1(function(nacl) {
2'use strict';
3
// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
// Public domain.
//
// Implementation derived from TweetNaCl version 20140427.
// See for details: http://tweetnacl.cr.yp.to/
9
// Allocates a field element: a Float64Array of 16 limbs, all zero unless
// `init` is given, in which case init[0..init.length-1] is copied into the
// low limbs.
var gf = function(init) {
  var limbs = new Float64Array(16);
  if (!init) return limbs;
  for (var idx = 0; idx < init.length; idx++) {
    limbs[idx] = init[idx];
  }
  return limbs;
};
15
// Random byte source. Pluggable: the high-level API below installs the real
// implementation. Until that happens every call throws 'no PRNG', so code that
// needs randomness fails loudly instead of continuing without a generator.
var randombytes = function(/* x, n */) {
  throw new Error('no PRNG');
};

// 16 zero bytes.
var _0 = new Uint8Array(16);

// 32 bytes, all zero except the first, which is 9.
// NOTE(review): presumably the encoded Curve25519 base point; confirm at the use site.
var _9 = new Uint8Array(32);
_9[0] = 9;
21
// Field-element constants, each held as sixteen 16-bit limbs, least
// significant limb first.
var gf0 = gf();                 // 0
var gf1 = gf([1]);              // 1
var _121665 = gf([0xdb41, 1]);  // 0xdb41 + 1 * 2^16 = 121665

// NOTE(review): the names below follow TweetNaCl. Presumably D and D2 are the
// Edwards curve constant d and 2*d, X and Y the Ed25519 base point coordinates,
// and I a square root of -1; confirm against the upstream source.
var D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]);
var D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]);
var X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]);
var Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]);
var I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
30
// Stores a 64-bit value, given as a high word `h` and a low word `l`, into
// x[i..i+7] in big-endian byte order (most significant byte of `h` first).
function ts64(x, i, h, l) {
  var k;
  for (k = 0; k < 4; k++) {
    x[i + k] = (h >> (24 - 8 * k)) & 0xff;
  }
  for (k = 0; k < 4; k++) {
    x[i + 4 + k] = (l >> (24 - 8 * k)) & 0xff;
  }
}
41
// Compares n bytes of x starting at xi with n bytes of y starting at yi.
// Returns 0 when all bytes match and -1 otherwise.
//
// Every position is always visited and the differences are OR-ed together, so
// there is no early exit at the first mismatch. The final reduction assumes
// each element is a byte (0..255): an accumulated difference above 255 can fold
// back to 0, so callers must pass byte arrays.
function vn(x, xi, y, yi, n) {
  var diff = 0;
  var pos = 0;
  while (pos < n) {
    diff |= x[xi + pos] ^ y[yi + pos];
    pos++;
  }
  // (diff - 1) >>> 8 has its low bit set only when diff is 0.
  var equalBit = ((diff - 1) >>> 8) & 1;
  return equalBit - 1;
}
47
// Compares the 16 bytes at x[xi..] with the 16 bytes at y[yi..] through vn.
// Returns 0 when they are equal and -1 otherwise.
function crypto_verify_16(x, xi, y, yi) {
  var length = 16;
  return vn(x, xi, y, yi, length);
}
51
// Compares the 32 bytes at x[xi..] with the 32 bytes at y[yi..] through vn.
// Returns 0 when they are equal and -1 otherwise.
function crypto_verify_32(x, xi, y, yi) {
  var length = 32;
  return vn(x, xi, y, yi, length);
}
55
// Salsa20 core. Builds a 16-word state from the 16-byte input p, the 32-byte
// key k and the 16-byte constant c, runs 20 rounds (10 column+row double
// rounds), adds the original state back and writes the 64-byte result to
// o[0..63] in little-endian order.
//
// All inputs are read before anything is written to o. Word indices and
// rotation amounts are fixed, so the sequence of operations does not depend on
// the key or input values.
function core_salsa20(o, p, k, c) {
  // Where each state word is loaded from: [source array, byte offset].
  var layout = [
    [c, 0], [k, 0], [k, 4], [k, 8],
    [k, 12], [c, 4], [p, 0], [p, 4],
    [p, 8], [p, 12], [c, 8], [k, 16],
    [k, 20], [k, 24], [k, 28], [c, 12]
  ];
  // State word indices of the four column and then the four row quarter-rounds.
  var quarters = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];
  var input = [];
  var x = [];
  var w, q, round, src, at, u, qa, qb, qc, qd, byteIdx;

  for (w = 0; w < 16; w++) {
    src = layout[w][0];
    at = layout[w][1];
    input[w] = src[at] & 0xff | (src[at + 1] & 0xff) << 8 |
      (src[at + 2] & 0xff) << 16 | (src[at + 3] & 0xff) << 24;
    x[w] = input[w];
  }

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      qa = quarters[q][0];
      qb = quarters[q][1];
      qc = quarters[q][2];
      qd = quarters[q][3];

      u = x[qa] + x[qd] | 0;
      x[qb] ^= u << 7 | u >>> 25;
      u = x[qb] + x[qa] | 0;
      x[qc] ^= u << 9 | u >>> 23;
      u = x[qc] + x[qb] | 0;
      x[qd] ^= u << 13 | u >>> 19;
      u = x[qd] + x[qc] | 0;
      x[qa] ^= u << 18 | u >>> 14;
    }
  }

  for (w = 0; w < 16; w++) {
    // Feed-forward: add the input word back, modulo 2^32.
    u = x[w] + input[w] | 0;
    for (byteIdx = 0; byteIdx < 4; byteIdx++) {
      o[4 * w + byteIdx] = (u >>> (8 * byteIdx)) & 0xff;
    }
  }
}
248
// HSalsa20 core. Loads the same 16-word state as the Salsa20 core (16-byte
// input p, 32-byte key k, 16-byte constant c) and runs the same 20 rounds, but
// skips the final addition of the input and outputs only eight words: state
// words 0, 5, 10, 15, 6, 7, 8, 9, written to o[0..31] in little-endian order.
//
// All inputs are read before anything is written to o. Word indices and
// rotation amounts are fixed, so the sequence of operations does not depend on
// the key or input values.
function core_hsalsa20(o,p,k,c) {
  // Where each state word is loaded from: [source array, byte offset].
  var layout = [
    [c, 0], [k, 0], [k, 4], [k, 8],
    [k, 12], [c, 4], [p, 0], [p, 4],
    [p, 8], [p, 12], [c, 8], [k, 16],
    [k, 20], [k, 24], [k, 28], [c, 12]
  ];
  // State word indices of the four column and then the four row quarter-rounds.
  var quarters = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];
  // State words that make up the 32-byte output, in output order.
  var outputWords = [0, 5, 10, 15, 6, 7, 8, 9];
  var x = [];
  var w, q, round, src, at, u, qa, qb, qc, qd, byteIdx;

  for (w = 0; w < 16; w++) {
    src = layout[w][0];
    at = layout[w][1];
    x[w] = src[at] & 0xff | (src[at + 1] & 0xff) << 8 |
      (src[at + 2] & 0xff) << 16 | (src[at + 3] & 0xff) << 24;
  }

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      qa = quarters[q][0];
      qb = quarters[q][1];
      qc = quarters[q][2];
      qd = quarters[q][3];

      u = x[qa] + x[qd] | 0;
      x[qb] ^= u << 7 | u >>> 25;
      u = x[qb] + x[qa] | 0;
      x[qc] ^= u << 9 | u >>> 23;
      u = x[qc] + x[qb] | 0;
      x[qd] ^= u << 13 | u >>> 19;
      u = x[qd] + x[qc] | 0;
      x[qa] ^= u << 18 | u >>> 14;
    }
  }

  for (w = 0; w < 8; w++) {
    u = x[outputWords[w]];
    for (byteIdx = 0; byteIdx < 4; byteIdx++) {
      o[4 * w + byteIdx] = (u >>> (8 * byteIdx)) & 0xff;
    }
  }
}
385
// NaCl-style entry point for the Salsa20 core: fills out[0..63] from the
// 16-byte input `inp`, the 32-byte key `k` and the 16-byte constant `c`.
// Returns nothing.
function crypto_core_salsa20(out, inp, k, c) {
  core_salsa20(out, inp, k, c);
}
389
// NaCl-style entry point for the HSalsa20 core: fills out[0..31] from the
// 16-byte input `inp`, the 32-byte key `k` and the 16-byte constant `c`.
// Returns nothing.
function crypto_core_hsalsa20(out, inp, k, c) {
  core_hsalsa20(out, inp, k, c);
}
393
// The 16-byte constant passed as `c` to the Salsa20/HSalsa20 cores: the ASCII
// bytes of "expand 32-byte k".
var sigma = new Uint8Array('expand 32-byte k'.split('').map(function(ch) {
  return ch.charCodeAt(0);
}));
396
// XORs b bytes of m (from mpos) with the Salsa20 keystream for the 8-byte
// nonce n and 32-byte key k, writing the result to c (from cpos). Always
// returns 0.
//
// The block input is n[0..7] followed by a 64-bit little-endian block counter
// that starts at 0 and is incremented after every full 64-byte block.
// The keystream depends only on (n, k): encrypting two messages under the same
// pair yields ciphertexts whose XOR equals the XOR of the plaintexts, so each
// (n, k) pair must be used for one message only.
function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
  var counterBlock = new Uint8Array(16); // zero-filled on allocation
  var keystream = new Uint8Array(64);
  var i, carry, take;

  for (i = 0; i < 8; i++) counterBlock[i] = n[i];

  while (b > 0) {
    take = b >= 64 ? 64 : b;
    crypto_core_salsa20(keystream, counterBlock, k, sigma);
    for (i = 0; i < take; i++) {
      c[cpos + i] = m[mpos + i] ^ keystream[i];
    }
    if (take === 64) {
      // Add 1 to the little-endian counter held in bytes 8..15.
      carry = 1;
      for (i = 8; i < 16; i++) {
        carry = carry + (counterBlock[i] & 0xff) | 0;
        counterBlock[i] = carry & 0xff;
        carry >>>= 8;
      }
    }
    b -= take;
    cpos += take;
    mpos += take;
  }
  return 0;
}
421
// Writes b bytes of raw Salsa20 keystream for the 8-byte nonce n and 32-byte
// key k into c, starting at cpos. Always returns 0.
//
// The block input is n[0..7] followed by a 64-bit little-endian block counter
// that starts at 0 and is incremented after every full 64-byte block. The
// output is key-dependent secret material for any caller that later XORs it
// with data or uses it as a key.
function crypto_stream_salsa20(c,cpos,b,n,k) {
  var counterBlock = new Uint8Array(16); // zero-filled on allocation
  var keystream = new Uint8Array(64);
  var i, carry, take;

  for (i = 0; i < 8; i++) counterBlock[i] = n[i];

  while (b > 0) {
    take = b >= 64 ? 64 : b;
    crypto_core_salsa20(keystream, counterBlock, k, sigma);
    for (i = 0; i < take; i++) {
      c[cpos + i] = keystream[i];
    }
    if (take === 64) {
      // Add 1 to the little-endian counter held in bytes 8..15.
      carry = 1;
      for (i = 8; i < 16; i++) {
        carry = carry + (counterBlock[i] & 0xff) | 0;
        counterBlock[i] = carry & 0xff;
        carry >>>= 8;
      }
    }
    b -= take;
    cpos += take;
  }
  return 0;
}
445
// Writes d keystream bytes into c (from cpos) for a 24-byte nonce n and
// 32-byte key k. HSalsa20 over n[0..15] and k derives a 32-byte subkey; Salsa20
// then runs with that subkey and n[16..23] as its 8-byte nonce. Returns the
// result of crypto_stream_salsa20.
//
// No lengths are checked here: missing nonce bytes read as undefined and end
// up as 0, so callers must validate nonce and key sizes first.
// NOTE(review): the derived subkey buffer is not wiped before returning.
function crypto_stream(c,cpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  crypto_core_hsalsa20(subkey, n, k, sigma);
  for (var j = 16; j < 24; j++) {
    tailNonce[j - 16] = n[j];
  }
  return crypto_stream_salsa20(c, cpos, d, tailNonce, subkey);
}
453
// XORs d bytes of m (from mpos) into c (from cpos) with the keystream for a
// 24-byte nonce n and 32-byte key k. HSalsa20 over n[0..15] and k derives a
// 32-byte subkey; Salsa20 then runs with that subkey and n[16..23] as its
// 8-byte nonce. Returns the result of crypto_stream_salsa20_xor.
//
// No lengths are checked here: missing nonce bytes read as undefined and end
// up as 0, so callers must validate nonce and key sizes first. A (n, k) pair
// must not be reused for a second message.
// NOTE(review): the derived subkey buffer is not wiped before returning.
function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  crypto_core_hsalsa20(subkey, n, k, sigma);
  for (var j = 16; j < 24; j++) {
    tailNonce[j - 16] = n[j];
  }
  return crypto_stream_salsa20_xor(c, cpos, m, mpos, d, tailNonce, subkey);
}
461
/*
* Port of Andrew Moon's Poly1305-donna-16. Public domain.
* https://github.com/floodyberry/poly1305-donna
*/
466
// Poly1305 state for one 32-byte key.
//   buffer   - up to 16 pending message bytes
//   r        - key[0..15] split into ten 13-bit limbs, with the masks below
//              clearing the bits Poly1305 requires to be zero
//   h        - accumulator, ten 13-bit limbs, starts at 0
//   pad      - key[16..31] as eight little-endian 16-bit words, added to the
//              tag in finish()
//   leftover - number of valid bytes in buffer
//   fin      - set by finish() once the padded final block is being processed
//
// The key is one-time: the caller is responsible for never authenticating two
// different messages under the same key.
var poly1305 = function(key) {
  this.buffer = new Uint8Array(16);
  this.r = new Uint16Array(10);
  this.h = new Uint16Array(10);
  this.pad = new Uint16Array(8);
  this.leftover = 0;
  this.fin = 0;

  // The 32 key bytes as sixteen little-endian 16-bit words.
  var w = [];
  var j;
  for (j = 0; j < 16; j++) {
    w[j] = key[2 * j] & 0xff | (key[2 * j + 1] & 0xff) << 8;
  }

  this.r[0] = w[0] & 0x1fff;
  this.r[1] = ((w[0] >>> 13) | (w[1] << 3)) & 0x1fff;
  this.r[2] = ((w[1] >>> 10) | (w[2] << 6)) & 0x1f03;
  this.r[3] = ((w[2] >>> 7) | (w[3] << 9)) & 0x1fff;
  this.r[4] = ((w[3] >>> 4) | (w[4] << 12)) & 0x00ff;
  this.r[5] = (w[4] >>> 1) & 0x1ffe;
  this.r[6] = ((w[4] >>> 14) | (w[5] << 2)) & 0x1fff;
  this.r[7] = ((w[5] >>> 11) | (w[6] << 5)) & 0x1f81;
  this.r[8] = ((w[6] >>> 8) | (w[7] << 8)) & 0x1fff;
  this.r[9] = (w[7] >>> 5) & 0x007f;

  for (j = 0; j < 8; j++) {
    this.pad[j] = w[8 + j];
  }
};
497
// Absorbs whole 16-byte blocks of m, starting at mpos, while at least 16 of
// `bytes` remain. For each block: h = (h + block) * r, kept in ten 13-bit
// limbs with partial reduction (products that overflow limb 9 fold back in
// with a factor of 5).
//
// Unless this.fin is set, bit 11 of limb 9 (bit 128 of the block) is added to
// every block; finish() sets fin because it has already written the 0x01
// padding byte into the final partial block.
//
// The work per block is fixed: the only branches depend on the byte count and
// the fin flag, not on message or key contents.
poly1305.prototype.blocks = function(m, mpos, bytes) {
  var hibit = this.fin ? 0 : (1 << 11);
  var acc = [];   // working copy of this.h
  var key = [];   // copy of this.r
  var prod = [];  // limbs of the product for the current block
  var w = [];     // current block as eight little-endian 16-bit words
  var i, j, d, carry;

  for (i = 0; i < 10; i++) {
    acc[i] = this.h[i];
    key[i] = this.r[i];
  }

  while (bytes >= 16) {
    for (j = 0; j < 8; j++) {
      w[j] = m[mpos + 2 * j] & 0xff | (m[mpos + 2 * j + 1] & 0xff) << 8;
    }

    // Add the block, repacked into 13-bit limbs, to the accumulator.
    acc[0] += w[0] & 0x1fff;
    acc[1] += ((w[0] >>> 13) | (w[1] << 3)) & 0x1fff;
    acc[2] += ((w[1] >>> 10) | (w[2] << 6)) & 0x1fff;
    acc[3] += ((w[2] >>> 7) | (w[3] << 9)) & 0x1fff;
    acc[4] += ((w[3] >>> 4) | (w[4] << 12)) & 0x1fff;
    acc[5] += (w[4] >>> 1) & 0x1fff;
    acc[6] += ((w[4] >>> 14) | (w[5] << 2)) & 0x1fff;
    acc[7] += ((w[5] >>> 11) | (w[6] << 5)) & 0x1fff;
    acc[8] += ((w[6] >>> 8) | (w[7] << 8)) & 0x1fff;
    acc[9] += (w[7] >>> 5) | hibit;

    // Schoolbook multiply by r. Output limb i sums acc[j] * r[i - j]; terms
    // with j > i wrap around and carry the factor 5.
    carry = 0;
    for (i = 0; i < 10; i++) {
      d = carry;
      for (j = 0; j < 10; j++) {
        d += acc[j] * (j <= i ? key[i - j] : 5 * key[i + 10 - j]);
        if (j === 4) {
          // Take a carry halfway through so d stays within 32 bits.
          carry = d >>> 13;
          d &= 0x1fff;
        }
      }
      carry += d >>> 13;
      d &= 0x1fff;
      prod[i] = d;
    }

    // Fold the carry out of limb 9 back into limb 0 (times 5).
    carry = ((carry << 2) + carry) | 0;
    carry = (carry + prod[0]) | 0;
    prod[0] = carry & 0x1fff;
    carry = carry >>> 13;
    prod[1] += carry;

    for (i = 0; i < 10; i++) {
      acc[i] = prod[i];
    }

    mpos += 16;
    bytes -= 16;
  }

  for (i = 0; i < 10; i++) {
    this.h[i] = acc[i];
  }
};
710
// Finalizes the MAC and writes the 16-byte tag to mac[macpos..macpos+15].
//
// Steps: pad and absorb any buffered partial block (0x01 then zeros, with fin
// set so blocks() adds no extra high bit), fully carry h, compute
// g = h + 5 - 2^130, pick g or h with a bit mask instead of a branch, repack
// the 13-bit limbs into 16-bit words, add pad modulo 2^128 and serialize in
// little-endian order.
//
// this.h is overwritten with the packed tag words, so the instance must not be
// fed more data afterwards.
poly1305.prototype.finish = function(mac, macpos) {
  var h = this.h;
  var pad = this.pad;
  var g = new Uint16Array(10);
  var carry, takeG, keepH, sum, i;

  if (this.leftover) {
    i = this.leftover;
    this.buffer[i++] = 1;
    while (i < 16) this.buffer[i++] = 0;
    this.fin = 1;
    this.blocks(this.buffer, 0, 16);
  }

  // Propagate carries through all limbs, wrapping limb 9 into limb 0 times 5.
  carry = h[1] >>> 13;
  h[1] &= 0x1fff;
  for (i = 2; i < 10; i++) {
    h[i] += carry;
    carry = h[i] >>> 13;
    h[i] &= 0x1fff;
  }
  h[0] += (carry * 5);
  carry = h[0] >>> 13;
  h[0] &= 0x1fff;
  h[1] += carry;
  carry = h[1] >>> 13;
  h[1] &= 0x1fff;
  h[2] += carry;

  // g = h + 5, then subtract 2^13 from the top limb (that is, 2^130 overall).
  g[0] = h[0] + 5;
  carry = g[0] >>> 13;
  g[0] &= 0x1fff;
  for (i = 1; i < 10; i++) {
    g[i] = h[i] + carry;
    carry = g[i] >>> 13;
    g[i] &= 0x1fff;
  }
  g[9] -= (1 << 13);

  // takeG is all ones when h + 5 carried out of limb 9, else zero.
  takeG = (carry ^ 1) - 1;
  keepH = ~takeG;
  for (i = 0; i < 10; i++) {
    g[i] &= takeG;
    h[i] = (h[i] & keepH) | g[i];
  }

  // Repack ten 13-bit limbs into eight 16-bit words. Each line reads only
  // limbs that have not been overwritten yet.
  h[0] = ((h[0]) | (h[1] << 13)) & 0xffff;
  h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
  h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
  h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
  h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
  h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
  h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
  h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;

  // tag = (h + pad) mod 2^128
  sum = h[0] + pad[0];
  h[0] = sum & 0xffff;
  for (i = 1; i < 8; i++) {
    sum = (((h[i] + pad[i]) | 0) + (sum >>> 16)) | 0;
    h[i] = sum & 0xffff;
  }

  for (i = 0; i < 8; i++) {
    mac[macpos + 2 * i] = (h[i] >>> 0) & 0xff;
    mac[macpos + 2 * i + 1] = (h[i] >>> 8) & 0xff;
  }
};
786
// Feeds `bytes` bytes of m, starting at mpos, into the MAC. Data is absorbed
// in 16-byte blocks; an incomplete tail is kept in this.buffer (its length in
// this.leftover) until more data arrives or finish() pads it.
poly1305.prototype.update = function(m, mpos, bytes) {
  var k, take;

  // First top up a partially filled buffer from an earlier call.
  if (this.leftover) {
    take = 16 - this.leftover;
    if (take > bytes) {
      take = bytes;
    }
    for (k = 0; k < take; k++) {
      this.buffer[this.leftover + k] = m[mpos + k];
    }
    bytes -= take;
    mpos += take;
    this.leftover += take;
    if (this.leftover < 16) {
      return;
    }
    this.blocks(this.buffer, 0, 16);
    this.leftover = 0;
  }

  // Then absorb all whole blocks directly from the input.
  if (bytes >= 16) {
    take = bytes - (bytes % 16);
    this.blocks(m, mpos, take);
    mpos += take;
    bytes -= take;
  }

  // Finally stash whatever is left (fewer than 16 bytes).
  if (bytes) {
    for (k = 0; k < bytes; k++) {
      this.buffer[this.leftover + k] = m[mpos + k];
    }
    this.leftover += bytes;
  }
};
818
// Computes the Poly1305 tag of the n bytes of m starting at mpos under the
// 32-byte key k and writes the 16 tag bytes to out[outpos..]. Always returns 0.
//
// The key is read in full by the poly1305 constructor before any output is
// written, so `out` may share a buffer with `k`. The key is one-time: it must
// not authenticate a second, different message.
function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
  var mac = new poly1305(k);
  mac.update(m, mpos, n);
  mac.finish(out, outpos);
  return 0;
}
825
// Recomputes the Poly1305 tag of the n bytes of m starting at mpos under key k
// and compares it with the 16 bytes at h[hpos..]. Returns 0 when the tag
// matches and -1 otherwise.
//
// The comparison goes through crypto_verify_16, which inspects all 16 bytes
// instead of stopping at the first mismatch.
function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
  var expected = new Uint8Array(16);
  crypto_onetimeauth(expected, 0, m, mpos, n, k);
  return crypto_verify_16(h, hpos, expected, 0);
}
831
832function crypto_secretbox(c,m,d,n,k) {
833 var i;
834 if (d < 32) return -1;
835 crypto_stream_xor(c,0,m,0,d,n,k);
836 crypto_onetimeauth(c, 16, c, 32, d - 32, c);
837 for (i = 0; i < 16; i++) c[i] = 0;
838 return 0;
839}
840
// Verifies and decrypts a box produced in the NaCl buffer layout. c holds d
// bytes (tag at c[16..31], ciphertext from c[32]); m receives d bytes.
// Returns -1 when d < 32 or when the tag does not verify, 0 on success.
//
// The Poly1305 key is the first 32 keystream bytes for (n, k). The tag is
// checked before any decryption happens, and m is left untouched on failure,
// so unauthenticated plaintext is never produced. On success m[0..31] is
// cleared and the plaintext starts at m[32].
// NOTE(review): the one-time key buffer is not wiped before returning.
function crypto_secretbox_open(m,c,d,n,k) {
  var authKey = new Uint8Array(32);
  if (d < 32) return -1;
  crypto_stream(authKey, 0, 32, n, k);
  if (crypto_onetimeauth_verify(c, 16, c, 32, d - 32, authKey) !== 0) {
    return -1;
  }
  crypto_stream_xor(m, 0, c, 0, d, n, k);
  var pos = 0;
  while (pos < 32) {
    m[pos++] = 0;
  }
  return 0;
}
851
// Copies the 16 limbs of a into r, truncating each one to a 32-bit integer
// with `| 0`.
function set25519(r, a) {
  var idx = 0;
  while (idx < 16) {
    r[idx] = a[idx] | 0;
    idx++;
  }
}
856
// One carry pass over the 16 limbs of o, in place. Each limb is brought into
// 0..65535 and the excess moves to the next limb; the carry out of limb 15
// wraps into limb 0 multiplied by 38 (2^256 is congruent to 38 modulo
// 2^255 - 19).
//
// The running carry is offset by +1, and 65535 is added to each limb, so the
// division always sees a non-negative value even for negative limbs. The loop
// has a fixed length and no data-dependent branch.
function car25519(o) {
  var carry = 1;
  var limb, idx;
  for (idx = 0; idx < 16; idx++) {
    limb = o[idx] + carry + 65535;
    carry = Math.floor(limb / 65536);
    o[idx] = limb - carry * 65536;
  }
  o[0] += 38 * (carry - 1);
}
866
// Conditionally swaps the 16 limbs of p and q in place: b === 1 swaps them,
// b === 0 leaves the values where they are.
//
// The choice is made with a bit mask (all ones or all zeros) applied to
// p[i] ^ q[i], not with a branch, so the same operations run for either b.
// The XORs coerce every limb to a 32-bit integer.
function sel25519(p, q, b) {
  var mask = ~(b - 1);
  var idx = 0;
  var delta;
  while (idx < 16) {
    delta = mask & (p[idx] ^ q[idx]);
    p[idx] ^= delta;
    q[idx] ^= delta;
    idx++;
  }
}
875
// Serializes field element n into the 32 bytes o[0..31], little-endian, after
// reducing it to its canonical representative.
//
// A working copy is carried three times, then p = 2^255 - 19 (limbs 0xffed,
// 0xffff x14, 0x7fff) is subtracted twice. Each subtraction is kept or
// discarded through sel25519 according to the final borrow bit, so no branch
// depends on the value being packed. n itself is not modified.
function pack25519(o, n) {
  var reduced = gf();
  var candidate = gf();
  var idx, pass, borrow;

  for (idx = 0; idx < 16; idx++) {
    reduced[idx] = n[idx];
  }
  for (pass = 0; pass < 3; pass++) {
    car25519(reduced);
  }

  for (pass = 0; pass < 2; pass++) {
    // candidate = reduced - p, with borrows rippling upward.
    candidate[0] = reduced[0] - 0xffed;
    for (idx = 1; idx < 15; idx++) {
      candidate[idx] = reduced[idx] - 0xffff - ((candidate[idx - 1] >> 16) & 1);
      candidate[idx - 1] &= 0xffff;
    }
    candidate[15] = reduced[15] - 0x7fff - ((candidate[14] >> 16) & 1);
    borrow = (candidate[15] >> 16) & 1;
    candidate[14] &= 0xffff;
    // Keep the difference only when the subtraction did not borrow.
    sel25519(reduced, candidate, 1 - borrow);
  }

  for (idx = 0; idx < 16; idx++) {
    o[2 * idx] = reduced[idx] & 0xff;
    o[2 * idx + 1] = reduced[idx] >> 8;
  }
}
899
// Compares two field elements by packing both to their 32-byte canonical form
// and comparing the bytes with crypto_verify_32. Returns 0 when they are equal
// and -1 when they differ.
function neq25519(a, b) {
  var packedA = new Uint8Array(32);
  var packedB = new Uint8Array(32);
  pack25519(packedA, a);
  pack25519(packedB, b);
  return crypto_verify_32(packedA, 0, packedB, 0);
}
906
// Returns the parity of field element a: the lowest bit of its packed
// (canonical) 32-byte encoding.
function par25519(a) {
  var packed = new Uint8Array(32);
  pack25519(packed, a);
  var lowByte = packed[0];
  return lowByte & 1;
}
912
// Loads the 32 little-endian bytes of n into the 16 limbs of o (two bytes per
// limb) and clears the top bit of the last limb, so bit 255 of the input is
// ignored.
function unpack25519(o, n) {
  var idx = 0;
  while (idx < 16) {
    o[idx] = n[2 * idx] + (n[2 * idx + 1] << 8);
    idx++;
  }
  o[15] &= 0x7fff;
}
918
// Limb-wise addition: o[i] = a[i] + b[i] for the 16 limbs. No carry or
// reduction is performed here.
function A(o, a, b) {
  var idx = 0;
  while (idx < 16) {
    o[idx] = a[idx] + b[idx];
    idx++;
  }
}
922
923function Z(o, a, b) {
924 for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
925}
926
927function M(o, a, b) {
928 var v, c,
929 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
930 t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
931 t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
932 t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
933 b0 = b[0],
934 b1 = b[1],
935 b2 = b[2],
936 b3 = b[3],
937 b4 = b[4],
938 b5 = b[5],
939 b6 = b[6],
940 b7 = b[7],
941 b8 = b[8],
942 b9 = b[9],
943 b10 = b[10],
944 b11 = b[11],
945 b12 = b[12],
946 b13 = b[13],
947 b14 = b[14],
948 b15 = b[15];
949
950 v = a[0];
951 t0 += v * b0;
952 t1 += v * b1;
953 t2 += v * b2;
954 t3 += v * b3;
955 t4 += v * b4;
956 t5 += v * b5;
957 t6 += v * b6;
958 t7 += v * b7;
959 t8 += v * b8;
960 t9 += v * b9;
961 t10 += v * b10;
962 t11 += v * b11;
963 t12 += v * b12;
964 t13 += v * b13;
965 t14 += v * b14;
966 t15 += v * b15;
967 v = a[1];
968 t1 += v * b0;
969 t2 += v * b1;
970 t3 += v * b2;
971 t4 += v * b3;
972 t5 += v * b4;
973 t6 += v * b5;
974 t7 += v * b6;
975 t8 += v * b7;
976 t9 += v * b8;
977 t10 += v * b9;
978 t11 += v * b10;
979 t12 += v * b11;
980 t13 += v * b12;
981 t14 += v * b13;
982 t15 += v * b14;
983 t16 += v * b15;
984 v = a[2];
985 t2 += v * b0;
986 t3 += v * b1;
987 t4 += v * b2;
988 t5 += v * b3;
989 t6 += v * b4;
990 t7 += v * b5;
991 t8 += v * b6;
992 t9 += v * b7;
993 t10 += v * b8;
994 t11 += v * b9;
995 t12 += v * b10;
996 t13 += v * b11;
997 t14 += v * b12;
998 t15 += v * b13;
999 t16 += v * b14;
1000 t17 += v * b15;
1001 v = a[3];
1002 t3 += v * b0;
1003 t4 += v * b1;
1004 t5 += v * b2;
1005 t6 += v * b3;
1006 t7 += v * b4;
1007 t8 += v * b5;
1008 t9 += v * b6;
1009 t10 += v * b7;
1010 t11 += v * b8;
1011 t12 += v * b9;
1012 t13 += v * b10;
1013 t14 += v * b11;
1014 t15 += v * b12;
1015 t16 += v * b13;
1016 t17 += v * b14;
1017 t18 += v * b15;
1018 v = a[4];
1019 t4 += v * b0;
1020 t5 += v * b1;
1021 t6 += v * b2;
1022 t7 += v * b3;
1023 t8 += v * b4;
1024 t9 += v * b5;
1025 t10 += v * b6;
1026 t11 += v * b7;
1027 t12 += v * b8;
1028 t13 += v * b9;
1029 t14 += v * b10;
1030 t15 += v * b11;
1031 t16 += v * b12;
1032 t17 += v * b13;
1033 t18 += v * b14;
1034 t19 += v * b15;
1035 v = a[5];
1036 t5 += v * b0;
1037 t6 += v * b1;
1038 t7 += v * b2;
1039 t8 += v * b3;
1040 t9 += v * b4;
1041 t10 += v * b5;
1042 t11 += v * b6;
1043 t12 += v * b7;
1044 t13 += v * b8;
1045 t14 += v * b9;
1046 t15 += v * b10;
1047 t16 += v * b11;
1048 t17 += v * b12;
1049 t18 += v * b13;
1050 t19 += v * b14;
1051 t20 += v * b15;
1052 v = a[6];
1053 t6 += v * b0;
1054 t7 += v * b1;
1055 t8 += v * b2;
1056 t9 += v * b3;
1057 t10 += v * b4;
1058 t11 += v * b5;
1059 t12 += v * b6;
1060 t13 += v * b7;
1061 t14 += v * b8;
1062 t15 += v * b9;
1063 t16 += v * b10;
1064 t17 += v * b11;
1065 t18 += v * b12;
1066 t19 += v * b13;
1067 t20 += v * b14;
1068 t21 += v * b15;
1069 v = a[7];
1070 t7 += v * b0;
1071 t8 += v * b1;
1072 t9 += v * b2;
1073 t10 += v * b3;
1074 t11 += v * b4;
1075 t12 += v * b5;
1076 t13 += v * b6;
1077 t14 += v * b7;
1078 t15 += v * b8;
1079 t16 += v * b9;
1080 t17 += v * b10;
1081 t18 += v * b11;
1082 t19 += v * b12;
1083 t20 += v * b13;
1084 t21 += v * b14;
1085 t22 += v * b15;
1086 v = a[8];
1087 t8 += v * b0;
1088 t9 += v * b1;
1089 t10 += v * b2;
1090 t11 += v * b3;
1091 t12 += v * b4;
1092 t13 += v * b5;
1093 t14 += v * b6;
1094 t15 += v * b7;
1095 t16 += v * b8;
1096 t17 += v * b9;
1097 t18 += v * b10;
1098 t19 += v * b11;
1099 t20 += v * b12;
1100 t21 += v * b13;
1101 t22 += v * b14;
1102 t23 += v * b15;
1103 v = a[9];
1104 t9 += v * b0;
1105 t10 += v * b1;
1106 t11 += v * b2;
1107 t12 += v * b3;
1108 t13 += v * b4;
1109 t14 += v * b5;
1110 t15 += v * b6;
1111 t16 += v * b7;
1112 t17 += v * b8;
1113 t18 += v * b9;
1114 t19 += v * b10;
1115 t20 += v * b11;
1116 t21 += v * b12;
1117 t22 += v * b13;
1118 t23 += v * b14;
1119 t24 += v * b15;
1120 v = a[10];
1121 t10 += v * b0;
1122 t11 += v * b1;
1123 t12 += v * b2;
1124 t13 += v * b3;
1125 t14 += v * b4;
1126 t15 += v * b5;
1127 t16 += v * b6;
1128 t17 += v * b7;
1129 t18 += v * b8;
1130 t19 += v * b9;
1131 t20 += v * b10;
1132 t21 += v * b11;
1133 t22 += v * b12;
1134 t23 += v * b13;
1135 t24 += v * b14;
1136 t25 += v * b15;
1137 v = a[11];
1138 t11 += v * b0;
1139 t12 += v * b1;
1140 t13 += v * b2;
1141 t14 += v * b3;
1142 t15 += v * b4;
1143 t16 += v * b5;
1144 t17 += v * b6;
1145 t18 += v * b7;
1146 t19 += v * b8;
1147 t20 += v * b9;
1148 t21 += v * b10;
1149 t22 += v * b11;
1150 t23 += v * b12;
1151 t24 += v * b13;
1152 t25 += v * b14;
1153 t26 += v * b15;
1154 v = a[12];
1155 t12 += v * b0;
1156 t13 += v * b1;
1157 t14 += v * b2;
1158 t15 += v * b3;
1159 t16 += v * b4;
1160 t17 += v * b5;
1161 t18 += v * b6;
1162 t19 += v * b7;
1163 t20 += v * b8;
1164 t21 += v * b9;
1165 t22 += v * b10;
1166 t23 += v * b11;
1167 t24 += v * b12;
1168 t25 += v * b13;
1169 t26 += v * b14;
1170 t27 += v * b15;
1171 v = a[13];
1172 t13 += v * b0;
1173 t14 += v * b1;
1174 t15 += v * b2;
1175 t16 += v * b3;
1176 t17 += v * b4;
1177 t18 += v * b5;
1178 t19 += v * b6;
1179 t20 += v * b7;
1180 t21 += v * b8;
1181 t22 += v * b9;
1182 t23 += v * b10;
1183 t24 += v * b11;
1184 t25 += v * b12;
1185 t26 += v * b13;
1186 t27 += v * b14;
1187 t28 += v * b15;
1188 v = a[14];
1189 t14 += v * b0;
1190 t15 += v * b1;
1191 t16 += v * b2;
1192 t17 += v * b3;
1193 t18 += v * b4;
1194 t19 += v * b5;
1195 t20 += v * b6;
1196 t21 += v * b7;
1197 t22 += v * b8;
1198 t23 += v * b9;
1199 t24 += v * b10;
1200 t25 += v * b11;
1201 t26 += v * b12;
1202 t27 += v * b13;
1203 t28 += v * b14;
1204 t29 += v * b15;
1205 v = a[15];
1206 t15 += v * b0;
1207 t16 += v * b1;
1208 t17 += v * b2;
1209 t18 += v * b3;
1210 t19 += v * b4;
1211 t20 += v * b5;
1212 t21 += v * b6;
1213 t22 += v * b7;
1214 t23 += v * b8;
1215 t24 += v * b9;
1216 t25 += v * b10;
1217 t26 += v * b11;
1218 t27 += v * b12;
1219 t28 += v * b13;
1220 t29 += v * b14;
1221 t30 += v * b15;
1222
1223 t0 += 38 * t16;
1224 t1 += 38 * t17;
1225 t2 += 38 * t18;
1226 t3 += 38 * t19;
1227 t4 += 38 * t20;
1228 t5 += 38 * t21;
1229 t6 += 38 * t22;
1230 t7 += 38 * t23;
1231 t8 += 38 * t24;
1232 t9 += 38 * t25;
1233 t10 += 38 * t26;
1234 t11 += 38 * t27;
1235 t12 += 38 * t28;
1236 t13 += 38 * t29;
1237 t14 += 38 * t30;
1238 // t15 left as is
1239
1240 // first car
1241 c = 1;
1242 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
1243 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
1244 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
1245 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
1246 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
1247 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
1248 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
1249 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
1250 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
1251 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
1252 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1253 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1254 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1255 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1256 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1257 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1258 t0 += c-1 + 37 * (c-1);
1259
1260 // second car
1261 c = 1;
1262 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
1263 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
1264 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
1265 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
1266 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
1267 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
1268 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
1269 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
1270 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
1271 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
1272 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1273 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1274 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1275 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1276 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1277 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1278 t0 += c-1 + 37 * (c-1);
1279
1280 o[ 0] = t0;
1281 o[ 1] = t1;
1282 o[ 2] = t2;
1283 o[ 3] = t3;
1284 o[ 4] = t4;
1285 o[ 5] = t5;
1286 o[ 6] = t6;
1287 o[ 7] = t7;
1288 o[ 8] = t8;
1289 o[ 9] = t9;
1290 o[10] = t10;
1291 o[11] = t11;
1292 o[12] = t12;
1293 o[13] = t13;
1294 o[14] = t14;
1295 o[15] = t15;
1296}
1297
/**
 * Field squaring: stores a * a in o by passing the same operand to M twice.
 *
 * @param {Float64Array} o - destination field element
 * @param {Float64Array} a - field element to square
 */
function S(o, a) {
  M(o, a, a);
}
1301
/**
 * Field inversion by exponentiation: o = i^(2^255 - 21).
 *
 * The accumulator starts as i and is squared 254 times, multiplying by i
 * after every squaring except at exponent bits 2 and 4. The work is done in a
 * private copy, so o and i may be the same array; only the first 16 limbs of
 * either are touched.
 *
 * @param {Float64Array} o - receives the result (16 limbs)
 * @param {Float64Array} i - element to invert (16 limbs read)
 */
function inv25519(o, i) {
  var acc = gf();
  var k;
  for (k = 0; k < 16; k++) {
    acc[k] = i[k];
  }
  for (k = 253; k >= 0; k--) {
    S(acc, acc);
    if (k === 2 || k === 4) continue; // these exponent bits are zero
    M(acc, acc, i);
  }
  for (k = 0; k < 16; k++) {
    o[k] = acc[k];
  }
}
1312
/**
 * Fixed exponentiation o = i^(2^252 - 3), used by unpackneg when recovering
 * an x coordinate.
 *
 * Same square-and-multiply shape as inv25519: 251 squarings, with the
 * multiplication by i skipped only at exponent bit 1. Works on a private
 * copy, so o and i may alias.
 *
 * @param {Float64Array} o - receives the result (16 limbs)
 * @param {Float64Array} i - base (16 limbs read)
 */
function pow2523(o, i) {
  var acc = gf();
  var k;
  for (k = 0; k < 16; k++) {
    acc[k] = i[k];
  }
  for (k = 250; k >= 0; k--) {
    S(acc, acc);
    if (k === 1) continue; // the only zero bit of the exponent below bit 251
    M(acc, acc, i);
  }
  for (k = 0; k < 16; k++) {
    o[k] = acc[k];
  }
}
1323
/**
 * Curve25519 scalar multiplication (Montgomery ladder): writes the packed
 * u-coordinate of clamp(n) * p into q.
 *
 * The return value is always 0 and the result is not inspected. In
 * particular q is not checked for being all zero, which is what X25519
 * yields for low-order input points; a protocol that needs a contributory
 * shared secret has to test q itself.
 *
 * @param {Uint8Array} q - 32-byte output
 * @param {Uint8Array} n - 32-byte scalar (read only; a clamped copy is used)
 * @param {Uint8Array} p - 32-byte packed point
 * @returns {number} always 0
 */
function crypto_scalarmult(q, n, p) {
  var z = new Uint8Array(32);
  var x = new Float64Array(80), r, i;
  var a = gf(), b = gf(), c = gf(),
      d = gf(), e = gf(), f = gf();
  // Clamp a private copy of the scalar: clear bit 255, set bit 254,
  // clear the three lowest bits.
  for (i = 0; i < 31; i++) z[i] = n[i];
  z[31]=(n[31]&127)|64;
  z[0]&=248;
  unpack25519(x,p);
  for (i = 0; i < 16; i++) {
    b[i]=x[i];
    d[i]=a[i]=c[i]=0;
  }
  a[0]=d[0]=1;
  // One ladder step per scalar bit, bit 254 down to bit 0. The same sequence
  // of field operations runs for either bit value; only the sel25519 calls
  // depend on r (sel25519 is defined elsewhere; presumably a branch-free
  // conditional swap, confirm there).
  for (i=254; i>=0; --i) {
    r=(z[i>>>3]>>>(i&7))&1;
    sel25519(a,b,r);
    sel25519(c,d,r);
    A(e,a,c);
    Z(a,a,c);
    A(c,b,d);
    Z(b,b,d);
    S(d,e);
    S(f,a);
    M(a,c,a);
    M(c,b,e);
    A(e,a,c);
    Z(a,a,c);
    S(b,a);
    Z(c,d,f);
    M(a,c,_121665);
    A(a,a,d);
    M(c,c,a);
    M(a,d,f);
    M(d,b,x);
    S(b,e);
    sel25519(a,b,r);
    sel25519(c,d,r);
  }
  // Stash the ladder state behind the unpacked input inside x.
  for (i = 0; i < 16; i++) {
    x[i+16]=a[i];
    x[i+32]=c[i];
    x[i+48]=b[i];
    x[i+64]=d[i];
  }
  // Result = a / c: invert c in place, multiply into a, then pack.
  var x32 = x.subarray(32);
  var x16 = x.subarray(16);
  inv25519(x32,x32);
  M(x16,x16,x32);
  pack25519(q,x16);
  return 0;
}
1376
/**
 * Scalar multiplication of the fixed base point _9 (u = 9) by n; the packed
 * result goes to q.
 *
 * @returns {number} whatever crypto_scalarmult returns
 */
function crypto_scalarmult_base(q, n) {
  var status = crypto_scalarmult(q, n, _9);
  return status;
}
1380
/**
 * Generates a box key pair: fills x with 32 bytes from the pluggable
 * randombytes() and derives the public key y from it.
 *
 * randombytes throws until a PRNG has been installed, so no key is produced
 * without one.
 *
 * @param {Uint8Array} y - receives the 32-byte public key
 * @param {Uint8Array} x - receives the 32-byte secret key
 * @returns {number} status of crypto_scalarmult_base
 */
function crypto_box_keypair(y, x) {
  randombytes(x, 32);
  var status = crypto_scalarmult_base(y, x);
  return status;
}
1385
/**
 * Precomputes the shared key for a box: scalar-multiplies the peer public
 * key y by our secret key x, then passes the raw result through
 * crypto_core_hsalsa20 (zero input block _0, constant sigma) into k.
 *
 * The intermediate scalar-multiplication output is not zeroed before it goes
 * out of scope, and it is not checked for the all-zero value.
 *
 * @param {Uint8Array} k - receives the 32-byte shared key
 * @param {Uint8Array} y - peer public key
 * @param {Uint8Array} x - own secret key
 * @returns {*} result of crypto_core_hsalsa20
 */
function crypto_box_beforenm(k, y, x) {
  var shared = new Uint8Array(32);
  crypto_scalarmult(shared, x, y);
  return crypto_core_hsalsa20(k, _0, shared, sigma);
}
1391
// Once the shared key has been precomputed, box and secretbox are the same
// operation, so the "afternm" entry points are plain aliases.
var crypto_box_afternm = crypto_secretbox;
var crypto_box_open_afternm = crypto_secretbox_open;
1394
/**
 * Public-key authenticated encryption: derives the shared key from (y, x)
 * and encrypts m into c with it.
 *
 * @param {Uint8Array} c - ciphertext output
 * @param {Uint8Array} m - padded plaintext
 * @param {number} d - length passed through to crypto_box_afternm
 * @param {Uint8Array} n - nonce
 * @param {Uint8Array} y - recipient public key
 * @param {Uint8Array} x - sender secret key
 * @returns {*} result of crypto_box_afternm
 */
function crypto_box(c, m, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  var status = crypto_box_afternm(c, m, d, n, sharedKey);
  return status;
}
1400
/**
 * Counterpart of crypto_box: derives the shared key from (y, x) and hands
 * the ciphertext to crypto_box_open_afternm.
 *
 * @param {Uint8Array} m - plaintext output
 * @param {Uint8Array} c - padded ciphertext
 * @param {number} d - length passed through to crypto_box_open_afternm
 * @param {Uint8Array} n - nonce
 * @param {Uint8Array} y - sender public key
 * @param {Uint8Array} x - recipient secret key
 * @returns {*} result of crypto_box_open_afternm
 */
function crypto_box_open(m, c, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  var status = crypto_box_open_afternm(m, c, d, n, sharedKey);
  return status;
}
1406
// SHA-512 round constants. Each of the 80 64-bit constants is stored as two
// consecutive 32-bit values, high half first: crypto_hashblocks_hl reads
// K[i*2] as the high word and K[i*2+1] as the low word of round i.
var K = [
  0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
  0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
  0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
  0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
  0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
  0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
  0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
  0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
  0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
  0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
  0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
  0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
  0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
  0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
  0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
  0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
  0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
  0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
  0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
  0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
  0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
  0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
  0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
  0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
  0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
  0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
  0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
  0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
  0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
  0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
  0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
  0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
  0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
  0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
  0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
  0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
  0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
  0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
  0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
  0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
];
1449
/**
 * SHA-512 compression over every complete 128-byte block of m.
 *
 * 64-bit words are held as two 32-bit halves: hh/hl carry the high and low
 * halves of the eight state words, wh/wl those of the 16-entry message
 * schedule window. Every 64-bit addition is done on four 16-bit limbs
 * (a, b = low word, c, d = high word): the operands' limbs are summed first
 * and the carries are propagated afterwards with `>>> 16`.
 *
 * @param {Int32Array} hh - high halves of the state, updated in place
 * @param {Int32Array} hl - low halves of the state, updated in place
 * @param {Uint8Array} m - message bytes
 * @param {number} n - number of bytes available in m
 * @returns {number} count of trailing bytes that did not fill a block
 */
function crypto_hashblocks_hl(hh, hl, m, n) {
  var wh = new Int32Array(16), wl = new Int32Array(16),
      bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
      bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
      th, tl, i, j, h, l, a, b, c, d;

  // Working variables, loaded once and carried across blocks.
  var ah0 = hh[0],
      ah1 = hh[1],
      ah2 = hh[2],
      ah3 = hh[3],
      ah4 = hh[4],
      ah5 = hh[5],
      ah6 = hh[6],
      ah7 = hh[7],

      al0 = hl[0],
      al1 = hl[1],
      al2 = hl[2],
      al3 = hl[3],
      al4 = hl[4],
      al5 = hl[5],
      al6 = hl[6],
      al7 = hl[7];

  var pos = 0;
  while (n >= 128) {
    // Load the block as sixteen big-endian 64-bit words.
    for (i = 0; i < 16; i++) {
      j = 8 * i + pos;
      wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
      wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
    }
    for (i = 0; i < 80; i++) {
      bh0 = ah0;
      bh1 = ah1;
      bh2 = ah2;
      bh3 = ah3;
      bh4 = ah4;
      bh5 = ah5;
      bh6 = ah6;
      bh7 = ah7;

      bl0 = al0;
      bl1 = al1;
      bl2 = al2;
      bl3 = al3;
      bl4 = al4;
      bl5 = al5;
      bl6 = al6;
      bl7 = al7;

      // add
      // First temporary (th:tl) = word 7 + Sigma1(word 4) + Ch + K[i] + w[i].
      h = ah7;
      l = al7;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      // Sigma1
      h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
      l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Ch
      h = (ah4 & ah5) ^ (~ah4 & ah6);
      l = (al4 & al5) ^ (~al4 & al6);

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // K
      h = K[i*2];
      l = K[i*2+1];

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // w
      h = wh[i%16];
      l = wl[i%16];

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Propagate the carries between the 16-bit limbs.
      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      th = c & 0xffff | d << 16;
      tl = a & 0xffff | b << 16;

      // add
      // New word 0 = first temporary + Sigma0(word 0) + Maj.
      h = th;
      l = tl;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      // Sigma0
      h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
      l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      // Maj
      h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
      l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      bh7 = (c & 0xffff) | (d << 16);
      bl7 = (a & 0xffff) | (b << 16);

      // add
      // Word 3 += first temporary.
      h = bh3;
      l = bl3;

      a = l & 0xffff; b = l >>> 16;
      c = h & 0xffff; d = h >>> 16;

      h = th;
      l = tl;

      a += l & 0xffff; b += l >>> 16;
      c += h & 0xffff; d += h >>> 16;

      b += a >>> 16;
      c += b >>> 16;
      d += c >>> 16;

      bh3 = (c & 0xffff) | (d << 16);
      bl3 = (a & 0xffff) | (b << 16);

      // Rotate the working variables by one position.
      ah1 = bh0;
      ah2 = bh1;
      ah3 = bh2;
      ah4 = bh3;
      ah5 = bh4;
      ah6 = bh5;
      ah7 = bh6;
      ah0 = bh7;

      al1 = bl0;
      al2 = bl1;
      al3 = bl2;
      al4 = bl3;
      al5 = bl4;
      al6 = bl5;
      al7 = bl6;
      al0 = bl7;

      // After every 16 rounds, recompute the whole 16-word schedule window
      // in place: w[j] += w[j+9] + sigma0(w[j+1]) + sigma1(w[j+14]),
      // indices taken mod 16.
      if (i%16 === 15) {
        for (j = 0; j < 16; j++) {
          // add
          h = wh[j];
          l = wl[j];

          a = l & 0xffff; b = l >>> 16;
          c = h & 0xffff; d = h >>> 16;

          h = wh[(j+9)%16];
          l = wl[(j+9)%16];

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          // sigma0
          th = wh[(j+1)%16];
          tl = wl[(j+1)%16];
          h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
          l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          // sigma1
          th = wh[(j+14)%16];
          tl = wl[(j+14)%16];
          h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
          l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));

          a += l & 0xffff; b += l >>> 16;
          c += h & 0xffff; d += h >>> 16;

          b += a >>> 16;
          c += b >>> 16;
          d += c >>> 16;

          wh[j] = (c & 0xffff) | (d << 16);
          wl[j] = (a & 0xffff) | (b << 16);
        }
      }
    }

    // add
    // Feed-forward: add each working variable to the state it started from
    // and store the sum back into both hh/hl and the working variable.
    h = ah0;
    l = al0;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[0];
    l = hl[0];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[0] = ah0 = (c & 0xffff) | (d << 16);
    hl[0] = al0 = (a & 0xffff) | (b << 16);

    h = ah1;
    l = al1;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[1];
    l = hl[1];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[1] = ah1 = (c & 0xffff) | (d << 16);
    hl[1] = al1 = (a & 0xffff) | (b << 16);

    h = ah2;
    l = al2;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[2];
    l = hl[2];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[2] = ah2 = (c & 0xffff) | (d << 16);
    hl[2] = al2 = (a & 0xffff) | (b << 16);

    h = ah3;
    l = al3;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[3];
    l = hl[3];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[3] = ah3 = (c & 0xffff) | (d << 16);
    hl[3] = al3 = (a & 0xffff) | (b << 16);

    h = ah4;
    l = al4;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[4];
    l = hl[4];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[4] = ah4 = (c & 0xffff) | (d << 16);
    hl[4] = al4 = (a & 0xffff) | (b << 16);

    h = ah5;
    l = al5;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[5];
    l = hl[5];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[5] = ah5 = (c & 0xffff) | (d << 16);
    hl[5] = al5 = (a & 0xffff) | (b << 16);

    h = ah6;
    l = al6;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[6];
    l = hl[6];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[6] = ah6 = (c & 0xffff) | (d << 16);
    hl[6] = al6 = (a & 0xffff) | (b << 16);

    h = ah7;
    l = al7;

    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;

    h = hh[7];
    l = hl[7];

    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;

    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;

    hh[7] = ah7 = (c & 0xffff) | (d << 16);
    hl[7] = al7 = (a & 0xffff) | (b << 16);

    pos += 128;
    n -= 128;
  }

  return n;
}
1810
/**
 * SHA-512 of the first n bytes of m; the 64-byte digest is written to out.
 *
 * Full blocks are compressed straight from m. The remaining tail is copied
 * into a scratch buffer, terminated with 0x80 and followed by the message
 * length in bits as a big-endian 64-bit value in the last eight bytes of the
 * final block (one block if the tail is shorter than 112 bytes, otherwise
 * two).
 *
 * @param {Uint8Array} out - receives 64 bytes
 * @param {Uint8Array} m - message
 * @param {number} n - message length in bytes
 * @returns {number} always 0
 */
function crypto_hash(out, m, n) {
  // Initial hash value, split into high and low 32-bit halves.
  var hh = new Int32Array([
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
  ]);
  var hl = new Int32Array([
    0xf3bcc908, 0x84caa73b, 0xfe94f82b, 0x5f1d36f1,
    0xade682d1, 0x2b3e6c1f, 0xfb41bd6b, 0x137e2179
  ]);
  var x = new Uint8Array(256);
  var total = n;
  var tail, padded, k;

  crypto_hashblocks_hl(hh, hl, m, total);

  tail = total % 128;
  for (k = 0; k < tail; k++) {
    x[k] = m[total - tail + k];
  }
  x[tail] = 128;

  padded = tail < 112 ? 128 : 256;
  x[padded - 9] = 0;
  // Bit length = total * 8: high word is total / 2^29, low word is total << 3.
  ts64(x, padded - 8, (total / 0x20000000) | 0, total << 3);
  crypto_hashblocks_hl(hh, hl, x, padded);

  for (k = 0; k < 8; k++) {
    ts64(out, 8 * k, hh[k], hl[k]);
  }

  return 0;
}
1850
/**
 * Point addition p = p + q on four-coordinate points (p[0], p[1], p[2],
 * p[3]); elsewhere in this file p[0]/p[2] and p[1]/p[2] are the affine x and
 * y, and p[3] is initialised to x*y.
 *
 * Everything is computed into temporaries and p is written only in the last
 * four multiplications, so add(p, p) doubles p. q is only read.
 *
 * @param {Float64Array[]} p - point, updated in place
 * @param {Float64Array[]} q - point to add
 */
function add(p, q) {
  var diffProd = gf(), sumProd = gf(), tProd = gf(), zProd = gf(),
      eE = gf(), fF = gf(), gG = gf(), hH = gf(),
      tmp = gf();

  // (p1 - p0) * (q1 - q0)
  Z(diffProd, p[1], p[0]);
  Z(tmp, q[1], q[0]);
  M(diffProd, diffProd, tmp);

  // (p0 + p1) * (q0 + q1)
  A(sumProd, p[0], p[1]);
  A(tmp, q[0], q[1]);
  M(sumProd, sumProd, tmp);

  // p3 * q3 * D2
  M(tProd, p[3], q[3]);
  M(tProd, tProd, D2);

  // 2 * p2 * q2
  M(zProd, p[2], q[2]);
  A(zProd, zProd, zProd);

  Z(eE, sumProd, diffProd);
  Z(fF, zProd, tProd);
  A(gG, zProd, tProd);
  A(hH, sumProd, diffProd);

  M(p[0], eE, fF);
  M(p[1], hH, gG);
  M(p[2], gG, fF);
  M(p[3], eE, hH);
}
1876
/**
 * Applies sel25519 with selector b to each of the four coordinate pairs of
 * p and q, i.e. a conditional swap of two whole points.
 *
 * @param {Float64Array[]} p - first point
 * @param {Float64Array[]} q - second point
 * @param {number} b - selector bit handed to sel25519
 */
function cswap(p, q, b) {
  var coord = 0;
  while (coord < 4) {
    sel25519(p[coord], q[coord], b);
    coord++;
  }
}
1883
/**
 * Encodes point p into 32 bytes: converts to affine by dividing p[0] and
 * p[1] by p[2], packs y, then folds the parity of x into the top bit of the
 * last byte.
 *
 * @param {Uint8Array} r - receives the 32-byte encoding
 * @param {Float64Array[]} p - point to encode (read only)
 */
function pack(r, p) {
  var zInv = gf(), affX = gf(), affY = gf();
  inv25519(zInv, p[2]);
  M(affX, p[0], zInv);
  M(affY, p[1], zInv);
  pack25519(r, affY);
  r[31] ^= par25519(affX) << 7;
}
1892
/**
 * Scalar multiplication p = s * q on the signing curve.
 *
 * p is first reset to (0, 1, 1, 0); then all 256 bits of s are walked from
 * the top, each doing swap / add / double / swap, so the sequence of point
 * operations does not depend on the bit values. q is used as scratch and is
 * overwritten.
 *
 * @param {Float64Array[]} p - receives the result
 * @param {Float64Array[]} q - base point, clobbered
 * @param {Uint8Array} s - scalar, at least 32 bytes, little-endian
 */
function scalarmult(p, q, s) {
  var bit, pos;
  set25519(p[0], gf0);
  set25519(p[1], gf1);
  set25519(p[2], gf1);
  set25519(p[3], gf0);
  for (pos = 255; pos >= 0; pos--) {
    bit = (s[pos >>> 3] >> (pos & 7)) & 1;
    cswap(p, q, bit);
    add(q, p);
    add(p, p);
    cswap(p, q, bit);
  }
}
1907
/**
 * Scalar multiplication of the fixed base point: p = s * (X, Y).
 *
 * A fresh copy of the base point (X, Y, 1, X*Y) is built on every call
 * because scalarmult overwrites its point argument.
 *
 * @param {Float64Array[]} p - receives the result
 * @param {Uint8Array} s - scalar
 */
function scalarbase(p, s) {
  var base = [gf(), gf(), gf(), gf()];
  set25519(base[0], X);
  set25519(base[1], Y);
  set25519(base[2], gf1);
  M(base[3], X, Y);
  scalarmult(p, base, s);
}
1916
/**
 * Generates a signing key pair.
 *
 * Unless `seeded` is truthy, the first 32 bytes of sk are filled from
 * randombytes(); with `seeded` the caller has already placed the seed there.
 * The seed is hashed, the first 32 digest bytes are clamped and multiplied
 * with the base point to give pk, and pk is appended to sk as bytes 32..63.
 *
 * @param {Uint8Array} pk - receives the 32-byte public key
 * @param {Uint8Array} sk - 64-byte secret key buffer (seed || public key)
 * @param {boolean} [seeded] - keep the seed already stored in sk
 * @returns {number} always 0
 */
function crypto_sign_keypair(pk, sk, seeded) {
  var digest = new Uint8Array(64);
  var point = [gf(), gf(), gf(), gf()];
  var k;

  if (!seeded) {
    randombytes(sk, 32);
  }
  crypto_hash(digest, sk, 32);
  digest[0] &= 248;
  digest[31] = (digest[31] & 127) | 64;

  scalarbase(point, digest);
  pack(pk, point);

  for (k = 0; k < 32; k++) {
    sk[32 + k] = pk[k];
  }
  return 0;
}
1934
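// Order of the base-point group used for signatures,
// L = 2^252 + 27742317777372353535851937790883648493, as 32 little-endian bytes.
var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);

/**
 * Reduces the 64-limb little-endian integer x (base 256, limbs may exceed a
 * byte) modulo L and writes the 32 result bytes to r. x is used as scratch
 * and is overwritten.
 *
 * The carry of the first pass is computed with Math.floor(v / 256) rather
 * than `v >> 8`. The limbs are doubles, and while a multiple of L is being
 * subtracted an intermediate limb can leave the signed 32-bit range (for
 * example when crypto_sign accumulates products of large hash and key
 * bytes). `>>` would first truncate such a value to 32 bits and yield a wrong
 * carry, whereas both forms agree for every value that fits in 32 bits.
 *
 * @param {Uint8Array} r - receives 32 bytes
 * @param {Float64Array} x - 64 limbs, clobbered
 */
function modL(r, x) {
  var carry, i, j, k;
  // Eliminate limbs 63..32: subtract 16 * x[i] * L * 256^(i-32). Only
  // L[0..19] are visited; the contribution of L[31] = 0x10 is exactly
  // x[i] * 256^i, which is removed by zeroing x[i].
  for (i = 63; i >= 32; --i) {
    carry = 0;
    for (j = i - 32, k = i - 12; j < k; ++j) {
      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
      // Signed carry that recentres the limb into [-128, 127].
      carry = Math.floor((x[j] + 128) / 256);
      x[j] -= carry * 256;
    }
    x[j] += carry;
    x[i] = 0;
  }
  // Remove the remaining multiple of L indicated by the top four bits.
  carry = 0;
  for (j = 0; j < 32; j++) {
    x[j] += carry - (x[31] >> 4) * L[j];
    carry = x[j] >> 8;
    x[j] &= 255;
  }
  // If that went negative, the final carry is non-zero and L is added back.
  for (j = 0; j < 32; j++) x[j] -= carry * L[j];
  for (i = 0; i < 32; i++) {
    x[i+1] += x[i] >> 8;
    r[i] = x[i] & 255;
  }
}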
1961
/**
 * Reduces the 64-byte little-endian value in r modulo L, in place: the
 * bytes are moved into a scratch array, r is cleared, and modL writes the
 * 32-byte result back into the front of r.
 *
 * @param {Uint8Array} r - 64-byte buffer, overwritten
 */
function reduce(r) {
  var wide = new Float64Array(64);
  var k;
  for (k = 0; k < 64; k++) {
    wide[k] = r[k];
    r[k] = 0;
  }
  modL(r, wide);
}
1968
1969// Note: difference from C - smlen returned, not passed as argument.
/**
 * Signs the n-byte message m with the 64-byte secret key sk and writes
 * signature || message into sm.
 *
 * sm must have room for n + 64 bytes. Bytes 32..63 of sk are used as the
 * public key when hashing; they are neither re-derived from the seed nor
 * checked against it, so callers should only pass secret keys produced by
 * the key-pair functions of this library, unmodified.
 *
 * @param {Uint8Array} sm - output buffer, n + 64 bytes
 * @param {Uint8Array} m - message
 * @param {number} n - message length
 * @param {Uint8Array} sk - 64-byte secret key (seed || public key)
 * @returns {number} length of the signed message, n + 64
 */
function crypto_sign(sm, m, n, sk) {
  var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
  var i, j, x = new Float64Array(64);
  var p = [gf(), gf(), gf(), gf()];

  // d = hash of the seed; the first half is clamped into the secret scalar,
  // the second half is mixed into the nonce hash below.
  crypto_hash(d, sk, 32);
  d[0] &= 248;
  d[31] &= 127;
  d[31] |= 64;

  var smlen = n + 64;
  for (i = 0; i < n; i++) sm[64 + i] = m[i];
  for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];

  // Deterministic nonce r = hash(d[32..63] || m) mod L; its multiple of the
  // base point becomes the first 32 signature bytes.
  crypto_hash(r, sm.subarray(32), n+32);
  reduce(r);
  scalarbase(p, r);
  pack(sm, p);

  // h = hash(sm[0..31] || sk[32..63] || m) mod L.
  for (i = 32; i < 64; i++) sm[i] = sk[i];
  crypto_hash(h, sm, n + 64);
  reduce(h);

  // x = r + h * d as an unreduced limb product; modL writes it, reduced,
  // into signature bytes 32..63.
  for (i = 0; i < 64; i++) x[i] = 0;
  for (i = 0; i < 32; i++) x[i] = r[i];
  for (i = 0; i < 32; i++) {
    for (j = 0; j < 32; j++) {
      x[i+j] += h[i] * d[j];
    }
  }

  modL(sm.subarray(32), x);
  return smlen;
}
2004
/**
 * Decodes the 32-byte point encoding p into r and negates it.
 *
 * y is unpacked from p and x is recovered from num / den, where
 * num = y^2 - 1 and den = D * y^2 + 1 (D is a module-level field constant,
 * presumably the curve parameter d). The candidate root is tried as is and,
 * if it does not match, multiplied by the constant I; if neither satisfies
 * x^2 * den = num the encoding is rejected.
 *
 * @param {Float64Array[]} r - receives the four coordinates
 * @param {Uint8Array} p - 32-byte encoded point
 * @returns {number} 0 on success, -1 if p does not decode to a point
 */
function unpackneg(r, p) {
  var t = gf(), chk = gf(), num = gf(),
      den = gf(), den2 = gf(), den4 = gf(),
      den6 = gf();

  set25519(r[2], gf1);
  unpack25519(r[1], p);
  S(num, r[1]);
  M(den, num, D);
  Z(num, num, r[2]);
  A(den, r[2], den);

  S(den2, den);
  S(den4, den2);
  M(den6, den4, den2);
  M(t, den6, num);
  M(t, t, den);

  pow2523(t, t);
  M(t, t, num);
  M(t, t, den);
  M(t, t, den);
  M(r[0], t, den);

  // First candidate; on mismatch try the second square root.
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) M(r[0], r[0], I);

  // Still no match: p is not a valid encoding.
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) return -1;

  // Flip x when its parity equals the encoded sign bit, so the x kept has
  // the opposite parity - the negated point.
  if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);

  M(r[3], r[0], r[1]);
  return 0;
}
2042
/**
 * Verifies the signed message sm (signature || message, n bytes) against pk
 * and, on success, copies the message into m.
 *
 * m is used as scratch and must have room for n bytes. On a failed
 * comparison the first n - 64 bytes of m are zeroed before returning.
 * The scalar half of the signature (sm[32..63]) is used exactly as received;
 * no check that it is below the group order L is made here, so the byte
 * encoding of a valid signature should not be assumed unique (do not use
 * signature bytes as identifiers or for de-duplication).
 *
 * @param {Uint8Array} m - output / scratch buffer, at least n bytes
 * @param {Uint8Array} sm - signed message
 * @param {number} n - length of sm
 * @param {Uint8Array} pk - 32-byte public key
 * @returns {number} message length, or -1 if verification fails
 */
function crypto_sign_open(m, sm, n, pk) {
  var i, mlen;
  var t = new Uint8Array(32), h = new Uint8Array(64);
  var p = [gf(), gf(), gf(), gf()],
      q = [gf(), gf(), gf(), gf()];

  mlen = -1;
  if (n < 64) return -1;

  // q = negated public-key point; fails for an undecodable key.
  if (unpackneg(q, pk)) return -1;

  // h = hash(sm[0..31] || pk || message) mod L, built inside m.
  for (i = 0; i < n; i++) m[i] = sm[i];
  for (i = 0; i < 32; i++) m[i+32] = pk[i];
  crypto_hash(h, m, n);
  reduce(h);
  scalarmult(p, q, h);

  // p = h * (-A) + S * B, packed into t for comparison with sm[0..31].
  scalarbase(q, sm.subarray(32));
  add(p, q);
  pack(t, p);

  n -= 64;
  // vn-based comparison: examines all 32 bytes regardless of where they differ.
  if (crypto_verify_32(sm, 0, t, 0)) {
    for (i = 0; i < n; i++) m[i] = 0;
    return -1;
  }

  for (i = 0; i < n; i++) m[i] = sm[i + 64];
  mlen = n;
  return mlen;
}
2074
// Sizes, in bytes, of keys, nonces, padding and outputs. The high-level API
// below validates its arguments against these; the box nonce and padding
// sizes are defined as the secretbox ones.
var crypto_secretbox_KEYBYTES = 32,
    crypto_secretbox_NONCEBYTES = 24,
    crypto_secretbox_ZEROBYTES = 32,
    crypto_secretbox_BOXZEROBYTES = 16,
    crypto_scalarmult_BYTES = 32,
    crypto_scalarmult_SCALARBYTES = 32,
    crypto_box_PUBLICKEYBYTES = 32,
    crypto_box_SECRETKEYBYTES = 32,
    crypto_box_BEFORENMBYTES = 32,
    crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES,
    crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES,
    crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES,
    crypto_sign_BYTES = 64,
    crypto_sign_PUBLICKEYBYTES = 32,
    crypto_sign_SECRETKEYBYTES = 64,
    crypto_sign_SEEDBYTES = 32,
    crypto_hash_BYTES = 64;
2092
// Raw primitives and size constants, exported unchanged. The low-level
// functions defined in this file take caller-allocated buffers and do not
// run the checkArrayTypes / length checks that the high-level API performs,
// so argument validation is the caller's job when going through this object.
nacl.lowlevel = {
  crypto_core_hsalsa20: crypto_core_hsalsa20,
  crypto_stream_xor: crypto_stream_xor,
  crypto_stream: crypto_stream,
  crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
  crypto_stream_salsa20: crypto_stream_salsa20,
  crypto_onetimeauth: crypto_onetimeauth,
  crypto_onetimeauth_verify: crypto_onetimeauth_verify,
  crypto_verify_16: crypto_verify_16,
  crypto_verify_32: crypto_verify_32,
  crypto_secretbox: crypto_secretbox,
  crypto_secretbox_open: crypto_secretbox_open,
  crypto_scalarmult: crypto_scalarmult,
  crypto_scalarmult_base: crypto_scalarmult_base,
  crypto_box_beforenm: crypto_box_beforenm,
  crypto_box_afternm: crypto_box_afternm,
  crypto_box: crypto_box,
  crypto_box_open: crypto_box_open,
  crypto_box_keypair: crypto_box_keypair,
  crypto_hash: crypto_hash,
  crypto_sign: crypto_sign,
  crypto_sign_keypair: crypto_sign_keypair,
  crypto_sign_open: crypto_sign_open,

  crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
  crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
  crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
  crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
  crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
  crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
  crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
  crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
  crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
  crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
  crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
  crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
  crypto_sign_BYTES: crypto_sign_BYTES,
  crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
  crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
  crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
  crypto_hash_BYTES: crypto_hash_BYTES
};
2135
2136/* High-level API */
2137
/**
 * Rejects a secretbox key or nonce of the wrong size. The key is checked
 * first.
 *
 * @param {Uint8Array} k - key, must be crypto_secretbox_KEYBYTES long
 * @param {Uint8Array} n - nonce, must be crypto_secretbox_NONCEBYTES long
 * @throws {Error} 'bad key size' or 'bad nonce size'
 */
function checkLengths(k, n) {
  var keyOk = k.length === crypto_secretbox_KEYBYTES;
  if (!keyOk) {
    throw new Error('bad key size');
  }
  var nonceOk = n.length === crypto_secretbox_NONCEBYTES;
  if (!nonceOk) {
    throw new Error('bad nonce size');
  }
}
2142
/**
 * Rejects a box public or secret key of the wrong size. The public key is
 * checked first.
 *
 * @param {Uint8Array} pk - must be crypto_box_PUBLICKEYBYTES long
 * @param {Uint8Array} sk - must be crypto_box_SECRETKEYBYTES long
 * @throws {Error} 'bad public key size' or 'bad secret key size'
 */
function checkBoxLengths(pk, sk) {
  var publicOk = pk.length === crypto_box_PUBLICKEYBYTES;
  if (!publicOk) {
    throw new Error('bad public key size');
  }
  var secretOk = sk.length === crypto_box_SECRETKEYBYTES;
  if (!secretOk) {
    throw new Error('bad secret key size');
  }
}
2147
/**
 * Verifies that every argument reports the '[object Uint8Array]' type tag.
 * Strings, plain arrays and other typed-array kinds are rejected, which keeps
 * them from being silently coerced by the byte-wise code further down.
 *
 * @throws {TypeError} naming the tag of the first offending argument
 */
function checkArrayTypes() {
  var idx = 0;
  var tag;
  while (idx < arguments.length) {
    tag = Object.prototype.toString.call(arguments[idx]);
    if (tag !== '[object Uint8Array]') {
      throw new TypeError('unexpected type ' + tag + ', use Uint8Array');
    }
    idx++;
  }
}
2155
/**
 * Overwrites every element of arr with 0. Used to wipe temporary buffers;
 * this clears the given array only, not any copies made elsewhere.
 *
 * @param {Uint8Array} arr - buffer to zero in place
 */
function cleanup(arr) {
  var k = 0;
  while (k < arr.length) {
    arr[k] = 0;
    k += 1;
  }
}
2159
// TODO: Completely remove this in v0.15.
// Compatibility stub: when no nacl.util is present, install one whose four
// helpers all share a single function that throws and points at the
// separate package.
if (!nacl.util) {
  nacl.util = {};
  nacl.util.decodeBase64 = function() {
    throw new Error('nacl.util moved into separate package: https://github.com/dchest/tweetnacl-util-js');
  };
  nacl.util.encodeBase64 = nacl.util.decodeBase64;
  nacl.util.encodeUTF8 = nacl.util.decodeBase64;
  nacl.util.decodeUTF8 = nacl.util.decodeBase64;
}
2167
/**
 * Returns a new Uint8Array of n bytes filled by the installed PRNG.
 * Throws (via randombytes) when no PRNG has been installed.
 *
 * @param {number} n - number of bytes
 * @returns {Uint8Array}
 */
nacl.randomBytes = function(n) {
  var out = new Uint8Array(n);
  randombytes(out, n);
  return out;
};
2173
/**
 * Secret-key authenticated encryption of msg.
 *
 * The nonce is taken from the caller as is; nothing here prevents reuse, so
 * the caller has to guarantee a fresh nonce for every message under a given
 * key.
 *
 * @param {Uint8Array} msg - plaintext
 * @param {Uint8Array} nonce - crypto_secretbox_NONCEBYTES bytes
 * @param {Uint8Array} key - crypto_secretbox_KEYBYTES bytes
 * @returns {Uint8Array} authenticator followed by ciphertext
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad sizes
 */
nacl.secretbox = function(msg, nonce, key) {
  checkArrayTypes(msg, nonce, key);
  checkLengths(key, nonce);
  // The low-level call expects ZEROBYTES of leading zero padding.
  var padded = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
  var boxed = new Uint8Array(padded.length);
  var pos = 0;
  while (pos < msg.length) {
    padded[crypto_secretbox_ZEROBYTES + pos] = msg[pos];
    pos++;
  }
  crypto_secretbox(boxed, padded, padded.length, nonce, key);
  return boxed.subarray(crypto_secretbox_BOXZEROBYTES);
};
2183
/**
 * Authenticates and decrypts a box produced by nacl.secretbox.
 *
 * Failure is reported by returning false, not by throwing, so the result
 * must be checked before it is used as plaintext.
 *
 * @param {Uint8Array} box - authenticator followed by ciphertext
 * @param {Uint8Array} nonce - crypto_secretbox_NONCEBYTES bytes
 * @param {Uint8Array} key - crypto_secretbox_KEYBYTES bytes
 * @returns {Uint8Array|boolean} plaintext, or false if the box is too short
 *   or does not verify
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad sizes
 */
nacl.secretbox.open = function(box, nonce, key) {
  checkArrayTypes(box, nonce, key);
  checkLengths(key, nonce);
  var padded = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
  var plain = new Uint8Array(padded.length);
  var pos;
  for (pos = 0; pos < box.length; pos++) {
    padded[crypto_secretbox_BOXZEROBYTES + pos] = box[pos];
  }
  var tooShort = padded.length < 32;
  if (tooShort || crypto_secretbox_open(plain, padded, padded.length, nonce, key) !== 0) {
    return false;
  }
  return plain.subarray(crypto_secretbox_ZEROBYTES);
};
2194
// Public size constants for secretbox; overheadLength is the number of
// bytes a box is longer than its plaintext.
nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
2198
/**
 * Scalar multiplication of point p by scalar n.
 *
 * The result is returned without inspection; it is not checked for the
 * all-zero value, so a caller using it directly as key material should
 * perform that check.
 *
 * @param {Uint8Array} n - crypto_scalarmult_SCALARBYTES bytes
 * @param {Uint8Array} p - crypto_scalarmult_BYTES bytes
 * @returns {Uint8Array} crypto_scalarmult_BYTES bytes
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad sizes
 */
nacl.scalarMult = function(n, p) {
  checkArrayTypes(n, p);
  if (n.length !== crypto_scalarmult_SCALARBYTES) {
    throw new Error('bad n size');
  }
  if (p.length !== crypto_scalarmult_BYTES) {
    throw new Error('bad p size');
  }
  var product = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult(product, n, p);
  return product;
};
2207
/**
 * Scalar multiplication of the standard base point by n.
 *
 * @param {Uint8Array} n - crypto_scalarmult_SCALARBYTES bytes
 * @returns {Uint8Array} crypto_scalarmult_BYTES bytes
 * @throws {TypeError|Error} on a non-Uint8Array argument or bad size
 */
nacl.scalarMult.base = function(n) {
  checkArrayTypes(n);
  if (n.length !== crypto_scalarmult_SCALARBYTES) {
    throw new Error('bad n size');
  }
  var product = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult_base(product, n);
  return product;
};
2215
// Public size constants for scalarMult.
nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
2218
/**
 * Public-key authenticated encryption: derives the shared key for
 * (publicKey, secretKey) and encrypts msg with nacl.secretbox.
 *
 * Argument validation happens inside nacl.box.before and nacl.secretbox.
 * As with secretbox, the nonce must not repeat for a given key pair.
 *
 * @returns {Uint8Array} the box
 */
nacl.box = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  var boxed = nacl.secretbox(msg, nonce, sharedKey);
  return boxed;
};
2223
/**
 * Precomputes the shared key for a peer public key and own secret key, for
 * use with nacl.box.after / nacl.box.open.after.
 *
 * The returned array is key material; it is the caller's to protect and to
 * wipe.
 *
 * @param {Uint8Array} publicKey - crypto_box_PUBLICKEYBYTES bytes
 * @param {Uint8Array} secretKey - crypto_box_SECRETKEYBYTES bytes
 * @returns {Uint8Array} crypto_box_BEFORENMBYTES bytes
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad sizes
 */
nacl.box.before = function(publicKey, secretKey) {
  checkArrayTypes(publicKey, secretKey);
  checkBoxLengths(publicKey, secretKey);
  var sharedKey = new Uint8Array(crypto_box_BEFORENMBYTES);
  crypto_box_beforenm(sharedKey, publicKey, secretKey);
  return sharedKey;
};
2231
// With a precomputed shared key, boxing is exactly secretbox.
nacl.box.after = nacl.secretbox;
2233
/**
 * Authenticates and decrypts a box: derives the shared key for
 * (publicKey, secretKey) and delegates to nacl.secretbox.open.
 *
 * @returns {Uint8Array|boolean} plaintext, or false when the box does not
 *   verify (the value nacl.secretbox.open returns)
 */
nacl.box.open = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  var opened = nacl.secretbox.open(msg, nonce, sharedKey);
  return opened;
};
2238
// With a precomputed shared key, opening a box is exactly secretbox.open.
nacl.box.open.after = nacl.secretbox.open;
2240
/**
 * Generates a new random box key pair using the installed PRNG.
 *
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}}
 */
nacl.box.keyPair = function() {
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_box_SECRETKEYBYTES);
  crypto_box_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
2247
/**
 * Rebuilds a box key pair from an existing secret key. The returned
 * secretKey is a copy, so later changes to the argument do not affect it.
 *
 * @param {Uint8Array} secretKey - crypto_box_SECRETKEYBYTES bytes
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}}
 * @throws {TypeError|Error} on a non-Uint8Array argument or bad size
 */
nacl.box.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_box_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  crypto_scalarmult_base(publicKey, secretKey);
  var secretCopy = new Uint8Array(secretKey);
  return {publicKey: publicKey, secretKey: secretCopy};
};
2256
// Public size constants for box; the overhead is the secretbox one.
nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
nacl.box.nonceLength = crypto_box_NONCEBYTES;
nacl.box.overheadLength = nacl.secretbox.overheadLength;
2262
/**
 * Signs msg and returns the signed message (64-byte signature followed by
 * the message).
 *
 * @param {Uint8Array} msg - message
 * @param {Uint8Array} secretKey - crypto_sign_SECRETKEYBYTES bytes
 * @returns {Uint8Array} signature || message
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad key size
 */
nacl.sign = function(msg, secretKey) {
  checkArrayTypes(msg, secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var out = new Uint8Array(crypto_sign_BYTES + msg.length);
  crypto_sign(out, msg, msg.length, secretKey);
  return out;
};
2271
/**
 * Verifies a signed message and returns the message it carries.
 *
 * Exactly two arguments are required; the check catches calls written for
 * the three-argument nacl.sign.detached.verify. A failed verification is
 * reported as null, so the result must be checked before use.
 *
 * @param {Uint8Array} signedMsg - signature || message
 * @param {Uint8Array} publicKey - crypto_sign_PUBLICKEYBYTES bytes
 * @returns {Uint8Array|null} the message, or null if verification fails
 * @throws {TypeError|Error} on wrong argument count, types or key size
 */
nacl.sign.open = function(signedMsg, publicKey) {
  if (arguments.length !== 2) {
    throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
  }
  checkArrayTypes(signedMsg, publicKey);
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  var scratch = new Uint8Array(signedMsg.length);
  var mlen = crypto_sign_open(scratch, signedMsg, signedMsg.length, publicKey);
  if (mlen < 0) {
    return null;
  }
  var message = new Uint8Array(mlen);
  var k = 0;
  while (k < message.length) {
    message[k] = scratch[k];
    k++;
  }
  return message;
};
2285
/**
 * Signs msg and returns only the signature (the first crypto_sign_BYTES
 * bytes of the signed message), without the message appended.
 *
 * @param {Uint8Array} msg - message
 * @param {Uint8Array} secretKey - signing secret key
 * @returns {Uint8Array} crypto_sign_BYTES-byte signature
 */
nacl.sign.detached = function(msg, secretKey) {
  var signedMsg = nacl.sign(msg, secretKey);
  var signature = new Uint8Array(crypto_sign_BYTES);
  var k = 0;
  while (k < signature.length) {
    signature[k] = signedMsg[k];
    k++;
  }
  return signature;
};
2292
/**
 * Verifies a detached signature by reassembling signature || message and
 * running crypto_sign_open on it.
 *
 * @param {Uint8Array} msg - message
 * @param {Uint8Array} sig - crypto_sign_BYTES bytes
 * @param {Uint8Array} publicKey - crypto_sign_PUBLICKEYBYTES bytes
 * @returns {boolean} true only if the signature verifies
 * @throws {TypeError|Error} on non-Uint8Array arguments or bad sizes
 */
nacl.sign.detached.verify = function(msg, sig, publicKey) {
  checkArrayTypes(msg, sig, publicKey);
  if (sig.length !== crypto_sign_BYTES) {
    throw new Error('bad signature size');
  }
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  var total = crypto_sign_BYTES + msg.length;
  var signedMsg = new Uint8Array(total);
  var scratch = new Uint8Array(total);
  var k;
  for (k = 0; k < crypto_sign_BYTES; k++) {
    signedMsg[k] = sig[k];
  }
  for (k = 0; k < msg.length; k++) {
    signedMsg[crypto_sign_BYTES + k] = msg[k];
  }
  var mlen = crypto_sign_open(scratch, signedMsg, signedMsg.length, publicKey);
  return mlen >= 0;
};
2306
/**
 * Generates a new random signing key pair using the installed PRNG.
 *
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}}
 */
nacl.sign.keyPair = function() {
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  crypto_sign_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
2313
/**
 * Rebuilds a signing key pair from a 64-byte secret key.
 *
 * The public key is copied from bytes 32..63 of the secret key; it is not
 * recomputed from the seed, so a secret key whose second half was altered
 * yields a mismatched pair. Use nacl.sign.keyPair.fromSeed when only the
 * seed is trusted.
 *
 * @param {Uint8Array} secretKey - crypto_sign_SECRETKEYBYTES bytes
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}} secretKey is a copy
 * @throws {TypeError|Error} on a non-Uint8Array argument or bad size
 */
nacl.sign.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var k = 0;
  while (k < publicKey.length) {
    publicKey[k] = secretKey[32 + k];
    k++;
  }
  var secretCopy = new Uint8Array(secretKey);
  return {publicKey: publicKey, secretKey: secretCopy};
};
2322
// Derives a signing key pair from a caller-supplied seed.
// Throws unless seed is exactly crypto_sign_SEEDBYTES long. The seed is placed
// in the first 32 bytes of the secret key buffer, and crypto_sign_keypair is
// called with `true` as its third argument. That flag presumably tells it to
// use those bytes instead of fresh randomness (its body is outside this view).
// The same seed then yields the same key pair, so the seed needs the same
// protection as the secret key and the same unpredictability as a generated one.
nacl.sign.keyPair.fromSeed = function(seed) {
  checkArrayTypes(seed);
  if (seed.length !== crypto_sign_SEEDBYTES) {
    throw new Error('bad seed size');
  }
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  secretKey.set(seed.subarray(0, 32), 0);
  crypto_sign_keypair(publicKey, secretKey, true);
  return {publicKey: publicKey, secretKey: secretKey};
};
2333
// Byte lengths used by the signing API, exported so callers can size and
// check their buffers against the same constants the length checks use.
nacl.sign.signatureLength = crypto_sign_BYTES;
nacl.sign.seedLength = crypto_sign_SEEDBYTES;
nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
2338
// Returns the crypto_hash digest of msg in a new crypto_hash_BYTES-long array.
// Only msg is fed to the hash, with no key. The digest therefore does not
// authenticate data by itself and is not a password-hashing function.
nacl.hash = function(msg) {
  checkArrayTypes(msg);
  var digest = new Uint8Array(crypto_hash_BYTES);
  crypto_hash(digest, msg, msg.length);
  return digest;
};

// Digest size in bytes.
nacl.hash.hashLength = crypto_hash_BYTES;
2347
// Compares two byte arrays and returns true when they are equal.
// Length checks come first and return early. The byte comparison is delegated
// to vn (defined at the top of the file), which accumulates the differences
// over the full length instead of stopping at the first mismatch.
// Use this, not === or a hand-written loop, to compare tags and other secrets.
nacl.verify = function(x, y) {
  checkArrayTypes(x, y);
  var len = x.length;
  // Empty operands never compare equal, so an empty expected value cannot be
  // matched by an empty input.
  if (len === 0 || y.length === 0 || len !== y.length) return false;
  return vn(x, 0, y, 0, len) === 0;
};
2355
// Installs fn as the module-wide random source, replacing the current one.
// fn is called as fn(x, n) and is expected to fill x[0..n-1] with random bytes,
// as the built-in sources installed below do. No validation happens here:
// every later call to randombytes goes through whatever is passed in, so it
// must be backed by a cryptographically secure generator.
nacl.setPRNG = function(fn) {
  randombytes = fn;
};
2359
// Picks a default random source at load time.
// Order: Web Crypto on `self` (crypto or the prefixed msCrypto), then Node's
// crypto.randomBytes when `require` exists. There is no weaker fallback: if
// neither is found, randombytes keeps its initial value, which throws, so
// anything that needs randomness fails instead of using predictable bytes.
(function() {
  var webCrypto = null;
  if (typeof self !== 'undefined') webCrypto = self.crypto || self.msCrypto;

  if (webCrypto && webCrypto.getRandomValues) {
    // Browsers. getRandomValues limits how many bytes one call may request,
    // so larger requests are filled in QUOTA-sized slices.
    var QUOTA = 65536;
    nacl.setPRNG(function(x, n) {
      var scratch = new Uint8Array(n);
      var off, k;
      for (off = 0; off < n; off += QUOTA) {
        webCrypto.getRandomValues(scratch.subarray(off, off + Math.min(n - off, QUOTA)));
      }
      for (k = 0; k < n; k++) x[k] = scratch[k];
      // cleanup is defined outside this view; presumably it wipes the
      // temporary copy so the random bytes do not linger in memory.
      cleanup(scratch);
    });
    return;
  }

  if (typeof require === 'undefined') return;

  // Node.js.
  var nodeCrypto = require('crypto');
  if (!nodeCrypto || !nodeCrypto.randomBytes) return;
  nacl.setPRNG(function(x, n) {
    var bytes = nodeCrypto.randomBytes(n);
    var k;
    for (k = 0; k < n; k++) x[k] = bytes[k];
    cleanup(bytes);
  });
})();
2387
2388})(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));