1 |
|
2 | var Proteus =
|
3 | (function(modules) {
|
4 |
|
5 | var installedModules = {};
|
6 |
|
7 |
|
8 | function __webpack_require__(moduleId) {
|
9 |
|
10 |
|
11 | if(installedModules[moduleId]) {
|
12 | return installedModules[moduleId].exports;
|
13 | }
|
14 |
|
15 | var module = installedModules[moduleId] = {
|
16 | i: moduleId,
|
17 | l: false,
|
18 | exports: {}
|
19 | };
|
20 |
|
21 |
|
22 | modules[moduleId].call(module.exports, module, module.exports, __webpack_require__);
|
23 |
|
24 |
|
25 | module.l = true;
|
26 |
|
27 |
|
28 | return module.exports;
|
29 | }
|
30 |
|
31 |
|
32 |
|
33 | __webpack_require__.m = modules;
|
34 |
|
35 |
|
36 | __webpack_require__.c = installedModules;
|
37 |
|
38 |
|
39 | __webpack_require__.d = function(exports, name, getter) {
|
40 | if(!__webpack_require__.o(exports, name)) {
|
41 | Object.defineProperty(exports, name, {
|
42 | configurable: false,
|
43 | enumerable: true,
|
44 | get: getter
|
45 | /******/ });
|
46 | /******/ }
|
47 | /******/ };
|
48 | /******/
|
49 | /******/ // getDefaultExport function for compatibility with non-harmony modules
|
50 | /******/ __webpack_require__.n = function(module) {
|
51 | var getter = module && module.__esModule ?
|
52 | function getDefault() { return module['default']; } :
|
53 | function getModuleExports() { return module; };
|
54 | __webpack_require__.d(getter, 'a', getter);
|
55 | return getter;
|
56 | };
|
57 |
|
58 |
|
59 | __webpack_require__.o = function(object, property) { return Object.prototype.hasOwnProperty.call(object, property); };
|
60 |
|
61 |
|
62 | __webpack_require__.p = "";
|
63 |
|
64 |
|
65 | return __webpack_require__(__webpack_require__.s = 33);
|
66 | })
|
67 |
|
68 | ([
|
69 |
|
70 | (function(module, exports, __webpack_require__) {
|
71 |
|
72 | "use strict";
|
73 |
|
74 |
|
75 |
|
76 |
|
77 |
|
78 |
|
79 |
|
80 |
|
81 |
|
82 |
|
83 |
|
84 |
|
85 |
|
86 |
|
87 |
|
88 |
|
89 |
|
90 |
|
91 |
|
92 |
|
93 |
|
94 | const ProteusError = __webpack_require__(6);
|
95 |
|
96 |
|
97 |
|
98 | const _extend = function(child, parent) {
|
99 | for (let key in parent) {
|
100 | if ({}.hasOwnProperty.call(parent, key)) child[key] = parent[key];
|
101 | }
|
102 | const ctor = function() {
|
103 | this.constructor = child;
|
104 | };
|
105 | ctor.prototype = parent.prototype;
|
106 | child.prototype = new ctor();
|
107 | child.__super__ = parent.prototype;
|
108 | return child;
|
109 | };
|
110 |
|
111 |
|
112 |
|
113 |
|
114 |
|
115 |
|
116 | const DontCallConstructor = (function(superClass) {
|
117 | _extend(func, superClass);
|
118 |
|
119 | function func(_instance) {
|
120 | this._instance = _instance;
|
121 | func.__super__.constructor.call(this,
|
122 | `Instead of 'new {this._instance.constructor.name}', use '${this._instance.constructor.name}.new'.`
|
123 | );
|
124 | }
|
125 |
|
126 | return func;
|
127 | })(ProteusError);
|
128 |
|
129 | module.exports = DontCallConstructor;
|
130 |
|
131 |
|
132 | }),
|
133 |
|
134 | (function(module, exports, __webpack_require__) {
|
135 |
|
136 | "use strict";
|
137 |
|
138 |
|
139 |
|
140 |
|
141 |
|
142 |
|
143 |
|
144 |
|
145 |
|
146 |
|
147 |
|
148 |
|
149 |
|
150 |
|
151 |
|
152 |
|
153 |
|
154 |
|
155 |
|
156 |
|
157 |
|
158 | const InputError = __webpack_require__(20);
|
159 |
|
160 |
|
161 |
|
162 | const TypeUtil = {
|
163 | |
164 |
|
165 |
|
166 |
|
167 |
|
168 |
|
169 | assert_is_instance(classes, inst) {
|
170 | if (!Array.isArray(classes)) {
|
171 | classes = [classes];
|
172 | }
|
173 | if (classes.some((k) => inst instanceof k || (inst && inst.prototype instanceof k))) {
|
174 | return;
|
175 | }
|
176 | const valid_types = classes.map((k) => `'${k.name}'`).join(' or ');
|
177 | if (inst) {
|
178 | throw new InputError.TypeError(`Expected one of ${valid_types}, got '${inst.constructor.name}'.`, InputError.CODE.CASE_401);
|
179 | }
|
180 | throw new InputError.TypeError(`Expected one of ${valid_types}, got '${String(inst)}'.`, InputError.CODE.CASE_402);
|
181 | },
|
182 | |
183 |
|
184 |
|
185 |
|
186 |
|
187 | assert_is_integer(inst) {
|
188 | if (Number.isInteger(inst)) {
|
189 | return true;
|
190 | }
|
191 | if (inst) {
|
192 | throw new InputError.TypeError(`Expected integer, got '${inst.constructor.name}'.`, InputError.CODE.CASE_403);
|
193 | }
|
194 | throw new InputError.TypeError(`Expected integer, got '${String(inst)}'.`, InputError.CODE.CASE_404);
|
195 | },
|
196 | };
|
197 |
|
198 | module.exports = TypeUtil;
|
199 |
|
200 |
|
201 | }),
|
202 |
|
203 | (function(module, exports) {
|
204 |
|
205 | module.exports = CBOR;
|
206 |
|
207 | }),
|
208 |
|
209 | (function(module, exports, __webpack_require__) {
|
210 |
|
211 | "use strict";
|
212 |
|
213 |
|
214 |
|
215 |
|
216 |
|
217 |
|
218 |
|
219 |
|
220 |
|
221 |
|
222 |
|
223 |
|
224 |
|
225 |
|
226 |
|
227 |
|
228 |
|
229 |
|
230 |
|
231 |
|
232 |
|
233 | const DontCallConstructor = __webpack_require__(0);
|
234 |
|
235 |
|
236 |
|
237 | const ClassUtil = {
|
238 | |
239 |
|
240 |
|
241 |
|
242 | new_instance(klass) {
|
243 | try {
|
244 | return new klass();
|
245 | } catch (e) {
|
246 | if (!(e instanceof DontCallConstructor)) {
|
247 | throw e;
|
248 | }
|
249 | return e._instance;
|
250 | }
|
251 | },
|
252 | };
|
253 |
|
254 | module.exports = ClassUtil;
|
255 |
|
256 |
|
257 | }),
|
258 |
|
259 | (function(module, exports, __webpack_require__) {
|
260 |
|
261 | "use strict";
|
262 |
|
263 |
|
264 |
|
265 |
|
266 |
|
267 |
|
268 |
|
269 |
|
270 |
|
271 |
|
272 |
|
273 |
|
274 |
|
275 |
|
276 |
|
277 |
|
278 |
|
279 |
|
280 |
|
281 |
|
282 |
|
283 | const CBOR = __webpack_require__(2);
|
284 | const ed2curve = __webpack_require__(21);
|
285 | const sodium = __webpack_require__(5);
|
286 |
|
287 | const ClassUtil = __webpack_require__(3);
|
288 | const DontCallConstructor = __webpack_require__(0);
|
289 | const TypeUtil = __webpack_require__(1);
|
290 |
|
291 |
|
292 |
|
293 |
|
294 |
|
295 |
|
296 |
|
297 | class PublicKey {
|
298 | constructor() {
|
299 | throw new DontCallConstructor(this);
|
300 | }
|
301 |
|
302 | |
303 |
|
304 |
|
305 |
|
306 |
|
307 | static new(pub_edward, pub_curve) {
|
308 | TypeUtil.assert_is_instance(Uint8Array, pub_edward);
|
309 | TypeUtil.assert_is_instance(Uint8Array, pub_curve);
|
310 |
|
311 |
|
312 | const pk = ClassUtil.new_instance(PublicKey);
|
313 |
|
314 |
|
315 | pk.pub_edward = pub_edward;
|
316 |
|
317 | pk.pub_curve = pub_curve;
|
318 | return pk;
|
319 | }
|
320 |
|
321 | |
322 |
|
323 |
|
324 |
|
325 |
|
326 |
|
327 |
|
328 | verify(signature, message) {
|
329 | TypeUtil.assert_is_instance(Uint8Array, signature);
|
330 | return sodium.crypto_sign_verify_detached(signature, message, this.pub_edward);
|
331 | }
|
332 |
|
333 |
|
334 | fingerprint() {
|
335 | return sodium.to_hex(this.pub_edward);
|
336 | }
|
337 |
|
338 | |
339 |
|
340 |
|
341 |
|
342 | encode(e) {
|
343 | e.object(1);
|
344 | e.u8(0);
|
345 | return e.bytes(this.pub_edward);
|
346 | }
|
347 |
|
348 | |
349 |
|
350 |
|
351 |
|
352 | static decode(d) {
|
353 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
354 |
|
355 | const self = ClassUtil.new_instance(PublicKey);
|
356 |
|
357 | const nprops = d.object();
|
358 | for (let i = 0; i <= nprops - 1; i++) {
|
359 | switch (d.u8()) {
|
360 | case 0:
|
361 | self.pub_edward = new Uint8Array(d.bytes());
|
362 | break;
|
363 | default:
|
364 | d.skip();
|
365 | }
|
366 | }
|
367 |
|
368 | TypeUtil.assert_is_instance(Uint8Array, self.pub_edward);
|
369 |
|
370 | self.pub_curve = ed2curve.convertPublicKey(self.pub_edward);
|
371 | return self;
|
372 | }
|
373 | }
|
374 |
|
375 | module.exports = PublicKey;
|
376 |
|
377 |
|
378 | }),
|
379 |
|
380 | (function(module, exports) {
|
381 |
|
382 | module.exports = sodium;
|
383 |
|
384 | }),
|
385 |
|
386 | (function(module, exports, __webpack_require__) {
|
387 |
|
388 | "use strict";
|
389 |
|
390 |
|
391 |
|
392 |
|
393 |
|
394 |
|
395 |
|
396 |
|
397 |
|
398 |
|
399 |
|
400 |
|
401 |
|
402 |
|
403 |
|
404 |
|
405 |
|
406 |
|
407 |
|
408 |
|
409 |
|
410 |
|
411 |
|
412 |
|
413 |
|
414 |
|
415 |
|
416 |
|
417 |
|
418 |
|
419 | const ProteusError = (function() {
|
420 | const func = function(message, code = 1) {
|
421 | this.code = code;
|
422 | this.message = message;
|
423 | this.name = this.constructor.name;
|
424 | this.stack = (new Error).stack;
|
425 | };
|
426 |
|
427 | func.prototype = new Error;
|
428 | func.prototype.constructor = func;
|
429 | func.prototype.CODE = {
|
430 | CASE_100: 100,
|
431 | CASE_101: 101,
|
432 | CASE_102: 102,
|
433 | CASE_103: 103,
|
434 | CASE_104: 104,
|
435 | };
|
436 |
|
437 | return func;
|
438 | })();
|
439 |
|
440 | module.exports = ProteusError;
|
441 |
|
442 |
|
443 | }),
|
444 |
|
445 | (function(module, exports, __webpack_require__) {
|
446 |
|
447 | "use strict";
|
448 |
|
449 |
|
450 |
|
451 |
|
452 |
|
453 |
|
454 |
|
455 |
|
456 |
|
457 |
|
458 |
|
459 |
|
460 |
|
461 |
|
462 |
|
463 |
|
464 |
|
465 |
|
466 |
|
467 |
|
468 |
|
469 | const CBOR = __webpack_require__(2);
|
470 | const ed2curve = __webpack_require__(21);
|
471 | const sodium = __webpack_require__(5);
|
472 |
|
473 | const ClassUtil = __webpack_require__(3);
|
474 | const DontCallConstructor = __webpack_require__(0);
|
475 | const TypeUtil = __webpack_require__(1);
|
476 |
|
477 | const PublicKey = __webpack_require__(4);
|
478 | const SecretKey = __webpack_require__(22);
|
479 |
|
480 |
|
481 |
|
482 |
|
483 |
|
484 |
|
485 |
|
486 |
|
487 | class KeyPair {
|
488 | constructor() {
|
489 | throw new DontCallConstructor(this);
|
490 | }
|
491 |
|
492 |
|
493 | static new() {
|
494 | const ed25519_key_pair = sodium.crypto_sign_keypair();
|
495 |
|
496 | const kp = ClassUtil.new_instance(KeyPair);
|
497 | kp.secret_key = KeyPair.prototype._construct_private_key(ed25519_key_pair);
|
498 | kp.public_key = KeyPair.prototype._construct_public_key(ed25519_key_pair);
|
499 |
|
500 | return kp;
|
501 | }
|
502 |
|
503 | |
504 |
|
505 |
|
506 |
|
507 |
|
508 |
|
509 |
|
510 |
|
511 | _construct_private_key(ed25519_key_pair) {
|
512 | const sk_ed25519 = ed25519_key_pair.privateKey;
|
513 | const sk_curve25519 = ed2curve.convertSecretKey(sk_ed25519);
|
514 | return SecretKey.new(sk_ed25519, sk_curve25519);
|
515 | }
|
516 |
|
517 | |
518 |
|
519 |
|
520 |
|
521 |
|
522 |
|
523 | |
524 |
|
525 |
|
526 |
|
527 |
|
528 | _construct_public_key(ed25519_key_pair) {
|
529 | const pk_ed25519 = ed25519_key_pair.publicKey;
|
530 | const pk_curve25519 = ed2curve.convertPublicKey(pk_ed25519);
|
531 | return PublicKey.new(pk_ed25519, pk_curve25519);
|
532 | }
|
533 |
|
534 | |
535 |
|
536 |
|
537 |
|
538 | encode(e) {
|
539 | e.object(2);
|
540 |
|
541 | e.u8(0);
|
542 | this.secret_key.encode(e);
|
543 |
|
544 | e.u8(1);
|
545 | return this.public_key.encode(e);
|
546 | }
|
547 |
|
548 | |
549 |
|
550 |
|
551 |
|
552 | static decode(d) {
|
553 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
554 |
|
555 | const self = ClassUtil.new_instance(KeyPair);
|
556 |
|
557 | const nprops = d.object();
|
558 | for (let i = 0; i <= nprops - 1; i++) {
|
559 | switch (d.u8()) {
|
560 | case 0:
|
561 | self.secret_key = SecretKey.decode(d);
|
562 | break;
|
563 | case 1:
|
564 | self.public_key = PublicKey.decode(d);
|
565 | break;
|
566 | default:
|
567 | d.skip();
|
568 | }
|
569 | }
|
570 |
|
571 | TypeUtil.assert_is_instance(SecretKey, self.secret_key);
|
572 | TypeUtil.assert_is_instance(PublicKey, self.public_key);
|
573 |
|
574 | return self;
|
575 | }
|
576 | }
|
577 |
|
578 | module.exports = KeyPair;
|
579 |
|
580 |
|
581 | }),
|
582 |
|
583 | (function(module, exports, __webpack_require__) {
|
584 |
|
585 | "use strict";
|
586 |
|
587 |
|
588 |
|
589 |
|
590 |
|
591 |
|
592 |
|
593 |
|
594 |
|
595 |
|
596 |
|
597 |
|
598 |
|
599 |
|
600 |
|
601 |
|
602 |
|
603 |
|
604 |
|
605 |
|
606 |
|
607 | const CBOR = __webpack_require__(2);
|
608 | const sodium = __webpack_require__(5);
|
609 |
|
610 | const ClassUtil = __webpack_require__(3);
|
611 | const DontCallConstructor = __webpack_require__(0);
|
612 | const TypeUtil = __webpack_require__(1);
|
613 |
|
614 | const PublicKey = __webpack_require__(4);
|
615 |
|
616 |
|
617 |
|
618 |
|
619 |
|
620 |
|
621 |
|
622 |
|
623 |
|
624 | class IdentityKey {
|
625 | constructor() {
|
626 | throw new DontCallConstructor(this);
|
627 | }
|
628 |
|
629 | |
630 |
|
631 |
|
632 |
|
633 | static new(public_key) {
|
634 | TypeUtil.assert_is_instance(PublicKey, public_key);
|
635 |
|
636 | const key = ClassUtil.new_instance(IdentityKey);
|
637 | key.public_key = public_key;
|
638 | return key;
|
639 | }
|
640 |
|
641 |
|
642 | fingerprint() {
|
643 | return this.public_key.fingerprint();
|
644 | }
|
645 |
|
646 |
|
647 | toString() {
|
648 | return sodium.to_hex(this.public_key);
|
649 | }
|
650 |
|
651 | |
652 |
|
653 |
|
654 |
|
655 | encode(e) {
|
656 | e.object(1);
|
657 | e.u8(0);
|
658 | return this.public_key.encode(e);
|
659 | }
|
660 |
|
661 | |
662 |
|
663 |
|
664 |
|
665 | static decode(d) {
|
666 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
667 |
|
668 | let public_key = null;
|
669 |
|
670 | const nprops = d.object();
|
671 | for (let i = 0; i <= nprops - 1; i++) {
|
672 | switch (d.u8()) {
|
673 | case 0:
|
674 | public_key = PublicKey.decode(d);
|
675 | break;
|
676 | default:
|
677 | d.skip();
|
678 | }
|
679 | }
|
680 |
|
681 | return IdentityKey.new(public_key);
|
682 | }
|
683 | }
|
684 |
|
685 | module.exports = IdentityKey;
|
686 |
|
687 |
|
688 | }),
|
689 |
|
690 | (function(module, exports, __webpack_require__) {
|
691 |
|
692 | "use strict";
|
693 |
|
694 |
|
695 |
|
696 |
|
697 |
|
698 |
|
699 |
|
700 |
|
701 |
|
702 |
|
703 |
|
704 |
|
705 |
|
706 |
|
707 |
|
708 |
|
709 |
|
710 |
|
711 |
|
712 |
|
713 |
|
714 | const CBOR = __webpack_require__(2);
|
715 |
|
716 | const ClassUtil = __webpack_require__(3);
|
717 | const DontCallConstructor = __webpack_require__(0);
|
718 | const TypeUtil = __webpack_require__(1);
|
719 |
|
720 | const Message = __webpack_require__(12);
|
721 |
|
722 |
|
723 |
|
724 |
|
725 |
|
726 |
|
727 |
|
728 | class HeaderMessage extends Message {
|
729 | constructor() {
|
730 | super();
|
731 | throw new DontCallConstructor(this);
|
732 | }
|
733 |
|
734 | |
735 |
|
736 |
|
737 |
|
738 |
|
739 | static new(encrypted_header, cipher_text) {
|
740 | TypeUtil.assert_is_instance(Uint8Array, encrypted_header);
|
741 | TypeUtil.assert_is_instance(Uint8Array, cipher_text);
|
742 |
|
743 | const hm = ClassUtil.new_instance(HeaderMessage);
|
744 |
|
745 | hm.header = encrypted_header;
|
746 | hm.cipher_text = cipher_text;
|
747 |
|
748 | Object.freeze(hm);
|
749 | return hm;
|
750 | }
|
751 |
|
752 | |
753 |
|
754 |
|
755 |
|
756 | encode(e) {
|
757 | e.object(2);
|
758 |
|
759 | e.u8(0);
|
760 | e.object(1);
|
761 | e.u8(0);
|
762 | e.bytes(this.header);
|
763 |
|
764 | e.u8(1);
|
765 | return e.bytes(this.cipher_text);
|
766 | }
|
767 |
|
768 | |
769 |
|
770 |
|
771 |
|
772 | static decode(d) {
|
773 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
774 |
|
775 | let header = null;
|
776 | let cipher_text = null;
|
777 |
|
778 | const nprops = d.object();
|
779 | for (let i = 0; i <= nprops - 1; i++) {
|
780 | switch (d.u8()) {
|
781 | case 0: {
|
782 | const nprops_mac = d.object();
|
783 | for (let j = 0; j <= nprops_mac - 1; j++) {
|
784 | switch (d.u8()) {
|
785 | case 0:
|
786 | header = new Uint8Array(d.bytes());
|
787 | break;
|
788 | default:
|
789 | d.skip();
|
790 | }
|
791 | }
|
792 | break;
|
793 | }
|
794 | case 1: {
|
795 | cipher_text = new Uint8Array(d.bytes());
|
796 | break;
|
797 | }
|
798 | default: {
|
799 | d.skip();
|
800 | }
|
801 | }
|
802 | }
|
803 |
|
804 | return HeaderMessage.new(header, cipher_text);
|
805 | }
|
806 | }
|
807 |
|
808 | module.exports = HeaderMessage;
|
809 |
|
810 |
|
811 | }),
|
812 |
|
813 | (function(module, exports, __webpack_require__) {
|
814 |
|
815 | "use strict";
|
816 |
|
817 |
|
818 |
|
819 |
|
820 |
|
821 |
|
822 |
|
823 |
|
824 |
|
825 |
|
826 |
|
827 |
|
828 |
|
829 |
|
830 |
|
831 |
|
832 |
|
833 |
|
834 |
|
835 |
|
836 |
|
837 | const ProteusError = __webpack_require__(6);
|
838 |
|
839 |
|
840 |
|
841 |
|
842 |
|
843 |
|
844 |
|
845 |
|
846 | class DecryptError extends ProteusError {
|
847 | constructor(message = 'Unknown decryption error', code = 2) {
|
848 | super(message, code);
|
849 | }
|
850 |
|
851 | static get CODE() {
|
852 | return {
|
853 | CASE_200: 200,
|
854 | CASE_201: 201,
|
855 | CASE_202: 202,
|
856 | CASE_203: 203,
|
857 | CASE_204: 204,
|
858 | CASE_205: 205,
|
859 | CASE_206: 206,
|
860 | CASE_207: 207,
|
861 | CASE_208: 208,
|
862 | CASE_209: 209,
|
863 | CASE_210: 210,
|
864 | CASE_211: 211,
|
865 | CASE_212: 212,
|
866 | CASE_213: 213,
|
867 | CASE_214: 214,
|
868 | CASE_215: 215,
|
869 | CASE_216: 216,
|
870 | };
|
871 | }
|
872 | }
|
873 |
|
874 |
|
875 |
|
876 |
|
877 |
|
878 |
|
879 | class RemoteIdentityChanged extends DecryptError {
|
880 | constructor(message = 'Remote identity changed', code) {
|
881 | super(message, code);
|
882 | }
|
883 | }
|
884 |
|
885 |
|
886 |
|
887 |
|
888 |
|
889 |
|
890 | class InvalidSignature extends DecryptError {
|
891 | constructor(message = 'Invalid signature', code) {
|
892 | super(message, code);
|
893 | }
|
894 | }
|
895 |
|
896 |
|
897 |
|
898 |
|
899 |
|
900 |
|
901 | class InvalidMessage extends DecryptError {
|
902 | constructor(message = 'Invalid message', code) {
|
903 | super(message, code);
|
904 | }
|
905 | }
|
906 |
|
907 |
|
908 |
|
909 |
|
910 |
|
911 |
|
912 | class DuplicateMessage extends DecryptError {
|
913 | constructor(message = 'Duplicate message', code) {
|
914 | super(message, code);
|
915 | }
|
916 | }
|
917 |
|
918 |
|
919 |
|
920 |
|
921 |
|
922 |
|
923 | class TooDistantFuture extends DecryptError {
|
924 | constructor(message = 'Message is from too distant in the future', code) {
|
925 | super(message, code);
|
926 | }
|
927 | }
|
928 |
|
929 |
|
930 |
|
931 |
|
932 |
|
933 |
|
934 | class OutdatedMessage extends DecryptError {
|
935 | constructor(message = 'Outdated message', code) {
|
936 | super(message, code);
|
937 | }
|
938 | }
|
939 |
|
940 |
|
941 |
|
942 |
|
943 |
|
944 |
|
945 | class PrekeyNotFound extends DecryptError {
|
946 | constructor(message = 'Pre-key not found', code) {
|
947 | super(message, code);
|
948 | }
|
949 | }
|
950 |
|
951 |
|
952 |
|
953 |
|
954 |
|
955 |
|
956 | class HeaderDecryptionFailed extends DecryptError {
|
957 | constructor(message = 'Header descryption failed', code) {
|
958 | super(message, code);
|
959 | }
|
960 | }
|
961 |
|
962 |
|
963 |
|
964 |
|
965 |
|
966 |
|
967 | class InvalidHeader extends DecryptError {
|
968 | constructor(message = 'Invalid header', code) {
|
969 | super(message, code);
|
970 | }
|
971 | }
|
972 |
|
973 | Object.assign(DecryptError, {
|
974 | RemoteIdentityChanged,
|
975 | InvalidSignature,
|
976 | InvalidMessage,
|
977 | DuplicateMessage,
|
978 | TooDistantFuture,
|
979 | OutdatedMessage,
|
980 | PrekeyNotFound,
|
981 | HeaderDecryptionFailed,
|
982 | InvalidHeader,
|
983 | });
|
984 |
|
985 | module.exports = ProteusError.DecryptError = DecryptError;
|
986 |
|
987 |
|
988 | }),
|
989 |
|
990 | (function(module, exports, __webpack_require__) {
|
991 |
|
992 | "use strict";
|
993 |
|
994 |
|
995 |
|
996 |
|
997 |
|
998 |
|
999 |
|
1000 |
|
1001 |
|
1002 |
|
1003 |
|
1004 |
|
1005 |
|
1006 |
|
1007 |
|
1008 |
|
1009 |
|
1010 |
|
1011 |
|
1012 |
|
1013 |
|
1014 | const CBOR = __webpack_require__(2);
|
1015 |
|
1016 | const ClassUtil = __webpack_require__(3);
|
1017 | const DontCallConstructor = __webpack_require__(0);
|
1018 | const TypeUtil = __webpack_require__(1);
|
1019 |
|
1020 | const IdentityKey = __webpack_require__(8);
|
1021 | const KeyPair = __webpack_require__(7);
|
1022 | const SecretKey = __webpack_require__(22);
|
1023 |
|
1024 |
|
1025 |
|
1026 |
|
1027 |
|
1028 |
|
1029 |
|
1030 | class IdentityKeyPair {
|
1031 | constructor() {
|
1032 | throw new DontCallConstructor(this);
|
1033 | }
|
1034 |
|
1035 |
|
1036 | static new() {
|
1037 | const key_pair = KeyPair.new();
|
1038 |
|
1039 |
|
1040 | const ikp = ClassUtil.new_instance(IdentityKeyPair);
|
1041 | ikp.version = 1;
|
1042 | ikp.secret_key = key_pair.secret_key;
|
1043 | ikp.public_key = IdentityKey.new(key_pair.public_key);
|
1044 |
|
1045 | return ikp;
|
1046 | }
|
1047 |
|
1048 |
|
1049 | serialise() {
|
1050 | const e = new CBOR.Encoder();
|
1051 | this.encode(e);
|
1052 | return e.get_buffer();
|
1053 | }
|
1054 |
|
1055 | |
1056 |
|
1057 |
|
1058 |
|
1059 | static deserialise(buf) {
|
1060 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
1061 |
|
1062 | const d = new CBOR.Decoder(buf);
|
1063 | return IdentityKeyPair.decode(d);
|
1064 | }
|
1065 |
|
1066 | |
1067 |
|
1068 |
|
1069 |
|
1070 | encode(e) {
|
1071 | e.object(3);
|
1072 | e.u8(0);
|
1073 | e.u8(this.version);
|
1074 | e.u8(1);
|
1075 | this.secret_key.encode(e);
|
1076 | e.u8(2);
|
1077 | return this.public_key.encode(e);
|
1078 | }
|
1079 |
|
1080 | |
1081 |
|
1082 |
|
1083 |
|
1084 | static decode(d) {
|
1085 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1086 |
|
1087 | const self = ClassUtil.new_instance(IdentityKeyPair);
|
1088 |
|
1089 | const nprops = d.object();
|
1090 | for (let i = 0; i <= nprops - 1; i++) {
|
1091 | switch (d.u8()) {
|
1092 | case 0:
|
1093 | self.version = d.u8();
|
1094 | break;
|
1095 | case 1:
|
1096 | self.secret_key = SecretKey.decode(d);
|
1097 | break;
|
1098 | case 2:
|
1099 | self.public_key = IdentityKey.decode(d);
|
1100 | break;
|
1101 | default:
|
1102 | d.skip();
|
1103 | }
|
1104 | }
|
1105 |
|
1106 | TypeUtil.assert_is_integer(self.version);
|
1107 | TypeUtil.assert_is_instance(SecretKey, self.secret_key);
|
1108 | TypeUtil.assert_is_instance(IdentityKey, self.public_key);
|
1109 |
|
1110 | return self;
|
1111 | }
|
1112 | }
|
1113 |
|
1114 | module.exports = IdentityKeyPair;
|
1115 |
|
1116 |
|
1117 | }),
|
1118 |
|
1119 | (function(module, exports, __webpack_require__) {
|
1120 |
|
1121 | "use strict";
|
1122 |
|
1123 |
|
1124 |
|
1125 |
|
1126 |
|
1127 |
|
1128 |
|
1129 |
|
1130 |
|
1131 |
|
1132 |
|
1133 |
|
1134 |
|
1135 |
|
1136 |
|
1137 |
|
1138 |
|
1139 |
|
1140 |
|
1141 |
|
1142 |
|
1143 | const CBOR = __webpack_require__(2);
|
1144 |
|
1145 | const DontCallConstructor = __webpack_require__(0);
|
1146 | const TypeUtil = __webpack_require__(1);
|
1147 |
|
1148 | const DecodeError = __webpack_require__(19);
|
1149 |
|
1150 |
|
1151 |
|
1152 |
|
1153 |
|
1154 |
|
1155 |
|
1156 | class Message {
|
1157 | constructor() {
|
1158 | throw new DontCallConstructor(this);
|
1159 | }
|
1160 |
|
1161 |
|
1162 | serialise() {
|
1163 | const e = new CBOR.Encoder();
|
1164 | if (this instanceof HeaderMessage) {
|
1165 | e.u8(1);
|
1166 | } else if (this instanceof PreKeyMessage) {
|
1167 | e.u8(2);
|
1168 | } else {
|
1169 | throw new TypeError('Unexpected message type', 9);
|
1170 | }
|
1171 |
|
1172 | this.encode(e);
|
1173 | return e.get_buffer();
|
1174 | }
|
1175 |
|
1176 | |
1177 |
|
1178 |
|
1179 |
|
1180 | static deserialise(buf) {
|
1181 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
1182 |
|
1183 | const d = new CBOR.Decoder(buf);
|
1184 |
|
1185 | switch (d.u8()) {
|
1186 | case 1:
|
1187 | return HeaderMessage.decode(d);
|
1188 | case 2:
|
1189 | return PreKeyMessage.decode(d);
|
1190 | default:
|
1191 | throw new DecodeError.InvalidType('Unrecognised message type', DecodeError.CODE.CASE_302);
|
1192 | }
|
1193 | }
|
1194 | }
|
1195 |
|
1196 | module.exports = Message;
|
1197 |
|
1198 |
|
1199 |
|
1200 | const HeaderMessage = __webpack_require__(9);
|
1201 | const PreKeyMessage = __webpack_require__(13);
|
1202 |
|
1203 |
|
1204 | }),
|
1205 |
|
1206 | (function(module, exports, __webpack_require__) {
|
1207 |
|
1208 | "use strict";
|
1209 |
|
1210 |
|
1211 |
|
1212 |
|
1213 |
|
1214 |
|
1215 |
|
1216 |
|
1217 |
|
1218 |
|
1219 |
|
1220 |
|
1221 |
|
1222 |
|
1223 |
|
1224 |
|
1225 |
|
1226 |
|
1227 |
|
1228 |
|
1229 |
|
1230 | const CBOR = __webpack_require__(2);
|
1231 |
|
1232 | const ClassUtil = __webpack_require__(3);
|
1233 | const DontCallConstructor = __webpack_require__(0);
|
1234 | const TypeUtil = __webpack_require__(1);
|
1235 |
|
1236 | const IdentityKey = __webpack_require__(8);
|
1237 | const PublicKey = __webpack_require__(4);
|
1238 |
|
1239 | const HeaderMessage = __webpack_require__(9);
|
1240 | const Message = __webpack_require__(12);
|
1241 |
|
1242 |
|
1243 |
|
1244 |
|
1245 |
|
1246 |
|
1247 |
|
1248 | class PreKeyMessage extends Message {
|
1249 | constructor() {
|
1250 | super();
|
1251 | throw new DontCallConstructor(this);
|
1252 | }
|
1253 |
|
1254 | |
1255 |
|
1256 |
|
1257 |
|
1258 |
|
1259 |
|
1260 |
|
1261 | static new(prekey_id, base_key, identity_key, message) {
|
1262 | TypeUtil.assert_is_integer(prekey_id);
|
1263 | TypeUtil.assert_is_instance(PublicKey, base_key);
|
1264 | TypeUtil.assert_is_instance(IdentityKey, identity_key);
|
1265 | TypeUtil.assert_is_instance(HeaderMessage, message);
|
1266 |
|
1267 | const pkm = ClassUtil.new_instance(PreKeyMessage);
|
1268 |
|
1269 | pkm.prekey_id = prekey_id;
|
1270 | pkm.base_key = base_key;
|
1271 | pkm.identity_key = identity_key;
|
1272 | pkm.message = message;
|
1273 |
|
1274 | Object.freeze(pkm);
|
1275 | return pkm;
|
1276 | }
|
1277 |
|
1278 | |
1279 |
|
1280 |
|
1281 |
|
1282 | encode(e) {
|
1283 | e.object(4);
|
1284 | e.u8(0);
|
1285 | e.u16(this.prekey_id);
|
1286 | e.u8(1);
|
1287 | this.base_key.encode(e);
|
1288 | e.u8(2);
|
1289 | this.identity_key.encode(e);
|
1290 | e.u8(3);
|
1291 | return this.message.encode(e);
|
1292 | }
|
1293 |
|
1294 | |
1295 |
|
1296 |
|
1297 |
|
1298 | static decode(d) {
|
1299 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1300 |
|
1301 | let prekey_id = null;
|
1302 | let base_key = null;
|
1303 | let identity_key = null;
|
1304 | let message = null;
|
1305 |
|
1306 | const nprops = d.object();
|
1307 | for (let i = 0; i <= nprops - 1; i++) {
|
1308 | switch (d.u8()) {
|
1309 | case 0:
|
1310 | prekey_id = d.u16();
|
1311 | break;
|
1312 | case 1:
|
1313 | base_key = PublicKey.decode(d);
|
1314 | break;
|
1315 | case 2:
|
1316 | identity_key = IdentityKey.decode(d);
|
1317 | break;
|
1318 | case 3:
|
1319 | message = HeaderMessage.decode(d);
|
1320 | break;
|
1321 | default:
|
1322 | d.skip();
|
1323 | }
|
1324 | }
|
1325 |
|
1326 |
|
1327 | return PreKeyMessage.new(prekey_id, base_key, identity_key, message);
|
1328 | }
|
1329 | }
|
1330 |
|
1331 | module.exports = PreKeyMessage;
|
1332 |
|
1333 |
|
1334 | }),
|
1335 |
|
1336 | (function(module, exports, __webpack_require__) {
|
1337 |
|
1338 | "use strict";
|
1339 |
|
1340 |
|
1341 |
|
1342 |
|
1343 |
|
1344 |
|
1345 |
|
1346 |
|
1347 |
|
1348 |
|
1349 |
|
1350 |
|
1351 |
|
1352 |
|
1353 |
|
1354 |
|
1355 |
|
1356 |
|
1357 |
|
1358 |
|
1359 |
|
1360 | const CBOR = __webpack_require__(2);
|
1361 |
|
1362 | const ClassUtil = __webpack_require__(3);
|
1363 | const DontCallConstructor = __webpack_require__(0);
|
1364 | const TypeUtil = __webpack_require__(1);
|
1365 |
|
1366 | const MacKey = __webpack_require__(15);
|
1367 | const Message = __webpack_require__(12);
|
1368 |
|
1369 |
|
1370 |
|
1371 |
|
1372 |
|
1373 |
|
1374 |
|
1375 | class Envelope {
|
1376 | constructor() {
|
1377 | throw new DontCallConstructor(this);
|
1378 | }
|
1379 |
|
1380 | |
1381 |
|
1382 |
|
1383 |
|
1384 |
|
1385 | static new(mac_key, message) {
|
1386 | TypeUtil.assert_is_instance(MacKey, mac_key);
|
1387 | TypeUtil.assert_is_instance(Message, message);
|
1388 |
|
1389 | const serialized_message = new Uint8Array(message.serialise());
|
1390 |
|
1391 | const env = ClassUtil.new_instance(Envelope);
|
1392 |
|
1393 | env.version = 1;
|
1394 | env.mac = mac_key.sign(serialized_message);
|
1395 | env.message = message;
|
1396 | env._message_enc = serialized_message;
|
1397 |
|
1398 | Object.freeze(env);
|
1399 | return env;
|
1400 | }
|
1401 |
|
1402 | |
1403 |
|
1404 |
|
1405 |
|
1406 | verify(mac_key) {
|
1407 | TypeUtil.assert_is_instance(MacKey, mac_key);
|
1408 | return mac_key.verify(this.mac, this._message_enc);
|
1409 | }
|
1410 |
|
1411 |
|
1412 | serialise() {
|
1413 | const e = new CBOR.Encoder();
|
1414 | this.encode(e);
|
1415 | return e.get_buffer();
|
1416 | }
|
1417 |
|
1418 | |
1419 |
|
1420 |
|
1421 |
|
1422 | static deserialise(buf) {
|
1423 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
1424 |
|
1425 | const d = new CBOR.Decoder(buf);
|
1426 | return Envelope.decode(d);
|
1427 | }
|
1428 |
|
1429 | |
1430 |
|
1431 |
|
1432 |
|
1433 | encode(e) {
|
1434 | e.object(3);
|
1435 | e.u8(0);
|
1436 | e.u8(this.version);
|
1437 |
|
1438 | e.u8(1);
|
1439 | e.object(1);
|
1440 | e.u8(0);
|
1441 | e.bytes(this.mac);
|
1442 |
|
1443 | e.u8(2);
|
1444 | return e.bytes(this._message_enc);
|
1445 | }
|
1446 |
|
1447 | |
1448 |
|
1449 |
|
1450 |
|
1451 | static decode(d) {
|
1452 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1453 |
|
1454 | const env = ClassUtil.new_instance(Envelope);
|
1455 |
|
1456 | const nprops = d.object();
|
1457 | for (let i = 0; i <= nprops - 1; i++) {
|
1458 | switch (d.u8()) {
|
1459 | case 0: {
|
1460 | env.version = d.u8();
|
1461 | break;
|
1462 | }
|
1463 | case 1: {
|
1464 | const nprops_mac = d.object();
|
1465 | for (let j = 0; j <= nprops_mac - 1; j++) {
|
1466 | switch (d.u8()) {
|
1467 | case 0:
|
1468 | env.mac = new Uint8Array(d.bytes());
|
1469 | break;
|
1470 | default:
|
1471 | d.skip();
|
1472 | }
|
1473 | }
|
1474 | break;
|
1475 | }
|
1476 | case 2: {
|
1477 | env._message_enc = new Uint8Array(d.bytes());
|
1478 | break;
|
1479 | }
|
1480 | default: {
|
1481 | d.skip();
|
1482 | }
|
1483 | }
|
1484 | }
|
1485 |
|
1486 | TypeUtil.assert_is_integer(env.version);
|
1487 | TypeUtil.assert_is_instance(Uint8Array, env.mac);
|
1488 |
|
1489 | env.message = Message.deserialise(env._message_enc.buffer);
|
1490 |
|
1491 | Object.freeze(env);
|
1492 | return env;
|
1493 | }
|
1494 | }
|
1495 |
|
1496 | module.exports = Envelope;
|
1497 |
|
1498 |
|
1499 | }),
|
1500 |
|
1501 | (function(module, exports, __webpack_require__) {
|
1502 |
|
1503 | "use strict";
|
1504 |
|
1505 |
|
1506 |
|
1507 |
|
1508 |
|
1509 |
|
1510 |
|
1511 |
|
1512 |
|
1513 |
|
1514 |
|
1515 |
|
1516 |
|
1517 |
|
1518 |
|
1519 |
|
1520 |
|
1521 |
|
1522 |
|
1523 |
|
1524 |
|
1525 | const CBOR = __webpack_require__(2);
|
1526 | const sodium = __webpack_require__(5);
|
1527 |
|
1528 | const ClassUtil = __webpack_require__(3);
|
1529 | const DontCallConstructor = __webpack_require__(0);
|
1530 | const TypeUtil = __webpack_require__(1);
|
1531 |
|
1532 |
|
1533 |
|
1534 |
|
1535 |
|
1536 |
|
1537 |
|
1538 | class MacKey {
|
1539 | constructor() {
|
1540 | throw new DontCallConstructor(this);
|
1541 | }
|
1542 |
|
1543 | |
1544 |
|
1545 |
|
1546 |
|
1547 | static new(key) {
|
1548 | TypeUtil.assert_is_instance(Uint8Array, key);
|
1549 |
|
1550 | const mk = ClassUtil.new_instance(MacKey);
|
1551 |
|
1552 | mk.key = key;
|
1553 | return mk;
|
1554 | }
|
1555 |
|
1556 | |
1557 |
|
1558 |
|
1559 |
|
1560 |
|
1561 | sign(msg) {
|
1562 | return sodium.crypto_auth_hmacsha256(msg, this.key);
|
1563 | }
|
1564 |
|
1565 | |
1566 |
|
1567 |
|
1568 |
|
1569 |
|
1570 |
|
1571 | verify(signature, msg) {
|
1572 | return sodium.crypto_auth_hmacsha256_verify(signature, msg, this.key);
|
1573 | }
|
1574 |
|
1575 | |
1576 |
|
1577 |
|
1578 |
|
1579 | encode(e) {
|
1580 | e.object(1);
|
1581 | e.u8(0);
|
1582 | return e.bytes(this.key);
|
1583 | }
|
1584 |
|
1585 | |
1586 |
|
1587 |
|
1588 |
|
1589 | static decode(d) {
|
1590 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1591 |
|
1592 | let key_bytes = null;
|
1593 |
|
1594 | const nprops = d.object();
|
1595 | for (let i = 0; i <= nprops - 1; i++) {
|
1596 | switch (d.u8()) {
|
1597 | case 0:
|
1598 | key_bytes = new Uint8Array(d.bytes());
|
1599 | break;
|
1600 | default:
|
1601 | d.skip();
|
1602 | }
|
1603 | }
|
1604 |
|
1605 | return MacKey.new(key_bytes);
|
1606 | }
|
1607 | }
|
1608 |
|
1609 | module.exports = MacKey;
|
1610 |
|
1611 |
|
1612 | }),
|
1613 |
|
1614 | (function(module, exports, __webpack_require__) {
|
1615 |
|
1616 | "use strict";
|
1617 |
|
1618 |
|
1619 |
|
1620 |
|
1621 |
|
1622 |
|
1623 |
|
1624 |
|
1625 |
|
1626 |
|
1627 |
|
1628 |
|
1629 |
|
1630 |
|
1631 |
|
1632 |
|
1633 |
|
1634 |
|
1635 |
|
1636 |
|
1637 |
|
1638 | const sodium = __webpack_require__(5);
|
1639 |
|
1640 |
|
1641 |
|
1642 | const MemoryUtil = {
|
1643 | |
1644 |
|
1645 |
|
1646 |
|
1647 | zeroize(object) {
|
1648 | if (object instanceof Uint8Array) {
|
1649 | sodium.memzero(object);
|
1650 | } else if (object instanceof ArrayBuffer) {
|
1651 | sodium.memzero(new Uint8Array(object));
|
1652 | } else if (typeof object === 'object') {
|
1653 | Object.keys(object).map((key) => object[key]).forEach((val) => this.zeroize(val));
|
1654 | }
|
1655 | },
|
1656 | };
|
1657 |
|
1658 | module.exports = MemoryUtil;
|
1659 |
|
1660 |
|
1661 | }),
|
1662 |
|
1663 | (function(module, exports, __webpack_require__) {
|
1664 |
|
1665 | "use strict";
|
1666 |
|
1667 |
|
1668 |
|
1669 |
|
1670 |
|
1671 |
|
1672 |
|
1673 |
|
1674 |
|
1675 |
|
1676 |
|
1677 |
|
1678 |
|
1679 |
|
1680 |
|
1681 |
|
1682 |
|
1683 |
|
1684 |
|
1685 |
|
1686 |
|
1687 | const CBOR = __webpack_require__(2);
|
1688 | const sodium = __webpack_require__(5);
|
1689 |
|
1690 | const ClassUtil = __webpack_require__(3);
|
1691 | const DontCallConstructor = __webpack_require__(0);
|
1692 | const TypeUtil = __webpack_require__(1);
|
1693 |
|
1694 |
|
1695 |
|
1696 |
|
1697 |
|
1698 |
|
1699 |
|
1700 | class HeadKey {
|
1701 | constructor() {
|
1702 | throw new DontCallConstructor(this);
|
1703 | }
|
1704 |
|
1705 | |
1706 |
|
1707 |
|
1708 |
|
1709 | static new(key) {
|
1710 | TypeUtil.assert_is_instance(Uint8Array, key);
|
1711 |
|
1712 | const hk = ClassUtil.new_instance(HeadKey);
|
1713 |
|
1714 | hk.key = key;
|
1715 | return hk;
|
1716 | }
|
1717 |
|
1718 | |
1719 |
|
1720 |
|
1721 |
|
1722 | static index_as_nonce(idx) {
|
1723 | const nonce = new ArrayBuffer(8);
|
1724 | new DataView(nonce).setUint32(0, idx);
|
1725 | return new Uint8Array(nonce);
|
1726 | }
|
1727 |
|
1728 | |
1729 |
|
1730 |
|
1731 |
|
1732 |
|
1733 | encrypt(header, nonce) {
|
1734 | header = new Uint8Array(header);
|
1735 |
|
1736 | return sodium.crypto_stream_chacha20_xor(header, nonce, this.key, 'uint8array');
|
1737 | }
|
1738 |
|
1739 | |
1740 |
|
1741 |
|
1742 |
|
1743 |
|
1744 | decrypt(encrypted_header, nonce) {
|
1745 | return this.encrypt(encrypted_header, nonce);
|
1746 | }
|
1747 |
|
1748 | |
1749 |
|
1750 |
|
1751 |
|
1752 | encode(e) {
|
1753 | e.object(1);
|
1754 | e.u8(0);
|
1755 | return e.bytes(this.key);
|
1756 | }
|
1757 |
|
1758 | |
1759 |
|
1760 |
|
1761 |
|
1762 | static decode(d) {
|
1763 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1764 |
|
1765 | let key_bytes = null;
|
1766 |
|
1767 | const nprops = d.object();
|
1768 | for (let i = 0; i <= nprops - 1; i++) {
|
1769 | switch (d.u8()) {
|
1770 | case 0:
|
1771 | key_bytes = new Uint8Array(d.bytes());
|
1772 | break;
|
1773 | default:
|
1774 | d.skip();
|
1775 | }
|
1776 | }
|
1777 | return HeadKey.new(key_bytes);
|
1778 | }
|
1779 | }
|
1780 |
|
1781 | module.exports = HeadKey;
|
1782 |
|
1783 |
|
1784 | }),
|
1785 |
|
1786 | (function(module, exports, __webpack_require__) {
|
1787 |
|
1788 | "use strict";
|
1789 |
|
1790 |
|
1791 |
|
1792 |
|
1793 |
|
1794 |
|
1795 |
|
1796 |
|
1797 |
|
1798 |
|
1799 |
|
1800 |
|
1801 |
|
1802 |
|
1803 |
|
1804 |
|
1805 |
|
1806 |
|
1807 |
|
1808 |
|
1809 |
|
1810 | const CBOR = __webpack_require__(2);
|
1811 |
|
1812 | const ClassUtil = __webpack_require__(3);
|
1813 | const DontCallConstructor = __webpack_require__(0);
|
1814 | const TypeUtil = __webpack_require__(1);
|
1815 |
|
1816 | const DerivedSecrets = __webpack_require__(26);
|
1817 | const MacKey = __webpack_require__(15);
|
1818 | const MessageKeys = __webpack_require__(32);
|
1819 |
|
1820 |
|
1821 |
|
1822 |
|
1823 |
|
1824 |
|
1825 |
|
1826 | class ChainKey {
|
1827 | constructor() {
|
1828 | throw new DontCallConstructor(this);
|
1829 | }
|
1830 |
|
1831 | |
1832 |
|
1833 |
|
1834 |
|
1835 |
|
1836 | static from_mac_key(key, counter) {
|
1837 | TypeUtil.assert_is_instance(MacKey, key);
|
1838 | TypeUtil.assert_is_integer(counter);
|
1839 |
|
1840 | const ck = ClassUtil.new_instance(ChainKey);
|
1841 | ck.key = key;
|
1842 | ck.idx = counter;
|
1843 | return ck;
|
1844 | }
|
1845 |
|
1846 |
|
1847 | next() {
|
1848 | const ck = ClassUtil.new_instance(ChainKey);
|
1849 | ck.key = MacKey.new(this.key.sign('1'));
|
1850 | ck.idx = this.idx + 1;
|
1851 | return ck;
|
1852 | }
|
1853 |
|
1854 |
|
1855 | message_keys() {
|
1856 | const base = this.key.sign('0');
|
1857 | const derived_secrets = DerivedSecrets.kdf_without_salt(base, 'hash_ratchet');
|
1858 | return MessageKeys.new(derived_secrets.cipher_key, derived_secrets.mac_key, this.idx);
|
1859 | }
|
1860 |
|
1861 | |
1862 |
|
1863 |
|
1864 |
|
1865 | encode(e) {
|
1866 | e.object(2);
|
1867 | e.u8(0);
|
1868 | this.key.encode(e);
|
1869 | e.u8(1);
|
1870 | return e.u32(this.idx);
|
1871 | }
|
1872 |
|
1873 | |
1874 |
|
1875 |
|
1876 |
|
1877 | static decode(d) {
|
1878 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
1879 |
|
1880 | const self = ClassUtil.new_instance(ChainKey);
|
1881 |
|
1882 | const nprops = d.object();
|
1883 | for (let i = 0; i <= nprops - 1; i++) {
|
1884 | switch (d.u8()) {
|
1885 | case 0:
|
1886 | self.key = MacKey.decode(d);
|
1887 | break;
|
1888 | case 1:
|
1889 | self.idx = d.u32();
|
1890 | break;
|
1891 | default:
|
1892 | d.skip();
|
1893 | }
|
1894 | }
|
1895 |
|
1896 | TypeUtil.assert_is_instance(MacKey, self.key);
|
1897 | TypeUtil.assert_is_integer(self.idx);
|
1898 |
|
1899 | return self;
|
1900 | }
|
1901 | }
|
1902 |
|
1903 | module.exports = ChainKey;
|
1904 |
|
1905 |
|
1906 | }),
|
1907 |
|
1908 | (function(module, exports, __webpack_require__) {
|
1909 |
|
1910 | "use strict";
|
1911 |
|
1912 |
|
1913 |
|
1914 |
|
1915 |
|
1916 |
|
1917 |
|
1918 |
|
1919 |
|
1920 |
|
1921 |
|
1922 |
|
1923 |
|
1924 |
|
1925 |
|
1926 |
|
1927 |
|
1928 |
|
1929 |
|
1930 |
|
1931 |
|
1932 |
|
1933 |
|
1934 | const ProteusError = __webpack_require__(6);
|
1935 |
|
1936 |
|
1937 |
|
1938 |
|
1939 |
|
1940 |
|
1941 |
|
1942 |
|
1943 |
|
1944 | class DecodeError extends ProteusError {
|
1945 | constructor(message = 'Unknown decoding error', code = 3) {
|
1946 | super(message, code);
|
1947 | }
|
1948 |
|
1949 | static get CODE() {
|
1950 | return {
|
1951 | CASE_300: 300,
|
1952 | CASE_301: 301,
|
1953 | CASE_302: 302,
|
1954 | CASE_303: 303,
|
1955 | };
|
1956 | }
|
1957 | }
|
1958 |
|
1959 |
|
1960 |
|
1961 |
|
1962 |
|
1963 |
|
1964 |
|
1965 | class InvalidType extends DecodeError {
|
1966 | constructor(message = 'Invalid type', code) {
|
1967 | super(message, code);
|
1968 | }
|
1969 | }
|
1970 |
|
1971 |
|
1972 |
|
1973 |
|
1974 |
|
1975 |
|
1976 |
|
1977 | class InvalidArrayLen extends DecodeError {
|
1978 | constructor(message = 'Invalid array length', code) {
|
1979 | super(message, code);
|
1980 | }
|
1981 | }
|
1982 |
|
1983 |
|
1984 |
|
1985 |
|
1986 |
|
1987 |
|
1988 |
|
1989 | class LocalIdentityChanged extends DecodeError {
|
1990 | constructor(message = 'Local identity changed', code) {
|
1991 | super(message, code);
|
1992 | }
|
1993 | }
|
1994 |
|
1995 | Object.assign(DecodeError, {
|
1996 | InvalidType,
|
1997 | InvalidArrayLen,
|
1998 | LocalIdentityChanged,
|
1999 | });
|
2000 |
|
2001 | module.exports = ProteusError.DecodeError = DecodeError;
|
2002 |
|
2003 |
|
2004 | }),
|
2005 |
|
2006 | (function(module, exports, __webpack_require__) {
|
2007 |
|
2008 | "use strict";
|
2009 |
|
2010 |
|
2011 |
|
2012 |
|
2013 |
|
2014 |
|
2015 |
|
2016 |
|
2017 |
|
2018 |
|
2019 |
|
2020 |
|
2021 |
|
2022 |
|
2023 |
|
2024 |
|
2025 |
|
2026 |
|
2027 |
|
2028 |
|
2029 |
|
2030 | const ProteusError = __webpack_require__(6);
|
2031 |
|
2032 |
|
2033 |
|
2034 |
|
2035 |
|
2036 |
|
2037 |
|
2038 |
|
2039 |
|
2040 | class InputError extends ProteusError {
|
2041 | constructor(message = 'Invalid input', code = 4) {
|
2042 | super(message, code);
|
2043 | }
|
2044 |
|
2045 | static get CODE() {
|
2046 | return {
|
2047 | CASE_400: 400,
|
2048 | CASE_401: 401,
|
2049 | CASE_402: 402,
|
2050 | CASE_403: 403,
|
2051 | CASE_404: 404,
|
2052 | };
|
2053 | }
|
2054 | }
|
2055 |
|
2056 |
|
2057 |
|
2058 |
|
2059 |
|
2060 |
|
2061 |
|
2062 | class RangeError extends InputError {
|
2063 | constructor(message = 'Invalid type', code) {
|
2064 | super(message, code);
|
2065 | }
|
2066 | }
|
2067 |
|
2068 |
|
2069 |
|
2070 |
|
2071 |
|
2072 |
|
2073 |
|
2074 | class TypeError extends InputError {
|
2075 | constructor(message = 'Invalid array length', code) {
|
2076 | super(message, code);
|
2077 | }
|
2078 | }
|
2079 |
|
2080 | Object.assign(InputError, {
|
2081 | RangeError,
|
2082 | TypeError,
|
2083 | });
|
2084 |
|
2085 | module.exports = ProteusError.InputError = InputError;
|
2086 |
|
2087 |
|
2088 | }),
|
2089 |
|
2090 | (function(module, exports, __webpack_require__) {
|
2091 |
|
2092 |
|
2093 |
|
2094 |
|
2095 |
|
2096 |
|
2097 |
|
2098 |
|
2099 | (function(root, f) {
|
2100 | 'use strict';
|
2101 | if (typeof module !== 'undefined' && module.exports) module.exports = f(__webpack_require__(34));
|
2102 | else root.ed2curve = f(root.nacl);
|
2103 | }(this, function(nacl) {
|
2104 | 'use strict';
|
2105 | if (!nacl) throw new Error('tweetnacl not loaded');
|
2106 |
|
2107 |
|
2108 |
|
2109 | var gf = function(init) {
|
2110 | var i, r = new Float64Array(16);
|
2111 | if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
|
2112 | return r;
|
2113 | };
|
2114 |
|
2115 | var gf0 = gf(),
|
2116 | gf1 = gf([1]),
|
2117 | D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
|
2118 | I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
|
2119 |
|
2120 |
|
2121 |
|
2122 | function car25519(o) {
|
2123 | var c;
|
2124 | var i;
|
2125 | for (i = 0; i < 16; i++) {
|
2126 | o[i] += 65536;
|
2127 | c = Math.floor(o[i] / 65536);
|
2128 | o[(i+1)*(i<15?1:0)] += c - 1 + 37 * (c-1) * (i===15?1:0);
|
2129 | o[i] -= (c * 65536);
|
2130 | }
|
2131 | }
|
2132 |
|
2133 | function sel25519(p, q, b) {
|
2134 | var t, c = ~(b-1);
|
2135 | for (var i = 0; i < 16; i++) {
|
2136 | t = c & (p[i] ^ q[i]);
|
2137 | p[i] ^= t;
|
2138 | q[i] ^= t;
|
2139 | }
|
2140 | }
|
2141 |
|
2142 | function unpack25519(o, n) {
|
2143 | var i;
|
2144 | for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
|
2145 | o[15] &= 0x7fff;
|
2146 | }
|
2147 |
|
2148 |
|
2149 | function A(o, a, b) {
|
2150 | var i;
|
2151 | for (i = 0; i < 16; i++) o[i] = (a[i] + b[i])|0;
|
2152 | }
|
2153 |
|
2154 |
|
2155 | function Z(o, a, b) {
|
2156 | var i;
|
2157 | for (i = 0; i < 16; i++) o[i] = (a[i] - b[i])|0;
|
2158 | }
|
2159 |
|
2160 |
|
2161 | function M(o, a, b) {
|
2162 | var i, j, t = new Float64Array(31);
|
2163 | for (i = 0; i < 31; i++) t[i] = 0;
|
2164 | for (i = 0; i < 16; i++) {
|
2165 | for (j = 0; j < 16; j++) {
|
2166 | t[i+j] += a[i] * b[j];
|
2167 | }
|
2168 | }
|
2169 | for (i = 0; i < 15; i++) {
|
2170 | t[i] += 38 * t[i+16];
|
2171 | }
|
2172 | for (i = 0; i < 16; i++) o[i] = t[i];
|
2173 | car25519(o);
|
2174 | car25519(o);
|
2175 | }
|
2176 |
|
2177 |
|
2178 | function S(o, a) {
|
2179 | M(o, a, a);
|
2180 | }
|
2181 |
|
2182 |
|
2183 | function inv25519(o, i) {
|
2184 | var c = gf();
|
2185 | var a;
|
2186 | for (a = 0; a < 16; a++) c[a] = i[a];
|
2187 | for (a = 253; a >= 0; a--) {
|
2188 | S(c, c);
|
2189 | if(a !== 2 && a !== 4) M(c, c, i);
|
2190 | }
|
2191 | for (a = 0; a < 16; a++) o[a] = c[a];
|
2192 | }
|
2193 |
|
2194 | function pack25519(o, n) {
|
2195 | var i, j, b;
|
2196 | var m = gf(), t = gf();
|
2197 | for (i = 0; i < 16; i++) t[i] = n[i];
|
2198 | car25519(t);
|
2199 | car25519(t);
|
2200 | car25519(t);
|
2201 | for (j = 0; j < 2; j++) {
|
2202 | m[0] = t[0] - 0xffed;
|
2203 | for (i = 1; i < 15; i++) {
|
2204 | m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
|
2205 | m[i-1] &= 0xffff;
|
2206 | }
|
2207 | m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
|
2208 | b = (m[15]>>16) & 1;
|
2209 | m[14] &= 0xffff;
|
2210 | sel25519(t, m, 1-b);
|
2211 | }
|
2212 | for (i = 0; i < 16; i++) {
|
2213 | o[2*i] = t[i] & 0xff;
|
2214 | o[2*i+1] = t[i] >> 8;
|
2215 | }
|
2216 | }
|
2217 |
|
2218 |
|
2219 | function par25519(a) {
|
2220 | var d = new Uint8Array(32);
|
2221 | pack25519(d, a);
|
2222 | return d[0] & 1;
|
2223 | }
|
2224 |
|
2225 |
|
2226 |
|
2227 | function vn(x, xi, y, yi, n) {
|
2228 | var i, d = 0;
|
2229 | for (i = 0; i < n; i++) d |= x[xi + i] ^ y[yi + i];
|
2230 | return (1 & ((d - 1) >>> 8)) - 1;
|
2231 | }
|
2232 |
|
2233 |
|
2234 | function crypto_verify_32(x, xi, y, yi) {
|
2235 | return vn(x, xi, y, yi, 32);
|
2236 | }
|
2237 |
|
2238 | function neq25519(a, b) {
|
2239 | var c = new Uint8Array(32), d = new Uint8Array(32);
|
2240 | pack25519(c, a);
|
2241 | pack25519(d, b);
|
2242 | return crypto_verify_32(c, 0, d, 0);
|
2243 | }
|
2244 |
|
2245 |
|
2246 | function pow2523(o, i) {
|
2247 | var c = gf();
|
2248 | var a;
|
2249 | for (a = 0; a < 16; a++) c[a] = i[a];
|
2250 | for (a = 250; a >= 0; a--) {
|
2251 | S(c, c);
|
2252 | if (a !== 1) M(c, c, i);
|
2253 | }
|
2254 | for (a = 0; a < 16; a++) o[a] = c[a];
|
2255 | }
|
2256 |
|
2257 | function set25519(r, a) {
|
2258 | var i;
|
2259 | for (i = 0; i < 16; i++) r[i] = a[i] | 0;
|
2260 | }
|
2261 |
|
2262 | function unpackneg(r, p) {
|
2263 | var t = gf(), chk = gf(), num = gf(),
|
2264 | den = gf(), den2 = gf(), den4 = gf(),
|
2265 | den6 = gf();
|
2266 |
|
2267 | set25519(r[2], gf1);
|
2268 | unpack25519(r[1], p);
|
2269 | S(num, r[1]);
|
2270 | M(den, num, D);
|
2271 | Z(num, num, r[2]);
|
2272 | A(den, r[2], den);
|
2273 |
|
2274 | S(den2, den);
|
2275 | S(den4, den2);
|
2276 | M(den6, den4, den2);
|
2277 | M(t, den6, num);
|
2278 | M(t, t, den);
|
2279 |
|
2280 | pow2523(t, t);
|
2281 | M(t, t, num);
|
2282 | M(t, t, den);
|
2283 | M(t, t, den);
|
2284 | M(r[0], t, den);
|
2285 |
|
2286 | S(chk, r[0]);
|
2287 | M(chk, chk, den);
|
2288 | if (neq25519(chk, num)) M(r[0], r[0], I);
|
2289 |
|
2290 | S(chk, r[0]);
|
2291 | M(chk, chk, den);
|
2292 | if (neq25519(chk, num)) return -1;
|
2293 |
|
2294 | if (par25519(r[0]) === (p[31] >> 7)) Z(r[0], gf0, r[0]);
|
2295 |
|
2296 | M(r[3], r[0], r[1]);
|
2297 | return 0;
|
2298 | }
|
2299 |
|
2300 |
|
2301 |
|
2302 |
|
2303 |
|
2304 | function convertPublicKey(pk) {
|
2305 | var z = new Uint8Array(32),
|
2306 | q = [gf(), gf(), gf(), gf()],
|
2307 | a = gf(), b = gf();
|
2308 |
|
2309 | if (unpackneg(q, pk)) return null;
|
2310 |
|
2311 | var y = q[1];
|
2312 |
|
2313 | A(a, gf1, y);
|
2314 | Z(b, gf1, y);
|
2315 | inv25519(b, b);
|
2316 | M(a, a, b);
|
2317 |
|
2318 | pack25519(z, a);
|
2319 | return z;
|
2320 | }
|
2321 |
|
2322 |
|
2323 | function convertSecretKey(sk) {
|
2324 | var d = new Uint8Array(64), o = new Uint8Array(32), i;
|
2325 | nacl.lowlevel.crypto_hash(d, sk, 32);
|
2326 | d[0] &= 248;
|
2327 | d[31] &= 127;
|
2328 | d[31] |= 64;
|
2329 | for (i = 0; i < 32; i++) o[i] = d[i];
|
2330 | for (i = 0; i < 64; i++) d[i] = 0;
|
2331 | return o;
|
2332 | }
|
2333 |
|
2334 | function convertKeyPair(edKeyPair) {
|
2335 | var publicKey = convertPublicKey(edKeyPair.publicKey);
|
2336 | if (!publicKey) return null;
|
2337 | return {
|
2338 | publicKey: publicKey,
|
2339 | secretKey: convertSecretKey(edKeyPair.secretKey)
|
2340 | };
|
2341 | }
|
2342 |
|
2343 | return {
|
2344 | convertPublicKey: convertPublicKey,
|
2345 | convertSecretKey: convertSecretKey,
|
2346 | convertKeyPair: convertKeyPair,
|
2347 | };
|
2348 |
|
2349 | }));
|
2350 |
|
2351 |
|
2352 | }),
|
2353 |
|
2354 | (function(module, exports, __webpack_require__) {
|
2355 |
|
2356 | "use strict";
|
2357 |
|
2358 |
|
2359 |
|
2360 |
|
2361 |
|
2362 |
|
2363 |
|
2364 |
|
2365 |
|
2366 |
|
2367 |
|
2368 |
|
2369 |
|
2370 |
|
2371 |
|
2372 |
|
2373 |
|
2374 |
|
2375 |
|
2376 |
|
2377 |
|
2378 | const CBOR = __webpack_require__(2);
|
2379 | const ed2curve = __webpack_require__(21);
|
2380 | const sodium = __webpack_require__(5);
|
2381 |
|
2382 | const ClassUtil = __webpack_require__(3);
|
2383 | const DontCallConstructor = __webpack_require__(0);
|
2384 | const PublicKey = __webpack_require__(4);
|
2385 | const TypeUtil = __webpack_require__(1);
|
2386 |
|
2387 |
|
2388 |
|
2389 |
|
2390 |
|
2391 |
|
2392 |
|
2393 | class SecretKey {
|
2394 | constructor() {
|
2395 | throw new DontCallConstructor(this);
|
2396 | }
|
2397 |
|
2398 | |
2399 |
|
2400 |
|
2401 |
|
2402 |
|
2403 | static new(sec_edward, sec_curve) {
|
2404 | TypeUtil.assert_is_instance(Uint8Array, sec_edward);
|
2405 | TypeUtil.assert_is_instance(Uint8Array, sec_curve);
|
2406 |
|
2407 | const sk = ClassUtil.new_instance(SecretKey);
|
2408 |
|
2409 |
|
2410 | sk.sec_edward = sec_edward;
|
2411 |
|
2412 | sk.sec_curve = sec_curve;
|
2413 | return sk;
|
2414 | }
|
2415 |
|
2416 | |
2417 |
|
2418 |
|
2419 |
|
2420 |
|
2421 | sign(message) {
|
2422 | return sodium.crypto_sign_detached(message, this.sec_edward);
|
2423 | }
|
2424 |
|
2425 | |
2426 |
|
2427 |
|
2428 |
|
2429 |
|
2430 |
|
2431 | shared_secret(public_key) {
|
2432 | TypeUtil.assert_is_instance(PublicKey, public_key);
|
2433 |
|
2434 | return sodium.crypto_scalarmult(this.sec_curve, public_key.pub_curve);
|
2435 | }
|
2436 |
|
2437 | |
2438 |
|
2439 |
|
2440 |
|
2441 | encode(e) {
|
2442 | e.object(1);
|
2443 | e.u8(0);
|
2444 | return e.bytes(this.sec_edward);
|
2445 | }
|
2446 |
|
2447 | |
2448 |
|
2449 |
|
2450 |
|
2451 | static decode(d) {
|
2452 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
2453 |
|
2454 | const self = ClassUtil.new_instance(SecretKey);
|
2455 |
|
2456 | const nprops = d.object();
|
2457 | for (let i = 0; i <= nprops - 1; i++) {
|
2458 | switch (d.u8()) {
|
2459 | case 0:
|
2460 | self.sec_edward = new Uint8Array(d.bytes());
|
2461 | break;
|
2462 | default:
|
2463 | d.skip();
|
2464 | }
|
2465 | }
|
2466 |
|
2467 | TypeUtil.assert_is_instance(Uint8Array, self.sec_edward);
|
2468 |
|
2469 | self.sec_curve = ed2curve.convertSecretKey(self.sec_edward);
|
2470 | return self;
|
2471 | }
|
2472 | }
|
2473 |
|
2474 | module.exports = SecretKey;
|
2475 |
|
2476 |
|
2477 | }),
|
2478 |
|
2479 | (function(module, exports, __webpack_require__) {
|
2480 |
|
2481 | "use strict";
|
2482 |
|
2483 |
|
2484 |
|
2485 |
|
2486 |
|
2487 |
|
2488 |
|
2489 |
|
2490 |
|
2491 |
|
2492 |
|
2493 |
|
2494 |
|
2495 |
|
2496 |
|
2497 |
|
2498 |
|
2499 |
|
2500 |
|
2501 |
|
2502 |
|
2503 | const CBOR = __webpack_require__(2);
|
2504 | const sodium = __webpack_require__(5);
|
2505 |
|
2506 | const ClassUtil = __webpack_require__(3);
|
2507 | const DontCallConstructor = __webpack_require__(0);
|
2508 | const TypeUtil = __webpack_require__(1);
|
2509 |
|
2510 | const IdentityKey = __webpack_require__(8);
|
2511 | const IdentityKeyPair = __webpack_require__(11);
|
2512 | const PreKey = __webpack_require__(24);
|
2513 | const PreKeyAuth = __webpack_require__(28);
|
2514 | const PublicKey = __webpack_require__(4);
|
2515 |
|
2516 |
|
2517 |
|
2518 |
|
2519 |
|
2520 |
|
2521 |
|
2522 | class PreKeyBundle {
|
2523 | constructor() {
|
2524 | throw new DontCallConstructor(this);
|
2525 | }
|
2526 |
|
2527 | |
2528 |
|
2529 |
|
2530 |
|
2531 |
|
2532 | static new(public_identity_key, prekey) {
|
2533 | TypeUtil.assert_is_instance(IdentityKey, public_identity_key);
|
2534 | TypeUtil.assert_is_instance(PreKey, prekey);
|
2535 |
|
2536 |
|
2537 | const bundle = ClassUtil.new_instance(PreKeyBundle);
|
2538 |
|
2539 | bundle.version = 1;
|
2540 | bundle.prekey_id = prekey.key_id;
|
2541 | bundle.public_key = prekey.key_pair.public_key;
|
2542 | bundle.identity_key = public_identity_key;
|
2543 | bundle.signature = null;
|
2544 |
|
2545 | return bundle;
|
2546 | }
|
2547 |
|
2548 | |
2549 |
|
2550 |
|
2551 |
|
2552 |
|
2553 | static signed(identity_pair, prekey) {
|
2554 | TypeUtil.assert_is_instance(IdentityKeyPair, identity_pair);
|
2555 | TypeUtil.assert_is_instance(PreKey, prekey);
|
2556 |
|
2557 |
|
2558 | const ratchet_key = prekey.key_pair.public_key;
|
2559 |
|
2560 | const signature = identity_pair.secret_key.sign(ratchet_key.pub_edward);
|
2561 |
|
2562 |
|
2563 | const bundle = ClassUtil.new_instance(PreKeyBundle);
|
2564 |
|
2565 | bundle.version = 1;
|
2566 | bundle.prekey_id = prekey.key_id;
|
2567 | bundle.public_key = ratchet_key;
|
2568 | bundle.identity_key = identity_pair.public_key;
|
2569 | bundle.signature = signature;
|
2570 |
|
2571 | return bundle;
|
2572 | }
|
2573 |
|
2574 |
|
2575 | verify() {
|
2576 | if (!this.signature) {
|
2577 | return PreKeyAuth.UNKNOWN;
|
2578 | }
|
2579 |
|
2580 | if (this.identity_key.public_key.verify(this.signature, this.public_key.pub_edward)) {
|
2581 | return PreKeyAuth.VALID;
|
2582 | }
|
2583 | return PreKeyAuth.INVALID;
|
2584 | }
|
2585 |
|
2586 |
|
2587 | serialise() {
|
2588 | const e = new CBOR.Encoder();
|
2589 | this.encode(e);
|
2590 | return e.get_buffer();
|
2591 | }
|
2592 |
|
2593 | |
2594 |
|
2595 |
|
2596 |
|
2597 |
|
2598 |
|
2599 | serialised_json() {
|
2600 | return {
|
2601 | 'id': this.prekey_id,
|
2602 | 'key': sodium.to_base64(new Uint8Array(this.serialise()), true),
|
2603 | };
|
2604 | }
|
2605 |
|
2606 | |
2607 |
|
2608 |
|
2609 |
|
2610 | static deserialise(buf) {
|
2611 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
2612 | return PreKeyBundle.decode(new CBOR.Decoder(buf));
|
2613 | }
|
2614 |
|
2615 | |
2616 |
|
2617 |
|
2618 |
|
2619 | encode(e) {
|
2620 | TypeUtil.assert_is_instance(CBOR.Encoder, e);
|
2621 |
|
2622 | e.object(5);
|
2623 | e.u8(0);
|
2624 | e.u8(this.version);
|
2625 | e.u8(1);
|
2626 | e.u16(this.prekey_id);
|
2627 | e.u8(2);
|
2628 | this.public_key.encode(e);
|
2629 | e.u8(3);
|
2630 | this.identity_key.encode(e);
|
2631 |
|
2632 | e.u8(4);
|
2633 | if (!this.signature) {
|
2634 | return e.null();
|
2635 | } else {
|
2636 | return e.bytes(this.signature);
|
2637 | }
|
2638 | }
|
2639 |
|
2640 | |
2641 |
|
2642 |
|
2643 |
|
2644 | static decode(d) {
|
2645 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
2646 |
|
2647 | const self = ClassUtil.new_instance(PreKeyBundle);
|
2648 |
|
2649 | const nprops = d.object();
|
2650 | for (let i = 0; i <= nprops - 1; i++) {
|
2651 | switch (d.u8()) {
|
2652 | case 0:
|
2653 | self.version = d.u8();
|
2654 | break;
|
2655 | case 1:
|
2656 | self.prekey_id = d.u16();
|
2657 | break;
|
2658 | case 2:
|
2659 | self.public_key = PublicKey.decode(d);
|
2660 | break;
|
2661 | case 3:
|
2662 | self.identity_key = IdentityKey.decode(d);
|
2663 | break;
|
2664 | case 4:
|
2665 | self.signature = d.optional(() => new Uint8Array(d.bytes()));
|
2666 | break;
|
2667 | default:
|
2668 | d.skip();
|
2669 | }
|
2670 | }
|
2671 |
|
2672 | TypeUtil.assert_is_integer(self.version);
|
2673 | TypeUtil.assert_is_integer(self.prekey_id);
|
2674 | TypeUtil.assert_is_instance(PublicKey, self.public_key);
|
2675 | TypeUtil.assert_is_instance(IdentityKey, self.identity_key);
|
2676 |
|
2677 | return self;
|
2678 | }
|
2679 | }
|
2680 |
|
2681 | module.exports = PreKeyBundle;
|
2682 |
|
2683 |
|
2684 | }),
|
2685 |
|
2686 | (function(module, exports, __webpack_require__) {
|
2687 |
|
2688 | "use strict";
|
2689 |
|
2690 |
|
2691 |
|
2692 |
|
2693 |
|
2694 |
|
2695 |
|
2696 |
|
2697 |
|
2698 |
|
2699 |
|
2700 |
|
2701 |
|
2702 |
|
2703 |
|
2704 |
|
2705 |
|
2706 |
|
2707 |
|
2708 |
|
2709 |
|
2710 | const CBOR = __webpack_require__(2);
|
2711 |
|
2712 | const ClassUtil = __webpack_require__(3);
|
2713 | const DontCallConstructor = __webpack_require__(0);
|
2714 | const InputError = __webpack_require__(20);
|
2715 | const TypeUtil = __webpack_require__(1);
|
2716 |
|
2717 | const KeyPair = __webpack_require__(7);
|
2718 |
|
2719 |
|
2720 |
|
2721 |
|
2722 |
|
2723 |
|
2724 |
|
2725 |
|
2726 |
|
2727 | class PreKey {
|
2728 | constructor() {
|
2729 | throw new DontCallConstructor(this);
|
2730 | }
|
2731 |
|
2732 |
|
2733 | static get MAX_PREKEY_ID() {
|
2734 | return 0xFFFF;
|
2735 | }
|
2736 |
|
2737 | |
2738 |
|
2739 |
|
2740 |
|
2741 |
|
2742 | static new(pre_key_id) {
|
2743 | this.validate_pre_key_id(pre_key_id);
|
2744 |
|
2745 | const pk = ClassUtil.new_instance(PreKey);
|
2746 |
|
2747 | pk.version = 1;
|
2748 | pk.key_id = pre_key_id;
|
2749 | pk.key_pair = KeyPair.new();
|
2750 | return pk;
|
2751 | }
|
2752 |
|
2753 | static validate_pre_key_id(pre_key_id) {
|
2754 | TypeUtil.assert_is_integer(pre_key_id);
|
2755 |
|
2756 | if (pre_key_id < 0 || pre_key_id > PreKey.MAX_PREKEY_ID) {
|
2757 | const message = `PreKey ID (${pre_key_id}) must be between or equal to 0 and ${PreKey.MAX_PREKEY_ID}.`;
|
2758 | throw new InputError.RangeError(message, InputError.CODE.CASE_400);
|
2759 | }
|
2760 | }
|
2761 |
|
2762 |
|
2763 | static last_resort() {
|
2764 | return PreKey.new(PreKey.MAX_PREKEY_ID);
|
2765 | }
|
2766 |
|
2767 | |
2768 |
|
2769 |
|
2770 |
|
2771 |
|
2772 |
|
2773 | static generate_prekeys(start, size) {
|
2774 | this.validate_pre_key_id(start);
|
2775 | this.validate_pre_key_id(size);
|
2776 |
|
2777 | if (size === 0) {
|
2778 | return [];
|
2779 | }
|
2780 |
|
2781 | return [...Array(size).keys()].map((x) => PreKey.new((start + x) % PreKey.MAX_PREKEY_ID));
|
2782 | }
|
2783 |
|
2784 |
|
2785 | serialise() {
|
2786 | const e = new CBOR.Encoder();
|
2787 | this.encode(e);
|
2788 | return e.get_buffer();
|
2789 | }
|
2790 |
|
2791 | |
2792 |
|
2793 |
|
2794 |
|
2795 | static deserialise(buf) {
|
2796 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
2797 | return PreKey.decode(new CBOR.Decoder(buf));
|
2798 | }
|
2799 |
|
2800 | |
2801 |
|
2802 |
|
2803 |
|
2804 | encode(e) {
|
2805 | TypeUtil.assert_is_instance(CBOR.Encoder, e);
|
2806 | e.object(3);
|
2807 | e.u8(0);
|
2808 | e.u8(this.version);
|
2809 | e.u8(1);
|
2810 | e.u16(this.key_id);
|
2811 | e.u8(2);
|
2812 | return this.key_pair.encode(e);
|
2813 | }
|
2814 |
|
2815 | |
2816 |
|
2817 |
|
2818 |
|
2819 | static decode(d) {
|
2820 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
2821 |
|
2822 | const self = ClassUtil.new_instance(PreKey);
|
2823 |
|
2824 | const nprops = d.object();
|
2825 | for (let i = 0; i <= nprops - 1; i++) {
|
2826 | switch (d.u8()) {
|
2827 | case 0:
|
2828 | self.version = d.u8();
|
2829 | break;
|
2830 | case 1:
|
2831 | self.key_id = d.u16();
|
2832 | break;
|
2833 | case 2:
|
2834 | self.key_pair = KeyPair.decode(d);
|
2835 | break;
|
2836 | default:
|
2837 | d.skip();
|
2838 | }
|
2839 | }
|
2840 |
|
2841 | TypeUtil.assert_is_integer(self.version);
|
2842 | TypeUtil.assert_is_integer(self.key_id);
|
2843 | TypeUtil.assert_is_instance(KeyPair, self.key_pair);
|
2844 |
|
2845 | return self;
|
2846 | }
|
2847 | }
|
2848 |
|
2849 | module.exports = PreKey;
|
2850 |
|
2851 |
|
2852 | }),
|
2853 |
|
2854 | (function(module, exports, __webpack_require__) {
|
2855 |
|
2856 | "use strict";
|
2857 |
|
2858 |
|
2859 |
|
2860 |
|
2861 |
|
2862 |
|
2863 |
|
2864 |
|
2865 |
|
2866 |
|
2867 |
|
2868 |
|
2869 |
|
2870 |
|
2871 |
|
2872 |
|
2873 |
|
2874 |
|
2875 |
|
2876 |
|
2877 |
|
2878 | const CBOR = __webpack_require__(2);
|
2879 |
|
2880 | const ClassUtil = __webpack_require__(3);
|
2881 | const DontCallConstructor = __webpack_require__(0);
|
2882 | const TypeUtil = __webpack_require__(1);
|
2883 |
|
2884 | const PublicKey = __webpack_require__(4);
|
2885 |
|
2886 |
|
2887 |
|
2888 |
|
2889 |
|
2890 |
|
2891 |
|
2892 | class Header {
|
2893 | constructor() {
|
2894 | throw new DontCallConstructor(this);
|
2895 | }
|
2896 |
|
2897 | |
2898 |
|
2899 |
|
2900 |
|
2901 |
|
2902 |
|
2903 | static new(counter, prev_counter, ratchet_key) {
|
2904 | TypeUtil.assert_is_integer(counter);
|
2905 | TypeUtil.assert_is_integer(prev_counter);
|
2906 | TypeUtil.assert_is_instance(PublicKey, ratchet_key);
|
2907 |
|
2908 | const hd = ClassUtil.new_instance(Header);
|
2909 |
|
2910 | hd.counter = counter;
|
2911 | hd.prev_counter = prev_counter;
|
2912 | hd.ratchet_key = ratchet_key;
|
2913 |
|
2914 | Object.freeze(hd);
|
2915 | return hd;
|
2916 | }
|
2917 |
|
2918 |
|
2919 | serialise() {
|
2920 | const e = new CBOR.Encoder();
|
2921 | this.encode(e);
|
2922 | return e.get_buffer();
|
2923 | }
|
2924 |
|
2925 | |
2926 |
|
2927 |
|
2928 |
|
2929 | static deserialise(buf) {
|
2930 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
2931 |
|
2932 | const d = new CBOR.Decoder(buf);
|
2933 | return Header.decode(d);
|
2934 | }
|
2935 |
|
2936 | |
2937 |
|
2938 |
|
2939 |
|
2940 | encode(e) {
|
2941 | e.object(3);
|
2942 | e.u8(0);
|
2943 | e.u32(this.counter);
|
2944 | e.u8(1);
|
2945 | e.u32(this.prev_counter);
|
2946 | e.u8(2);
|
2947 | return this.ratchet_key.encode(e);
|
2948 | }
|
2949 |
|
2950 | |
2951 |
|
2952 |
|
2953 |
|
2954 | static decode(d) {
|
2955 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
2956 |
|
2957 | let counter = null;
|
2958 | let prev_counter = null;
|
2959 | let ratchet_key = null;
|
2960 |
|
2961 | const nprops = d.object();
|
2962 | for (let i = 0; i <= nprops - 1; i++) {
|
2963 | switch (d.u8()) {
|
2964 | case 0:
|
2965 | counter = d.u32();
|
2966 | break;
|
2967 | case 1:
|
2968 | prev_counter = d.u32();
|
2969 | break;
|
2970 | case 2:
|
2971 | ratchet_key = PublicKey.decode(d);
|
2972 | break;
|
2973 |
|
2974 | default:
|
2975 | d.skip();
|
2976 | }
|
2977 | }
|
2978 |
|
2979 | return Header.new(counter, prev_counter, ratchet_key);
|
2980 | }
|
2981 | }
|
2982 |
|
2983 | module.exports = Header;
|
2984 |
|
2985 |
|
2986 | }),
|
2987 |
|
2988 | (function(module, exports, __webpack_require__) {
|
2989 |
|
2990 | "use strict";
|
2991 |
|
2992 |
|
2993 |
|
2994 |
|
2995 |
|
2996 |
|
2997 |
|
2998 |
|
2999 |
|
3000 |
|
3001 |
|
3002 |
|
3003 |
|
3004 |
|
3005 |
|
3006 |
|
3007 |
|
3008 |
|
3009 |
|
3010 |
|
3011 |
|
3012 | const ClassUtil = __webpack_require__(3);
|
3013 | const DontCallConstructor = __webpack_require__(0);
|
3014 | const KeyDerivationUtil = __webpack_require__(37);
|
3015 | const MemoryUtil = __webpack_require__(16);
|
3016 |
|
3017 | const CipherKey = __webpack_require__(27);
|
3018 | const MacKey = __webpack_require__(15);
|
3019 | const HeadKey = __webpack_require__(17);
|
3020 |
|
3021 |
|
3022 |
|
3023 |
|
3024 |
|
3025 |
|
3026 |
|
3027 | class DerivedSecrets {
|
3028 | constructor() {
|
3029 | throw new DontCallConstructor(this);
|
3030 | }
|
3031 |
|
3032 | |
3033 |
|
3034 |
|
3035 |
|
3036 |
|
3037 |
|
3038 | static kdf_init(input, salt, info) {
|
3039 | const byte_length = 128;
|
3040 |
|
3041 | const output_key_material = KeyDerivationUtil.hkdf(salt, input, info, byte_length);
|
3042 |
|
3043 | const cipher_key = new Uint8Array(output_key_material.buffer.slice(0, 32));
|
3044 | const mac_key = new Uint8Array(output_key_material.buffer.slice(32, 64));
|
3045 | const head_key = new Uint8Array(output_key_material.buffer.slice(64, 96));
|
3046 | const next_head_key = new Uint8Array(output_key_material.buffer.slice(96, 128));
|
3047 |
|
3048 | MemoryUtil.zeroize(output_key_material.buffer);
|
3049 |
|
3050 | const ds = ClassUtil.new_instance(DerivedSecrets);
|
3051 |
|
3052 | ds.cipher_key = CipherKey.new(cipher_key);
|
3053 |
|
3054 | ds.mac_key = MacKey.new(mac_key);
|
3055 |
|
3056 | ds.head_key_alice = HeadKey.new(head_key);
|
3057 |
|
3058 | ds.next_head_key_bob = HeadKey.new(next_head_key);
|
3059 | return ds;
|
3060 | }
|
3061 |
|
3062 | |
3063 |
|
3064 |
|
3065 |
|
3066 |
|
3067 |
|
3068 | static kdf(input, salt, info) {
|
3069 | const byte_length = 96;
|
3070 |
|
3071 | const output_key_material = KeyDerivationUtil.hkdf(salt, input, info, byte_length);
|
3072 |
|
3073 | const cipher_key = new Uint8Array(output_key_material.buffer.slice(0, 32));
|
3074 | const mac_key = new Uint8Array(output_key_material.buffer.slice(32, 64));
|
3075 | const next_head_key = new Uint8Array(output_key_material.buffer.slice(64, 96));
|
3076 |
|
3077 | MemoryUtil.zeroize(output_key_material.buffer);
|
3078 |
|
3079 | const ds = ClassUtil.new_instance(DerivedSecrets);
|
3080 |
|
3081 | ds.cipher_key = CipherKey.new(cipher_key);
|
3082 |
|
3083 | ds.mac_key = MacKey.new(mac_key);
|
3084 |
|
3085 | ds.next_head_key = HeadKey.new(next_head_key);
|
3086 | return ds;
|
3087 | }
|
3088 |
|
3089 | |
3090 |
|
3091 |
|
3092 |
|
3093 |
|
3094 | static kdf_without_salt(input, info) {
|
3095 | return this.kdf_init(input, new Uint8Array(0), info);
|
3096 | }
|
3097 | }
|
3098 |
|
3099 | module.exports = DerivedSecrets;
|
3100 |
|
3101 |
|
3102 | }),
|
3103 |
|
3104 | (function(module, exports, __webpack_require__) {
|
3105 |
|
3106 | "use strict";
|
3107 |
|
3108 |
|
3109 |
|
3110 |
|
3111 |
|
3112 |
|
3113 |
|
3114 |
|
3115 |
|
3116 |
|
3117 |
|
3118 |
|
3119 |
|
3120 |
|
3121 |
|
3122 |
|
3123 |
|
3124 |
|
3125 |
|
3126 |
|
3127 |
|
3128 | const CBOR = __webpack_require__(2);
|
3129 | const sodium = __webpack_require__(5);
|
3130 |
|
3131 | const ClassUtil = __webpack_require__(3);
|
3132 | const DontCallConstructor = __webpack_require__(0);
|
3133 | const TypeUtil = __webpack_require__(1);
|
3134 |
|
3135 |
|
3136 |
|
3137 |
|
3138 |
|
3139 |
|
3140 |
|
3141 | class CipherKey {
|
3142 | constructor() {
|
3143 | throw new DontCallConstructor(this);
|
3144 | }
|
3145 |
|
3146 | |
3147 |
|
3148 |
|
3149 |
|
3150 | static new(key) {
|
3151 | TypeUtil.assert_is_instance(Uint8Array, key);
|
3152 |
|
3153 | const ck = ClassUtil.new_instance(CipherKey);
|
3154 |
|
3155 | ck.key = key;
|
3156 | return ck;
|
3157 | }
|
3158 |
|
3159 | |
3160 |
|
3161 |
|
3162 |
|
3163 |
|
3164 | encrypt(plaintext, nonce) {
|
3165 |
|
3166 | if (plaintext instanceof ArrayBuffer && plaintext.byteLength !== undefined) {
|
3167 | plaintext = new Uint8Array(plaintext);
|
3168 | }
|
3169 |
|
3170 | return sodium.crypto_stream_chacha20_xor(plaintext, nonce, this.key, 'uint8array');
|
3171 | }
|
3172 |
|
3173 | |
3174 |
|
3175 |
|
3176 |
|
3177 |
|
3178 | decrypt(ciphertext, nonce) {
|
3179 | return this.encrypt(ciphertext, nonce);
|
3180 | }
|
3181 |
|
3182 | |
3183 |
|
3184 |
|
3185 |
|
3186 | encode(e) {
|
3187 | e.object(1);
|
3188 | e.u8(0);
|
3189 | return e.bytes(this.key);
|
3190 | }
|
3191 |
|
3192 | |
3193 |
|
3194 |
|
3195 |
|
3196 | static decode(d) {
|
3197 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
3198 |
|
3199 | let key_bytes = null;
|
3200 |
|
3201 | const nprops = d.object();
|
3202 | for (let i = 0; i <= nprops - 1; i++) {
|
3203 | switch (d.u8()) {
|
3204 | case 0:
|
3205 | key_bytes = new Uint8Array(d.bytes());
|
3206 | break;
|
3207 | default:
|
3208 | d.skip();
|
3209 | }
|
3210 | }
|
3211 | return CipherKey.new(key_bytes);
|
3212 | }
|
3213 | }
|
3214 |
|
3215 | module.exports = CipherKey;
|
3216 |
|
3217 |
|
3218 | }),
|
3219 |
|
3220 | (function(module, exports, __webpack_require__) {
|
3221 |
|
3222 | "use strict";
|
3223 |
|
3224 |
|
3225 |
|
3226 |
|
3227 |
|
3228 |
|
3229 |
|
3230 |
|
3231 |
|
3232 |
|
3233 |
|
3234 |
|
3235 |
|
3236 |
|
3237 |
|
3238 |
|
3239 |
|
3240 |
|
3241 |
|
3242 |
|
3243 |
|
3244 |
|
3245 |
|
3246 |
|
3247 | class PreKeyAuth {
|
3248 |
|
3249 |
|
3250 | static get INVALID() {
|
3251 | return 'Invalid';
|
3252 | }
|
3253 |
|
3254 |
|
3255 | static get UNKNOWN() {
|
3256 | return 'Unknown';
|
3257 | }
|
3258 |
|
3259 |
|
3260 | static get VALID() {
|
3261 | return 'Valid';
|
3262 | }
|
3263 | }
|
3264 |
|
3265 | module.exports = PreKeyAuth;
|
3266 |
|
3267 |
|
3268 | }),
|
3269 |
|
3270 | (function(module, exports, __webpack_require__) {
|
3271 |
|
3272 | "use strict";
|
3273 |
|
3274 |
|
3275 |
|
3276 |
|
3277 |
|
3278 |
|
3279 |
|
3280 |
|
3281 |
|
3282 |
|
3283 |
|
3284 |
|
3285 |
|
3286 |
|
3287 |
|
3288 |
|
3289 |
|
3290 |
|
3291 |
|
3292 |
|
3293 |
|
3294 |
|
3295 |
|
3296 |
|
3297 | function PreKeyStore() {
|
3298 | }
|
3299 |
|
3300 |
|
3301 | PreKeyStore.prekeys = [];
|
3302 |
|
3303 |
|
3304 |
|
3305 |
|
3306 |
|
3307 |
|
3308 | PreKeyStore.prototype.get_prekey = function (prekey_id) {
|
3309 | throw Error('Virtual function unimplemented');
|
3310 | };
|
3311 |
|
3312 |
|
3313 |
|
3314 |
|
3315 |
|
3316 |
|
3317 | PreKeyStore.prototype.remove = function (prekey_id) {
|
3318 | throw Error('Virtual function unimplemented');
|
3319 | };
|
3320 |
|
3321 | module.exports = PreKeyStore;
|
3322 |
|
3323 |
|
3324 | }),
|
3325 |
|
3326 | (function(module, exports, __webpack_require__) {
|
3327 |
|
3328 | "use strict";
|
3329 |
|
3330 |
|
3331 |
|
3332 |
|
3333 |
|
3334 |
|
3335 |
|
3336 |
|
3337 |
|
3338 |
|
3339 |
|
3340 |
|
3341 |
|
3342 |
|
3343 |
|
3344 |
|
3345 |
|
3346 |
|
3347 |
|
3348 |
|
3349 |
|
3350 | const CBOR = __webpack_require__(2);
|
3351 |
|
3352 | const ClassUtil = __webpack_require__(3);
|
3353 | const DontCallConstructor = __webpack_require__(0);
|
3354 | const MemoryUtil = __webpack_require__(16);
|
3355 | const TypeUtil = __webpack_require__(1);
|
3356 |
|
3357 | const DecodeError = __webpack_require__(19);
|
3358 | const DecryptError = __webpack_require__(10);
|
3359 | const ProteusError = __webpack_require__(6);
|
3360 |
|
3361 | const IdentityKey = __webpack_require__(8);
|
3362 | const IdentityKeyPair = __webpack_require__(11);
|
3363 | const KeyPair = __webpack_require__(7);
|
3364 | const PreKey = __webpack_require__(24);
|
3365 | const PreKeyBundle = __webpack_require__(23);
|
3366 | const PublicKey = __webpack_require__(4);
|
3367 |
|
3368 | const HeaderMessage = __webpack_require__(9);
|
3369 | const Envelope = __webpack_require__(14);
|
3370 | const PreKeyMessage = __webpack_require__(13);
|
3371 |
|
3372 | const PreKeyStore = __webpack_require__(29);
|
3373 |
|
3374 |
|
3375 |
|
3376 |
|
3377 |
|
3378 |
|
3379 |
|
3380 | class Session {
|
3381 | constructor() {
|
3382 | this.local_identity = null;
|
3383 | this.pending_prekey = null;
|
3384 | this.remote_identity = null;
|
3385 | this.session_states = [];
|
3386 | this.version = 1;
|
3387 |
|
3388 | throw new DontCallConstructor(this);
|
3389 | }
|
3390 |
|
3391 |
|
3392 | static get MAX_RECV_CHAINS() {
|
3393 | return 5;
|
3394 | }
|
3395 |
|
3396 |
|
3397 | static get MAX_SESSION_STATES() {
|
3398 | return 100;
|
3399 | }
|
3400 |
|
3401 | |
3402 |
|
3403 |
|
3404 |
|
3405 |
|
3406 | static init_from_prekey(local_identity, remote_pkbundle) {
|
3407 | return new Promise((resolve) => {
|
3408 | TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
|
3409 | TypeUtil.assert_is_instance(PreKeyBundle, remote_pkbundle);
|
3410 |
|
3411 | const alice_base = KeyPair.new();
|
3412 |
|
3413 | const state = SessionState.init_as_alice(local_identity, alice_base, remote_pkbundle);
|
3414 |
|
3415 | const session = ClassUtil.new_instance(this);
|
3416 | session.local_identity = local_identity;
|
3417 | session.remote_identity = remote_pkbundle.identity_key;
|
3418 | session.pending_prekey = [remote_pkbundle.prekey_id, alice_base.public_key];
|
3419 | session.session_states = [];
|
3420 |
|
3421 | session._insert_session_state(state);
|
3422 | return resolve(session);
|
3423 | });
|
3424 | }
|
3425 |
|
3426 | |
3427 |
|
3428 |
|
3429 |
|
3430 |
|
3431 |
|
3432 |
|
3433 |
|
3434 | static init_from_message(our_identity, prekey_store, envelope) {
|
3435 | return new Promise((resolve, reject) => {
|
3436 | TypeUtil.assert_is_instance(IdentityKeyPair, our_identity);
|
3437 | TypeUtil.assert_is_instance(PreKeyStore, prekey_store);
|
3438 | TypeUtil.assert_is_instance(Envelope, envelope);
|
3439 |
|
3440 | const pkmsg = (() => {
|
3441 | if (envelope.message instanceof HeaderMessage) {
|
3442 | throw new DecryptError.InvalidMessage(
|
3443 | 'Can\'t initialise a session from a HeaderMessage.', DecryptError.CODE.CASE_201
|
3444 | );
|
3445 | } else if (envelope.message instanceof PreKeyMessage) {
|
3446 | return envelope.message;
|
3447 | } else {
|
3448 | throw new DecryptError.InvalidMessage(
|
3449 | 'Unknown message format: The message is neither a "HeaderMessage" nor a "PreKeyMessage".', DecryptError.CODE.CASE_202
|
3450 | );
|
3451 | }
|
3452 | })();
|
3453 |
|
3454 | const session = ClassUtil.new_instance(Session);
|
3455 | session.local_identity = our_identity;
|
3456 | session.remote_identity = pkmsg.identity_key;
|
3457 | session.pending_prekey = null;
|
3458 | session.session_states = [];
|
3459 |
|
3460 | return session._new_state(prekey_store, pkmsg).then((state) => {
|
3461 | const plain = state.decrypt(envelope, pkmsg.message);
|
3462 | session._insert_session_state(state);
|
3463 |
|
3464 | if (pkmsg.prekey_id < PreKey.MAX_PREKEY_ID) {
|
3465 | MemoryUtil.zeroize(prekey_store.prekeys[pkmsg.prekey_id]);
|
3466 | return prekey_store.remove(pkmsg.prekey_id).then(() => resolve([session, plain])).catch((error) => {
|
3467 | reject(new DecryptError.PrekeyNotFound(`Could not delete PreKey: ${error.message}`, DecryptError.CODE.CASE_203));
|
3468 | });
|
3469 | } else {
|
3470 | return resolve([session, plain]);
|
3471 | }
|
3472 | }).catch(reject);
|
3473 | });
|
3474 | }
|
3475 |
|
3476 | |
3477 |
|
3478 |
|
3479 |
|
3480 |
|
3481 |
|
3482 |
|
3483 | _new_state(pre_key_store, pre_key_message) {
|
3484 | return pre_key_store.get_prekey(pre_key_message.prekey_id).then((pre_key) => {
|
3485 | if (pre_key) {
|
3486 | return SessionState.init_as_bob(
|
3487 | this.local_identity,
|
3488 | pre_key.key_pair,
|
3489 | pre_key_message.identity_key,
|
3490 | pre_key_message.base_key
|
3491 | );
|
3492 | }
|
3493 | throw new ProteusError('Unable to get PreKey from PreKey store.', ProteusError.prototype.CODE.CASE_101);
|
3494 | });
|
3495 | }
|
3496 |
|
3497 | |
3498 |
|
3499 |
|
3500 |
|
3501 |
|
3502 | _insert_session_state(state) {
|
3503 | this.session_states.unshift(state);
|
3504 |
|
3505 | const size = this.session_states.length;
|
3506 | if (size < Session.MAX_SESSION_STATES) {
|
3507 | return true;
|
3508 | }
|
3509 |
|
3510 |
|
3511 |
|
3512 | return delete this.session_states[size - 1];
|
3513 | }
|
3514 |
|
3515 |
|
3516 | get_local_identity() {
|
3517 | return this.local_identity.public_key;
|
3518 | }
|
3519 |
|
3520 | |
3521 |
|
3522 |
|
3523 |
|
3524 |
|
3525 | encrypt(plaintext, confuse_pre_key_id) {
|
3526 | return new Promise((resolve, reject) => {
|
3527 | const state = this.session_states[0];
|
3528 |
|
3529 | if (!state) {
|
3530 | return reject(new ProteusError(
|
3531 | 'Could not find session.', ProteusError.prototype.CODE.CASE_102
|
3532 | ));
|
3533 | }
|
3534 |
|
3535 | return resolve(state.encrypt(
|
3536 | this.local_identity.public_key,
|
3537 | this.pending_prekey,
|
3538 | plaintext,
|
3539 | confuse_pre_key_id
|
3540 | ));
|
3541 | });
|
3542 | }
|
3543 |
|
3544 | |
3545 |
|
3546 |
|
3547 |
|
3548 |
|
3549 |
|
3550 | decrypt(prekey_store, envelope) {
|
3551 | return new Promise((resolve) => {
|
3552 | TypeUtil.assert_is_instance(PreKeyStore, prekey_store);
|
3553 | TypeUtil.assert_is_instance(Envelope, envelope);
|
3554 |
|
3555 | const msg = envelope.message;
|
3556 | if (msg instanceof HeaderMessage) {
|
3557 | return resolve(this._try_decrypt_header_message(envelope, msg, 0));
|
3558 | } else if (msg instanceof PreKeyMessage) {
|
3559 | const actual_fingerprint = msg.identity_key.fingerprint();
|
3560 | const expected_fingerprint = this.remote_identity.fingerprint();
|
3561 | if (actual_fingerprint !== expected_fingerprint) {
|
3562 | const message = `Fingerprints do not match: We expected '${expected_fingerprint}', but received '${actual_fingerprint}'.`;
|
3563 | throw new DecryptError.RemoteIdentityChanged(message, DecryptError.CODE.CASE_204);
|
3564 | }
|
3565 | return resolve(this._decrypt_prekey_message(envelope, msg, prekey_store));
|
3566 | } else {
|
3567 | throw new DecryptError('Unknown message type.', DecryptError.CODE.CASE_200);
|
3568 | }
|
3569 | });
|
3570 | }
|
3571 |
|
3572 | |
3573 |
|
3574 |
|
3575 |
|
3576 |
|
3577 |
|
3578 |
|
3579 |
|
3580 | _decrypt_prekey_message(envelope, msg, prekey_store) {
|
3581 | return Promise.resolve().then(() => this._decrypt_header_message(envelope, msg.message)).catch((error) => {
|
3582 | const try_create_new_state_and_decrypt = () => {
|
3583 | return this._new_state(prekey_store, msg).then((state) => {
|
3584 | const plaintext = state.decrypt(envelope, msg.message);
|
3585 | if (msg.prekey_id !== PreKey.MAX_PREKEY_ID) {
|
3586 | MemoryUtil.zeroize(prekey_store.prekeys[msg.prekey_id]);
|
3587 | prekey_store.remove(msg.prekey_id);
|
3588 | }
|
3589 |
|
3590 | this._insert_session_state(state);
|
3591 | this.pending_prekey = null;
|
3592 |
|
3593 | return plaintext;
|
3594 | });
|
3595 | };
|
3596 |
|
3597 | if (error instanceof DecryptError.InvalidMessage) {
|
3598 |
|
3599 | try_create_new_state_and_decrypt();
|
3600 | }
|
3601 |
|
3602 | if (error instanceof DecryptError.HeaderDecryptionFailed) {
|
3603 |
|
3604 | let fail_counter = 1;
|
3605 | const state_size = this.session_states.length;
|
3606 | if (state_size === fail_counter) {
|
3607 | return try_create_new_state_and_decrypt();
|
3608 | }
|
3609 |
|
3610 | return this._try_decrypt_header_message(envelope, msg.message, 1)
|
3611 | .catch((err) => {
|
3612 | if (err instanceof DecryptError.HeaderDecryptionFailed) {
|
3613 | return try_create_new_state_and_decrypt();
|
3614 | } else {
|
3615 | throw err;
|
3616 | }
|
3617 | });
|
3618 | }
|
3619 |
|
3620 | throw error;
|
3621 | });
|
3622 | }
|
3623 |
|
3624 | |
3625 |
|
3626 |
|
3627 |
|
3628 |
|
3629 |
|
3630 |
|
3631 | _try_decrypt_header_message(envelope, message, start) {
|
3632 | return new Promise((resolve, reject) => {
|
3633 | let fail_counter = start;
|
3634 | const state_size = this.session_states.length;
|
3635 | const HeaderDecryptionFailed = DecryptError.HeaderDecryptionFailed;
|
3636 |
|
3637 | const try_decrypt_header_message = () => this._decrypt_header_message(envelope, message, fail_counter);
|
3638 | const handle_error = (err) => {
|
3639 | if (err instanceof HeaderDecryptionFailed) {
|
3640 | fail_counter++;
|
3641 | if (fail_counter === state_size) {
|
3642 | reject(new HeaderDecryptionFailed('All states failed', DecryptError.CODE.CASE_216));
|
3643 | }
|
3644 | Promise.resolve()
|
3645 | .then(try_decrypt_header_message)
|
3646 | .then(resolve)
|
3647 | .catch(handle_error);
|
3648 | } else {
|
3649 |
|
3650 | reject(err);
|
3651 | }
|
3652 | };
|
3653 |
|
3654 | Promise.resolve()
|
3655 | .then(try_decrypt_header_message)
|
3656 | .then(resolve)
|
3657 | .catch(handle_error);
|
3658 | });
|
3659 | }
|
3660 |
|
3661 | |
3662 |
|
3663 |
|
3664 |
|
3665 |
|
3666 |
|
3667 |
|
3668 | _decrypt_header_message(envelope, msg, state_index = 0) {
|
3669 | let state = this.session_states[state_index];
|
3670 | if (!state) {
|
3671 | throw new DecryptError.InvalidMessage('Local session not found.', DecryptError.CODE.CASE_205);
|
3672 | }
|
3673 |
|
3674 |
|
3675 |
|
3676 |
|
3677 | state = SessionState.deserialise(state.serialise());
|
3678 |
|
3679 | const plaintext = state.decrypt(envelope, msg);
|
3680 |
|
3681 | this.pending_prekey = null;
|
3682 |
|
3683 |
|
3684 | if (state_index === 0) {
|
3685 | this.session_states[0] = state;
|
3686 | } else {
|
3687 | this.session_states.splice(state_index, 1);
|
3688 | this._insert_session_state(state);
|
3689 | }
|
3690 |
|
3691 | return plaintext;
|
3692 | }
|
3693 |
|
3694 | |
3695 |
|
3696 |
|
3697 | serialise() {
|
3698 | const e = new CBOR.Encoder();
|
3699 | this.encode(e);
|
3700 | return e.get_buffer();
|
3701 | }
|
3702 |
|
3703 | |
3704 |
|
3705 |
|
3706 |
|
3707 |
|
3708 | static deserialise(local_identity, buf) {
|
3709 | TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
|
3710 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
3711 |
|
3712 | const d = new CBOR.Decoder(buf);
|
3713 | return this.decode(local_identity, d);
|
3714 | }
|
3715 |
|
3716 | |
3717 |
|
3718 |
|
3719 |
|
3720 | encode(e) {
|
3721 | e.object(5);
|
3722 | e.u8(0);
|
3723 | e.u8(this.version);
|
3724 | e.u8(1);
|
3725 | this.local_identity.public_key.encode(e);
|
3726 | e.u8(2);
|
3727 | this.remote_identity.encode(e);
|
3728 |
|
3729 | e.u8(3);
|
3730 | if (this.pending_prekey) {
|
3731 | e.object(2);
|
3732 | e.u8(0);
|
3733 | e.u16(this.pending_prekey[0]);
|
3734 | e.u8(1);
|
3735 | this.pending_prekey[1].encode(e);
|
3736 | } else {
|
3737 | e.null();
|
3738 | }
|
3739 |
|
3740 | e.u8(4);
|
3741 | e.array(this.session_states.length);
|
3742 | this.session_states.map((session_state) => session_state.encode(e));
|
3743 | }
|
3744 |
|
3745 | |
3746 |
|
3747 |
|
3748 |
|
3749 |
|
3750 | static decode(local_identity, d) {
|
3751 | TypeUtil.assert_is_instance(IdentityKeyPair, local_identity);
|
3752 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
3753 |
|
3754 | const self = ClassUtil.new_instance(this);
|
3755 |
|
3756 | const nprops = d.object();
|
3757 | for (let n = 0; n <= nprops - 1; n++) {
|
3758 | switch (d.u8()) {
|
3759 | case 0: {
|
3760 | self.version = d.u8();
|
3761 | break;
|
3762 | }
|
3763 | case 1: {
|
3764 | const ik = IdentityKey.decode(d);
|
3765 | if (local_identity.public_key.fingerprint() !== ik.fingerprint()) {
|
3766 | throw new DecodeError.LocalIdentityChanged(null, DecodeError.CODE.CASE_300);
|
3767 | }
|
3768 | self.local_identity = local_identity;
|
3769 | break;
|
3770 | }
|
3771 | case 2: {
|
3772 | self.remote_identity = IdentityKey.decode(d);
|
3773 | break;
|
3774 | }
|
3775 | case 3: {
|
3776 | switch (d.optional(() => d.object())) {
|
3777 | case null:
|
3778 | self.pending_prekey = null;
|
3779 | break;
|
3780 | case 2:
|
3781 | self.pending_prekey = [null, null];
|
3782 | for (let k = 0; k <= 1; ++k) {
|
3783 | switch (d.u8()) {
|
3784 | case 0:
|
3785 | self.pending_prekey[0] = d.u16();
|
3786 | break;
|
3787 | case 1:
|
3788 | self.pending_prekey[1] = PublicKey.decode(d);
|
3789 | }
|
3790 | }
|
3791 | break;
|
3792 | default:
|
3793 | throw new DecodeError.InvalidType(null, DecodeError.CODE.CASE_301);
|
3794 | }
|
3795 | break;
|
3796 | }
|
3797 | case 4: {
|
3798 | self.session_states = [];
|
3799 | let len = d.array();
|
3800 | while (len--) {
|
3801 | self.session_states.push(SessionState.decode(d));
|
3802 | }
|
3803 | break;
|
3804 | }
|
3805 | default: {
|
3806 | d.skip();
|
3807 | }
|
3808 | }
|
3809 | }
|
3810 |
|
3811 | TypeUtil.assert_is_integer(self.version);
|
3812 | TypeUtil.assert_is_instance(IdentityKeyPair, self.local_identity);
|
3813 | TypeUtil.assert_is_instance(IdentityKey, self.remote_identity);
|
3814 | TypeUtil.assert_is_instance(Array, self.session_states);
|
3815 |
|
3816 | return self;
|
3817 | }
|
3818 | }
|
3819 |
|
3820 | module.exports = Session;
|
3821 |
|
3822 | const SessionState = __webpack_require__(36);
|
3823 |
|
3824 |
|
3825 | }),
|
3826 |
|
3827 | (function(module, exports, __webpack_require__) {
|
3828 |
|
3829 | "use strict";
|
3830 |
|
3831 |
|
3832 |
|
3833 |
|
3834 |
|
3835 |
|
3836 |
|
3837 |
|
3838 |
|
3839 |
|
3840 |
|
3841 |
|
3842 |
|
3843 |
|
3844 |
|
3845 |
|
3846 |
|
3847 |
|
3848 |
|
3849 |
|
3850 |
|
3851 | const ProteusError = __webpack_require__(6);
|
3852 | const TypeUtil = __webpack_require__(1);
|
3853 |
|
3854 |
|
3855 |
|
3856 |
|
3857 |
|
3858 |
|
3859 | const ArrayUtil = {
|
3860 | |
3861 |
|
3862 |
|
3863 |
|
3864 | concatenate_array_buffers(buffers) {
|
3865 | TypeUtil.assert_is_instance(Array, buffers);
|
3866 |
|
3867 | return buffers.reduce((a, b) => {
|
3868 | const buf = new a.constructor(a.byteLength + b.byteLength);
|
3869 | buf.set(a, 0);
|
3870 | buf.set(b, a.byteLength);
|
3871 | return buf;
|
3872 | });
|
3873 | },
|
3874 |
|
3875 | |
3876 |
|
3877 |
|
3878 |
|
3879 |
|
3880 | assert_is_not_zeros(array) {
|
3881 | let only_zeroes = true;
|
3882 | for (let val in array) {
|
3883 | if (val > 0) {
|
3884 | only_zeroes = false;
|
3885 | break;
|
3886 | }
|
3887 | }
|
3888 |
|
3889 | if (only_zeroes === true) {
|
3890 | throw new ProteusError('Array consists only of zeroes.', ProteusError.prototype.CODE.CASE_100);
|
3891 | }
|
3892 | },
|
3893 | };
|
3894 |
|
3895 | module.exports = ArrayUtil;
|
3896 |
|
3897 |
|
3898 | }),
|
3899 |
|
3900 | (function(module, exports, __webpack_require__) {
|
3901 |
|
3902 | "use strict";
|
3903 |
|
3904 |
|
3905 |
|
3906 |
|
3907 |
|
3908 |
|
3909 |
|
3910 |
|
3911 |
|
3912 |
|
3913 |
|
3914 |
|
3915 |
|
3916 |
|
3917 |
|
3918 |
|
3919 |
|
3920 |
|
3921 |
|
3922 |
|
3923 |
|
3924 | const CBOR = __webpack_require__(2);
|
3925 |
|
3926 | const ClassUtil = __webpack_require__(3);
|
3927 | const DontCallConstructor = __webpack_require__(0);
|
3928 | const TypeUtil = __webpack_require__(1);
|
3929 |
|
3930 | const CipherKey = __webpack_require__(27);
|
3931 | const MacKey = __webpack_require__(15);
|
3932 |
|
3933 |
|
3934 |
|
3935 |
|
3936 |
|
3937 |
|
3938 |
|
3939 | class MessageKeys {
|
3940 | constructor() {
|
3941 | throw new DontCallConstructor(this);
|
3942 | }
|
3943 |
|
3944 | |
3945 |
|
3946 |
|
3947 |
|
3948 |
|
3949 |
|
3950 | static new(cipher_key, mac_key, counter) {
|
3951 | TypeUtil.assert_is_instance(CipherKey, cipher_key);
|
3952 | TypeUtil.assert_is_instance(MacKey, mac_key);
|
3953 | TypeUtil.assert_is_integer(counter);
|
3954 |
|
3955 | const mk = ClassUtil.new_instance(MessageKeys);
|
3956 | mk.cipher_key = cipher_key;
|
3957 | mk.mac_key = mac_key;
|
3958 | mk.counter = counter;
|
3959 | return mk;
|
3960 | }
|
3961 |
|
3962 | |
3963 |
|
3964 |
|
3965 |
|
3966 | _counter_as_nonce() {
|
3967 | const nonce = new ArrayBuffer(8);
|
3968 | new DataView(nonce).setUint32(0, this.counter);
|
3969 | return new Uint8Array(nonce);
|
3970 | }
|
3971 |
|
3972 | |
3973 |
|
3974 |
|
3975 |
|
3976 | encrypt(plaintext) {
|
3977 | return this.cipher_key.encrypt(plaintext, this._counter_as_nonce());
|
3978 | }
|
3979 |
|
3980 | |
3981 |
|
3982 |
|
3983 |
|
3984 | decrypt(ciphertext) {
|
3985 | return this.cipher_key.decrypt(ciphertext, this._counter_as_nonce());
|
3986 | }
|
3987 |
|
3988 | |
3989 |
|
3990 |
|
3991 |
|
3992 | encode(e) {
|
3993 | e.object(3);
|
3994 | e.u8(0);
|
3995 | this.cipher_key.encode(e);
|
3996 | e.u8(1);
|
3997 | this.mac_key.encode(e);
|
3998 | e.u8(2);
|
3999 | return e.u32(this.counter);
|
4000 | }
|
4001 |
|
4002 | |
4003 |
|
4004 |
|
4005 |
|
4006 | static decode(d) {
|
4007 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
4008 |
|
4009 | const self = ClassUtil.new_instance(MessageKeys);
|
4010 |
|
4011 | const nprops = d.object();
|
4012 | for (let i = 0; i <= nprops - 1; i++) {
|
4013 | switch (d.u8()) {
|
4014 | case 0:
|
4015 | self.cipher_key = CipherKey.decode(d);
|
4016 | break;
|
4017 | case 1:
|
4018 | self.mac_key = MacKey.decode(d);
|
4019 | break;
|
4020 | case 2:
|
4021 | self.counter = d.u32();
|
4022 | break;
|
4023 | default:
|
4024 | d.skip();
|
4025 | }
|
4026 | }
|
4027 |
|
4028 | TypeUtil.assert_is_instance(CipherKey, self.cipher_key);
|
4029 | TypeUtil.assert_is_instance(MacKey, self.mac_key);
|
4030 | TypeUtil.assert_is_integer(self.counter);
|
4031 |
|
4032 | return self;
|
4033 | }
|
4034 | }
|
4035 |
|
4036 | module.exports = MessageKeys;
|
4037 |
|
4038 |
|
4039 | }),
|
4040 |
|
4041 | (function(module, exports, __webpack_require__) {
|
4042 |
|
4043 | "use strict";
|
4044 |
|
4045 |
|
4046 |
|
4047 |
|
4048 |
|
4049 |
|
4050 |
|
4051 |
|
4052 |
|
4053 |
|
4054 |
|
4055 |
|
4056 |
|
4057 |
|
4058 |
|
4059 |
|
4060 |
|
4061 |
|
4062 |
|
4063 |
|
4064 |
|
4065 | module.exports = {
|
4066 | errors: {
|
4067 | ProteusError: __webpack_require__(6),
|
4068 | DecodeError: __webpack_require__(19),
|
4069 | DecryptError: __webpack_require__(10),
|
4070 | InputError: __webpack_require__(20),
|
4071 | },
|
4072 |
|
4073 | keys: {
|
4074 | IdentityKey: __webpack_require__(8),
|
4075 | IdentityKeyPair: __webpack_require__(11),
|
4076 | KeyPair: __webpack_require__(7),
|
4077 | PreKeyAuth: __webpack_require__(28),
|
4078 | PreKeyBundle: __webpack_require__(23),
|
4079 | PreKey: __webpack_require__(24),
|
4080 | PublicKey: __webpack_require__(4),
|
4081 | SecretKey: __webpack_require__(22),
|
4082 | },
|
4083 |
|
4084 | message: {
|
4085 | Message: __webpack_require__(12),
|
4086 | PreKeyMessage: __webpack_require__(13),
|
4087 | Envelope: __webpack_require__(14),
|
4088 | Header: __webpack_require__(25),
|
4089 | HeaderMessage: __webpack_require__(9),
|
4090 | },
|
4091 |
|
4092 | session: {
|
4093 | PreKeyStore: __webpack_require__(29),
|
4094 | Session: __webpack_require__(30),
|
4095 | },
|
4096 | };
|
4097 |
|
4098 |
|
4099 | }),
|
4100 |
|
4101 | (function(module, exports, __webpack_require__) {
|
4102 |
|
4103 | (function(nacl) {
|
4104 | 'use strict';
|
4105 |
|
4106 |
|
4107 |
|
4108 |
|
4109 |
|
4110 |
|
4111 |
|
4112 | var gf = function(init) {
|
4113 | var i, r = new Float64Array(16);
|
4114 | if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
|
4115 | return r;
|
4116 | };
|
4117 |
|
4118 |
|
4119 | var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };
|
4120 |
|
4121 | var _0 = new Uint8Array(16);
|
4122 | var _9 = new Uint8Array(32); _9[0] = 9;
|
4123 |
|
4124 | var gf0 = gf(),
|
4125 | gf1 = gf([1]),
|
4126 | _121665 = gf([0xdb41, 1]),
|
4127 | D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
|
4128 | D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),
|
4129 | X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),
|
4130 | Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),
|
4131 | I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
|
4132 |
|
4133 | function ts64(x, i, h, l) {
|
4134 | x[i] = (h >> 24) & 0xff;
|
4135 | x[i+1] = (h >> 16) & 0xff;
|
4136 | x[i+2] = (h >> 8) & 0xff;
|
4137 | x[i+3] = h & 0xff;
|
4138 | x[i+4] = (l >> 24) & 0xff;
|
4139 | x[i+5] = (l >> 16) & 0xff;
|
4140 | x[i+6] = (l >> 8) & 0xff;
|
4141 | x[i+7] = l & 0xff;
|
4142 | }
|
4143 |
|
4144 | function vn(x, xi, y, yi, n) {
|
4145 | var i,d = 0;
|
4146 | for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];
|
4147 | return (1 & ((d - 1) >>> 8)) - 1;
|
4148 | }
|
4149 |
|
4150 | function crypto_verify_16(x, xi, y, yi) {
|
4151 | return vn(x,xi,y,yi,16);
|
4152 | }
|
4153 |
|
4154 | function crypto_verify_32(x, xi, y, yi) {
|
4155 | return vn(x,xi,y,yi,32);
|
4156 | }
|
4157 |
|
4158 | function core_salsa20(o, p, k, c) {
|
4159 | var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
|
4160 | j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
|
4161 | j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
|
4162 | j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
|
4163 | j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
|
4164 | j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
|
4165 | j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
|
4166 | j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
|
4167 | j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
|
4168 | j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
|
4169 | j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
|
4170 | j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
|
4171 | j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
|
4172 | j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
|
4173 | j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
|
4174 | j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
|
4175 |
|
4176 | var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
|
4177 | x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
|
4178 | x15 = j15, u;
|
4179 |
|
4180 | for (var i = 0; i < 20; i += 2) {
|
4181 | u = x0 + x12 | 0;
|
4182 | x4 ^= u<<7 | u>>>(32-7);
|
4183 | u = x4 + x0 | 0;
|
4184 | x8 ^= u<<9 | u>>>(32-9);
|
4185 | u = x8 + x4 | 0;
|
4186 | x12 ^= u<<13 | u>>>(32-13);
|
4187 | u = x12 + x8 | 0;
|
4188 | x0 ^= u<<18 | u>>>(32-18);
|
4189 |
|
4190 | u = x5 + x1 | 0;
|
4191 | x9 ^= u<<7 | u>>>(32-7);
|
4192 | u = x9 + x5 | 0;
|
4193 | x13 ^= u<<9 | u>>>(32-9);
|
4194 | u = x13 + x9 | 0;
|
4195 | x1 ^= u<<13 | u>>>(32-13);
|
4196 | u = x1 + x13 | 0;
|
4197 | x5 ^= u<<18 | u>>>(32-18);
|
4198 |
|
4199 | u = x10 + x6 | 0;
|
4200 | x14 ^= u<<7 | u>>>(32-7);
|
4201 | u = x14 + x10 | 0;
|
4202 | x2 ^= u<<9 | u>>>(32-9);
|
4203 | u = x2 + x14 | 0;
|
4204 | x6 ^= u<<13 | u>>>(32-13);
|
4205 | u = x6 + x2 | 0;
|
4206 | x10 ^= u<<18 | u>>>(32-18);
|
4207 |
|
4208 | u = x15 + x11 | 0;
|
4209 | x3 ^= u<<7 | u>>>(32-7);
|
4210 | u = x3 + x15 | 0;
|
4211 | x7 ^= u<<9 | u>>>(32-9);
|
4212 | u = x7 + x3 | 0;
|
4213 | x11 ^= u<<13 | u>>>(32-13);
|
4214 | u = x11 + x7 | 0;
|
4215 | x15 ^= u<<18 | u>>>(32-18);
|
4216 |
|
4217 | u = x0 + x3 | 0;
|
4218 | x1 ^= u<<7 | u>>>(32-7);
|
4219 | u = x1 + x0 | 0;
|
4220 | x2 ^= u<<9 | u>>>(32-9);
|
4221 | u = x2 + x1 | 0;
|
4222 | x3 ^= u<<13 | u>>>(32-13);
|
4223 | u = x3 + x2 | 0;
|
4224 | x0 ^= u<<18 | u>>>(32-18);
|
4225 |
|
4226 | u = x5 + x4 | 0;
|
4227 | x6 ^= u<<7 | u>>>(32-7);
|
4228 | u = x6 + x5 | 0;
|
4229 | x7 ^= u<<9 | u>>>(32-9);
|
4230 | u = x7 + x6 | 0;
|
4231 | x4 ^= u<<13 | u>>>(32-13);
|
4232 | u = x4 + x7 | 0;
|
4233 | x5 ^= u<<18 | u>>>(32-18);
|
4234 |
|
4235 | u = x10 + x9 | 0;
|
4236 | x11 ^= u<<7 | u>>>(32-7);
|
4237 | u = x11 + x10 | 0;
|
4238 | x8 ^= u<<9 | u>>>(32-9);
|
4239 | u = x8 + x11 | 0;
|
4240 | x9 ^= u<<13 | u>>>(32-13);
|
4241 | u = x9 + x8 | 0;
|
4242 | x10 ^= u<<18 | u>>>(32-18);
|
4243 |
|
4244 | u = x15 + x14 | 0;
|
4245 | x12 ^= u<<7 | u>>>(32-7);
|
4246 | u = x12 + x15 | 0;
|
4247 | x13 ^= u<<9 | u>>>(32-9);
|
4248 | u = x13 + x12 | 0;
|
4249 | x14 ^= u<<13 | u>>>(32-13);
|
4250 | u = x14 + x13 | 0;
|
4251 | x15 ^= u<<18 | u>>>(32-18);
|
4252 | }
|
4253 | x0 = x0 + j0 | 0;
|
4254 | x1 = x1 + j1 | 0;
|
4255 | x2 = x2 + j2 | 0;
|
4256 | x3 = x3 + j3 | 0;
|
4257 | x4 = x4 + j4 | 0;
|
4258 | x5 = x5 + j5 | 0;
|
4259 | x6 = x6 + j6 | 0;
|
4260 | x7 = x7 + j7 | 0;
|
4261 | x8 = x8 + j8 | 0;
|
4262 | x9 = x9 + j9 | 0;
|
4263 | x10 = x10 + j10 | 0;
|
4264 | x11 = x11 + j11 | 0;
|
4265 | x12 = x12 + j12 | 0;
|
4266 | x13 = x13 + j13 | 0;
|
4267 | x14 = x14 + j14 | 0;
|
4268 | x15 = x15 + j15 | 0;
|
4269 |
|
4270 | o[ 0] = x0 >>> 0 & 0xff;
|
4271 | o[ 1] = x0 >>> 8 & 0xff;
|
4272 | o[ 2] = x0 >>> 16 & 0xff;
|
4273 | o[ 3] = x0 >>> 24 & 0xff;
|
4274 |
|
4275 | o[ 4] = x1 >>> 0 & 0xff;
|
4276 | o[ 5] = x1 >>> 8 & 0xff;
|
4277 | o[ 6] = x1 >>> 16 & 0xff;
|
4278 | o[ 7] = x1 >>> 24 & 0xff;
|
4279 |
|
4280 | o[ 8] = x2 >>> 0 & 0xff;
|
4281 | o[ 9] = x2 >>> 8 & 0xff;
|
4282 | o[10] = x2 >>> 16 & 0xff;
|
4283 | o[11] = x2 >>> 24 & 0xff;
|
4284 |
|
4285 | o[12] = x3 >>> 0 & 0xff;
|
4286 | o[13] = x3 >>> 8 & 0xff;
|
4287 | o[14] = x3 >>> 16 & 0xff;
|
4288 | o[15] = x3 >>> 24 & 0xff;
|
4289 |
|
4290 | o[16] = x4 >>> 0 & 0xff;
|
4291 | o[17] = x4 >>> 8 & 0xff;
|
4292 | o[18] = x4 >>> 16 & 0xff;
|
4293 | o[19] = x4 >>> 24 & 0xff;
|
4294 |
|
4295 | o[20] = x5 >>> 0 & 0xff;
|
4296 | o[21] = x5 >>> 8 & 0xff;
|
4297 | o[22] = x5 >>> 16 & 0xff;
|
4298 | o[23] = x5 >>> 24 & 0xff;
|
4299 |
|
4300 | o[24] = x6 >>> 0 & 0xff;
|
4301 | o[25] = x6 >>> 8 & 0xff;
|
4302 | o[26] = x6 >>> 16 & 0xff;
|
4303 | o[27] = x6 >>> 24 & 0xff;
|
4304 |
|
4305 | o[28] = x7 >>> 0 & 0xff;
|
4306 | o[29] = x7 >>> 8 & 0xff;
|
4307 | o[30] = x7 >>> 16 & 0xff;
|
4308 | o[31] = x7 >>> 24 & 0xff;
|
4309 |
|
4310 | o[32] = x8 >>> 0 & 0xff;
|
4311 | o[33] = x8 >>> 8 & 0xff;
|
4312 | o[34] = x8 >>> 16 & 0xff;
|
4313 | o[35] = x8 >>> 24 & 0xff;
|
4314 |
|
4315 | o[36] = x9 >>> 0 & 0xff;
|
4316 | o[37] = x9 >>> 8 & 0xff;
|
4317 | o[38] = x9 >>> 16 & 0xff;
|
4318 | o[39] = x9 >>> 24 & 0xff;
|
4319 |
|
4320 | o[40] = x10 >>> 0 & 0xff;
|
4321 | o[41] = x10 >>> 8 & 0xff;
|
4322 | o[42] = x10 >>> 16 & 0xff;
|
4323 | o[43] = x10 >>> 24 & 0xff;
|
4324 |
|
4325 | o[44] = x11 >>> 0 & 0xff;
|
4326 | o[45] = x11 >>> 8 & 0xff;
|
4327 | o[46] = x11 >>> 16 & 0xff;
|
4328 | o[47] = x11 >>> 24 & 0xff;
|
4329 |
|
4330 | o[48] = x12 >>> 0 & 0xff;
|
4331 | o[49] = x12 >>> 8 & 0xff;
|
4332 | o[50] = x12 >>> 16 & 0xff;
|
4333 | o[51] = x12 >>> 24 & 0xff;
|
4334 |
|
4335 | o[52] = x13 >>> 0 & 0xff;
|
4336 | o[53] = x13 >>> 8 & 0xff;
|
4337 | o[54] = x13 >>> 16 & 0xff;
|
4338 | o[55] = x13 >>> 24 & 0xff;
|
4339 |
|
4340 | o[56] = x14 >>> 0 & 0xff;
|
4341 | o[57] = x14 >>> 8 & 0xff;
|
4342 | o[58] = x14 >>> 16 & 0xff;
|
4343 | o[59] = x14 >>> 24 & 0xff;
|
4344 |
|
4345 | o[60] = x15 >>> 0 & 0xff;
|
4346 | o[61] = x15 >>> 8 & 0xff;
|
4347 | o[62] = x15 >>> 16 & 0xff;
|
4348 | o[63] = x15 >>> 24 & 0xff;
|
4349 | }
|
4350 |
|
4351 | function core_hsalsa20(o,p,k,c) {
|
4352 | var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
|
4353 | j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
|
4354 | j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
|
4355 | j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
|
4356 | j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
|
4357 | j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
|
4358 | j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
|
4359 | j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
|
4360 | j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
|
4361 | j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
|
4362 | j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
|
4363 | j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
|
4364 | j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
|
4365 | j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
|
4366 | j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
|
4367 | j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
|
4368 |
|
4369 | var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
|
4370 | x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
|
4371 | x15 = j15, u;
|
4372 |
|
4373 | for (var i = 0; i < 20; i += 2) {
|
4374 | u = x0 + x12 | 0;
|
4375 | x4 ^= u<<7 | u>>>(32-7);
|
4376 | u = x4 + x0 | 0;
|
4377 | x8 ^= u<<9 | u>>>(32-9);
|
4378 | u = x8 + x4 | 0;
|
4379 | x12 ^= u<<13 | u>>>(32-13);
|
4380 | u = x12 + x8 | 0;
|
4381 | x0 ^= u<<18 | u>>>(32-18);
|
4382 |
|
4383 | u = x5 + x1 | 0;
|
4384 | x9 ^= u<<7 | u>>>(32-7);
|
4385 | u = x9 + x5 | 0;
|
4386 | x13 ^= u<<9 | u>>>(32-9);
|
4387 | u = x13 + x9 | 0;
|
4388 | x1 ^= u<<13 | u>>>(32-13);
|
4389 | u = x1 + x13 | 0;
|
4390 | x5 ^= u<<18 | u>>>(32-18);
|
4391 |
|
4392 | u = x10 + x6 | 0;
|
4393 | x14 ^= u<<7 | u>>>(32-7);
|
4394 | u = x14 + x10 | 0;
|
4395 | x2 ^= u<<9 | u>>>(32-9);
|
4396 | u = x2 + x14 | 0;
|
4397 | x6 ^= u<<13 | u>>>(32-13);
|
4398 | u = x6 + x2 | 0;
|
4399 | x10 ^= u<<18 | u>>>(32-18);
|
4400 |
|
4401 | u = x15 + x11 | 0;
|
4402 | x3 ^= u<<7 | u>>>(32-7);
|
4403 | u = x3 + x15 | 0;
|
4404 | x7 ^= u<<9 | u>>>(32-9);
|
4405 | u = x7 + x3 | 0;
|
4406 | x11 ^= u<<13 | u>>>(32-13);
|
4407 | u = x11 + x7 | 0;
|
4408 | x15 ^= u<<18 | u>>>(32-18);
|
4409 |
|
4410 | u = x0 + x3 | 0;
|
4411 | x1 ^= u<<7 | u>>>(32-7);
|
4412 | u = x1 + x0 | 0;
|
4413 | x2 ^= u<<9 | u>>>(32-9);
|
4414 | u = x2 + x1 | 0;
|
4415 | x3 ^= u<<13 | u>>>(32-13);
|
4416 | u = x3 + x2 | 0;
|
4417 | x0 ^= u<<18 | u>>>(32-18);
|
4418 |
|
4419 | u = x5 + x4 | 0;
|
4420 | x6 ^= u<<7 | u>>>(32-7);
|
4421 | u = x6 + x5 | 0;
|
4422 | x7 ^= u<<9 | u>>>(32-9);
|
4423 | u = x7 + x6 | 0;
|
4424 | x4 ^= u<<13 | u>>>(32-13);
|
4425 | u = x4 + x7 | 0;
|
4426 | x5 ^= u<<18 | u>>>(32-18);
|
4427 |
|
4428 | u = x10 + x9 | 0;
|
4429 | x11 ^= u<<7 | u>>>(32-7);
|
4430 | u = x11 + x10 | 0;
|
4431 | x8 ^= u<<9 | u>>>(32-9);
|
4432 | u = x8 + x11 | 0;
|
4433 | x9 ^= u<<13 | u>>>(32-13);
|
4434 | u = x9 + x8 | 0;
|
4435 | x10 ^= u<<18 | u>>>(32-18);
|
4436 |
|
4437 | u = x15 + x14 | 0;
|
4438 | x12 ^= u<<7 | u>>>(32-7);
|
4439 | u = x12 + x15 | 0;
|
4440 | x13 ^= u<<9 | u>>>(32-9);
|
4441 | u = x13 + x12 | 0;
|
4442 | x14 ^= u<<13 | u>>>(32-13);
|
4443 | u = x14 + x13 | 0;
|
4444 | x15 ^= u<<18 | u>>>(32-18);
|
4445 | }
|
4446 |
|
4447 | o[ 0] = x0 >>> 0 & 0xff;
|
4448 | o[ 1] = x0 >>> 8 & 0xff;
|
4449 | o[ 2] = x0 >>> 16 & 0xff;
|
4450 | o[ 3] = x0 >>> 24 & 0xff;
|
4451 |
|
4452 | o[ 4] = x5 >>> 0 & 0xff;
|
4453 | o[ 5] = x5 >>> 8 & 0xff;
|
4454 | o[ 6] = x5 >>> 16 & 0xff;
|
4455 | o[ 7] = x5 >>> 24 & 0xff;
|
4456 |
|
4457 | o[ 8] = x10 >>> 0 & 0xff;
|
4458 | o[ 9] = x10 >>> 8 & 0xff;
|
4459 | o[10] = x10 >>> 16 & 0xff;
|
4460 | o[11] = x10 >>> 24 & 0xff;
|
4461 |
|
4462 | o[12] = x15 >>> 0 & 0xff;
|
4463 | o[13] = x15 >>> 8 & 0xff;
|
4464 | o[14] = x15 >>> 16 & 0xff;
|
4465 | o[15] = x15 >>> 24 & 0xff;
|
4466 |
|
4467 | o[16] = x6 >>> 0 & 0xff;
|
4468 | o[17] = x6 >>> 8 & 0xff;
|
4469 | o[18] = x6 >>> 16 & 0xff;
|
4470 | o[19] = x6 >>> 24 & 0xff;
|
4471 |
|
4472 | o[20] = x7 >>> 0 & 0xff;
|
4473 | o[21] = x7 >>> 8 & 0xff;
|
4474 | o[22] = x7 >>> 16 & 0xff;
|
4475 | o[23] = x7 >>> 24 & 0xff;
|
4476 |
|
4477 | o[24] = x8 >>> 0 & 0xff;
|
4478 | o[25] = x8 >>> 8 & 0xff;
|
4479 | o[26] = x8 >>> 16 & 0xff;
|
4480 | o[27] = x8 >>> 24 & 0xff;
|
4481 |
|
4482 | o[28] = x9 >>> 0 & 0xff;
|
4483 | o[29] = x9 >>> 8 & 0xff;
|
4484 | o[30] = x9 >>> 16 & 0xff;
|
4485 | o[31] = x9 >>> 24 & 0xff;
|
4486 | }
|
4487 |
|
4488 | function crypto_core_salsa20(out,inp,k,c) {
|
4489 | core_salsa20(out,inp,k,c);
|
4490 | }
|
4491 |
|
4492 | function crypto_core_hsalsa20(out,inp,k,c) {
|
4493 | core_hsalsa20(out,inp,k,c);
|
4494 | }
|
4495 |
|
4496 | var sigma = new Uint8Array([101, 120, 112, 97, 110, 100, 32, 51, 50, 45, 98, 121, 116, 101, 32, 107]);
|
4497 |
|
4498 |
|
4499 | function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
|
4500 | var z = new Uint8Array(16), x = new Uint8Array(64);
|
4501 | var u, i;
|
4502 | for (i = 0; i < 16; i++) z[i] = 0;
|
4503 | for (i = 0; i < 8; i++) z[i] = n[i];
|
4504 | while (b >= 64) {
|
4505 | crypto_core_salsa20(x,z,k,sigma);
|
4506 | for (i = 0; i < 64; i++) c[cpos+i] = m[mpos+i] ^ x[i];
|
4507 | u = 1;
|
4508 | for (i = 8; i < 16; i++) {
|
4509 | u = u + (z[i] & 0xff) | 0;
|
4510 | z[i] = u & 0xff;
|
4511 | u >>>= 8;
|
4512 | }
|
4513 | b -= 64;
|
4514 | cpos += 64;
|
4515 | mpos += 64;
|
4516 | }
|
4517 | if (b > 0) {
|
4518 | crypto_core_salsa20(x,z,k,sigma);
|
4519 | for (i = 0; i < b; i++) c[cpos+i] = m[mpos+i] ^ x[i];
|
4520 | }
|
4521 | return 0;
|
4522 | }
|
4523 |
|
4524 | function crypto_stream_salsa20(c,cpos,b,n,k) {
|
4525 | var z = new Uint8Array(16), x = new Uint8Array(64);
|
4526 | var u, i;
|
4527 | for (i = 0; i < 16; i++) z[i] = 0;
|
4528 | for (i = 0; i < 8; i++) z[i] = n[i];
|
4529 | while (b >= 64) {
|
4530 | crypto_core_salsa20(x,z,k,sigma);
|
4531 | for (i = 0; i < 64; i++) c[cpos+i] = x[i];
|
4532 | u = 1;
|
4533 | for (i = 8; i < 16; i++) {
|
4534 | u = u + (z[i] & 0xff) | 0;
|
4535 | z[i] = u & 0xff;
|
4536 | u >>>= 8;
|
4537 | }
|
4538 | b -= 64;
|
4539 | cpos += 64;
|
4540 | }
|
4541 | if (b > 0) {
|
4542 | crypto_core_salsa20(x,z,k,sigma);
|
4543 | for (i = 0; i < b; i++) c[cpos+i] = x[i];
|
4544 | }
|
4545 | return 0;
|
4546 | }
|
4547 |
|
4548 | function crypto_stream(c,cpos,d,n,k) {
|
4549 | var s = new Uint8Array(32);
|
4550 | crypto_core_hsalsa20(s,n,k,sigma);
|
4551 | var sn = new Uint8Array(8);
|
4552 | for (var i = 0; i < 8; i++) sn[i] = n[i+16];
|
4553 | return crypto_stream_salsa20(c,cpos,d,sn,s);
|
4554 | }
|
4555 |
|
4556 | function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
|
4557 | var s = new Uint8Array(32);
|
4558 | crypto_core_hsalsa20(s,n,k,sigma);
|
4559 | var sn = new Uint8Array(8);
|
4560 | for (var i = 0; i < 8; i++) sn[i] = n[i+16];
|
4561 | return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,sn,s);
|
4562 | }
|
4563 |
|
4564 |
|
4565 |
|
4566 |
|
4567 |
|
4568 |
|
4569 | var poly1305 = function(key) {
|
4570 | this.buffer = new Uint8Array(16);
|
4571 | this.r = new Uint16Array(10);
|
4572 | this.h = new Uint16Array(10);
|
4573 | this.pad = new Uint16Array(8);
|
4574 | this.leftover = 0;
|
4575 | this.fin = 0;
|
4576 |
|
4577 | var t0, t1, t2, t3, t4, t5, t6, t7;
|
4578 |
|
4579 | t0 = key[ 0] & 0xff | (key[ 1] & 0xff) << 8; this.r[0] = ( t0 ) & 0x1fff;
|
4580 | t1 = key[ 2] & 0xff | (key[ 3] & 0xff) << 8; this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
|
4581 | t2 = key[ 4] & 0xff | (key[ 5] & 0xff) << 8; this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
|
4582 | t3 = key[ 6] & 0xff | (key[ 7] & 0xff) << 8; this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
|
4583 | t4 = key[ 8] & 0xff | (key[ 9] & 0xff) << 8; this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
|
4584 | this.r[5] = ((t4 >>> 1)) & 0x1ffe;
|
4585 | t5 = key[10] & 0xff | (key[11] & 0xff) << 8; this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
|
4586 | t6 = key[12] & 0xff | (key[13] & 0xff) << 8; this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
|
4587 | t7 = key[14] & 0xff | (key[15] & 0xff) << 8; this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
|
4588 | this.r[9] = ((t7 >>> 5)) & 0x007f;
|
4589 |
|
4590 | this.pad[0] = key[16] & 0xff | (key[17] & 0xff) << 8;
|
4591 | this.pad[1] = key[18] & 0xff | (key[19] & 0xff) << 8;
|
4592 | this.pad[2] = key[20] & 0xff | (key[21] & 0xff) << 8;
|
4593 | this.pad[3] = key[22] & 0xff | (key[23] & 0xff) << 8;
|
4594 | this.pad[4] = key[24] & 0xff | (key[25] & 0xff) << 8;
|
4595 | this.pad[5] = key[26] & 0xff | (key[27] & 0xff) << 8;
|
4596 | this.pad[6] = key[28] & 0xff | (key[29] & 0xff) << 8;
|
4597 | this.pad[7] = key[30] & 0xff | (key[31] & 0xff) << 8;
|
4598 | };
|
4599 |
|
4600 | poly1305.prototype.blocks = function(m, mpos, bytes) {
|
4601 | var hibit = this.fin ? 0 : (1 << 11);
|
4602 | var t0, t1, t2, t3, t4, t5, t6, t7, c;
|
4603 | var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9;
|
4604 |
|
4605 | var h0 = this.h[0],
|
4606 | h1 = this.h[1],
|
4607 | h2 = this.h[2],
|
4608 | h3 = this.h[3],
|
4609 | h4 = this.h[4],
|
4610 | h5 = this.h[5],
|
4611 | h6 = this.h[6],
|
4612 | h7 = this.h[7],
|
4613 | h8 = this.h[8],
|
4614 | h9 = this.h[9];
|
4615 |
|
4616 | var r0 = this.r[0],
|
4617 | r1 = this.r[1],
|
4618 | r2 = this.r[2],
|
4619 | r3 = this.r[3],
|
4620 | r4 = this.r[4],
|
4621 | r5 = this.r[5],
|
4622 | r6 = this.r[6],
|
4623 | r7 = this.r[7],
|
4624 | r8 = this.r[8],
|
4625 | r9 = this.r[9];
|
4626 |
|
4627 | while (bytes >= 16) {
|
4628 | t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0 ) & 0x1fff;
|
4629 | t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
|
4630 | t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 << 6)) & 0x1fff;
|
4631 | t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
|
4632 | t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>> 4) | (t4 << 12)) & 0x1fff;
|
4633 | h5 += ((t4 >>> 1)) & 0x1fff;
|
4634 | t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
|
4635 | t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 << 5)) & 0x1fff;
|
4636 | t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
|
4637 | h9 += ((t7 >>> 5)) | hibit;
|
4638 |
|
4639 | c = 0;
|
4640 |
|
4641 | d0 = c;
|
4642 | d0 += h0 * r0;
|
4643 | d0 += h1 * (5 * r9);
|
4644 | d0 += h2 * (5 * r8);
|
4645 | d0 += h3 * (5 * r7);
|
4646 | d0 += h4 * (5 * r6);
|
4647 | c = (d0 >>> 13); d0 &= 0x1fff;
|
4648 | d0 += h5 * (5 * r5);
|
4649 | d0 += h6 * (5 * r4);
|
4650 | d0 += h7 * (5 * r3);
|
4651 | d0 += h8 * (5 * r2);
|
4652 | d0 += h9 * (5 * r1);
|
4653 | c += (d0 >>> 13); d0 &= 0x1fff;
|
4654 |
|
4655 | d1 = c;
|
4656 | d1 += h0 * r1;
|
4657 | d1 += h1 * r0;
|
4658 | d1 += h2 * (5 * r9);
|
4659 | d1 += h3 * (5 * r8);
|
4660 | d1 += h4 * (5 * r7);
|
4661 | c = (d1 >>> 13); d1 &= 0x1fff;
|
4662 | d1 += h5 * (5 * r6);
|
4663 | d1 += h6 * (5 * r5);
|
4664 | d1 += h7 * (5 * r4);
|
4665 | d1 += h8 * (5 * r3);
|
4666 | d1 += h9 * (5 * r2);
|
4667 | c += (d1 >>> 13); d1 &= 0x1fff;
|
4668 |
|
4669 | d2 = c;
|
4670 | d2 += h0 * r2;
|
4671 | d2 += h1 * r1;
|
4672 | d2 += h2 * r0;
|
4673 | d2 += h3 * (5 * r9);
|
4674 | d2 += h4 * (5 * r8);
|
4675 | c = (d2 >>> 13); d2 &= 0x1fff;
|
4676 | d2 += h5 * (5 * r7);
|
4677 | d2 += h6 * (5 * r6);
|
4678 | d2 += h7 * (5 * r5);
|
4679 | d2 += h8 * (5 * r4);
|
4680 | d2 += h9 * (5 * r3);
|
4681 | c += (d2 >>> 13); d2 &= 0x1fff;
|
4682 |
|
4683 | d3 = c;
|
4684 | d3 += h0 * r3;
|
4685 | d3 += h1 * r2;
|
4686 | d3 += h2 * r1;
|
4687 | d3 += h3 * r0;
|
4688 | d3 += h4 * (5 * r9);
|
4689 | c = (d3 >>> 13); d3 &= 0x1fff;
|
4690 | d3 += h5 * (5 * r8);
|
4691 | d3 += h6 * (5 * r7);
|
4692 | d3 += h7 * (5 * r6);
|
4693 | d3 += h8 * (5 * r5);
|
4694 | d3 += h9 * (5 * r4);
|
4695 | c += (d3 >>> 13); d3 &= 0x1fff;
|
4696 |
|
4697 | d4 = c;
|
4698 | d4 += h0 * r4;
|
4699 | d4 += h1 * r3;
|
4700 | d4 += h2 * r2;
|
4701 | d4 += h3 * r1;
|
4702 | d4 += h4 * r0;
|
4703 | c = (d4 >>> 13); d4 &= 0x1fff;
|
4704 | d4 += h5 * (5 * r9);
|
4705 | d4 += h6 * (5 * r8);
|
4706 | d4 += h7 * (5 * r7);
|
4707 | d4 += h8 * (5 * r6);
|
4708 | d4 += h9 * (5 * r5);
|
4709 | c += (d4 >>> 13); d4 &= 0x1fff;
|
4710 |
|
4711 | d5 = c;
|
4712 | d5 += h0 * r5;
|
4713 | d5 += h1 * r4;
|
4714 | d5 += h2 * r3;
|
4715 | d5 += h3 * r2;
|
4716 | d5 += h4 * r1;
|
4717 | c = (d5 >>> 13); d5 &= 0x1fff;
|
4718 | d5 += h5 * r0;
|
4719 | d5 += h6 * (5 * r9);
|
4720 | d5 += h7 * (5 * r8);
|
4721 | d5 += h8 * (5 * r7);
|
4722 | d5 += h9 * (5 * r6);
|
4723 | c += (d5 >>> 13); d5 &= 0x1fff;
|
4724 |
|
4725 | d6 = c;
|
4726 | d6 += h0 * r6;
|
4727 | d6 += h1 * r5;
|
4728 | d6 += h2 * r4;
|
4729 | d6 += h3 * r3;
|
4730 | d6 += h4 * r2;
|
4731 | c = (d6 >>> 13); d6 &= 0x1fff;
|
4732 | d6 += h5 * r1;
|
4733 | d6 += h6 * r0;
|
4734 | d6 += h7 * (5 * r9);
|
4735 | d6 += h8 * (5 * r8);
|
4736 | d6 += h9 * (5 * r7);
|
4737 | c += (d6 >>> 13); d6 &= 0x1fff;
|
4738 |
|
4739 | d7 = c;
|
4740 | d7 += h0 * r7;
|
4741 | d7 += h1 * r6;
|
4742 | d7 += h2 * r5;
|
4743 | d7 += h3 * r4;
|
4744 | d7 += h4 * r3;
|
4745 | c = (d7 >>> 13); d7 &= 0x1fff;
|
4746 | d7 += h5 * r2;
|
4747 | d7 += h6 * r1;
|
4748 | d7 += h7 * r0;
|
4749 | d7 += h8 * (5 * r9);
|
4750 | d7 += h9 * (5 * r8);
|
4751 | c += (d7 >>> 13); d7 &= 0x1fff;
|
4752 |
|
4753 | d8 = c;
|
4754 | d8 += h0 * r8;
|
4755 | d8 += h1 * r7;
|
4756 | d8 += h2 * r6;
|
4757 | d8 += h3 * r5;
|
4758 | d8 += h4 * r4;
|
4759 | c = (d8 >>> 13); d8 &= 0x1fff;
|
4760 | d8 += h5 * r3;
|
4761 | d8 += h6 * r2;
|
4762 | d8 += h7 * r1;
|
4763 | d8 += h8 * r0;
|
4764 | d8 += h9 * (5 * r9);
|
4765 | c += (d8 >>> 13); d8 &= 0x1fff;
|
4766 |
|
4767 | d9 = c;
|
4768 | d9 += h0 * r9;
|
4769 | d9 += h1 * r8;
|
4770 | d9 += h2 * r7;
|
4771 | d9 += h3 * r6;
|
4772 | d9 += h4 * r5;
|
4773 | c = (d9 >>> 13); d9 &= 0x1fff;
|
4774 | d9 += h5 * r4;
|
4775 | d9 += h6 * r3;
|
4776 | d9 += h7 * r2;
|
4777 | d9 += h8 * r1;
|
4778 | d9 += h9 * r0;
|
4779 | c += (d9 >>> 13); d9 &= 0x1fff;
|
4780 |
|
4781 | c = (((c << 2) + c)) | 0;
|
4782 | c = (c + d0) | 0;
|
4783 | d0 = c & 0x1fff;
|
4784 | c = (c >>> 13);
|
4785 | d1 += c;
|
4786 |
|
4787 | h0 = d0;
|
4788 | h1 = d1;
|
4789 | h2 = d2;
|
4790 | h3 = d3;
|
4791 | h4 = d4;
|
4792 | h5 = d5;
|
4793 | h6 = d6;
|
4794 | h7 = d7;
|
4795 | h8 = d8;
|
4796 | h9 = d9;
|
4797 |
|
4798 | mpos += 16;
|
4799 | bytes -= 16;
|
4800 | }
|
4801 | this.h[0] = h0;
|
4802 | this.h[1] = h1;
|
4803 | this.h[2] = h2;
|
4804 | this.h[3] = h3;
|
4805 | this.h[4] = h4;
|
4806 | this.h[5] = h5;
|
4807 | this.h[6] = h6;
|
4808 | this.h[7] = h7;
|
4809 | this.h[8] = h8;
|
4810 | this.h[9] = h9;
|
4811 | };
|
4812 |
|
4813 | poly1305.prototype.finish = function(mac, macpos) {
|
4814 | var g = new Uint16Array(10);
|
4815 | var c, mask, f, i;
|
4816 |
|
4817 | if (this.leftover) {
|
4818 | i = this.leftover;
|
4819 | this.buffer[i++] = 1;
|
4820 | for (; i < 16; i++) this.buffer[i] = 0;
|
4821 | this.fin = 1;
|
4822 | this.blocks(this.buffer, 0, 16);
|
4823 | }
|
4824 |
|
4825 | c = this.h[1] >>> 13;
|
4826 | this.h[1] &= 0x1fff;
|
4827 | for (i = 2; i < 10; i++) {
|
4828 | this.h[i] += c;
|
4829 | c = this.h[i] >>> 13;
|
4830 | this.h[i] &= 0x1fff;
|
4831 | }
|
4832 | this.h[0] += (c * 5);
|
4833 | c = this.h[0] >>> 13;
|
4834 | this.h[0] &= 0x1fff;
|
4835 | this.h[1] += c;
|
4836 | c = this.h[1] >>> 13;
|
4837 | this.h[1] &= 0x1fff;
|
4838 | this.h[2] += c;
|
4839 |
|
4840 | g[0] = this.h[0] + 5;
|
4841 | c = g[0] >>> 13;
|
4842 | g[0] &= 0x1fff;
|
4843 | for (i = 1; i < 10; i++) {
|
4844 | g[i] = this.h[i] + c;
|
4845 | c = g[i] >>> 13;
|
4846 | g[i] &= 0x1fff;
|
4847 | }
|
4848 | g[9] -= (1 << 13);
|
4849 |
|
4850 | mask = (c ^ 1) - 1;
|
4851 | for (i = 0; i < 10; i++) g[i] &= mask;
|
4852 | mask = ~mask;
|
4853 | for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i];
|
4854 |
|
4855 | this.h[0] = ((this.h[0] ) | (this.h[1] << 13) ) & 0xffff;
|
4856 | this.h[1] = ((this.h[1] >>> 3) | (this.h[2] << 10) ) & 0xffff;
|
4857 | this.h[2] = ((this.h[2] >>> 6) | (this.h[3] << 7) ) & 0xffff;
|
4858 | this.h[3] = ((this.h[3] >>> 9) | (this.h[4] << 4) ) & 0xffff;
|
4859 | this.h[4] = ((this.h[4] >>> 12) | (this.h[5] << 1) | (this.h[6] << 14)) & 0xffff;
|
4860 | this.h[5] = ((this.h[6] >>> 2) | (this.h[7] << 11) ) & 0xffff;
|
4861 | this.h[6] = ((this.h[7] >>> 5) | (this.h[8] << 8) ) & 0xffff;
|
4862 | this.h[7] = ((this.h[8] >>> 8) | (this.h[9] << 5) ) & 0xffff;
|
4863 |
|
4864 | f = this.h[0] + this.pad[0];
|
4865 | this.h[0] = f & 0xffff;
|
4866 | for (i = 1; i < 8; i++) {
|
4867 | f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0;
|
4868 | this.h[i] = f & 0xffff;
|
4869 | }
|
4870 |
|
4871 | mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff;
|
4872 | mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff;
|
4873 | mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff;
|
4874 | mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff;
|
4875 | mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff;
|
4876 | mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff;
|
4877 | mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff;
|
4878 | mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff;
|
4879 | mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff;
|
4880 | mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff;
|
4881 | mac[macpos+10] = (this.h[5] >>> 0) & 0xff;
|
4882 | mac[macpos+11] = (this.h[5] >>> 8) & 0xff;
|
4883 | mac[macpos+12] = (this.h[6] >>> 0) & 0xff;
|
4884 | mac[macpos+13] = (this.h[6] >>> 8) & 0xff;
|
4885 | mac[macpos+14] = (this.h[7] >>> 0) & 0xff;
|
4886 | mac[macpos+15] = (this.h[7] >>> 8) & 0xff;
|
4887 | };
|
4888 |
|
4889 | poly1305.prototype.update = function(m, mpos, bytes) {
|
4890 | var i, want;
|
4891 |
|
4892 | if (this.leftover) {
|
4893 | want = (16 - this.leftover);
|
4894 | if (want > bytes)
|
4895 | want = bytes;
|
4896 | for (i = 0; i < want; i++)
|
4897 | this.buffer[this.leftover + i] = m[mpos+i];
|
4898 | bytes -= want;
|
4899 | mpos += want;
|
4900 | this.leftover += want;
|
4901 | if (this.leftover < 16)
|
4902 | return;
|
4903 | this.blocks(this.buffer, 0, 16);
|
4904 | this.leftover = 0;
|
4905 | }
|
4906 |
|
4907 | if (bytes >= 16) {
|
4908 | want = bytes - (bytes % 16);
|
4909 | this.blocks(m, mpos, want);
|
4910 | mpos += want;
|
4911 | bytes -= want;
|
4912 | }
|
4913 |
|
4914 | if (bytes) {
|
4915 | for (i = 0; i < bytes; i++)
|
4916 | this.buffer[this.leftover + i] = m[mpos+i];
|
4917 | this.leftover += bytes;
|
4918 | }
|
4919 | };
|
4920 |
|
4921 | function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
|
4922 | var s = new poly1305(k);
|
4923 | s.update(m, mpos, n);
|
4924 | s.finish(out, outpos);
|
4925 | return 0;
|
4926 | }
|
4927 |
|
4928 | function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
|
4929 | var x = new Uint8Array(16);
|
4930 | crypto_onetimeauth(x,0,m,mpos,n,k);
|
4931 | return crypto_verify_16(h,hpos,x,0);
|
4932 | }
|
4933 |
|
4934 | function crypto_secretbox(c,m,d,n,k) {
|
4935 | var i;
|
4936 | if (d < 32) return -1;
|
4937 | crypto_stream_xor(c,0,m,0,d,n,k);
|
4938 | crypto_onetimeauth(c, 16, c, 32, d - 32, c);
|
4939 | for (i = 0; i < 16; i++) c[i] = 0;
|
4940 | return 0;
|
4941 | }
|
4942 |
|
4943 | function crypto_secretbox_open(m,c,d,n,k) {
|
4944 | var i;
|
4945 | var x = new Uint8Array(32);
|
4946 | if (d < 32) return -1;
|
4947 | crypto_stream(x,0,32,n,k);
|
4948 | if (crypto_onetimeauth_verify(c, 16,c, 32,d - 32,x) !== 0) return -1;
|
4949 | crypto_stream_xor(m,0,c,0,d,n,k);
|
4950 | for (i = 0; i < 32; i++) m[i] = 0;
|
4951 | return 0;
|
4952 | }
|
4953 |
|
4954 | function set25519(r, a) {
|
4955 | var i;
|
4956 | for (i = 0; i < 16; i++) r[i] = a[i]|0;
|
4957 | }
|
4958 |
|
4959 | function car25519(o) {
|
4960 | var i, v, c = 1;
|
4961 | for (i = 0; i < 16; i++) {
|
4962 | v = o[i] + c + 65535;
|
4963 | c = Math.floor(v / 65536);
|
4964 | o[i] = v - c * 65536;
|
4965 | }
|
4966 | o[0] += c-1 + 37 * (c-1);
|
4967 | }
|
4968 |
|
4969 | function sel25519(p, q, b) {
|
4970 | var t, c = ~(b-1);
|
4971 | for (var i = 0; i < 16; i++) {
|
4972 | t = c & (p[i] ^ q[i]);
|
4973 | p[i] ^= t;
|
4974 | q[i] ^= t;
|
4975 | }
|
4976 | }
|
4977 |
|
4978 | function pack25519(o, n) {
|
4979 | var i, j, b;
|
4980 | var m = gf(), t = gf();
|
4981 | for (i = 0; i < 16; i++) t[i] = n[i];
|
4982 | car25519(t);
|
4983 | car25519(t);
|
4984 | car25519(t);
|
4985 | for (j = 0; j < 2; j++) {
|
4986 | m[0] = t[0] - 0xffed;
|
4987 | for (i = 1; i < 15; i++) {
|
4988 | m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
|
4989 | m[i-1] &= 0xffff;
|
4990 | }
|
4991 | m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
|
4992 | b = (m[15]>>16) & 1;
|
4993 | m[14] &= 0xffff;
|
4994 | sel25519(t, m, 1-b);
|
4995 | }
|
4996 | for (i = 0; i < 16; i++) {
|
4997 | o[2*i] = t[i] & 0xff;
|
4998 | o[2*i+1] = t[i]>>8;
|
4999 | }
|
5000 | }
|
5001 |
|
5002 | function neq25519(a, b) {
|
5003 | var c = new Uint8Array(32), d = new Uint8Array(32);
|
5004 | pack25519(c, a);
|
5005 | pack25519(d, b);
|
5006 | return crypto_verify_32(c, 0, d, 0);
|
5007 | }
|
5008 |
|
5009 | function par25519(a) {
|
5010 | var d = new Uint8Array(32);
|
5011 | pack25519(d, a);
|
5012 | return d[0] & 1;
|
5013 | }
|
5014 |
|
5015 | function unpack25519(o, n) {
|
5016 | var i;
|
5017 | for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
|
5018 | o[15] &= 0x7fff;
|
5019 | }
|
5020 |
|
5021 | function A(o, a, b) {
|
5022 | for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];
|
5023 | }
|
5024 |
|
5025 | function Z(o, a, b) {
|
5026 | for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
|
5027 | }
|
5028 |
|
5029 | function M(o, a, b) {
|
5030 | var v, c,
|
5031 | t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
|
5032 | t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
|
5033 | t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
|
5034 | t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
|
5035 | b0 = b[0],
|
5036 | b1 = b[1],
|
5037 | b2 = b[2],
|
5038 | b3 = b[3],
|
5039 | b4 = b[4],
|
5040 | b5 = b[5],
|
5041 | b6 = b[6],
|
5042 | b7 = b[7],
|
5043 | b8 = b[8],
|
5044 | b9 = b[9],
|
5045 | b10 = b[10],
|
5046 | b11 = b[11],
|
5047 | b12 = b[12],
|
5048 | b13 = b[13],
|
5049 | b14 = b[14],
|
5050 | b15 = b[15];
|
5051 |
|
5052 | v = a[0];
|
5053 | t0 += v * b0;
|
5054 | t1 += v * b1;
|
5055 | t2 += v * b2;
|
5056 | t3 += v * b3;
|
5057 | t4 += v * b4;
|
5058 | t5 += v * b5;
|
5059 | t6 += v * b6;
|
5060 | t7 += v * b7;
|
5061 | t8 += v * b8;
|
5062 | t9 += v * b9;
|
5063 | t10 += v * b10;
|
5064 | t11 += v * b11;
|
5065 | t12 += v * b12;
|
5066 | t13 += v * b13;
|
5067 | t14 += v * b14;
|
5068 | t15 += v * b15;
|
5069 | v = a[1];
|
5070 | t1 += v * b0;
|
5071 | t2 += v * b1;
|
5072 | t3 += v * b2;
|
5073 | t4 += v * b3;
|
5074 | t5 += v * b4;
|
5075 | t6 += v * b5;
|
5076 | t7 += v * b6;
|
5077 | t8 += v * b7;
|
5078 | t9 += v * b8;
|
5079 | t10 += v * b9;
|
5080 | t11 += v * b10;
|
5081 | t12 += v * b11;
|
5082 | t13 += v * b12;
|
5083 | t14 += v * b13;
|
5084 | t15 += v * b14;
|
5085 | t16 += v * b15;
|
5086 | v = a[2];
|
5087 | t2 += v * b0;
|
5088 | t3 += v * b1;
|
5089 | t4 += v * b2;
|
5090 | t5 += v * b3;
|
5091 | t6 += v * b4;
|
5092 | t7 += v * b5;
|
5093 | t8 += v * b6;
|
5094 | t9 += v * b7;
|
5095 | t10 += v * b8;
|
5096 | t11 += v * b9;
|
5097 | t12 += v * b10;
|
5098 | t13 += v * b11;
|
5099 | t14 += v * b12;
|
5100 | t15 += v * b13;
|
5101 | t16 += v * b14;
|
5102 | t17 += v * b15;
|
5103 | v = a[3];
|
5104 | t3 += v * b0;
|
5105 | t4 += v * b1;
|
5106 | t5 += v * b2;
|
5107 | t6 += v * b3;
|
5108 | t7 += v * b4;
|
5109 | t8 += v * b5;
|
5110 | t9 += v * b6;
|
5111 | t10 += v * b7;
|
5112 | t11 += v * b8;
|
5113 | t12 += v * b9;
|
5114 | t13 += v * b10;
|
5115 | t14 += v * b11;
|
5116 | t15 += v * b12;
|
5117 | t16 += v * b13;
|
5118 | t17 += v * b14;
|
5119 | t18 += v * b15;
|
5120 | v = a[4];
|
5121 | t4 += v * b0;
|
5122 | t5 += v * b1;
|
5123 | t6 += v * b2;
|
5124 | t7 += v * b3;
|
5125 | t8 += v * b4;
|
5126 | t9 += v * b5;
|
5127 | t10 += v * b6;
|
5128 | t11 += v * b7;
|
5129 | t12 += v * b8;
|
5130 | t13 += v * b9;
|
5131 | t14 += v * b10;
|
5132 | t15 += v * b11;
|
5133 | t16 += v * b12;
|
5134 | t17 += v * b13;
|
5135 | t18 += v * b14;
|
5136 | t19 += v * b15;
|
5137 | v = a[5];
|
5138 | t5 += v * b0;
|
5139 | t6 += v * b1;
|
5140 | t7 += v * b2;
|
5141 | t8 += v * b3;
|
5142 | t9 += v * b4;
|
5143 | t10 += v * b5;
|
5144 | t11 += v * b6;
|
5145 | t12 += v * b7;
|
5146 | t13 += v * b8;
|
5147 | t14 += v * b9;
|
5148 | t15 += v * b10;
|
5149 | t16 += v * b11;
|
5150 | t17 += v * b12;
|
5151 | t18 += v * b13;
|
5152 | t19 += v * b14;
|
5153 | t20 += v * b15;
|
5154 | v = a[6];
|
5155 | t6 += v * b0;
|
5156 | t7 += v * b1;
|
5157 | t8 += v * b2;
|
5158 | t9 += v * b3;
|
5159 | t10 += v * b4;
|
5160 | t11 += v * b5;
|
5161 | t12 += v * b6;
|
5162 | t13 += v * b7;
|
5163 | t14 += v * b8;
|
5164 | t15 += v * b9;
|
5165 | t16 += v * b10;
|
5166 | t17 += v * b11;
|
5167 | t18 += v * b12;
|
5168 | t19 += v * b13;
|
5169 | t20 += v * b14;
|
5170 | t21 += v * b15;
|
5171 | v = a[7];
|
5172 | t7 += v * b0;
|
5173 | t8 += v * b1;
|
5174 | t9 += v * b2;
|
5175 | t10 += v * b3;
|
5176 | t11 += v * b4;
|
5177 | t12 += v * b5;
|
5178 | t13 += v * b6;
|
5179 | t14 += v * b7;
|
5180 | t15 += v * b8;
|
5181 | t16 += v * b9;
|
5182 | t17 += v * b10;
|
5183 | t18 += v * b11;
|
5184 | t19 += v * b12;
|
5185 | t20 += v * b13;
|
5186 | t21 += v * b14;
|
5187 | t22 += v * b15;
|
5188 | v = a[8];
|
5189 | t8 += v * b0;
|
5190 | t9 += v * b1;
|
5191 | t10 += v * b2;
|
5192 | t11 += v * b3;
|
5193 | t12 += v * b4;
|
5194 | t13 += v * b5;
|
5195 | t14 += v * b6;
|
5196 | t15 += v * b7;
|
5197 | t16 += v * b8;
|
5198 | t17 += v * b9;
|
5199 | t18 += v * b10;
|
5200 | t19 += v * b11;
|
5201 | t20 += v * b12;
|
5202 | t21 += v * b13;
|
5203 | t22 += v * b14;
|
5204 | t23 += v * b15;
|
5205 | v = a[9];
|
5206 | t9 += v * b0;
|
5207 | t10 += v * b1;
|
5208 | t11 += v * b2;
|
5209 | t12 += v * b3;
|
5210 | t13 += v * b4;
|
5211 | t14 += v * b5;
|
5212 | t15 += v * b6;
|
5213 | t16 += v * b7;
|
5214 | t17 += v * b8;
|
5215 | t18 += v * b9;
|
5216 | t19 += v * b10;
|
5217 | t20 += v * b11;
|
5218 | t21 += v * b12;
|
5219 | t22 += v * b13;
|
5220 | t23 += v * b14;
|
5221 | t24 += v * b15;
|
5222 | v = a[10];
|
5223 | t10 += v * b0;
|
5224 | t11 += v * b1;
|
5225 | t12 += v * b2;
|
5226 | t13 += v * b3;
|
5227 | t14 += v * b4;
|
5228 | t15 += v * b5;
|
5229 | t16 += v * b6;
|
5230 | t17 += v * b7;
|
5231 | t18 += v * b8;
|
5232 | t19 += v * b9;
|
5233 | t20 += v * b10;
|
5234 | t21 += v * b11;
|
5235 | t22 += v * b12;
|
5236 | t23 += v * b13;
|
5237 | t24 += v * b14;
|
5238 | t25 += v * b15;
|
5239 | v = a[11];
|
5240 | t11 += v * b0;
|
5241 | t12 += v * b1;
|
5242 | t13 += v * b2;
|
5243 | t14 += v * b3;
|
5244 | t15 += v * b4;
|
5245 | t16 += v * b5;
|
5246 | t17 += v * b6;
|
5247 | t18 += v * b7;
|
5248 | t19 += v * b8;
|
5249 | t20 += v * b9;
|
5250 | t21 += v * b10;
|
5251 | t22 += v * b11;
|
5252 | t23 += v * b12;
|
5253 | t24 += v * b13;
|
5254 | t25 += v * b14;
|
5255 | t26 += v * b15;
|
5256 | v = a[12];
|
5257 | t12 += v * b0;
|
5258 | t13 += v * b1;
|
5259 | t14 += v * b2;
|
5260 | t15 += v * b3;
|
5261 | t16 += v * b4;
|
5262 | t17 += v * b5;
|
5263 | t18 += v * b6;
|
5264 | t19 += v * b7;
|
5265 | t20 += v * b8;
|
5266 | t21 += v * b9;
|
5267 | t22 += v * b10;
|
5268 | t23 += v * b11;
|
5269 | t24 += v * b12;
|
5270 | t25 += v * b13;
|
5271 | t26 += v * b14;
|
5272 | t27 += v * b15;
|
5273 | v = a[13];
|
5274 | t13 += v * b0;
|
5275 | t14 += v * b1;
|
5276 | t15 += v * b2;
|
5277 | t16 += v * b3;
|
5278 | t17 += v * b4;
|
5279 | t18 += v * b5;
|
5280 | t19 += v * b6;
|
5281 | t20 += v * b7;
|
5282 | t21 += v * b8;
|
5283 | t22 += v * b9;
|
5284 | t23 += v * b10;
|
5285 | t24 += v * b11;
|
5286 | t25 += v * b12;
|
5287 | t26 += v * b13;
|
5288 | t27 += v * b14;
|
5289 | t28 += v * b15;
|
5290 | v = a[14];
|
5291 | t14 += v * b0;
|
5292 | t15 += v * b1;
|
5293 | t16 += v * b2;
|
5294 | t17 += v * b3;
|
5295 | t18 += v * b4;
|
5296 | t19 += v * b5;
|
5297 | t20 += v * b6;
|
5298 | t21 += v * b7;
|
5299 | t22 += v * b8;
|
5300 | t23 += v * b9;
|
5301 | t24 += v * b10;
|
5302 | t25 += v * b11;
|
5303 | t26 += v * b12;
|
5304 | t27 += v * b13;
|
5305 | t28 += v * b14;
|
5306 | t29 += v * b15;
|
5307 | v = a[15];
|
5308 | t15 += v * b0;
|
5309 | t16 += v * b1;
|
5310 | t17 += v * b2;
|
5311 | t18 += v * b3;
|
5312 | t19 += v * b4;
|
5313 | t20 += v * b5;
|
5314 | t21 += v * b6;
|
5315 | t22 += v * b7;
|
5316 | t23 += v * b8;
|
5317 | t24 += v * b9;
|
5318 | t25 += v * b10;
|
5319 | t26 += v * b11;
|
5320 | t27 += v * b12;
|
5321 | t28 += v * b13;
|
5322 | t29 += v * b14;
|
5323 | t30 += v * b15;
|
5324 |
|
5325 | t0 += 38 * t16;
|
5326 | t1 += 38 * t17;
|
5327 | t2 += 38 * t18;
|
5328 | t3 += 38 * t19;
|
5329 | t4 += 38 * t20;
|
5330 | t5 += 38 * t21;
|
5331 | t6 += 38 * t22;
|
5332 | t7 += 38 * t23;
|
5333 | t8 += 38 * t24;
|
5334 | t9 += 38 * t25;
|
5335 | t10 += 38 * t26;
|
5336 | t11 += 38 * t27;
|
5337 | t12 += 38 * t28;
|
5338 | t13 += 38 * t29;
|
5339 | t14 += 38 * t30;
|
5340 |
|
5341 |
|
5342 |
|
5343 | c = 1;
|
5344 | v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
|
5345 | v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
|
5346 | v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
|
5347 | v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
|
5348 | v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
|
5349 | v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
|
5350 | v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
|
5351 | v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
|
5352 | v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
|
5353 | v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
|
5354 | v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
|
5355 | v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
|
5356 | v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
|
5357 | v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
|
5358 | v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
|
5359 | v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
|
5360 | t0 += c-1 + 37 * (c-1);
|
5361 |
|
5362 |
|
5363 | c = 1;
|
5364 | v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
|
5365 | v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
|
5366 | v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
|
5367 | v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
|
5368 | v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
|
5369 | v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
|
5370 | v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
|
5371 | v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
|
5372 | v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
|
5373 | v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
|
5374 | v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
|
5375 | v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
|
5376 | v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
|
5377 | v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
|
5378 | v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
|
5379 | v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
|
5380 | t0 += c-1 + 37 * (c-1);
|
5381 |
|
5382 | o[ 0] = t0;
|
5383 | o[ 1] = t1;
|
5384 | o[ 2] = t2;
|
5385 | o[ 3] = t3;
|
5386 | o[ 4] = t4;
|
5387 | o[ 5] = t5;
|
5388 | o[ 6] = t6;
|
5389 | o[ 7] = t7;
|
5390 | o[ 8] = t8;
|
5391 | o[ 9] = t9;
|
5392 | o[10] = t10;
|
5393 | o[11] = t11;
|
5394 | o[12] = t12;
|
5395 | o[13] = t13;
|
5396 | o[14] = t14;
|
5397 | o[15] = t15;
|
5398 | }
|
5399 |
|
5400 | function S(o, a) {
|
5401 | M(o, a, a);
|
5402 | }
|
5403 |
|
5404 | function inv25519(o, i) {
|
5405 | var c = gf();
|
5406 | var a;
|
5407 | for (a = 0; a < 16; a++) c[a] = i[a];
|
5408 | for (a = 253; a >= 0; a--) {
|
5409 | S(c, c);
|
5410 | if(a !== 2 && a !== 4) M(c, c, i);
|
5411 | }
|
5412 | for (a = 0; a < 16; a++) o[a] = c[a];
|
5413 | }
|
5414 |
|
5415 | function pow2523(o, i) {
|
5416 | var c = gf();
|
5417 | var a;
|
5418 | for (a = 0; a < 16; a++) c[a] = i[a];
|
5419 | for (a = 250; a >= 0; a--) {
|
5420 | S(c, c);
|
5421 | if(a !== 1) M(c, c, i);
|
5422 | }
|
5423 | for (a = 0; a < 16; a++) o[a] = c[a];
|
5424 | }
|
5425 |
|
5426 | function crypto_scalarmult(q, n, p) {
|
5427 | var z = new Uint8Array(32);
|
5428 | var x = new Float64Array(80), r, i;
|
5429 | var a = gf(), b = gf(), c = gf(),
|
5430 | d = gf(), e = gf(), f = gf();
|
5431 | for (i = 0; i < 31; i++) z[i] = n[i];
|
5432 | z[31]=(n[31]&127)|64;
|
5433 | z[0]&=248;
|
5434 | unpack25519(x,p);
|
5435 | for (i = 0; i < 16; i++) {
|
5436 | b[i]=x[i];
|
5437 | d[i]=a[i]=c[i]=0;
|
5438 | }
|
5439 | a[0]=d[0]=1;
|
5440 | for (i=254; i>=0; --i) {
|
5441 | r=(z[i>>>3]>>>(i&7))&1;
|
5442 | sel25519(a,b,r);
|
5443 | sel25519(c,d,r);
|
5444 | A(e,a,c);
|
5445 | Z(a,a,c);
|
5446 | A(c,b,d);
|
5447 | Z(b,b,d);
|
5448 | S(d,e);
|
5449 | S(f,a);
|
5450 | M(a,c,a);
|
5451 | M(c,b,e);
|
5452 | A(e,a,c);
|
5453 | Z(a,a,c);
|
5454 | S(b,a);
|
5455 | Z(c,d,f);
|
5456 | M(a,c,_121665);
|
5457 | A(a,a,d);
|
5458 | M(c,c,a);
|
5459 | M(a,d,f);
|
5460 | M(d,b,x);
|
5461 | S(b,e);
|
5462 | sel25519(a,b,r);
|
5463 | sel25519(c,d,r);
|
5464 | }
|
5465 | for (i = 0; i < 16; i++) {
|
5466 | x[i+16]=a[i];
|
5467 | x[i+32]=c[i];
|
5468 | x[i+48]=b[i];
|
5469 | x[i+64]=d[i];
|
5470 | }
|
5471 | var x32 = x.subarray(32);
|
5472 | var x16 = x.subarray(16);
|
5473 | inv25519(x32,x32);
|
5474 | M(x16,x16,x32);
|
5475 | pack25519(q,x16);
|
5476 | return 0;
|
5477 | }
|
5478 |
|
5479 | function crypto_scalarmult_base(q, n) {
|
5480 | return crypto_scalarmult(q, n, _9);
|
5481 | }
|
5482 |
|
5483 | function crypto_box_keypair(y, x) {
|
5484 | randombytes(x, 32);
|
5485 | return crypto_scalarmult_base(y, x);
|
5486 | }
|
5487 |
|
5488 | function crypto_box_beforenm(k, y, x) {
|
5489 | var s = new Uint8Array(32);
|
5490 | crypto_scalarmult(s, x, y);
|
5491 | return crypto_core_hsalsa20(k, _0, s, sigma);
|
5492 | }
|
5493 |
|
5494 | var crypto_box_afternm = crypto_secretbox;
|
5495 | var crypto_box_open_afternm = crypto_secretbox_open;
|
5496 |
|
5497 | function crypto_box(c, m, d, n, y, x) {
|
5498 | var k = new Uint8Array(32);
|
5499 | crypto_box_beforenm(k, y, x);
|
5500 | return crypto_box_afternm(c, m, d, n, k);
|
5501 | }
|
5502 |
|
5503 | function crypto_box_open(m, c, d, n, y, x) {
|
5504 | var k = new Uint8Array(32);
|
5505 | crypto_box_beforenm(k, y, x);
|
5506 | return crypto_box_open_afternm(m, c, d, n, k);
|
5507 | }
|
5508 |
|
5509 | var K = [
|
5510 | 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
|
5511 | 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
|
5512 | 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
|
5513 | 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
|
5514 | 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
|
5515 | 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
|
5516 | 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
|
5517 | 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
|
5518 | 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
|
5519 | 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
|
5520 | 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
|
5521 | 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
|
5522 | 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
|
5523 | 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
|
5524 | 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
|
5525 | 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
|
5526 | 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
|
5527 | 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
|
5528 | 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
|
5529 | 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
|
5530 | 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
|
5531 | 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
|
5532 | 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
|
5533 | 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
|
5534 | 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
|
5535 | 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
|
5536 | 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
|
5537 | 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
|
5538 | 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
|
5539 | 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
|
5540 | 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
|
5541 | 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
|
5542 | 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
|
5543 | 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
|
5544 | 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
|
5545 | 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
|
5546 | 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
|
5547 | 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
|
5548 | 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
|
5549 | 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
|
5550 | ];
|
5551 |
|
5552 | function crypto_hashblocks_hl(hh, hl, m, n) {
|
5553 | var wh = new Int32Array(16), wl = new Int32Array(16),
|
5554 | bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
|
5555 | bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
|
5556 | th, tl, i, j, h, l, a, b, c, d;
|
5557 |
|
5558 | var ah0 = hh[0],
|
5559 | ah1 = hh[1],
|
5560 | ah2 = hh[2],
|
5561 | ah3 = hh[3],
|
5562 | ah4 = hh[4],
|
5563 | ah5 = hh[5],
|
5564 | ah6 = hh[6],
|
5565 | ah7 = hh[7],
|
5566 |
|
5567 | al0 = hl[0],
|
5568 | al1 = hl[1],
|
5569 | al2 = hl[2],
|
5570 | al3 = hl[3],
|
5571 | al4 = hl[4],
|
5572 | al5 = hl[5],
|
5573 | al6 = hl[6],
|
5574 | al7 = hl[7];
|
5575 |
|
5576 | var pos = 0;
|
5577 | while (n >= 128) {
|
5578 | for (i = 0; i < 16; i++) {
|
5579 | j = 8 * i + pos;
|
5580 | wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
|
5581 | wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
|
5582 | }
|
5583 | for (i = 0; i < 80; i++) {
|
5584 | bh0 = ah0;
|
5585 | bh1 = ah1;
|
5586 | bh2 = ah2;
|
5587 | bh3 = ah3;
|
5588 | bh4 = ah4;
|
5589 | bh5 = ah5;
|
5590 | bh6 = ah6;
|
5591 | bh7 = ah7;
|
5592 |
|
5593 | bl0 = al0;
|
5594 | bl1 = al1;
|
5595 | bl2 = al2;
|
5596 | bl3 = al3;
|
5597 | bl4 = al4;
|
5598 | bl5 = al5;
|
5599 | bl6 = al6;
|
5600 | bl7 = al7;
|
5601 |
|
5602 |
|
5603 | h = ah7;
|
5604 | l = al7;
|
5605 |
|
5606 | a = l & 0xffff; b = l >>> 16;
|
5607 | c = h & 0xffff; d = h >>> 16;
|
5608 |
|
5609 |
|
5610 | h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
|
5611 | l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));
|
5612 |
|
5613 | a += l & 0xffff; b += l >>> 16;
|
5614 | c += h & 0xffff; d += h >>> 16;
|
5615 |
|
5616 |
|
5617 | h = (ah4 & ah5) ^ (~ah4 & ah6);
|
5618 | l = (al4 & al5) ^ (~al4 & al6);
|
5619 |
|
5620 | a += l & 0xffff; b += l >>> 16;
|
5621 | c += h & 0xffff; d += h >>> 16;
|
5622 |
|
5623 |
|
5624 | h = K[i*2];
|
5625 | l = K[i*2+1];
|
5626 |
|
5627 | a += l & 0xffff; b += l >>> 16;
|
5628 | c += h & 0xffff; d += h >>> 16;
|
5629 |
|
5630 |
|
5631 | h = wh[i%16];
|
5632 | l = wl[i%16];
|
5633 |
|
5634 | a += l & 0xffff; b += l >>> 16;
|
5635 | c += h & 0xffff; d += h >>> 16;
|
5636 |
|
5637 | b += a >>> 16;
|
5638 | c += b >>> 16;
|
5639 | d += c >>> 16;
|
5640 |
|
5641 | th = c & 0xffff | d << 16;
|
5642 | tl = a & 0xffff | b << 16;
|
5643 |
|
5644 |
|
5645 | h = th;
|
5646 | l = tl;
|
5647 |
|
5648 | a = l & 0xffff; b = l >>> 16;
|
5649 | c = h & 0xffff; d = h >>> 16;
|
5650 |
|
5651 |
|
5652 | h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
|
5653 | l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));
|
5654 |
|
5655 | a += l & 0xffff; b += l >>> 16;
|
5656 | c += h & 0xffff; d += h >>> 16;
|
5657 |
|
5658 |
|
5659 | h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
|
5660 | l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);
|
5661 |
|
5662 | a += l & 0xffff; b += l >>> 16;
|
5663 | c += h & 0xffff; d += h >>> 16;
|
5664 |
|
5665 | b += a >>> 16;
|
5666 | c += b >>> 16;
|
5667 | d += c >>> 16;
|
5668 |
|
5669 | bh7 = (c & 0xffff) | (d << 16);
|
5670 | bl7 = (a & 0xffff) | (b << 16);
|
5671 |
|
5672 |
|
5673 | h = bh3;
|
5674 | l = bl3;
|
5675 |
|
5676 | a = l & 0xffff; b = l >>> 16;
|
5677 | c = h & 0xffff; d = h >>> 16;
|
5678 |
|
5679 | h = th;
|
5680 | l = tl;
|
5681 |
|
5682 | a += l & 0xffff; b += l >>> 16;
|
5683 | c += h & 0xffff; d += h >>> 16;
|
5684 |
|
5685 | b += a >>> 16;
|
5686 | c += b >>> 16;
|
5687 | d += c >>> 16;
|
5688 |
|
5689 | bh3 = (c & 0xffff) | (d << 16);
|
5690 | bl3 = (a & 0xffff) | (b << 16);
|
5691 |
|
5692 | ah1 = bh0;
|
5693 | ah2 = bh1;
|
5694 | ah3 = bh2;
|
5695 | ah4 = bh3;
|
5696 | ah5 = bh4;
|
5697 | ah6 = bh5;
|
5698 | ah7 = bh6;
|
5699 | ah0 = bh7;
|
5700 |
|
5701 | al1 = bl0;
|
5702 | al2 = bl1;
|
5703 | al3 = bl2;
|
5704 | al4 = bl3;
|
5705 | al5 = bl4;
|
5706 | al6 = bl5;
|
5707 | al7 = bl6;
|
5708 | al0 = bl7;
|
5709 |
|
5710 | if (i%16 === 15) {
|
5711 | for (j = 0; j < 16; j++) {
|
5712 |
|
5713 | h = wh[j];
|
5714 | l = wl[j];
|
5715 |
|
5716 | a = l & 0xffff; b = l >>> 16;
|
5717 | c = h & 0xffff; d = h >>> 16;
|
5718 |
|
5719 | h = wh[(j+9)%16];
|
5720 | l = wl[(j+9)%16];
|
5721 |
|
5722 | a += l & 0xffff; b += l >>> 16;
|
5723 | c += h & 0xffff; d += h >>> 16;
|
5724 |
|
5725 |
|
5726 | th = wh[(j+1)%16];
|
5727 | tl = wl[(j+1)%16];
|
5728 | h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
|
5729 | l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));
|
5730 |
|
5731 | a += l & 0xffff; b += l >>> 16;
|
5732 | c += h & 0xffff; d += h >>> 16;
|
5733 |
|
5734 |
|
5735 | th = wh[(j+14)%16];
|
5736 | tl = wl[(j+14)%16];
|
5737 | h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
|
5738 | l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));
|
5739 |
|
5740 | a += l & 0xffff; b += l >>> 16;
|
5741 | c += h & 0xffff; d += h >>> 16;
|
5742 |
|
5743 | b += a >>> 16;
|
5744 | c += b >>> 16;
|
5745 | d += c >>> 16;
|
5746 |
|
5747 | wh[j] = (c & 0xffff) | (d << 16);
|
5748 | wl[j] = (a & 0xffff) | (b << 16);
|
5749 | }
|
5750 | }
|
5751 | }
|
5752 |
|
5753 |
|
5754 | h = ah0;
|
5755 | l = al0;
|
5756 |
|
5757 | a = l & 0xffff; b = l >>> 16;
|
5758 | c = h & 0xffff; d = h >>> 16;
|
5759 |
|
5760 | h = hh[0];
|
5761 | l = hl[0];
|
5762 |
|
5763 | a += l & 0xffff; b += l >>> 16;
|
5764 | c += h & 0xffff; d += h >>> 16;
|
5765 |
|
5766 | b += a >>> 16;
|
5767 | c += b >>> 16;
|
5768 | d += c >>> 16;
|
5769 |
|
5770 | hh[0] = ah0 = (c & 0xffff) | (d << 16);
|
5771 | hl[0] = al0 = (a & 0xffff) | (b << 16);
|
5772 |
|
5773 | h = ah1;
|
5774 | l = al1;
|
5775 |
|
5776 | a = l & 0xffff; b = l >>> 16;
|
5777 | c = h & 0xffff; d = h >>> 16;
|
5778 |
|
5779 | h = hh[1];
|
5780 | l = hl[1];
|
5781 |
|
5782 | a += l & 0xffff; b += l >>> 16;
|
5783 | c += h & 0xffff; d += h >>> 16;
|
5784 |
|
5785 | b += a >>> 16;
|
5786 | c += b >>> 16;
|
5787 | d += c >>> 16;
|
5788 |
|
5789 | hh[1] = ah1 = (c & 0xffff) | (d << 16);
|
5790 | hl[1] = al1 = (a & 0xffff) | (b << 16);
|
5791 |
|
5792 | h = ah2;
|
5793 | l = al2;
|
5794 |
|
5795 | a = l & 0xffff; b = l >>> 16;
|
5796 | c = h & 0xffff; d = h >>> 16;
|
5797 |
|
5798 | h = hh[2];
|
5799 | l = hl[2];
|
5800 |
|
5801 | a += l & 0xffff; b += l >>> 16;
|
5802 | c += h & 0xffff; d += h >>> 16;
|
5803 |
|
5804 | b += a >>> 16;
|
5805 | c += b >>> 16;
|
5806 | d += c >>> 16;
|
5807 |
|
5808 | hh[2] = ah2 = (c & 0xffff) | (d << 16);
|
5809 | hl[2] = al2 = (a & 0xffff) | (b << 16);
|
5810 |
|
5811 | h = ah3;
|
5812 | l = al3;
|
5813 |
|
5814 | a = l & 0xffff; b = l >>> 16;
|
5815 | c = h & 0xffff; d = h >>> 16;
|
5816 |
|
5817 | h = hh[3];
|
5818 | l = hl[3];
|
5819 |
|
5820 | a += l & 0xffff; b += l >>> 16;
|
5821 | c += h & 0xffff; d += h >>> 16;
|
5822 |
|
5823 | b += a >>> 16;
|
5824 | c += b >>> 16;
|
5825 | d += c >>> 16;
|
5826 |
|
5827 | hh[3] = ah3 = (c & 0xffff) | (d << 16);
|
5828 | hl[3] = al3 = (a & 0xffff) | (b << 16);
|
5829 |
|
5830 | h = ah4;
|
5831 | l = al4;
|
5832 |
|
5833 | a = l & 0xffff; b = l >>> 16;
|
5834 | c = h & 0xffff; d = h >>> 16;
|
5835 |
|
5836 | h = hh[4];
|
5837 | l = hl[4];
|
5838 |
|
5839 | a += l & 0xffff; b += l >>> 16;
|
5840 | c += h & 0xffff; d += h >>> 16;
|
5841 |
|
5842 | b += a >>> 16;
|
5843 | c += b >>> 16;
|
5844 | d += c >>> 16;
|
5845 |
|
5846 | hh[4] = ah4 = (c & 0xffff) | (d << 16);
|
5847 | hl[4] = al4 = (a & 0xffff) | (b << 16);
|
5848 |
|
5849 | h = ah5;
|
5850 | l = al5;
|
5851 |
|
5852 | a = l & 0xffff; b = l >>> 16;
|
5853 | c = h & 0xffff; d = h >>> 16;
|
5854 |
|
5855 | h = hh[5];
|
5856 | l = hl[5];
|
5857 |
|
5858 | a += l & 0xffff; b += l >>> 16;
|
5859 | c += h & 0xffff; d += h >>> 16;
|
5860 |
|
5861 | b += a >>> 16;
|
5862 | c += b >>> 16;
|
5863 | d += c >>> 16;
|
5864 |
|
5865 | hh[5] = ah5 = (c & 0xffff) | (d << 16);
|
5866 | hl[5] = al5 = (a & 0xffff) | (b << 16);
|
5867 |
|
5868 | h = ah6;
|
5869 | l = al6;
|
5870 |
|
5871 | a = l & 0xffff; b = l >>> 16;
|
5872 | c = h & 0xffff; d = h >>> 16;
|
5873 |
|
5874 | h = hh[6];
|
5875 | l = hl[6];
|
5876 |
|
5877 | a += l & 0xffff; b += l >>> 16;
|
5878 | c += h & 0xffff; d += h >>> 16;
|
5879 |
|
5880 | b += a >>> 16;
|
5881 | c += b >>> 16;
|
5882 | d += c >>> 16;
|
5883 |
|
5884 | hh[6] = ah6 = (c & 0xffff) | (d << 16);
|
5885 | hl[6] = al6 = (a & 0xffff) | (b << 16);
|
5886 |
|
5887 | h = ah7;
|
5888 | l = al7;
|
5889 |
|
5890 | a = l & 0xffff; b = l >>> 16;
|
5891 | c = h & 0xffff; d = h >>> 16;
|
5892 |
|
5893 | h = hh[7];
|
5894 | l = hl[7];
|
5895 |
|
5896 | a += l & 0xffff; b += l >>> 16;
|
5897 | c += h & 0xffff; d += h >>> 16;
|
5898 |
|
5899 | b += a >>> 16;
|
5900 | c += b >>> 16;
|
5901 | d += c >>> 16;
|
5902 |
|
5903 | hh[7] = ah7 = (c & 0xffff) | (d << 16);
|
5904 | hl[7] = al7 = (a & 0xffff) | (b << 16);
|
5905 |
|
5906 | pos += 128;
|
5907 | n -= 128;
|
5908 | }
|
5909 |
|
5910 | return n;
|
5911 | }
|
5912 |
|
5913 | function crypto_hash(out, m, n) {
|
5914 | var hh = new Int32Array(8),
|
5915 | hl = new Int32Array(8),
|
5916 | x = new Uint8Array(256),
|
5917 | i, b = n;
|
5918 |
|
5919 | hh[0] = 0x6a09e667;
|
5920 | hh[1] = 0xbb67ae85;
|
5921 | hh[2] = 0x3c6ef372;
|
5922 | hh[3] = 0xa54ff53a;
|
5923 | hh[4] = 0x510e527f;
|
5924 | hh[5] = 0x9b05688c;
|
5925 | hh[6] = 0x1f83d9ab;
|
5926 | hh[7] = 0x5be0cd19;
|
5927 |
|
5928 | hl[0] = 0xf3bcc908;
|
5929 | hl[1] = 0x84caa73b;
|
5930 | hl[2] = 0xfe94f82b;
|
5931 | hl[3] = 0x5f1d36f1;
|
5932 | hl[4] = 0xade682d1;
|
5933 | hl[5] = 0x2b3e6c1f;
|
5934 | hl[6] = 0xfb41bd6b;
|
5935 | hl[7] = 0x137e2179;
|
5936 |
|
5937 | crypto_hashblocks_hl(hh, hl, m, n);
|
5938 | n %= 128;
|
5939 |
|
5940 | for (i = 0; i < n; i++) x[i] = m[b-n+i];
|
5941 | x[n] = 128;
|
5942 |
|
5943 | n = 256-128*(n<112?1:0);
|
5944 | x[n-9] = 0;
|
5945 | ts64(x, n-8, (b / 0x20000000) | 0, b << 3);
|
5946 | crypto_hashblocks_hl(hh, hl, x, n);
|
5947 |
|
5948 | for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]);
|
5949 |
|
5950 | return 0;
|
5951 | }
|
5952 |
|
5953 | function add(p, q) {
|
5954 | var a = gf(), b = gf(), c = gf(),
|
5955 | d = gf(), e = gf(), f = gf(),
|
5956 | g = gf(), h = gf(), t = gf();
|
5957 |
|
5958 | Z(a, p[1], p[0]);
|
5959 | Z(t, q[1], q[0]);
|
5960 | M(a, a, t);
|
5961 | A(b, p[0], p[1]);
|
5962 | A(t, q[0], q[1]);
|
5963 | M(b, b, t);
|
5964 | M(c, p[3], q[3]);
|
5965 | M(c, c, D2);
|
5966 | M(d, p[2], q[2]);
|
5967 | A(d, d, d);
|
5968 | Z(e, b, a);
|
5969 | Z(f, d, c);
|
5970 | A(g, d, c);
|
5971 | A(h, b, a);
|
5972 |
|
5973 | M(p[0], e, f);
|
5974 | M(p[1], h, g);
|
5975 | M(p[2], g, f);
|
5976 | M(p[3], e, h);
|
5977 | }
|
5978 |
|
5979 | function cswap(p, q, b) {
|
5980 | var i;
|
5981 | for (i = 0; i < 4; i++) {
|
5982 | sel25519(p[i], q[i], b);
|
5983 | }
|
5984 | }
|
5985 |
|
5986 | function pack(r, p) {
|
5987 | var tx = gf(), ty = gf(), zi = gf();
|
5988 | inv25519(zi, p[2]);
|
5989 | M(tx, p[0], zi);
|
5990 | M(ty, p[1], zi);
|
5991 | pack25519(r, ty);
|
5992 | r[31] ^= par25519(tx) << 7;
|
5993 | }
|
5994 |
|
5995 | function scalarmult(p, q, s) {
|
5996 | var b, i;
|
5997 | set25519(p[0], gf0);
|
5998 | set25519(p[1], gf1);
|
5999 | set25519(p[2], gf1);
|
6000 | set25519(p[3], gf0);
|
6001 | for (i = 255; i >= 0; --i) {
|
6002 | b = (s[(i/8)|0] >> (i&7)) & 1;
|
6003 | cswap(p, q, b);
|
6004 | add(q, p);
|
6005 | add(p, p);
|
6006 | cswap(p, q, b);
|
6007 | }
|
6008 | }
|
6009 |
|
6010 | function scalarbase(p, s) {
|
6011 | var q = [gf(), gf(), gf(), gf()];
|
6012 | set25519(q[0], X);
|
6013 | set25519(q[1], Y);
|
6014 | set25519(q[2], gf1);
|
6015 | M(q[3], X, Y);
|
6016 | scalarmult(p, q, s);
|
6017 | }
|
6018 |
|
6019 | function crypto_sign_keypair(pk, sk, seeded) {
|
6020 | var d = new Uint8Array(64);
|
6021 | var p = [gf(), gf(), gf(), gf()];
|
6022 | var i;
|
6023 |
|
6024 | if (!seeded) randombytes(sk, 32);
|
6025 | crypto_hash(d, sk, 32);
|
6026 | d[0] &= 248;
|
6027 | d[31] &= 127;
|
6028 | d[31] |= 64;
|
6029 |
|
6030 | scalarbase(p, d);
|
6031 | pack(pk, p);
|
6032 |
|
6033 | for (i = 0; i < 32; i++) sk[i+32] = pk[i];
|
6034 | return 0;
|
6035 | }
|
6036 |
|
6037 | var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
|
6038 |
|
6039 | function modL(r, x) {
|
6040 | var carry, i, j, k;
|
6041 | for (i = 63; i >= 32; --i) {
|
6042 | carry = 0;
|
6043 | for (j = i - 32, k = i - 12; j < k; ++j) {
|
6044 | x[j] += carry - 16 * x[i] * L[j - (i - 32)];
|
6045 | carry = (x[j] + 128) >> 8;
|
6046 | x[j] -= carry * 256;
|
6047 | }
|
6048 | x[j] += carry;
|
6049 | x[i] = 0;
|
6050 | }
|
6051 | carry = 0;
|
6052 | for (j = 0; j < 32; j++) {
|
6053 | x[j] += carry - (x[31] >> 4) * L[j];
|
6054 | carry = x[j] >> 8;
|
6055 | x[j] &= 255;
|
6056 | }
|
6057 | for (j = 0; j < 32; j++) x[j] -= carry * L[j];
|
6058 | for (i = 0; i < 32; i++) {
|
6059 | x[i+1] += x[i] >> 8;
|
6060 | r[i] = x[i] & 255;
|
6061 | }
|
6062 | }
|
6063 |
|
6064 | function reduce(r) {
|
6065 | var x = new Float64Array(64), i;
|
6066 | for (i = 0; i < 64; i++) x[i] = r[i];
|
6067 | for (i = 0; i < 64; i++) r[i] = 0;
|
6068 | modL(r, x);
|
6069 | }
|
6070 |
|
6071 |
|
6072 | function crypto_sign(sm, m, n, sk) {
|
6073 | var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
|
6074 | var i, j, x = new Float64Array(64);
|
6075 | var p = [gf(), gf(), gf(), gf()];
|
6076 |
|
6077 | crypto_hash(d, sk, 32);
|
6078 | d[0] &= 248;
|
6079 | d[31] &= 127;
|
6080 | d[31] |= 64;
|
6081 |
|
6082 | var smlen = n + 64;
|
6083 | for (i = 0; i < n; i++) sm[64 + i] = m[i];
|
6084 | for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
|
6085 |
|
6086 | crypto_hash(r, sm.subarray(32), n+32);
|
6087 | reduce(r);
|
6088 | scalarbase(p, r);
|
6089 | pack(sm, p);
|
6090 |
|
6091 | for (i = 32; i < 64; i++) sm[i] = sk[i];
|
6092 | crypto_hash(h, sm, n + 64);
|
6093 | reduce(h);
|
6094 |
|
6095 | for (i = 0; i < 64; i++) x[i] = 0;
|
6096 | for (i = 0; i < 32; i++) x[i] = r[i];
|
6097 | for (i = 0; i < 32; i++) {
|
6098 | for (j = 0; j < 32; j++) {
|
6099 | x[i+j] += h[i] * d[j];
|
6100 | }
|
6101 | }
|
6102 |
|
6103 | modL(sm.subarray(32), x);
|
6104 | return smlen;
|
6105 | }
|
6106 |
|
6107 | function unpackneg(r, p) {
|
6108 | var t = gf(), chk = gf(), num = gf(),
|
6109 | den = gf(), den2 = gf(), den4 = gf(),
|
6110 | den6 = gf();
|
6111 |
|
6112 | set25519(r[2], gf1);
|
6113 | unpack25519(r[1], p);
|
6114 | S(num, r[1]);
|
6115 | M(den, num, D);
|
6116 | Z(num, num, r[2]);
|
6117 | A(den, r[2], den);
|
6118 |
|
6119 | S(den2, den);
|
6120 | S(den4, den2);
|
6121 | M(den6, den4, den2);
|
6122 | M(t, den6, num);
|
6123 | M(t, t, den);
|
6124 |
|
6125 | pow2523(t, t);
|
6126 | M(t, t, num);
|
6127 | M(t, t, den);
|
6128 | M(t, t, den);
|
6129 | M(r[0], t, den);
|
6130 |
|
6131 | S(chk, r[0]);
|
6132 | M(chk, chk, den);
|
6133 | if (neq25519(chk, num)) M(r[0], r[0], I);
|
6134 |
|
6135 | S(chk, r[0]);
|
6136 | M(chk, chk, den);
|
6137 | if (neq25519(chk, num)) return -1;
|
6138 |
|
6139 | if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
|
6140 |
|
6141 | M(r[3], r[0], r[1]);
|
6142 | return 0;
|
6143 | }
|
6144 |
|
6145 | function crypto_sign_open(m, sm, n, pk) {
|
6146 | var i, mlen;
|
6147 | var t = new Uint8Array(32), h = new Uint8Array(64);
|
6148 | var p = [gf(), gf(), gf(), gf()],
|
6149 | q = [gf(), gf(), gf(), gf()];
|
6150 |
|
6151 | mlen = -1;
|
6152 | if (n < 64) return -1;
|
6153 |
|
6154 | if (unpackneg(q, pk)) return -1;
|
6155 |
|
6156 | for (i = 0; i < n; i++) m[i] = sm[i];
|
6157 | for (i = 0; i < 32; i++) m[i+32] = pk[i];
|
6158 | crypto_hash(h, m, n);
|
6159 | reduce(h);
|
6160 | scalarmult(p, q, h);
|
6161 |
|
6162 | scalarbase(q, sm.subarray(32));
|
6163 | add(p, q);
|
6164 | pack(t, p);
|
6165 |
|
6166 | n -= 64;
|
6167 | if (crypto_verify_32(sm, 0, t, 0)) {
|
6168 | for (i = 0; i < n; i++) m[i] = 0;
|
6169 | return -1;
|
6170 | }
|
6171 |
|
6172 | for (i = 0; i < n; i++) m[i] = sm[i + 64];
|
6173 | mlen = n;
|
6174 | return mlen;
|
6175 | }
|
6176 |
|
6177 | var crypto_secretbox_KEYBYTES = 32,
|
6178 | crypto_secretbox_NONCEBYTES = 24,
|
6179 | crypto_secretbox_ZEROBYTES = 32,
|
6180 | crypto_secretbox_BOXZEROBYTES = 16,
|
6181 | crypto_scalarmult_BYTES = 32,
|
6182 | crypto_scalarmult_SCALARBYTES = 32,
|
6183 | crypto_box_PUBLICKEYBYTES = 32,
|
6184 | crypto_box_SECRETKEYBYTES = 32,
|
6185 | crypto_box_BEFORENMBYTES = 32,
|
6186 | crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES,
|
6187 | crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES,
|
6188 | crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES,
|
6189 | crypto_sign_BYTES = 64,
|
6190 | crypto_sign_PUBLICKEYBYTES = 32,
|
6191 | crypto_sign_SECRETKEYBYTES = 64,
|
6192 | crypto_sign_SEEDBYTES = 32,
|
6193 | crypto_hash_BYTES = 64;
|
6194 |
|
6195 | nacl.lowlevel = {
|
6196 | crypto_core_hsalsa20: crypto_core_hsalsa20,
|
6197 | crypto_stream_xor: crypto_stream_xor,
|
6198 | crypto_stream: crypto_stream,
|
6199 | crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
|
6200 | crypto_stream_salsa20: crypto_stream_salsa20,
|
6201 | crypto_onetimeauth: crypto_onetimeauth,
|
6202 | crypto_onetimeauth_verify: crypto_onetimeauth_verify,
|
6203 | crypto_verify_16: crypto_verify_16,
|
6204 | crypto_verify_32: crypto_verify_32,
|
6205 | crypto_secretbox: crypto_secretbox,
|
6206 | crypto_secretbox_open: crypto_secretbox_open,
|
6207 | crypto_scalarmult: crypto_scalarmult,
|
6208 | crypto_scalarmult_base: crypto_scalarmult_base,
|
6209 | crypto_box_beforenm: crypto_box_beforenm,
|
6210 | crypto_box_afternm: crypto_box_afternm,
|
6211 | crypto_box: crypto_box,
|
6212 | crypto_box_open: crypto_box_open,
|
6213 | crypto_box_keypair: crypto_box_keypair,
|
6214 | crypto_hash: crypto_hash,
|
6215 | crypto_sign: crypto_sign,
|
6216 | crypto_sign_keypair: crypto_sign_keypair,
|
6217 | crypto_sign_open: crypto_sign_open,
|
6218 |
|
6219 | crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
|
6220 | crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
|
6221 | crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
|
6222 | crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
|
6223 | crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
|
6224 | crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
|
6225 | crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
|
6226 | crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
|
6227 | crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
|
6228 | crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
|
6229 | crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
|
6230 | crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
|
6231 | crypto_sign_BYTES: crypto_sign_BYTES,
|
6232 | crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
|
6233 | crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
|
6234 | crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
|
6235 | crypto_hash_BYTES: crypto_hash_BYTES
|
6236 | };
|
6237 |
|
6238 |
|
6239 |
|
6240 | function checkLengths(k, n) {
|
6241 | if (k.length !== crypto_secretbox_KEYBYTES) throw new Error('bad key size');
|
6242 | if (n.length !== crypto_secretbox_NONCEBYTES) throw new Error('bad nonce size');
|
6243 | }
|
6244 |
|
6245 | function checkBoxLengths(pk, sk) {
|
6246 | if (pk.length !== crypto_box_PUBLICKEYBYTES) throw new Error('bad public key size');
|
6247 | if (sk.length !== crypto_box_SECRETKEYBYTES) throw new Error('bad secret key size');
|
6248 | }
|
6249 |
|
6250 | function checkArrayTypes() {
|
6251 | var t, i;
|
6252 | for (i = 0; i < arguments.length; i++) {
|
6253 | if ((t = Object.prototype.toString.call(arguments[i])) !== '[object Uint8Array]')
|
6254 | throw new TypeError('unexpected type ' + t + ', use Uint8Array');
|
6255 | }
|
6256 | }
|
6257 |
|
6258 | function cleanup(arr) {
|
6259 | for (var i = 0; i < arr.length; i++) arr[i] = 0;
|
6260 | }
|
6261 |
|
6262 |
|
6263 | if (!nacl.util) {
|
6264 | nacl.util = {};
|
6265 | nacl.util.decodeUTF8 = nacl.util.encodeUTF8 = nacl.util.encodeBase64 = nacl.util.decodeBase64 = function() {
|
6266 | throw new Error('nacl.util moved into separate package: https://github.com/dchest/tweetnacl-util-js');
|
6267 | };
|
6268 | }
|
6269 |
|
6270 | nacl.randomBytes = function(n) {
|
6271 | var b = new Uint8Array(n);
|
6272 | randombytes(b, n);
|
6273 | return b;
|
6274 | };
|
6275 |
|
6276 | nacl.secretbox = function(msg, nonce, key) {
|
6277 | checkArrayTypes(msg, nonce, key);
|
6278 | checkLengths(key, nonce);
|
6279 | var m = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
|
6280 | var c = new Uint8Array(m.length);
|
6281 | for (var i = 0; i < msg.length; i++) m[i+crypto_secretbox_ZEROBYTES] = msg[i];
|
6282 | crypto_secretbox(c, m, m.length, nonce, key);
|
6283 | return c.subarray(crypto_secretbox_BOXZEROBYTES);
|
6284 | };
|
6285 |
|
6286 | nacl.secretbox.open = function(box, nonce, key) {
|
6287 | checkArrayTypes(box, nonce, key);
|
6288 | checkLengths(key, nonce);
|
6289 | var c = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
|
6290 | var m = new Uint8Array(c.length);
|
6291 | for (var i = 0; i < box.length; i++) c[i+crypto_secretbox_BOXZEROBYTES] = box[i];
|
6292 | if (c.length < 32) return false;
|
6293 | if (crypto_secretbox_open(m, c, c.length, nonce, key) !== 0) return false;
|
6294 | return m.subarray(crypto_secretbox_ZEROBYTES);
|
6295 | };
|
6296 |
|
6297 | nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
|
6298 | nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
|
6299 | nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
|
6300 |
|
6301 | nacl.scalarMult = function(n, p) {
|
6302 | checkArrayTypes(n, p);
|
6303 | if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
|
6304 | if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');
|
6305 | var q = new Uint8Array(crypto_scalarmult_BYTES);
|
6306 | crypto_scalarmult(q, n, p);
|
6307 | return q;
|
6308 | };
|
6309 |
|
6310 | nacl.scalarMult.base = function(n) {
|
6311 | checkArrayTypes(n);
|
6312 | if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
|
6313 | var q = new Uint8Array(crypto_scalarmult_BYTES);
|
6314 | crypto_scalarmult_base(q, n);
|
6315 | return q;
|
6316 | };
|
6317 |
|
6318 | nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
|
6319 | nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
|
6320 |
|
6321 | nacl.box = function(msg, nonce, publicKey, secretKey) {
|
6322 | var k = nacl.box.before(publicKey, secretKey);
|
6323 | return nacl.secretbox(msg, nonce, k);
|
6324 | };
|
6325 |
|
6326 | nacl.box.before = function(publicKey, secretKey) {
|
6327 | checkArrayTypes(publicKey, secretKey);
|
6328 | checkBoxLengths(publicKey, secretKey);
|
6329 | var k = new Uint8Array(crypto_box_BEFORENMBYTES);
|
6330 | crypto_box_beforenm(k, publicKey, secretKey);
|
6331 | return k;
|
6332 | };
|
6333 |
|
6334 | nacl.box.after = nacl.secretbox;
|
6335 |
|
6336 | nacl.box.open = function(msg, nonce, publicKey, secretKey) {
|
6337 | var k = nacl.box.before(publicKey, secretKey);
|
6338 | return nacl.secretbox.open(msg, nonce, k);
|
6339 | };
|
6340 |
|
6341 | nacl.box.open.after = nacl.secretbox.open;
|
6342 |
|
6343 | nacl.box.keyPair = function() {
|
6344 | var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
|
6345 | var sk = new Uint8Array(crypto_box_SECRETKEYBYTES);
|
6346 | crypto_box_keypair(pk, sk);
|
6347 | return {publicKey: pk, secretKey: sk};
|
6348 | };
|
6349 |
|
6350 | nacl.box.keyPair.fromSecretKey = function(secretKey) {
|
6351 | checkArrayTypes(secretKey);
|
6352 | if (secretKey.length !== crypto_box_SECRETKEYBYTES)
|
6353 | throw new Error('bad secret key size');
|
6354 | var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
|
6355 | crypto_scalarmult_base(pk, secretKey);
|
6356 | return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
|
6357 | };
|
6358 |
|
6359 | nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
|
6360 | nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
|
6361 | nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
|
6362 | nacl.box.nonceLength = crypto_box_NONCEBYTES;
|
6363 | nacl.box.overheadLength = nacl.secretbox.overheadLength;
|
6364 |
|
6365 | nacl.sign = function(msg, secretKey) {
|
6366 | checkArrayTypes(msg, secretKey);
|
6367 | if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
|
6368 | throw new Error('bad secret key size');
|
6369 | var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);
|
6370 | crypto_sign(signedMsg, msg, msg.length, secretKey);
|
6371 | return signedMsg;
|
6372 | };
|
6373 |
|
6374 | nacl.sign.open = function(signedMsg, publicKey) {
|
6375 | if (arguments.length !== 2)
|
6376 | throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
|
6377 | checkArrayTypes(signedMsg, publicKey);
|
6378 | if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
|
6379 | throw new Error('bad public key size');
|
6380 | var tmp = new Uint8Array(signedMsg.length);
|
6381 | var mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey);
|
6382 | if (mlen < 0) return null;
|
6383 | var m = new Uint8Array(mlen);
|
6384 | for (var i = 0; i < m.length; i++) m[i] = tmp[i];
|
6385 | return m;
|
6386 | };
|
6387 |
|
6388 | nacl.sign.detached = function(msg, secretKey) {
|
6389 | var signedMsg = nacl.sign(msg, secretKey);
|
6390 | var sig = new Uint8Array(crypto_sign_BYTES);
|
6391 | for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];
|
6392 | return sig;
|
6393 | };
|
6394 |
|
6395 | nacl.sign.detached.verify = function(msg, sig, publicKey) {
|
6396 | checkArrayTypes(msg, sig, publicKey);
|
6397 | if (sig.length !== crypto_sign_BYTES)
|
6398 | throw new Error('bad signature size');
|
6399 | if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
|
6400 | throw new Error('bad public key size');
|
6401 | var sm = new Uint8Array(crypto_sign_BYTES + msg.length);
|
6402 | var m = new Uint8Array(crypto_sign_BYTES + msg.length);
|
6403 | var i;
|
6404 | for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i];
|
6405 | for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i];
|
6406 | return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0);
|
6407 | };
|
6408 |
|
6409 | nacl.sign.keyPair = function() {
|
6410 | var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
|
6411 | var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
|
6412 | crypto_sign_keypair(pk, sk);
|
6413 | return {publicKey: pk, secretKey: sk};
|
6414 | };
|
6415 |
|
6416 | nacl.sign.keyPair.fromSecretKey = function(secretKey) {
|
6417 | checkArrayTypes(secretKey);
|
6418 | if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
|
6419 | throw new Error('bad secret key size');
|
6420 | var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
|
6421 | for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i];
|
6422 | return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
|
6423 | };
|
6424 |
|
6425 | nacl.sign.keyPair.fromSeed = function(seed) {
|
6426 | checkArrayTypes(seed);
|
6427 | if (seed.length !== crypto_sign_SEEDBYTES)
|
6428 | throw new Error('bad seed size');
|
6429 | var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
|
6430 | var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
|
6431 | for (var i = 0; i < 32; i++) sk[i] = seed[i];
|
6432 | crypto_sign_keypair(pk, sk, true);
|
6433 | return {publicKey: pk, secretKey: sk};
|
6434 | };
|
6435 |
|
6436 | nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
|
6437 | nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
|
6438 | nacl.sign.seedLength = crypto_sign_SEEDBYTES;
|
6439 | nacl.sign.signatureLength = crypto_sign_BYTES;
|
6440 |
|
6441 | nacl.hash = function(msg) {
|
6442 | checkArrayTypes(msg);
|
6443 | var h = new Uint8Array(crypto_hash_BYTES);
|
6444 | crypto_hash(h, msg, msg.length);
|
6445 | return h;
|
6446 | };
|
6447 |
|
6448 | nacl.hash.hashLength = crypto_hash_BYTES;
|
6449 |
|
6450 | nacl.verify = function(x, y) {
|
6451 | checkArrayTypes(x, y);
|
6452 |
|
6453 | if (x.length === 0 || y.length === 0) return false;
|
6454 | if (x.length !== y.length) return false;
|
6455 | return (vn(x, 0, y, 0, x.length) === 0) ? true : false;
|
6456 | };
|
6457 |
|
6458 | nacl.setPRNG = function(fn) {
|
6459 | randombytes = fn;
|
6460 | };
|
6461 |
|
6462 | (function() {
|
6463 |
|
6464 |
|
6465 | var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
|
6466 | if (crypto && crypto.getRandomValues) {
|
6467 |
|
6468 | var QUOTA = 65536;
|
6469 | nacl.setPRNG(function(x, n) {
|
6470 | var i, v = new Uint8Array(n);
|
6471 | for (i = 0; i < n; i += QUOTA) {
|
6472 | crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
|
6473 | }
|
6474 | for (i = 0; i < n; i++) x[i] = v[i];
|
6475 | cleanup(v);
|
6476 | });
|
6477 | } else if (true) {
|
6478 |
|
6479 | crypto = __webpack_require__(35);
|
6480 | if (crypto && crypto.randomBytes) {
|
6481 | nacl.setPRNG(function(x, n) {
|
6482 | var i, v = crypto.randomBytes(n);
|
6483 | for (i = 0; i < n; i++) x[i] = v[i];
|
6484 | cleanup(v);
|
6485 | });
|
6486 | }
|
6487 | }
|
6488 | })();
|
6489 |
|
6490 | })(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));
|
6491 |
|
6492 |
|
6493 | }),
|
6494 |
|
6495 | (function(module, exports) {
|
6496 |
|
6497 |
|
6498 |
|
6499 | }),
|
6500 |
|
6501 | (function(module, exports, __webpack_require__) {
|
6502 |
|
6503 | "use strict";
|
6504 |
|
6505 |
|
6506 |
|
6507 |
|
6508 |
|
6509 |
|
6510 |
|
6511 |
|
6512 |
|
6513 |
|
6514 |
|
6515 |
|
6516 |
|
6517 |
|
6518 |
|
6519 |
|
6520 |
|
6521 |
|
6522 |
|
6523 |
|
6524 |
|
6525 | const CBOR = __webpack_require__(2);
|
6526 |
|
6527 | const ArrayUtil = __webpack_require__(31);
|
6528 | const ClassUtil = __webpack_require__(3);
|
6529 | const DontCallConstructor = __webpack_require__(0);
|
6530 | const MemoryUtil = __webpack_require__(16);
|
6531 | const TypeUtil = __webpack_require__(1);
|
6532 |
|
6533 | const DecryptError = __webpack_require__(10);
|
6534 |
|
6535 | const DerivedSecrets = __webpack_require__(26);
|
6536 | const HeadKey = __webpack_require__(17);
|
6537 |
|
6538 | const IdentityKey = __webpack_require__(8);
|
6539 | const IdentityKeyPair = __webpack_require__(11);
|
6540 | const KeyPair = __webpack_require__(7);
|
6541 | const PreKeyBundle = __webpack_require__(23);
|
6542 | const PublicKey = __webpack_require__(4);
|
6543 |
|
6544 | const Header = __webpack_require__(25);
|
6545 | const HeaderMessage = __webpack_require__(9);
|
6546 | const Envelope = __webpack_require__(14);
|
6547 | const PreKeyMessage = __webpack_require__(13);
|
6548 |
|
6549 | const ChainKey = __webpack_require__(18);
|
6550 | const RecvChain = __webpack_require__(38);
|
6551 | const RootKey = __webpack_require__(39);
|
6552 | const SendChain = __webpack_require__(40);
|
6553 | const Session = __webpack_require__(30);
|
6554 |
|
6555 |
|
6556 |
|
6557 |
|
6558 | class SessionState {
|
6559 | constructor() {
|
6560 | this.recv_chains = [];
|
6561 | this.send_chain = null;
|
6562 | this.root_key = null;
|
6563 | this.prev_counter = null;
|
6564 | this.next_send_head_key = null;
|
6565 | this.next_recv_head_key = null;
|
6566 |
|
6567 | throw new DontCallConstructor(this);
|
6568 | }
|
6569 |
|
6570 | |
6571 |
|
6572 |
|
6573 |
|
6574 |
|
6575 |
|
6576 | static init_as_alice(alice_identity_pair, alice_base, bob_pkbundle) {
|
6577 | TypeUtil.assert_is_instance(IdentityKeyPair, alice_identity_pair);
|
6578 | TypeUtil.assert_is_instance(KeyPair, alice_base);
|
6579 | TypeUtil.assert_is_instance(PreKeyBundle, bob_pkbundle);
|
6580 |
|
6581 | const master_key = ArrayUtil.concatenate_array_buffers([
|
6582 | alice_identity_pair.secret_key.shared_secret(bob_pkbundle.public_key),
|
6583 | alice_base.secret_key.shared_secret(bob_pkbundle.identity_key.public_key),
|
6584 | alice_base.secret_key.shared_secret(bob_pkbundle.public_key),
|
6585 | ]);
|
6586 |
|
6587 | const derived_secrets = DerivedSecrets.kdf_without_salt(master_key, 'handshake');
|
6588 | MemoryUtil.zeroize(master_key);
|
6589 |
|
6590 | const rootkey = RootKey.from_cipher_key(derived_secrets.cipher_key);
|
6591 | const chainkey = ChainKey.from_mac_key(derived_secrets.mac_key, 0);
|
6592 | const head_key_alice = derived_secrets.head_key_alice;
|
6593 | const next_head_key_Bob = derived_secrets.next_head_key_bob;
|
6594 |
|
6595 | const send_ratchet = KeyPair.new();
|
6596 | const [rok, chk, nextHeadKey] = rootkey.dh_ratchet(send_ratchet, bob_pkbundle.public_key);
|
6597 | const recv_chains = [RecvChain.new(chainkey, bob_pkbundle.public_key, next_head_key_Bob)];
|
6598 | const send_chain = SendChain.new(chk, send_ratchet, head_key_alice);
|
6599 |
|
6600 | const state = ClassUtil.new_instance(SessionState);
|
6601 | state.next_send_head_key = nextHeadKey;
|
6602 | state.recv_chains = recv_chains;
|
6603 | state.next_recv_head_key = next_head_key_Bob;
|
6604 | state.send_chain = send_chain;
|
6605 | state.root_key = rok;
|
6606 | state.prev_counter = 0;
|
6607 | return state;
|
6608 | }
|
6609 |
|
6610 | |
6611 |
|
6612 |
|
6613 |
|
6614 |
|
6615 |
|
6616 |
|
6617 | static init_as_bob(bob_ident, bob_prekey, alice_ident, alice_base) {
|
6618 | TypeUtil.assert_is_instance(IdentityKeyPair, bob_ident);
|
6619 | TypeUtil.assert_is_instance(KeyPair, bob_prekey);
|
6620 | TypeUtil.assert_is_instance(IdentityKey, alice_ident);
|
6621 | TypeUtil.assert_is_instance(PublicKey, alice_base);
|
6622 |
|
6623 | const master_key = ArrayUtil.concatenate_array_buffers([
|
6624 | bob_prekey.secret_key.shared_secret(alice_ident.public_key),
|
6625 | bob_ident.secret_key.shared_secret(alice_base),
|
6626 | bob_prekey.secret_key.shared_secret(alice_base),
|
6627 | ]);
|
6628 |
|
6629 | const derived_secrets = DerivedSecrets.kdf_without_salt(master_key, 'handshake');
|
6630 | MemoryUtil.zeroize(master_key);
|
6631 |
|
6632 | const rootkey = RootKey.from_cipher_key(derived_secrets.cipher_key);
|
6633 | const chainkey = ChainKey.from_mac_key(derived_secrets.mac_key, 0);
|
6634 | const head_key_alice = derived_secrets.head_key_alice;
|
6635 | const next_head_key_bob = derived_secrets.next_head_key_bob;
|
6636 | const send_chain = SendChain.new(chainkey, bob_prekey, next_head_key_bob);
|
6637 |
|
6638 | const state = ClassUtil.new_instance(SessionState);
|
6639 | state.next_send_head_key = next_head_key_bob;
|
6640 | state.next_recv_head_key = head_key_alice;
|
6641 | state.send_chain = send_chain;
|
6642 | state.root_key = rootkey;
|
6643 | state.prev_counter = 0;
|
6644 | return state;
|
6645 | }
|
6646 |
|
6647 | |
6648 |
|
6649 |
|
6650 |
|
6651 |
|
6652 | ratchet(ratchet_key, prev_counter) {
|
6653 | const new_ratchet = KeyPair.new();
|
6654 |
|
6655 | const [recv_root_key, recv_chain_key, next_recv_head_key] =
|
6656 | this.root_key.dh_ratchet(this.send_chain.ratchet_key, ratchet_key);
|
6657 |
|
6658 | const [send_root_key, send_chain_key, next_send_head_key] =
|
6659 | recv_root_key.dh_ratchet(new_ratchet, ratchet_key);
|
6660 |
|
6661 | const recv_chain = RecvChain.new(recv_chain_key, ratchet_key, this.next_recv_head_key);
|
6662 | const send_chain = SendChain.new(send_chain_key, new_ratchet, this.next_send_head_key);
|
6663 |
|
6664 | this.root_key = send_root_key;
|
6665 | this.prev_counter = this.send_chain.chain_key.idx;
|
6666 | this.send_chain = send_chain;
|
6667 | this.next_send_head_key = next_send_head_key;
|
6668 | this.next_recv_head_key = next_recv_head_key;
|
6669 |
|
6670 |
|
6671 | const last_chain = this.recv_chains[0];
|
6672 | if (last_chain) {
|
6673 | last_chain.final_count = prev_counter;
|
6674 | }
|
6675 | this.recv_chains.unshift(recv_chain);
|
6676 |
|
6677 | if (this.recv_chains.length > Session.MAX_RECV_CHAINS) {
|
6678 | for (let index = Session.MAX_RECV_CHAINS; index < this.recv_chains.length; index++) {
|
6679 | MemoryUtil.zeroize(this.recv_chains[index]);
|
6680 | }
|
6681 |
|
6682 | this.recv_chains = this.recv_chains.slice(0, Session.MAX_RECV_CHAINS);
|
6683 | }
|
6684 | }
|
6685 |
|
6686 | |
6687 |
|
6688 |
|
6689 |
|
6690 |
|
6691 |
|
6692 |
|
6693 | encrypt(identity_key, pending, plaintext, confuse_pre_key_id) {
|
6694 | if (pending) {
|
6695 | TypeUtil.assert_is_integer(pending[0]);
|
6696 | TypeUtil.assert_is_instance(PublicKey, pending[1]);
|
6697 | }
|
6698 | TypeUtil.assert_is_instance(IdentityKey, identity_key);
|
6699 |
|
6700 | const message_index = this.send_chain.chain_key.idx;
|
6701 | const msgkeys = this.send_chain.chain_key.message_keys();
|
6702 | const head_key = this.send_chain.head_key;
|
6703 |
|
6704 | const header = Header.new(
|
6705 | message_index,
|
6706 | this.prev_counter,
|
6707 | this.send_chain.ratchet_key.public_key
|
6708 | ).serialise();
|
6709 |
|
6710 | let message = HeaderMessage.new(
|
6711 | head_key.encrypt(header, HeadKey.index_as_nonce(message_index)),
|
6712 | msgkeys.encrypt(plaintext)
|
6713 | );
|
6714 |
|
6715 | if (pending) {
|
6716 | message = PreKeyMessage.new(pending[0], pending[1], identity_key, message);
|
6717 | } else if (confuse_pre_key_id !== undefined) {
|
6718 |
|
6719 | message = PreKeyMessage.new(confuse_pre_key_id, KeyPair.new().public_key, identity_key, message);
|
6720 | }
|
6721 |
|
6722 | const env = Envelope.new(msgkeys.mac_key, message);
|
6723 | this.send_chain.chain_key = this.send_chain.chain_key.next();
|
6724 | return env;
|
6725 | }
|
6726 |
|
6727 | |
6728 |
|
6729 |
|
6730 |
|
6731 |
|
6732 | decrypt(envelope, msg) {
|
6733 | TypeUtil.assert_is_instance(Envelope, envelope);
|
6734 | TypeUtil.assert_is_instance(HeaderMessage, msg);
|
6735 |
|
6736 | const encrypted_header = msg.header;
|
6737 |
|
6738 | const [header, recv_chain] = (() => {
|
6739 |
|
6740 | try {
|
6741 | return [RecvChain.try_next_head_key(encrypted_header, this.next_recv_head_key), null];
|
6742 | } catch (err) {
|
6743 | handleHeaderDecryptionError(err);
|
6744 | }
|
6745 |
|
6746 |
|
6747 | const recv_chains_length = this.recv_chains.length;
|
6748 | let idx = 0;
|
6749 | for (; idx < recv_chains_length; idx++) {
|
6750 | const _recv_chain = this.recv_chains[idx];
|
6751 | try {
|
6752 | return [_recv_chain.try_head_key(encrypted_header), _recv_chain];
|
6753 | } catch (err) {
|
6754 | handleHeaderDecryptionError(err);
|
6755 | }
|
6756 | }
|
6757 |
|
6758 | return [null, null];
|
6759 |
|
6760 | function handleHeaderDecryptionError(err) {
|
6761 | if (!(err instanceof DecryptError.HeaderDecryptionFailed)) {
|
6762 | throw err;
|
6763 | }
|
6764 | }
|
6765 | })();
|
6766 |
|
6767 | if (!header) {
|
6768 | throw new DecryptError.HeaderDecryptionFailed('All chains failed', DecryptError.CODE.CASE_215);
|
6769 | }
|
6770 |
|
6771 | const rc = (() => {
|
6772 | if (!recv_chain) {
|
6773 | this.ratchet(header.ratchet_key, header.prev_counter);
|
6774 | return this.recv_chains[0];
|
6775 | }
|
6776 | return recv_chain;
|
6777 | })();
|
6778 |
|
6779 | const cipher_text = msg.cipher_text;
|
6780 | const counter = header.counter;
|
6781 | const recv_chain_index = rc.chain_key.idx;
|
6782 | if (counter < recv_chain_index) {
|
6783 | return rc.try_message_keys(envelope, header, cipher_text);
|
6784 | } else if (counter == recv_chain_index) {
|
6785 | const mks = rc.chain_key.message_keys();
|
6786 |
|
6787 | if (!envelope.verify(mks.mac_key)) {
|
6788 | throw new DecryptError.InvalidSignature(`Envelope verification failed for message with counters in sync at '${counter}'`, DecryptError.CODE.CASE_206);
|
6789 | }
|
6790 |
|
6791 | const plain = mks.decrypt(cipher_text);
|
6792 | rc.chain_key = rc.chain_key.next();
|
6793 | return plain;
|
6794 |
|
6795 | } else if (counter > recv_chain_index) {
|
6796 | const [chk, mk, mks] = rc.stage_message_keys(header);
|
6797 |
|
6798 | if (!envelope.verify(mk.mac_key)) {
|
6799 | throw new DecryptError.InvalidSignature(`Envelope verification failed for message with counter ahead. Message index is '${counter}' while receive chain index is '${recv_chain_index}'.`, DecryptError.CODE.CASE_207);
|
6800 | }
|
6801 |
|
6802 | const plain = mk.decrypt(cipher_text);
|
6803 |
|
6804 | rc.chain_key = chk.next();
|
6805 | rc.commit_message_keys(mks);
|
6806 |
|
6807 | return plain;
|
6808 | }
|
6809 | }
|
6810 |
|
6811 |
|
6812 | serialise() {
|
6813 | const e = new CBOR.Encoder();
|
6814 | this.encode(e);
|
6815 | return e.get_buffer();
|
6816 | }
|
6817 |
|
6818 | static deserialise(buf) {
|
6819 | TypeUtil.assert_is_instance(ArrayBuffer, buf);
|
6820 | return SessionState.decode(new CBOR.Decoder(buf));
|
6821 | }
|
6822 |
|
6823 | |
6824 |
|
6825 |
|
6826 |
|
6827 | encode(e) {
|
6828 | e.object(6);
|
6829 | e.u8(0);
|
6830 | this.next_send_head_key.encode(e);
|
6831 | e.u8(1);
|
6832 | this.next_recv_head_key.encode(e);
|
6833 | e.u8(2);
|
6834 | e.array(this.recv_chains.length);
|
6835 | this.recv_chains.map((rch) => rch.encode(e));
|
6836 | e.u8(3);
|
6837 | this.send_chain.encode(e);
|
6838 | e.u8(4);
|
6839 | this.root_key.encode(e);
|
6840 | e.u8(5);
|
6841 | return e.u32(this.prev_counter);
|
6842 | }
|
6843 |
|
6844 | |
6845 |
|
6846 |
|
6847 |
|
6848 | static decode(d) {
|
6849 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
6850 |
|
6851 | const self = ClassUtil.new_instance(SessionState);
|
6852 |
|
6853 | const nprops = d.object();
|
6854 | for (let i = 0; i <= nprops - 1; i++) {
|
6855 | switch (d.u8()) {
|
6856 | case 0: {
|
6857 | self.next_send_head_key = HeadKey.decode(d);
|
6858 | break;
|
6859 | }
|
6860 | case 1: {
|
6861 | self.next_recv_head_key = HeadKey.decode(d);
|
6862 | break;
|
6863 | }
|
6864 | case 2: {
|
6865 | self.recv_chains = [];
|
6866 | let len = d.array();
|
6867 | while (len--) {
|
6868 | self.recv_chains.push(RecvChain.decode(d));
|
6869 | }
|
6870 | break;
|
6871 | }
|
6872 | case 3: {
|
6873 | self.send_chain = SendChain.decode(d);
|
6874 | break;
|
6875 | }
|
6876 | case 4: {
|
6877 | self.root_key = RootKey.decode(d);
|
6878 | break;
|
6879 | }
|
6880 | case 5: {
|
6881 | self.prev_counter = d.u32();
|
6882 | break;
|
6883 | }
|
6884 | default: {
|
6885 | d.skip();
|
6886 | }
|
6887 | }
|
6888 | }
|
6889 |
|
6890 | TypeUtil.assert_is_instance(HeadKey, self.next_send_head_key);
|
6891 | TypeUtil.assert_is_instance(HeadKey, self.next_recv_head_key);
|
6892 | TypeUtil.assert_is_instance(SendChain, self.send_chain);
|
6893 | TypeUtil.assert_is_instance(Array, self.recv_chains);
|
6894 | TypeUtil.assert_is_instance(RootKey, self.root_key);
|
6895 | TypeUtil.assert_is_integer(self.prev_counter);
|
6896 |
|
6897 | return self;
|
6898 | }
|
6899 | }
|
6900 |
|
6901 | module.exports = SessionState;
|
6902 |
|
6903 |
|
6904 | }),
|
6905 |
|
6906 | (function(module, exports, __webpack_require__) {
|
6907 |
|
6908 | "use strict";
|
6909 |
|
6910 |
|
6911 |
|
6912 |
|
6913 |
|
6914 |
|
6915 |
|
6916 |
|
6917 |
|
6918 |
|
6919 |
|
6920 |
|
6921 |
|
6922 |
|
6923 |
|
6924 |
|
6925 |
|
6926 |
|
6927 |
|
6928 |
|
6929 |
|
6930 | const sodium = __webpack_require__(5);
|
6931 |
|
6932 | const ArrayUtil = __webpack_require__(31);
|
6933 | const MemoryUtil = __webpack_require__(16);
|
6934 | const TypeUtil = __webpack_require__(1);
|
6935 |
|
6936 |
|
6937 |
|
6938 | const KeyDerivationUtil = {
|
6939 | |
6940 |
|
6941 |
|
6942 |
|
6943 |
|
6944 |
|
6945 |
|
6946 |
|
6947 |
|
6948 | hkdf(salt, input, info, length) {
|
6949 | const convert_type = (value) => {
|
6950 | if (typeof value === 'string') {
|
6951 | return sodium.from_string(value);
|
6952 | }
|
6953 | TypeUtil.assert_is_instance(Uint8Array, value);
|
6954 | return value;
|
6955 | };
|
6956 |
|
6957 | salt = convert_type(salt);
|
6958 | input = convert_type(input);
|
6959 | info = convert_type(info);
|
6960 |
|
6961 | TypeUtil.assert_is_integer(length);
|
6962 |
|
6963 | const HASH_LEN = 32;
|
6964 |
|
6965 | |
6966 |
|
6967 |
|
6968 |
|
6969 | const salt_to_key = (received_salt) => {
|
6970 | const keybytes = sodium.crypto_auth_hmacsha256_KEYBYTES;
|
6971 | if (received_salt.length > keybytes) {
|
6972 | return sodium.crypto_hash_sha256(received_salt);
|
6973 | }
|
6974 |
|
6975 | const key = new Uint8Array(keybytes);
|
6976 | key.set(received_salt);
|
6977 | return key;
|
6978 | };
|
6979 |
|
6980 | |
6981 |
|
6982 |
|
6983 |
|
6984 |
|
6985 | const extract = (received_salt, received_input) => {
|
6986 | return sodium.crypto_auth_hmacsha256(received_input, salt_to_key(received_salt));
|
6987 | };
|
6988 |
|
6989 | |
6990 |
|
6991 |
|
6992 |
|
6993 |
|
6994 |
|
6995 | const expand = (tag, received_info, received_length) => {
|
6996 | let num_blocks = Math.ceil(received_length / HASH_LEN);
|
6997 | let hmac = new Uint8Array(0);
|
6998 | let result = new Uint8Array(0);
|
6999 |
|
7000 | for (let i = 0; i <= num_blocks - 1; i++) {
|
7001 | const buf = ArrayUtil.concatenate_array_buffers([hmac, received_info, new Uint8Array([i + 1])]);
|
7002 | hmac = sodium.crypto_auth_hmacsha256(buf, tag);
|
7003 | result = ArrayUtil.concatenate_array_buffers([result, hmac]);
|
7004 | }
|
7005 |
|
7006 | return new Uint8Array(result.buffer.slice(0, received_length));
|
7007 | };
|
7008 |
|
7009 | const key = extract(salt, input);
|
7010 |
|
7011 | MemoryUtil.zeroize(input);
|
7012 | MemoryUtil.zeroize(salt);
|
7013 |
|
7014 | return expand(key, info, length);
|
7015 | },
|
7016 | };
|
7017 |
|
7018 | module.exports = KeyDerivationUtil;
|
7019 |
|
7020 |
|
7021 | }),
|
7022 |
|
7023 | (function(module, exports, __webpack_require__) {
|
7024 |
|
7025 | "use strict";
|
7026 |
|
7027 |
|
7028 |
|
7029 |
|
7030 |
|
7031 |
|
7032 |
|
7033 |
|
7034 |
|
7035 |
|
7036 |
|
7037 |
|
7038 |
|
7039 |
|
7040 |
|
7041 |
|
7042 |
|
7043 |
|
7044 |
|
7045 |
|
7046 |
|
7047 | const CBOR = __webpack_require__(2);
|
7048 |
|
7049 | const ClassUtil = __webpack_require__(3);
|
7050 | const DontCallConstructor = __webpack_require__(0);
|
7051 | const TypeUtil = __webpack_require__(1);
|
7052 |
|
7053 | const PublicKey = __webpack_require__(4);
|
7054 |
|
7055 | const DecryptError = __webpack_require__(10);
|
7056 | const ProteusError = __webpack_require__(6);
|
7057 |
|
7058 | const Header = __webpack_require__(25);
|
7059 | const Envelope = __webpack_require__(14);
|
7060 |
|
7061 | const ChainKey = __webpack_require__(18);
|
7062 | const HeadKey = __webpack_require__(17);
|
7063 | const MessageKeys = __webpack_require__(32);
|
7064 |
|
7065 |
|
7066 |
|
7067 |
|
7068 |
|
7069 |
|
7070 |
|
7071 | class RecvChain {
|
7072 | constructor() {
|
7073 | throw new DontCallConstructor(this);
|
7074 | }
|
7075 |
|
7076 | |
7077 |
|
7078 |
|
7079 |
|
7080 |
|
7081 |
|
7082 | static new(chain_key, public_key, head_key) {
|
7083 | TypeUtil.assert_is_instance(ChainKey, chain_key);
|
7084 | TypeUtil.assert_is_instance(PublicKey, public_key);
|
7085 |
|
7086 | const rc = ClassUtil.new_instance(RecvChain);
|
7087 | rc.chain_key = chain_key;
|
7088 | rc.ratchet_key = public_key;
|
7089 | rc.head_key = head_key;
|
7090 | rc.final_count = null;
|
7091 | rc.message_keys = [];
|
7092 | return rc;
|
7093 | }
|
7094 |
|
7095 | |
7096 |
|
7097 |
|
7098 |
|
7099 |
|
7100 |
|
7101 |
|
7102 |
|
7103 | static _try_head_key(start_index, end_index, encrypted_header, head_key) {
|
7104 | const [header, index] = (() => {
|
7105 | for (let i = start_index; i <= end_index; i++) {
|
7106 | try {
|
7107 | const header_typed_array = head_key.decrypt(encrypted_header, HeadKey.index_as_nonce(i));
|
7108 | return [Header.deserialise(header_typed_array.buffer), i];
|
7109 | } catch (err) {
|
7110 |
|
7111 | }
|
7112 | }
|
7113 | return [null, 0];
|
7114 | })();
|
7115 |
|
7116 | if (!header) {
|
7117 | throw new DecryptError.HeaderDecryptionFailed('Head key not match', DecryptError.CODE.CASE_213);
|
7118 | }
|
7119 |
|
7120 | if (header.counter !== index) {
|
7121 | throw new DecryptError.InvalidHeader('Invalid header', DecryptError.CODE.CASE_214);
|
7122 | }
|
7123 |
|
7124 | return header;
|
7125 | }
|
7126 |
|
7127 | |
7128 |
|
7129 |
|
7130 |
|
7131 |
|
7132 | static try_next_head_key(encrypted_header, next_head_key) {
|
7133 |
|
7134 | return RecvChain._try_head_key(0, RecvChain.MAX_COUNTER_GAP, encrypted_header, next_head_key);
|
7135 | }
|
7136 |
|
7137 | |
7138 |
|
7139 |
|
7140 |
|
7141 | try_head_key(encrypted_header) {
|
7142 | const final_count = this.final_count;
|
7143 |
|
7144 | const start_index = this.message_keys.length > 0
|
7145 | ? this.message_keys[0].counter
|
7146 | : this.chain_key.idx;
|
7147 | const end_index = final_count !== null
|
7148 | ? final_count - 1
|
7149 | : start_index + RecvChain.MAX_COUNTER_GAP;
|
7150 |
|
7151 | return RecvChain._try_head_key(start_index, end_index, encrypted_header, this.head_key);
|
7152 | }
|
7153 |
|
7154 | |
7155 |
|
7156 |
|
7157 |
|
7158 |
|
7159 |
|
7160 | try_message_keys(envelope, header, cipher_text) {
|
7161 | TypeUtil.assert_is_instance(Envelope, envelope);
|
7162 | TypeUtil.assert_is_instance(Header, header);
|
7163 | TypeUtil.assert_is_instance(Uint8Array, cipher_text);
|
7164 |
|
7165 | if (this.message_keys[0] && this.message_keys[0].counter > header.counter) {
|
7166 | const message = `Message too old. Counter for oldest staged chain key is '${this.message_keys[0].counter}' while message counter is '${header.counter}'.`;
|
7167 | throw new DecryptError.OutdatedMessage(message, DecryptError.CODE.CASE_208);
|
7168 | }
|
7169 |
|
7170 | const idx = this.message_keys.findIndex((mk) => {
|
7171 | return mk.counter === header.counter;
|
7172 | });
|
7173 |
|
7174 | if (idx === -1) {
|
7175 | throw new DecryptError.DuplicateMessage(null, DecryptError.CODE.CASE_209);
|
7176 | }
|
7177 |
|
7178 | const mk = this.message_keys.splice(idx, 1)[0];
|
7179 | if (!envelope.verify(mk.mac_key)) {
|
7180 | const message = `Envelope verification failed for message with counter behind. Message index is '${header.counter}' while receive chain index is '${this.chain_key.idx}'.`;
|
7181 | throw new DecryptError.InvalidSignature(message, DecryptError.CODE.CASE_210);
|
7182 | }
|
7183 |
|
7184 | return mk.decrypt(cipher_text);
|
7185 | }
|
7186 |
|
7187 | |
7188 |
|
7189 |
|
7190 |
|
7191 | stage_message_keys(header) {
|
7192 | TypeUtil.assert_is_instance(Header, header);
|
7193 |
|
7194 | const num = header.counter - this.chain_key.idx;
|
7195 | if (num > RecvChain.MAX_COUNTER_GAP) {
|
7196 | if (this.chain_key.idx === 0) {
|
7197 | throw new DecryptError.TooDistantFuture('Skipped too many message at the beginning of a receive chain.', DecryptError.CODE.CASE_211);
|
7198 | }
|
7199 | throw new DecryptError.TooDistantFuture(`Skipped too many message within a used receive chain. Receive chain counter is '${this.chain_key.idx}'`, DecryptError.CODE.CASE_212);
|
7200 | }
|
7201 |
|
7202 | let keys = [];
|
7203 | let chk = this.chain_key;
|
7204 |
|
7205 | for (let i = 0; i <= num - 1; i++) {
|
7206 | keys.push(chk.message_keys());
|
7207 | chk = chk.next();
|
7208 | }
|
7209 |
|
7210 | const mk = chk.message_keys();
|
7211 | return [chk, mk, keys];
|
7212 | }
|
7213 |
|
7214 | |
7215 |
|
7216 |
|
7217 |
|
7218 | commit_message_keys(keys) {
|
7219 | TypeUtil.assert_is_instance(Array, keys);
|
7220 | keys.map((k) => TypeUtil.assert_is_instance(MessageKeys, k));
|
7221 |
|
7222 | if (keys.length > RecvChain.MAX_COUNTER_GAP) {
|
7223 | throw new ProteusError(`Number of message keys (${keys.length}) exceed message chain counter gap (${RecvChain.MAX_COUNTER_GAP}).`, ProteusError.prototype.CODE.CASE_103);
|
7224 | }
|
7225 |
|
7226 | const excess = this.message_keys.length + keys.length - RecvChain.MAX_COUNTER_GAP;
|
7227 |
|
7228 | for (let i = 0; i <= excess - 1; i++) {
|
7229 | this.message_keys.shift();
|
7230 | }
|
7231 |
|
7232 | keys.map((k) => this.message_keys.push(k));
|
7233 |
|
7234 | if (keys.length > RecvChain.MAX_COUNTER_GAP) {
|
7235 | throw new ProteusError(`Skipped message keys which exceed the message chain counter gap (${RecvChain.MAX_COUNTER_GAP}).`, ProteusError.prototype.CODE.CASE_104);
|
7236 | }
|
7237 | }
|
7238 |
|
7239 | |
7240 |
|
7241 |
|
7242 |
|
7243 | encode(e) {
|
7244 | e.object(5);
|
7245 | e.u8(0);
|
7246 | this.chain_key.encode(e);
|
7247 | e.u8(1);
|
7248 | this.ratchet_key.encode(e);
|
7249 | e.u8(2);
|
7250 | this.head_key.encode(e);
|
7251 | e.u8(3);
|
7252 | if (this.final_count !== null) {
|
7253 | e.u32(this.final_count);
|
7254 | } else {
|
7255 | e.null();
|
7256 | }
|
7257 |
|
7258 | e.u8(4);
|
7259 | e.array(this.message_keys.length);
|
7260 | return this.message_keys.map((k) => k.encode(e));
|
7261 | }
|
7262 |
|
7263 | |
7264 |
|
7265 |
|
7266 |
|
7267 | static decode(d) {
|
7268 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
7269 |
|
7270 | const self = ClassUtil.new_instance(RecvChain);
|
7271 |
|
7272 | const nprops = d.object();
|
7273 | for (let i = 0; i <= nprops - 1; i++) {
|
7274 | switch (d.u8()) {
|
7275 | case 0: {
|
7276 | self.chain_key = ChainKey.decode(d);
|
7277 | break;
|
7278 | }
|
7279 | case 1: {
|
7280 | self.ratchet_key = PublicKey.decode(d);
|
7281 | break;
|
7282 | }
|
7283 | case 2: {
|
7284 | self.head_key = HeadKey.decode(d);
|
7285 | break;
|
7286 | }
|
7287 | case 3: {
|
7288 | self.final_count = d.optional(() => d.u32());
|
7289 | break;
|
7290 | }
|
7291 | case 4: {
|
7292 | self.message_keys = [];
|
7293 |
|
7294 | let len = d.array();
|
7295 | while (len--) {
|
7296 | self.message_keys.push(MessageKeys.decode(d));
|
7297 | }
|
7298 | break;
|
7299 | }
|
7300 | default: {
|
7301 | d.skip();
|
7302 | }
|
7303 | }
|
7304 | }
|
7305 |
|
7306 | TypeUtil.assert_is_instance(ChainKey, self.chain_key);
|
7307 | TypeUtil.assert_is_instance(PublicKey, self.ratchet_key);
|
7308 | TypeUtil.assert_is_instance(HeadKey, self.head_key);
|
7309 | TypeUtil.assert_is_instance(Array, self.message_keys);
|
7310 |
|
7311 | return self;
|
7312 | }
|
7313 | }
|
7314 |
|
7315 |
|
7316 | RecvChain.MAX_COUNTER_GAP = 1000;
|
7317 |
|
7318 | module.exports = RecvChain;
|
7319 |
|
7320 |
|
7321 | }),
|
7322 |
|
7323 | (function(module, exports, __webpack_require__) {
|
7324 |
|
7325 | "use strict";
|
7326 |
|
7327 |
|
7328 |
|
7329 |
|
7330 |
|
7331 |
|
7332 |
|
7333 |
|
7334 |
|
7335 |
|
7336 |
|
7337 |
|
7338 |
|
7339 |
|
7340 |
|
7341 |
|
7342 |
|
7343 |
|
7344 |
|
7345 |
|
7346 |
|
7347 | const CBOR = __webpack_require__(2);
|
7348 |
|
7349 | const ClassUtil = __webpack_require__(3);
|
7350 | const DontCallConstructor = __webpack_require__(0);
|
7351 | const TypeUtil = __webpack_require__(1);
|
7352 |
|
7353 | const ChainKey = __webpack_require__(18);
|
7354 | const CipherKey = __webpack_require__(27);
|
7355 | const DerivedSecrets = __webpack_require__(26);
|
7356 | const KeyPair = __webpack_require__(7);
|
7357 | const PublicKey = __webpack_require__(4);
|
7358 |
|
7359 |
|
7360 |
|
7361 |
|
7362 |
|
7363 |
|
7364 |
|
7365 | class RootKey {
|
7366 | constructor() {
|
7367 | throw new DontCallConstructor(this);
|
7368 | }
|
7369 |
|
7370 | |
7371 |
|
7372 |
|
7373 |
|
7374 | static from_cipher_key(cipher_key) {
|
7375 | TypeUtil.assert_is_instance(CipherKey, cipher_key);
|
7376 |
|
7377 | const rk = ClassUtil.new_instance(RootKey);
|
7378 | rk.key = cipher_key;
|
7379 | return rk;
|
7380 | }
|
7381 |
|
7382 | |
7383 |
|
7384 |
|
7385 |
|
7386 |
|
7387 | dh_ratchet(ours, theirs) {
|
7388 | TypeUtil.assert_is_instance(KeyPair, ours);
|
7389 | TypeUtil.assert_is_instance(PublicKey, theirs);
|
7390 |
|
7391 | const secret = ours.secret_key.shared_secret(theirs);
|
7392 | const derived_secrets = DerivedSecrets.kdf(secret, this.key.key, 'dh_ratchet');
|
7393 |
|
7394 | return [
|
7395 | RootKey.from_cipher_key(derived_secrets.cipher_key),
|
7396 | ChainKey.from_mac_key(derived_secrets.mac_key, 0),
|
7397 | derived_secrets.next_head_key,
|
7398 | ];
|
7399 | }
|
7400 |
|
7401 | |
7402 |
|
7403 |
|
7404 |
|
7405 | encode(e) {
|
7406 | e.object(1);
|
7407 | e.u8(0);
|
7408 | return this.key.encode(e);
|
7409 | }
|
7410 |
|
7411 | |
7412 |
|
7413 |
|
7414 |
|
7415 | static decode(d) {
|
7416 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
7417 |
|
7418 | let cipher_key = null;
|
7419 |
|
7420 | const nprops = d.object();
|
7421 | for (let i = 0; i <= nprops - 1; i++) {
|
7422 | switch (d.u8()) {
|
7423 | case 0:
|
7424 | cipher_key = CipherKey.decode(d);
|
7425 | break;
|
7426 | default:
|
7427 | d.skip();
|
7428 | }
|
7429 | }
|
7430 | return RootKey.from_cipher_key(cipher_key);
|
7431 | }
|
7432 | }
|
7433 |
|
7434 | module.exports = RootKey;
|
7435 |
|
7436 |
|
7437 | }),
|
7438 |
|
7439 | (function(module, exports, __webpack_require__) {
|
7440 |
|
7441 | "use strict";
|
7442 |
|
7443 |
|
7444 |
|
7445 |
|
7446 |
|
7447 |
|
7448 |
|
7449 |
|
7450 |
|
7451 |
|
7452 |
|
7453 |
|
7454 |
|
7455 |
|
7456 |
|
7457 |
|
7458 |
|
7459 |
|
7460 |
|
7461 |
|
7462 |
|
7463 | const CBOR = __webpack_require__(2);
|
7464 |
|
7465 | const ClassUtil = __webpack_require__(3);
|
7466 | const DontCallConstructor = __webpack_require__(0);
|
7467 | const TypeUtil = __webpack_require__(1);
|
7468 |
|
7469 | const ChainKey = __webpack_require__(18);
|
7470 | const HeadKey = __webpack_require__(17);
|
7471 | const KeyPair = __webpack_require__(7);
|
7472 |
|
7473 |
|
7474 |
|
7475 |
|
7476 |
|
7477 |
|
7478 |
|
7479 | class SendChain {
|
7480 | constructor() {
|
7481 | throw new DontCallConstructor(this);
|
7482 | }
|
7483 |
|
7484 | |
7485 |
|
7486 |
|
7487 |
|
7488 |
|
7489 |
|
7490 | static new(chain_key, keypair, head_key) {
|
7491 | TypeUtil.assert_is_instance(ChainKey, chain_key);
|
7492 | TypeUtil.assert_is_instance(KeyPair, keypair);
|
7493 | TypeUtil.assert_is_instance(HeadKey, head_key);
|
7494 |
|
7495 | const sc = ClassUtil.new_instance(SendChain);
|
7496 | sc.chain_key = chain_key;
|
7497 | sc.ratchet_key = keypair;
|
7498 | sc.head_key = head_key;
|
7499 | return sc;
|
7500 | }
|
7501 |
|
7502 | |
7503 |
|
7504 |
|
7505 |
|
7506 | encode(e) {
|
7507 | e.object(3);
|
7508 | e.u8(0);
|
7509 | this.chain_key.encode(e);
|
7510 | e.u8(1);
|
7511 | this.ratchet_key.encode(e);
|
7512 | e.u8(2);
|
7513 | return this.head_key.encode(e);
|
7514 | }
|
7515 |
|
7516 | |
7517 |
|
7518 |
|
7519 |
|
7520 | static decode(d) {
|
7521 | TypeUtil.assert_is_instance(CBOR.Decoder, d);
|
7522 | const self = ClassUtil.new_instance(SendChain);
|
7523 | const nprops = d.object();
|
7524 | for (let i = 0; i <= nprops - 1; i++) {
|
7525 | switch (d.u8()) {
|
7526 | case 0:
|
7527 | self.chain_key = ChainKey.decode(d);
|
7528 | break;
|
7529 | case 1:
|
7530 | self.ratchet_key = KeyPair.decode(d);
|
7531 | break;
|
7532 | case 2:
|
7533 | self.head_key = HeadKey.decode(d);
|
7534 | break;
|
7535 | default:
|
7536 | d.skip();
|
7537 | }
|
7538 | }
|
7539 | TypeUtil.assert_is_instance(ChainKey, self.chain_key);
|
7540 | TypeUtil.assert_is_instance(KeyPair, self.ratchet_key);
|
7541 | TypeUtil.assert_is_instance(HeadKey, self.head_key);
|
7542 | return self;
|
7543 | }
|
7544 | }
|
7545 |
|
7546 | module.exports = SendChain;
|
7547 |
|
7548 |
|
7549 | })
|
7550 | ]);
|
7551 |
|
\ | No newline at end of file |