UNPKG

196 kBJavaScriptView Raw
1/*! proteus-hd v1.0.4 */
2var Proteus =
3/******/ (function(modules) { // webpackBootstrap
4/******/ // The module cache
5/******/ var installedModules = {};
6/******/
7/******/ // The require function
8/******/ function __webpack_require__(moduleId) {
9/******/
10/******/ // Check if module is in cache
11/******/ if(installedModules[moduleId]) {
12/******/ return installedModules[moduleId].exports;
13/******/ }
14/******/ // Create a new module (and put it into the cache)
15/******/ var module = installedModules[moduleId] = {
16/******/ i: moduleId,
17/******/ l: false,
18/******/ exports: {}
19/******/ };
20/******/
21/******/ // Execute the module function
22/******/ modules[moduleId].call(module.exports, module, module.exports, __webpack_require__);
23/******/
24/******/ // Flag the module as loaded
25/******/ module.l = true;
26/******/
27/******/ // Return the exports of the module
28/******/ return module.exports;
29/******/ }
30/******/
31/******/
32/******/ // expose the modules object (__webpack_modules__)
33/******/ __webpack_require__.m = modules;
34/******/
35/******/ // expose the module cache
36/******/ __webpack_require__.c = installedModules;
37/******/
38/******/ // define getter function for harmony exports
39/******/ __webpack_require__.d = function(exports, name, getter) {
40/******/ if(!__webpack_require__.o(exports, name)) {
41/******/ Object.defineProperty(exports, name, {
42/******/ configurable: false,
43/******/ enumerable: true,
44/******/ get: getter
45/******/ });
46/******/ }
47/******/ };
48/******/
49/******/ // getDefaultExport function for compatibility with non-harmony modules
50/******/ __webpack_require__.n = function(module) {
51/******/ var getter = module && module.__esModule ?
52/******/ function getDefault() { return module['default']; } :
53/******/ function getModuleExports() { return module; };
54/******/ __webpack_require__.d(getter, 'a', getter);
55/******/ return getter;
56/******/ };
57/******/
58/******/ // Object.prototype.hasOwnProperty.call
59/******/ __webpack_require__.o = function(object, property) { return Object.prototype.hasOwnProperty.call(object, property); };
60/******/
61/******/ // __webpack_public_path__
62/******/ __webpack_require__.p = "";
63/******/
64/******/ // Load entry module and return exports
65/******/ return __webpack_require__(__webpack_require__.s = 33);
66/******/ })
67/************************************************************************/
68/******/ ([
69/* 0 */
70/***/ (function(module, exports, __webpack_require__) {
71
72"use strict";
73/*
74 * Wire
75 * Copyright (C) 2016 Wire Swiss GmbH
76 *
77 * This program is free software: you can redistribute it and/or modify
78 * it under the terms of the GNU General Public License as published by
79 * the Free Software Foundation, either version 3 of the License, or
80 * (at your option) any later version.
81 *
82 * This program is distributed in the hope that it will be useful,
83 * but WITHOUT ANY WARRANTY; without even the implied warranty of
84 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
85 * GNU General Public License for more details.
86 *
87 * You should have received a copy of the GNU General Public License
88 * along with this program. If not, see http://www.gnu.org/licenses/.
89 *
90 */
91
92
93
94const ProteusError = __webpack_require__(6);
95
96/** @module errors */
97
98const _extend = function(child, parent) {
99 for (let key in parent) {
100 if ({}.hasOwnProperty.call(parent, key)) child[key] = parent[key];
101 }
102 const ctor = function() {
103 this.constructor = child;
104 };
105 ctor.prototype = parent.prototype;
106 child.prototype = new ctor();
107 child.__super__ = parent.prototype;
108 return child;
109};
110
111/**
112 * @class DontCallConstructor
113 * @extends Error
114 * @returns {DontCallConstructor} - `this`
115 */
116const DontCallConstructor = (function(superClass) {
117 _extend(func, superClass);
118
119 function func(_instance) {
120 this._instance = _instance;
121 func.__super__.constructor.call(this,
122 `Instead of 'new {this._instance.constructor.name}', use '${this._instance.constructor.name}.new'.`
123 );
124 }
125
126 return func;
127})(ProteusError);
128
129module.exports = DontCallConstructor;
130
131
132/***/ }),
133/* 1 */
134/***/ (function(module, exports, __webpack_require__) {
135
136"use strict";
137/*
138 * Wire
139 * Copyright (C) 2016 Wire Swiss GmbH
140 *
141 * This program is free software: you can redistribute it and/or modify
142 * it under the terms of the GNU General Public License as published by
143 * the Free Software Foundation, either version 3 of the License, or
144 * (at your option) any later version.
145 *
146 * This program is distributed in the hope that it will be useful,
147 * but WITHOUT ANY WARRANTY; without even the implied warranty of
148 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
149 * GNU General Public License for more details.
150 *
151 * You should have received a copy of the GNU General Public License
152 * along with this program. If not, see http://www.gnu.org/licenses/.
153 *
154 */
155
156
157
158const InputError = __webpack_require__(20);
159
160/** @module util */
161
162const TypeUtil = {
163 /**
164 * @param {*} classes
165 * @param {*} inst
166 * @returns {void}
167 * @throws {errors.InputError.TypeError}
168 */
169 assert_is_instance(classes, inst) {
170 if (!Array.isArray(classes)) {
171 classes = [classes];
172 }
173 if (classes.some((k) => inst instanceof k || (inst && inst.prototype instanceof k))) {
174 return;
175 }
176 const valid_types = classes.map((k) => `'${k.name}'`).join(' or ');
177 if (inst) {
178 throw new InputError.TypeError(`Expected one of ${valid_types}, got '${inst.constructor.name}'.`, InputError.CODE.CASE_401);
179 }
180 throw new InputError.TypeError(`Expected one of ${valid_types}, got '${String(inst)}'.`, InputError.CODE.CASE_402);
181 },
182 /**
183 * @param {*} inst
184 * @returns {boolean}
185 * @throws {errors.InputError.TypeError}
186 */
187 assert_is_integer(inst) {
188 if (Number.isInteger(inst)) {
189 return true;
190 }
191 if (inst) {
192 throw new InputError.TypeError(`Expected integer, got '${inst.constructor.name}'.`, InputError.CODE.CASE_403);
193 }
194 throw new InputError.TypeError(`Expected integer, got '${String(inst)}'.`, InputError.CODE.CASE_404);
195 },
196};
197
198module.exports = TypeUtil;
199
200
201/***/ }),
202/* 2 */
203/***/ (function(module, exports) {
204
205module.exports = CBOR;
206
207/***/ }),
208/* 3 */
209/***/ (function(module, exports, __webpack_require__) {
210
211"use strict";
212/*
213 * Wire
214 * Copyright (C) 2016 Wire Swiss GmbH
215 *
216 * This program is free software: you can redistribute it and/or modify
217 * it under the terms of the GNU General Public License as published by
218 * the Free Software Foundation, either version 3 of the License, or
219 * (at your option) any later version.
220 *
221 * This program is distributed in the hope that it will be useful,
222 * but WITHOUT ANY WARRANTY; without even the implied warranty of
223 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
224 * GNU General Public License for more details.
225 *
226 * You should have received a copy of the GNU General Public License
227 * along with this program. If not, see http://www.gnu.org/licenses/.
228 *
229 */
230
231
232
233const DontCallConstructor = __webpack_require__(0);
234
235/** @module util */
236
237const ClassUtil = {
238 /**
239 * @param {*} klass
240 * @returns {Function}
241 */
242 new_instance(klass) {
243 try {
244 return new klass();
245 } catch (e) {
246 if (!(e instanceof DontCallConstructor)) {
247 throw e;
248 }
249 return e._instance;
250 }
251 },
252};
253
254module.exports = ClassUtil;
255
256
257/***/ }),
258/* 4 */
259/***/ (function(module, exports, __webpack_require__) {
260
261"use strict";
262/*
263 * Wire
264 * Copyright (C) 2016 Wire Swiss GmbH
265 *
266 * This program is free software: you can redistribute it and/or modify
267 * it under the terms of the GNU General Public License as published by
268 * the Free Software Foundation, either version 3 of the License, or
269 * (at your option) any later version.
270 *
271 * This program is distributed in the hope that it will be useful,
272 * but WITHOUT ANY WARRANTY; without even the implied warranty of
273 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
274 * GNU General Public License for more details.
275 *
276 * You should have received a copy of the GNU General Public License
277 * along with this program. If not, see http://www.gnu.org/licenses/.
278 *
279 */
280
281
282
283const CBOR = __webpack_require__(2);
284const ed2curve = __webpack_require__(21);
285const sodium = __webpack_require__(5);
286
287const ClassUtil = __webpack_require__(3);
288const DontCallConstructor = __webpack_require__(0);
289const TypeUtil = __webpack_require__(1);
290
291/** @module keys */
292
293/**
294 * @class PublicKey
295 * @throws {DontCallConstructor}
296 */
297class PublicKey {
298 constructor() {
299 throw new DontCallConstructor(this);
300 }
301
302 /**
303 * @param {!Uint8Array} pub_edward
304 * @param {!Uint8Array} pub_curve
305 * @returns {PublicKey} - `this`
306 */
307 static new(pub_edward, pub_curve) {
308 TypeUtil.assert_is_instance(Uint8Array, pub_edward);
309 TypeUtil.assert_is_instance(Uint8Array, pub_curve);
310
311 /** @type {PublicKey} */
312 const pk = ClassUtil.new_instance(PublicKey);
313
314 /** @type {Uint8Array} */
315 pk.pub_edward = pub_edward;
316 /** @type {Uint8Array} */
317 pk.pub_curve = pub_curve;
318 return pk;
319 }
320
321 /**
322 * This function can be used to verify a message signature.
323 *
324 * @param {!Uint8Array} signature - The signature to verify
325 * @param {!string} message - The message from which the signature was computed.
326 * @returns {boolean} - `true` if the signature is valid, `false` otherwise.
327 */
328 verify(signature, message) {
329 TypeUtil.assert_is_instance(Uint8Array, signature);
330 return sodium.crypto_sign_verify_detached(signature, message, this.pub_edward);
331 }
332
333 /** @returns {string} */
334 fingerprint() {
335 return sodium.to_hex(this.pub_edward);
336 }
337
338 /**
339 * @param {!CBOR.Encoder} e
340 * @returns {CBOR.Encoder}
341 */
342 encode(e) {
343 e.object(1);
344 e.u8(0);
345 return e.bytes(this.pub_edward);
346 }
347
348 /**
349 * @param {!CBOR.Decoder} d
350 * @returns {PublicKey}
351 */
352 static decode(d) {
353 TypeUtil.assert_is_instance(CBOR.Decoder, d);
354
355 const self = ClassUtil.new_instance(PublicKey);
356
357 const nprops = d.object();
358 for (let i = 0; i <= nprops - 1; i++) {
359 switch (d.u8()) {
360 case 0:
361 self.pub_edward = new Uint8Array(d.bytes());
362 break;
363 default:
364 d.skip();
365 }
366 }
367
368 TypeUtil.assert_is_instance(Uint8Array, self.pub_edward);
369
370 self.pub_curve = ed2curve.convertPublicKey(self.pub_edward);
371 return self;
372 }
373}
374
375module.exports = PublicKey;
376
377
378/***/ }),
379/* 5 */
380/***/ (function(module, exports) {
381
382module.exports = sodium;
383
384/***/ }),
385/* 6 */
386/***/ (function(module, exports, __webpack_require__) {
387
388"use strict";
389/*
390 * Wire
391 * Copyright (C) 2016 Wire Swiss GmbH
392 *
393 * This program is free software: you can redistribute it and/or modify
394 * it under the terms of the GNU General Public License as published by
395 * the Free Software Foundation, either version 3 of the License, or
396 * (at your option) any later version.
397 *
398 * This program is distributed in the hope that it will be useful,
399 * but WITHOUT ANY WARRANTY; without even the implied warranty of
400 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
401 * GNU General Public License for more details.
402 *
403 * You should have received a copy of the GNU General Public License
404 * along with this program. If not, see http://www.gnu.org/licenses/.
405 *
406 */
407
408
409
410/** @module errors */
411
412/**
413 * @class ProteusError
414 * @param {!string} message
415 * @param {string} [code]
416 * @extends Error
417 * @returns {ProteusError} - `this`
418 */
419const ProteusError = (function() {
420 const func = function(message, code = 1) {
421 this.code = code;
422 this.message = message;
423 this.name = this.constructor.name;
424 this.stack = (new Error).stack;
425 };
426
427 func.prototype = new Error;
428 func.prototype.constructor = func;
429 func.prototype.CODE = {
430 CASE_100: 100,
431 CASE_101: 101,
432 CASE_102: 102,
433 CASE_103: 103,
434 CASE_104: 104,
435 };
436
437 return func;
438})();
439
440module.exports = ProteusError;
441
442
443/***/ }),
444/* 7 */
445/***/ (function(module, exports, __webpack_require__) {
446
447"use strict";
448/*
449 * Wire
450 * Copyright (C) 2016 Wire Swiss GmbH
451 *
452 * This program is free software: you can redistribute it and/or modify
453 * it under the terms of the GNU General Public License as published by
454 * the Free Software Foundation, either version 3 of the License, or
455 * (at your option) any later version.
456 *
457 * This program is distributed in the hope that it will be useful,
458 * but WITHOUT ANY WARRANTY; without even the implied warranty of
459 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
460 * GNU General Public License for more details.
461 *
462 * You should have received a copy of the GNU General Public License
463 * along with this program. If not, see http://www.gnu.org/licenses/.
464 *
465 */
466
467
468
469const CBOR = __webpack_require__(2);
470const ed2curve = __webpack_require__(21);
471const sodium = __webpack_require__(5);
472
473const ClassUtil = __webpack_require__(3);
474const DontCallConstructor = __webpack_require__(0);
475const TypeUtil = __webpack_require__(1);
476
477const PublicKey = __webpack_require__(4);
478const SecretKey = __webpack_require__(22);
479
480/** @module keys */
481
482/**
483 * Construct an ephemeral key pair.
484 * @class KeyPair
485 * @throws {DontCallConstructor}
486 */
487class KeyPair {
488 constructor() {
489 throw new DontCallConstructor(this);
490 }
491
492 /** @returns {KeyPair} - `this` */
493 static new() {
494 const ed25519_key_pair = sodium.crypto_sign_keypair();
495
496 const kp = ClassUtil.new_instance(KeyPair);
497 kp.secret_key = KeyPair.prototype._construct_private_key(ed25519_key_pair);
498 kp.public_key = KeyPair.prototype._construct_public_key(ed25519_key_pair);
499
500 return kp;
501 }
502
503 /**
504 * @description Ed25519 keys can be converted to Curve25519 keys, so that the same key pair can be
505 * used both for authenticated encryption (crypto_box) and for signatures (crypto_sign).
506 * @param {!Uint8Array} ed25519_key_pair - Key pair based on Edwards-curve (Ed25519)
507 * @returns {keys.SecretKey} - Constructed private key
508 * @private
509 * @see https://download.libsodium.org/doc/advanced/ed25519-curve25519.html
510 */
511 _construct_private_key(ed25519_key_pair) {
512 const sk_ed25519 = ed25519_key_pair.privateKey;
513 const sk_curve25519 = ed2curve.convertSecretKey(sk_ed25519);
514 return SecretKey.new(sk_ed25519, sk_curve25519);
515 }
516
517 /**
518 * @typedef {Object} libsodium_keypair
519 * @param {!Uint8Array} publicKey
520 * @param {!Uint8Array} privateKey
521 * @param {!string} keyType
522 */
523 /**
524 * @param {!libsodium_keypair} ed25519_key_pair - Key pair based on Edwards-curve (Ed25519)
525 * @private
526 * @returns {keys.PublicKey} - Constructed public key
527 */
528 _construct_public_key(ed25519_key_pair) {
529 const pk_ed25519 = ed25519_key_pair.publicKey;
530 const pk_curve25519 = ed2curve.convertPublicKey(pk_ed25519);
531 return PublicKey.new(pk_ed25519, pk_curve25519);
532 }
533
534 /**
535 * @param {!CBOR.Encoder} e
536 * @returns {CBOR.Encoder}
537 */
538 encode(e) {
539 e.object(2);
540
541 e.u8(0);
542 this.secret_key.encode(e);
543
544 e.u8(1);
545 return this.public_key.encode(e);
546 }
547
548 /**
549 * @param {!CBOR.Decoder} d
550 * @returns {KeyPair}
551 */
552 static decode(d) {
553 TypeUtil.assert_is_instance(CBOR.Decoder, d);
554
555 const self = ClassUtil.new_instance(KeyPair);
556
557 const nprops = d.object();
558 for (let i = 0; i <= nprops - 1; i++) {
559 switch (d.u8()) {
560 case 0:
561 self.secret_key = SecretKey.decode(d);
562 break;
563 case 1:
564 self.public_key = PublicKey.decode(d);
565 break;
566 default:
567 d.skip();
568 }
569 }
570
571 TypeUtil.assert_is_instance(SecretKey, self.secret_key);
572 TypeUtil.assert_is_instance(PublicKey, self.public_key);
573
574 return self;
575 }
576}
577
578module.exports = KeyPair;
579
580
581/***/ }),
582/* 8 */
583/***/ (function(module, exports, __webpack_require__) {
584
585"use strict";
586/*
587 * Wire
588 * Copyright (C) 2016 Wire Swiss GmbH
589 *
590 * This program is free software: you can redistribute it and/or modify
591 * it under the terms of the GNU General Public License as published by
592 * the Free Software Foundation, either version 3 of the License, or
593 * (at your option) any later version.
594 *
595 * This program is distributed in the hope that it will be useful,
596 * but WITHOUT ANY WARRANTY; without even the implied warranty of
597 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
598 * GNU General Public License for more details.
599 *
600 * You should have received a copy of the GNU General Public License
601 * along with this program. If not, see http://www.gnu.org/licenses/.
602 *
603 */
604
605
606
607const CBOR = __webpack_require__(2);
608const sodium = __webpack_require__(5);
609
610const ClassUtil = __webpack_require__(3);
611const DontCallConstructor = __webpack_require__(0);
612const TypeUtil = __webpack_require__(1);
613
614const PublicKey = __webpack_require__(4);
615
616/** @module keys */
617
618/**
619 * Construct a long-term identity key pair.
620 * @classdesc Every client has a long-term identity key pair.
621 * Long-term identity keys are used to initialise "sessions" with other clients (triple DH).
622 * @throws {DontCallConstructor}
623 */
624class IdentityKey {
625 constructor() {
626 throw new DontCallConstructor(this);
627 }
628
629 /**
630 * @param {!PublicKey} public_key
631 * @returns {IdentityKey} - `this`
632 */
633 static new(public_key) {
634 TypeUtil.assert_is_instance(PublicKey, public_key);
635
636 const key = ClassUtil.new_instance(IdentityKey);
637 key.public_key = public_key;
638 return key;
639 }
640
641 /** @returns {string} */
642 fingerprint() {
643 return this.public_key.fingerprint();
644 }
645
646 /** @returns {string} */
647 toString() {
648 return sodium.to_hex(this.public_key);
649 }
650
651 /**
652 * @param {!CBOR.Encoder} e
653 * @returns {CBOR.Encoder}
654 */
655 encode(e) {
656 e.object(1);
657 e.u8(0);
658 return this.public_key.encode(e);
659 }
660
661 /**
662 * @param {!CBOR.Decoder} d
663 * @returns {IdentityKey}
664 */
665 static decode(d) {
666 TypeUtil.assert_is_instance(CBOR.Decoder, d);
667
668 let public_key = null;
669
670 const nprops = d.object();
671 for (let i = 0; i <= nprops - 1; i++) {
672 switch (d.u8()) {
673 case 0:
674 public_key = PublicKey.decode(d);
675 break;
676 default:
677 d.skip();
678 }
679 }
680
681 return IdentityKey.new(public_key);
682 }
683}
684
685module.exports = IdentityKey;
686
687
688/***/ }),
689/* 9 */
690/***/ (function(module, exports, __webpack_require__) {
691
692"use strict";
693/*
694 * Wire
695 * Copyright (C) 2016 Wire Swiss GmbH
696 *
697 * This program is free software: you can redistribute it and/or modify
698 * it under the terms of the GNU General Public License as published by
699 * the Free Software Foundation, either version 3 of the License, or
700 * (at your option) any later version.
701 *
702 * This program is distributed in the hope that it will be useful,
703 * but WITHOUT ANY WARRANTY; without even the implied warranty of
704 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
705 * GNU General Public License for more details.
706 *
707 * You should have received a copy of the GNU General Public License
708 * along with this program. If not, see http://www.gnu.org/licenses/.
709 *
710 */
711
712
713
714const CBOR = __webpack_require__(2);
715
716const ClassUtil = __webpack_require__(3);
717const DontCallConstructor = __webpack_require__(0);
718const TypeUtil = __webpack_require__(1);
719
720const Message = __webpack_require__(12);
721
722/** @module message */
723
724/**
725 * @extends Message
726 * @throws {DontCallConstructor}
727 */
728class HeaderMessage extends Message {
729 constructor() {
730 super();
731 throw new DontCallConstructor(this);
732 }
733
734 /**
735 * @param {!Uint8Array} encrypted_header - encrypted header
736 * @param {!Uint8Array} cipher_text
737 * @returns {HeaderMessage} - `this`
738 */
739 static new(encrypted_header, cipher_text) {
740 TypeUtil.assert_is_instance(Uint8Array, encrypted_header);
741 TypeUtil.assert_is_instance(Uint8Array, cipher_text);
742
743 const hm = ClassUtil.new_instance(HeaderMessage);
744
745 hm.header = encrypted_header;
746 hm.cipher_text = cipher_text;
747
748 Object.freeze(hm);
749 return hm;
750 }
751
752 /**
753 * @param {!CBOR.Encoder} e
754 * @returns {CBOR.Encoder}
755 */
756 encode(e) {
757 e.object(2);
758
759 e.u8(0);
760 e.object(1);
761 e.u8(0);
762 e.bytes(this.header);
763
764 e.u8(1);
765 return e.bytes(this.cipher_text);
766 }
767
768 /**
769 * @param {!CBOR.Decoder} d
770 * @returns {HeaderMessage}
771 */
772 static decode(d) {
773 TypeUtil.assert_is_instance(CBOR.Decoder, d);
774
775 let header = null;
776 let cipher_text = null;
777
778 const nprops = d.object();
779 for (let i = 0; i <= nprops - 1; i++) {
780 switch (d.u8()) {
781 case 0: {
782 const nprops_mac = d.object();
783 for (let j = 0; j <= nprops_mac - 1; j++) {
784 switch (d.u8()) {
785 case 0:
786 header = new Uint8Array(d.bytes());
787 break;
788 default:
789 d.skip();
790 }
791 }
792 break;
793 }
794 case 1: {
795 cipher_text = new Uint8Array(d.bytes());
796 break;
797 }
798 default: {
799 d.skip();
800 }
801 }
802 }
803
804 return HeaderMessage.new(header, cipher_text);
805 }
806}
807
808module.exports = HeaderMessage;
809
810
811/***/ }),
812/* 10 */
813/***/ (function(module, exports, __webpack_require__) {
814
815"use strict";
816/*
817 * Wire
818 * Copyright (C) 2016 Wire Swiss GmbH
819 *
820 * This program is free software: you can redistribute it and/or modify
821 * it under the terms of the GNU General Public License as published by
822 * the Free Software Foundation, either version 3 of the License, or
823 * (at your option) any later version.
824 *
825 * This program is distributed in the hope that it will be useful,
826 * but WITHOUT ANY WARRANTY; without even the implied warranty of
827 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
828 * GNU General Public License for more details.
829 *
830 * You should have received a copy of the GNU General Public License
831 * along with this program. If not, see http://www.gnu.org/licenses/.
832 *
833 */
834
835
836
837const ProteusError = __webpack_require__(6);
838
839/** @module errors */
840
841/**
842 * @extends ProteusError
843 * @param {string} [message]
844 * @param {string} [code]
845 */
846class DecryptError extends ProteusError {
847 constructor(message = 'Unknown decryption error', code = 2) {
848 super(message, code);
849 }
850
851 static get CODE() {
852 return {
853 CASE_200: 200,
854 CASE_201: 201,
855 CASE_202: 202,
856 CASE_203: 203,
857 CASE_204: 204,
858 CASE_205: 205,
859 CASE_206: 206,
860 CASE_207: 207,
861 CASE_208: 208,
862 CASE_209: 209,
863 CASE_210: 210,
864 CASE_211: 211,
865 CASE_212: 212,
866 CASE_213: 213,
867 CASE_214: 214,
868 CASE_215: 215,
869 CASE_216: 216,
870 };
871 }
872}
873
874/**
875 * @extends DecryptError
876 * @param {string} [message]
877 * @param {string} [code]
878 */
879class RemoteIdentityChanged extends DecryptError {
880 constructor(message = 'Remote identity changed', code) {
881 super(message, code);
882 }
883}
884
885/**
886 * @extends DecryptError
887 * @param {string} [message]
888 * @param {string} [code]
889 */
890class InvalidSignature extends DecryptError {
891 constructor(message = 'Invalid signature', code) {
892 super(message, code);
893 }
894}
895
896/**
897 * @extends DecryptError
898 * @param {string} [message]
899 * @param {string} [code]
900 */
901class InvalidMessage extends DecryptError {
902 constructor(message = 'Invalid message', code) {
903 super(message, code);
904 }
905}
906
907/**
908 * @extends DecryptError
909 * @param {string} [message]
910 * @param {string} [code]
911 */
912class DuplicateMessage extends DecryptError {
913 constructor(message = 'Duplicate message', code) {
914 super(message, code);
915 }
916}
917
918/**
919 * @extends DecryptError
920 * @param {string} [message]
921 * @param {string} [code]
922 */
923class TooDistantFuture extends DecryptError {
924 constructor(message = 'Message is from too distant in the future', code) {
925 super(message, code);
926 }
927}
928
929/**
930 * @extends DecryptError
931 * @param {string} [message]
932 * @param {string} [code]
933 */
934class OutdatedMessage extends DecryptError {
935 constructor(message = 'Outdated message', code) {
936 super(message, code);
937 }
938}
939
940/**
941 * @extends DecryptError
942 * @param {string} [message]
943 * @param {string} [code]
944 */
945class PrekeyNotFound extends DecryptError {
946 constructor(message = 'Pre-key not found', code) {
947 super(message, code);
948 }
949}
950
951/**
952 * @extends DecryptError
953 * @param {string} [message]
954 * @param {string} [code]
955 */
956class HeaderDecryptionFailed extends DecryptError {
957 constructor(message = 'Header descryption failed', code) {
958 super(message, code);
959 }
960}
961
962/**
963 * @extends DecryptError
964 * @param {string} [message]
965 * @param {string} [code]
966 */
967class InvalidHeader extends DecryptError {
968 constructor(message = 'Invalid header', code) {
969 super(message, code);
970 }
971}
972
973Object.assign(DecryptError, {
974 RemoteIdentityChanged,
975 InvalidSignature,
976 InvalidMessage,
977 DuplicateMessage,
978 TooDistantFuture,
979 OutdatedMessage,
980 PrekeyNotFound,
981 HeaderDecryptionFailed,
982 InvalidHeader,
983});
984
985module.exports = ProteusError.DecryptError = DecryptError;
986
987
988/***/ }),
989/* 11 */
990/***/ (function(module, exports, __webpack_require__) {
991
992"use strict";
993/*
994 * Wire
995 * Copyright (C) 2016 Wire Swiss GmbH
996 *
997 * This program is free software: you can redistribute it and/or modify
998 * it under the terms of the GNU General Public License as published by
999 * the Free Software Foundation, either version 3 of the License, or
1000 * (at your option) any later version.
1001 *
1002 * This program is distributed in the hope that it will be useful,
1003 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1004 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1005 * GNU General Public License for more details.
1006 *
1007 * You should have received a copy of the GNU General Public License
1008 * along with this program. If not, see http://www.gnu.org/licenses/.
1009 *
1010 */
1011
1012
1013
1014const CBOR = __webpack_require__(2);
1015
1016const ClassUtil = __webpack_require__(3);
1017const DontCallConstructor = __webpack_require__(0);
1018const TypeUtil = __webpack_require__(1);
1019
1020const IdentityKey = __webpack_require__(8);
1021const KeyPair = __webpack_require__(7);
1022const SecretKey = __webpack_require__(22);
1023
1024/** @module keys */
1025
1026/**
1027 * @class IdentityKeyPair
1028 * @throws {DontCallConstructor}
1029 */
1030class IdentityKeyPair {
1031 constructor() {
1032 throw new DontCallConstructor(this);
1033 }
1034
1035 /** @returns {IdentityKeyPair} - `this` */
1036 static new() {
1037 const key_pair = KeyPair.new();
1038
1039 /** @type {IdentityKeyPair} */
1040 const ikp = ClassUtil.new_instance(IdentityKeyPair);
1041 ikp.version = 1;
1042 ikp.secret_key = key_pair.secret_key;
1043 ikp.public_key = IdentityKey.new(key_pair.public_key);
1044
1045 return ikp;
1046 }
1047
1048 /** @returns {ArrayBuffer} */
1049 serialise() {
1050 const e = new CBOR.Encoder();
1051 this.encode(e);
1052 return e.get_buffer();
1053 }
1054
1055 /**
1056 * @param {!ArrayBuffer} buf
1057 * @returns {IdentityKeyPair}
1058 */
1059 static deserialise(buf) {
1060 TypeUtil.assert_is_instance(ArrayBuffer, buf);
1061
1062 const d = new CBOR.Decoder(buf);
1063 return IdentityKeyPair.decode(d);
1064 }
1065
1066 /**
1067 * @param {!CBOR.Encoder} e
1068 * @returns {CBOR.Encoder}
1069 */
1070 encode(e) {
1071 e.object(3);
1072 e.u8(0);
1073 e.u8(this.version);
1074 e.u8(1);
1075 this.secret_key.encode(e);
1076 e.u8(2);
1077 return this.public_key.encode(e);
1078 }
1079
1080 /**
1081 * @param {!CBOR.Decoder} d
1082 * @returns {IdentityKeyPair}
1083 */
1084 static decode(d) {
1085 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1086
1087 const self = ClassUtil.new_instance(IdentityKeyPair);
1088
1089 const nprops = d.object();
1090 for (let i = 0; i <= nprops - 1; i++) {
1091 switch (d.u8()) {
1092 case 0:
1093 self.version = d.u8();
1094 break;
1095 case 1:
1096 self.secret_key = SecretKey.decode(d);
1097 break;
1098 case 2:
1099 self.public_key = IdentityKey.decode(d);
1100 break;
1101 default:
1102 d.skip();
1103 }
1104 }
1105
1106 TypeUtil.assert_is_integer(self.version);
1107 TypeUtil.assert_is_instance(SecretKey, self.secret_key);
1108 TypeUtil.assert_is_instance(IdentityKey, self.public_key);
1109
1110 return self;
1111 }
1112}
1113
1114module.exports = IdentityKeyPair;
1115
1116
1117/***/ }),
1118/* 12 */
1119/***/ (function(module, exports, __webpack_require__) {
1120
1121"use strict";
1122/*
1123 * Wire
1124 * Copyright (C) 2016 Wire Swiss GmbH
1125 *
1126 * This program is free software: you can redistribute it and/or modify
1127 * it under the terms of the GNU General Public License as published by
1128 * the Free Software Foundation, either version 3 of the License, or
1129 * (at your option) any later version.
1130 *
1131 * This program is distributed in the hope that it will be useful,
1132 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1133 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1134 * GNU General Public License for more details.
1135 *
1136 * You should have received a copy of the GNU General Public License
1137 * along with this program. If not, see http://www.gnu.org/licenses/.
1138 *
1139 */
1140
1141
1142
1143const CBOR = __webpack_require__(2);
1144
1145const DontCallConstructor = __webpack_require__(0);
1146const TypeUtil = __webpack_require__(1);
1147
1148const DecodeError = __webpack_require__(19);
1149
1150/** @module message */
1151
1152/**
1153 * @class Message
1154 * @throws {DontCallConstructor}
1155 */
1156class Message {
1157 constructor() {
1158 throw new DontCallConstructor(this);
1159 }
1160
1161 /** @returns {ArrayBuffer} */
1162 serialise() {
1163 const e = new CBOR.Encoder();
1164 if (this instanceof HeaderMessage) {
1165 e.u8(1);
1166 } else if (this instanceof PreKeyMessage) {
1167 e.u8(2);
1168 } else {
1169 throw new TypeError('Unexpected message type', 9);
1170 }
1171
1172 this.encode(e);
1173 return e.get_buffer();
1174 }
1175
1176 /**
1177 * @param {!ArrayBuffer} buf
1178 * @returns {message.HeaderMessage|message.PreKeyMessage}
1179 */
1180 static deserialise(buf) {
1181 TypeUtil.assert_is_instance(ArrayBuffer, buf);
1182
1183 const d = new CBOR.Decoder(buf);
1184
1185 switch (d.u8()) {
1186 case 1:
1187 return HeaderMessage.decode(d);
1188 case 2:
1189 return PreKeyMessage.decode(d);
1190 default:
1191 throw new DecodeError.InvalidType('Unrecognised message type', DecodeError.CODE.CASE_302);
1192 }
1193 }
1194}
1195
1196module.exports = Message;
1197
1198// these require lines have to come after the Message definition because otherwise
1199// it creates a circular dependency with the message subtypes
1200const HeaderMessage = __webpack_require__(9);
1201const PreKeyMessage = __webpack_require__(13);
1202
1203
1204/***/ }),
1205/* 13 */
1206/***/ (function(module, exports, __webpack_require__) {
1207
1208"use strict";
1209/*
1210 * Wire
1211 * Copyright (C) 2016 Wire Swiss GmbH
1212 *
1213 * This program is free software: you can redistribute it and/or modify
1214 * it under the terms of the GNU General Public License as published by
1215 * the Free Software Foundation, either version 3 of the License, or
1216 * (at your option) any later version.
1217 *
1218 * This program is distributed in the hope that it will be useful,
1219 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1220 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1221 * GNU General Public License for more details.
1222 *
1223 * You should have received a copy of the GNU General Public License
1224 * along with this program. If not, see http://www.gnu.org/licenses/.
1225 *
1226 */
1227
1228
1229
1230const CBOR = __webpack_require__(2);
1231
1232const ClassUtil = __webpack_require__(3);
1233const DontCallConstructor = __webpack_require__(0);
1234const TypeUtil = __webpack_require__(1);
1235
1236const IdentityKey = __webpack_require__(8);
1237const PublicKey = __webpack_require__(4);
1238
1239const HeaderMessage = __webpack_require__(9);
1240const Message = __webpack_require__(12);
1241
1242/** @module message */
1243
1244/**
1245 * @extends Message
1246 * @throws {DontCallConstructor}
1247 */
1248class PreKeyMessage extends Message {
1249 constructor() {
1250 super();
1251 throw new DontCallConstructor(this);
1252 }
1253
1254 /**
1255 * @param {!number} prekey_id
1256 * @param {!keys.PublicKey} base_key
1257 * @param {!keys.IdentityKey} identity_key
1258 * @param {!message.HeaderMessage} message
1259 * @returns {PreKeyMessage}
1260 */
1261 static new(prekey_id, base_key, identity_key, message) {
1262 TypeUtil.assert_is_integer(prekey_id);
1263 TypeUtil.assert_is_instance(PublicKey, base_key);
1264 TypeUtil.assert_is_instance(IdentityKey, identity_key);
1265 TypeUtil.assert_is_instance(HeaderMessage, message);
1266
1267 const pkm = ClassUtil.new_instance(PreKeyMessage);
1268
1269 pkm.prekey_id = prekey_id;
1270 pkm.base_key = base_key;
1271 pkm.identity_key = identity_key;
1272 pkm.message = message;
1273
1274 Object.freeze(pkm);
1275 return pkm;
1276 }
1277
1278 /**
1279 * @param {!CBOR.Encoder} e
1280 * @returns {CBOR.Encoder}
1281 */
1282 encode(e) {
1283 e.object(4);
1284 e.u8(0);
1285 e.u16(this.prekey_id);
1286 e.u8(1);
1287 this.base_key.encode(e);
1288 e.u8(2);
1289 this.identity_key.encode(e);
1290 e.u8(3);
1291 return this.message.encode(e);
1292 }
1293
1294 /**
1295 * @param {!CBOR.Decoder} d
1296 * @returns {PreKeyMessage}
1297 */
1298 static decode(d) {
1299 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1300
1301 let prekey_id = null;
1302 let base_key = null;
1303 let identity_key = null;
1304 let message = null;
1305
1306 const nprops = d.object();
1307 for (let i = 0; i <= nprops - 1; i++) {
1308 switch (d.u8()) {
1309 case 0:
1310 prekey_id = d.u16();
1311 break;
1312 case 1:
1313 base_key = PublicKey.decode(d);
1314 break;
1315 case 2:
1316 identity_key = IdentityKey.decode(d);
1317 break;
1318 case 3:
1319 message = HeaderMessage.decode(d);
1320 break;
1321 default:
1322 d.skip();
1323 }
1324 }
1325
1326 // checks for missing variables happens in constructor
1327 return PreKeyMessage.new(prekey_id, base_key, identity_key, message);
1328 }
1329}
1330
1331module.exports = PreKeyMessage;
1332
1333
1334/***/ }),
1335/* 14 */
1336/***/ (function(module, exports, __webpack_require__) {
1337
1338"use strict";
1339/*
1340 * Wire
1341 * Copyright (C) 2016 Wire Swiss GmbH
1342 *
1343 * This program is free software: you can redistribute it and/or modify
1344 * it under the terms of the GNU General Public License as published by
1345 * the Free Software Foundation, either version 3 of the License, or
1346 * (at your option) any later version.
1347 *
1348 * This program is distributed in the hope that it will be useful,
1349 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1350 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1351 * GNU General Public License for more details.
1352 *
1353 * You should have received a copy of the GNU General Public License
1354 * along with this program. If not, see http://www.gnu.org/licenses/.
1355 *
1356 */
1357
1358
1359
1360const CBOR = __webpack_require__(2);
1361
1362const ClassUtil = __webpack_require__(3);
1363const DontCallConstructor = __webpack_require__(0);
1364const TypeUtil = __webpack_require__(1);
1365
1366const MacKey = __webpack_require__(15);
1367const Message = __webpack_require__(12);
1368
1369/** @module message */
1370
1371/**
1372 * @class Envelope
1373 * @throws {DontCallConstructor}
1374 */
1375class Envelope {
1376 constructor() {
1377 throw new DontCallConstructor(this);
1378 }
1379
1380 /**
1381 * @param {!derived.MacKey} mac_key MacKey generated by derived secrets
1382 * @param {!message.Message} message
1383 * @returns {Envelope}
1384 */
1385 static new(mac_key, message) {
1386 TypeUtil.assert_is_instance(MacKey, mac_key);
1387 TypeUtil.assert_is_instance(Message, message);
1388
1389 const serialized_message = new Uint8Array(message.serialise());
1390
1391 const env = ClassUtil.new_instance(Envelope);
1392
1393 env.version = 1;
1394 env.mac = mac_key.sign(serialized_message);
1395 env.message = message;
1396 env._message_enc = serialized_message;
1397
1398 Object.freeze(env);
1399 return env;
1400 }
1401
1402 /**
1403 * @param {!derived.MacKey} mac_key The remote party's MacKey
1404 * @returns {boolean}
1405 */
1406 verify(mac_key) {
1407 TypeUtil.assert_is_instance(MacKey, mac_key);
1408 return mac_key.verify(this.mac, this._message_enc);
1409 }
1410
1411 /** @returns {ArrayBuffer} - The serialized message envelope */
1412 serialise() {
1413 const e = new CBOR.Encoder();
1414 this.encode(e);
1415 return e.get_buffer();
1416 }
1417
1418 /**
1419 * @param {!ArrayBuffer} buf
1420 * @returns {Envelope}
1421 */
1422 static deserialise(buf) {
1423 TypeUtil.assert_is_instance(ArrayBuffer, buf);
1424
1425 const d = new CBOR.Decoder(buf);
1426 return Envelope.decode(d);
1427 }
1428
1429 /**
1430 * @param {!CBOR.Encoder} e
1431 * @returns {CBOR.Encoder}
1432 */
1433 encode(e) {
1434 e.object(3);
1435 e.u8(0);
1436 e.u8(this.version);
1437
1438 e.u8(1);
1439 e.object(1);
1440 e.u8(0);
1441 e.bytes(this.mac);
1442
1443 e.u8(2);
1444 return e.bytes(this._message_enc);
1445 }
1446
1447 /**
1448 * @param {!CBOR.Decoder} d
1449 * @returns {Envelope}
1450 */
1451 static decode(d) {
1452 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1453
1454 const env = ClassUtil.new_instance(Envelope);
1455
1456 const nprops = d.object();
1457 for (let i = 0; i <= nprops - 1; i++) {
1458 switch (d.u8()) {
1459 case 0: {
1460 env.version = d.u8();
1461 break;
1462 }
1463 case 1: {
1464 const nprops_mac = d.object();
1465 for (let j = 0; j <= nprops_mac - 1; j++) {
1466 switch (d.u8()) {
1467 case 0:
1468 env.mac = new Uint8Array(d.bytes());
1469 break;
1470 default:
1471 d.skip();
1472 }
1473 }
1474 break;
1475 }
1476 case 2: {
1477 env._message_enc = new Uint8Array(d.bytes());
1478 break;
1479 }
1480 default: {
1481 d.skip();
1482 }
1483 }
1484 }
1485
1486 TypeUtil.assert_is_integer(env.version);
1487 TypeUtil.assert_is_instance(Uint8Array, env.mac);
1488
1489 env.message = Message.deserialise(env._message_enc.buffer);
1490
1491 Object.freeze(env);
1492 return env;
1493 }
1494}
1495
1496module.exports = Envelope;
1497
1498
1499/***/ }),
1500/* 15 */
1501/***/ (function(module, exports, __webpack_require__) {
1502
1503"use strict";
1504/*
1505 * Wire
1506 * Copyright (C) 2016 Wire Swiss GmbH
1507 *
1508 * This program is free software: you can redistribute it and/or modify
1509 * it under the terms of the GNU General Public License as published by
1510 * the Free Software Foundation, either version 3 of the License, or
1511 * (at your option) any later version.
1512 *
1513 * This program is distributed in the hope that it will be useful,
1514 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1515 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1516 * GNU General Public License for more details.
1517 *
1518 * You should have received a copy of the GNU General Public License
1519 * along with this program. If not, see http://www.gnu.org/licenses/.
1520 *
1521 */
1522
1523
1524
1525const CBOR = __webpack_require__(2);
1526const sodium = __webpack_require__(5);
1527
1528const ClassUtil = __webpack_require__(3);
1529const DontCallConstructor = __webpack_require__(0);
1530const TypeUtil = __webpack_require__(1);
1531
1532/** @module derived */
1533
1534/**
1535 * @class MacKey
1536 * @throws {DontCallConstructor}
1537 */
1538class MacKey {
1539 constructor() {
1540 throw new DontCallConstructor(this);
1541 }
1542
1543 /**
1544 * @param {!Uint8Array} key - Mac Key in byte array format generated by derived secrets
1545 * @returns {MacKey} - `this`
1546 */
1547 static new(key) {
1548 TypeUtil.assert_is_instance(Uint8Array, key);
1549
1550 const mk = ClassUtil.new_instance(MacKey);
1551 /** @type {Uint8Array} */
1552 mk.key = key;
1553 return mk;
1554 }
1555
1556 /**
1557 * Hash-based message authentication code
1558 * @param {!(string|Uint8Array)} msg
1559 * @returns {Uint8Array}
1560 */
1561 sign(msg) {
1562 return sodium.crypto_auth_hmacsha256(msg, this.key);
1563 }
1564
1565 /**
1566 * Verifies the signature of a given message by resigning it.
1567 * @param {!Uint8Array} signature Mac signature (HMAC) which needs to get verified
1568 * @param {!Uint8Array} msg Unsigned message
1569 * @returns {boolean}
1570 */
1571 verify(signature, msg) {
1572 return sodium.crypto_auth_hmacsha256_verify(signature, msg, this.key);
1573 }
1574
1575 /**
1576 * @param {!CBOR.Encoder} e
1577 * @returns {CBOR.Encoder}
1578 */
1579 encode(e) {
1580 e.object(1);
1581 e.u8(0);
1582 return e.bytes(this.key);
1583 }
1584
1585 /**
1586 * @param {!CBOR.Decoder} d
1587 * @returns {MacKey}
1588 */
1589 static decode(d) {
1590 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1591
1592 let key_bytes = null;
1593
1594 const nprops = d.object();
1595 for (let i = 0; i <= nprops - 1; i++) {
1596 switch (d.u8()) {
1597 case 0:
1598 key_bytes = new Uint8Array(d.bytes());
1599 break;
1600 default:
1601 d.skip();
1602 }
1603 }
1604
1605 return MacKey.new(key_bytes);
1606 }
1607}
1608
1609module.exports = MacKey;
1610
1611
1612/***/ }),
1613/* 16 */
1614/***/ (function(module, exports, __webpack_require__) {
1615
1616"use strict";
1617/*
1618 * Wire
1619 * Copyright (C) 2016 Wire Swiss GmbH
1620 *
1621 * This program is free software: you can redistribute it and/or modify
1622 * it under the terms of the GNU General Public License as published by
1623 * the Free Software Foundation, either version 3 of the License, or
1624 * (at your option) any later version.
1625 *
1626 * This program is distributed in the hope that it will be useful,
1627 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1628 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1629 * GNU General Public License for more details.
1630 *
1631 * You should have received a copy of the GNU General Public License
1632 * along with this program. If not, see http://www.gnu.org/licenses/.
1633 *
1634 */
1635
1636
1637
1638const sodium = __webpack_require__(5);
1639
1640/** @module util */
1641
1642const MemoryUtil = {
1643 /**
1644 * @param {!(Uint8Array|ArrayBuffer|Object)} object
1645 * @returns {void}
1646 */
1647 zeroize(object) {
1648 if (object instanceof Uint8Array) {
1649 sodium.memzero(object);
1650 } else if (object instanceof ArrayBuffer) {
1651 sodium.memzero(new Uint8Array(object));
1652 } else if (typeof object === 'object') {
1653 Object.keys(object).map((key) => object[key]).forEach((val) => this.zeroize(val));
1654 }
1655 },
1656};
1657
1658module.exports = MemoryUtil;
1659
1660
1661/***/ }),
1662/* 17 */
1663/***/ (function(module, exports, __webpack_require__) {
1664
1665"use strict";
1666/*
1667 * Wire
1668 * Copyright (C) 2016 Wire Swiss GmbH
1669 *
1670 * This program is free software: you can redistribute it and/or modify
1671 * it under the terms of the GNU General Public License as published by
1672 * the Free Software Foundation, either version 3 of the License, or
1673 * (at your option) any later version.
1674 *
1675 * This program is distributed in the hope that it will be useful,
1676 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1677 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1678 * GNU General Public License for more details.
1679 *
1680 * You should have received a copy of the GNU General Public License
1681 * along with this program. If not, see http://www.gnu.org/licenses/.
1682 *
1683 */
1684
1685
1686
1687const CBOR = __webpack_require__(2);
1688const sodium = __webpack_require__(5);
1689
1690const ClassUtil = __webpack_require__(3);
1691const DontCallConstructor = __webpack_require__(0);
1692const TypeUtil = __webpack_require__(1);
1693
1694/** @module derived */
1695
1696/**
1697 * @class HeadKey
1698 * @throws {DontCallConstructor}
1699 */
1700class HeadKey {
1701 constructor() {
1702 throw new DontCallConstructor(this);
1703 }
1704
1705 /**
1706 * @param {!Uint8Array} key
1707 * @returns {HeadKey} - `this`
1708 */
1709 static new(key) {
1710 TypeUtil.assert_is_instance(Uint8Array, key);
1711
1712 const hk = ClassUtil.new_instance(HeadKey);
1713 /** @type {Uint8Array} */
1714 hk.key = key;
1715 return hk;
1716 }
1717
1718 /**
1719 * @param {!number} idx
1720 * @returns {Uint8Array}
1721 */
1722 static index_as_nonce(idx) {
1723 const nonce = new ArrayBuffer(8);
1724 new DataView(nonce).setUint32(0, idx);
1725 return new Uint8Array(nonce);
1726 }
1727
1728 /**
1729 * @param {!ArrayBuffer} header - The serialized header to encrypt
1730 * @param {!Uint8Array} nonce
1731 * @returns {Uint8Array} - Encrypted payload
1732 */
1733 encrypt(header, nonce) {
1734 header = new Uint8Array(header);
1735
1736 return sodium.crypto_stream_chacha20_xor(header, nonce, this.key, 'uint8array');
1737 }
1738
1739 /**
1740 * @param {!Uint8Array} encrypted_header
1741 * @param {!Uint8Array} nonce
1742 * @returns {Uint8Array}
1743 */
1744 decrypt(encrypted_header, nonce) {
1745 return this.encrypt(encrypted_header, nonce);
1746 }
1747
1748 /**
1749 * @param {!CBOR.Encoder} e
1750 * @returns {CBOR.Encoder}
1751 */
1752 encode(e) {
1753 e.object(1);
1754 e.u8(0);
1755 return e.bytes(this.key);
1756 }
1757
1758 /**
1759 * @param {!CBOR.Encoder} d
1760 * @returns {HeadKey}
1761 */
1762 static decode(d) {
1763 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1764
1765 let key_bytes = null;
1766
1767 const nprops = d.object();
1768 for (let i = 0; i <= nprops - 1; i++) {
1769 switch (d.u8()) {
1770 case 0:
1771 key_bytes = new Uint8Array(d.bytes());
1772 break;
1773 default:
1774 d.skip();
1775 }
1776 }
1777 return HeadKey.new(key_bytes);
1778 }
1779}
1780
1781module.exports = HeadKey;
1782
1783
1784/***/ }),
1785/* 18 */
1786/***/ (function(module, exports, __webpack_require__) {
1787
1788"use strict";
1789/*
1790 * Wire
1791 * Copyright (C) 2016 Wire Swiss GmbH
1792 *
1793 * This program is free software: you can redistribute it and/or modify
1794 * it under the terms of the GNU General Public License as published by
1795 * the Free Software Foundation, either version 3 of the License, or
1796 * (at your option) any later version.
1797 *
1798 * This program is distributed in the hope that it will be useful,
1799 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1800 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1801 * GNU General Public License for more details.
1802 *
1803 * You should have received a copy of the GNU General Public License
1804 * along with this program. If not, see http://www.gnu.org/licenses/.
1805 *
1806 */
1807
1808
1809
1810const CBOR = __webpack_require__(2);
1811
1812const ClassUtil = __webpack_require__(3);
1813const DontCallConstructor = __webpack_require__(0);
1814const TypeUtil = __webpack_require__(1);
1815
1816const DerivedSecrets = __webpack_require__(26);
1817const MacKey = __webpack_require__(15);
1818const MessageKeys = __webpack_require__(32);
1819
1820/** @module session */
1821
1822/**
1823 * @class ChainKey
1824 * @throws {DontCallConstructor}
1825 */
1826class ChainKey {
1827 constructor() {
1828 throw new DontCallConstructor(this);
1829 }
1830
1831 /**
1832 * @param {!derived.MacKey} key - Mac Key generated by derived secrets
1833 * @param {!number} counter
1834 * @returns {ChainKey}
1835 */
1836 static from_mac_key(key, counter) {
1837 TypeUtil.assert_is_instance(MacKey, key);
1838 TypeUtil.assert_is_integer(counter);
1839
1840 const ck = ClassUtil.new_instance(ChainKey);
1841 ck.key = key;
1842 ck.idx = counter;
1843 return ck;
1844 }
1845
1846 /** @returns {ChainKey} */
1847 next() {
1848 const ck = ClassUtil.new_instance(ChainKey);
1849 ck.key = MacKey.new(this.key.sign('1'));
1850 ck.idx = this.idx + 1;
1851 return ck;
1852 }
1853
1854 /** @returns {session.MessageKeys} */
1855 message_keys() {
1856 const base = this.key.sign('0');
1857 const derived_secrets = DerivedSecrets.kdf_without_salt(base, 'hash_ratchet');
1858 return MessageKeys.new(derived_secrets.cipher_key, derived_secrets.mac_key, this.idx);
1859 }
1860
1861 /**
1862 * @param {!CBOR.Encoder} e
1863 * @returns {CBOR.Encoder}
1864 */
1865 encode(e) {
1866 e.object(2);
1867 e.u8(0);
1868 this.key.encode(e);
1869 e.u8(1);
1870 return e.u32(this.idx);
1871 }
1872
1873 /**
1874 * @param {!CBOR.Decoder} d
1875 * @returns {ChainKey}
1876 */
1877 static decode(d) {
1878 TypeUtil.assert_is_instance(CBOR.Decoder, d);
1879
1880 const self = ClassUtil.new_instance(ChainKey);
1881
1882 const nprops = d.object();
1883 for (let i = 0; i <= nprops - 1; i++) {
1884 switch (d.u8()) {
1885 case 0:
1886 self.key = MacKey.decode(d);
1887 break;
1888 case 1:
1889 self.idx = d.u32();
1890 break;
1891 default:
1892 d.skip();
1893 }
1894 }
1895
1896 TypeUtil.assert_is_instance(MacKey, self.key);
1897 TypeUtil.assert_is_integer(self.idx);
1898
1899 return self;
1900 }
1901}
1902
1903module.exports = ChainKey;
1904
1905
1906/***/ }),
1907/* 19 */
1908/***/ (function(module, exports, __webpack_require__) {
1909
1910"use strict";
1911/*
1912 * Wire
1913 * Copyright (C) 2016 Wire Swiss GmbH
1914 *
1915 * This program is free software: you can redistribute it and/or modify
1916 * it under the terms of the GNU General Public License as published by
1917 * the Free Software Foundation, either version 3 of the License, or
1918 * (at your option) any later version.
1919 *
1920 * This program is distributed in the hope that it will be useful,
1921 * but WITHOUT ANY WARRANTY; without even the implied warranty of
1922 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1923 * GNU General Public License for more details.
1924 *
1925 * You should have received a copy of the GNU General Public License
1926 * along with this program. If not, see http://www.gnu.org/licenses/.
1927 *
1928 */
1929
1930/* eslint no-unused-vars: "off" */
1931
1932
1933
1934const ProteusError = __webpack_require__(6);
1935
1936/** @module errors */
1937
1938/**
1939 * @extends ProteusError
1940 * @param {string} [message]
1941 * @param {string} [code]
1942 * @returns {string}
1943 */
1944class DecodeError extends ProteusError {
1945 constructor(message = 'Unknown decoding error', code = 3) {
1946 super(message, code);
1947 }
1948
1949 static get CODE() {
1950 return {
1951 CASE_300: 300,
1952 CASE_301: 301,
1953 CASE_302: 302,
1954 CASE_303: 303,
1955 };
1956 }
1957}
1958
1959/**
1960 * @extends DecodeError
1961 * @param {string} [message]
1962 * @param {string} [code]
1963 * @returns {string}
1964 */
1965class InvalidType extends DecodeError {
1966 constructor(message = 'Invalid type', code) {
1967 super(message, code);
1968 }
1969}
1970
1971/**
1972 * @extends DecodeError
1973 * @param {string} [message]
1974 * @param {string} [code]
1975 * @returns {string}
1976 */
1977class InvalidArrayLen extends DecodeError {
1978 constructor(message = 'Invalid array length', code) {
1979 super(message, code);
1980 }
1981}
1982
1983/**
1984 * @extends DecodeError
1985 * @param {string} [message]
1986 * @param {string} [code]
1987 * @returns {string}
1988 */
1989class LocalIdentityChanged extends DecodeError {
1990 constructor(message = 'Local identity changed', code) {
1991 super(message, code);
1992 }
1993}
1994
1995Object.assign(DecodeError, {
1996 InvalidType,
1997 InvalidArrayLen,
1998 LocalIdentityChanged,
1999});
2000
2001module.exports = ProteusError.DecodeError = DecodeError;
2002
2003
2004/***/ }),
2005/* 20 */
2006/***/ (function(module, exports, __webpack_require__) {
2007
2008"use strict";
2009/*
2010 * Wire
2011 * Copyright (C) 2017 Wire Swiss GmbH
2012 *
2013 * This program is free software: you can redistribute it and/or modify
2014 * it under the terms of the GNU General Public License as published by
2015 * the Free Software Foundation, either version 3 of the License, or
2016 * (at your option) any later version.
2017 *
2018 * This program is distributed in the hope that it will be useful,
2019 * but WITHOUT ANY WARRANTY; without even the implied warranty of
2020 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2021 * GNU General Public License for more details.
2022 *
2023 * You should have received a copy of the GNU General Public License
2024 * along with this program. If not, see http://www.gnu.org/licenses/.
2025 *
2026 */
2027
2028
2029
2030const ProteusError = __webpack_require__(6);
2031
2032/** @module errors */
2033
2034/**
2035 * @extends ProteusError
2036 * @param {string} [message]
2037 * @param {string} [code]
2038 * @returns {string}
2039 */
2040class InputError extends ProteusError {
2041 constructor(message = 'Invalid input', code = 4) {
2042 super(message, code);
2043 }
2044
2045 static get CODE() {
2046 return {
2047 CASE_400: 400,
2048 CASE_401: 401,
2049 CASE_402: 402,
2050 CASE_403: 403,
2051 CASE_404: 404,
2052 };
2053 }
2054}
2055
2056/**
2057 * @extends InputError
2058 * @param {string} [message]
2059 * @param {string} [code]
2060 * @returns {string}
2061 */
2062class RangeError extends InputError {
2063 constructor(message = 'Invalid type', code) {
2064 super(message, code);
2065 }
2066}
2067
2068/**
2069 * @extends InputError
2070 * @param {string} [message]
2071 * @param {string} [code]
2072 * @returns {string}
2073 */
2074class TypeError extends InputError {
2075 constructor(message = 'Invalid array length', code) {
2076 super(message, code);
2077 }
2078}
2079
2080Object.assign(InputError, {
2081 RangeError,
2082 TypeError,
2083});
2084
2085module.exports = ProteusError.InputError = InputError;
2086
2087
2088/***/ }),
2089/* 21 */
2090/***/ (function(module, exports, __webpack_require__) {
2091
2092/*
2093 * ed2curve: convert Ed25519 signing key pair into Curve25519
2094 * key pair suitable for Diffie-Hellman key exchange.
2095 *
2096 * Written by Dmitry Chestnykh in 2014. Public domain.
2097 */
2098/* jshint newcap: false */
2099(function(root, f) {
2100 'use strict';
2101 if (typeof module !== 'undefined' && module.exports) module.exports = f(__webpack_require__(34));
2102 else root.ed2curve = f(root.nacl);
2103}(this, function(nacl) {
2104 'use strict';
2105 if (!nacl) throw new Error('tweetnacl not loaded');
2106
2107 // -- Operations copied from TweetNaCl.js. --
2108
2109 var gf = function(init) {
2110 var i, r = new Float64Array(16);
2111 if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
2112 return r;
2113 };
2114
2115 var gf0 = gf(),
2116 gf1 = gf([1]),
2117 D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
2118 I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
2119
2120
2121
2122 function car25519(o) {
2123 var c;
2124 var i;
2125 for (i = 0; i < 16; i++) {
2126 o[i] += 65536;
2127 c = Math.floor(o[i] / 65536);
2128 o[(i+1)*(i<15?1:0)] += c - 1 + 37 * (c-1) * (i===15?1:0);
2129 o[i] -= (c * 65536);
2130 }
2131 }
2132
2133 function sel25519(p, q, b) {
2134 var t, c = ~(b-1);
2135 for (var i = 0; i < 16; i++) {
2136 t = c & (p[i] ^ q[i]);
2137 p[i] ^= t;
2138 q[i] ^= t;
2139 }
2140 }
2141
2142 function unpack25519(o, n) {
2143 var i;
2144 for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
2145 o[15] &= 0x7fff;
2146 }
2147
2148 // addition
2149 function A(o, a, b) {
2150 var i;
2151 for (i = 0; i < 16; i++) o[i] = (a[i] + b[i])|0;
2152 }
2153
2154 // subtraction
2155 function Z(o, a, b) {
2156 var i;
2157 for (i = 0; i < 16; i++) o[i] = (a[i] - b[i])|0;
2158 }
2159
2160 // multiplication
2161 function M(o, a, b) {
2162 var i, j, t = new Float64Array(31);
2163 for (i = 0; i < 31; i++) t[i] = 0;
2164 for (i = 0; i < 16; i++) {
2165 for (j = 0; j < 16; j++) {
2166 t[i+j] += a[i] * b[j];
2167 }
2168 }
2169 for (i = 0; i < 15; i++) {
2170 t[i] += 38 * t[i+16];
2171 }
2172 for (i = 0; i < 16; i++) o[i] = t[i];
2173 car25519(o);
2174 car25519(o);
2175 }
2176
2177 // squaring
2178 function S(o, a) {
2179 M(o, a, a);
2180 }
2181
2182 // inversion
2183 function inv25519(o, i) {
2184 var c = gf();
2185 var a;
2186 for (a = 0; a < 16; a++) c[a] = i[a];
2187 for (a = 253; a >= 0; a--) {
2188 S(c, c);
2189 if(a !== 2 && a !== 4) M(c, c, i);
2190 }
2191 for (a = 0; a < 16; a++) o[a] = c[a];
2192 }
2193
2194 function pack25519(o, n) {
2195 var i, j, b;
2196 var m = gf(), t = gf();
2197 for (i = 0; i < 16; i++) t[i] = n[i];
2198 car25519(t);
2199 car25519(t);
2200 car25519(t);
2201 for (j = 0; j < 2; j++) {
2202 m[0] = t[0] - 0xffed;
2203 for (i = 1; i < 15; i++) {
2204 m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
2205 m[i-1] &= 0xffff;
2206 }
2207 m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
2208 b = (m[15]>>16) & 1;
2209 m[14] &= 0xffff;
2210 sel25519(t, m, 1-b);
2211 }
2212 for (i = 0; i < 16; i++) {
2213 o[2*i] = t[i] & 0xff;
2214 o[2*i+1] = t[i] >> 8;
2215 }
2216 }
2217
2218
2219 function par25519(a) {
2220 var d = new Uint8Array(32);
2221 pack25519(d, a);
2222 return d[0] & 1;
2223 }
2224
2225
2226
2227 function vn(x, xi, y, yi, n) {
2228 var i, d = 0;
2229 for (i = 0; i < n; i++) d |= x[xi + i] ^ y[yi + i];
2230 return (1 & ((d - 1) >>> 8)) - 1;
2231 }
2232
2233
2234 function crypto_verify_32(x, xi, y, yi) {
2235 return vn(x, xi, y, yi, 32);
2236 }
2237
2238 function neq25519(a, b) {
2239 var c = new Uint8Array(32), d = new Uint8Array(32);
2240 pack25519(c, a);
2241 pack25519(d, b);
2242 return crypto_verify_32(c, 0, d, 0);
2243 }
2244
2245
2246 function pow2523(o, i) {
2247 var c = gf();
2248 var a;
2249 for (a = 0; a < 16; a++) c[a] = i[a];
2250 for (a = 250; a >= 0; a--) {
2251 S(c, c);
2252 if (a !== 1) M(c, c, i);
2253 }
2254 for (a = 0; a < 16; a++) o[a] = c[a];
2255 }
2256
2257 function set25519(r, a) {
2258 var i;
2259 for (i = 0; i < 16; i++) r[i] = a[i] | 0;
2260 }
2261
2262 function unpackneg(r, p) {
2263 var t = gf(), chk = gf(), num = gf(),
2264 den = gf(), den2 = gf(), den4 = gf(),
2265 den6 = gf();
2266
2267 set25519(r[2], gf1);
2268 unpack25519(r[1], p);
2269 S(num, r[1]);
2270 M(den, num, D);
2271 Z(num, num, r[2]);
2272 A(den, r[2], den);
2273
2274 S(den2, den);
2275 S(den4, den2);
2276 M(den6, den4, den2);
2277 M(t, den6, num);
2278 M(t, t, den);
2279
2280 pow2523(t, t);
2281 M(t, t, num);
2282 M(t, t, den);
2283 M(t, t, den);
2284 M(r[0], t, den);
2285
2286 S(chk, r[0]);
2287 M(chk, chk, den);
2288 if (neq25519(chk, num)) M(r[0], r[0], I);
2289
2290 S(chk, r[0]);
2291 M(chk, chk, den);
2292 if (neq25519(chk, num)) return -1;
2293
2294 if (par25519(r[0]) === (p[31] >> 7)) Z(r[0], gf0, r[0]);
2295
2296 M(r[3], r[0], r[1]);
2297 return 0;
2298 }
2299
2300 // ----
2301
2302 // Converts Ed25519 public key to Curve25519 public key.
2303 // montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p
2304 function convertPublicKey(pk) {
2305 var z = new Uint8Array(32),
2306 q = [gf(), gf(), gf(), gf()],
2307 a = gf(), b = gf();
2308
2309 if (unpackneg(q, pk)) return null; // reject invalid key
2310
2311 var y = q[1];
2312
2313 A(a, gf1, y);
2314 Z(b, gf1, y);
2315 inv25519(b, b);
2316 M(a, a, b);
2317
2318 pack25519(z, a);
2319 return z;
2320 }
2321
2322 // Converts Ed25519 secret key to Curve25519 secret key.
2323 function convertSecretKey(sk) {
2324 var d = new Uint8Array(64), o = new Uint8Array(32), i;
2325 nacl.lowlevel.crypto_hash(d, sk, 32);
2326 d[0] &= 248;
2327 d[31] &= 127;
2328 d[31] |= 64;
2329 for (i = 0; i < 32; i++) o[i] = d[i];
2330 for (i = 0; i < 64; i++) d[i] = 0;
2331 return o;
2332 }
2333
2334 function convertKeyPair(edKeyPair) {
2335 var publicKey = convertPublicKey(edKeyPair.publicKey);
2336 if (!publicKey) return null;
2337 return {
2338 publicKey: publicKey,
2339 secretKey: convertSecretKey(edKeyPair.secretKey)
2340 };
2341 }
2342
2343 return {
2344 convertPublicKey: convertPublicKey,
2345 convertSecretKey: convertSecretKey,
2346 convertKeyPair: convertKeyPair,
2347 };
2348
2349}));
2350
2351
2352/***/ }),
2353/* 22 */
2354/***/ (function(module, exports, __webpack_require__) {
2355
2356"use strict";
2357/*
2358 * Wire
2359 * Copyright (C) 2016 Wire Swiss GmbH
2360 *
2361 * This program is free software: you can redistribute it and/or modify
2362 * it under the terms of the GNU General Public License as published by
2363 * the Free Software Foundation, either version 3 of the License, or
2364 * (at your option) any later version.
2365 *
2366 * This program is distributed in the hope that it will be useful,
2367 * but WITHOUT ANY WARRANTY; without even the implied warranty of
2368 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2369 * GNU General Public License for more details.
2370 *
2371 * You should have received a copy of the GNU General Public License
2372 * along with this program. If not, see http://www.gnu.org/licenses/.
2373 *
2374 */
2375
2376
2377
2378const CBOR = __webpack_require__(2);
2379const ed2curve = __webpack_require__(21);
2380const sodium = __webpack_require__(5);
2381
2382const ClassUtil = __webpack_require__(3);
2383const DontCallConstructor = __webpack_require__(0);
2384const PublicKey = __webpack_require__(4);
2385const TypeUtil = __webpack_require__(1);
2386
2387/** @module keys */
2388
2389/**
2390 * @class SecretKey
2391 * @throws {DontCallConstructor}
2392 */
2393class SecretKey {
2394 constructor() {
2395 throw new DontCallConstructor(this);
2396 }
2397
2398 /**
2399 * @param {!Uint8Array} sec_edward
2400 * @param {!Uint8Array} sec_curve
2401 * @returns {SecretKey} - `this`
2402 */
2403 static new(sec_edward, sec_curve) {
2404 TypeUtil.assert_is_instance(Uint8Array, sec_edward);
2405 TypeUtil.assert_is_instance(Uint8Array, sec_curve);
2406
2407 const sk = ClassUtil.new_instance(SecretKey);
2408
2409 /** @type {Uint8Array} */
2410 sk.sec_edward = sec_edward;
2411 /** @type {Uint8Array} */
2412 sk.sec_curve = sec_curve;
2413 return sk;
2414 }
2415
2416 /**
2417 * This function can be used to compute a message signature.
2418 * @param {!string} message - Message to be signed
2419 * @returns {Uint8Array} - A message signature
2420 */
2421 sign(message) {
2422 return sodium.crypto_sign_detached(message, this.sec_edward);
2423 }
2424
2425 /**
2426 * This function can be used to compute a shared secret given a user's secret key and another
2427 * user's public key.
2428 * @param {!keys.PublicKey} public_key - Another user's public key
2429 * @returns {Uint8Array} - Array buffer view of the computed shared secret
2430 */
2431 shared_secret(public_key) {
2432 TypeUtil.assert_is_instance(PublicKey, public_key);
2433
2434 return sodium.crypto_scalarmult(this.sec_curve, public_key.pub_curve);
2435 }
2436
2437 /**
2438 * @param {!CBOR.Encoder} e
2439 * @returns {CBOR.Encoder}
2440 */
2441 encode(e) {
2442 e.object(1);
2443 e.u8(0);
2444 return e.bytes(this.sec_edward);
2445 }
2446
2447 /**
2448 * @param {!CBOR.Decoder} d
2449 * @returns {SecretKey}
2450 */
2451 static decode(d) {
2452 TypeUtil.assert_is_instance(CBOR.Decoder, d);
2453
2454 const self = ClassUtil.new_instance(SecretKey);
2455
2456 const nprops = d.object();
2457 for (let i = 0; i <= nprops - 1; i++) {
2458 switch (d.u8()) {
2459 case 0:
2460 self.sec_edward = new Uint8Array(d.bytes());
2461 break;
2462 default:
2463 d.skip();
2464 }
2465 }
2466
2467 TypeUtil.assert_is_instance(Uint8Array, self.sec_edward);
2468
2469 self.sec_curve = ed2curve.convertSecretKey(self.sec_edward);
2470 return self;
2471 }
2472}
2473
2474module.exports = SecretKey;
2475
2476
2477/***/ }),
2478/* 23 */
2479/***/ (function(module, exports, __webpack_require__) {
2480
2481"use strict";
2482/*
2483 * Wire
2484 * Copyright (C) 2016 Wire Swiss GmbH
2485 *
2486 * This program is free software: you can redistribute it and/or modify
2487 * it under the terms of the GNU General Public License as published by
2488 * the Free Software Foundation, either version 3 of the License, or
2489 * (at your option) any later version.
2490 *
2491 * This program is distributed in the hope that it will be useful,
2492 * but WITHOUT ANY WARRANTY; without even the implied warranty of
2493 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2494 * GNU General Public License for more details.
2495 *
2496 * You should have received a copy of the GNU General Public License
2497 * along with this program. If not, see http://www.gnu.org/licenses/.
2498 *
2499 */
2500
2501
2502
2503const CBOR = __webpack_require__(2);
2504const sodium = __webpack_require__(5);
2505
2506const ClassUtil = __webpack_require__(3);
2507const DontCallConstructor = __webpack_require__(0);
2508const TypeUtil = __webpack_require__(1);
2509
2510const IdentityKey = __webpack_require__(8);
2511const IdentityKeyPair = __webpack_require__(11);
2512const PreKey = __webpack_require__(24);
2513const PreKeyAuth = __webpack_require__(28);
2514const PublicKey = __webpack_require__(4);
2515
2516/** @module keys */
2517
2518/**
2519 * @class PreKeyBundle
2520 * @throws {DontCallConstructor}
2521 */
2522class PreKeyBundle {
2523 constructor() {
2524 throw new DontCallConstructor(this);
2525 }
2526
2527 /**
2528 * @param {!keys.IdentityKey} public_identity_key
2529 * @param {!keys.PreKey} prekey
2530 * @returns {PreKeyBundle} - `this`
2531 */
2532 static new(public_identity_key, prekey) {
2533 TypeUtil.assert_is_instance(IdentityKey, public_identity_key);
2534 TypeUtil.assert_is_instance(PreKey, prekey);
2535
2536 /** @type {keys.PreyKeyBundle} */
2537 const bundle = ClassUtil.new_instance(PreKeyBundle);
2538
2539 bundle.version = 1;
2540 bundle.prekey_id = prekey.key_id;
2541 bundle.public_key = prekey.key_pair.public_key;
2542 bundle.identity_key = public_identity_key;
2543 bundle.signature = null;
2544
2545 return bundle;
2546 }
2547
2548 /**
2549 * @param {!keys.IdentityKeyPair} identity_pair
2550 * @param {!keys.PreKey} prekey
2551 * @returns {PreKeyBundle}
2552 */
2553 static signed(identity_pair, prekey) {
2554 TypeUtil.assert_is_instance(IdentityKeyPair, identity_pair);
2555 TypeUtil.assert_is_instance(PreKey, prekey);
2556
2557 /** @type {keys.PublicKey} */
2558 const ratchet_key = prekey.key_pair.public_key;
2559 /** @type {Uint8Array} */
2560 const signature = identity_pair.secret_key.sign(ratchet_key.pub_edward);
2561
2562 /** @type {keys.PreyKeyBundle} */
2563 const bundle = ClassUtil.new_instance(PreKeyBundle);
2564
2565 bundle.version = 1;
2566 bundle.prekey_id = prekey.key_id;
2567 bundle.public_key = ratchet_key;
2568 bundle.identity_key = identity_pair.public_key;
2569 bundle.signature = signature;
2570
2571 return bundle;
2572 }
2573
2574 /** @returns {keys.PreKeyAuth} */
2575 verify() {
2576 if (!this.signature) {
2577 return PreKeyAuth.UNKNOWN;
2578 }
2579
2580 if (this.identity_key.public_key.verify(this.signature, this.public_key.pub_edward)) {
2581 return PreKeyAuth.VALID;
2582 }
2583 return PreKeyAuth.INVALID;
2584 }
2585
2586 /** @returns {ArrayBuffer} */
2587 serialise() {
2588 const e = new CBOR.Encoder();
2589 this.encode(e);
2590 return e.get_buffer();
2591 }
2592
2593 /**
2594 * @typedef {Object} type_serialised_json
2595 * @property {number} id
2596 * @property {string} key
2597 */
2598 /** @returns {type_serialised_json} */
2599 serialised_json() {
2600 return {
2601 'id': this.prekey_id,
2602 'key': sodium.to_base64(new Uint8Array(this.serialise()), true),
2603 };
2604 }
2605
2606 /**
2607 * @param {!ArrayBuffer} buf
2608 * @returns {PreKeyBundle}
2609 */
2610 static deserialise(buf) {
2611 TypeUtil.assert_is_instance(ArrayBuffer, buf);
2612 return PreKeyBundle.decode(new CBOR.Decoder(buf));
2613 }
2614
2615 /**
2616 * @param {!CBOR.Encoder} e
2617 * @returns {CBOR.Encoder}
2618 */
2619 encode(e) {
2620 TypeUtil.assert_is_instance(CBOR.Encoder, e);
2621
2622 e.object(5);
2623 e.u8(0);
2624 e.u8(this.version);
2625 e.u8(1);
2626 e.u16(this.prekey_id);
2627 e.u8(2);
2628 this.public_key.encode(e);
2629 e.u8(3);
2630 this.identity_key.encode(e);
2631
2632 e.u8(4);
2633 if (!this.signature) {
2634 return e.null();
2635 } else {
2636 return e.bytes(this.signature);
2637 }
2638 }
2639
2640 /**
2641 * @param {!CBOR.Decoder} d
2642 * @returns {PreKeyBundle}
2643 */
2644 static decode(d) {
2645 TypeUtil.assert_is_instance(CBOR.Decoder, d);
2646
2647 const self = ClassUtil.new_instance(PreKeyBundle);
2648
2649 const nprops = d.object();
2650 for (let i = 0; i <= nprops - 1; i++) {
2651 switch (d.u8()) {
2652 case 0:
2653 self.version = d.u8();
2654 break;
2655 case 1:
2656 self.prekey_id = d.u16();
2657 break;
2658 case 2:
2659 self.public_key = PublicKey.decode(d);
2660 break;
2661 case 3:
2662 self.identity_key = IdentityKey.decode(d);
2663 break;
2664 case 4:
2665 self.signature = d.optional(() => new Uint8Array(d.bytes()));
2666 break;
2667 default:
2668 d.skip();
2669 }
2670 }
2671
2672 TypeUtil.assert_is_integer(self.version);
2673 TypeUtil.assert_is_integer(self.prekey_id);
2674 TypeUtil.assert_is_instance(PublicKey, self.public_key);
2675 TypeUtil.assert_is_instance(IdentityKey, self.identity_key);
2676
2677 return self;
2678 }
2679}
2680
2681module.exports = PreKeyBundle;
2682
2683
2684/***/ }),
2685/* 24 */
2686/***/ (function(module, exports, __webpack_require__) {
2687
2688"use strict";
2689/*
2690 * Wire
2691 * Copyright (C) 2016 Wire Swiss GmbH
2692 *
2693 * This program is free software: you can redistribute it and/or modify
2694 * it under the terms of the GNU General Public License as published by
2695 * the Free Software Foundation, either version 3 of the License, or
2696 * (at your option) any later version.
2697 *
2698 * This program is distributed in the hope that it will be useful,
2699 * but WITHOUT ANY WARRANTY; without even the implied warranty of
2700 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2701 * GNU General Public License for more details.
2702 *
2703 * You should have received a copy of the GNU General Public License
2704 * along with this program. If not, see http://www.gnu.org/licenses/.
2705 *
2706 */
2707
2708
2709
2710const CBOR = __webpack_require__(2);
2711
2712const ClassUtil = __webpack_require__(3);
2713const DontCallConstructor = __webpack_require__(0);
2714const InputError = __webpack_require__(20);
2715const TypeUtil = __webpack_require__(1);
2716
2717const KeyPair = __webpack_require__(7);
2718
2719/** @module keys **/
2720
2721/**
2722 * @class PreKey
2723 * @classdesc Pre-generated (and regularly refreshed) pre-keys.
2724 * A Pre-Shared Key contains the public long-term identity and ephemeral handshake keys for the initial triple DH.
2725 * @throws {DontCallConstructor}
2726 */
2727class PreKey {
2728 constructor() {
2729 throw new DontCallConstructor(this);
2730 }
2731
2732 /** @type {number} */
2733 static get MAX_PREKEY_ID() {
2734 return 0xFFFF;
2735 }
2736
2737 /**
2738 * @param {!number} pre_key_id
2739 * @returns {PreKey} - `this`
2740 * @throws {errors.InputError.RangeError}
2741 */
2742 static new(pre_key_id) {
2743 this.validate_pre_key_id(pre_key_id);
2744
2745 const pk = ClassUtil.new_instance(PreKey);
2746
2747 pk.version = 1;
2748 pk.key_id = pre_key_id;
2749 pk.key_pair = KeyPair.new();
2750 return pk;
2751 }
2752
2753 static validate_pre_key_id(pre_key_id) {
2754 TypeUtil.assert_is_integer(pre_key_id);
2755
2756 if (pre_key_id < 0 || pre_key_id > PreKey.MAX_PREKEY_ID) {
2757 const message = `PreKey ID (${pre_key_id}) must be between or equal to 0 and ${PreKey.MAX_PREKEY_ID}.`;
2758 throw new InputError.RangeError(message, InputError.CODE.CASE_400);
2759 }
2760 }
2761
2762 /** @returns {PreKey} */
2763 static last_resort() {
2764 return PreKey.new(PreKey.MAX_PREKEY_ID);
2765 }
2766
2767 /**
2768 * @param {!number} start
2769 * @param {!number} size
2770 * @returns {Array<PreKey>}
2771 * @throws {errors.InputError.RangeError}
2772 */
2773 static generate_prekeys(start, size) {
2774 this.validate_pre_key_id(start);
2775 this.validate_pre_key_id(size);
2776
2777 if (size === 0) {
2778 return [];
2779 }
2780
2781 return [...Array(size).keys()].map((x) => PreKey.new((start + x) % PreKey.MAX_PREKEY_ID));
2782 }
2783
2784 /** @returns {ArrayBuffer} */
2785 serialise() {
2786 const e = new CBOR.Encoder();
2787 this.encode(e);
2788 return e.get_buffer();
2789 }
2790
2791 /**
2792 * @param {!ArrayBuffer} buf
2793 * @returns {PreKey}
2794 */
2795 static deserialise(buf) {
2796 TypeUtil.assert_is_instance(ArrayBuffer, buf);
2797 return PreKey.decode(new CBOR.Decoder(buf));
2798 }
2799
2800 /**
2801 * @param {!CBOR.Encoder} e
2802 * @returns {CBOR.Encoder}
2803 */
2804 encode(e) {
2805 TypeUtil.assert_is_instance(CBOR.Encoder, e);
2806 e.object(3);
2807 e.u8(0);
2808 e.u8(this.version);
2809 e.u8(1);
2810 e.u16(this.key_id);
2811 e.u8(2);
2812 return this.key_pair.encode(e);
2813 }
2814
2815 /**
2816 * @param {!CBOR.Decoder} d
2817 * @returns {PreKey}
2818 */
2819 static decode(d) {
2820 TypeUtil.assert_is_instance(CBOR.Decoder, d);
2821
2822 const self = ClassUtil.new_instance(PreKey);
2823
2824 const nprops = d.object();
2825 for (let i = 0; i <= nprops - 1; i++) {
2826 switch (d.u8()) {
2827 case 0:
2828 self.version = d.u8();
2829 break;
2830 case 1:
2831 self.key_id = d.u16();
2832 break;
2833 case 2:
2834 self.key_pair = KeyPair.decode(d);
2835 break;
2836 default:
2837 d.skip();
2838 }
2839 }
2840
2841 TypeUtil.assert_is_integer(self.version);
2842 TypeUtil.assert_is_integer(self.key_id);
2843 TypeUtil.assert_is_instance(KeyPair, self.key_pair);
2844
2845 return self;
2846 }
2847}
2848
2849module.exports = PreKey;
2850
2851
2852/***/ }),
2853/* 25 */
2854/***/ (function(module, exports, __webpack_require__) {
2855
2856"use strict";
2857/*
2858 * Wire
2859 * Copyright (C) 2016 Wire Swiss GmbH
2860 *
2861 * This program is free software: you can redistribute it and/or modify
2862 * it under the terms of the GNU General Public License as published by
2863 * the Free Software Foundation, either version 3 of the License, or
2864 * (at your option) any later version.
2865 *
2866 * This program is distributed in the hope that it will be useful,
2867 * but WITHOUT ANY WARRANTY; without even the implied warranty of
2868 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2869 * GNU General Public License for more details.
2870 *
2871 * You should have received a copy of the GNU General Public License
2872 * along with this program. If not, see http://www.gnu.org/licenses/.
2873 *
2874 */
2875
2876
2877
2878const CBOR = __webpack_require__(2);
2879
2880const ClassUtil = __webpack_require__(3);
2881const DontCallConstructor = __webpack_require__(0);
2882const TypeUtil = __webpack_require__(1);
2883
2884const PublicKey = __webpack_require__(4);
2885
2886/** @module message */
2887
2888/**
2889 * @class Header
2890 * @throws {DontCallConstructor}
2891 */
2892class Header {
2893 constructor() {
2894 throw new DontCallConstructor(this);
2895 }
2896
2897 /**
2898 * @param {!number} counter
2899 * @param {!number} prev_counter
2900 * @param {!keys.PublicKey} ratchet_key
2901 * @returns {Header} - `this`
2902 */
2903 static new(counter, prev_counter, ratchet_key) {
2904 TypeUtil.assert_is_integer(counter);
2905 TypeUtil.assert_is_integer(prev_counter);
2906 TypeUtil.assert_is_instance(PublicKey, ratchet_key);
2907
2908 const hd = ClassUtil.new_instance(Header);
2909
2910 hd.counter = counter;
2911 hd.prev_counter = prev_counter;
2912 hd.ratchet_key = ratchet_key;
2913
2914 Object.freeze(hd);
2915 return hd;
2916 }
2917
2918 /** @returns {ArrayBuffer} - The serialized header */
2919 serialise() {
2920 const e = new CBOR.Encoder();
2921 this.encode(e);
2922 return e.get_buffer();
2923 }
2924
2925 /**
2926 * @param {!ArrayBuffer} buf
2927 * @returns {Header}
2928 */
2929 static deserialise(buf) {
2930 TypeUtil.assert_is_instance(ArrayBuffer, buf);
2931
2932 const d = new CBOR.Decoder(buf);
2933 return Header.decode(d);
2934 }
2935
2936 /**
2937 * @param {!CBOR.Encoder} e
2938 * @returns {CBOR.Encoder}
2939 */
2940 encode(e) {
2941 e.object(3);
2942 e.u8(0);
2943 e.u32(this.counter);
2944 e.u8(1);
2945 e.u32(this.prev_counter);
2946 e.u8(2);
2947 return this.ratchet_key.encode(e);
2948 }
2949
2950 /**
2951 * @param {!CBOR.Decoder} d
2952 * @returns {Header}
2953 */
2954 static decode(d) {
2955 TypeUtil.assert_is_instance(CBOR.Decoder, d);
2956
2957 let counter = null;
2958 let prev_counter = null;
2959 let ratchet_key = null;
2960
2961 const nprops = d.object();
2962 for (let i = 0; i <= nprops - 1; i++) {
2963 switch (d.u8()) {
2964 case 0:
2965 counter = d.u32();
2966 break;
2967 case 1:
2968 prev_counter = d.u32();
2969 break;
2970 case 2:
2971 ratchet_key = PublicKey.decode(d);
2972 break;
2973
2974 default:
2975 d.skip();
2976 }
2977 }
2978
2979 return Header.new(counter, prev_counter, ratchet_key);
2980 }
2981}
2982
2983module.exports = Header;
2984
2985
2986/***/ }),
2987/* 26 */
2988/***/ (function(module, exports, __webpack_require__) {
2989
2990"use strict";
2991/*
2992 * Wire
2993 * Copyright (C) 2016 Wire Swiss GmbH
2994 *
2995 * This program is free software: you can redistribute it and/or modify
2996 * it under the terms of the GNU General Public License as published by
2997 * the Free Software Foundation, either version 3 of the License, or
2998 * (at your option) any later version.
2999 *
3000 * This program is distributed in the hope that it will be useful,
3001 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3002 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3003 * GNU General Public License for more details.
3004 *
3005 * You should have received a copy of the GNU General Public License
3006 * along with this program. If not, see http://www.gnu.org/licenses/.
3007 *
3008 */
3009
3010
3011
3012const ClassUtil = __webpack_require__(3);
3013const DontCallConstructor = __webpack_require__(0);
3014const KeyDerivationUtil = __webpack_require__(37);
3015const MemoryUtil = __webpack_require__(16);
3016
3017const CipherKey = __webpack_require__(27);
3018const MacKey = __webpack_require__(15);
3019const HeadKey = __webpack_require__(17);
3020
3021/** @module derived */
3022
3023/**
3024 * @class DerivedSecrets
3025 * @throws {DontCallConstructor}
3026 */
3027class DerivedSecrets {
3028 constructor() {
3029 throw new DontCallConstructor(this);
3030 }
3031
3032 /**
3033 * @param {!Array<number>} input
3034 * @param {!Uint8Array} salt
3035 * @param {!string} info
3036 * @returns {DerivedSecrets} - `this`
3037 */
3038 static kdf_init(input, salt, info) {
3039 const byte_length = 128;
3040
3041 const output_key_material = KeyDerivationUtil.hkdf(salt, input, info, byte_length);
3042
3043 const cipher_key = new Uint8Array(output_key_material.buffer.slice(0, 32));
3044 const mac_key = new Uint8Array(output_key_material.buffer.slice(32, 64));
3045 const head_key = new Uint8Array(output_key_material.buffer.slice(64, 96));
3046 const next_head_key = new Uint8Array(output_key_material.buffer.slice(96, 128));
3047
3048 MemoryUtil.zeroize(output_key_material.buffer);
3049
3050 const ds = ClassUtil.new_instance(DerivedSecrets);
3051 /** @type {derived.CipherKey} */
3052 ds.cipher_key = CipherKey.new(cipher_key);
3053 /** @type {derived.MacKey} */
3054 ds.mac_key = MacKey.new(mac_key);
3055 /** @type {derived.HeadKey} */
3056 ds.head_key_alice = HeadKey.new(head_key);
3057 /** @type {derived.HeadKey} */
3058 ds.next_head_key_bob = HeadKey.new(next_head_key);
3059 return ds;
3060 }
3061
3062 /**
3063 * @param {!Array<number>} input
3064 * @param {!Uint8Array} salt
3065 * @param {!string} info
3066 * @returns {DerivedSecrets} - `this`
3067 */
3068 static kdf(input, salt, info) {
3069 const byte_length = 96;
3070
3071 const output_key_material = KeyDerivationUtil.hkdf(salt, input, info, byte_length);
3072
3073 const cipher_key = new Uint8Array(output_key_material.buffer.slice(0, 32));
3074 const mac_key = new Uint8Array(output_key_material.buffer.slice(32, 64));
3075 const next_head_key = new Uint8Array(output_key_material.buffer.slice(64, 96));
3076
3077 MemoryUtil.zeroize(output_key_material.buffer);
3078
3079 const ds = ClassUtil.new_instance(DerivedSecrets);
3080 /** @type {derived.CipherKey} */
3081 ds.cipher_key = CipherKey.new(cipher_key);
3082 /** @type {derived.MacKey} */
3083 ds.mac_key = MacKey.new(mac_key);
3084 /** @type {derived.HeadKey} */
3085 ds.next_head_key = HeadKey.new(next_head_key);
3086 return ds;
3087 }
3088
3089 /**
3090 * @param {!Array<number>} input - Initial key material (usually the Master Key) in byte array format
3091 * @param {!string} info - Key Derivation Data
3092 * @returns {DerivedSecrets}
3093 */
3094 static kdf_without_salt(input, info) {
3095 return this.kdf_init(input, new Uint8Array(0), info);
3096 }
3097}
3098
3099module.exports = DerivedSecrets;
3100
3101
3102/***/ }),
3103/* 27 */
3104/***/ (function(module, exports, __webpack_require__) {
3105
3106"use strict";
3107/*
3108 * Wire
3109 * Copyright (C) 2016 Wire Swiss GmbH
3110 *
3111 * This program is free software: you can redistribute it and/or modify
3112 * it under the terms of the GNU General Public License as published by
3113 * the Free Software Foundation, either version 3 of the License, or
3114 * (at your option) any later version.
3115 *
3116 * This program is distributed in the hope that it will be useful,
3117 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3118 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3119 * GNU General Public License for more details.
3120 *
3121 * You should have received a copy of the GNU General Public License
3122 * along with this program. If not, see http://www.gnu.org/licenses/.
3123 *
3124 */
3125
3126
3127
3128const CBOR = __webpack_require__(2);
3129const sodium = __webpack_require__(5);
3130
3131const ClassUtil = __webpack_require__(3);
3132const DontCallConstructor = __webpack_require__(0);
3133const TypeUtil = __webpack_require__(1);
3134
3135/** @module derived */
3136
3137/**
3138 * @class CipherKey
3139 * @throws {DontCallConstructor}
3140 */
3141class CipherKey {
3142 constructor() {
3143 throw new DontCallConstructor(this);
3144 }
3145
3146 /**
3147 * @param {!Uint8Array} key
3148 * @returns {CipherKey} - `this`
3149 */
3150 static new(key) {
3151 TypeUtil.assert_is_instance(Uint8Array, key);
3152
3153 const ck = ClassUtil.new_instance(CipherKey);
3154 /** @type {Uint8Array} */
3155 ck.key = key;
3156 return ck;
3157 }
3158
3159 /**
3160 * @param {!(ArrayBuffer|string|Uint8Array)} plaintext - The text to encrypt
3161 * @param {!Uint8Array} nonce - Counter as nonce
3162 * @returns {Uint8Array} - Encrypted payload
3163 */
3164 encrypt(plaintext, nonce) {
3165 // @todo Re-validate if the ArrayBuffer check is needed (Prerequisite: Integration tests)
3166 if (plaintext instanceof ArrayBuffer && plaintext.byteLength !== undefined) {
3167 plaintext = new Uint8Array(plaintext);
3168 }
3169
3170 return sodium.crypto_stream_chacha20_xor(plaintext, nonce, this.key, 'uint8array');
3171 }
3172
3173 /**
3174 * @param {!Uint8Array} ciphertext
3175 * @param {!Uint8Array} nonce
3176 * @returns {Uint8Array}
3177 */
3178 decrypt(ciphertext, nonce) {
3179 return this.encrypt(ciphertext, nonce);
3180 }
3181
3182 /**
3183 * @param {!CBOR.Encoder} e
3184 * @returns {CBOR.Encoder}
3185 */
3186 encode(e) {
3187 e.object(1);
3188 e.u8(0);
3189 return e.bytes(this.key);
3190 }
3191
3192 /**
3193 * @param {!CBOR.Encoder} d
3194 * @returns {CipherKey}
3195 */
3196 static decode(d) {
3197 TypeUtil.assert_is_instance(CBOR.Decoder, d);
3198
3199 let key_bytes = null;
3200
3201 const nprops = d.object();
3202 for (let i = 0; i <= nprops - 1; i++) {
3203 switch (d.u8()) {
3204 case 0:
3205 key_bytes = new Uint8Array(d.bytes());
3206 break;
3207 default:
3208 d.skip();
3209 }
3210 }
3211 return CipherKey.new(key_bytes);
3212 }
3213}
3214
3215module.exports = CipherKey;
3216
3217
3218/***/ }),
3219/* 28 */
3220/***/ (function(module, exports, __webpack_require__) {
3221
3222"use strict";
3223/*
3224 * Wire
3225 * Copyright (C) 2016 Wire Swiss GmbH
3226 *
3227 * This program is free software: you can redistribute it and/or modify
3228 * it under the terms of the GNU General Public License as published by
3229 * the Free Software Foundation, either version 3 of the License, or
3230 * (at your option) any later version.
3231 *
3232 * This program is distributed in the hope that it will be useful,
3233 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3234 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3235 * GNU General Public License for more details.
3236 *
3237 * You should have received a copy of the GNU General Public License
3238 * along with this program. If not, see http://www.gnu.org/licenses/.
3239 *
3240 */
3241
3242
3243
3244/** @module keys */
3245
3246/** @class PreKeyAuth */
3247class PreKeyAuth {
3248
3249 /** @type {string} */
3250 static get INVALID() {
3251 return 'Invalid';
3252 }
3253
3254 /** @type {string} */
3255 static get UNKNOWN() {
3256 return 'Unknown';
3257 }
3258
3259 /** @type {string} */
3260 static get VALID() {
3261 return 'Valid';
3262 }
3263}
3264
3265module.exports = PreKeyAuth;
3266
3267
3268/***/ }),
3269/* 29 */
3270/***/ (function(module, exports, __webpack_require__) {
3271
3272"use strict";
3273/*
3274 * Wire
3275 * Copyright (C) 2016 Wire Swiss GmbH
3276 *
3277 * This program is free software: you can redistribute it and/or modify
3278 * it under the terms of the GNU General Public License as published by
3279 * the Free Software Foundation, either version 3 of the License, or
3280 * (at your option) any later version.
3281 *
3282 * This program is distributed in the hope that it will be useful,
3283 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3284 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3285 * GNU General Public License for more details.
3286 *
3287 * You should have received a copy of the GNU General Public License
3288 * along with this program. If not, see http://www.gnu.org/licenses/.
3289 *
3290 */
3291
3292
3293
3294/** @module session */
3295
3296/** @class PreKeyStore */
3297function PreKeyStore() {
3298}
3299
3300/** @type {Array<number>} */
3301PreKeyStore.prekeys = [];
3302
3303/**
3304 * @param {!number} prekey_id
3305 * @returns {void}
3306 * @throws {Error}
3307 */
3308PreKeyStore.prototype.get_prekey = function (prekey_id) {
3309 throw Error('Virtual function unimplemented');
3310};
3311
3312/**
3313 * @param {!number} prekey_id
3314 * @returns {void}
3315 * @throws {Error}
3316 */
3317PreKeyStore.prototype.remove = function (prekey_id) {
3318 throw Error('Virtual function unimplemented');
3319};
3320
3321module.exports = PreKeyStore;
3322
3323
3324/***/ }),
3325/* 30 */
3326/***/ (function(module, exports, __webpack_require__) {
3327
3328"use strict";
3329/*
3330 * Wire
3331 * Copyright (C) 2016 Wire Swiss GmbH
3332 *
3333 * This program is free software: you can redistribute it and/or modify
3334 * it under the terms of the GNU General Public License as published by
3335 * the Free Software Foundation, either version 3 of the License, or
3336 * (at your option) any later version.
3337 *
3338 * This program is distributed in the hope that it will be useful,
3339 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3340 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3341 * GNU General Public License for more details.
3342 *
3343 * You should have received a copy of the GNU General Public License
3344 * along with this program. If not, see http://www.gnu.org/licenses/.
3345 *
3346 */
3347
3348
3349
3350const CBOR = __webpack_require__(2);
3351
3352const ClassUtil = __webpack_require__(3);
3353const DontCallConstructor = __webpack_require__(0);
3354const MemoryUtil = __webpack_require__(16);
3355const TypeUtil = __webpack_require__(1);
3356
3357const DecodeError = __webpack_require__(19);
3358const DecryptError = __webpack_require__(10);
3359const ProteusError = __webpack_require__(6);
3360
3361const IdentityKey = __webpack_require__(8);
3362const IdentityKeyPair = __webpack_require__(11);
3363const KeyPair = __webpack_require__(7);
3364const PreKey = __webpack_require__(24);
3365const PreKeyBundle = __webpack_require__(23);
3366const PublicKey = __webpack_require__(4);
3367
3368const HeaderMessage = __webpack_require__(9);
3369const Envelope = __webpack_require__(14);
3370const PreKeyMessage = __webpack_require__(13);
3371
3372const PreKeyStore = __webpack_require__(29);
3373
3374/** @module session */
3375
3376/**
3377 * @class Session
3378 * @throws {DontCallConstructor}
3379 */
3380class Session {
3381 constructor() {
3382 this.local_identity = null;
3383 this.pending_prekey = null;
3384 this.remote_identity = null;
3385 this.session_states = [];
3386 this.version = 1;
3387
3388 throw new DontCallConstructor(this);
3389 }
3390
3391 /** @type {number} */
3392 static get MAX_RECV_CHAINS() {
3393 return 5;
3394 }
3395
3396 /** @type {number} */
3397 static get MAX_SESSION_STATES() {
3398 return 100;
3399 }
3400
3401 /**
3402 * @param {!keys.IdentityKeyPair} local_identity - Alice's Identity Key Pair
3403 * @param {!keys.PreKeyBundle} remote_pkbundle - Bob's Pre-Key Bundle
3404 * @returns {Promise<Session>}
3405 */
3406 static init_from_prekey(local_identity, remote_pkbundle) {
3407 return new Promise((resolve) => {
3408 TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
3409 TypeUtil.assert_is_instance(PreKeyBundle, remote_pkbundle);
3410
3411 const alice_base = KeyPair.new();
3412
3413 const state = SessionState.init_as_alice(local_identity, alice_base, remote_pkbundle);
3414
3415 const session = ClassUtil.new_instance(this);
3416 session.local_identity = local_identity;
3417 session.remote_identity = remote_pkbundle.identity_key;
3418 session.pending_prekey = [remote_pkbundle.prekey_id, alice_base.public_key];
3419 session.session_states = [];
3420
3421 session._insert_session_state(state);
3422 return resolve(session);
3423 });
3424 }
3425
3426 /**
3427 * @param {!keys.IdentityKeyPair} our_identity
3428 * @param {!session.PreKeyStore} prekey_store
3429 * @param {!message.Envelope} envelope
3430 * @returns {Promise<Array<Session|Uint8Array>>}
3431 * @throws {errors.DecryptError.InvalidMessage}
3432 * @throws {errors.DecryptError.PrekeyNotFound}
3433 */
3434 static init_from_message(our_identity, prekey_store, envelope) {
3435 return new Promise((resolve, reject) => {
3436 TypeUtil.assert_is_instance(IdentityKeyPair, our_identity);
3437 TypeUtil.assert_is_instance(PreKeyStore, prekey_store);
3438 TypeUtil.assert_is_instance(Envelope, envelope);
3439
3440 const pkmsg = (() => {
3441 if (envelope.message instanceof HeaderMessage) {
3442 throw new DecryptError.InvalidMessage(
3443 'Can\'t initialise a session from a HeaderMessage.', DecryptError.CODE.CASE_201
3444 );
3445 } else if (envelope.message instanceof PreKeyMessage) {
3446 return envelope.message;
3447 } else {
3448 throw new DecryptError.InvalidMessage(
3449 'Unknown message format: The message is neither a "HeaderMessage" nor a "PreKeyMessage".', DecryptError.CODE.CASE_202
3450 );
3451 }
3452 })();
3453
3454 const session = ClassUtil.new_instance(Session);
3455 session.local_identity = our_identity;
3456 session.remote_identity = pkmsg.identity_key;
3457 session.pending_prekey = null;
3458 session.session_states = [];
3459
3460 return session._new_state(prekey_store, pkmsg).then((state) => {
3461 const plain = state.decrypt(envelope, pkmsg.message);
3462 session._insert_session_state(state);
3463
3464 if (pkmsg.prekey_id < PreKey.MAX_PREKEY_ID) {
3465 MemoryUtil.zeroize(prekey_store.prekeys[pkmsg.prekey_id]);
3466 return prekey_store.remove(pkmsg.prekey_id).then(() => resolve([session, plain])).catch((error) => {
3467 reject(new DecryptError.PrekeyNotFound(`Could not delete PreKey: ${error.message}`, DecryptError.CODE.CASE_203));
3468 });
3469 } else {
3470 return resolve([session, plain]);
3471 }
3472 }).catch(reject);
3473 });
3474 }
3475
3476 /**
3477 * @param {!session.PreKeyStore} pre_key_store
3478 * @param {!message.PreKeyMessage} pre_key_message
3479 * @returns {Promise<session.SessionState>}
3480 * @private
3481 * @throws {errors.ProteusError}
3482 */
3483 _new_state(pre_key_store, pre_key_message) {
3484 return pre_key_store.get_prekey(pre_key_message.prekey_id).then((pre_key) => {
3485 if (pre_key) {
3486 return SessionState.init_as_bob(
3487 this.local_identity,
3488 pre_key.key_pair,
3489 pre_key_message.identity_key,
3490 pre_key_message.base_key
3491 );
3492 }
3493 throw new ProteusError('Unable to get PreKey from PreKey store.', ProteusError.prototype.CODE.CASE_101);
3494 });
3495 }
3496
3497 /**
3498 * @param {!session.SessionState} state
3499 * @returns {boolean}
3500 * @private
3501 */
3502 _insert_session_state(state) {
3503 this.session_states.unshift(state);
3504
3505 const size = this.session_states.length;
3506 if (size < Session.MAX_SESSION_STATES) {
3507 return true;
3508 }
3509
3510 // if we get here, it means that we have more than MAX_SESSION_STATES and
3511 // we need to evict the oldest one.
3512 return delete this.session_states[size - 1];
3513 }
3514
3515 /** @returns {keys.PublicKey} */
3516 get_local_identity() {
3517 return this.local_identity.public_key;
3518 }
3519
3520 /**
3521 * @param {!(string|Uint8Array)} plaintext - The plaintext which needs to be encrypted
3522 * @param {number} confuse_pre_key_id - Use to create confused pre-key message
3523 * @return {Promise<message.Envelope>} Encrypted message
3524 */
3525 encrypt(plaintext, confuse_pre_key_id) {
3526 return new Promise((resolve, reject) => {
3527 const state = this.session_states[0];
3528
3529 if (!state) {
3530 return reject(new ProteusError(
3531 'Could not find session.', ProteusError.prototype.CODE.CASE_102
3532 ));
3533 }
3534
3535 return resolve(state.encrypt(
3536 this.local_identity.public_key,
3537 this.pending_prekey,
3538 plaintext,
3539 confuse_pre_key_id
3540 ));
3541 });
3542 }
3543
3544 /**
3545 * @param {!session.PreKeyStore} prekey_store
3546 * @param {!message.Envelope} envelope
3547 * @returns {Promise<Uint8Array>}
3548 * @throws {errors.DecryptError}
3549 */
3550 decrypt(prekey_store, envelope) {
3551 return new Promise((resolve) => {
3552 TypeUtil.assert_is_instance(PreKeyStore, prekey_store);
3553 TypeUtil.assert_is_instance(Envelope, envelope);
3554
3555 const msg = envelope.message;
3556 if (msg instanceof HeaderMessage) {
3557 return resolve(this._try_decrypt_header_message(envelope, msg, 0));
3558 } else if (msg instanceof PreKeyMessage) {
3559 const actual_fingerprint = msg.identity_key.fingerprint();
3560 const expected_fingerprint = this.remote_identity.fingerprint();
3561 if (actual_fingerprint !== expected_fingerprint) {
3562 const message = `Fingerprints do not match: We expected '${expected_fingerprint}', but received '${actual_fingerprint}'.`;
3563 throw new DecryptError.RemoteIdentityChanged(message, DecryptError.CODE.CASE_204);
3564 }
3565 return resolve(this._decrypt_prekey_message(envelope, msg, prekey_store));
3566 } else {
3567 throw new DecryptError('Unknown message type.', DecryptError.CODE.CASE_200);
3568 }
3569 });
3570 }
3571
3572 /**
3573 * @param {!message.Envelope} envelope
3574 * @param {!message.Message} msg
3575 * @param {!session.PreKeyStore} prekey_store
3576 * @private
3577 * @returns {Promise<Uint8Array>}
3578 * @throws {errors.DecryptError}
3579 */
3580 _decrypt_prekey_message(envelope, msg, prekey_store) {
3581 return Promise.resolve().then(() => this._decrypt_header_message(envelope, msg.message)).catch((error) => {
3582 const try_create_new_state_and_decrypt = () => {
3583 return this._new_state(prekey_store, msg).then((state) => {
3584 const plaintext = state.decrypt(envelope, msg.message);
3585 if (msg.prekey_id !== PreKey.MAX_PREKEY_ID) {
3586 MemoryUtil.zeroize(prekey_store.prekeys[msg.prekey_id]);
3587 prekey_store.remove(msg.prekey_id);
3588 }
3589
3590 this._insert_session_state(state);
3591 this.pending_prekey = null;
3592
3593 return plaintext;
3594 });
3595 };
3596
3597 if (error instanceof DecryptError.InvalidMessage) {
3598 // session state not exist
3599 try_create_new_state_and_decrypt();
3600 }
3601
3602 if (error instanceof DecryptError.HeaderDecryptionFailed) {
3603 // we had tried it once already
3604 let fail_counter = 1;
3605 const state_size = this.session_states.length;
3606 if (state_size === fail_counter) {
3607 return try_create_new_state_and_decrypt();
3608 }
3609 // start from index 1
3610 return this._try_decrypt_header_message(envelope, msg.message, 1)
3611 .catch((err) => {
3612 if (err instanceof DecryptError.HeaderDecryptionFailed) {
3613 return try_create_new_state_and_decrypt();
3614 } else {
3615 throw err;
3616 }
3617 });
3618 }
3619
3620 throw error;
3621 });
3622 }
3623
3624 /**
3625 * @param {!message.Envelope} envelope
3626 * @param {!message.Message} message
3627 * @param {!number} start
3628 * @private
3629 * @returns {Promise<Uint8Array>}
3630 */
3631 _try_decrypt_header_message(envelope, message, start) {
3632 return new Promise((resolve, reject) => {
3633 let fail_counter = start;
3634 const state_size = this.session_states.length;
3635 const HeaderDecryptionFailed = DecryptError.HeaderDecryptionFailed;
3636
3637 const try_decrypt_header_message = () => this._decrypt_header_message(envelope, message, fail_counter);
3638 const handle_error = (err) => {
3639 if (err instanceof HeaderDecryptionFailed) {
3640 fail_counter++;
3641 if (fail_counter === state_size) {
3642 reject(new HeaderDecryptionFailed('All states failed', DecryptError.CODE.CASE_216));
3643 }
3644 Promise.resolve()
3645 .then(try_decrypt_header_message)
3646 .then(resolve)
3647 .catch(handle_error);
3648 } else {
3649 // if we get here, it means that we had decrypted header, but something else has gone wrong
3650 reject(err);
3651 }
3652 };
3653
3654 Promise.resolve()
3655 .then(try_decrypt_header_message)
3656 .then(resolve)
3657 .catch(handle_error);
3658 });
3659 }
3660
3661 /**
3662 * @param {!message.Envelope} envelope
3663 * @param {!message.Message} msg
3664 * @param {number} state_index
3665 * @private
3666 * @returns {Uint8Array}
3667 */
3668 _decrypt_header_message(envelope, msg, state_index = 0) {
3669 let state = this.session_states[state_index];
3670 if (!state) {
3671 throw new DecryptError.InvalidMessage('Local session not found.', DecryptError.CODE.CASE_205);
3672 }
3673
3674 // serialise and de-serialise for a deep clone
3675 // THIS IS IMPORTANT, DO NOT MUTATE THE SESSION STATE IN-PLACE
3676 // mutating in-place can lead to undefined behavior and undefined state in edge cases
3677 state = SessionState.deserialise(state.serialise());
3678
3679 const plaintext = state.decrypt(envelope, msg);
3680
3681 this.pending_prekey = null;
3682
3683 // Avoid `unshift` operation when possible
3684 if (state_index === 0) {
3685 this.session_states[0] = state;
3686 } else {
3687 this.session_states.splice(state_index, 1);
3688 this._insert_session_state(state);
3689 }
3690
3691 return plaintext;
3692 }
3693
3694 /**
3695 * @returns {ArrayBuffer}
3696 */
3697 serialise() {
3698 const e = new CBOR.Encoder();
3699 this.encode(e);
3700 return e.get_buffer();
3701 }
3702
3703 /**
3704 * @param {!keys.IdentityKeyPair} local_identity
3705 * @param {!ArrayBuffer} buf
3706 * @returns {Session}
3707 */
3708 static deserialise(local_identity, buf) {
3709 TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
3710 TypeUtil.assert_is_instance(ArrayBuffer, buf);
3711
3712 const d = new CBOR.Decoder(buf);
3713 return this.decode(local_identity, d);
3714 }
3715
3716 /**
3717 * @param {!CBOR.Encoder} e
3718 * @returns {void}
3719 */
3720 encode(e) {
3721 e.object(5);
3722 e.u8(0);
3723 e.u8(this.version);
3724 e.u8(1);
3725 this.local_identity.public_key.encode(e);
3726 e.u8(2);
3727 this.remote_identity.encode(e);
3728
3729 e.u8(3);
3730 if (this.pending_prekey) {
3731 e.object(2);
3732 e.u8(0);
3733 e.u16(this.pending_prekey[0]);
3734 e.u8(1);
3735 this.pending_prekey[1].encode(e);
3736 } else {
3737 e.null();
3738 }
3739
3740 e.u8(4);
3741 e.array(this.session_states.length);
3742 this.session_states.map((session_state) => session_state.encode(e));
3743 }
3744
3745 /**
3746 * @param {!keys.IdentityKeyPair} local_identity
3747 * @param {!CBOR.Decoder} d
3748 * @returns {Session}
3749 */
3750 static decode(local_identity, d) {
3751 TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
3752 TypeUtil.assert_is_instance(CBOR.Decoder, d);
3753
3754 const self = ClassUtil.new_instance(this);
3755
3756 const nprops = d.object();
3757 for (let n = 0; n <= nprops - 1; n++) {
3758 switch (d.u8()) {
3759 case 0: {
3760 self.version = d.u8();
3761 break;
3762 }
3763 case 1: {
3764 const ik = IdentityKey.decode(d);
3765 if (local_identity.public_key.fingerprint() !== ik.fingerprint()) {
3766 throw new DecodeError.LocalIdentityChanged(null, DecodeError.CODE.CASE_300);
3767 }
3768 self.local_identity = local_identity;
3769 break;
3770 }
3771 case 2: {
3772 self.remote_identity = IdentityKey.decode(d);
3773 break;
3774 }
3775 case 3: {
3776 switch (d.optional(() => d.object())) {
3777 case null:
3778 self.pending_prekey = null;
3779 break;
3780 case 2:
3781 self.pending_prekey = [null, null];
3782 for (let k = 0; k <= 1; ++k) {
3783 switch (d.u8()) {
3784 case 0:
3785 self.pending_prekey[0] = d.u16();
3786 break;
3787 case 1:
3788 self.pending_prekey[1] = PublicKey.decode(d);
3789 }
3790 }
3791 break;
3792 default:
3793 throw new DecodeError.InvalidType(null, DecodeError.CODE.CASE_301);
3794 }
3795 break;
3796 }
3797 case 4: {
3798 self.session_states = [];
3799 let len = d.array();
3800 while (len--) {
3801 self.session_states.push(SessionState.decode(d));
3802 }
3803 break;
3804 }
3805 default: {
3806 d.skip();
3807 }
3808 }
3809 }
3810
3811 TypeUtil.assert_is_integer(self.version);
3812 TypeUtil.assert_is_instance(IdentityKeyPair, self.local_identity);
3813 TypeUtil.assert_is_instance(IdentityKey, self.remote_identity);
3814 TypeUtil.assert_is_instance(Array, self.session_states);
3815
3816 return self;
3817 }
3818}
3819
3820module.exports = Session;
3821
3822const SessionState = __webpack_require__(36);
3823
3824
3825/***/ }),
3826/* 31 */
3827/***/ (function(module, exports, __webpack_require__) {
3828
3829"use strict";
3830/*
3831 * Wire
3832 * Copyright (C) 2016 Wire Swiss GmbH
3833 *
3834 * This program is free software: you can redistribute it and/or modify
3835 * it under the terms of the GNU General Public License as published by
3836 * the Free Software Foundation, either version 3 of the License, or
3837 * (at your option) any later version.
3838 *
3839 * This program is distributed in the hope that it will be useful,
3840 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3841 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3842 * GNU General Public License for more details.
3843 *
3844 * You should have received a copy of the GNU General Public License
3845 * along with this program. If not, see http://www.gnu.org/licenses/.
3846 *
3847 */
3848
3849
3850
3851const ProteusError = __webpack_require__(6);
3852const TypeUtil = __webpack_require__(1);
3853
3854/** @module util */
3855
3856/**
3857 * Concatenates array buffers (usually 8-bit unsigned).
3858 */
3859const ArrayUtil = {
3860 /**
3861 * @param {!Array<ArrayBuffer>} buffers
3862 * @returns {Array<ArrayBuffer>}
3863 */
3864 concatenate_array_buffers(buffers) {
3865 TypeUtil.assert_is_instance(Array, buffers);
3866
3867 return buffers.reduce((a, b) => {
3868 const buf = new a.constructor(a.byteLength + b.byteLength);
3869 buf.set(a, 0);
3870 buf.set(b, a.byteLength);
3871 return buf;
3872 });
3873 },
3874
3875 /**
3876 * @param {!(Array<number>|Uint8Array)} array
3877 * @returns {void}
3878 * @throws {errors.ProteusError}
3879 */
3880 assert_is_not_zeros(array) {
3881 let only_zeroes = true;
3882 for (let val in array) {
3883 if (val > 0) {
3884 only_zeroes = false;
3885 break;
3886 }
3887 }
3888
3889 if (only_zeroes === true) {
3890 throw new ProteusError('Array consists only of zeroes.', ProteusError.prototype.CODE.CASE_100);
3891 }
3892 },
3893};
3894
3895module.exports = ArrayUtil;
3896
3897
3898/***/ }),
3899/* 32 */
3900/***/ (function(module, exports, __webpack_require__) {
3901
3902"use strict";
3903/*
3904 * Wire
3905 * Copyright (C) 2016 Wire Swiss GmbH
3906 *
3907 * This program is free software: you can redistribute it and/or modify
3908 * it under the terms of the GNU General Public License as published by
3909 * the Free Software Foundation, either version 3 of the License, or
3910 * (at your option) any later version.
3911 *
3912 * This program is distributed in the hope that it will be useful,
3913 * but WITHOUT ANY WARRANTY; without even the implied warranty of
3914 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3915 * GNU General Public License for more details.
3916 *
3917 * You should have received a copy of the GNU General Public License
3918 * along with this program. If not, see http://www.gnu.org/licenses/.
3919 *
3920 */
3921
3922
3923
3924const CBOR = __webpack_require__(2);
3925
3926const ClassUtil = __webpack_require__(3);
3927const DontCallConstructor = __webpack_require__(0);
3928const TypeUtil = __webpack_require__(1);
3929
3930const CipherKey = __webpack_require__(27);
3931const MacKey = __webpack_require__(15);
3932
3933/** @module session */
3934
3935/**
3936 * @class MessageKeys
3937 * @throws {DontCallConstructor}
3938 */
3939class MessageKeys {
3940 constructor() {
3941 throw new DontCallConstructor(this);
3942 }
3943
3944 /**
3945 * @param {!derived.CipherKey} cipher_key
3946 * @param {!derived.MacKey} mac_key
3947 * @param {!number} counter
3948 * @returns {MessageKeys} - `this`
3949 */
3950 static new(cipher_key, mac_key, counter) {
3951 TypeUtil.assert_is_instance(CipherKey, cipher_key);
3952 TypeUtil.assert_is_instance(MacKey, mac_key);
3953 TypeUtil.assert_is_integer(counter);
3954
3955 const mk = ClassUtil.new_instance(MessageKeys);
3956 mk.cipher_key = cipher_key;
3957 mk.mac_key = mac_key;
3958 mk.counter = counter;
3959 return mk;
3960 }
3961
3962 /**
3963 * @returns {Uint8Array}
3964 * @private
3965 */
3966 _counter_as_nonce() {
3967 const nonce = new ArrayBuffer(8);
3968 new DataView(nonce).setUint32(0, this.counter);
3969 return new Uint8Array(nonce);
3970 }
3971
3972 /**
3973 * @param {!(string|Uint8Array)} plaintext
3974 * @returns {Uint8Array}
3975 */
3976 encrypt(plaintext) {
3977 return this.cipher_key.encrypt(plaintext, this._counter_as_nonce());
3978 }
3979
3980 /**
3981 * @param {!Uint8Array} ciphertext
3982 * @returns {Uint8Array}
3983 */
3984 decrypt(ciphertext) {
3985 return this.cipher_key.decrypt(ciphertext, this._counter_as_nonce());
3986 }
3987
3988 /**
3989 * @param {!CBOR.Encoder} e
3990 * @returns {CBOR.Encoder}
3991 */
3992 encode(e) {
3993 e.object(3);
3994 e.u8(0);
3995 this.cipher_key.encode(e);
3996 e.u8(1);
3997 this.mac_key.encode(e);
3998 e.u8(2);
3999 return e.u32(this.counter);
4000 }
4001
4002 /**
4003 * @param {!CBOR.Decoder} d
4004 * @returns {MessageKeys}
4005 */
4006 static decode(d) {
4007 TypeUtil.assert_is_instance(CBOR.Decoder, d);
4008
4009 const self = ClassUtil.new_instance(MessageKeys);
4010
4011 const nprops = d.object();
4012 for (let i = 0; i <= nprops - 1; i++) {
4013 switch (d.u8()) {
4014 case 0:
4015 self.cipher_key = CipherKey.decode(d);
4016 break;
4017 case 1:
4018 self.mac_key = MacKey.decode(d);
4019 break;
4020 case 2:
4021 self.counter = d.u32();
4022 break;
4023 default:
4024 d.skip();
4025 }
4026 }
4027
4028 TypeUtil.assert_is_instance(CipherKey, self.cipher_key);
4029 TypeUtil.assert_is_instance(MacKey, self.mac_key);
4030 TypeUtil.assert_is_integer(self.counter);
4031
4032 return self;
4033 }
4034}
4035
4036module.exports = MessageKeys;
4037
4038
4039/***/ }),
4040/* 33 */
4041/***/ (function(module, exports, __webpack_require__) {
4042
4043"use strict";
4044/*
4045 * Wire
4046 * Copyright (C) 2016 Wire Swiss GmbH
4047 *
4048 * This program is free software: you can redistribute it and/or modify
4049 * it under the terms of the GNU General Public License as published by
4050 * the Free Software Foundation, either version 3 of the License, or
4051 * (at your option) any later version.
4052 *
4053 * This program is distributed in the hope that it will be useful,
4054 * but WITHOUT ANY WARRANTY; without even the implied warranty of
4055 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
4056 * GNU General Public License for more details.
4057 *
4058 * You should have received a copy of the GNU General Public License
4059 * along with this program. If not, see http://www.gnu.org/licenses/.
4060 *
4061 */
4062
4063
4064
4065module.exports = {
4066 errors: {
4067 ProteusError: __webpack_require__(6),
4068 DecodeError: __webpack_require__(19),
4069 DecryptError: __webpack_require__(10),
4070 InputError: __webpack_require__(20),
4071 },
4072
4073 keys: {
4074 IdentityKey: __webpack_require__(8),
4075 IdentityKeyPair: __webpack_require__(11),
4076 KeyPair: __webpack_require__(7),
4077 PreKeyAuth: __webpack_require__(28),
4078 PreKeyBundle: __webpack_require__(23),
4079 PreKey: __webpack_require__(24),
4080 PublicKey: __webpack_require__(4),
4081 SecretKey: __webpack_require__(22),
4082 },
4083
4084 message: {
4085 Message: __webpack_require__(12),
4086 PreKeyMessage: __webpack_require__(13),
4087 Envelope: __webpack_require__(14),
4088 Header: __webpack_require__(25),
4089 HeaderMessage: __webpack_require__(9),
4090 },
4091
4092 session: {
4093 PreKeyStore: __webpack_require__(29),
4094 Session: __webpack_require__(30),
4095 },
4096};
4097
4098
4099/***/ }),
4100/* 34 */
4101/***/ (function(module, exports, __webpack_require__) {
4102
4103(function(nacl) {
4104'use strict';
4105
4106// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
4107// Public domain.
4108//
4109// Implementation derived from TweetNaCl version 20140427.
4110// See for details: http://tweetnacl.cr.yp.to/
4111
4112var gf = function(init) {
4113 var i, r = new Float64Array(16);
4114 if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
4115 return r;
4116};
4117
4118// Pluggable, initialized in high-level API below.
4119var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };
4120
4121var _0 = new Uint8Array(16);
4122var _9 = new Uint8Array(32); _9[0] = 9;
4123
4124var gf0 = gf(),
4125 gf1 = gf([1]),
4126 _121665 = gf([0xdb41, 1]),
4127 D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
4128 D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),
4129 X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),
4130 Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),
4131 I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
4132
4133function ts64(x, i, h, l) {
4134 x[i] = (h >> 24) & 0xff;
4135 x[i+1] = (h >> 16) & 0xff;
4136 x[i+2] = (h >> 8) & 0xff;
4137 x[i+3] = h & 0xff;
4138 x[i+4] = (l >> 24) & 0xff;
4139 x[i+5] = (l >> 16) & 0xff;
4140 x[i+6] = (l >> 8) & 0xff;
4141 x[i+7] = l & 0xff;
4142}
4143
4144function vn(x, xi, y, yi, n) {
4145 var i,d = 0;
4146 for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];
4147 return (1 & ((d - 1) >>> 8)) - 1;
4148}
4149
4150function crypto_verify_16(x, xi, y, yi) {
4151 return vn(x,xi,y,yi,16);
4152}
4153
4154function crypto_verify_32(x, xi, y, yi) {
4155 return vn(x,xi,y,yi,32);
4156}
4157
4158function core_salsa20(o, p, k, c) {
4159 var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
4160 j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
4161 j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
4162 j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
4163 j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
4164 j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
4165 j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
4166 j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
4167 j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
4168 j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
4169 j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
4170 j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
4171 j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
4172 j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
4173 j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
4174 j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
4175
4176 var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
4177 x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
4178 x15 = j15, u;
4179
4180 for (var i = 0; i < 20; i += 2) {
4181 u = x0 + x12 | 0;
4182 x4 ^= u<<7 | u>>>(32-7);
4183 u = x4 + x0 | 0;
4184 x8 ^= u<<9 | u>>>(32-9);
4185 u = x8 + x4 | 0;
4186 x12 ^= u<<13 | u>>>(32-13);
4187 u = x12 + x8 | 0;
4188 x0 ^= u<<18 | u>>>(32-18);
4189
4190 u = x5 + x1 | 0;
4191 x9 ^= u<<7 | u>>>(32-7);
4192 u = x9 + x5 | 0;
4193 x13 ^= u<<9 | u>>>(32-9);
4194 u = x13 + x9 | 0;
4195 x1 ^= u<<13 | u>>>(32-13);
4196 u = x1 + x13 | 0;
4197 x5 ^= u<<18 | u>>>(32-18);
4198
4199 u = x10 + x6 | 0;
4200 x14 ^= u<<7 | u>>>(32-7);
4201 u = x14 + x10 | 0;
4202 x2 ^= u<<9 | u>>>(32-9);
4203 u = x2 + x14 | 0;
4204 x6 ^= u<<13 | u>>>(32-13);
4205 u = x6 + x2 | 0;
4206 x10 ^= u<<18 | u>>>(32-18);
4207
4208 u = x15 + x11 | 0;
4209 x3 ^= u<<7 | u>>>(32-7);
4210 u = x3 + x15 | 0;
4211 x7 ^= u<<9 | u>>>(32-9);
4212 u = x7 + x3 | 0;
4213 x11 ^= u<<13 | u>>>(32-13);
4214 u = x11 + x7 | 0;
4215 x15 ^= u<<18 | u>>>(32-18);
4216
4217 u = x0 + x3 | 0;
4218 x1 ^= u<<7 | u>>>(32-7);
4219 u = x1 + x0 | 0;
4220 x2 ^= u<<9 | u>>>(32-9);
4221 u = x2 + x1 | 0;
4222 x3 ^= u<<13 | u>>>(32-13);
4223 u = x3 + x2 | 0;
4224 x0 ^= u<<18 | u>>>(32-18);
4225
4226 u = x5 + x4 | 0;
4227 x6 ^= u<<7 | u>>>(32-7);
4228 u = x6 + x5 | 0;
4229 x7 ^= u<<9 | u>>>(32-9);
4230 u = x7 + x6 | 0;
4231 x4 ^= u<<13 | u>>>(32-13);
4232 u = x4 + x7 | 0;
4233 x5 ^= u<<18 | u>>>(32-18);
4234
4235 u = x10 + x9 | 0;
4236 x11 ^= u<<7 | u>>>(32-7);
4237 u = x11 + x10 | 0;
4238 x8 ^= u<<9 | u>>>(32-9);
4239 u = x8 + x11 | 0;
4240 x9 ^= u<<13 | u>>>(32-13);
4241 u = x9 + x8 | 0;
4242 x10 ^= u<<18 | u>>>(32-18);
4243
4244 u = x15 + x14 | 0;
4245 x12 ^= u<<7 | u>>>(32-7);
4246 u = x12 + x15 | 0;
4247 x13 ^= u<<9 | u>>>(32-9);
4248 u = x13 + x12 | 0;
4249 x14 ^= u<<13 | u>>>(32-13);
4250 u = x14 + x13 | 0;
4251 x15 ^= u<<18 | u>>>(32-18);
4252 }
4253 x0 = x0 + j0 | 0;
4254 x1 = x1 + j1 | 0;
4255 x2 = x2 + j2 | 0;
4256 x3 = x3 + j3 | 0;
4257 x4 = x4 + j4 | 0;
4258 x5 = x5 + j5 | 0;
4259 x6 = x6 + j6 | 0;
4260 x7 = x7 + j7 | 0;
4261 x8 = x8 + j8 | 0;
4262 x9 = x9 + j9 | 0;
4263 x10 = x10 + j10 | 0;
4264 x11 = x11 + j11 | 0;
4265 x12 = x12 + j12 | 0;
4266 x13 = x13 + j13 | 0;
4267 x14 = x14 + j14 | 0;
4268 x15 = x15 + j15 | 0;
4269
4270 o[ 0] = x0 >>> 0 & 0xff;
4271 o[ 1] = x0 >>> 8 & 0xff;
4272 o[ 2] = x0 >>> 16 & 0xff;
4273 o[ 3] = x0 >>> 24 & 0xff;
4274
4275 o[ 4] = x1 >>> 0 & 0xff;
4276 o[ 5] = x1 >>> 8 & 0xff;
4277 o[ 6] = x1 >>> 16 & 0xff;
4278 o[ 7] = x1 >>> 24 & 0xff;
4279
4280 o[ 8] = x2 >>> 0 & 0xff;
4281 o[ 9] = x2 >>> 8 & 0xff;
4282 o[10] = x2 >>> 16 & 0xff;
4283 o[11] = x2 >>> 24 & 0xff;
4284
4285 o[12] = x3 >>> 0 & 0xff;
4286 o[13] = x3 >>> 8 & 0xff;
4287 o[14] = x3 >>> 16 & 0xff;
4288 o[15] = x3 >>> 24 & 0xff;
4289
4290 o[16] = x4 >>> 0 & 0xff;
4291 o[17] = x4 >>> 8 & 0xff;
4292 o[18] = x4 >>> 16 & 0xff;
4293 o[19] = x4 >>> 24 & 0xff;
4294
4295 o[20] = x5 >>> 0 & 0xff;
4296 o[21] = x5 >>> 8 & 0xff;
4297 o[22] = x5 >>> 16 & 0xff;
4298 o[23] = x5 >>> 24 & 0xff;
4299
4300 o[24] = x6 >>> 0 & 0xff;
4301 o[25] = x6 >>> 8 & 0xff;
4302 o[26] = x6 >>> 16 & 0xff;
4303 o[27] = x6 >>> 24 & 0xff;
4304
4305 o[28] = x7 >>> 0 & 0xff;
4306 o[29] = x7 >>> 8 & 0xff;
4307 o[30] = x7 >>> 16 & 0xff;
4308 o[31] = x7 >>> 24 & 0xff;
4309
4310 o[32] = x8 >>> 0 & 0xff;
4311 o[33] = x8 >>> 8 & 0xff;
4312 o[34] = x8 >>> 16 & 0xff;
4313 o[35] = x8 >>> 24 & 0xff;
4314
4315 o[36] = x9 >>> 0 & 0xff;
4316 o[37] = x9 >>> 8 & 0xff;
4317 o[38] = x9 >>> 16 & 0xff;
4318 o[39] = x9 >>> 24 & 0xff;
4319
4320 o[40] = x10 >>> 0 & 0xff;
4321 o[41] = x10 >>> 8 & 0xff;
4322 o[42] = x10 >>> 16 & 0xff;
4323 o[43] = x10 >>> 24 & 0xff;
4324
4325 o[44] = x11 >>> 0 & 0xff;
4326 o[45] = x11 >>> 8 & 0xff;
4327 o[46] = x11 >>> 16 & 0xff;
4328 o[47] = x11 >>> 24 & 0xff;
4329
4330 o[48] = x12 >>> 0 & 0xff;
4331 o[49] = x12 >>> 8 & 0xff;
4332 o[50] = x12 >>> 16 & 0xff;
4333 o[51] = x12 >>> 24 & 0xff;
4334
4335 o[52] = x13 >>> 0 & 0xff;
4336 o[53] = x13 >>> 8 & 0xff;
4337 o[54] = x13 >>> 16 & 0xff;
4338 o[55] = x13 >>> 24 & 0xff;
4339
4340 o[56] = x14 >>> 0 & 0xff;
4341 o[57] = x14 >>> 8 & 0xff;
4342 o[58] = x14 >>> 16 & 0xff;
4343 o[59] = x14 >>> 24 & 0xff;
4344
4345 o[60] = x15 >>> 0 & 0xff;
4346 o[61] = x15 >>> 8 & 0xff;
4347 o[62] = x15 >>> 16 & 0xff;
4348 o[63] = x15 >>> 24 & 0xff;
4349}
4350
4351function core_hsalsa20(o,p,k,c) {
4352 var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
4353 j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
4354 j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
4355 j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
4356 j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
4357 j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
4358 j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
4359 j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
4360 j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
4361 j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
4362 j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
4363 j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
4364 j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
4365 j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
4366 j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
4367 j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
4368
4369 var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
4370 x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
4371 x15 = j15, u;
4372
4373 for (var i = 0; i < 20; i += 2) {
4374 u = x0 + x12 | 0;
4375 x4 ^= u<<7 | u>>>(32-7);
4376 u = x4 + x0 | 0;
4377 x8 ^= u<<9 | u>>>(32-9);
4378 u = x8 + x4 | 0;
4379 x12 ^= u<<13 | u>>>(32-13);
4380 u = x12 + x8 | 0;
4381 x0 ^= u<<18 | u>>>(32-18);
4382
4383 u = x5 + x1 | 0;
4384 x9 ^= u<<7 | u>>>(32-7);
4385 u = x9 + x5 | 0;
4386 x13 ^= u<<9 | u>>>(32-9);
4387 u = x13 + x9 | 0;
4388 x1 ^= u<<13 | u>>>(32-13);
4389 u = x1 + x13 | 0;
4390 x5 ^= u<<18 | u>>>(32-18);
4391
4392 u = x10 + x6 | 0;
4393 x14 ^= u<<7 | u>>>(32-7);
4394 u = x14 + x10 | 0;
4395 x2 ^= u<<9 | u>>>(32-9);
4396 u = x2 + x14 | 0;
4397 x6 ^= u<<13 | u>>>(32-13);
4398 u = x6 + x2 | 0;
4399 x10 ^= u<<18 | u>>>(32-18);
4400
4401 u = x15 + x11 | 0;
4402 x3 ^= u<<7 | u>>>(32-7);
4403 u = x3 + x15 | 0;
4404 x7 ^= u<<9 | u>>>(32-9);
4405 u = x7 + x3 | 0;
4406 x11 ^= u<<13 | u>>>(32-13);
4407 u = x11 + x7 | 0;
4408 x15 ^= u<<18 | u>>>(32-18);
4409
4410 u = x0 + x3 | 0;
4411 x1 ^= u<<7 | u>>>(32-7);
4412 u = x1 + x0 | 0;
4413 x2 ^= u<<9 | u>>>(32-9);
4414 u = x2 + x1 | 0;
4415 x3 ^= u<<13 | u>>>(32-13);
4416 u = x3 + x2 | 0;
4417 x0 ^= u<<18 | u>>>(32-18);
4418
4419 u = x5 + x4 | 0;
4420 x6 ^= u<<7 | u>>>(32-7);
4421 u = x6 + x5 | 0;
4422 x7 ^= u<<9 | u>>>(32-9);
4423 u = x7 + x6 | 0;
4424 x4 ^= u<<13 | u>>>(32-13);
4425 u = x4 + x7 | 0;
4426 x5 ^= u<<18 | u>>>(32-18);
4427
4428 u = x10 + x9 | 0;
4429 x11 ^= u<<7 | u>>>(32-7);
4430 u = x11 + x10 | 0;
4431 x8 ^= u<<9 | u>>>(32-9);
4432 u = x8 + x11 | 0;
4433 x9 ^= u<<13 | u>>>(32-13);
4434 u = x9 + x8 | 0;
4435 x10 ^= u<<18 | u>>>(32-18);
4436
4437 u = x15 + x14 | 0;
4438 x12 ^= u<<7 | u>>>(32-7);
4439 u = x12 + x15 | 0;
4440 x13 ^= u<<9 | u>>>(32-9);
4441 u = x13 + x12 | 0;
4442 x14 ^= u<<13 | u>>>(32-13);
4443 u = x14 + x13 | 0;
4444 x15 ^= u<<18 | u>>>(32-18);
4445 }
4446
4447 o[ 0] = x0 >>> 0 & 0xff;
4448 o[ 1] = x0 >>> 8 & 0xff;
4449 o[ 2] = x0 >>> 16 & 0xff;
4450 o[ 3] = x0 >>> 24 & 0xff;
4451
4452 o[ 4] = x5 >>> 0 & 0xff;
4453 o[ 5] = x5 >>> 8 & 0xff;
4454 o[ 6] = x5 >>> 16 & 0xff;
4455 o[ 7] = x5 >>> 24 & 0xff;
4456
4457 o[ 8] = x10 >>> 0 & 0xff;
4458 o[ 9] = x10 >>> 8 & 0xff;
4459 o[10] = x10 >>> 16 & 0xff;
4460 o[11] = x10 >>> 24 & 0xff;
4461
4462 o[12] = x15 >>> 0 & 0xff;
4463 o[13] = x15 >>> 8 & 0xff;
4464 o[14] = x15 >>> 16 & 0xff;
4465 o[15] = x15 >>> 24 & 0xff;
4466
4467 o[16] = x6 >>> 0 & 0xff;
4468 o[17] = x6 >>> 8 & 0xff;
4469 o[18] = x6 >>> 16 & 0xff;
4470 o[19] = x6 >>> 24 & 0xff;
4471
4472 o[20] = x7 >>> 0 & 0xff;
4473 o[21] = x7 >>> 8 & 0xff;
4474 o[22] = x7 >>> 16 & 0xff;
4475 o[23] = x7 >>> 24 & 0xff;
4476
4477 o[24] = x8 >>> 0 & 0xff;
4478 o[25] = x8 >>> 8 & 0xff;
4479 o[26] = x8 >>> 16 & 0xff;
4480 o[27] = x8 >>> 24 & 0xff;
4481
4482 o[28] = x9 >>> 0 & 0xff;
4483 o[29] = x9 >>> 8 & 0xff;
4484 o[30] = x9 >>> 16 & 0xff;
4485 o[31] = x9 >>> 24 & 0xff;
4486}
4487
4488function crypto_core_salsa20(out,inp,k,c) {
4489 core_salsa20(out,inp,k,c);
4490}
4491
4492function crypto_core_hsalsa20(out,inp,k,c) {
4493 core_hsalsa20(out,inp,k,c);
4494}
4495
4496var sigma = new Uint8Array([101, 120, 112, 97, 110, 100, 32, 51, 50, 45, 98, 121, 116, 101, 32, 107]);
4497 // "expand 32-byte k"
4498
4499function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
4500 var z = new Uint8Array(16), x = new Uint8Array(64);
4501 var u, i;
4502 for (i = 0; i < 16; i++) z[i] = 0;
4503 for (i = 0; i < 8; i++) z[i] = n[i];
4504 while (b >= 64) {
4505 crypto_core_salsa20(x,z,k,sigma);
4506 for (i = 0; i < 64; i++) c[cpos+i] = m[mpos+i] ^ x[i];
4507 u = 1;
4508 for (i = 8; i < 16; i++) {
4509 u = u + (z[i] & 0xff) | 0;
4510 z[i] = u & 0xff;
4511 u >>>= 8;
4512 }
4513 b -= 64;
4514 cpos += 64;
4515 mpos += 64;
4516 }
4517 if (b > 0) {
4518 crypto_core_salsa20(x,z,k,sigma);
4519 for (i = 0; i < b; i++) c[cpos+i] = m[mpos+i] ^ x[i];
4520 }
4521 return 0;
4522}
4523
4524function crypto_stream_salsa20(c,cpos,b,n,k) {
4525 var z = new Uint8Array(16), x = new Uint8Array(64);
4526 var u, i;
4527 for (i = 0; i < 16; i++) z[i] = 0;
4528 for (i = 0; i < 8; i++) z[i] = n[i];
4529 while (b >= 64) {
4530 crypto_core_salsa20(x,z,k,sigma);
4531 for (i = 0; i < 64; i++) c[cpos+i] = x[i];
4532 u = 1;
4533 for (i = 8; i < 16; i++) {
4534 u = u + (z[i] & 0xff) | 0;
4535 z[i] = u & 0xff;
4536 u >>>= 8;
4537 }
4538 b -= 64;
4539 cpos += 64;
4540 }
4541 if (b > 0) {
4542 crypto_core_salsa20(x,z,k,sigma);
4543 for (i = 0; i < b; i++) c[cpos+i] = x[i];
4544 }
4545 return 0;
4546}
4547
4548function crypto_stream(c,cpos,d,n,k) {
4549 var s = new Uint8Array(32);
4550 crypto_core_hsalsa20(s,n,k,sigma);
4551 var sn = new Uint8Array(8);
4552 for (var i = 0; i < 8; i++) sn[i] = n[i+16];
4553 return crypto_stream_salsa20(c,cpos,d,sn,s);
4554}
4555
4556function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
4557 var s = new Uint8Array(32);
4558 crypto_core_hsalsa20(s,n,k,sigma);
4559 var sn = new Uint8Array(8);
4560 for (var i = 0; i < 8; i++) sn[i] = n[i+16];
4561 return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,sn,s);
4562}
4563
4564/*
4565* Port of Andrew Moon's Poly1305-donna-16. Public domain.
4566* https://github.com/floodyberry/poly1305-donna
4567*/
4568
4569var poly1305 = function(key) {
4570 this.buffer = new Uint8Array(16);
4571 this.r = new Uint16Array(10);
4572 this.h = new Uint16Array(10);
4573 this.pad = new Uint16Array(8);
4574 this.leftover = 0;
4575 this.fin = 0;
4576
4577 var t0, t1, t2, t3, t4, t5, t6, t7;
4578
4579 t0 = key[ 0] & 0xff | (key[ 1] & 0xff) << 8; this.r[0] = ( t0 ) & 0x1fff;
4580 t1 = key[ 2] & 0xff | (key[ 3] & 0xff) << 8; this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
4581 t2 = key[ 4] & 0xff | (key[ 5] & 0xff) << 8; this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
4582 t3 = key[ 6] & 0xff | (key[ 7] & 0xff) << 8; this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
4583 t4 = key[ 8] & 0xff | (key[ 9] & 0xff) << 8; this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
4584 this.r[5] = ((t4 >>> 1)) & 0x1ffe;
4585 t5 = key[10] & 0xff | (key[11] & 0xff) << 8; this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
4586 t6 = key[12] & 0xff | (key[13] & 0xff) << 8; this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
4587 t7 = key[14] & 0xff | (key[15] & 0xff) << 8; this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
4588 this.r[9] = ((t7 >>> 5)) & 0x007f;
4589
4590 this.pad[0] = key[16] & 0xff | (key[17] & 0xff) << 8;
4591 this.pad[1] = key[18] & 0xff | (key[19] & 0xff) << 8;
4592 this.pad[2] = key[20] & 0xff | (key[21] & 0xff) << 8;
4593 this.pad[3] = key[22] & 0xff | (key[23] & 0xff) << 8;
4594 this.pad[4] = key[24] & 0xff | (key[25] & 0xff) << 8;
4595 this.pad[5] = key[26] & 0xff | (key[27] & 0xff) << 8;
4596 this.pad[6] = key[28] & 0xff | (key[29] & 0xff) << 8;
4597 this.pad[7] = key[30] & 0xff | (key[31] & 0xff) << 8;
4598};
4599
4600poly1305.prototype.blocks = function(m, mpos, bytes) {
4601 var hibit = this.fin ? 0 : (1 << 11);
4602 var t0, t1, t2, t3, t4, t5, t6, t7, c;
4603 var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9;
4604
4605 var h0 = this.h[0],
4606 h1 = this.h[1],
4607 h2 = this.h[2],
4608 h3 = this.h[3],
4609 h4 = this.h[4],
4610 h5 = this.h[5],
4611 h6 = this.h[6],
4612 h7 = this.h[7],
4613 h8 = this.h[8],
4614 h9 = this.h[9];
4615
4616 var r0 = this.r[0],
4617 r1 = this.r[1],
4618 r2 = this.r[2],
4619 r3 = this.r[3],
4620 r4 = this.r[4],
4621 r5 = this.r[5],
4622 r6 = this.r[6],
4623 r7 = this.r[7],
4624 r8 = this.r[8],
4625 r9 = this.r[9];
4626
4627 while (bytes >= 16) {
4628 t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0 ) & 0x1fff;
4629 t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
4630 t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 << 6)) & 0x1fff;
4631 t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
4632 t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>> 4) | (t4 << 12)) & 0x1fff;
4633 h5 += ((t4 >>> 1)) & 0x1fff;
4634 t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
4635 t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 << 5)) & 0x1fff;
4636 t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
4637 h9 += ((t7 >>> 5)) | hibit;
4638
4639 c = 0;
4640
4641 d0 = c;
4642 d0 += h0 * r0;
4643 d0 += h1 * (5 * r9);
4644 d0 += h2 * (5 * r8);
4645 d0 += h3 * (5 * r7);
4646 d0 += h4 * (5 * r6);
4647 c = (d0 >>> 13); d0 &= 0x1fff;
4648 d0 += h5 * (5 * r5);
4649 d0 += h6 * (5 * r4);
4650 d0 += h7 * (5 * r3);
4651 d0 += h8 * (5 * r2);
4652 d0 += h9 * (5 * r1);
4653 c += (d0 >>> 13); d0 &= 0x1fff;
4654
4655 d1 = c;
4656 d1 += h0 * r1;
4657 d1 += h1 * r0;
4658 d1 += h2 * (5 * r9);
4659 d1 += h3 * (5 * r8);
4660 d1 += h4 * (5 * r7);
4661 c = (d1 >>> 13); d1 &= 0x1fff;
4662 d1 += h5 * (5 * r6);
4663 d1 += h6 * (5 * r5);
4664 d1 += h7 * (5 * r4);
4665 d1 += h8 * (5 * r3);
4666 d1 += h9 * (5 * r2);
4667 c += (d1 >>> 13); d1 &= 0x1fff;
4668
4669 d2 = c;
4670 d2 += h0 * r2;
4671 d2 += h1 * r1;
4672 d2 += h2 * r0;
4673 d2 += h3 * (5 * r9);
4674 d2 += h4 * (5 * r8);
4675 c = (d2 >>> 13); d2 &= 0x1fff;
4676 d2 += h5 * (5 * r7);
4677 d2 += h6 * (5 * r6);
4678 d2 += h7 * (5 * r5);
4679 d2 += h8 * (5 * r4);
4680 d2 += h9 * (5 * r3);
4681 c += (d2 >>> 13); d2 &= 0x1fff;
4682
4683 d3 = c;
4684 d3 += h0 * r3;
4685 d3 += h1 * r2;
4686 d3 += h2 * r1;
4687 d3 += h3 * r0;
4688 d3 += h4 * (5 * r9);
4689 c = (d3 >>> 13); d3 &= 0x1fff;
4690 d3 += h5 * (5 * r8);
4691 d3 += h6 * (5 * r7);
4692 d3 += h7 * (5 * r6);
4693 d3 += h8 * (5 * r5);
4694 d3 += h9 * (5 * r4);
4695 c += (d3 >>> 13); d3 &= 0x1fff;
4696
4697 d4 = c;
4698 d4 += h0 * r4;
4699 d4 += h1 * r3;
4700 d4 += h2 * r2;
4701 d4 += h3 * r1;
4702 d4 += h4 * r0;
4703 c = (d4 >>> 13); d4 &= 0x1fff;
4704 d4 += h5 * (5 * r9);
4705 d4 += h6 * (5 * r8);
4706 d4 += h7 * (5 * r7);
4707 d4 += h8 * (5 * r6);
4708 d4 += h9 * (5 * r5);
4709 c += (d4 >>> 13); d4 &= 0x1fff;
4710
4711 d5 = c;
4712 d5 += h0 * r5;
4713 d5 += h1 * r4;
4714 d5 += h2 * r3;
4715 d5 += h3 * r2;
4716 d5 += h4 * r1;
4717 c = (d5 >>> 13); d5 &= 0x1fff;
4718 d5 += h5 * r0;
4719 d5 += h6 * (5 * r9);
4720 d5 += h7 * (5 * r8);
4721 d5 += h8 * (5 * r7);
4722 d5 += h9 * (5 * r6);
4723 c += (d5 >>> 13); d5 &= 0x1fff;
4724
4725 d6 = c;
4726 d6 += h0 * r6;
4727 d6 += h1 * r5;
4728 d6 += h2 * r4;
4729 d6 += h3 * r3;
4730 d6 += h4 * r2;
4731 c = (d6 >>> 13); d6 &= 0x1fff;
4732 d6 += h5 * r1;
4733 d6 += h6 * r0;
4734 d6 += h7 * (5 * r9);
4735 d6 += h8 * (5 * r8);
4736 d6 += h9 * (5 * r7);
4737 c += (d6 >>> 13); d6 &= 0x1fff;
4738
4739 d7 = c;
4740 d7 += h0 * r7;
4741 d7 += h1 * r6;
4742 d7 += h2 * r5;
4743 d7 += h3 * r4;
4744 d7 += h4 * r3;
4745 c = (d7 >>> 13); d7 &= 0x1fff;
4746 d7 += h5 * r2;
4747 d7 += h6 * r1;
4748 d7 += h7 * r0;
4749 d7 += h8 * (5 * r9);
4750 d7 += h9 * (5 * r8);
4751 c += (d7 >>> 13); d7 &= 0x1fff;
4752
4753 d8 = c;
4754 d8 += h0 * r8;
4755 d8 += h1 * r7;
4756 d8 += h2 * r6;
4757 d8 += h3 * r5;
4758 d8 += h4 * r4;
4759 c = (d8 >>> 13); d8 &= 0x1fff;
4760 d8 += h5 * r3;
4761 d8 += h6 * r2;
4762 d8 += h7 * r1;
4763 d8 += h8 * r0;
4764 d8 += h9 * (5 * r9);
4765 c += (d8 >>> 13); d8 &= 0x1fff;
4766
4767 d9 = c;
4768 d9 += h0 * r9;
4769 d9 += h1 * r8;
4770 d9 += h2 * r7;
4771 d9 += h3 * r6;
4772 d9 += h4 * r5;
4773 c = (d9 >>> 13); d9 &= 0x1fff;
4774 d9 += h5 * r4;
4775 d9 += h6 * r3;
4776 d9 += h7 * r2;
4777 d9 += h8 * r1;
4778 d9 += h9 * r0;
4779 c += (d9 >>> 13); d9 &= 0x1fff;
4780
4781 c = (((c << 2) + c)) | 0;
4782 c = (c + d0) | 0;
4783 d0 = c & 0x1fff;
4784 c = (c >>> 13);
4785 d1 += c;
4786
4787 h0 = d0;
4788 h1 = d1;
4789 h2 = d2;
4790 h3 = d3;
4791 h4 = d4;
4792 h5 = d5;
4793 h6 = d6;
4794 h7 = d7;
4795 h8 = d8;
4796 h9 = d9;
4797
4798 mpos += 16;
4799 bytes -= 16;
4800 }
4801 this.h[0] = h0;
4802 this.h[1] = h1;
4803 this.h[2] = h2;
4804 this.h[3] = h3;
4805 this.h[4] = h4;
4806 this.h[5] = h5;
4807 this.h[6] = h6;
4808 this.h[7] = h7;
4809 this.h[8] = h8;
4810 this.h[9] = h9;
4811};
4812
4813poly1305.prototype.finish = function(mac, macpos) {
4814 var g = new Uint16Array(10);
4815 var c, mask, f, i;
4816
4817 if (this.leftover) {
4818 i = this.leftover;
4819 this.buffer[i++] = 1;
4820 for (; i < 16; i++) this.buffer[i] = 0;
4821 this.fin = 1;
4822 this.blocks(this.buffer, 0, 16);
4823 }
4824
4825 c = this.h[1] >>> 13;
4826 this.h[1] &= 0x1fff;
4827 for (i = 2; i < 10; i++) {
4828 this.h[i] += c;
4829 c = this.h[i] >>> 13;
4830 this.h[i] &= 0x1fff;
4831 }
4832 this.h[0] += (c * 5);
4833 c = this.h[0] >>> 13;
4834 this.h[0] &= 0x1fff;
4835 this.h[1] += c;
4836 c = this.h[1] >>> 13;
4837 this.h[1] &= 0x1fff;
4838 this.h[2] += c;
4839
4840 g[0] = this.h[0] + 5;
4841 c = g[0] >>> 13;
4842 g[0] &= 0x1fff;
4843 for (i = 1; i < 10; i++) {
4844 g[i] = this.h[i] + c;
4845 c = g[i] >>> 13;
4846 g[i] &= 0x1fff;
4847 }
4848 g[9] -= (1 << 13);
4849
4850 mask = (c ^ 1) - 1;
4851 for (i = 0; i < 10; i++) g[i] &= mask;
4852 mask = ~mask;
4853 for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i];
4854
4855 this.h[0] = ((this.h[0] ) | (this.h[1] << 13) ) & 0xffff;
4856 this.h[1] = ((this.h[1] >>> 3) | (this.h[2] << 10) ) & 0xffff;
4857 this.h[2] = ((this.h[2] >>> 6) | (this.h[3] << 7) ) & 0xffff;
4858 this.h[3] = ((this.h[3] >>> 9) | (this.h[4] << 4) ) & 0xffff;
4859 this.h[4] = ((this.h[4] >>> 12) | (this.h[5] << 1) | (this.h[6] << 14)) & 0xffff;
4860 this.h[5] = ((this.h[6] >>> 2) | (this.h[7] << 11) ) & 0xffff;
4861 this.h[6] = ((this.h[7] >>> 5) | (this.h[8] << 8) ) & 0xffff;
4862 this.h[7] = ((this.h[8] >>> 8) | (this.h[9] << 5) ) & 0xffff;
4863
4864 f = this.h[0] + this.pad[0];
4865 this.h[0] = f & 0xffff;
4866 for (i = 1; i < 8; i++) {
4867 f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0;
4868 this.h[i] = f & 0xffff;
4869 }
4870
4871 mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff;
4872 mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff;
4873 mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff;
4874 mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff;
4875 mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff;
4876 mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff;
4877 mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff;
4878 mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff;
4879 mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff;
4880 mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff;
4881 mac[macpos+10] = (this.h[5] >>> 0) & 0xff;
4882 mac[macpos+11] = (this.h[5] >>> 8) & 0xff;
4883 mac[macpos+12] = (this.h[6] >>> 0) & 0xff;
4884 mac[macpos+13] = (this.h[6] >>> 8) & 0xff;
4885 mac[macpos+14] = (this.h[7] >>> 0) & 0xff;
4886 mac[macpos+15] = (this.h[7] >>> 8) & 0xff;
4887};
4888
4889poly1305.prototype.update = function(m, mpos, bytes) {
4890 var i, want;
4891
4892 if (this.leftover) {
4893 want = (16 - this.leftover);
4894 if (want > bytes)
4895 want = bytes;
4896 for (i = 0; i < want; i++)
4897 this.buffer[this.leftover + i] = m[mpos+i];
4898 bytes -= want;
4899 mpos += want;
4900 this.leftover += want;
4901 if (this.leftover < 16)
4902 return;
4903 this.blocks(this.buffer, 0, 16);
4904 this.leftover = 0;
4905 }
4906
4907 if (bytes >= 16) {
4908 want = bytes - (bytes % 16);
4909 this.blocks(m, mpos, want);
4910 mpos += want;
4911 bytes -= want;
4912 }
4913
4914 if (bytes) {
4915 for (i = 0; i < bytes; i++)
4916 this.buffer[this.leftover + i] = m[mpos+i];
4917 this.leftover += bytes;
4918 }
4919};
4920
4921function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
4922 var s = new poly1305(k);
4923 s.update(m, mpos, n);
4924 s.finish(out, outpos);
4925 return 0;
4926}
4927
4928function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
4929 var x = new Uint8Array(16);
4930 crypto_onetimeauth(x,0,m,mpos,n,k);
4931 return crypto_verify_16(h,hpos,x,0);
4932}
4933
4934function crypto_secretbox(c,m,d,n,k) {
4935 var i;
4936 if (d < 32) return -1;
4937 crypto_stream_xor(c,0,m,0,d,n,k);
4938 crypto_onetimeauth(c, 16, c, 32, d - 32, c);
4939 for (i = 0; i < 16; i++) c[i] = 0;
4940 return 0;
4941}
4942
4943function crypto_secretbox_open(m,c,d,n,k) {
4944 var i;
4945 var x = new Uint8Array(32);
4946 if (d < 32) return -1;
4947 crypto_stream(x,0,32,n,k);
4948 if (crypto_onetimeauth_verify(c, 16,c, 32,d - 32,x) !== 0) return -1;
4949 crypto_stream_xor(m,0,c,0,d,n,k);
4950 for (i = 0; i < 32; i++) m[i] = 0;
4951 return 0;
4952}
4953
4954function set25519(r, a) {
4955 var i;
4956 for (i = 0; i < 16; i++) r[i] = a[i]|0;
4957}
4958
4959function car25519(o) {
4960 var i, v, c = 1;
4961 for (i = 0; i < 16; i++) {
4962 v = o[i] + c + 65535;
4963 c = Math.floor(v / 65536);
4964 o[i] = v - c * 65536;
4965 }
4966 o[0] += c-1 + 37 * (c-1);
4967}
4968
4969function sel25519(p, q, b) {
4970 var t, c = ~(b-1);
4971 for (var i = 0; i < 16; i++) {
4972 t = c & (p[i] ^ q[i]);
4973 p[i] ^= t;
4974 q[i] ^= t;
4975 }
4976}
4977
4978function pack25519(o, n) {
4979 var i, j, b;
4980 var m = gf(), t = gf();
4981 for (i = 0; i < 16; i++) t[i] = n[i];
4982 car25519(t);
4983 car25519(t);
4984 car25519(t);
4985 for (j = 0; j < 2; j++) {
4986 m[0] = t[0] - 0xffed;
4987 for (i = 1; i < 15; i++) {
4988 m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
4989 m[i-1] &= 0xffff;
4990 }
4991 m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
4992 b = (m[15]>>16) & 1;
4993 m[14] &= 0xffff;
4994 sel25519(t, m, 1-b);
4995 }
4996 for (i = 0; i < 16; i++) {
4997 o[2*i] = t[i] & 0xff;
4998 o[2*i+1] = t[i]>>8;
4999 }
5000}
5001
5002function neq25519(a, b) {
5003 var c = new Uint8Array(32), d = new Uint8Array(32);
5004 pack25519(c, a);
5005 pack25519(d, b);
5006 return crypto_verify_32(c, 0, d, 0);
5007}
5008
5009function par25519(a) {
5010 var d = new Uint8Array(32);
5011 pack25519(d, a);
5012 return d[0] & 1;
5013}
5014
5015function unpack25519(o, n) {
5016 var i;
5017 for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
5018 o[15] &= 0x7fff;
5019}
5020
5021function A(o, a, b) {
5022 for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];
5023}
5024
5025function Z(o, a, b) {
5026 for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
5027}
5028
5029function M(o, a, b) {
5030 var v, c,
5031 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
5032 t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
5033 t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
5034 t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
5035 b0 = b[0],
5036 b1 = b[1],
5037 b2 = b[2],
5038 b3 = b[3],
5039 b4 = b[4],
5040 b5 = b[5],
5041 b6 = b[6],
5042 b7 = b[7],
5043 b8 = b[8],
5044 b9 = b[9],
5045 b10 = b[10],
5046 b11 = b[11],
5047 b12 = b[12],
5048 b13 = b[13],
5049 b14 = b[14],
5050 b15 = b[15];
5051
5052 v = a[0];
5053 t0 += v * b0;
5054 t1 += v * b1;
5055 t2 += v * b2;
5056 t3 += v * b3;
5057 t4 += v * b4;
5058 t5 += v * b5;
5059 t6 += v * b6;
5060 t7 += v * b7;
5061 t8 += v * b8;
5062 t9 += v * b9;
5063 t10 += v * b10;
5064 t11 += v * b11;
5065 t12 += v * b12;
5066 t13 += v * b13;
5067 t14 += v * b14;
5068 t15 += v * b15;
5069 v = a[1];
5070 t1 += v * b0;
5071 t2 += v * b1;
5072 t3 += v * b2;
5073 t4 += v * b3;
5074 t5 += v * b4;
5075 t6 += v * b5;
5076 t7 += v * b6;
5077 t8 += v * b7;
5078 t9 += v * b8;
5079 t10 += v * b9;
5080 t11 += v * b10;
5081 t12 += v * b11;
5082 t13 += v * b12;
5083 t14 += v * b13;
5084 t15 += v * b14;
5085 t16 += v * b15;
5086 v = a[2];
5087 t2 += v * b0;
5088 t3 += v * b1;
5089 t4 += v * b2;
5090 t5 += v * b3;
5091 t6 += v * b4;
5092 t7 += v * b5;
5093 t8 += v * b6;
5094 t9 += v * b7;
5095 t10 += v * b8;
5096 t11 += v * b9;
5097 t12 += v * b10;
5098 t13 += v * b11;
5099 t14 += v * b12;
5100 t15 += v * b13;
5101 t16 += v * b14;
5102 t17 += v * b15;
5103 v = a[3];
5104 t3 += v * b0;
5105 t4 += v * b1;
5106 t5 += v * b2;
5107 t6 += v * b3;
5108 t7 += v * b4;
5109 t8 += v * b5;
5110 t9 += v * b6;
5111 t10 += v * b7;
5112 t11 += v * b8;
5113 t12 += v * b9;
5114 t13 += v * b10;
5115 t14 += v * b11;
5116 t15 += v * b12;
5117 t16 += v * b13;
5118 t17 += v * b14;
5119 t18 += v * b15;
5120 v = a[4];
5121 t4 += v * b0;
5122 t5 += v * b1;
5123 t6 += v * b2;
5124 t7 += v * b3;
5125 t8 += v * b4;
5126 t9 += v * b5;
5127 t10 += v * b6;
5128 t11 += v * b7;
5129 t12 += v * b8;
5130 t13 += v * b9;
5131 t14 += v * b10;
5132 t15 += v * b11;
5133 t16 += v * b12;
5134 t17 += v * b13;
5135 t18 += v * b14;
5136 t19 += v * b15;
5137 v = a[5];
5138 t5 += v * b0;
5139 t6 += v * b1;
5140 t7 += v * b2;
5141 t8 += v * b3;
5142 t9 += v * b4;
5143 t10 += v * b5;
5144 t11 += v * b6;
5145 t12 += v * b7;
5146 t13 += v * b8;
5147 t14 += v * b9;
5148 t15 += v * b10;
5149 t16 += v * b11;
5150 t17 += v * b12;
5151 t18 += v * b13;
5152 t19 += v * b14;
5153 t20 += v * b15;
5154 v = a[6];
5155 t6 += v * b0;
5156 t7 += v * b1;
5157 t8 += v * b2;
5158 t9 += v * b3;
5159 t10 += v * b4;
5160 t11 += v * b5;
5161 t12 += v * b6;
5162 t13 += v * b7;
5163 t14 += v * b8;
5164 t15 += v * b9;
5165 t16 += v * b10;
5166 t17 += v * b11;
5167 t18 += v * b12;
5168 t19 += v * b13;
5169 t20 += v * b14;
5170 t21 += v * b15;
5171 v = a[7];
5172 t7 += v * b0;
5173 t8 += v * b1;
5174 t9 += v * b2;
5175 t10 += v * b3;
5176 t11 += v * b4;
5177 t12 += v * b5;
5178 t13 += v * b6;
5179 t14 += v * b7;
5180 t15 += v * b8;
5181 t16 += v * b9;
5182 t17 += v * b10;
5183 t18 += v * b11;
5184 t19 += v * b12;
5185 t20 += v * b13;
5186 t21 += v * b14;
5187 t22 += v * b15;
5188 v = a[8];
5189 t8 += v * b0;
5190 t9 += v * b1;
5191 t10 += v * b2;
5192 t11 += v * b3;
5193 t12 += v * b4;
5194 t13 += v * b5;
5195 t14 += v * b6;
5196 t15 += v * b7;
5197 t16 += v * b8;
5198 t17 += v * b9;
5199 t18 += v * b10;
5200 t19 += v * b11;
5201 t20 += v * b12;
5202 t21 += v * b13;
5203 t22 += v * b14;
5204 t23 += v * b15;
5205 v = a[9];
5206 t9 += v * b0;
5207 t10 += v * b1;
5208 t11 += v * b2;
5209 t12 += v * b3;
5210 t13 += v * b4;
5211 t14 += v * b5;
5212 t15 += v * b6;
5213 t16 += v * b7;
5214 t17 += v * b8;
5215 t18 += v * b9;
5216 t19 += v * b10;
5217 t20 += v * b11;
5218 t21 += v * b12;
5219 t22 += v * b13;
5220 t23 += v * b14;
5221 t24 += v * b15;
5222 v = a[10];
5223 t10 += v * b0;
5224 t11 += v * b1;
5225 t12 += v * b2;
5226 t13 += v * b3;
5227 t14 += v * b4;
5228 t15 += v * b5;
5229 t16 += v * b6;
5230 t17 += v * b7;
5231 t18 += v * b8;
5232 t19 += v * b9;
5233 t20 += v * b10;
5234 t21 += v * b11;
5235 t22 += v * b12;
5236 t23 += v * b13;
5237 t24 += v * b14;
5238 t25 += v * b15;
5239 v = a[11];
5240 t11 += v * b0;
5241 t12 += v * b1;
5242 t13 += v * b2;
5243 t14 += v * b3;
5244 t15 += v * b4;
5245 t16 += v * b5;
5246 t17 += v * b6;
5247 t18 += v * b7;
5248 t19 += v * b8;
5249 t20 += v * b9;
5250 t21 += v * b10;
5251 t22 += v * b11;
5252 t23 += v * b12;
5253 t24 += v * b13;
5254 t25 += v * b14;
5255 t26 += v * b15;
5256 v = a[12];
5257 t12 += v * b0;
5258 t13 += v * b1;
5259 t14 += v * b2;
5260 t15 += v * b3;
5261 t16 += v * b4;
5262 t17 += v * b5;
5263 t18 += v * b6;
5264 t19 += v * b7;
5265 t20 += v * b8;
5266 t21 += v * b9;
5267 t22 += v * b10;
5268 t23 += v * b11;
5269 t24 += v * b12;
5270 t25 += v * b13;
5271 t26 += v * b14;
5272 t27 += v * b15;
5273 v = a[13];
5274 t13 += v * b0;
5275 t14 += v * b1;
5276 t15 += v * b2;
5277 t16 += v * b3;
5278 t17 += v * b4;
5279 t18 += v * b5;
5280 t19 += v * b6;
5281 t20 += v * b7;
5282 t21 += v * b8;
5283 t22 += v * b9;
5284 t23 += v * b10;
5285 t24 += v * b11;
5286 t25 += v * b12;
5287 t26 += v * b13;
5288 t27 += v * b14;
5289 t28 += v * b15;
5290 v = a[14];
5291 t14 += v * b0;
5292 t15 += v * b1;
5293 t16 += v * b2;
5294 t17 += v * b3;
5295 t18 += v * b4;
5296 t19 += v * b5;
5297 t20 += v * b6;
5298 t21 += v * b7;
5299 t22 += v * b8;
5300 t23 += v * b9;
5301 t24 += v * b10;
5302 t25 += v * b11;
5303 t26 += v * b12;
5304 t27 += v * b13;
5305 t28 += v * b14;
5306 t29 += v * b15;
5307 v = a[15];
5308 t15 += v * b0;
5309 t16 += v * b1;
5310 t17 += v * b2;
5311 t18 += v * b3;
5312 t19 += v * b4;
5313 t20 += v * b5;
5314 t21 += v * b6;
5315 t22 += v * b7;
5316 t23 += v * b8;
5317 t24 += v * b9;
5318 t25 += v * b10;
5319 t26 += v * b11;
5320 t27 += v * b12;
5321 t28 += v * b13;
5322 t29 += v * b14;
5323 t30 += v * b15;
5324
5325 t0 += 38 * t16;
5326 t1 += 38 * t17;
5327 t2 += 38 * t18;
5328 t3 += 38 * t19;
5329 t4 += 38 * t20;
5330 t5 += 38 * t21;
5331 t6 += 38 * t22;
5332 t7 += 38 * t23;
5333 t8 += 38 * t24;
5334 t9 += 38 * t25;
5335 t10 += 38 * t26;
5336 t11 += 38 * t27;
5337 t12 += 38 * t28;
5338 t13 += 38 * t29;
5339 t14 += 38 * t30;
5340 // t15 left as is
5341
5342 // first car
5343 c = 1;
5344 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
5345 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
5346 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
5347 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
5348 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
5349 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
5350 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
5351 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
5352 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
5353 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
5354 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
5355 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
5356 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
5357 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
5358 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
5359 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
5360 t0 += c-1 + 37 * (c-1);
5361
5362 // second car
5363 c = 1;
5364 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
5365 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
5366 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
5367 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
5368 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
5369 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
5370 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
5371 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
5372 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
5373 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
5374 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
5375 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
5376 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
5377 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
5378 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
5379 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
5380 t0 += c-1 + 37 * (c-1);
5381
5382 o[ 0] = t0;
5383 o[ 1] = t1;
5384 o[ 2] = t2;
5385 o[ 3] = t3;
5386 o[ 4] = t4;
5387 o[ 5] = t5;
5388 o[ 6] = t6;
5389 o[ 7] = t7;
5390 o[ 8] = t8;
5391 o[ 9] = t9;
5392 o[10] = t10;
5393 o[11] = t11;
5394 o[12] = t12;
5395 o[13] = t13;
5396 o[14] = t14;
5397 o[15] = t15;
5398}
5399
5400function S(o, a) {
5401 M(o, a, a);
5402}
5403
5404function inv25519(o, i) {
5405 var c = gf();
5406 var a;
5407 for (a = 0; a < 16; a++) c[a] = i[a];
5408 for (a = 253; a >= 0; a--) {
5409 S(c, c);
5410 if(a !== 2 && a !== 4) M(c, c, i);
5411 }
5412 for (a = 0; a < 16; a++) o[a] = c[a];
5413}
5414
5415function pow2523(o, i) {
5416 var c = gf();
5417 var a;
5418 for (a = 0; a < 16; a++) c[a] = i[a];
5419 for (a = 250; a >= 0; a--) {
5420 S(c, c);
5421 if(a !== 1) M(c, c, i);
5422 }
5423 for (a = 0; a < 16; a++) o[a] = c[a];
5424}
5425
5426function crypto_scalarmult(q, n, p) {
5427 var z = new Uint8Array(32);
5428 var x = new Float64Array(80), r, i;
5429 var a = gf(), b = gf(), c = gf(),
5430 d = gf(), e = gf(), f = gf();
5431 for (i = 0; i < 31; i++) z[i] = n[i];
5432 z[31]=(n[31]&127)|64;
5433 z[0]&=248;
5434 unpack25519(x,p);
5435 for (i = 0; i < 16; i++) {
5436 b[i]=x[i];
5437 d[i]=a[i]=c[i]=0;
5438 }
5439 a[0]=d[0]=1;
5440 for (i=254; i>=0; --i) {
5441 r=(z[i>>>3]>>>(i&7))&1;
5442 sel25519(a,b,r);
5443 sel25519(c,d,r);
5444 A(e,a,c);
5445 Z(a,a,c);
5446 A(c,b,d);
5447 Z(b,b,d);
5448 S(d,e);
5449 S(f,a);
5450 M(a,c,a);
5451 M(c,b,e);
5452 A(e,a,c);
5453 Z(a,a,c);
5454 S(b,a);
5455 Z(c,d,f);
5456 M(a,c,_121665);
5457 A(a,a,d);
5458 M(c,c,a);
5459 M(a,d,f);
5460 M(d,b,x);
5461 S(b,e);
5462 sel25519(a,b,r);
5463 sel25519(c,d,r);
5464 }
5465 for (i = 0; i < 16; i++) {
5466 x[i+16]=a[i];
5467 x[i+32]=c[i];
5468 x[i+48]=b[i];
5469 x[i+64]=d[i];
5470 }
5471 var x32 = x.subarray(32);
5472 var x16 = x.subarray(16);
5473 inv25519(x32,x32);
5474 M(x16,x16,x32);
5475 pack25519(q,x16);
5476 return 0;
5477}
5478
5479function crypto_scalarmult_base(q, n) {
5480 return crypto_scalarmult(q, n, _9);
5481}
5482
5483function crypto_box_keypair(y, x) {
5484 randombytes(x, 32);
5485 return crypto_scalarmult_base(y, x);
5486}
5487
5488function crypto_box_beforenm(k, y, x) {
5489 var s = new Uint8Array(32);
5490 crypto_scalarmult(s, x, y);
5491 return crypto_core_hsalsa20(k, _0, s, sigma);
5492}
5493
5494var crypto_box_afternm = crypto_secretbox;
5495var crypto_box_open_afternm = crypto_secretbox_open;
5496
5497function crypto_box(c, m, d, n, y, x) {
5498 var k = new Uint8Array(32);
5499 crypto_box_beforenm(k, y, x);
5500 return crypto_box_afternm(c, m, d, n, k);
5501}
5502
5503function crypto_box_open(m, c, d, n, y, x) {
5504 var k = new Uint8Array(32);
5505 crypto_box_beforenm(k, y, x);
5506 return crypto_box_open_afternm(m, c, d, n, k);
5507}
5508
5509var K = [
5510 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
5511 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
5512 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
5513 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
5514 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
5515 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
5516 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
5517 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
5518 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
5519 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
5520 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
5521 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
5522 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
5523 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
5524 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
5525 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
5526 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
5527 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
5528 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
5529 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
5530 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
5531 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
5532 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
5533 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
5534 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
5535 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
5536 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
5537 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
5538 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
5539 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
5540 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
5541 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
5542 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
5543 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
5544 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
5545 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
5546 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
5547 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
5548 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
5549 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
5550];
5551
5552function crypto_hashblocks_hl(hh, hl, m, n) {
5553 var wh = new Int32Array(16), wl = new Int32Array(16),
5554 bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
5555 bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
5556 th, tl, i, j, h, l, a, b, c, d;
5557
5558 var ah0 = hh[0],
5559 ah1 = hh[1],
5560 ah2 = hh[2],
5561 ah3 = hh[3],
5562 ah4 = hh[4],
5563 ah5 = hh[5],
5564 ah6 = hh[6],
5565 ah7 = hh[7],
5566
5567 al0 = hl[0],
5568 al1 = hl[1],
5569 al2 = hl[2],
5570 al3 = hl[3],
5571 al4 = hl[4],
5572 al5 = hl[5],
5573 al6 = hl[6],
5574 al7 = hl[7];
5575
5576 var pos = 0;
5577 while (n >= 128) {
5578 for (i = 0; i < 16; i++) {
5579 j = 8 * i + pos;
5580 wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
5581 wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
5582 }
5583 for (i = 0; i < 80; i++) {
5584 bh0 = ah0;
5585 bh1 = ah1;
5586 bh2 = ah2;
5587 bh3 = ah3;
5588 bh4 = ah4;
5589 bh5 = ah5;
5590 bh6 = ah6;
5591 bh7 = ah7;
5592
5593 bl0 = al0;
5594 bl1 = al1;
5595 bl2 = al2;
5596 bl3 = al3;
5597 bl4 = al4;
5598 bl5 = al5;
5599 bl6 = al6;
5600 bl7 = al7;
5601
5602 // add
5603 h = ah7;
5604 l = al7;
5605
5606 a = l & 0xffff; b = l >>> 16;
5607 c = h & 0xffff; d = h >>> 16;
5608
5609 // Sigma1
5610 h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
5611 l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));
5612
5613 a += l & 0xffff; b += l >>> 16;
5614 c += h & 0xffff; d += h >>> 16;
5615
5616 // Ch
5617 h = (ah4 & ah5) ^ (~ah4 & ah6);
5618 l = (al4 & al5) ^ (~al4 & al6);
5619
5620 a += l & 0xffff; b += l >>> 16;
5621 c += h & 0xffff; d += h >>> 16;
5622
5623 // K
5624 h = K[i*2];
5625 l = K[i*2+1];
5626
5627 a += l & 0xffff; b += l >>> 16;
5628 c += h & 0xffff; d += h >>> 16;
5629
5630 // w
5631 h = wh[i%16];
5632 l = wl[i%16];
5633
5634 a += l & 0xffff; b += l >>> 16;
5635 c += h & 0xffff; d += h >>> 16;
5636
5637 b += a >>> 16;
5638 c += b >>> 16;
5639 d += c >>> 16;
5640
5641 th = c & 0xffff | d << 16;
5642 tl = a & 0xffff | b << 16;
5643
5644 // add
5645 h = th;
5646 l = tl;
5647
5648 a = l & 0xffff; b = l >>> 16;
5649 c = h & 0xffff; d = h >>> 16;
5650
5651 // Sigma0
5652 h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
5653 l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));
5654
5655 a += l & 0xffff; b += l >>> 16;
5656 c += h & 0xffff; d += h >>> 16;
5657
5658 // Maj
5659 h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
5660 l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);
5661
5662 a += l & 0xffff; b += l >>> 16;
5663 c += h & 0xffff; d += h >>> 16;
5664
5665 b += a >>> 16;
5666 c += b >>> 16;
5667 d += c >>> 16;
5668
5669 bh7 = (c & 0xffff) | (d << 16);
5670 bl7 = (a & 0xffff) | (b << 16);
5671
5672 // add
5673 h = bh3;
5674 l = bl3;
5675
5676 a = l & 0xffff; b = l >>> 16;
5677 c = h & 0xffff; d = h >>> 16;
5678
5679 h = th;
5680 l = tl;
5681
5682 a += l & 0xffff; b += l >>> 16;
5683 c += h & 0xffff; d += h >>> 16;
5684
5685 b += a >>> 16;
5686 c += b >>> 16;
5687 d += c >>> 16;
5688
5689 bh3 = (c & 0xffff) | (d << 16);
5690 bl3 = (a & 0xffff) | (b << 16);
5691
5692 ah1 = bh0;
5693 ah2 = bh1;
5694 ah3 = bh2;
5695 ah4 = bh3;
5696 ah5 = bh4;
5697 ah6 = bh5;
5698 ah7 = bh6;
5699 ah0 = bh7;
5700
5701 al1 = bl0;
5702 al2 = bl1;
5703 al3 = bl2;
5704 al4 = bl3;
5705 al5 = bl4;
5706 al6 = bl5;
5707 al7 = bl6;
5708 al0 = bl7;
5709
5710 if (i%16 === 15) {
5711 for (j = 0; j < 16; j++) {
5712 // add
5713 h = wh[j];
5714 l = wl[j];
5715
5716 a = l & 0xffff; b = l >>> 16;
5717 c = h & 0xffff; d = h >>> 16;
5718
5719 h = wh[(j+9)%16];
5720 l = wl[(j+9)%16];
5721
5722 a += l & 0xffff; b += l >>> 16;
5723 c += h & 0xffff; d += h >>> 16;
5724
5725 // sigma0
5726 th = wh[(j+1)%16];
5727 tl = wl[(j+1)%16];
5728 h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
5729 l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));
5730
5731 a += l & 0xffff; b += l >>> 16;
5732 c += h & 0xffff; d += h >>> 16;
5733
5734 // sigma1
5735 th = wh[(j+14)%16];
5736 tl = wl[(j+14)%16];
5737 h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
5738 l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));
5739
5740 a += l & 0xffff; b += l >>> 16;
5741 c += h & 0xffff; d += h >>> 16;
5742
5743 b += a >>> 16;
5744 c += b >>> 16;
5745 d += c >>> 16;
5746
5747 wh[j] = (c & 0xffff) | (d << 16);
5748 wl[j] = (a & 0xffff) | (b << 16);
5749 }
5750 }
5751 }
5752
5753 // add
5754 h = ah0;
5755 l = al0;
5756
5757 a = l & 0xffff; b = l >>> 16;
5758 c = h & 0xffff; d = h >>> 16;
5759
5760 h = hh[0];
5761 l = hl[0];
5762
5763 a += l & 0xffff; b += l >>> 16;
5764 c += h & 0xffff; d += h >>> 16;
5765
5766 b += a >>> 16;
5767 c += b >>> 16;
5768 d += c >>> 16;
5769
5770 hh[0] = ah0 = (c & 0xffff) | (d << 16);
5771 hl[0] = al0 = (a & 0xffff) | (b << 16);
5772
5773 h = ah1;
5774 l = al1;
5775
5776 a = l & 0xffff; b = l >>> 16;
5777 c = h & 0xffff; d = h >>> 16;
5778
5779 h = hh[1];
5780 l = hl[1];
5781
5782 a += l & 0xffff; b += l >>> 16;
5783 c += h & 0xffff; d += h >>> 16;
5784
5785 b += a >>> 16;
5786 c += b >>> 16;
5787 d += c >>> 16;
5788
5789 hh[1] = ah1 = (c & 0xffff) | (d << 16);
5790 hl[1] = al1 = (a & 0xffff) | (b << 16);
5791
5792 h = ah2;
5793 l = al2;
5794
5795 a = l & 0xffff; b = l >>> 16;
5796 c = h & 0xffff; d = h >>> 16;
5797
5798 h = hh[2];
5799 l = hl[2];
5800
5801 a += l & 0xffff; b += l >>> 16;
5802 c += h & 0xffff; d += h >>> 16;
5803
5804 b += a >>> 16;
5805 c += b >>> 16;
5806 d += c >>> 16;
5807
5808 hh[2] = ah2 = (c & 0xffff) | (d << 16);
5809 hl[2] = al2 = (a & 0xffff) | (b << 16);
5810
5811 h = ah3;
5812 l = al3;
5813
5814 a = l & 0xffff; b = l >>> 16;
5815 c = h & 0xffff; d = h >>> 16;
5816
5817 h = hh[3];
5818 l = hl[3];
5819
5820 a += l & 0xffff; b += l >>> 16;
5821 c += h & 0xffff; d += h >>> 16;
5822
5823 b += a >>> 16;
5824 c += b >>> 16;
5825 d += c >>> 16;
5826
5827 hh[3] = ah3 = (c & 0xffff) | (d << 16);
5828 hl[3] = al3 = (a & 0xffff) | (b << 16);
5829
5830 h = ah4;
5831 l = al4;
5832
5833 a = l & 0xffff; b = l >>> 16;
5834 c = h & 0xffff; d = h >>> 16;
5835
5836 h = hh[4];
5837 l = hl[4];
5838
5839 a += l & 0xffff; b += l >>> 16;
5840 c += h & 0xffff; d += h >>> 16;
5841
5842 b += a >>> 16;
5843 c += b >>> 16;
5844 d += c >>> 16;
5845
5846 hh[4] = ah4 = (c & 0xffff) | (d << 16);
5847 hl[4] = al4 = (a & 0xffff) | (b << 16);
5848
5849 h = ah5;
5850 l = al5;
5851
5852 a = l & 0xffff; b = l >>> 16;
5853 c = h & 0xffff; d = h >>> 16;
5854
5855 h = hh[5];
5856 l = hl[5];
5857
5858 a += l & 0xffff; b += l >>> 16;
5859 c += h & 0xffff; d += h >>> 16;
5860
5861 b += a >>> 16;
5862 c += b >>> 16;
5863 d += c >>> 16;
5864
5865 hh[5] = ah5 = (c & 0xffff) | (d << 16);
5866 hl[5] = al5 = (a & 0xffff) | (b << 16);
5867
5868 h = ah6;
5869 l = al6;
5870
5871 a = l & 0xffff; b = l >>> 16;
5872 c = h & 0xffff; d = h >>> 16;
5873
5874 h = hh[6];
5875 l = hl[6];
5876
5877 a += l & 0xffff; b += l >>> 16;
5878 c += h & 0xffff; d += h >>> 16;
5879
5880 b += a >>> 16;
5881 c += b >>> 16;
5882 d += c >>> 16;
5883
5884 hh[6] = ah6 = (c & 0xffff) | (d << 16);
5885 hl[6] = al6 = (a & 0xffff) | (b << 16);
5886
5887 h = ah7;
5888 l = al7;
5889
5890 a = l & 0xffff; b = l >>> 16;
5891 c = h & 0xffff; d = h >>> 16;
5892
5893 h = hh[7];
5894 l = hl[7];
5895
5896 a += l & 0xffff; b += l >>> 16;
5897 c += h & 0xffff; d += h >>> 16;
5898
5899 b += a >>> 16;
5900 c += b >>> 16;
5901 d += c >>> 16;
5902
5903 hh[7] = ah7 = (c & 0xffff) | (d << 16);
5904 hl[7] = al7 = (a & 0xffff) | (b << 16);
5905
5906 pos += 128;
5907 n -= 128;
5908 }
5909
5910 return n;
5911}
5912
5913function crypto_hash(out, m, n) {
5914 var hh = new Int32Array(8),
5915 hl = new Int32Array(8),
5916 x = new Uint8Array(256),
5917 i, b = n;
5918
5919 hh[0] = 0x6a09e667;
5920 hh[1] = 0xbb67ae85;
5921 hh[2] = 0x3c6ef372;
5922 hh[3] = 0xa54ff53a;
5923 hh[4] = 0x510e527f;
5924 hh[5] = 0x9b05688c;
5925 hh[6] = 0x1f83d9ab;
5926 hh[7] = 0x5be0cd19;
5927
5928 hl[0] = 0xf3bcc908;
5929 hl[1] = 0x84caa73b;
5930 hl[2] = 0xfe94f82b;
5931 hl[3] = 0x5f1d36f1;
5932 hl[4] = 0xade682d1;
5933 hl[5] = 0x2b3e6c1f;
5934 hl[6] = 0xfb41bd6b;
5935 hl[7] = 0x137e2179;
5936
5937 crypto_hashblocks_hl(hh, hl, m, n);
5938 n %= 128;
5939
5940 for (i = 0; i < n; i++) x[i] = m[b-n+i];
5941 x[n] = 128;
5942
5943 n = 256-128*(n<112?1:0);
5944 x[n-9] = 0;
5945 ts64(x, n-8, (b / 0x20000000) | 0, b << 3);
5946 crypto_hashblocks_hl(hh, hl, x, n);
5947
5948 for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]);
5949
5950 return 0;
5951}
5952
5953function add(p, q) {
5954 var a = gf(), b = gf(), c = gf(),
5955 d = gf(), e = gf(), f = gf(),
5956 g = gf(), h = gf(), t = gf();
5957
5958 Z(a, p[1], p[0]);
5959 Z(t, q[1], q[0]);
5960 M(a, a, t);
5961 A(b, p[0], p[1]);
5962 A(t, q[0], q[1]);
5963 M(b, b, t);
5964 M(c, p[3], q[3]);
5965 M(c, c, D2);
5966 M(d, p[2], q[2]);
5967 A(d, d, d);
5968 Z(e, b, a);
5969 Z(f, d, c);
5970 A(g, d, c);
5971 A(h, b, a);
5972
5973 M(p[0], e, f);
5974 M(p[1], h, g);
5975 M(p[2], g, f);
5976 M(p[3], e, h);
5977}
5978
5979function cswap(p, q, b) {
5980 var i;
5981 for (i = 0; i < 4; i++) {
5982 sel25519(p[i], q[i], b);
5983 }
5984}
5985
5986function pack(r, p) {
5987 var tx = gf(), ty = gf(), zi = gf();
5988 inv25519(zi, p[2]);
5989 M(tx, p[0], zi);
5990 M(ty, p[1], zi);
5991 pack25519(r, ty);
5992 r[31] ^= par25519(tx) << 7;
5993}
5994
5995function scalarmult(p, q, s) {
5996 var b, i;
5997 set25519(p[0], gf0);
5998 set25519(p[1], gf1);
5999 set25519(p[2], gf1);
6000 set25519(p[3], gf0);
6001 for (i = 255; i >= 0; --i) {
6002 b = (s[(i/8)|0] >> (i&7)) & 1;
6003 cswap(p, q, b);
6004 add(q, p);
6005 add(p, p);
6006 cswap(p, q, b);
6007 }
6008}
6009
6010function scalarbase(p, s) {
6011 var q = [gf(), gf(), gf(), gf()];
6012 set25519(q[0], X);
6013 set25519(q[1], Y);
6014 set25519(q[2], gf1);
6015 M(q[3], X, Y);
6016 scalarmult(p, q, s);
6017}
6018
6019function crypto_sign_keypair(pk, sk, seeded) {
6020 var d = new Uint8Array(64);
6021 var p = [gf(), gf(), gf(), gf()];
6022 var i;
6023
6024 if (!seeded) randombytes(sk, 32);
6025 crypto_hash(d, sk, 32);
6026 d[0] &= 248;
6027 d[31] &= 127;
6028 d[31] |= 64;
6029
6030 scalarbase(p, d);
6031 pack(pk, p);
6032
6033 for (i = 0; i < 32; i++) sk[i+32] = pk[i];
6034 return 0;
6035}
6036
6037var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
6038
6039function modL(r, x) {
6040 var carry, i, j, k;
6041 for (i = 63; i >= 32; --i) {
6042 carry = 0;
6043 for (j = i - 32, k = i - 12; j < k; ++j) {
6044 x[j] += carry - 16 * x[i] * L[j - (i - 32)];
6045 carry = (x[j] + 128) >> 8;
6046 x[j] -= carry * 256;
6047 }
6048 x[j] += carry;
6049 x[i] = 0;
6050 }
6051 carry = 0;
6052 for (j = 0; j < 32; j++) {
6053 x[j] += carry - (x[31] >> 4) * L[j];
6054 carry = x[j] >> 8;
6055 x[j] &= 255;
6056 }
6057 for (j = 0; j < 32; j++) x[j] -= carry * L[j];
6058 for (i = 0; i < 32; i++) {
6059 x[i+1] += x[i] >> 8;
6060 r[i] = x[i] & 255;
6061 }
6062}
6063
6064function reduce(r) {
6065 var x = new Float64Array(64), i;
6066 for (i = 0; i < 64; i++) x[i] = r[i];
6067 for (i = 0; i < 64; i++) r[i] = 0;
6068 modL(r, x);
6069}
6070
6071// Note: difference from C - smlen returned, not passed as argument.
6072function crypto_sign(sm, m, n, sk) {
6073 var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
6074 var i, j, x = new Float64Array(64);
6075 var p = [gf(), gf(), gf(), gf()];
6076
6077 crypto_hash(d, sk, 32);
6078 d[0] &= 248;
6079 d[31] &= 127;
6080 d[31] |= 64;
6081
6082 var smlen = n + 64;
6083 for (i = 0; i < n; i++) sm[64 + i] = m[i];
6084 for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
6085
6086 crypto_hash(r, sm.subarray(32), n+32);
6087 reduce(r);
6088 scalarbase(p, r);
6089 pack(sm, p);
6090
6091 for (i = 32; i < 64; i++) sm[i] = sk[i];
6092 crypto_hash(h, sm, n + 64);
6093 reduce(h);
6094
6095 for (i = 0; i < 64; i++) x[i] = 0;
6096 for (i = 0; i < 32; i++) x[i] = r[i];
6097 for (i = 0; i < 32; i++) {
6098 for (j = 0; j < 32; j++) {
6099 x[i+j] += h[i] * d[j];
6100 }
6101 }
6102
6103 modL(sm.subarray(32), x);
6104 return smlen;
6105}
6106
6107function unpackneg(r, p) {
6108 var t = gf(), chk = gf(), num = gf(),
6109 den = gf(), den2 = gf(), den4 = gf(),
6110 den6 = gf();
6111
6112 set25519(r[2], gf1);
6113 unpack25519(r[1], p);
6114 S(num, r[1]);
6115 M(den, num, D);
6116 Z(num, num, r[2]);
6117 A(den, r[2], den);
6118
6119 S(den2, den);
6120 S(den4, den2);
6121 M(den6, den4, den2);
6122 M(t, den6, num);
6123 M(t, t, den);
6124
6125 pow2523(t, t);
6126 M(t, t, num);
6127 M(t, t, den);
6128 M(t, t, den);
6129 M(r[0], t, den);
6130
6131 S(chk, r[0]);
6132 M(chk, chk, den);
6133 if (neq25519(chk, num)) M(r[0], r[0], I);
6134
6135 S(chk, r[0]);
6136 M(chk, chk, den);
6137 if (neq25519(chk, num)) return -1;
6138
6139 if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
6140
6141 M(r[3], r[0], r[1]);
6142 return 0;
6143}
6144
6145function crypto_sign_open(m, sm, n, pk) {
6146 var i, mlen;
6147 var t = new Uint8Array(32), h = new Uint8Array(64);
6148 var p = [gf(), gf(), gf(), gf()],
6149 q = [gf(), gf(), gf(), gf()];
6150
6151 mlen = -1;
6152 if (n < 64) return -1;
6153
6154 if (unpackneg(q, pk)) return -1;
6155
6156 for (i = 0; i < n; i++) m[i] = sm[i];
6157 for (i = 0; i < 32; i++) m[i+32] = pk[i];
6158 crypto_hash(h, m, n);
6159 reduce(h);
6160 scalarmult(p, q, h);
6161
6162 scalarbase(q, sm.subarray(32));
6163 add(p, q);
6164 pack(t, p);
6165
6166 n -= 64;
6167 if (crypto_verify_32(sm, 0, t, 0)) {
6168 for (i = 0; i < n; i++) m[i] = 0;
6169 return -1;
6170 }
6171
6172 for (i = 0; i < n; i++) m[i] = sm[i + 64];
6173 mlen = n;
6174 return mlen;
6175}
6176
6177var crypto_secretbox_KEYBYTES = 32,
6178 crypto_secretbox_NONCEBYTES = 24,
6179 crypto_secretbox_ZEROBYTES = 32,
6180 crypto_secretbox_BOXZEROBYTES = 16,
6181 crypto_scalarmult_BYTES = 32,
6182 crypto_scalarmult_SCALARBYTES = 32,
6183 crypto_box_PUBLICKEYBYTES = 32,
6184 crypto_box_SECRETKEYBYTES = 32,
6185 crypto_box_BEFORENMBYTES = 32,
6186 crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES,
6187 crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES,
6188 crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES,
6189 crypto_sign_BYTES = 64,
6190 crypto_sign_PUBLICKEYBYTES = 32,
6191 crypto_sign_SECRETKEYBYTES = 64,
6192 crypto_sign_SEEDBYTES = 32,
6193 crypto_hash_BYTES = 64;
6194
6195nacl.lowlevel = {
6196 crypto_core_hsalsa20: crypto_core_hsalsa20,
6197 crypto_stream_xor: crypto_stream_xor,
6198 crypto_stream: crypto_stream,
6199 crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
6200 crypto_stream_salsa20: crypto_stream_salsa20,
6201 crypto_onetimeauth: crypto_onetimeauth,
6202 crypto_onetimeauth_verify: crypto_onetimeauth_verify,
6203 crypto_verify_16: crypto_verify_16,
6204 crypto_verify_32: crypto_verify_32,
6205 crypto_secretbox: crypto_secretbox,
6206 crypto_secretbox_open: crypto_secretbox_open,
6207 crypto_scalarmult: crypto_scalarmult,
6208 crypto_scalarmult_base: crypto_scalarmult_base,
6209 crypto_box_beforenm: crypto_box_beforenm,
6210 crypto_box_afternm: crypto_box_afternm,
6211 crypto_box: crypto_box,
6212 crypto_box_open: crypto_box_open,
6213 crypto_box_keypair: crypto_box_keypair,
6214 crypto_hash: crypto_hash,
6215 crypto_sign: crypto_sign,
6216 crypto_sign_keypair: crypto_sign_keypair,
6217 crypto_sign_open: crypto_sign_open,
6218
6219 crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
6220 crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
6221 crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
6222 crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
6223 crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
6224 crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
6225 crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
6226 crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
6227 crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
6228 crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
6229 crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
6230 crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
6231 crypto_sign_BYTES: crypto_sign_BYTES,
6232 crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
6233 crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
6234 crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
6235 crypto_hash_BYTES: crypto_hash_BYTES
6236};
6237
6238/* High-level API */
6239
6240function checkLengths(k, n) {
6241 if (k.length !== crypto_secretbox_KEYBYTES) throw new Error('bad key size');
6242 if (n.length !== crypto_secretbox_NONCEBYTES) throw new Error('bad nonce size');
6243}
6244
6245function checkBoxLengths(pk, sk) {
6246 if (pk.length !== crypto_box_PUBLICKEYBYTES) throw new Error('bad public key size');
6247 if (sk.length !== crypto_box_SECRETKEYBYTES) throw new Error('bad secret key size');
6248}
6249
6250function checkArrayTypes() {
6251 var t, i;
6252 for (i = 0; i < arguments.length; i++) {
6253 if ((t = Object.prototype.toString.call(arguments[i])) !== '[object Uint8Array]')
6254 throw new TypeError('unexpected type ' + t + ', use Uint8Array');
6255 }
6256}
6257
6258function cleanup(arr) {
6259 for (var i = 0; i < arr.length; i++) arr[i] = 0;
6260}
6261
6262// TODO: Completely remove this in v0.15.
6263if (!nacl.util) {
6264 nacl.util = {};
6265 nacl.util.decodeUTF8 = nacl.util.encodeUTF8 = nacl.util.encodeBase64 = nacl.util.decodeBase64 = function() {
6266 throw new Error('nacl.util moved into separate package: https://github.com/dchest/tweetnacl-util-js');
6267 };
6268}
6269
6270nacl.randomBytes = function(n) {
6271 var b = new Uint8Array(n);
6272 randombytes(b, n);
6273 return b;
6274};
6275
6276nacl.secretbox = function(msg, nonce, key) {
6277 checkArrayTypes(msg, nonce, key);
6278 checkLengths(key, nonce);
6279 var m = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
6280 var c = new Uint8Array(m.length);
6281 for (var i = 0; i < msg.length; i++) m[i+crypto_secretbox_ZEROBYTES] = msg[i];
6282 crypto_secretbox(c, m, m.length, nonce, key);
6283 return c.subarray(crypto_secretbox_BOXZEROBYTES);
6284};
6285
6286nacl.secretbox.open = function(box, nonce, key) {
6287 checkArrayTypes(box, nonce, key);
6288 checkLengths(key, nonce);
6289 var c = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
6290 var m = new Uint8Array(c.length);
6291 for (var i = 0; i < box.length; i++) c[i+crypto_secretbox_BOXZEROBYTES] = box[i];
6292 if (c.length < 32) return false;
6293 if (crypto_secretbox_open(m, c, c.length, nonce, key) !== 0) return false;
6294 return m.subarray(crypto_secretbox_ZEROBYTES);
6295};
6296
6297nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
6298nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
6299nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
6300
6301nacl.scalarMult = function(n, p) {
6302 checkArrayTypes(n, p);
6303 if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
6304 if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');
6305 var q = new Uint8Array(crypto_scalarmult_BYTES);
6306 crypto_scalarmult(q, n, p);
6307 return q;
6308};
6309
6310nacl.scalarMult.base = function(n) {
6311 checkArrayTypes(n);
6312 if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
6313 var q = new Uint8Array(crypto_scalarmult_BYTES);
6314 crypto_scalarmult_base(q, n);
6315 return q;
6316};
6317
6318nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
6319nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
6320
6321nacl.box = function(msg, nonce, publicKey, secretKey) {
6322 var k = nacl.box.before(publicKey, secretKey);
6323 return nacl.secretbox(msg, nonce, k);
6324};
6325
6326nacl.box.before = function(publicKey, secretKey) {
6327 checkArrayTypes(publicKey, secretKey);
6328 checkBoxLengths(publicKey, secretKey);
6329 var k = new Uint8Array(crypto_box_BEFORENMBYTES);
6330 crypto_box_beforenm(k, publicKey, secretKey);
6331 return k;
6332};
6333
6334nacl.box.after = nacl.secretbox;
6335
6336nacl.box.open = function(msg, nonce, publicKey, secretKey) {
6337 var k = nacl.box.before(publicKey, secretKey);
6338 return nacl.secretbox.open(msg, nonce, k);
6339};
6340
6341nacl.box.open.after = nacl.secretbox.open;
6342
6343nacl.box.keyPair = function() {
6344 var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
6345 var sk = new Uint8Array(crypto_box_SECRETKEYBYTES);
6346 crypto_box_keypair(pk, sk);
6347 return {publicKey: pk, secretKey: sk};
6348};
6349
6350nacl.box.keyPair.fromSecretKey = function(secretKey) {
6351 checkArrayTypes(secretKey);
6352 if (secretKey.length !== crypto_box_SECRETKEYBYTES)
6353 throw new Error('bad secret key size');
6354 var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
6355 crypto_scalarmult_base(pk, secretKey);
6356 return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
6357};
6358
6359nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
6360nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
6361nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
6362nacl.box.nonceLength = crypto_box_NONCEBYTES;
6363nacl.box.overheadLength = nacl.secretbox.overheadLength;
6364
6365nacl.sign = function(msg, secretKey) {
6366 checkArrayTypes(msg, secretKey);
6367 if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
6368 throw new Error('bad secret key size');
6369 var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);
6370 crypto_sign(signedMsg, msg, msg.length, secretKey);
6371 return signedMsg;
6372};
6373
6374nacl.sign.open = function(signedMsg, publicKey) {
6375 if (arguments.length !== 2)
6376 throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
6377 checkArrayTypes(signedMsg, publicKey);
6378 if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
6379 throw new Error('bad public key size');
6380 var tmp = new Uint8Array(signedMsg.length);
6381 var mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey);
6382 if (mlen < 0) return null;
6383 var m = new Uint8Array(mlen);
6384 for (var i = 0; i < m.length; i++) m[i] = tmp[i];
6385 return m;
6386};
6387
6388nacl.sign.detached = function(msg, secretKey) {
6389 var signedMsg = nacl.sign(msg, secretKey);
6390 var sig = new Uint8Array(crypto_sign_BYTES);
6391 for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];
6392 return sig;
6393};
6394
6395nacl.sign.detached.verify = function(msg, sig, publicKey) {
6396 checkArrayTypes(msg, sig, publicKey);
6397 if (sig.length !== crypto_sign_BYTES)
6398 throw new Error('bad signature size');
6399 if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
6400 throw new Error('bad public key size');
6401 var sm = new Uint8Array(crypto_sign_BYTES + msg.length);
6402 var m = new Uint8Array(crypto_sign_BYTES + msg.length);
6403 var i;
6404 for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i];
6405 for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i];
6406 return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0);
6407};
6408
6409nacl.sign.keyPair = function() {
6410 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
6411 var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
6412 crypto_sign_keypair(pk, sk);
6413 return {publicKey: pk, secretKey: sk};
6414};
6415
6416nacl.sign.keyPair.fromSecretKey = function(secretKey) {
6417 checkArrayTypes(secretKey);
6418 if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
6419 throw new Error('bad secret key size');
6420 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
6421 for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i];
6422 return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
6423};
6424
6425nacl.sign.keyPair.fromSeed = function(seed) {
6426 checkArrayTypes(seed);
6427 if (seed.length !== crypto_sign_SEEDBYTES)
6428 throw new Error('bad seed size');
6429 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
6430 var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
6431 for (var i = 0; i < 32; i++) sk[i] = seed[i];
6432 crypto_sign_keypair(pk, sk, true);
6433 return {publicKey: pk, secretKey: sk};
6434};
6435
6436nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
6437nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
6438nacl.sign.seedLength = crypto_sign_SEEDBYTES;
6439nacl.sign.signatureLength = crypto_sign_BYTES;
6440
6441nacl.hash = function(msg) {
6442 checkArrayTypes(msg);
6443 var h = new Uint8Array(crypto_hash_BYTES);
6444 crypto_hash(h, msg, msg.length);
6445 return h;
6446};
6447
6448nacl.hash.hashLength = crypto_hash_BYTES;
6449
6450nacl.verify = function(x, y) {
6451 checkArrayTypes(x, y);
6452 // Zero length arguments are considered not equal.
6453 if (x.length === 0 || y.length === 0) return false;
6454 if (x.length !== y.length) return false;
6455 return (vn(x, 0, y, 0, x.length) === 0) ? true : false;
6456};
6457
6458nacl.setPRNG = function(fn) {
6459 randombytes = fn;
6460};
6461
6462(function() {
6463 // Initialize PRNG if environment provides CSPRNG.
6464 // If not, methods calling randombytes will throw.
6465 var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
6466 if (crypto && crypto.getRandomValues) {
6467 // Browsers.
6468 var QUOTA = 65536;
6469 nacl.setPRNG(function(x, n) {
6470 var i, v = new Uint8Array(n);
6471 for (i = 0; i < n; i += QUOTA) {
6472 crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
6473 }
6474 for (i = 0; i < n; i++) x[i] = v[i];
6475 cleanup(v);
6476 });
6477 } else if (true) {
6478 // Node.js.
6479 crypto = __webpack_require__(35);
6480 if (crypto && crypto.randomBytes) {
6481 nacl.setPRNG(function(x, n) {
6482 var i, v = crypto.randomBytes(n);
6483 for (i = 0; i < n; i++) x[i] = v[i];
6484 cleanup(v);
6485 });
6486 }
6487 }
6488})();
6489
6490})(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));
6491
6492
6493/***/ }),
6494/* 35 */
6495/***/ (function(module, exports) {
6496
6497/* (ignored) */
6498
6499/***/ }),
6500/* 36 */
6501/***/ (function(module, exports, __webpack_require__) {
6502
6503"use strict";
6504/*
6505 * Wire
6506 * Copyright (C) 2016 Wire Swiss GmbH
6507 *
6508 * This program is free software: you can redistribute it and/or modify
6509 * it under the terms of the GNU General Public License as published by
6510 * the Free Software Foundation, either version 3 of the License, or
6511 * (at your option) any later version.
6512 *
6513 * This program is distributed in the hope that it will be useful,
6514 * but WITHOUT ANY WARRANTY; without even the implied warranty of
6515 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
6516 * GNU General Public License for more details.
6517 *
6518 * You should have received a copy of the GNU General Public License
6519 * along with this program. If not, see http://www.gnu.org/licenses/.
6520 *
6521 */
6522
6523
6524
6525const CBOR = __webpack_require__(2);
6526
6527const ArrayUtil = __webpack_require__(31);
6528const ClassUtil = __webpack_require__(3);
6529const DontCallConstructor = __webpack_require__(0);
6530const MemoryUtil = __webpack_require__(16);
6531const TypeUtil = __webpack_require__(1);
6532
6533const DecryptError = __webpack_require__(10);
6534
6535const DerivedSecrets = __webpack_require__(26);
6536const HeadKey = __webpack_require__(17);
6537
6538const IdentityKey = __webpack_require__(8);
6539const IdentityKeyPair = __webpack_require__(11);
6540const KeyPair = __webpack_require__(7);
6541const PreKeyBundle = __webpack_require__(23);
6542const PublicKey = __webpack_require__(4);
6543
6544const Header = __webpack_require__(25);
6545const HeaderMessage = __webpack_require__(9);
6546const Envelope = __webpack_require__(14);
6547const PreKeyMessage = __webpack_require__(13);
6548
6549const ChainKey = __webpack_require__(18);
6550const RecvChain = __webpack_require__(38);
6551const RootKey = __webpack_require__(39);
6552const SendChain = __webpack_require__(40);
6553const Session = __webpack_require__(30);
6554
6555/** @module session */
6556
6557/** @class SessionState */
6558class SessionState {
6559 constructor() {
6560 this.recv_chains = [];
6561 this.send_chain = null;
6562 this.root_key = null;
6563 this.prev_counter = null;
6564 this.next_send_head_key = null;
6565 this.next_recv_head_key = null;
6566
6567 throw new DontCallConstructor(this);
6568 }
6569
6570 /**
6571 * @param {!keys.IdentityKeyPair} alice_identity_pair
6572 * @param {!keys.PublicKey} alice_base
6573 * @param {!keys.PreKeyBundle} bob_pkbundle
6574 * @returns {SessionState}
6575 */
6576 static init_as_alice(alice_identity_pair, alice_base, bob_pkbundle) {
6577 TypeUtil.assert_is_instance(IdentityKeyPair, alice_identity_pair);
6578 TypeUtil.assert_is_instance(KeyPair, alice_base);
6579 TypeUtil.assert_is_instance(PreKeyBundle, bob_pkbundle);
6580
6581 const master_key = ArrayUtil.concatenate_array_buffers([
6582 alice_identity_pair.secret_key.shared_secret(bob_pkbundle.public_key),
6583 alice_base.secret_key.shared_secret(bob_pkbundle.identity_key.public_key),
6584 alice_base.secret_key.shared_secret(bob_pkbundle.public_key),
6585 ]);
6586
6587 const derived_secrets = DerivedSecrets.kdf_without_salt(master_key, 'handshake');
6588 MemoryUtil.zeroize(master_key);
6589
6590 const rootkey = RootKey.from_cipher_key(derived_secrets.cipher_key);
6591 const chainkey = ChainKey.from_mac_key(derived_secrets.mac_key, 0);
6592 const head_key_alice = derived_secrets.head_key_alice;
6593 const next_head_key_Bob = derived_secrets.next_head_key_bob;
6594
6595 const send_ratchet = KeyPair.new();
6596 const [rok, chk, nextHeadKey] = rootkey.dh_ratchet(send_ratchet, bob_pkbundle.public_key);
6597 const recv_chains = [RecvChain.new(chainkey, bob_pkbundle.public_key, next_head_key_Bob)];
6598 const send_chain = SendChain.new(chk, send_ratchet, head_key_alice);
6599
6600 const state = ClassUtil.new_instance(SessionState);
6601 state.next_send_head_key = nextHeadKey;
6602 state.recv_chains = recv_chains;
6603 state.next_recv_head_key = next_head_key_Bob;
6604 state.send_chain = send_chain;
6605 state.root_key = rok;
6606 state.prev_counter = 0;
6607 return state;
6608 }
6609
6610 /**
6611 * @param {!keys.IdentityKeyPair} bob_ident
6612 * @param {!keys.KeyPair} bob_prekey
6613 * @param {!keys.IdentityKey} alice_ident
6614 * @param {!keys.PublicKey} alice_base
6615 * @returns {SessionState}
6616 */
6617 static init_as_bob(bob_ident, bob_prekey, alice_ident, alice_base) {
6618 TypeUtil.assert_is_instance(IdentityKeyPair, bob_ident);
6619 TypeUtil.assert_is_instance(KeyPair, bob_prekey);
6620 TypeUtil.assert_is_instance(IdentityKey, alice_ident);
6621 TypeUtil.assert_is_instance(PublicKey, alice_base);
6622
6623 const master_key = ArrayUtil.concatenate_array_buffers([
6624 bob_prekey.secret_key.shared_secret(alice_ident.public_key),
6625 bob_ident.secret_key.shared_secret(alice_base),
6626 bob_prekey.secret_key.shared_secret(alice_base),
6627 ]);
6628
6629 const derived_secrets = DerivedSecrets.kdf_without_salt(master_key, 'handshake');
6630 MemoryUtil.zeroize(master_key);
6631
6632 const rootkey = RootKey.from_cipher_key(derived_secrets.cipher_key);
6633 const chainkey = ChainKey.from_mac_key(derived_secrets.mac_key, 0);
6634 const head_key_alice = derived_secrets.head_key_alice;
6635 const next_head_key_bob = derived_secrets.next_head_key_bob;
6636 const send_chain = SendChain.new(chainkey, bob_prekey, next_head_key_bob);
6637
6638 const state = ClassUtil.new_instance(SessionState);
6639 state.next_send_head_key = next_head_key_bob;
6640 state.next_recv_head_key = head_key_alice;
6641 state.send_chain = send_chain;
6642 state.root_key = rootkey;
6643 state.prev_counter = 0;
6644 return state;
6645 }
6646
6647 /**
6648 * @param {!keys.KeyPair} ratchet_key
6649 * @param {!number} prev_counter
6650 * @returns {void}
6651 */
6652 ratchet(ratchet_key, prev_counter) {
6653 const new_ratchet = KeyPair.new();
6654
6655 const [recv_root_key, recv_chain_key, next_recv_head_key] =
6656 this.root_key.dh_ratchet(this.send_chain.ratchet_key, ratchet_key);
6657
6658 const [send_root_key, send_chain_key, next_send_head_key] =
6659 recv_root_key.dh_ratchet(new_ratchet, ratchet_key);
6660
6661 const recv_chain = RecvChain.new(recv_chain_key, ratchet_key, this.next_recv_head_key);
6662 const send_chain = SendChain.new(send_chain_key, new_ratchet, this.next_send_head_key);
6663
6664 this.root_key = send_root_key;
6665 this.prev_counter = this.send_chain.chain_key.idx;
6666 this.send_chain = send_chain;
6667 this.next_send_head_key = next_send_head_key;
6668 this.next_recv_head_key = next_recv_head_key;
6669
6670 // save last chains counter
6671 const last_chain = this.recv_chains[0];
6672 if (last_chain) {
6673 last_chain.final_count = prev_counter;
6674 }
6675 this.recv_chains.unshift(recv_chain);
6676
6677 if (this.recv_chains.length > Session.MAX_RECV_CHAINS) {
6678 for (let index = Session.MAX_RECV_CHAINS; index < this.recv_chains.length; index++) {
6679 MemoryUtil.zeroize(this.recv_chains[index]);
6680 }
6681
6682 this.recv_chains = this.recv_chains.slice(0, Session.MAX_RECV_CHAINS);
6683 }
6684 }
6685
6686 /**
6687 * @param {!keys.IdentityKey} identity_key - Public identity key of the local identity key pair
6688 * @param {!Array<number|keys.PublicKey>} pending - Pending pre-key
6689 * @param {!(string|Uint8Array)} plaintext - The plaintext to encrypt
6690 * @param {number} confuse_pre_key_id - Use to create confused pre-key message
6691 * @returns {message.Envelope}
6692 */
6693 encrypt(identity_key, pending, plaintext, confuse_pre_key_id) {
6694 if (pending) {
6695 TypeUtil.assert_is_integer(pending[0]);
6696 TypeUtil.assert_is_instance(PublicKey, pending[1]);
6697 }
6698 TypeUtil.assert_is_instance(IdentityKey, identity_key);
6699
6700 const message_index = this.send_chain.chain_key.idx;
6701 const msgkeys = this.send_chain.chain_key.message_keys();
6702 const head_key = this.send_chain.head_key;
6703
6704 const header = Header.new(
6705 message_index,
6706 this.prev_counter,
6707 this.send_chain.ratchet_key.public_key
6708 ).serialise();
6709
6710 let message = HeaderMessage.new(
6711 head_key.encrypt(header, HeadKey.index_as_nonce(message_index)),
6712 msgkeys.encrypt(plaintext)
6713 );
6714
6715 if (pending) {
6716 message = PreKeyMessage.new(pending[0], pending[1], identity_key, message);
6717 } else if (confuse_pre_key_id !== undefined) {
6718 // create a confused pre-key message
6719 message = PreKeyMessage.new(confuse_pre_key_id, KeyPair.new().public_key, identity_key, message);
6720 }
6721
6722 const env = Envelope.new(msgkeys.mac_key, message);
6723 this.send_chain.chain_key = this.send_chain.chain_key.next();
6724 return env;
6725 }
6726
6727 /**
6728 * @param {!message.Envelope} envelope
6729 * @param {!message.HeaderMessage} msg
6730 * @returns {Uint8Array}
6731 */
6732 decrypt(envelope, msg) {
6733 TypeUtil.assert_is_instance(Envelope, envelope);
6734 TypeUtil.assert_is_instance(HeaderMessage, msg);
6735
6736 const encrypted_header = msg.header;
6737
6738 const [header, recv_chain] = (() => {
6739 // Try next_head_key first, run a DH-ratchet step and create a new receiving chain if it succeeded.
6740 try {
6741 return [RecvChain.try_next_head_key(encrypted_header, this.next_recv_head_key), null];
6742 } catch (err) {
6743 handleHeaderDecryptionError(err);
6744 }
6745
6746 // Otherwise, try old receving chains.
6747 const recv_chains_length = this.recv_chains.length;
6748 let idx = 0;
6749 for (; idx < recv_chains_length; idx++) {
6750 const _recv_chain = this.recv_chains[idx];
6751 try {
6752 return [_recv_chain.try_head_key(encrypted_header), _recv_chain];
6753 } catch (err) {
6754 handleHeaderDecryptionError(err);
6755 }
6756 }
6757
6758 return [null, null];
6759
6760 function handleHeaderDecryptionError(err) {
6761 if (!(err instanceof DecryptError.HeaderDecryptionFailed)) {
6762 throw err;
6763 }
6764 }
6765 })();
6766
6767 if (!header) {
6768 throw new DecryptError.HeaderDecryptionFailed('All chains failed', DecryptError.CODE.CASE_215);
6769 }
6770
6771 const rc = (() => {
6772 if (!recv_chain) {
6773 this.ratchet(header.ratchet_key, header.prev_counter);
6774 return this.recv_chains[0];
6775 }
6776 return recv_chain;
6777 })();
6778
6779 const cipher_text = msg.cipher_text;
6780 const counter = header.counter;
6781 const recv_chain_index = rc.chain_key.idx;
6782 if (counter < recv_chain_index) {
6783 return rc.try_message_keys(envelope, header, cipher_text);
6784 } else if (counter == recv_chain_index) {
6785 const mks = rc.chain_key.message_keys();
6786
6787 if (!envelope.verify(mks.mac_key)) {
6788 throw new DecryptError.InvalidSignature(`Envelope verification failed for message with counters in sync at '${counter}'`, DecryptError.CODE.CASE_206);
6789 }
6790
6791 const plain = mks.decrypt(cipher_text);
6792 rc.chain_key = rc.chain_key.next();
6793 return plain;
6794
6795 } else if (counter > recv_chain_index) {
6796 const [chk, mk, mks] = rc.stage_message_keys(header);
6797
6798 if (!envelope.verify(mk.mac_key)) {
6799 throw new DecryptError.InvalidSignature(`Envelope verification failed for message with counter ahead. Message index is '${counter}' while receive chain index is '${recv_chain_index}'.`, DecryptError.CODE.CASE_207);
6800 }
6801
6802 const plain = mk.decrypt(cipher_text);
6803
6804 rc.chain_key = chk.next();
6805 rc.commit_message_keys(mks);
6806
6807 return plain;
6808 }
6809 }
6810
6811 /** @returns {ArrayBuffer} */
6812 serialise() {
6813 const e = new CBOR.Encoder();
6814 this.encode(e);
6815 return e.get_buffer();
6816 }
6817
6818 static deserialise(buf) {
6819 TypeUtil.assert_is_instance(ArrayBuffer, buf);
6820 return SessionState.decode(new CBOR.Decoder(buf));
6821 }
6822
6823 /**
6824 * @param {!CBOR.Encoder} e
6825 * @returns {CBOR.Encoder}
6826 */
6827 encode(e) {
6828 e.object(6);
6829 e.u8(0);
6830 this.next_send_head_key.encode(e);
6831 e.u8(1);
6832 this.next_recv_head_key.encode(e);
6833 e.u8(2);
6834 e.array(this.recv_chains.length);
6835 this.recv_chains.map((rch) => rch.encode(e));
6836 e.u8(3);
6837 this.send_chain.encode(e);
6838 e.u8(4);
6839 this.root_key.encode(e);
6840 e.u8(5);
6841 return e.u32(this.prev_counter);
6842 }
6843
6844 /**
6845 * @param {!CBOR.Decoder} d
6846 * @returns {SessionState}
6847 */
6848 static decode(d) {
6849 TypeUtil.assert_is_instance(CBOR.Decoder, d);
6850
6851 const self = ClassUtil.new_instance(SessionState);
6852
6853 const nprops = d.object();
6854 for (let i = 0; i <= nprops - 1; i++) {
6855 switch (d.u8()) {
6856 case 0: {
6857 self.next_send_head_key = HeadKey.decode(d);
6858 break;
6859 }
6860 case 1: {
6861 self.next_recv_head_key = HeadKey.decode(d);
6862 break;
6863 }
6864 case 2: {
6865 self.recv_chains = [];
6866 let len = d.array();
6867 while (len--) {
6868 self.recv_chains.push(RecvChain.decode(d));
6869 }
6870 break;
6871 }
6872 case 3: {
6873 self.send_chain = SendChain.decode(d);
6874 break;
6875 }
6876 case 4: {
6877 self.root_key = RootKey.decode(d);
6878 break;
6879 }
6880 case 5: {
6881 self.prev_counter = d.u32();
6882 break;
6883 }
6884 default: {
6885 d.skip();
6886 }
6887 }
6888 }
6889
6890 TypeUtil.assert_is_instance(HeadKey, self.next_send_head_key);
6891 TypeUtil.assert_is_instance(HeadKey, self.next_recv_head_key);
6892 TypeUtil.assert_is_instance(SendChain, self.send_chain);
6893 TypeUtil.assert_is_instance(Array, self.recv_chains);
6894 TypeUtil.assert_is_instance(RootKey, self.root_key);
6895 TypeUtil.assert_is_integer(self.prev_counter);
6896
6897 return self;
6898 }
6899}
6900
6901module.exports = SessionState;
6902
6903
6904/***/ }),
6905/* 37 */
6906/***/ (function(module, exports, __webpack_require__) {
6907
6908"use strict";
6909/*
6910 * Wire
6911 * Copyright (C) 2016 Wire Swiss GmbH
6912 *
6913 * This program is free software: you can redistribute it and/or modify
6914 * it under the terms of the GNU General Public License as published by
6915 * the Free Software Foundation, either version 3 of the License, or
6916 * (at your option) any later version.
6917 *
6918 * This program is distributed in the hope that it will be useful,
6919 * but WITHOUT ANY WARRANTY; without even the implied warranty of
6920 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
6921 * GNU General Public License for more details.
6922 *
6923 * You should have received a copy of the GNU General Public License
6924 * along with this program. If not, see http://www.gnu.org/licenses/.
6925 *
6926 */
6927
6928
6929
6930const sodium = __webpack_require__(5);
6931
6932const ArrayUtil = __webpack_require__(31);
6933const MemoryUtil = __webpack_require__(16);
6934const TypeUtil = __webpack_require__(1);
6935
6936/** @module util */
6937
6938const KeyDerivationUtil = {
6939 /**
6940 * HMAC-based Key Derivation Function
6941 *
6942 * @param {!(Uint8Array|string)} salt
6943 * @param {!(Uint8Array|string)} input - Initial Keying Material (IKM)
6944 * @param {!(Uint8Array|string)} info - Key Derivation Data (Info)
6945 * @param {!number} length - Length of the derived key in bytes (L)
6946 * @returns {Uint8Array} - Output Keying Material (OKM)
6947 */
6948 hkdf(salt, input, info, length) {
6949 const convert_type = (value) => {
6950 if (typeof value === 'string') {
6951 return sodium.from_string(value);
6952 }
6953 TypeUtil.assert_is_instance(Uint8Array, value);
6954 return value;
6955 };
6956
6957 salt = convert_type(salt);
6958 input = convert_type(input);
6959 info = convert_type(info);
6960
6961 TypeUtil.assert_is_integer(length);
6962
6963 const HASH_LEN = 32;
6964
6965 /**
6966 * @param {*} received_salt
6967 * @returns {Uint8Array}
6968 */
6969 const salt_to_key = (received_salt) => {
6970 const keybytes = sodium.crypto_auth_hmacsha256_KEYBYTES;
6971 if (received_salt.length > keybytes) {
6972 return sodium.crypto_hash_sha256(received_salt);
6973 }
6974
6975 const key = new Uint8Array(keybytes);
6976 key.set(received_salt);
6977 return key;
6978 };
6979
6980 /**
6981 * @param {*} received_salt
6982 * @param {*} received_input
6983 * @returns {*}
6984 */
6985 const extract = (received_salt, received_input) => {
6986 return sodium.crypto_auth_hmacsha256(received_input, salt_to_key(received_salt));
6987 };
6988
6989 /**
6990 * @param {*} tag
6991 * @param {*} received_info
6992 * @param {!number} received_length
6993 * @returns {Uint8Array}
6994 */
6995 const expand = (tag, received_info, received_length) => {
6996 let num_blocks = Math.ceil(received_length / HASH_LEN);
6997 let hmac = new Uint8Array(0);
6998 let result = new Uint8Array(0);
6999
7000 for (let i = 0; i <= num_blocks - 1; i++) {
7001 const buf = ArrayUtil.concatenate_array_buffers([hmac, received_info, new Uint8Array([i + 1])]);
7002 hmac = sodium.crypto_auth_hmacsha256(buf, tag);
7003 result = ArrayUtil.concatenate_array_buffers([result, hmac]);
7004 }
7005
7006 return new Uint8Array(result.buffer.slice(0, received_length));
7007 };
7008
7009 const key = extract(salt, input);
7010
7011 MemoryUtil.zeroize(input);
7012 MemoryUtil.zeroize(salt);
7013
7014 return expand(key, info, length);
7015 },
7016};
7017
7018module.exports = KeyDerivationUtil;
7019
7020
7021/***/ }),
7022/* 38 */
7023/***/ (function(module, exports, __webpack_require__) {
7024
7025"use strict";
7026/*
7027 * Wire
7028 * Copyright (C) 2016 Wire Swiss GmbH
7029 *
7030 * This program is free software: you can redistribute it and/or modify
7031 * it under the terms of the GNU General Public License as published by
7032 * the Free Software Foundation, either version 3 of the License, or
7033 * (at your option) any later version.
7034 *
7035 * This program is distributed in the hope that it will be useful,
7036 * but WITHOUT ANY WARRANTY; without even the implied warranty of
7037 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7038 * GNU General Public License for more details.
7039 *
7040 * You should have received a copy of the GNU General Public License
7041 * along with this program. If not, see http://www.gnu.org/licenses/.
7042 *
7043 */
7044
7045
7046
7047const CBOR = __webpack_require__(2);
7048
7049const ClassUtil = __webpack_require__(3);
7050const DontCallConstructor = __webpack_require__(0);
7051const TypeUtil = __webpack_require__(1);
7052
7053const PublicKey = __webpack_require__(4);
7054
7055const DecryptError = __webpack_require__(10);
7056const ProteusError = __webpack_require__(6);
7057
7058const Header = __webpack_require__(25);
7059const Envelope = __webpack_require__(14);
7060
7061const ChainKey = __webpack_require__(18);
7062const HeadKey = __webpack_require__(17);
7063const MessageKeys = __webpack_require__(32);
7064
7065/** @module session */
7066
7067/**
7068 * @class RecvChain
7069 * @throws {DontCallConstructor}
7070 */
7071class RecvChain {
7072 constructor() {
7073 throw new DontCallConstructor(this);
7074 }
7075
7076 /**
7077 * @param {!session.ChainKey} chain_key
7078 * @param {!keys.PublicKey} public_key
7079 * @param {!derived.HeadKey} head_key
7080 * @returns {RecvChain}
7081 */
7082 static new(chain_key, public_key, head_key) {
7083 TypeUtil.assert_is_instance(ChainKey, chain_key);
7084 TypeUtil.assert_is_instance(PublicKey, public_key);
7085
7086 const rc = ClassUtil.new_instance(RecvChain);
7087 rc.chain_key = chain_key;
7088 rc.ratchet_key = public_key;
7089 rc.head_key = head_key;
7090 rc.final_count = null;
7091 rc.message_keys = [];
7092 return rc;
7093 }
7094
7095 /**
7096 * @param {!number} start_index
7097 * @param {!number} end_index
7098 * @param {!Uint8Array} encrypted_header - encrypted header
7099 * @param {!derived.HeadKey} head_key
7100 * @returns {message.Header}
7101 * @private
7102 */
7103 static _try_head_key(start_index, end_index, encrypted_header, head_key) {
7104 const [header, index] = (() => {
7105 for (let i = start_index; i <= end_index; i++) {
7106 try {
7107 const header_typed_array = head_key.decrypt(encrypted_header, HeadKey.index_as_nonce(i));
7108 return [Header.deserialise(header_typed_array.buffer), i];
7109 } catch (err) {
7110 // noop
7111 }
7112 }
7113 return [null, 0];
7114 })();
7115
7116 if (!header) {
7117 throw new DecryptError.HeaderDecryptionFailed('Head key not match', DecryptError.CODE.CASE_213);
7118 }
7119
7120 if (header.counter !== index) {
7121 throw new DecryptError.InvalidHeader('Invalid header', DecryptError.CODE.CASE_214);
7122 }
7123
7124 return header;
7125 }
7126
7127 /**
7128 * @param {!Uint8Array} encrypted_header - encrypted header
7129 * @param {!derived.HeadKey} next_head_key
7130 * @returns {message.Header}
7131 */
7132 static try_next_head_key(encrypted_header, next_head_key) {
7133
7134 return RecvChain._try_head_key(0, RecvChain.MAX_COUNTER_GAP, encrypted_header, next_head_key);
7135 }
7136
7137 /**
7138 * @param {!Uint8Array} encrypted_header - encrypted header
7139 * @returns {message.Header}
7140 */
7141 try_head_key(encrypted_header) {
7142 const final_count = this.final_count;
7143
7144 const start_index = this.message_keys.length > 0
7145 ? this.message_keys[0].counter
7146 : this.chain_key.idx;
7147 const end_index = final_count !== null
7148 ? final_count - 1
7149 : start_index + RecvChain.MAX_COUNTER_GAP;
7150
7151 return RecvChain._try_head_key(start_index, end_index, encrypted_header, this.head_key);
7152 }
7153
7154 /**
7155 * @param {!message.Envelope} envelope
7156 * @param {!message.Header} header
7157 * @param {!Uint8Array} cipher_text
7158 * @returns {Uint8Array}
7159 */
7160 try_message_keys(envelope, header, cipher_text) {
7161 TypeUtil.assert_is_instance(Envelope, envelope);
7162 TypeUtil.assert_is_instance(Header, header);
7163 TypeUtil.assert_is_instance(Uint8Array, cipher_text);
7164
7165 if (this.message_keys[0] && this.message_keys[0].counter > header.counter) {
7166 const message = `Message too old. Counter for oldest staged chain key is '${this.message_keys[0].counter}' while message counter is '${header.counter}'.`;
7167 throw new DecryptError.OutdatedMessage(message, DecryptError.CODE.CASE_208);
7168 }
7169
7170 const idx = this.message_keys.findIndex((mk) => {
7171 return mk.counter === header.counter;
7172 });
7173
7174 if (idx === -1) {
7175 throw new DecryptError.DuplicateMessage(null, DecryptError.CODE.CASE_209);
7176 }
7177
7178 const mk = this.message_keys.splice(idx, 1)[0];
7179 if (!envelope.verify(mk.mac_key)) {
7180 const message = `Envelope verification failed for message with counter behind. Message index is '${header.counter}' while receive chain index is '${this.chain_key.idx}'.`;
7181 throw new DecryptError.InvalidSignature(message, DecryptError.CODE.CASE_210);
7182 }
7183
7184 return mk.decrypt(cipher_text);
7185 }
7186
7187 /**
7188 * @param {!message.Header} header
7189 * @returns {Array<session.ChainKey>|session.MessageKeys}
7190 */
7191 stage_message_keys(header) {
7192 TypeUtil.assert_is_instance(Header, header);
7193
7194 const num = header.counter - this.chain_key.idx;
7195 if (num > RecvChain.MAX_COUNTER_GAP) {
7196 if (this.chain_key.idx === 0) {
7197 throw new DecryptError.TooDistantFuture('Skipped too many message at the beginning of a receive chain.', DecryptError.CODE.CASE_211);
7198 }
7199 throw new DecryptError.TooDistantFuture(`Skipped too many message within a used receive chain. Receive chain counter is '${this.chain_key.idx}'`, DecryptError.CODE.CASE_212);
7200 }
7201
7202 let keys = [];
7203 let chk = this.chain_key;
7204
7205 for (let i = 0; i <= num - 1; i++) {
7206 keys.push(chk.message_keys());
7207 chk = chk.next();
7208 }
7209
7210 const mk = chk.message_keys();
7211 return [chk, mk, keys];
7212 }
7213
7214 /**
7215 * @param {!Array<session.MessageKeys>} keys
7216 * @returns {void}
7217 */
7218 commit_message_keys(keys) {
7219 TypeUtil.assert_is_instance(Array, keys);
7220 keys.map((k) => TypeUtil.assert_is_instance(MessageKeys, k));
7221
7222 if (keys.length > RecvChain.MAX_COUNTER_GAP) {
7223 throw new ProteusError(`Number of message keys (${keys.length}) exceed message chain counter gap (${RecvChain.MAX_COUNTER_GAP}).`, ProteusError.prototype.CODE.CASE_103);
7224 }
7225
7226 const excess = this.message_keys.length + keys.length - RecvChain.MAX_COUNTER_GAP;
7227
7228 for (let i = 0; i <= excess - 1; i++) {
7229 this.message_keys.shift();
7230 }
7231
7232 keys.map((k) => this.message_keys.push(k));
7233
7234 if (keys.length > RecvChain.MAX_COUNTER_GAP) {
7235 throw new ProteusError(`Skipped message keys which exceed the message chain counter gap (${RecvChain.MAX_COUNTER_GAP}).`, ProteusError.prototype.CODE.CASE_104);
7236 }
7237 }
7238
7239 /**
7240 * @param {!CBOR.Encoder} e
7241 * @returns {Array<CBOR.Encoder>}
7242 */
7243 encode(e) {
7244 e.object(5);
7245 e.u8(0);
7246 this.chain_key.encode(e);
7247 e.u8(1);
7248 this.ratchet_key.encode(e);
7249 e.u8(2);
7250 this.head_key.encode(e);
7251 e.u8(3);
7252 if (this.final_count !== null) {
7253 e.u32(this.final_count);
7254 } else {
7255 e.null();
7256 }
7257
7258 e.u8(4);
7259 e.array(this.message_keys.length);
7260 return this.message_keys.map((k) => k.encode(e));
7261 }
7262
7263 /**
7264 * @param {!CBOR.Decoder} d
7265 * @returns {RecvChain}
7266 */
7267 static decode(d) {
7268 TypeUtil.assert_is_instance(CBOR.Decoder, d);
7269
7270 const self = ClassUtil.new_instance(RecvChain);
7271
7272 const nprops = d.object();
7273 for (let i = 0; i <= nprops - 1; i++) {
7274 switch (d.u8()) {
7275 case 0: {
7276 self.chain_key = ChainKey.decode(d);
7277 break;
7278 }
7279 case 1: {
7280 self.ratchet_key = PublicKey.decode(d);
7281 break;
7282 }
7283 case 2: {
7284 self.head_key = HeadKey.decode(d);
7285 break;
7286 }
7287 case 3: {
7288 self.final_count = d.optional(() => d.u32());
7289 break;
7290 }
7291 case 4: {
7292 self.message_keys = [];
7293
7294 let len = d.array();
7295 while (len--) {
7296 self.message_keys.push(MessageKeys.decode(d));
7297 }
7298 break;
7299 }
7300 default: {
7301 d.skip();
7302 }
7303 }
7304 }
7305
7306 TypeUtil.assert_is_instance(ChainKey, self.chain_key);
7307 TypeUtil.assert_is_instance(PublicKey, self.ratchet_key);
7308 TypeUtil.assert_is_instance(HeadKey, self.head_key);
7309 TypeUtil.assert_is_instance(Array, self.message_keys);
7310
7311 return self;
7312 }
7313}
7314
7315/** @type {number} */
7316RecvChain.MAX_COUNTER_GAP = 1000;
7317
7318module.exports = RecvChain;
7319
7320
7321/***/ }),
7322/* 39 */
7323/***/ (function(module, exports, __webpack_require__) {
7324
7325"use strict";
7326/*
7327 * Wire
7328 * Copyright (C) 2016 Wire Swiss GmbH
7329 *
7330 * This program is free software: you can redistribute it and/or modify
7331 * it under the terms of the GNU General Public License as published by
7332 * the Free Software Foundation, either version 3 of the License, or
7333 * (at your option) any later version.
7334 *
7335 * This program is distributed in the hope that it will be useful,
7336 * but WITHOUT ANY WARRANTY; without even the implied warranty of
7337 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7338 * GNU General Public License for more details.
7339 *
7340 * You should have received a copy of the GNU General Public License
7341 * along with this program. If not, see http://www.gnu.org/licenses/.
7342 *
7343 */
7344
7345
7346
7347const CBOR = __webpack_require__(2);
7348
7349const ClassUtil = __webpack_require__(3);
7350const DontCallConstructor = __webpack_require__(0);
7351const TypeUtil = __webpack_require__(1);
7352
7353const ChainKey = __webpack_require__(18);
7354const CipherKey = __webpack_require__(27);
7355const DerivedSecrets = __webpack_require__(26);
7356const KeyPair = __webpack_require__(7);
7357const PublicKey = __webpack_require__(4);
7358
7359/** @module session */
7360
7361/**
7362 * @class RootKey
7363 * @throws {DontCallConstructor}
7364 */
7365class RootKey {
7366 constructor() {
7367 throw new DontCallConstructor(this);
7368 }
7369
7370 /**
7371 * @param {!derived.CipherKey} cipher_key - Cipher key generated by derived secrets
7372 * @returns {RootKey}
7373 */
7374 static from_cipher_key(cipher_key) {
7375 TypeUtil.assert_is_instance(CipherKey, cipher_key);
7376
7377 const rk = ClassUtil.new_instance(RootKey);
7378 rk.key = cipher_key;
7379 return rk;
7380 }
7381
7382 /**
7383 * @param {!keys.KeyPair} ours - Our key pair
7384 * @param {!keys.PublicKey} theirs - Their public key
7385 * @returns {Array<RootKey|session.ChainKey|derived.HeadKey>}
7386 */
7387 dh_ratchet(ours, theirs) {
7388 TypeUtil.assert_is_instance(KeyPair, ours);
7389 TypeUtil.assert_is_instance(PublicKey, theirs);
7390
7391 const secret = ours.secret_key.shared_secret(theirs);
7392 const derived_secrets = DerivedSecrets.kdf(secret, this.key.key, 'dh_ratchet');
7393
7394 return [
7395 RootKey.from_cipher_key(derived_secrets.cipher_key),
7396 ChainKey.from_mac_key(derived_secrets.mac_key, 0),
7397 derived_secrets.next_head_key,
7398 ];
7399 }
7400
7401 /**
7402 * @param {!CBOR.Encoder} e
7403 * @returns {CBOR.Encoder}
7404 */
7405 encode(e) {
7406 e.object(1);
7407 e.u8(0);
7408 return this.key.encode(e);
7409 }
7410
7411 /**
7412 * @param {!CBOR.Decoder} d
7413 * @returns {RootKey}
7414 */
7415 static decode(d) {
7416 TypeUtil.assert_is_instance(CBOR.Decoder, d);
7417
7418 let cipher_key = null;
7419
7420 const nprops = d.object();
7421 for (let i = 0; i <= nprops - 1; i++) {
7422 switch (d.u8()) {
7423 case 0:
7424 cipher_key = CipherKey.decode(d);
7425 break;
7426 default:
7427 d.skip();
7428 }
7429 }
7430 return RootKey.from_cipher_key(cipher_key);
7431 }
7432}
7433
7434module.exports = RootKey;
7435
7436
7437/***/ }),
7438/* 40 */
7439/***/ (function(module, exports, __webpack_require__) {
7440
7441"use strict";
7442/*
7443 * Wire
7444 * Copyright (C) 2016 Wire Swiss GmbH
7445 *
7446 * This program is free software: you can redistribute it and/or modify
7447 * it under the terms of the GNU General Public License as published by
7448 * the Free Software Foundation, either version 3 of the License, or
7449 * (at your option) any later version.
7450 *
7451 * This program is distributed in the hope that it will be useful,
7452 * but WITHOUT ANY WARRANTY; without even the implied warranty of
7453 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7454 * GNU General Public License for more details.
7455 *
7456 * You should have received a copy of the GNU General Public License
7457 * along with this program. If not, see http://www.gnu.org/licenses/.
7458 *
7459 */
7460
7461
7462
7463const CBOR = __webpack_require__(2);
7464
7465const ClassUtil = __webpack_require__(3);
7466const DontCallConstructor = __webpack_require__(0);
7467const TypeUtil = __webpack_require__(1);
7468
7469const ChainKey = __webpack_require__(18);
7470const HeadKey = __webpack_require__(17);
7471const KeyPair = __webpack_require__(7);
7472
7473/** @module session */
7474
7475/**
7476 * @class SendChain
7477 * @throws {DontCallConstructor}
7478 */
7479class SendChain {
7480 constructor() {
7481 throw new DontCallConstructor(this);
7482 }
7483
7484 /**
7485 * @param {!session.ChainKey} chain_key
7486 * @param {!keys.KeyPair} keypair
7487 * @param {!derived.HeadKey} head_key
7488 * @returns {session.SendChain}
7489 */
7490 static new(chain_key, keypair, head_key) {
7491 TypeUtil.assert_is_instance(ChainKey, chain_key);
7492 TypeUtil.assert_is_instance(KeyPair, keypair);
7493 TypeUtil.assert_is_instance(HeadKey, head_key);
7494
7495 const sc = ClassUtil.new_instance(SendChain);
7496 sc.chain_key = chain_key;
7497 sc.ratchet_key = keypair;
7498 sc.head_key = head_key;
7499 return sc;
7500 }
7501
7502 /**
7503 * @param {!CBOR.Encoder} e
7504 * @returns {CBOR.Encoder}
7505 */
7506 encode(e) {
7507 e.object(3);
7508 e.u8(0);
7509 this.chain_key.encode(e);
7510 e.u8(1);
7511 this.ratchet_key.encode(e);
7512 e.u8(2);
7513 return this.head_key.encode(e);
7514 }
7515
7516 /**
7517 * @param {!CBOR.Decoder} d
7518 * @returns {SendChain}
7519 */
7520 static decode(d) {
7521 TypeUtil.assert_is_instance(CBOR.Decoder, d);
7522 const self = ClassUtil.new_instance(SendChain);
7523 const nprops = d.object();
7524 for (let i = 0; i <= nprops - 1; i++) {
7525 switch (d.u8()) {
7526 case 0:
7527 self.chain_key = ChainKey.decode(d);
7528 break;
7529 case 1:
7530 self.ratchet_key = KeyPair.decode(d);
7531 break;
7532 case 2:
7533 self.head_key = HeadKey.decode(d);
7534 break;
7535 default:
7536 d.skip();
7537 }
7538 }
7539 TypeUtil.assert_is_instance(ChainKey, self.chain_key);
7540 TypeUtil.assert_is_instance(KeyPair, self.ratchet_key);
7541 TypeUtil.assert_is_instance(HeadKey, self.head_key);
7542 return self;
7543 }
7544}
7545
7546module.exports = SendChain;
7547
7548
7549/***/ })
7550/******/ ]);
7551//# sourceMappingURL=proteus.js.map
\No newline at end of file