives Salsa20 with n[16..23] as its 8-byte nonce.
// Returns the result of crypto_stream_salsa20.
// NOTE(review): the subkey buffer is not zeroed before returning.
function crypto_stream(c,cpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  var j;

  crypto_core_hsalsa20(subkey, n, k, sigma);
  for (j = 0; j < 8; j++) {
    tailNonce[j] = n[16 + j];
  }
  return crypto_stream_salsa20(c, cpos, d, tailNonce, subkey);
}
453
// XORs d bytes of m (from mpos) into c (from cpos) with the keystream for a
// 24-byte nonce n and 32-byte key k. HSalsa20 turns k and n[0..15] into a
// 32-byte subkey, which then drives Salsa20 with n[16..23] as its nonce.
// Returns the result of crypto_stream_salsa20_xor.
// NOTE(review): the subkey buffer is not zeroed before returning.
function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  var j;

  crypto_core_hsalsa20(subkey, n, k, sigma);
  for (j = 0; j < 8; j++) {
    tailNonce[j] = n[16 + j];
  }
  return crypto_stream_salsa20_xor(c, cpos, m, mpos, d, tailNonce, subkey);
}
461
462/*
463* Port of Andrew Moon's Poly1305-donna-16. Public domain.
464* https://github.com/floodyberry/poly1305-donna
465*/
466
// Poly1305 state for a single 32-byte one-time key.
//   key[0..15]  -> r, masked and split into ten 13-bit limbs
//   key[16..31] -> pad, eight 16-bit words added to the result in finish()
// h (the accumulator) starts at zero; buffer/leftover hold a partial block
// between update() calls and fin is set once the final block is processed.
// The key length is not checked: missing bytes read as 0.
var poly1305 = function(key) {
  this.buffer = new Uint8Array(16);
  this.r = new Uint16Array(10);
  this.h = new Uint16Array(10);
  this.pad = new Uint16Array(8);
  this.leftover = 0;
  this.fin = 0;

  // The key as sixteen little-endian 16-bit words.
  var w = new Array(16);
  var i;
  for (i = 0; i < 16; i++) {
    w[i] = key[2 * i] & 0xff | (key[2 * i + 1] & 0xff) << 8;
  }

  // Repack words 0..7 into 13-bit limbs; the narrower masks clear the key
  // bits that the limb layout requires to be zero in r.
  var r = this.r;
  r[0] = ( w[0]                        ) & 0x1fff;
  r[1] = ((w[0] >>> 13) | (w[1] <<  3)) & 0x1fff;
  r[2] = ((w[1] >>> 10) | (w[2] <<  6)) & 0x1f03;
  r[3] = ((w[2] >>>  7) | (w[3] <<  9)) & 0x1fff;
  r[4] = ((w[3] >>>  4) | (w[4] << 12)) & 0x00ff;
  r[5] = ((w[4] >>>  1)                ) & 0x1ffe;
  r[6] = ((w[4] >>> 14) | (w[5] <<  2)) & 0x1fff;
  r[7] = ((w[5] >>> 11) | (w[6] <<  5)) & 0x1f81;
  r[8] = ((w[6] >>>  8) | (w[7] <<  8)) & 0x1fff;
  r[9] = ((w[7] >>>  5)                ) & 0x007f;

  for (i = 0; i < 8; i++) {
    this.pad[i] = w[8 + i];
  }
};
497
// Absorbs whole 16-byte blocks of m, starting at mpos, into the accumulator:
// for each block, h = (h + block) * r, kept as ten 13-bit limbs.
//   m     - byte array to read from
//   mpos  - index of the first byte to read
//   bytes - number of bytes available; only multiples of 16 are consumed
//
// The loop body is straight-line arithmetic with no branches or table
// lookups on message or key values. Bounds are not checked: reading past
// the end of m yields undefined, which "& 0xff" turns into a zero byte, so a
// wrong length changes the tag silently instead of throwing.
poly1305.prototype.blocks = function(m, mpos, bytes) {
  // Bit 11 of the top limb (limb 9 starts at bit 117) is bit 128 of the
  // block. It is added to every block except after finish() has set fin,
  // where the padding byte written by finish() takes its place.
  var hibit = this.fin ? 0 : (1 << 11);
  var t0, t1, t2, t3, t4, t5, t6, t7, c;
  var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9;

  // Work on local copies; the results are written back after the loop.
  var h0 = this.h[0],
      h1 = this.h[1],
      h2 = this.h[2],
      h3 = this.h[3],
      h4 = this.h[4],
      h5 = this.h[5],
      h6 = this.h[6],
      h7 = this.h[7],
      h8 = this.h[8],
      h9 = this.h[9];

  var r0 = this.r[0],
      r1 = this.r[1],
      r2 = this.r[2],
      r3 = this.r[3],
      r4 = this.r[4],
      r5 = this.r[5],
      r6 = this.r[6],
      r7 = this.r[7],
      r8 = this.r[8],
      r9 = this.r[9];

  while (bytes >= 16) {
    // h += block: read eight little-endian 16-bit words and redistribute
    // them over the ten 13-bit limbs.
    t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0                     ) & 0x1fff;
    t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 <<  3)) & 0x1fff;
    t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 <<  6)) & 0x1fff;
    t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>>  7) | (t3 <<  9)) & 0x1fff;
    t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>>  4) | (t4 << 12)) & 0x1fff;
    h5 += ((t4 >>>  1)) & 0x1fff;
    t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 <<  2)) & 0x1fff;
    t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 <<  5)) & 0x1fff;
    t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>>  8) | (t7 <<  8)) & 0x1fff;
    h9 += ((t7 >>> 5)) | hibit;

    // h *= r: limb-by-limb products. A product whose limb index would land
    // at 10 or above wraps around to index - 10 multiplied by 5. Each d is
    // carried once midway and once at the end to keep the sums bounded.
    c = 0;

    d0 = c;
    d0 += h0 * r0;
    d0 += h1 * (5 * r9);
    d0 += h2 * (5 * r8);
    d0 += h3 * (5 * r7);
    d0 += h4 * (5 * r6);
    c = (d0 >>> 13); d0 &= 0x1fff;
    d0 += h5 * (5 * r5);
    d0 += h6 * (5 * r4);
    d0 += h7 * (5 * r3);
    d0 += h8 * (5 * r2);
    d0 += h9 * (5 * r1);
    c += (d0 >>> 13); d0 &= 0x1fff;

    d1 = c;
    d1 += h0 * r1;
    d1 += h1 * r0;
    d1 += h2 * (5 * r9);
    d1 += h3 * (5 * r8);
    d1 += h4 * (5 * r7);
    c = (d1 >>> 13); d1 &= 0x1fff;
    d1 += h5 * (5 * r6);
    d1 += h6 * (5 * r5);
    d1 += h7 * (5 * r4);
    d1 += h8 * (5 * r3);
    d1 += h9 * (5 * r2);
    c += (d1 >>> 13); d1 &= 0x1fff;

    d2 = c;
    d2 += h0 * r2;
    d2 += h1 * r1;
    d2 += h2 * r0;
    d2 += h3 * (5 * r9);
    d2 += h4 * (5 * r8);
    c = (d2 >>> 13); d2 &= 0x1fff;
    d2 += h5 * (5 * r7);
    d2 += h6 * (5 * r6);
    d2 += h7 * (5 * r5);
    d2 += h8 * (5 * r4);
    d2 += h9 * (5 * r3);
    c += (d2 >>> 13); d2 &= 0x1fff;

    d3 = c;
    d3 += h0 * r3;
    d3 += h1 * r2;
    d3 += h2 * r1;
    d3 += h3 * r0;
    d3 += h4 * (5 * r9);
    c = (d3 >>> 13); d3 &= 0x1fff;
    d3 += h5 * (5 * r8);
    d3 += h6 * (5 * r7);
    d3 += h7 * (5 * r6);
    d3 += h8 * (5 * r5);
    d3 += h9 * (5 * r4);
    c += (d3 >>> 13); d3 &= 0x1fff;

    d4 = c;
    d4 += h0 * r4;
    d4 += h1 * r3;
    d4 += h2 * r2;
    d4 += h3 * r1;
    d4 += h4 * r0;
    c = (d4 >>> 13); d4 &= 0x1fff;
    d4 += h5 * (5 * r9);
    d4 += h6 * (5 * r8);
    d4 += h7 * (5 * r7);
    d4 += h8 * (5 * r6);
    d4 += h9 * (5 * r5);
    c += (d4 >>> 13); d4 &= 0x1fff;

    d5 = c;
    d5 += h0 * r5;
    d5 += h1 * r4;
    d5 += h2 * r3;
    d5 += h3 * r2;
    d5 += h4 * r1;
    c = (d5 >>> 13); d5 &= 0x1fff;
    d5 += h5 * r0;
    d5 += h6 * (5 * r9);
    d5 += h7 * (5 * r8);
    d5 += h8 * (5 * r7);
    d5 += h9 * (5 * r6);
    c += (d5 >>> 13); d5 &= 0x1fff;

    d6 = c;
    d6 += h0 * r6;
    d6 += h1 * r5;
    d6 += h2 * r4;
    d6 += h3 * r3;
    d6 += h4 * r2;
    c = (d6 >>> 13); d6 &= 0x1fff;
    d6 += h5 * r1;
    d6 += h6 * r0;
    d6 += h7 * (5 * r9);
    d6 += h8 * (5 * r8);
    d6 += h9 * (5 * r7);
    c += (d6 >>> 13); d6 &= 0x1fff;

    d7 = c;
    d7 += h0 * r7;
    d7 += h1 * r6;
    d7 += h2 * r5;
    d7 += h3 * r4;
    d7 += h4 * r3;
    c = (d7 >>> 13); d7 &= 0x1fff;
    d7 += h5 * r2;
    d7 += h6 * r1;
    d7 += h7 * r0;
    d7 += h8 * (5 * r9);
    d7 += h9 * (5 * r8);
    c += (d7 >>> 13); d7 &= 0x1fff;

    d8 = c;
    d8 += h0 * r8;
    d8 += h1 * r7;
    d8 += h2 * r6;
    d8 += h3 * r5;
    d8 += h4 * r4;
    c = (d8 >>> 13); d8 &= 0x1fff;
    d8 += h5 * r3;
    d8 += h6 * r2;
    d8 += h7 * r1;
    d8 += h8 * r0;
    d8 += h9 * (5 * r9);
    c += (d8 >>> 13); d8 &= 0x1fff;

    d9 = c;
    d9 += h0 * r9;
    d9 += h1 * r8;
    d9 += h2 * r7;
    d9 += h3 * r6;
    d9 += h4 * r5;
    c = (d9 >>> 13); d9 &= 0x1fff;
    d9 += h5 * r4;
    d9 += h6 * r3;
    d9 += h7 * r2;
    d9 += h8 * r1;
    d9 += h9 * r0;
    c += (d9 >>> 13); d9 &= 0x1fff;

    // The carry out of the top limb wraps to limb 0 multiplied by 5
    // ((c << 2) + c), and one further carry goes into limb 1.
    c = (((c << 2) + c)) | 0;
    c = (c + d0) | 0;
    d0 = c & 0x1fff;
    c = (c >>> 13);
    d1 += c;

    h0 = d0;
    h1 = d1;
    h2 = d2;
    h3 = d3;
    h4 = d4;
    h5 = d5;
    h6 = d6;
    h7 = d7;
    h8 = d8;
    h9 = d9;

    mpos += 16;
    bytes -= 16;
  }
  // Persist the accumulator; this.h is a Uint16Array.
  this.h[0] = h0;
  this.h[1] = h1;
  this.h[2] = h2;
  this.h[3] = h3;
  this.h[4] = h4;
  this.h[5] = h5;
  this.h[6] = h6;
  this.h[7] = h7;
  this.h[8] = h8;
  this.h[9] = h9;
};
710
// Finalizes the MAC and writes the 16-byte tag to mac[macpos..macpos+15].
//   mac    - output byte array
//   macpos - index of the first tag byte
//
// this.h is overwritten with the repacked result along the way, so the
// instance no longer holds a usable accumulator afterwards.
poly1305.prototype.finish = function(mac, macpos) {
  var g = new Uint16Array(10);
  var c, mask, f, i;

  // Pad a trailing partial block with a single 1 byte followed by zeros.
  // fin = 1 makes blocks() skip its own high bit for this block.
  if (this.leftover) {
    i = this.leftover;
    this.buffer[i++] = 1;
    for (; i < 16; i++) this.buffer[i] = 0;
    this.fin = 1;
    this.blocks(this.buffer, 0, 16);
  }

  // Propagate carries through all limbs; the carry out of limb 9 wraps to
  // limb 0 multiplied by 5.
  c = this.h[1] >>> 13;
  this.h[1] &= 0x1fff;
  for (i = 2; i < 10; i++) {
    this.h[i] += c;
    c = this.h[i] >>> 13;
    this.h[i] &= 0x1fff;
  }
  this.h[0] += (c * 5);
  c = this.h[0] >>> 13;
  this.h[0] &= 0x1fff;
  this.h[1] += c;
  c = this.h[1] >>> 13;
  this.h[1] &= 0x1fff;
  this.h[2] += c;

  // g = h + 5, then bit 13 is subtracted from the top limb. c keeps the
  // carry out of g[9] from the addition.
  g[0] = this.h[0] + 5;
  c = g[0] >>> 13;
  g[0] &= 0x1fff;
  for (i = 1; i < 10; i++) {
    g[i] = this.h[i] + c;
    c = g[i] >>> 13;
    g[i] &= 0x1fff;
  }
  g[9] -= (1 << 13);

  // Branch-free select: c == 1 gives mask = -1 and keeps g, c == 0 gives
  // mask = 0 and keeps h. No conditional depends on the value of h.
  mask = (c ^ 1) - 1;
  for (i = 0; i < 10; i++) g[i] &= mask;
  mask = ~mask;
  for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i];

  // Repack the 13-bit limbs into eight 16-bit words (128 bits).
  this.h[0] = ((this.h[0]       ) | (this.h[1] << 13)                    ) & 0xffff;
  this.h[1] = ((this.h[1] >>>  3) | (this.h[2] << 10)                    ) & 0xffff;
  this.h[2] = ((this.h[2] >>>  6) | (this.h[3] <<  7)                    ) & 0xffff;
  this.h[3] = ((this.h[3] >>>  9) | (this.h[4] <<  4)                    ) & 0xffff;
  this.h[4] = ((this.h[4] >>> 12) | (this.h[5] <<  1) | (this.h[6] << 14)) & 0xffff;
  this.h[5] = ((this.h[6] >>>  2) | (this.h[7] << 11)                    ) & 0xffff;
  this.h[6] = ((this.h[7] >>>  5) | (this.h[8] <<  8)                    ) & 0xffff;
  this.h[7] = ((this.h[8] >>>  8) | (this.h[9] <<  5)                    ) & 0xffff;

  // Add pad (key bytes 16..31) word by word; the carry out of the last
  // word is dropped.
  f = this.h[0] + this.pad[0];
  this.h[0] = f & 0xffff;
  for (i = 1; i < 8; i++) {
    f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0;
    this.h[i] = f & 0xffff;
  }

  // Serialize the eight words little-endian.
  mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff;
  mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff;
  mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff;
  mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff;
  mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff;
  mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff;
  mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff;
  mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff;
  mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff;
  mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff;
  mac[macpos+10] = (this.h[5] >>> 0) & 0xff;
  mac[macpos+11] = (this.h[5] >>> 8) & 0xff;
  mac[macpos+12] = (this.h[6] >>> 0) & 0xff;
  mac[macpos+13] = (this.h[6] >>> 8) & 0xff;
  mac[macpos+14] = (this.h[7] >>> 0) & 0xff;
  mac[macpos+15] = (this.h[7] >>> 8) & 0xff;
};
786
// Feeds `bytes` bytes of m, starting at mpos, into the MAC. Input may arrive
// in pieces of any size: whole 16-byte blocks go straight to blocks(), and
// an incomplete tail is kept in this.buffer (this.leftover counts its bytes)
// until the next update() or finish().
poly1305.prototype.update = function(m, mpos, bytes) {
  var j, take;

  // Top up a partially filled buffer first.
  if (this.leftover) {
    take = 16 - this.leftover;
    if (take > bytes) {
      take = bytes;
    }
    for (j = 0; j < take; j++) {
      this.buffer[this.leftover + j] = m[mpos + j];
    }
    bytes -= take;
    mpos += take;
    this.leftover += take;
    if (this.leftover < 16) {
      return;
    }
    this.blocks(this.buffer, 0, 16);
    this.leftover = 0;
  }

  // Hash all whole blocks directly from the caller's array.
  if (bytes >= 16) {
    take = bytes - (bytes % 16);
    this.blocks(m, mpos, take);
    mpos += take;
    bytes -= take;
  }

  // Keep whatever is left for later.
  if (bytes) {
    for (j = 0; j < bytes; j++) {
      this.buffer[this.leftover + j] = m[mpos + j];
    }
    this.leftover += bytes;
  }
};
818
// Computes the Poly1305 tag of m[mpos..mpos+n-1] under the 32-byte key k and
// writes the 16 tag bytes to out[outpos..outpos+15]. Always returns 0.
// As the name says, the key is meant for a single message.
function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
  var state = new poly1305(k);
  state.update(m, mpos, n);
  state.finish(out, outpos);
  return 0;
}
825
// Recomputes the Poly1305 tag of m[mpos..mpos+n-1] under key k and compares
// it with the 16 bytes at h[hpos] using crypto_verify_16.
// Returns 0 when the tag matches and -1 otherwise; test with `=== 0`.
function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
  var expected = new Uint8Array(16);
  crypto_onetimeauth(expected, 0, m, mpos, n, k);
  return crypto_verify_16(h, hpos, expected, 0);
}
831
// Authenticated encryption of the d-byte buffer m into c with the 24-byte
// nonce n and 32-byte key k. Returns -1 when d < 32, otherwise 0.
//
// Layout: c[0..15] is zeroed, c[16..31] holds the Poly1305 tag and c[32..]
// the ciphertext. The tag key is taken from c[0..31] right after the XOR, so
// it equals the first 32 keystream bytes only when m[0..31] is all zero;
// that padding is the caller's job and is not checked here.
// The function has no way to detect a reused (n, k) pair.
function crypto_secretbox(c,m,d,n,k) {
  if (d < 32) {
    return -1;
  }
  crypto_stream_xor(c, 0, m, 0, d, n, k);
  // Key: c[0..31]; message: c[32..d-1]; tag written to c[16..31].
  crypto_onetimeauth(c, 16, c, 32, d - 32, c);
  for (var j = 0; j < 16; j++) {
    c[j] = 0;
  }
  return 0;
}
840
// Verifies and decrypts the d-byte box c into m with the 24-byte nonce n and
// 32-byte key k. Returns -1 when d < 32 or the tag does not verify,
// otherwise 0.
//
// The tag at c[16..31] is checked over c[32..] before any decryption takes
// place; on failure m is left untouched. On success m[0..31] is zeroed and
// the plaintext starts at m[32].
function crypto_secretbox_open(m,c,d,n,k) {
  var macKey = new Uint8Array(32);
  if (d < 32) {
    return -1;
  }
  // The first 32 keystream bytes are the one-time Poly1305 key.
  crypto_stream(macKey, 0, 32, n, k);
  if (crypto_onetimeauth_verify(c, 16, c, 32, d - 32, macKey) !== 0) {
    return -1;
  }
  crypto_stream_xor(m, 0, c, 0, d, n, k);
  for (var j = 0; j < 32; j++) {
    m[j] = 0;
  }
  return 0;
}
851
// Copies the 16 limbs of a into r, truncating each one to a 32-bit integer.
function set25519(r, a) {
  for (var limb = 0; limb < 16; limb++) {
    r[limb] = a[limb] | 0;
  }
}
856
// One carry pass over the 16 limbs of o, in place: each limb is brought back
// into [0, 65535] and its overflow moves to the next limb. The overflow of
// limb 15 is folded into limb 0 multiplied by 38 (written as 1 + 37).
// The +65535 bias together with the initial carry of 1 keeps the division
// operand non-negative for small negative limbs; it is undone by "c - 1".
function car25519(o) {
  var carry = 1;
  for (var limb = 0; limb < 16; limb++) {
    var biased = o[limb] + carry + 65535;
    carry = Math.floor(biased / 65536);
    o[limb] = biased - carry * 65536;
  }
  o[0] += carry - 1 + 37 * (carry - 1);
}
866
// Conditional swap of the 16 limbs of p and q: b = 1 swaps them, b = 0
// leaves both unchanged. The choice is applied through a bit mask rather
// than a branch, so the same operations run for either value of b.
function sel25519(p, q, b) {
  var mask = ~(b - 1);  // b = 1 -> all ones, b = 0 -> zero
  for (var limb = 0; limb < 16; limb++) {
    var delta = mask & (p[limb] ^ q[limb]);
    p[limb] ^= delta;
    q[limb] ^= delta;
  }
}
875
// Serializes the field element n into 32 little-endian bytes in o.
// n is copied and carried three times, then the value is conditionally
// replaced by (value - p) twice, with p given limb-wise as 0xffed,
// 0xffff x14, 0x7fff. The replacement goes through sel25519, i.e. a masked
// swap instead of a branch on the borrow.
function pack25519(o, n) {
  var trial = gf(), reduced = gf();
  var i, pass, borrow;

  for (i = 0; i < 16; i++) {
    reduced[i] = n[i];
  }
  car25519(reduced);
  car25519(reduced);
  car25519(reduced);

  for (pass = 0; pass < 2; pass++) {
    // trial = reduced - p, with the borrow carried in bit 16 of each limb.
    trial[0] = reduced[0] - 0xffed;
    for (i = 1; i < 15; i++) {
      trial[i] = reduced[i] - 0xffff - ((trial[i - 1] >> 16) & 1);
      trial[i - 1] &= 0xffff;
    }
    trial[15] = reduced[15] - 0x7fff - ((trial[14] >> 16) & 1);
    borrow = (trial[15] >> 16) & 1;
    trial[14] &= 0xffff;
    // No borrow means the subtraction did not go negative: keep trial.
    sel25519(reduced, trial, 1 - borrow);
  }

  for (i = 0; i < 16; i++) {
    o[2 * i] = reduced[i] & 0xff;
    o[2 * i + 1] = reduced[i] >> 8;
  }
}
899
// Compares two field elements through their packed 32-byte encodings, using
// crypto_verify_32. Returns 0 when they encode identically and -1 otherwise.
function neq25519(a, b) {
  var packedA = new Uint8Array(32);
  var packedB = new Uint8Array(32);
  pack25519(packedA, a);
  pack25519(packedB, b);
  return crypto_verify_32(packedA, 0, packedB, 0);
}
906
// Returns the lowest bit (0 or 1) of the packed encoding of field element a.
function par25519(a) {
  var packed = new Uint8Array(32);
  pack25519(packed, a);
  return packed[0] & 1;
}
912
// Loads 32 little-endian bytes from n into the 16 limbs of o, two bytes per
// limb, and clears the top bit of the last limb (bit 255 of the input).
function unpack25519(o, n) {
  for (var limb = 0; limb < 16; limb++) {
    var lo = n[2 * limb];
    var hi = n[2 * limb + 1];
    o[limb] = lo + (hi << 8);
  }
  o[15] &= 0x7fff;
}
918
// Limb-wise addition: o[i] = a[i] + b[i] for the 16 limbs. No carry or
// reduction is performed here.
function A(o, a, b) {
  var limb = 0;
  while (limb < 16) {
    o[limb] = a[limb] + b[limb];
    limb++;
  }
}
922
// Limb-wise subtraction: o[i] = a[i] - b[i] for the 16 limbs. Limbs may go
// negative; no borrow or reduction is performed here.
function Z(o, a, b) {
  var limb = 0;
  while (limb < 16) {
    o[limb] = a[limb] - b[limb];
    limb++;
  }
}
926
927function M(o, a, b) {
928  var v, c,
929     t0 = 0,  t1 = 0,  t2 = 0,  t3 = 0,  t4 = 0,  t5 = 0,  t6 = 0,  t7 = 0,
930     t8 = 0,  t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
931    t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
932    t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
933    b0 = b[0],
934    b1 = b[1],
935    b2 = b[2],
936    b3 = b[3],
937    b4 = b[4],
938    b5 = b[5],
939    b6 = b[6],
940    b7 = b[7],
941    b8 = b[8],
942    b9 = b[9],
943    b10 = b[10],
944    b11 = b[11],
945    b12 = b[12],
946    b13 = b[13],
947    b14 = b[14],
948    b15 = b[15];
949
950  v = a[0];
951  t0 += v * b0;
952  t1 += v * b1;
953  t2 += v * b2;
954  t3 += v * b3;
955  t4 += v * b4;
956  t5 += v * b5;
957  t6 += v * b6;
958  t7 += v * b7;
959  t8 += v * b8;
960  t9 += v * b9;
961  t10 += v * b10;
962  t11 += v * b11;
963  t12 += v * b12;
964  t13 += v * b13;
965  t14 += v * b14;
966  t15 += v * b15;
967  v = a[1];
968  t1 += v * b0;
969  t2 += v * b1;
970  t3 += v * b2;
971  t4 += v * b3;
972  t5 += v * b4;
973  t6 += v * b5;
974  t7 += v * b6;
975  t8 += v * b7;
976  t9 += v * b8;
977  t10 += v * b9;
978  t11 += v * b10;
979  t12 += v * b11;
980  t13 += v * b12;
981  t14 += v * b13;
982  t15 += v * b14;
983  t16 += v * b15;
984  v = a[2];
985  t2 += v * b0;
986  t3 += v * b1;
987  t4 += v * b2;
988  t5 += v * b3;
989  t6 += v * b4;
990  t7 += v * b5;
991  t8 += v * b6;
992  t9 += v * b7;
993  t10 += v * b8;
994  t11 += v * b9;
995  t12 += v * b10;
996  t13 += v * b11;
997  t14 += v * b12;
998  t15 += v * b13;
999  t16 += v * b14;
1000  t17 += v * b15;
1001  v = a[3];
1002  t3 += v * b0;
1003  t4 += v * b1;
1004  t5 += v * b2;
1005  t6 += v * b3;
1006  t7 += v * b4;
1007  t8 += v * b5;
1008  t9 += v * b6;
1009  t10 += v * b7;
1010  t11 += v * b8;
1011  t12 += v * b9;
1012  t13 += v * b10;
1013  t14 += v * b11;
1014  t15 += v * b12;
1015  t16 += v * b13;
1016  t17 += v * b14;
1017  t18 += v * b15;
1018  v = a[4];
1019  t4 += v * b0;
1020  t5 += v * b1;
1021  t6 += v * b2;
1022  t7 += v * b3;
1023  t8 += v * b4;
1024  t9 += v * b5;
1025  t10 += v * b6;
1026  t11 += v * b7;
1027  t12 += v * b8;
1028  t13 += v * b9;
1029  t14 += v * b10;
1030  t15 += v * b11;
1031  t16 += v * b12;
1032  t17 += v * b13;
1033  t18 += v * b14;
1034  t19 += v * b15;
1035  v = a[5];
1036  t5 += v * b0;
1037  t6 += v * b1;
1038  t7 += v * b2;
1039  t8 += v * b3;
1040  t9 += v * b4;
1041  t10 += v * b5;
1042  t11 += v * b6;
1043  t12 += v * b7;
1044  t13 += v * b8;
1045  t14 += v * b9;
1046  t15 += v * b10;
1047  t16 += v * b11;
1048  t17 += v * b12;
1049  t18 += v * b13;
1050  t19 += v * b14;
1051  t20 += v * b15;
1052  v = a[6];
1053  t6 += v * b0;
1054  t7 += v * b1;
1055  t8 += v * b2;
1056  t9 += v * b3;
1057  t10 += v * b4;
1058  t11 += v * b5;
1059  t12 += v * b6;
1060  t13 += v * b7;
1061  t14 += v * b8;
1062  t15 += v * b9;
1063  t16 += v * b10;
1064  t17 += v * b11;
1065  t18 += v * b12;
1066  t19 += v * b13;
1067  t20 += v * b14;
1068  t21 += v * b15;
1069  v = a[7];
1070  t7 += v * b0;
1071  t8 += v * b1;
1072  t9 += v * b2;
1073  t10 += v * b3;
1074  t11 += v * b4;
1075  t12 += v * b5;
1076  t13 += v * b6;
1077  t14 += v * b7;
1078  t15 += v * b8;
1079  t16 += v * b9;
1080  t17 += v * b10;
1081  t18 += v * b11;
1082  t19 += v * b12;
1083  t20 += v * b13;
1084  t21 += v * b14;
1085  t22 += v * b15;
1086  v = a[8];
1087  t8 += v * b0;
1088  t9 += v * b1;
1089  t10 += v * b2;
1090  t11 += v * b3;
1091  t12 += v * b4;
1092  t13 += v * b5;
1093  t14 += v * b6;
1094  t15 += v * b7;
1095  t16 += v * b8;
1096  t17 += v * b9;
1097  t18 += v * b10;
1098  t19 += v * b11;
1099  t20 += v * b12;
1100  t21 += v * b13;
1101  t22 += v * b14;
1102  t23 += v * b15;
1103  v = a[9];
1104  t9 += v * b0;
1105  t10 += v * b1;
1106  t11 += v * b2;
1107  t12 += v * b3;
1108  t13 += v * b4;
1109  t14 += v * b5;
1110  t15 += v * b6;
1111  t16 += v * b7;
1112  t17 += v * b8;
1113  t18 += v * b9;
1114  t19 += v * b10;
1115  t20 += v * b11;
1116  t21 += v * b12;
1117  t22 += v * b13;
1118  t23 += v * b14;
1119  t24 += v * b15;
1120  v = a[10];
1121  t10 += v * b0;
1122  t11 += v * b1;
1123  t12 += v * b2;
1124  t13 += v * b3;
1125  t14 += v * b4;
1126  t15 += v * b5;
1127  t16 += v * b6;
1128  t17 += v * b7;
1129  t18 += v * b8;
1130  t19 += v * b9;
1131  t20 += v * b10;
1132  t21 += v * b11;
1133  t22 += v * b12;
1134  t23 += v * b13;
1135  t24 += v * b14;
1136  t25 += v * b15;
1137  v = a[11];
1138  t11 += v * b0;
1139  t12 += v * b1;
1140  t13 += v * b2;
1141  t14 += v * b3;
1142  t15 += v * b4;
1143  t16 += v * b5;
1144  t17 += v * b6;
1145  t18 += v * b7;
1146  t19 += v * b8;
1147  t20 += v * b9;
1148  t21 += v * b10;
1149  t22 += v * b11;
1150  t23 += v * b12;
1151  t24 += v * b13;
1152  t25 += v * b14;
1153  t26 += v * b15;
1154  v = a[12];
1155  t12 += v * b0;
1156  t13 += v * b1;
1157  t14 += v * b2;
1158  t15 += v * b3;
1159  t16 += v * b4;
1160  t17 += v * b5;
1161  t18 += v * b6;
1162  t19 += v * b7;
1163  t20 += v * b8;
1164  t21 += v * b9;
1165  t22 += v * b10;
1166  t23 += v * b11;
1167  t24 += v * b12;
1168  t25 += v * b13;
1169  t26 += v * b14;
1170  t27 += v * b15;
1171  v = a[13];
1172  t13 += v * b0;
1173  t14 += v * b1;
1174  t15 += v * b2;
1175  t16 += v * b3;
1176  t17 += v * b4;
1177  t18 += v * b5;
1178  t19 += v * b6;
1179  t20 += v * b7;
1180  t21 += v * b8;
1181  t22 += v * b9;
1182  t23 += v * b10;
1183  t24 += v * b11;
1184  t25 += v * b12;
1185  t26 += v * b13;
1186  t27 += v * b14;
1187  t28 += v * b15;
1188  v = a[14];
1189  t14 += v * b0;
1190  t15 += v * b1;
1191  t16 += v * b2;
1192  t17 += v * b3;
1193  t18 += v * b4;
1194  t19 += v * b5;
1195  t20 += v * b6;
1196  t21 += v * b7;
1197  t22 += v * b8;
1198  t23 += v * b9;
1199  t24 += v * b10;
1200  t25 += v * b11;
1201  t26 += v * b12;
1202  t27 += v * b13;
1203  t28 += v * b14;
1204  t29 += v * b15;
1205  v = a[15];
1206  t15 += v * b0;
1207  t16 += v * b1;
1208  t17 += v * b2;
1209  t18 += v * b3;
1210  t19 += v * b4;
1211  t20 += v * b5;
1212  t21 += v * b6;
1213  t22 += v * b7;
1214  t23 += v * b8;
1215  t24 += v * b9;
1216  t25 += v * b10;
1217  t26 += v * b11;
1218  t27 += v * b12;
1219  t28 += v * b13;
1220  t29 += v * b14;
1221  t30 += v * b15;
1222
1223  t0  += 38 * t16;
1224  t1  += 38 * t17;
1225  t2  += 38 * t18;
1226  t3  += 38 * t19;
1227  t4  += 38 * t20;
1228  t5  += 38 * t21;
1229  t6  += 38 * t22;
1230  t7  += 38 * t23;
1231  t8  += 38 * t24;
1232  t9  += 38 * t25;
1233  t10 += 38 * t26;
1234  t11 += 38 * t27;
1235  t12 += 38 * t28;
1236  t13 += 38 * t29;
1237  t14 += 38 * t30;
1238  // t15 left as is
1239
1240  // first car
1241  c = 1;
1242  v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;
1243  v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;
1244  v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;
1245  v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;
1246  v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;
1247  v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;
1248  v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;
1249  v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;
1250  v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;
1251  v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;
1252  v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1253  v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1254  v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1255  v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1256  v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1257  v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1258  t0 += c-1 + 37 * (c-1);
1259
1260  // second car
1261  c = 1;
1262  v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;
1263  v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;
1264  v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;
1265  v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;
1266  v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;
1267  v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;
1268  v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;
1269  v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;
1270  v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;
1271  v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;
1272  v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1273  v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1274  v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1275  v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1276  v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1277  v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1278  t0 += c-1 + 37 * (c-1);
1279
1280  o[ 0] = t0;
1281  o[ 1] = t1;
1282  o[ 2] = t2;
1283  o[ 3] = t3;
1284  o[ 4] = t4;
1285  o[ 5] = t5;
1286  o[ 6] = t6;
1287  o[ 7] = t7;
1288  o[ 8] = t8;
1289  o[ 9] = t9;
1290  o[10] = t10;
1291  o[11] = t11;
1292  o[12] = t12;
1293  o[13] = t13;
1294  o[14] = t14;
1295  o[15] = t15;
1296}
1297
/**
 * Field squaring: writes a * a into o.
 * Implemented by handing the same operand to the multiplier M twice.
 */
function S(o, a) {
  var operand = a;
  M(o, operand, operand);
}
1301
/**
 * Field inversion by exponentiation: o = i^(2^255 - 21).
 *
 * The accumulator starts as a copy of i and is squared 254 times; after
 * each squaring it is multiplied by i, except at exponent bits 2 and 4.
 * The sequence of S/M calls depends only on the loop counter, never on
 * the value of i. o may be the same array as i, because the result is
 * copied out only after the loop has finished reading i.
 */
function inv25519(o, i) {
  var acc = gf();
  var k;
  var bit = 253;
  for (k = 0; k < 16; k++) acc[k] = i[k];
  while (bit >= 0) {
    S(acc, acc);
    if (!(bit === 2 || bit === 4)) M(acc, acc, i);
    bit--;
  }
  for (k = 0; k < 16; k++) o[k] = acc[k];
}
1312
/**
 * Fixed-exponent power: o = i^(2^252 - 3).
 *
 * Same square-and-multiply shape as inv25519, with 251 squarings and the
 * multiplication skipped only at exponent bit 1. The control flow depends
 * on the loop counter alone. o may alias i.
 */
function pow2523(o, i) {
  var acc = gf();
  var k;
  var bit = 250;
  for (k = 0; k < 16; k++) acc[k] = i[k];
  while (bit >= 0) {
    S(acc, acc);
    if (bit !== 1) M(acc, acc, i);
    bit--;
  }
  for (k = 0; k < 16; k++) o[k] = acc[k];
}
1323
/**
 * Scalar multiplication: writes the packed result of scalar n applied to
 * the packed point p into q (32 bytes each).
 *
 * The scalar is copied and clamped before use; n itself is not modified.
 * The main loop runs exactly 255 iterations and executes the same field
 * operations on every iteration; the scalar bit r is only passed to
 * sel25519 (defined elsewhere; presumably a branch-free conditional
 * swap, confirm there).
 *
 * NOTE(review): the function always returns 0. It does not reject inputs
 * for which q comes out all-zero, so a caller that needs that guarantee
 * has to inspect q itself. The clamped scalar copy z and the working
 * buffers are not zeroed before returning.
 */
function crypto_scalarmult(q, n, p) {
  var z = new Uint8Array(32);
  var x = new Float64Array(80), r, i;
  var a = gf(), b = gf(), c = gf(),
      d = gf(), e = gf(), f = gf();
  // Clamp a private copy of the scalar: clear bit 255, set bit 254,
  // clear the three lowest bits.
  for (i = 0; i < 31; i++) z[i] = n[i];
  z[31]=(n[31]&127)|64;
  z[0]&=248;
  // x[0..15] receives the unpacked input coordinate.
  unpack25519(x,p);
  for (i = 0; i < 16; i++) {
    b[i]=x[i];
    d[i]=a[i]=c[i]=0;
  }
  a[0]=d[0]=1;
  // Ladder over scalar bits 254 down to 0; each step is bracketed by a
  // pair of sel25519 calls keyed on the current bit.
  for (i=254; i>=0; --i) {
    r=(z[i>>>3]>>>(i&7))&1;
    sel25519(a,b,r);
    sel25519(c,d,r);
    A(e,a,c);
    Z(a,a,c);
    A(c,b,d);
    Z(b,b,d);
    S(d,e);
    S(f,a);
    M(a,c,a);
    M(c,b,e);
    A(e,a,c);
    Z(a,a,c);
    S(b,a);
    Z(c,d,f);
    M(a,c,_121665);
    A(a,a,d);
    M(c,c,a);
    M(a,d,f);
    M(d,b,x);
    S(b,e);
    sel25519(a,b,r);
    sel25519(c,d,r);
  }
  // Stash the ladder state in the upper part of x so the subarray views
  // below can be used as in-place operands.
  for (i = 0; i < 16; i++) {
    x[i+16]=a[i];
    x[i+32]=c[i];
    x[i+48]=b[i];
    x[i+64]=d[i];
  }
  var x32 = x.subarray(32);
  var x16 = x.subarray(16);
  // result = a * c^-1, then pack into q.
  inv25519(x32,x32);
  M(x16,x16,x32);
  pack25519(q,x16);
  return 0;
}
1376
/**
 * Scalar multiplication with the fixed base point _9 (a 32-byte array
 * whose first byte is 9). Writes the result into q and returns whatever
 * crypto_scalarmult returns.
 */
function crypto_scalarmult_base(q, n) {
  var status = crypto_scalarmult(q, n, _9);
  return status;
}
1380
/**
 * Generates a box key pair: fills x (secret key) with 32 bytes from the
 * pluggable randombytes source, then derives the public key y from it.
 *
 * randombytes throws 'no PRNG' until the high-level API installs a real
 * generator, so this never runs with an unset source.
 */
function crypto_box_keypair(y, x) {
  var SECRET_LEN = 32;
  randombytes(x, SECRET_LEN);
  var status = crypto_scalarmult_base(y, x);
  return status;
}
1385
/**
 * Precomputes the shared box key k from the peer's public key y and our
 * secret key x: a scalar multiplication followed by crypto_core_hsalsa20
 * with the all-zero 16-byte input _0 and the constant sigma.
 *
 * NOTE(review): the raw scalar-multiplication output is held in a local
 * buffer that is not zeroed before returning, and it is not checked for
 * the all-zero value.
 */
function crypto_box_beforenm(k, y, x) {
  var shared = new Uint8Array(32);
  crypto_scalarmult(shared, x, y);
  var status = crypto_core_hsalsa20(k, _0, shared, sigma);
  return status;
}
1391
// Once the shared key has been precomputed, box encryption and opening
// are the secretbox functions under that key, so these are plain aliases.
var crypto_box_afternm = crypto_secretbox;
var crypto_box_open_afternm = crypto_secretbox_open;
1394
/**
 * One-shot public-key encryption: derives the shared key from public key
 * y and secret key x, then encrypts m (length d) into c under nonce n.
 * Returns the result of crypto_box_afternm.
 *
 * The derived key lives in a local buffer that is not zeroed afterwards.
 */
function crypto_box(c, m, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  var status = crypto_box_afternm(c, m, d, n, sharedKey);
  return status;
}
1400
/**
 * One-shot public-key decryption: derives the shared key from public key
 * y and secret key x, then opens c (length d) into m under nonce n.
 * Returns the result of crypto_box_open_afternm; callers must check it
 * before trusting the contents of m.
 *
 * The derived key lives in a local buffer that is not zeroed afterwards.
 */
function crypto_box_open(m, c, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  var status = crypto_box_open_afternm(m, c, d, n, sharedKey);
  return status;
}
1406
// SHA-512 round constants. Each 64-bit constant is stored as two 32-bit
// words, high word first: round i uses K[2*i] (high) and K[2*i+1] (low),
// giving 160 entries for the 80 rounds in crypto_hashblocks_hl.
var K = [
  0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
  0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
  0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
  0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
  0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
  0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
  0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
  0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
  0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
  0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
  0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
  0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
  0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
  0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
  0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
  0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
  0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
  0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
  0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
  0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
  0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
  0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
  0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
  0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
  0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
  0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
  0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
  0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
  0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
  0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
  0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
  0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
  0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
  0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
  0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
  0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
  0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
  0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
  0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
  0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
];
1449
/**
 * Hash compression over whole 128-byte blocks, with every 64-bit word
 * kept as a pair of 32-bit integers (high half in the *h variable, low
 * half in the *l variable).
 *
 * hh / hl hold the high and low halves of the eight state words and are
 * updated in place after each block. m is read as big-endian 64-bit
 * words starting at offset 0. Blocks are consumed while n >= 128; the
 * number of unprocessed trailing bytes is returned.
 *
 * 64-bit additions are done on four 16-bit limbs (a, b, c, d from least
 * to most significant) that accumulate several addends before a single
 * carry pass. The work per block is fixed: there are no branches or
 * table indices that depend on the message bytes.
 */
function crypto_hashblocks_hl(hh, hl, m, n) {
  var wh = new Int32Array(16), wl = new Int32Array(16),
      bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
      bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
      th, tl, i, j, h, l, a, b, c, d;

  // Working copy of the state (high halves, then low halves).
  var ah0 = hh[0],
      ah1 = hh[1],
      ah2 = hh[2],
      ah3 = hh[3],
      ah4 = hh[4],
      ah5 = hh[5],
      ah6 = hh[6],
      ah7 = hh[7],

      al0 = hl[0],
      al1 = hl[1],
      al2 = hl[2],
      al3 = hl[3],
      al4 = hl[4],
      al5 = hl[5],
      al6 = hl[6],
      al7 = hl[7];

  var pos = 0;
  while (n >= 128) {
    // Load the 16 message words of this block, big-endian.
    for (i = 0; i < 16; i++) {
      j = 8 * i + pos;
      wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
      wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
    }
    // 80 rounds; the 16-entry schedule window is refreshed every 16.
    for (i = 0; i < 80; i++) {
      bh0 = ah0;
      bh1 = ah1;
      bh2 = ah2;
      bh3 = ah3;
      bh4 = ah4;
      bh5 = ah5;
      bh6 = ah6;
      bh7 = ah7;

      bl0 = al0;
      bl1 = al1;
      bl2 = al2;
      bl3 = al3;
      bl4 = al4;
      bl5 = al5;
      bl6 = al6;
      bl7 = al7;

      // add
      h = ah7;
      l = al7;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      // Sigma1
      h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
      l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Ch
      h = (ah4 & ah5) ^ (~ah4 & ah6);
      l = (al4 & al5) ^ (~al4 & al6);

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // K
      h = K[i*2];
      l = K[i*2+1];

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // w
      h = wh[i%16];
      l = wl[i%16];

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Carry pass over the four limbs, then repack into th:tl.
      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      th = c & 0xffff | d << 16;
      tl = a & 0xffff | b << 16;

      // add
      h = th;
      l = tl;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      // Sigma0
      h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
      l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Maj
      h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
      l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      bh7 = (c & 0xffff) | (d << 16);
      bl7 = (a & 0xffff) | (b << 16);

      // add
      h = bh3;
      l = bl3;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      h = th;
      l = tl;

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      bh3 = (c & 0xffff) | (d << 16);
      bl3 = (a & 0xffff) | (b << 16);

      // Rotate the working variables by one position for the next round.
      ah1 = bh0;
      ah2 = bh1;
      ah3 = bh2;
      ah4 = bh3;
      ah5 = bh4;
      ah6 = bh5;
      ah7 = bh6;
      ah0 = bh7;

      al1 = bl0;
      al2 = bl1;
      al3 = bl2;
      al4 = bl3;
      al5 = bl4;
      al6 = bl5;
      al7 = bl6;
      al0 = bl7;

      // After every 16th round, extend the message schedule in place:
      // w[j] += w[j+9] + sigma0(w[j+1]) + sigma1(w[j+14]), indices mod 16.
      if (i%16 === 15) {
        for (j = 0; j < 16; j++) {
          // add
          h = wh[j];
          l = wl[j];

          a = l & 0xffff; b = l >>> 16;
          c = h & 0xffff; d = h >>> 16;

          h = wh[(j+9)%16];
          l = wl[(j+9)%16];

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          // sigma0
          th = wh[(j+1)%16];
          tl = wl[(j+1)%16];
          h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
          l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          // sigma1
          th = wh[(j+14)%16];
          tl = wl[(j+14)%16];
          h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
          l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          b += a >>> 16;
          c += b >>> 16;
          d += c >>> 16;

          wh[j] = (c & 0xffff) | (d << 16);
          wl[j] = (a & 0xffff) | (b << 16);
        }
      }
    }

    // Feed-forward: add the block's result to each of the eight state
    // words and store it back into hh / hl.
    // add
    h = ah0;
    l = al0;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[0];
    l = hl[0];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[0] = ah0 = (c & 0xffff) | (d << 16);
    hl[0] = al0 = (a & 0xffff) | (b << 16);

    h = ah1;
    l = al1;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[1];
    l = hl[1];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[1] = ah1 = (c & 0xffff) | (d << 16);
    hl[1] = al1 = (a & 0xffff) | (b << 16);

    h = ah2;
    l = al2;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[2];
    l = hl[2];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[2] = ah2 = (c & 0xffff) | (d << 16);
    hl[2] = al2 = (a & 0xffff) | (b << 16);

    h = ah3;
    l = al3;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[3];
    l = hl[3];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[3] = ah3 = (c & 0xffff) | (d << 16);
    hl[3] = al3 = (a & 0xffff) | (b << 16);

    h = ah4;
    l = al4;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[4];
    l = hl[4];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[4] = ah4 = (c & 0xffff) | (d << 16);
    hl[4] = al4 = (a & 0xffff) | (b << 16);

    h = ah5;
    l = al5;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[5];
    l = hl[5];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[5] = ah5 = (c & 0xffff) | (d << 16);
    hl[5] = al5 = (a & 0xffff) | (b << 16);

    h = ah6;
    l = al6;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[6];
    l = hl[6];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[6] = ah6 = (c & 0xffff) | (d << 16);
    hl[6] = al6 = (a & 0xffff) | (b << 16);

    h = ah7;
    l = al7;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[7];
    l = hl[7];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[7] = ah7 = (c & 0xffff) | (d << 16);
    hl[7] = al7 = (a & 0xffff) | (b << 16);

    pos += 128;
    n -= 128;
  }

  return n;
}
1810
/**
 * SHA-512 of the first n bytes of m, written to out (64 bytes).
 *
 * Whole 128-byte blocks are compressed straight from m. The remaining
 * bytes are copied into a zeroed scratch buffer, followed by the 0x80
 * marker and the message length in bits in the last 8 bytes of the final
 * block; that final block is the first 128 bytes of scratch when the
 * tail is shorter than 112 bytes, otherwise scratch spans two blocks.
 * Always returns 0.
 */
function crypto_hash(out, m, n) {
  // Initial state, high and low 32-bit halves of each 64-bit word. The
  // typed-array constructor applies the same int32 wrap as assignment.
  var hh = new Int32Array([
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
  ]);
  var hl = new Int32Array([
    0xf3bcc908, 0x84caa73b, 0xfe94f82b, 0x5f1d36f1,
    0xade682d1, 0x2b3e6c1f, 0xfb41bd6b, 0x137e2179
  ]);
  var scratch = new Uint8Array(256);
  var total = n;
  var k;

  crypto_hashblocks_hl(hh, hl, m, n);

  var tail = n % 128;
  for (k = 0; k < tail; k++) scratch[k] = m[total - tail + k];
  scratch[tail] = 128;

  var padded = tail < 112 ? 128 : 256;
  scratch[padded - 9] = 0;
  // Bit length = total * 8, split into high and low 32-bit words.
  ts64(scratch, padded - 8, (total / 0x20000000) | 0, total << 3);
  crypto_hashblocks_hl(hh, hl, scratch, padded);

  for (k = 0; k < 8; k++) ts64(out, 8 * k, hh[k], hl[k]);

  return 0;
}
1850
/**
 * Point addition: p = p + q.
 *
 * p and q are arrays of four field elements. scalarbase builds such a
 * point as [x, y, 1, x*y], so the four slots are presumably extended
 * coordinates (X, Y, Z, T); confirm against the curve documentation.
 *
 * q is only read. All reads of p and q happen before the four final
 * writes, so calling add(p, p) to double a point is safe. The same
 * operations run for every input; there is no data-dependent branch.
 */
function add(p, q) {
  var a = gf(), b = gf(), c = gf(),
      d = gf(), e = gf(), f = gf(),
      g = gf(), h = gf(), t = gf();

  Z(a, p[1], p[0]);
  Z(t, q[1], q[0]);
  M(a, a, t);
  A(b, p[0], p[1]);
  A(t, q[0], q[1]);
  M(b, b, t);
  M(c, p[3], q[3]);
  M(c, c, D2);
  M(d, p[2], q[2]);
  A(d, d, d);
  Z(e, b, a);
  Z(f, d, c);
  A(g, d, c);
  A(h, b, a);

  // Results are written only now, from temporaries.
  M(p[0], e, f);
  M(p[1], h, g);
  M(p[2], g, f);
  M(p[3], e, h);
}
1876
/**
 * Applies sel25519 to each of the four coordinate pairs of points p and
 * q with selector b. sel25519 is defined elsewhere; presumably it swaps
 * the two elements when b is 1 without branching on b (confirm there).
 */
function cswap(p, q, b) {
  var k = 0;
  while (k < 4) {
    sel25519(p[k], q[k], b);
    k += 1;
  }
}
1883
/**
 * Encodes point p into the 32-byte array r: both coordinates are divided
 * by p[2], the second one is packed into r, and the value returned by
 * par25519 for the first one is XORed into the top bit of r[31].
 */
function pack(r, p) {
  var zInv = gf();
  var affineX = gf();
  var affineY = gf();
  inv25519(zInv, p[2]);
  M(affineX, p[0], zInv);
  M(affineY, p[1], zInv);
  pack25519(r, affineY);
  r[31] = r[31] ^ (par25519(affineX) << 7);
}
1892
/**
 * Point scalar multiplication: p = s * q, with s read as 256 bits from
 * the first 32 bytes of s (least significant bit of s[0] is bit 0).
 *
 * p is first set to [0, 1, 1, 0]. Every one of the 256 iterations does
 * the same work (swap, add, double, swap); the scalar bit is only passed
 * to cswap as the selector. q is used as working storage and is
 * overwritten.
 */
function scalarmult(p, q, s) {
  var idx = 255;
  var bit;
  set25519(p[0], gf0);
  set25519(p[1], gf1);
  set25519(p[2], gf1);
  set25519(p[3], gf0);
  while (idx >= 0) {
    bit = (s[idx >>> 3] >> (idx & 7)) & 1;
    cswap(p, q, bit);
    add(q, p);
    add(p, p);
    cswap(p, q, bit);
    idx--;
  }
}
1907
/**
 * Fixed-base scalar multiplication: p = s * B, where B is built from the
 * module constants X and Y as [X, Y, 1, X*Y]. A fresh copy of B is made
 * on every call because scalarmult overwrites its point argument.
 */
function scalarbase(p, s) {
  var base = [gf(), gf(), gf(), gf()];
  set25519(base[0], X);
  set25519(base[1], Y);
  set25519(base[2], gf1);
  M(base[3], X, Y);
  scalarmult(p, base, s);
}
1916
/**
 * Generates a signing key pair.
 *
 * sk is a 64-byte array: bytes 0..31 are the seed, bytes 32..63 receive
 * a copy of the public key. When seeded is falsy the seed is drawn from
 * randombytes; otherwise the caller must already have placed it in
 * sk[0..31]. pk receives the 32-byte public key. Always returns 0.
 *
 * The seed hash, which contains the clamped secret scalar, is kept in a
 * local buffer that is not zeroed before returning.
 */
function crypto_sign_keypair(pk, sk, seeded) {
  var digest = new Uint8Array(64);
  var point = [gf(), gf(), gf(), gf()];
  var k;

  if (!seeded) randombytes(sk, 32);
  crypto_hash(digest, sk, 32);
  // Clamp the scalar half of the digest.
  digest[0] &= 248;
  digest[31] = (digest[31] & 127) | 64;

  scalarbase(point, digest);
  pack(pk, point);

  for (k = 0; k < 32; k++) sk[32 + k] = pk[k];
  return 0;
}
1934
// Group order used by modL, as 32 little-endian bytes (one byte per
// Float64 slot so the arithmetic in modL stays in floating point).
var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
1936
/**
 * Reduces the 64-limb little-endian value in x modulo L and writes the
 * 32-byte result to r.
 *
 * x is used as working storage and is left modified. The loop bounds are
 * fixed, so the amount of work does not depend on the value being
 * reduced.
 */
function modL(r, x) {
  var carry, i, j, k;
  // Fold limbs 63..32 down into the lower limbs, one limb at a time.
  for (i = 63; i >= 32; --i) {
    carry = 0;
    for (j = i - 32, k = i - 12; j < k; ++j) {
      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
      carry = (x[j] + 128) >> 8;
      x[j] -= carry * 256;
    }
    x[j] += carry;
    x[i] = 0;
  }
  // Subtract a multiple of L taken from the top four bits of limb 31.
  carry = 0;
  for (j = 0; j < 32; j++) {
    x[j] += carry - (x[31] >> 4) * L[j];
    carry = x[j] >> 8;
    x[j] &= 255;
  }
  // Correct with the final carry, then normalise to bytes.
  for (j = 0; j < 32; j++) x[j] -= carry * L[j];
  for (i = 0; i < 32; i++) {
    x[i+1] += x[i] >> 8;
    r[i] = x[i] & 255;
  }
}
1961
/**
 * Reduces the 64-byte value in r modulo L in place: the bytes are moved
 * into a Float64 working array, r is cleared, and modL writes the 32-byte
 * result back into r[0..31] (r[32..63] stay zero).
 */
function reduce(r) {
  var wide = new Float64Array(64);
  var k;
  for (k = 0; k < 64; k++) {
    wide[k] = r[k];
    r[k] = 0;
  }
  modL(r, wide);
}
1968
1969// Note: difference from C - smlen returned, not passed as argument.
/**
 * Signs the first n bytes of m with the 64-byte secret key sk and writes
 * signature followed by message into sm. Returns the signed-message
 * length, n + 64; sm must have room for that many bytes.
 *
 * The per-signature scalar r is derived by hashing the second half of
 * the seed hash together with the message, so signing draws nothing from
 * randombytes and is deterministic for a given key and message.
 *
 * NOTE(review): d, r and x hold secret-derived values and are not zeroed
 * before returning. sk[32..63] is trusted to be the matching public key;
 * nothing here verifies that.
 */
function crypto_sign(sm, m, n, sk) {
  var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
  var i, j, x = new Float64Array(64);
  var p = [gf(), gf(), gf(), gf()];

  // d = hash(seed); the first half is clamped and used as the scalar.
  crypto_hash(d, sk, 32);
  d[0] &= 248;
  d[31] &= 127;
  d[31] |= 64;

  var smlen = n + 64;
  // Lay out sm[32..] = d[32..63] || m, the input for the nonce hash.
  for (i = 0; i < n; i++) sm[64 + i] = m[i];
  for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];

  crypto_hash(r, sm.subarray(32), n+32);
  reduce(r);
  scalarbase(p, r);
  // sm[0..31] = packed r * B.
  pack(sm, p);

  // Overwrite the secret prefix in sm[32..63] with the public key half
  // of sk before hashing the whole buffer.
  for (i = 32; i < 64; i++) sm[i] = sk[i];
  crypto_hash(h, sm, n + 64);
  reduce(h);

  // x = r + h * d as an unreduced limb product over the scalar bytes.
  for (i = 0; i < 64; i++) x[i] = 0;
  for (i = 0; i < 32; i++) x[i] = r[i];
  for (i = 0; i < 32; i++) {
    for (j = 0; j < 32; j++) {
      x[i+j] += h[i] * d[j];
    }
  }

  // sm[32..63] = x mod L.
  modL(sm.subarray(32), x);
  return smlen;
}
2004
/**
 * Decodes the 32-byte point encoding p into r (four field elements) with
 * the first coordinate negated relative to the encoded sign bit.
 *
 * Returns 0 on success and -1 when no first coordinate satisfying the
 * check below exists for the decoded second coordinate. p is typically a
 * public key supplied by the other party, so the -1 result must be
 * honoured by the caller.
 */
function unpackneg(r, p) {
  var t = gf(), chk = gf(), num = gf(),
      den = gf(), den2 = gf(), den4 = gf(),
      den6 = gf();

  set25519(r[2], gf1);
  unpack25519(r[1], p);
  // num = y^2 - 1, den = D*y^2 + 1.
  S(num, r[1]);
  M(den, num, D);
  Z(num, num, r[2]);
  A(den, r[2], den);

  S(den2, den);
  S(den4, den2);
  M(den6, den4, den2);
  M(t, den6, num);
  M(t, t, den);

  // Candidate root via the fixed exponent in pow2523.
  pow2523(t, t);
  M(t, t, num);
  M(t, t, den);
  M(t, t, den);
  M(r[0], t, den);

  // If x^2 * den != num, try the other candidate (multiply by I).
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) M(r[0], r[0], I);

  // Still no match: the encoding does not decode to a point.
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) return -1;

  // Pick the sign opposite to the encoded top bit of p[31].
  if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);

  M(r[3], r[0], r[1]);
  return 0;
}
2042
/**
 * Verifies the signed message sm (n bytes: 64-byte signature followed by
 * the message) against public key pk.
 *
 * On success the message is copied to m[0..n-65] and its length (n - 64)
 * is returned. On any failure -1 is returned; after a failed signature
 * comparison the first n - 64 bytes of m are zeroed. m is used as
 * scratch space and must have room for n bytes.
 *
 * The recomputed value is compared with the signature's first 32 bytes
 * through crypto_verify_32, which ORs all byte differences together
 * instead of stopping at the first mismatch.
 *
 * NOTE(review): the second signature half, sm[32..63], is passed to
 * scalarbase as-is. Nothing here checks that it is already reduced
 * modulo L, so more than one encoding of the same signature can be
 * accepted; callers that rely on signatures being unique byte strings
 * need their own check.
 */
function crypto_sign_open(m, sm, n, pk) {
  var i, mlen;
  var t = new Uint8Array(32), h = new Uint8Array(64);
  var p = [gf(), gf(), gf(), gf()],
      q = [gf(), gf(), gf(), gf()];

  mlen = -1;
  // Too short to contain a signature.
  if (n < 64) return -1;

  // Reject public keys that do not decode to a point.
  if (unpackneg(q, pk)) return -1;

  // m = sm with bytes 32..63 replaced by pk, the input of the hash.
  for (i = 0; i < n; i++) m[i] = sm[i];
  for (i = 0; i < 32; i++) m[i+32] = pk[i];
  crypto_hash(h, m, n);
  reduce(h);
  scalarmult(p, q, h);

  scalarbase(q, sm.subarray(32));
  add(p, q);
  pack(t, p);

  n -= 64;
  if (crypto_verify_32(sm, 0, t, 0)) {
    // Do not leave unverified message bytes in the output buffer.
    for (i = 0; i < n; i++) m[i] = 0;
    return -1;
  }

  for (i = 0; i < n; i++) m[i] = sm[i + 64];
  mlen = n;
  return mlen;
}
2074
// Sizes, in bytes, of keys, nonces, paddings and outputs. The box nonce
// and padding sizes are defined as the secretbox ones because box reuses
// secretbox once the shared key has been derived.
var crypto_secretbox_KEYBYTES = 32,
    crypto_secretbox_NONCEBYTES = 24,
    crypto_secretbox_ZEROBYTES = 32,
    crypto_secretbox_BOXZEROBYTES = 16,
    crypto_scalarmult_BYTES = 32,
    crypto_scalarmult_SCALARBYTES = 32,
    crypto_box_PUBLICKEYBYTES = 32,
    crypto_box_SECRETKEYBYTES = 32,
    crypto_box_BEFORENMBYTES = 32,
    crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES,
    crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES,
    crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES,
    crypto_sign_BYTES = 64,
    crypto_sign_PUBLICKEYBYTES = 32,
    crypto_sign_SECRETKEYBYTES = 64,
    crypto_sign_SEEDBYTES = 32,
    crypto_hash_BYTES = 64;
2092
// Raw primitives and size constants, exported under their C-style names.
// The low-level functions defined above (crypto_box, crypto_scalarmult,
// crypto_sign, ...) take caller-allocated output buffers and perform no
// argument type or length validation themselves; the checked entry
// points are the high-level nacl.* functions below.
nacl.lowlevel = {
  crypto_core_hsalsa20: crypto_core_hsalsa20,
  crypto_stream_xor: crypto_stream_xor,
  crypto_stream: crypto_stream,
  crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
  crypto_stream_salsa20: crypto_stream_salsa20,
  crypto_onetimeauth: crypto_onetimeauth,
  crypto_onetimeauth_verify: crypto_onetimeauth_verify,
  crypto_verify_16: crypto_verify_16,
  crypto_verify_32: crypto_verify_32,
  crypto_secretbox: crypto_secretbox,
  crypto_secretbox_open: crypto_secretbox_open,
  crypto_scalarmult: crypto_scalarmult,
  crypto_scalarmult_base: crypto_scalarmult_base,
  crypto_box_beforenm: crypto_box_beforenm,
  crypto_box_afternm: crypto_box_afternm,
  crypto_box: crypto_box,
  crypto_box_open: crypto_box_open,
  crypto_box_keypair: crypto_box_keypair,
  crypto_hash: crypto_hash,
  crypto_sign: crypto_sign,
  crypto_sign_keypair: crypto_sign_keypair,
  crypto_sign_open: crypto_sign_open,

  crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
  crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
  crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
  crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
  crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
  crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
  crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
  crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
  crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
  crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
  crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
  crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
  crypto_sign_BYTES: crypto_sign_BYTES,
  crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
  crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
  crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
  crypto_hash_BYTES: crypto_hash_BYTES
};
2135
2136/* High-level API */
2137
/**
 * Validates secretbox argument sizes: k must be exactly
 * crypto_secretbox_KEYBYTES long and n exactly
 * crypto_secretbox_NONCEBYTES long. The key is checked first.
 *
 * @throws {Error} 'bad key size' or 'bad nonce size'
 */
function checkLengths(k, n) {
  var keyOk = k.length === crypto_secretbox_KEYBYTES;
  if (!keyOk) throw new Error('bad key size');
  var nonceOk = n.length === crypto_secretbox_NONCEBYTES;
  if (!nonceOk) throw new Error('bad nonce size');
}
2142
/**
 * Validates box key sizes: pk must be exactly crypto_box_PUBLICKEYBYTES
 * long and sk exactly crypto_box_SECRETKEYBYTES long. The public key is
 * checked first.
 *
 * @throws {Error} 'bad public key size' or 'bad secret key size'
 */
function checkBoxLengths(pk, sk) {
  var publicOk = pk.length === crypto_box_PUBLICKEYBYTES;
  if (!publicOk) throw new Error('bad public key size');
  var secretOk = sk.length === crypto_box_SECRETKEYBYTES;
  if (!secretOk) throw new Error('bad secret key size');
}
2147
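/**
 * Throws unless every argument is a Uint8Array.
 *
 * The Object.prototype.toString tag is kept as the primary test so that
 * typed arrays created in another frame or context are still accepted.
 * On its own that tag is not sufficient: toString consults
 * Symbol.toStringTag, so an ordinary object can report
 * '[object Uint8Array]' and would then reach the primitives with
 * elements that are not bytes. Where ArrayBuffer.isView is available it
 * is therefore required as well; it tests for a real buffer view and
 * cannot be satisfied by a plain object.
 *
 * @throws {TypeError} 'unexpected type <tag>, use Uint8Array'
 */
function checkArrayTypes() {
  var canCheckView = typeof ArrayBuffer !== 'undefined' &&
                     typeof ArrayBuffer.isView === 'function';
  var t, i;
  for (i = 0; i < arguments.length; i++) {
    t = Object.prototype.toString.call(arguments[i]);
    if (t !== '[object Uint8Array]' ||
        (canCheckView && !ArrayBuffer.isView(arguments[i])))
      throw new TypeError('unexpected type ' + t + ', use Uint8Array');
  }
}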
2155
/**
 * Overwrites every element of arr with 0. Intended for wiping buffers
 * that held key material; this is best effort, since copies made by the
 * engine or by callers are not reached.
 */
function cleanup(arr) {
  var idx;
  for (idx = arr.length - 1; idx >= 0; idx--) {
    arr[idx] = 0;
  }
}
2159
2160// TODO: Completely remove this in v0.15.
// Compatibility stub: when no nacl.util has been attached, install one
// whose four encode/decode helpers all throw, pointing callers at the
// separate package instead of failing with an undefined-property error.
if (!nacl.util) {
  nacl.util = {};
  nacl.util.decodeUTF8 = nacl.util.encodeUTF8 = nacl.util.encodeBase64 = nacl.util.decodeBase64 = function() {
    throw new Error('nacl.util moved into separate package: https://github.com/dchest/tweetnacl-util-js');
  };
}
2167
/**
 * Returns a new Uint8Array of n bytes filled by the pluggable
 * randombytes source. Until a generator has been installed, randombytes
 * throws 'no PRNG', so this cannot return an unfilled buffer.
 */
nacl.randomBytes = function(n) {
  var out = new Uint8Array(n);
  randombytes(out, n);
  return out;
};
2173
/**
 * Encrypts and authenticates msg under key with the given nonce.
 *
 * All three arguments must be Uint8Arrays; key and nonce lengths are
 * checked. Returns a view of the output with the
 * crypto_secretbox_BOXZEROBYTES leading padding bytes skipped.
 *
 * A nonce must never be reused with the same key. The padded plaintext
 * copy made here is not zeroed before returning.
 */
nacl.secretbox = function(msg, nonce, key) {
  checkArrayTypes(msg, nonce, key);
  checkLengths(key, nonce);
  var padded = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
  var boxed = new Uint8Array(padded.length);
  var k;
  for (k = 0; k < msg.length; k++) {
    padded[crypto_secretbox_ZEROBYTES + k] = msg[k];
  }
  crypto_secretbox(boxed, padded, padded.length, nonce, key);
  return boxed.subarray(crypto_secretbox_BOXZEROBYTES);
};
2183
/**
 * Authenticates and decrypts box under key with the given nonce.
 *
 * Returns the plaintext as a Uint8Array view, or false when the input is
 * too short to hold an authenticator or when crypto_secretbox_open
 * reports failure. Callers must test the result against false before
 * using it; an empty plaintext is a valid, truthy Uint8Array.
 */
nacl.secretbox.open = function(box, nonce, key) {
  checkArrayTypes(box, nonce, key);
  checkLengths(key, nonce);
  var padded = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
  var plain = new Uint8Array(padded.length);
  var k;
  for (k = 0; k < box.length; k++) {
    padded[crypto_secretbox_BOXZEROBYTES + k] = box[k];
  }
  if (padded.length < 32 ||
      crypto_secretbox_open(plain, padded, padded.length, nonce, key) !== 0) {
    return false;
  }
  return plain.subarray(crypto_secretbox_ZEROBYTES);
};
2194
// Public size constants for secretbox. overheadLength is the number of
// bytes a box is longer than its plaintext.
nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
2198
/**
 * Multiplies group element p by scalar n and returns the 32-byte result
 * in a new Uint8Array. Both arguments must be Uint8Arrays of the exact
 * expected length.
 *
 * The return value of crypto_scalarmult is not inspected and the result
 * is not checked for the all-zero value; callers deriving keys from it
 * should take that into account.
 *
 * @throws {TypeError|Error} on wrong argument type or size
 */
nacl.scalarMult = function(n, p) {
  checkArrayTypes(n, p);
  var scalarOk = n.length === crypto_scalarmult_SCALARBYTES;
  if (!scalarOk) throw new Error('bad n size');
  var pointOk = p.length === crypto_scalarmult_BYTES;
  if (!pointOk) throw new Error('bad p size');
  var result = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult(result, n, p);
  return result;
};
2207
/**
 * Multiplies the standard base point by scalar n and returns the 32-byte
 * result in a new Uint8Array.
 *
 * @throws {TypeError|Error} when n is not a Uint8Array of
 *   crypto_scalarmult_SCALARBYTES bytes
 */
nacl.scalarMult.base = function(n) {
  checkArrayTypes(n);
  var scalarOk = n.length === crypto_scalarmult_SCALARBYTES;
  if (!scalarOk) throw new Error('bad n size');
  var result = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult_base(result, n);
  return result;
};
2215
// Sizes, in bytes, that nacl.scalarMult and nacl.scalarMult.base enforce on
// their scalar and group-element arguments.
nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
2218
// Public-key authenticated encryption: derives the shared key for
// (publicKey, secretKey) with nacl.box.before, then encrypts msg with
// nacl.secretbox. Argument validation happens inside those two calls.
// As with nacl.secretbox, the nonce is used as supplied. The shared key is
// recomputed on every call; callers sending many messages to one peer can
// call nacl.box.before once and use nacl.box.after instead.
nacl.box = function(msg, nonce, publicKey, secretKey) {
  return nacl.secretbox(msg, nonce, nacl.box.before(publicKey, secretKey));
};
2223
// Precomputes the shared key for a peer's public key and our secret key using
// crypto_box_beforenm, returning crypto_box_BEFORENMBYTES bytes.
// The result is secret key material: it is what nacl.box.after and
// nacl.box.open.after take as their key argument.
nacl.box.before = function(publicKey, secretKey) {
  checkArrayTypes(publicKey, secretKey);
  checkBoxLengths(publicKey, secretKey);
  var sharedKey = new Uint8Array(crypto_box_BEFORENMBYTES);
  crypto_box_beforenm(sharedKey, publicKey, secretKey);
  return sharedKey;
};
2231
// Encrypting with a precomputed shared key is exactly nacl.secretbox, so the
// same function object is exposed under the box namespace.
nacl.box.after = nacl.secretbox;
2233
// Authenticates and decrypts a box from the holder of publicKey: derives the
// shared key with nacl.box.before and delegates to nacl.secretbox.open.
// The return value is therefore that of nacl.secretbox.open: the plaintext on
// success, false on failure. Callers must check for false before use.
nacl.box.open = function(msg, nonce, publicKey, secretKey) {
  return nacl.secretbox.open(msg, nonce, nacl.box.before(publicKey, secretKey));
};
2238
// Opening with a precomputed shared key is exactly nacl.secretbox.open, so
// the same function object is exposed here.
nacl.box.open.after = nacl.secretbox.open;
2240
// Generates a new key pair for nacl.box and returns it as
// {publicKey, secretKey}. Both buffers are filled by crypto_box_keypair.
// NOTE(review): crypto_box_keypair is defined earlier in the file; presumably
// it draws the secret key from `randombytes`, in which case this throws when
// no PRNG is installed. Confirm there.
nacl.box.keyPair = function() {
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_box_SECRETKEYBYTES);
  crypto_box_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
2247
// Rebuilds a nacl.box key pair from an existing secret key. The public key is
// recomputed from the secret key with crypto_scalarmult_base, and the returned
// secretKey is a copy, so later changes to the caller's array do not affect
// the pair. Throws on a wrong type or size.
nacl.box.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_box_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  crypto_scalarmult_base(publicKey, secretKey);
  var secretCopy = new Uint8Array(secretKey);
  return {publicKey: publicKey, secretKey: secretCopy};
};
2256
// Sizes, in bytes, published for callers of nacl.box.
nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
nacl.box.nonceLength = crypto_box_NONCEBYTES;
// Boxes are produced by nacl.secretbox, so the overhead is shared with it.
nacl.box.overheadLength = nacl.secretbox.overheadLength;
2262
// Signs msg with secretKey and returns the signed message: a buffer of
// crypto_sign_BYTES + msg.length bytes filled by crypto_sign. Elsewhere in
// this file the first crypto_sign_BYTES bytes of that buffer are treated as
// the signature and the remainder as the message.
// Throws on wrong argument types or a wrong secret key size.
nacl.sign = function(msg, secretKey) {
  checkArrayTypes(msg, secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var out = new Uint8Array(crypto_sign_BYTES + msg.length);
  crypto_sign(out, msg, msg.length, secretKey);
  return out;
};
2271
// Verifies a signed message produced by nacl.sign and returns the message
// without its signature, or null when crypto_sign_open reports failure.
// Callers must check for null before using the result.
// The argument-count check catches the (msg, sig, publicKey) calling
// convention of nacl.sign.detached.verify being used here by mistake.
nacl.sign.open = function(signedMsg, publicKey) {
  if (arguments.length !== 2) {
    throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
  }
  checkArrayTypes(signedMsg, publicKey);
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  var scratch = new Uint8Array(signedMsg.length);
  var msgLen = crypto_sign_open(scratch, signedMsg, signedMsg.length, publicKey);
  if (msgLen < 0) {
    return null;
  }
  // Copy out only the verified message bytes; scratch is sized for the whole
  // signed message.
  var msg = new Uint8Array(msgLen);
  var i = 0;
  while (i < msg.length) {
    msg[i] = scratch[i];
    i++;
  }
  return msg;
};
2285
// Signs msg and returns only the signature: a copy of the first
// crypto_sign_BYTES bytes of nacl.sign's output. Validation of the arguments
// is done by nacl.sign.
nacl.sign.detached = function(msg, secretKey) {
  var signed = nacl.sign(msg, secretKey);
  var signature = new Uint8Array(crypto_sign_BYTES);
  var i = 0;
  while (i < signature.length) {
    signature[i] = signed[i];
    i++;
  }
  return signature;
};
2292
// Verifies a detached signature over msg and returns true or false.
// The signature and message are joined back into the signed-message layout
// (signature first, then message) and passed to crypto_sign_open; the opened
// message itself is discarded, only the status is used.
// Wrong argument types or sizes throw instead of returning false, so a
// malformed signature from an untrusted peer surfaces as an exception the
// caller needs to handle.
nacl.sign.detached.verify = function(msg, sig, publicKey) {
  checkArrayTypes(msg, sig, publicKey);
  if (sig.length !== crypto_sign_BYTES) {
    throw new Error('bad signature size');
  }
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  var total = crypto_sign_BYTES + msg.length;
  var signed = new Uint8Array(total);
  var scratch = new Uint8Array(total);
  var k;
  for (k = 0; k < crypto_sign_BYTES; k++) {
    signed[k] = sig[k];
  }
  for (k = 0; k < msg.length; k++) {
    signed[crypto_sign_BYTES + k] = msg[k];
  }
  var status = crypto_sign_open(scratch, signed, signed.length, publicKey);
  return status >= 0;
};
2306
// Generates a new signing key pair and returns it as {publicKey, secretKey}.
// Both buffers are filled by crypto_sign_keypair.
// NOTE(review): crypto_sign_keypair is defined earlier in the file; presumably
// it takes its seed from `randombytes` when called without the third
// argument. Confirm there.
nacl.sign.keyPair = function() {
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  crypto_sign_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
2313
// Rebuilds a signing key pair from an existing secret key. The returned
// secretKey is a copy of the input.
// The public key is NOT recomputed: it is read from the secret key starting
// at byte offset 32. Nothing here checks that those bytes correspond to the
// rest of the key, so a secret key loaded from storage that may have been
// tampered with yields an unverified public key. Use
// nacl.sign.keyPair.fromSeed when the public key must be derived.
nacl.sign.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var i = 0;
  while (i < publicKey.length) {
    publicKey[i] = secretKey[32 + i];
    i++;
  }
  var secretCopy = new Uint8Array(secretKey);
  return {publicKey: publicKey, secretKey: secretCopy};
};
2322
// Derives a signing key pair from a caller-supplied seed. The seed is copied
// into the first 32 bytes of the secret key buffer and crypto_sign_keypair is
// called with its third argument set to true.
// NOTE(review): the third argument presumably tells crypto_sign_keypair to
// use the bytes already in sk instead of drawing random ones. Confirm there.
// The key pair is only as unpredictable as the seed, and the same seed gives
// the same pair, so the seed must be treated as secret key material.
nacl.sign.keyPair.fromSeed = function(seed) {
  checkArrayTypes(seed);
  if (seed.length !== crypto_sign_SEEDBYTES) {
    throw new Error('bad seed size');
  }
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  var i = 0;
  while (i < 32) {
    secretKey[i] = seed[i];
    i++;
  }
  crypto_sign_keypair(publicKey, secretKey, true);
  return {publicKey: publicKey, secretKey: secretKey};
};
2333
// Sizes, in bytes, that the nacl.sign functions enforce on keys, seeds and
// detached signatures.
nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
nacl.sign.seedLength = crypto_sign_SEEDBYTES;
nacl.sign.signatureLength = crypto_sign_BYTES;
2338
// Hashes msg with crypto_hash and returns the crypto_hash_BYTES-byte digest
// as a new Uint8Array. Throws on a wrong argument type.
// NOTE(review): crypto_hash is defined earlier in the file (SHA-512 in
// TweetNaCl; confirm there). It takes no key, so the digest on its own
// neither authenticates a message nor is suitable for storing passwords.
nacl.hash = function(msg) {
  checkArrayTypes(msg);
  var digest = new Uint8Array(crypto_hash_BYTES);
  crypto_hash(digest, msg, msg.length);
  return digest;
};
2345
// Length, in bytes, of the digest returned by nacl.hash.
nacl.hash.hashLength = crypto_hash_BYTES;
2347
// Compares two byte arrays for equality; intended for secrets such as MACs.
// The byte comparison is done by vn, which ORs together the XOR of every byte
// pair before deciding, so its running time does not depend on where the
// inputs first differ. Use this instead of a loop that exits on the first
// mismatch.
// Lengths are not treated as secret: empty inputs and inputs of different
// lengths return false straight away. Two empty arrays compare as NOT equal.
nacl.verify = function(x, y) {
  checkArrayTypes(x, y);
  var anyEmpty = x.length === 0 || y.length === 0;
  if (anyEmpty || x.length !== y.length) {
    return false;
  }
  return vn(x, 0, y, 0, x.length) === 0;
};
2355
// Replaces the random source used by nacl.randomBytes and, through
// `randombytes`, by any other code in this file that calls it.
// fn is called as fn(x, n) and is expected to fill x with n random bytes.
// No validation is performed on fn, and every value produced afterwards is
// only as unpredictable as fn's output. Install a CSPRNG-backed function
// only, and treat the ability to call this as security-sensitive.
nacl.setPRNG = function(fn) {
  randombytes = fn;
};
2359
(function() {
  // Install a PRNG when the environment provides a CSPRNG. When it does not,
  // `randombytes` keeps its default and every method that needs randomness
  // throws instead of silently using a weak source.
  // NOTE(review): cleanup() is defined earlier in the file; presumably it
  // overwrites the temporary buffer so random bytes do not linger. Confirm.

  // getRandomValues rejects requests larger than 65536 bytes, so large
  // requests are filled in chunks of at most this size.
  var QUOTA = 65536;

  var webCrypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
  if (webCrypto && webCrypto.getRandomValues) {
    // Browsers.
    nacl.setPRNG(function(x, n) {
      var tmp = new Uint8Array(n);
      var pos;
      for (pos = 0; pos < n; pos += QUOTA) {
        webCrypto.getRandomValues(tmp.subarray(pos, pos + Math.min(n - pos, QUOTA)));
      }
      for (pos = 0; pos < n; pos++) {
        x[pos] = tmp[pos];
      }
      cleanup(tmp);
    });
    return;
  }

  if (typeof require === 'undefined') {
    return;
  }

  // Node.js.
  var nodeCrypto = require('crypto');
  if (nodeCrypto && nodeCrypto.randomBytes) {
    nacl.setPRNG(function(x, n) {
      var tmp = nodeCrypto.randomBytes(n);
      var pos;
      for (pos = 0; pos < n; pos++) {
        x[pos] = tmp[pos];
      }
      cleanup(tmp);
    });
  }
})();
2387
2388})(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));
2389