4 // Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
7 // Implementation derived from TweetNaCl version 20140427.
8 // See for details: http://tweetnacl.cr.yp.to/
// gf: allocates a 16-slot Float64Array and, when `init` is supplied, copies
// its entries into the leading slots (the remaining slots stay 0). Elsewhere
// in this file (unpack25519) each slot is filled with one 16-bit
// little-endian limb.
// NOTE(review): the tail of the body is not shown in this listing;
// presumably it returns r.
10 var gf = function(init) {
11 var i, r = new Float64Array(16);
12 if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
// Fail-closed default: until a real generator is installed, any request for
// random bytes throws 'no PRNG' instead of returning predictable output.
// Key generation depends on the replacement (crypto_sign_keypair calls
// randombytes(sk, 32)), so whatever is plugged in must be a
// cryptographically secure source, never Math.random().
16 // Pluggable, initialized in high-level API below.
17 var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };
// _0: 16 zero bytes, passed as the input block to crypto_core_hsalsa20 in
// crypto_box_beforenm.
19 var _0 = new Uint8Array(16);
// _9: 32 bytes with only the first byte set to 9; crypto_scalarmult_base
// passes it as the point argument of crypto_scalarmult.
20 var _9 = new Uint8Array(32); _9[0] = 9;
// Field-element constants, 16 limbs of 16 bits each, least significant
// limb first. _121665 is [0xdb41, 1] = 0xdb41 + 65536 = 121665.
// NOTE(review): D, D2, X, Y and I are presumably the Edwards curve
// constant d, 2*d, the base point coordinates and sqrt(-1) as in the
// TweetNaCl reference (I is used that way in unpackneg) — verify against
// the reference before touching any digit. The opening `var` of this
// declaration list is not shown in this listing.
24 _121665 = gf([0xdb41, 1]),
25 D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
26 D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),
27 X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),
28 Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),
29 I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
// ts64: stores a 64-bit value, given as two 32-bit halves h (high) and
// l (low), into x starting at index i, most significant byte first.
// The stores for x[i+3] and x[i+7] are not shown in this listing.
31 function ts64(x, i, h, l) {
32 x[i] = (h >> 24) & 0xff;
33 x[i+1] = (h >> 16) & 0xff;
34 x[i+2] = (h >> 8) & 0xff;
36 x[i+4] = (l >> 24) & 0xff;
37 x[i+5] = (l >> 16) & 0xff;
38 x[i+6] = (l >> 8) & 0xff;
// vn: compares n bytes of x (from xi) with n bytes of y (from yi) without
// an early exit. Every byte pair is XORed and OR-ed into d, so the loop
// always runs n iterations regardless of where the first difference is.
// Returns 0 when all bytes match and -1 otherwise.
// Keep it this way: replacing the loop with a short-circuit comparison
// (or ===) would let the running time reveal how many leading bytes of a
// MAC or signature matched.
// NOTE(review): the declaration of i and d is not shown in this listing;
// d is presumably initialised to 0.
42 function vn(x, xi, y, yi, n) {
44 for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];
// d is 0..255 for byte inputs: d == 0 gives (1 & 0x00ffffff) - 1 = 0,
// any other d gives (1 & 0) - 1 = -1. No branch on secret data.
45 return (1 & ((d - 1) >>> 8)) - 1;
// crypto_verify_16: fixed-length (16-byte) comparison via vn; returns 0 on
// equality and -1 on mismatch. Used for Poly1305 tags in
// crypto_onetimeauth_verify.
48 function crypto_verify_16(x, xi, y, yi) {
49 return vn(x,xi,y,yi,16);
// crypto_verify_32: fixed-length (32-byte) comparison via vn; returns 0 on
// equality and -1 on mismatch.
52 function crypto_verify_32(x, xi, y, yi) {
53 return vn(x,xi,y,yi,32);
// core_salsa20: Salsa20 core producing a 64-byte block in o.
//   p - 16-byte input block (nonce and counter in the stream functions)
//   k - 32-byte key
//   c - 16-byte constant (sigma in this file)
// The sixteen 32-bit state words are loaded little-endian: constant words
// at positions 0, 5, 10, 15; key words at 1-4 and 11-14; input words at 6-9.
// NOTE(review): the assignments to u inside the loop and the statements
// between the loop and the output stores are not shown in this listing.
56 function core_salsa20(o, p, k, c) {
57 var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
58 j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
59 j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
60 j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
61 j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
62 j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
63 j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
64 j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
65 j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
66 j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
67 j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
68 j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
69 j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
70 j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
71 j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
72 j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
74 var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
75 x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
// 20 rounds, two per iteration. Each step XORs a word with a 32-bit left
// rotation of u by 7, 9, 13 or 18. The visible steps use only XOR, shifts
// and OR on fixed word positions: no table lookup or branch depends on
// key or input bytes.
78 for (var i = 0; i < 20; i += 2) {
80 x4 ^= u<<7 | u>>>(32-7);
82 x8 ^= u<<9 | u>>>(32-9);
84 x12 ^= u<<13 | u>>>(32-13);
86 x0 ^= u<<18 | u>>>(32-18);
89 x9 ^= u<<7 | u>>>(32-7);
91 x13 ^= u<<9 | u>>>(32-9);
93 x1 ^= u<<13 | u>>>(32-13);
95 x5 ^= u<<18 | u>>>(32-18);
98 x14 ^= u<<7 | u>>>(32-7);
100 x2 ^= u<<9 | u>>>(32-9);
102 x6 ^= u<<13 | u>>>(32-13);
104 x10 ^= u<<18 | u>>>(32-18);
107 x3 ^= u<<7 | u>>>(32-7);
109 x7 ^= u<<9 | u>>>(32-9);
111 x11 ^= u<<13 | u>>>(32-13);
113 x15 ^= u<<18 | u>>>(32-18);
116 x1 ^= u<<7 | u>>>(32-7);
118 x2 ^= u<<9 | u>>>(32-9);
120 x3 ^= u<<13 | u>>>(32-13);
122 x0 ^= u<<18 | u>>>(32-18);
125 x6 ^= u<<7 | u>>>(32-7);
127 x7 ^= u<<9 | u>>>(32-9);
129 x4 ^= u<<13 | u>>>(32-13);
131 x5 ^= u<<18 | u>>>(32-18);
134 x11 ^= u<<7 | u>>>(32-7);
136 x8 ^= u<<9 | u>>>(32-9);
138 x9 ^= u<<13 | u>>>(32-13);
140 x10 ^= u<<18 | u>>>(32-18);
143 x12 ^= u<<7 | u>>>(32-7);
145 x13 ^= u<<9 | u>>>(32-9);
147 x14 ^= u<<13 | u>>>(32-13);
149 x15 ^= u<<18 | u>>>(32-18);
// Serialise all sixteen words x0..x15 little-endian into o[0..63].
168 o[ 0] = x0 >>> 0 & 0xff;
169 o[ 1] = x0 >>> 8 & 0xff;
170 o[ 2] = x0 >>> 16 & 0xff;
171 o[ 3] = x0 >>> 24 & 0xff;
173 o[ 4] = x1 >>> 0 & 0xff;
174 o[ 5] = x1 >>> 8 & 0xff;
175 o[ 6] = x1 >>> 16 & 0xff;
176 o[ 7] = x1 >>> 24 & 0xff;
178 o[ 8] = x2 >>> 0 & 0xff;
179 o[ 9] = x2 >>> 8 & 0xff;
180 o[10] = x2 >>> 16 & 0xff;
181 o[11] = x2 >>> 24 & 0xff;
183 o[12] = x3 >>> 0 & 0xff;
184 o[13] = x3 >>> 8 & 0xff;
185 o[14] = x3 >>> 16 & 0xff;
186 o[15] = x3 >>> 24 & 0xff;
188 o[16] = x4 >>> 0 & 0xff;
189 o[17] = x4 >>> 8 & 0xff;
190 o[18] = x4 >>> 16 & 0xff;
191 o[19] = x4 >>> 24 & 0xff;
193 o[20] = x5 >>> 0 & 0xff;
194 o[21] = x5 >>> 8 & 0xff;
195 o[22] = x5 >>> 16 & 0xff;
196 o[23] = x5 >>> 24 & 0xff;
198 o[24] = x6 >>> 0 & 0xff;
199 o[25] = x6 >>> 8 & 0xff;
200 o[26] = x6 >>> 16 & 0xff;
201 o[27] = x6 >>> 24 & 0xff;
203 o[28] = x7 >>> 0 & 0xff;
204 o[29] = x7 >>> 8 & 0xff;
205 o[30] = x7 >>> 16 & 0xff;
206 o[31] = x7 >>> 24 & 0xff;
208 o[32] = x8 >>> 0 & 0xff;
209 o[33] = x8 >>> 8 & 0xff;
210 o[34] = x8 >>> 16 & 0xff;
211 o[35] = x8 >>> 24 & 0xff;
213 o[36] = x9 >>> 0 & 0xff;
214 o[37] = x9 >>> 8 & 0xff;
215 o[38] = x9 >>> 16 & 0xff;
216 o[39] = x9 >>> 24 & 0xff;
218 o[40] = x10 >>> 0 & 0xff;
219 o[41] = x10 >>> 8 & 0xff;
220 o[42] = x10 >>> 16 & 0xff;
221 o[43] = x10 >>> 24 & 0xff;
223 o[44] = x11 >>> 0 & 0xff;
224 o[45] = x11 >>> 8 & 0xff;
225 o[46] = x11 >>> 16 & 0xff;
226 o[47] = x11 >>> 24 & 0xff;
228 o[48] = x12 >>> 0 & 0xff;
229 o[49] = x12 >>> 8 & 0xff;
230 o[50] = x12 >>> 16 & 0xff;
231 o[51] = x12 >>> 24 & 0xff;
233 o[52] = x13 >>> 0 & 0xff;
234 o[53] = x13 >>> 8 & 0xff;
235 o[54] = x13 >>> 16 & 0xff;
236 o[55] = x13 >>> 24 & 0xff;
238 o[56] = x14 >>> 0 & 0xff;
239 o[57] = x14 >>> 8 & 0xff;
240 o[58] = x14 >>> 16 & 0xff;
241 o[59] = x14 >>> 24 & 0xff;
243 o[60] = x15 >>> 0 & 0xff;
244 o[61] = x15 >>> 8 & 0xff;
245 o[62] = x15 >>> 16 & 0xff;
246 o[63] = x15 >>> 24 & 0xff;
// core_hsalsa20: same state layout and round structure as core_salsa20,
// but emits only 32 bytes: the words x0, x5, x10, x15, x6, x7, x8, x9 taken
// straight after the rounds. In this file it derives a subkey
// (crypto_stream, crypto_stream_xor) and the shared key in
// crypto_box_beforenm.
//   p - 16-byte input block, k - 32-byte key, c - 16-byte constant
// NOTE(review): the assignments to u inside the loop are not shown in this
// listing.
249 function core_hsalsa20(o,p,k,c) {
250 var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
251 j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
252 j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
253 j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
254 j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
255 j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
256 j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
257 j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
258 j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
259 j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
260 j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
261 j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
262 j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
263 j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
264 j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
265 j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
267 var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
268 x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
// 20 rounds, two per iteration, with rotations by 7, 9, 13 and 18.
271 for (var i = 0; i < 20; i += 2) {
273 x4 ^= u<<7 | u>>>(32-7);
275 x8 ^= u<<9 | u>>>(32-9);
277 x12 ^= u<<13 | u>>>(32-13);
279 x0 ^= u<<18 | u>>>(32-18);
282 x9 ^= u<<7 | u>>>(32-7);
284 x13 ^= u<<9 | u>>>(32-9);
286 x1 ^= u<<13 | u>>>(32-13);
288 x5 ^= u<<18 | u>>>(32-18);
291 x14 ^= u<<7 | u>>>(32-7);
293 x2 ^= u<<9 | u>>>(32-9);
295 x6 ^= u<<13 | u>>>(32-13);
297 x10 ^= u<<18 | u>>>(32-18);
300 x3 ^= u<<7 | u>>>(32-7);
302 x7 ^= u<<9 | u>>>(32-9);
304 x11 ^= u<<13 | u>>>(32-13);
306 x15 ^= u<<18 | u>>>(32-18);
309 x1 ^= u<<7 | u>>>(32-7);
311 x2 ^= u<<9 | u>>>(32-9);
313 x3 ^= u<<13 | u>>>(32-13);
315 x0 ^= u<<18 | u>>>(32-18);
318 x6 ^= u<<7 | u>>>(32-7);
320 x7 ^= u<<9 | u>>>(32-9);
322 x4 ^= u<<13 | u>>>(32-13);
324 x5 ^= u<<18 | u>>>(32-18);
327 x11 ^= u<<7 | u>>>(32-7);
329 x8 ^= u<<9 | u>>>(32-9);
331 x9 ^= u<<13 | u>>>(32-13);
333 x10 ^= u<<18 | u>>>(32-18);
336 x12 ^= u<<7 | u>>>(32-7);
338 x13 ^= u<<9 | u>>>(32-9);
340 x14 ^= u<<13 | u>>>(32-13);
342 x15 ^= u<<18 | u>>>(32-18);
// Output: eight words only (x0, x5, x10, x15, x6, x7, x8, x9), each
// little-endian, filling o[0..31].
345 o[ 0] = x0 >>> 0 & 0xff;
346 o[ 1] = x0 >>> 8 & 0xff;
347 o[ 2] = x0 >>> 16 & 0xff;
348 o[ 3] = x0 >>> 24 & 0xff;
350 o[ 4] = x5 >>> 0 & 0xff;
351 o[ 5] = x5 >>> 8 & 0xff;
352 o[ 6] = x5 >>> 16 & 0xff;
353 o[ 7] = x5 >>> 24 & 0xff;
355 o[ 8] = x10 >>> 0 & 0xff;
356 o[ 9] = x10 >>> 8 & 0xff;
357 o[10] = x10 >>> 16 & 0xff;
358 o[11] = x10 >>> 24 & 0xff;
360 o[12] = x15 >>> 0 & 0xff;
361 o[13] = x15 >>> 8 & 0xff;
362 o[14] = x15 >>> 16 & 0xff;
363 o[15] = x15 >>> 24 & 0xff;
365 o[16] = x6 >>> 0 & 0xff;
366 o[17] = x6 >>> 8 & 0xff;
367 o[18] = x6 >>> 16 & 0xff;
368 o[19] = x6 >>> 24 & 0xff;
370 o[20] = x7 >>> 0 & 0xff;
371 o[21] = x7 >>> 8 & 0xff;
372 o[22] = x7 >>> 16 & 0xff;
373 o[23] = x7 >>> 24 & 0xff;
375 o[24] = x8 >>> 0 & 0xff;
376 o[25] = x8 >>> 8 & 0xff;
377 o[26] = x8 >>> 16 & 0xff;
378 o[27] = x8 >>> 24 & 0xff;
380 o[28] = x9 >>> 0 & 0xff;
381 o[29] = x9 >>> 8 & 0xff;
382 o[30] = x9 >>> 16 & 0xff;
383 o[31] = x9 >>> 24 & 0xff;
// crypto_core_salsa20: NaCl-named entry point that forwards to
// core_salsa20 (out: 64 bytes, inp: 16 bytes, k: 32 bytes, c: 16 bytes).
386 function crypto_core_salsa20(out,inp,k,c) {
387 core_salsa20(out,inp,k,c);
// crypto_core_hsalsa20: NaCl-named entry point that forwards to
// core_hsalsa20 (out: 32 bytes, inp: 16 bytes, k: 32 bytes, c: 16 bytes).
390 function crypto_core_hsalsa20(out,inp,k,c) {
391 core_hsalsa20(out,inp,k,c);
// sigma: the 16-byte constant handed to both cores as argument c.
// The byte values are the ASCII codes of the string quoted below.
394 var sigma = new Uint8Array([101, 120, 112, 97, 110, 100, 32, 51, 50, 45, 98, 121, 116, 101, 32, 107]);
395 // "expand 32-byte k"
// crypto_stream_salsa20_xor: XORs b bytes of m (from mpos) with Salsa20
// keystream and writes the result to c (from cpos).
//   n - 8-byte nonce, k - 32-byte key
// z is the 16-byte core input: bytes 0..7 hold the nonce, bytes 8..15 a
// block counter that starts at zero.
// The keystream is a function of (n, k) and the counter only, so using the
// same n twice with one k produces the same keystream and XORing the two
// ciphertexts cancels it. Callers must never repeat a nonce under a key.
// NOTE(review): the loop header around the full-block section, the counter
// update details and the return statement are not shown in this listing.
397 function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
398 var z = new Uint8Array(16), x = new Uint8Array(64);
400 for (i = 0; i < 16; i++) z[i] = 0;
401 for (i = 0; i < 8; i++) z[i] = n[i];
// Full 64-byte block: generate keystream into x, XOR it into the output.
403 crypto_core_salsa20(x,z,k,sigma);
404 for (i = 0; i < 64; i++) c[cpos+i] = m[mpos+i] ^ x[i];
// Counter increment over z[8..15], carrying through u.
406 for (i = 8; i < 16; i++) {
407 u = u + (z[i] & 0xff) | 0;
// Remaining b bytes: one more keystream block, of which only b bytes
// are used.
416 crypto_core_salsa20(x,z,k,sigma);
417 for (i = 0; i < b; i++) c[cpos+i] = m[mpos+i] ^ x[i];
// crypto_stream_salsa20: writes b bytes of raw Salsa20 keystream to c
// (from cpos) for the 8-byte nonce n and 32-byte key k. Same block layout
// as crypto_stream_salsa20_xor: z[0..7] is the nonce, z[8..15] the block
// counter.
// The output is secret-equivalent material for the given (n, k); it must
// not be exposed or reused for a second message.
// NOTE(review): the loop header around the full-block section and the
// return statement are not shown in this listing.
422 function crypto_stream_salsa20(c,cpos,b,n,k) {
423 var z = new Uint8Array(16), x = new Uint8Array(64);
425 for (i = 0; i < 16; i++) z[i] = 0;
426 for (i = 0; i < 8; i++) z[i] = n[i];
428 crypto_core_salsa20(x,z,k,sigma);
429 for (i = 0; i < 64; i++) c[cpos+i] = x[i];
// Counter increment over z[8..15], carrying through u.
431 for (i = 8; i < 16; i++) {
432 u = u + (z[i] & 0xff) | 0;
// Final partial block: only b bytes of x are copied out.
440 crypto_core_salsa20(x,z,k,sigma);
441 for (i = 0; i < b; i++) c[cpos+i] = x[i];
// crypto_stream: keystream generator with a 24-byte nonce.
// The first 16 nonce bytes and k go through HSalsa20 to derive a 32-byte
// subkey s; nonce bytes 16..23 become the 8-byte Salsa20 nonce sn.
// Writes d keystream bytes to c from cpos and returns whatever
// crypto_stream_salsa20 returns.
446 function crypto_stream(c,cpos,d,n,k) {
447 var s = new Uint8Array(32);
448 crypto_core_hsalsa20(s,n,k,sigma);
449 var sn = new Uint8Array(8);
450 for (var i = 0; i < 8; i++) sn[i] = n[i+16];
451 return crypto_stream_salsa20(c,cpos,d,sn,s);
// crypto_stream_xor: XORs d bytes of m with the 24-byte-nonce keystream.
// Subkey derivation is identical to crypto_stream: HSalsa20 over n[0..15]
// and k gives s, and n[16..23] is the inner 8-byte nonce.
// This provides confidentiality only; integrity comes from the Poly1305
// tag added in crypto_secretbox. The (n, k) pair must be unique per message.
454 function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
455 var s = new Uint8Array(32);
456 crypto_core_hsalsa20(s,n,k,sigma);
457 var sn = new Uint8Array(8);
458 for (var i = 0; i < 8; i++) sn[i] = n[i+16];
459 return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,sn,s);
463 * Port of Andrew Moon's Poly1305-donna-16. Public domain.
464 * https://github.com/floodyberry/poly1305-donna
// poly1305(key): constructor for the one-time authenticator state.
//   key - 32 bytes: key[0..15] becomes r, key[16..31] becomes pad.
// r is stored as ten limbs of up to 13 bits and is clamped while loading:
// the masks 0x1f03, 0x00ff, 0x1ffe, 0x1f81 and 0x007f clear the bits that
// must be zero in r. pad is stored as eight 16-bit little-endian words and
// is added to the accumulator in finish().
// NOTE(review): a Poly1305 key authenticates one message only. In this
// file crypto_secretbox passes the first 32 bytes of its output buffer as
// the key, so the key changes with every (nonce, key) pair; do not call
// the constructor with a long-lived key. The initialisation of leftover
// and fin is not shown in this listing.
467 var poly1305 = function(key) {
468 this.buffer = new Uint8Array(16);
469 this.r = new Uint16Array(10);
470 this.h = new Uint16Array(10);
471 this.pad = new Uint16Array(8);
475 var t0, t1, t2, t3, t4, t5, t6, t7;
477 t0 = key[ 0] & 0xff | (key[ 1] & 0xff) << 8; this.r[0] = ( t0 ) & 0x1fff;
478 t1 = key[ 2] & 0xff | (key[ 3] & 0xff) << 8; this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
479 t2 = key[ 4] & 0xff | (key[ 5] & 0xff) << 8; this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
480 t3 = key[ 6] & 0xff | (key[ 7] & 0xff) << 8; this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
481 t4 = key[ 8] & 0xff | (key[ 9] & 0xff) << 8; this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
482 this.r[5] = ((t4 >>> 1)) & 0x1ffe;
483 t5 = key[10] & 0xff | (key[11] & 0xff) << 8; this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
484 t6 = key[12] & 0xff | (key[13] & 0xff) << 8; this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
485 t7 = key[14] & 0xff | (key[15] & 0xff) << 8; this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
486 this.r[9] = ((t7 >>> 5)) & 0x007f;
488 this.pad[0] = key[16] & 0xff | (key[17] & 0xff) << 8;
489 this.pad[1] = key[18] & 0xff | (key[19] & 0xff) << 8;
490 this.pad[2] = key[20] & 0xff | (key[21] & 0xff) << 8;
491 this.pad[3] = key[22] & 0xff | (key[23] & 0xff) << 8;
492 this.pad[4] = key[24] & 0xff | (key[25] & 0xff) << 8;
493 this.pad[5] = key[26] & 0xff | (key[27] & 0xff) << 8;
494 this.pad[6] = key[28] & 0xff | (key[29] & 0xff) << 8;
495 this.pad[7] = key[30] & 0xff | (key[31] & 0xff) << 8;
// blocks(m, mpos, bytes): absorbs whole 16-byte blocks of m, starting at
// mpos, into the accumulator.
// Each block is split into ten 13-bit limbs and added to h0..h9; hibit
// (1 << 11 in the top limb) appends the extra high bit to every block
// unless this.fin is set, in which case the caller has already padded.
// After the multiplication (d0..d9) each limb is carried with >>> 13 and
// masked to 13 bits; the final carry is multiplied by 5 ((c << 2) + c)
// before being folded back into the low limb.
// NOTE(review): the loads of h and r into locals, the products that fill
// d0..d9, and the write-back of h are not shown in this listing.
498 poly1305.prototype.blocks = function(m, mpos, bytes) {
499 var hibit = this.fin ? 0 : (1 << 11);
500 var t0, t1, t2, t3, t4, t5, t6, t7, c;
501 var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9;
525 while (bytes >= 16) {
526 t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0 ) & 0x1fff;
527 t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
528 t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 << 6)) & 0x1fff;
529 t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
530 t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>> 4) | (t4 << 12)) & 0x1fff;
531 h5 += ((t4 >>> 1)) & 0x1fff;
532 t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
533 t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 << 5)) & 0x1fff;
534 t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
535 h9 += ((t7 >>> 5)) | hibit;
545 c = (d0 >>> 13); d0 &= 0x1fff;
551 c += (d0 >>> 13); d0 &= 0x1fff;
559 c = (d1 >>> 13); d1 &= 0x1fff;
565 c += (d1 >>> 13); d1 &= 0x1fff;
573 c = (d2 >>> 13); d2 &= 0x1fff;
579 c += (d2 >>> 13); d2 &= 0x1fff;
587 c = (d3 >>> 13); d3 &= 0x1fff;
593 c += (d3 >>> 13); d3 &= 0x1fff;
601 c = (d4 >>> 13); d4 &= 0x1fff;
607 c += (d4 >>> 13); d4 &= 0x1fff;
615 c = (d5 >>> 13); d5 &= 0x1fff;
621 c += (d5 >>> 13); d5 &= 0x1fff;
629 c = (d6 >>> 13); d6 &= 0x1fff;
635 c += (d6 >>> 13); d6 &= 0x1fff;
643 c = (d7 >>> 13); d7 &= 0x1fff;
649 c += (d7 >>> 13); d7 &= 0x1fff;
657 c = (d8 >>> 13); d8 &= 0x1fff;
663 c += (d8 >>> 13); d8 &= 0x1fff;
671 c = (d9 >>> 13); d9 &= 0x1fff;
677 c += (d9 >>> 13); d9 &= 0x1fff;
// c * 5: the carry out of the top limb wraps around with factor 5.
679 c = (((c << 2) + c)) | 0;
// finish(mac, macpos): completes the computation and writes the 16-byte
// tag to mac[macpos..macpos+15].
// Steps visible here: pad any buffered partial block with a 1 byte followed
// by zeros and absorb it; propagate carries through h; compute g = h + 5
// with carry; pick h or g with a bit mask instead of a branch; repack the
// 13-bit limbs into eight 16-bit words; add pad with carry; serialise
// little-endian.
// The mask-based selection keeps the final reduction free of a
// data-dependent branch; do not replace it with an if/else.
// NOTE(review): several statements (declarations, the leftover test, parts
// of the carry chain and of the mask computation) are not shown in this
// listing.
711 poly1305.prototype.finish = function(mac, macpos) {
712 var g = new Uint16Array(10);
717 this.buffer[i++] = 1;
718 for (; i < 16; i++) this.buffer[i] = 0;
720 this.blocks(this.buffer, 0, 16);
723 c = this.h[1] >>> 13;
725 for (i = 2; i < 10; i++) {
727 c = this.h[i] >>> 13;
730 this.h[0] += (c * 5);
731 c = this.h[0] >>> 13;
734 c = this.h[1] >>> 13;
738 g[0] = this.h[0] + 5;
741 for (i = 1; i < 10; i++) {
742 g[i] = this.h[i] + c;
// mask is derived from bit 15 of g[9]; it is applied to every limb of g
// and h, so the choice between the two values costs the same either way.
748 mask = (g[9] >>> ((2 * 8) - 1)) - 1;
749 for (i = 0; i < 10; i++) g[i] &= mask;
751 for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i];
// Repack ten 13-bit limbs into eight 16-bit words.
753 this.h[0] = ((this.h[0] ) | (this.h[1] << 13) ) & 0xffff;
754 this.h[1] = ((this.h[1] >>> 3) | (this.h[2] << 10) ) & 0xffff;
755 this.h[2] = ((this.h[2] >>> 6) | (this.h[3] << 7) ) & 0xffff;
756 this.h[3] = ((this.h[3] >>> 9) | (this.h[4] << 4) ) & 0xffff;
757 this.h[4] = ((this.h[4] >>> 12) | (this.h[5] << 1) | (this.h[6] << 14)) & 0xffff;
758 this.h[5] = ((this.h[6] >>> 2) | (this.h[7] << 11) ) & 0xffff;
759 this.h[6] = ((this.h[7] >>> 5) | (this.h[8] << 8) ) & 0xffff;
760 this.h[7] = ((this.h[8] >>> 8) | (this.h[9] << 5) ) & 0xffff;
// Add pad (second half of the key) with carry; overflow past 128 bits is
// dropped.
762 f = this.h[0] + this.pad[0];
763 this.h[0] = f & 0xffff;
764 for (i = 1; i < 8; i++) {
765 f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0;
766 this.h[i] = f & 0xffff;
769 mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff;
770 mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff;
771 mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff;
772 mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff;
773 mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff;
774 mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff;
775 mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff;
776 mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff;
777 mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff;
778 mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff;
779 mac[macpos+10] = (this.h[5] >>> 0) & 0xff;
780 mac[macpos+11] = (this.h[5] >>> 8) & 0xff;
781 mac[macpos+12] = (this.h[6] >>> 0) & 0xff;
782 mac[macpos+13] = (this.h[6] >>> 8) & 0xff;
783 mac[macpos+14] = (this.h[7] >>> 0) & 0xff;
784 mac[macpos+15] = (this.h[7] >>> 8) & 0xff;
// update(m, mpos, bytes): feeds message bytes into the authenticator.
// Three phases are visible: top up a previously buffered partial block and
// absorb it once it reaches 16 bytes; hand the largest multiple of 16
// bytes directly to blocks(); stash the remaining tail in this.buffer and
// record its length in this.leftover for a later update() or finish().
// NOTE(review): the guards around each phase and the mpos/bytes
// adjustments between them are not shown in this listing.
787 poly1305.prototype.update = function(m, mpos, bytes) {
791 want = (16 - this.leftover);
794 for (i = 0; i < want; i++)
795 this.buffer[this.leftover + i] = m[mpos+i];
798 this.leftover += want;
799 if (this.leftover < 16)
801 this.blocks(this.buffer, 0, 16);
806 want = bytes - (bytes % 16);
807 this.blocks(m, mpos, want);
813 for (i = 0; i < bytes; i++)
814 this.buffer[this.leftover + i] = m[mpos+i];
815 this.leftover += bytes;
// crypto_onetimeauth: computes the Poly1305 tag of m[mpos..mpos+n) under
// the 32-byte key k and writes the 16 tag bytes to out[outpos..outpos+15].
// k is a one-time key: a fresh poly1305 state is built from it per call,
// and it must not authenticate a second, different message.
819 function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
820 var s = new poly1305(k);
821 s.update(m, mpos, n);
822 s.finish(out, outpos);
// crypto_onetimeauth_verify: recomputes the tag of m[mpos..mpos+n) under k
// into a scratch buffer and compares it with the 16 bytes at h[hpos] using
// crypto_verify_16, i.e. the comparison without early exit.
// Returns 0 when the tag is valid and -1 otherwise; callers must treat any
// non-zero result as a failed authentication.
826 function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
827 var x = new Uint8Array(16);
828 crypto_onetimeauth(x,0,m,mpos,n,k);
829 return crypto_verify_16(h,hpos,x,0);
// crypto_secretbox: authenticated encryption of m (d bytes including a
// 32-byte prefix) into c under the 24-byte nonce n and 32-byte key k.
// Returns -1 when d < 32.
// Layout: the whole buffer is XORed with the keystream, then the Poly1305
// tag over c[32..d) is written to c[16..31] and c[0..15] is zeroed.
// The MAC key passed to crypto_onetimeauth is c itself, so it is the first
// 32 bytes of the XOR output. That equals raw keystream only when
// m[0..31] is all zero; this function does not check that, so the caller
// is responsible for supplying the zero prefix.
// n must never repeat under the same k: a repeat reuses both the
// keystream and the one-time MAC key.
// NOTE(review): the declaration of i and the success return are not shown
// in this listing.
832 function crypto_secretbox(c,m,d,n,k) {
834 if (d < 32) return -1;
835 crypto_stream_xor(c,0,m,0,d,n,k);
836 crypto_onetimeauth(c, 16, c, 32, d - 32, c);
837 for (i = 0; i < 16; i++) c[i] = 0;
// crypto_secretbox_open: verifies and decrypts c (d bytes, laid out as
// produced by crypto_secretbox) into m under nonce n and key k.
// Returns -1 when d < 32 or when the tag does not verify.
// Order matters: the first 32 keystream bytes are generated as the MAC
// key, the tag at c[16..31] is checked over c[32..d), and only after a
// successful check is the ciphertext XORed into m. No plaintext is written
// for a forged or corrupted box.
// After decryption m[0..31] is cleared; that region would otherwise hold
// keystream XORed with the tag and padding.
// Callers must check the return value before reading m.
// NOTE(review): the declaration of i and the success return are not shown
// in this listing.
841 function crypto_secretbox_open(m,c,d,n,k) {
843 var x = new Uint8Array(32);
844 if (d < 32) return -1;
845 crypto_stream(x,0,32,n,k);
846 if (crypto_onetimeauth_verify(c, 16,c, 32,d - 32,x) !== 0) return -1;
847 crypto_stream_xor(m,0,c,0,d,n,k);
848 for (i = 0; i < 32; i++) m[i] = 0;
// set25519: copies the 16 limbs of a into r, truncating each to a 32-bit
// integer with |0.
852 function set25519(r, a) {
854 for (i = 0; i < 16; i++) r[i] = a[i]|0;
// car25519: one carry pass over the 16 limbs of o, leaving each limb in
// 0..65535. The carry out of limb 15 is folded back into limb 0 with
// weight 38 (c-1 + 37*(c-1)), which is 2^256 reduced modulo 2^255 - 19.
// The +65535 bias together with c-1 keeps v non-negative for Math.floor.
// The loop always runs 16 iterations; nothing branches on limb values.
// NOTE(review): the declaration and initial value of c are not shown in
// this listing.
857 function car25519(o) {
859 for (i = 0; i < 16; i++) {
860 v = o[i] + c + 65535;
861 c = Math.floor(v / 65536);
862 o[i] = v - c * 65536;
864 o[0] += c-1 + 37 * (c-1);
// sel25519: conditional swap of field elements p and q controlled by b,
// written with a mask rather than an if. For every limb the XOR difference
// of p and q is ANDed with c; the lines that apply t to p[i] and q[i] are
// not shown in this listing.
// NOTE(review): c is presumably an all-ones or all-zero mask derived from
// b. This is the primitive the scalar multiplications rely on to avoid
// branching on secret scalar bits; keep it branch-free.
867 function sel25519(p, q, b) {
869 for (var i = 0; i < 16; i++) {
870 t = c & (p[i] ^ q[i]);
// pack25519: serialises field element n into the byte array o, two bytes
// per limb, low byte first.
// n is copied into t, then two passes compute m = t - (2^255 - 19) limb by
// limb (0xffed, fourteen times 0xffff, 0x7fff) with the borrow taken from
// bit 16 of the previous limb, so the output is the reduced representative.
// NOTE(review): the carry calls, the borrow extraction that chooses
// between t and m, and the store of the high byte are not shown in this
// listing.
876 function pack25519(o, n) {
878 var m = gf(), t = gf();
879 for (i = 0; i < 16; i++) t[i] = n[i];
883 for (j = 0; j < 2; j++) {
884 m[0] = t[0] - 0xffed;
885 for (i = 1; i < 15; i++) {
886 m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
889 m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
894 for (i = 0; i < 16; i++) {
895 o[2*i] = t[i] & 0xff;
// neq25519: compares two field elements through 32-byte buffers c and d
// with crypto_verify_32; returns 0 when they are equal and -1 otherwise.
// NOTE(review): the lines that fill c and d (presumably pack25519 of a and
// b) are not shown in this listing.
900 function neq25519(a, b) {
901 var c = new Uint8Array(32), d = new Uint8Array(32);
904 return crypto_verify_32(c, 0, d, 0);
// par25519: only the scratch buffer allocation is shown in this listing.
// NOTE(review): callers shift the result into bit 7 of byte 31 (pack) and
// compare it with p[31]>>7 (unpackneg), so it presumably returns a single
// parity bit of the packed value — confirm against the full file.
907 function par25519(a) {
908 var d = new Uint8Array(32);
// unpack25519: loads the byte array n into field element o, combining each
// pair of bytes into one 16-bit little-endian limb.
// NOTE(review): any masking of the top limb after the loop is not shown in
// this listing.
913 function unpack25519(o, n) {
915 for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
// A: limb-wise addition o = a + b over 16 limbs. No carry or reduction is
// done here.
919 function A(o, a, b) {
920 for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];
// Z: limb-wise subtraction o = a - b over 16 limbs. No borrow or reduction
// is done here, so limbs may be negative afterwards.
923 function Z(o, a, b) {
924 for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
// M: field multiplication o = a * b.
// t0..t30 are the 31 accumulators of the 16x16 limb product. What is
// visible below is the tail: two full carry passes over t0..t15, each the
// same computation as car25519 and each ending with the wrap-around of
// the top carry into t0 with weight 38.
// The carry passes are straight-line code with no branch on limb values.
// NOTE(review): the products, the folding of t16..t30 into t0..t14 and the
// final stores into o are not shown in this listing.
927 function M(o, a, b) {
929 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
930 t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
931 t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
932 t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
// First carry pass.
1242 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
1243 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
1244 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
1245 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
1246 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
1247 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
1248 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
1249 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
1250 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
1251 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
1252 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1253 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1254 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1255 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1256 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1257 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1258 t0 += c-1 + 37 * (c-1);
// Second carry pass.
1262 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
1263 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
1264 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
1265 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
1266 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
1267 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
1268 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
1269 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
1270 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
1271 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
1272 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
1273 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
1274 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
1275 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
1276 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
1277 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
1278 t0 += c-1 + 37 * (c-1);
// inv25519: writes to o a fixed power of field element i, computed on a
// working copy c so that o and i may alias.
// The loop runs a = 253 down to 0 and multiplies by i on every step except
// a = 2 and a = 4. The skip pattern depends only on the loop counter, never
// on the value being inverted, so the operation sequence is the same for
// every input.
// NOTE(review): the per-iteration squaring of c is not shown in this
// listing; with it the exponent is 2^255 - 21, i.e. inversion modulo
// 2^255 - 19.
1302 function inv25519(o, i) {
1305 for (a = 0; a < 16; a++) c[a] = i[a];
1306 for (a = 253; a >= 0; a--) {
1308 if(a !== 2 && a !== 4) M(c, c, i);
1310 for (a = 0; a < 16; a++) o[a] = c[a];
// pow2523: writes to o a fixed power of field element i, computed on a
// working copy c.
// The loop runs a = 250 down to 0 and multiplies by i on every step except
// a = 1; the skip depends only on the loop counter.
// NOTE(review): the per-iteration squaring of c is not shown in this
// listing; with it the exponent is 2^252 - 3, as the function name
// suggests.
1313 function pow2523(o, i) {
1316 for (a = 0; a < 16; a++) c[a] = i[a];
1317 for (a = 250; a >= 0; a--) {
1319 if(a !== 1) M(c, c, i);
1321 for (a = 0; a < 16; a++) o[a] = c[a];
// crypto_scalarmult: scalar multiplication of point p by scalar n, result
// written to q (32 bytes each).
// n is copied into z so the caller's secret scalar is not modified, and
// the top byte is clamped: bit 255 cleared, bit 254 set.
// The main loop walks scalar bits 254 down to 0 and extracts each bit into
// r. The loop count is fixed and independent of the scalar value.
// NOTE(review): the clamping of z[0], the use of r (presumably through
// sel25519), the ladder arithmetic and the final inversion and packing are
// not shown in this listing. z holds secret key material and is not
// cleared in the visible lines.
1324 function crypto_scalarmult(q, n, p) {
1325 var z = new Uint8Array(32);
1326 var x = new Float64Array(80), r, i;
1327 var a = gf(), b = gf(), c = gf(),
1328 d = gf(), e = gf(), f = gf();
1329 for (i = 0; i < 31; i++) z[i] = n[i];
1330 z[31]=(n[31]&127)|64;
1333 for (i = 0; i < 16; i++) {
1338 for (i=254; i>=0; --i) {
// Bit i of the clamped scalar.
1339 r=(z[i>>>3]>>>(i&7))&1;
1363 for (i = 0; i < 16; i++) {
1369 var x32 = x.subarray(32);
1370 var x16 = x.subarray(16);
// crypto_scalarmult_base: multiplies the fixed point _9 by scalar n and
// writes the result to q. Used to derive a public key from a secret key.
1377 function crypto_scalarmult_base(q, n) {
1378 return crypto_scalarmult(q, n, _9);
// crypto_box_keypair: writes the public key for secret key x into y via
// crypto_scalarmult_base and returns its result.
// NOTE(review): the statement that fills x is not shown in this listing;
// presumably it calls randombytes, in which case the quality of the
// installed generator decides the strength of every key produced here.
1381 function crypto_box_keypair(y, x) {
1383 return crypto_scalarmult_base(y, x);
// crypto_box_beforenm: derives the 32-byte shared key k from the peer's
// public key y and our secret key x.
// s = crypto_scalarmult(x, y) is the raw shared point; it is never used as
// a key directly but is passed through HSalsa20 with a zero input block.
// The return value of crypto_scalarmult is not inspected and s is not
// checked for the all-zero value here, so a caller that needs to reject
// degenerate peer keys has to validate y itself.
// s is a secret intermediate and is not cleared before returning.
1386 function crypto_box_beforenm(k, y, x) {
1387 var s = new Uint8Array(32);
1388 crypto_scalarmult(s, x, y);
1389 return crypto_core_hsalsa20(k, _0, s, sigma);
// Once the shared key is derived, public-key boxes are exactly secret-key
// boxes: both names below are aliases, so every caveat of crypto_secretbox
// and crypto_secretbox_open (zero prefix, unique nonce, check the return
// value) applies unchanged.
1392 var crypto_box_afternm = crypto_secretbox;
1393 var crypto_box_open_afternm = crypto_secretbox_open;
// crypto_box: public-key authenticated encryption of m (d bytes) into c.
//   n - 24-byte nonce, y - recipient public key, x - sender secret key
// Derives the shared key with crypto_box_beforenm on every call and then
// delegates to crypto_box_afternm; returns that function's result.
// The nonce must be unique for each message between the same key pair.
1395 function crypto_box(c, m, d, n, y, x) {
1396 var k = new Uint8Array(32);
1397 crypto_box_beforenm(k, y, x);
1398 return crypto_box_afternm(c, m, d, n, k);
// crypto_box_open: verifies and decrypts c (d bytes) into m.
//   n - 24-byte nonce, y - sender public key, x - recipient secret key
// Derives the shared key and delegates to crypto_box_open_afternm. The
// return value is the only indication of a failed tag check; callers must
// not use m unless it signals success.
1401 function crypto_box_open(m, c, d, n, y, x) {
1402 var k = new Uint8Array(32);
1403 crypto_box_beforenm(k, y, x);
1404 return crypto_box_open_afternm(m, c, d, n, k);
1408 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
1409 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
1410 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
1411 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
1412 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
1413 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
1414 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
1415 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
1416 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
1417 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
1418 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
1419 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
1420 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
1421 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
1422 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
1423 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
1424 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
1425 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
1426 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
1427 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
1428 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
1429 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
1430 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
1431 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
1432 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
1433 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
1434 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
1435 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
1436 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
1437 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
1438 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
1439 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
1440 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
1441 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
1442 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
1443 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
1444 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
1445 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
1446 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
1447 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
// crypto_hashblocks_hl: hash compression function over the message m,
// updating the state held in hh (high 32-bit halves) and hl (low 32-bit
// halves) of eight 64-bit words.
// JavaScript has no 64-bit integers here, so every 64-bit value is kept as
// a (high, low) pair and every 64-bit addition is done in four 16-bit
// partial sums a, b, c, d that are recombined as
// (c & 0xffff) | (d << 16) and (a & 0xffff) | (b << 16).
// Per block: sixteen 64-bit words are loaded big-endian from m into
// wh/wl, 80 rounds are run, and the message schedule is extended in place
// sixteen words at a time. The rotation amounts (14/18/41, 28/34/39,
// 1/8/7, 19/61/6) are those of SHA-512.
// All visible operations are shifts, masks, XOR, AND and additions; none
// branches on message content.
// NOTE(review): the outer block loop, the loads of the working variables,
// most operand loads into h and l, the carry propagation between the
// partial sums and the return value are not shown in this listing.
1450 function crypto_hashblocks_hl(hh, hl, m, n) {
1451 var wh = new Int32Array(16), wl = new Int32Array(16),
1452 bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
1453 bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
1454 th, tl, i, j, h, l, a, b, c, d;
1476 for (i = 0; i < 16; i++) {
1478 wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
1479 wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
1481 for (i = 0; i < 80; i++) {
1504 a = l & 0xffff; b = l >>> 16;
1505 c = h & 0xffff; d = h >>> 16;
1508 h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
1509 l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));
1511 a += l & 0xffff; b += l >>> 16;
1512 c += h & 0xffff; d += h >>> 16;
1515 h = (ah4 & ah5) ^ (~ah4 & ah6);
1516 l = (al4 & al5) ^ (~al4 & al6);
1518 a += l & 0xffff; b += l >>> 16;
1519 c += h & 0xffff; d += h >>> 16;
1525 a += l & 0xffff; b += l >>> 16;
1526 c += h & 0xffff; d += h >>> 16;
1532 a += l & 0xffff; b += l >>> 16;
1533 c += h & 0xffff; d += h >>> 16;
1539 th = c & 0xffff | d << 16;
1540 tl = a & 0xffff | b << 16;
1546 a = l & 0xffff; b = l >>> 16;
1547 c = h & 0xffff; d = h >>> 16;
1550 h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
1551 l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));
1553 a += l & 0xffff; b += l >>> 16;
1554 c += h & 0xffff; d += h >>> 16;
1557 h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
1558 l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);
1560 a += l & 0xffff; b += l >>> 16;
1561 c += h & 0xffff; d += h >>> 16;
1567 bh7 = (c & 0xffff) | (d << 16);
1568 bl7 = (a & 0xffff) | (b << 16);
1574 a = l & 0xffff; b = l >>> 16;
1575 c = h & 0xffff; d = h >>> 16;
1580 a += l & 0xffff; b += l >>> 16;
1581 c += h & 0xffff; d += h >>> 16;
1587 bh3 = (c & 0xffff) | (d << 16);
1588 bl3 = (a & 0xffff) | (b << 16);
// Message schedule extension for the next sixteen rounds.
1609 for (j = 0; j < 16; j++) {
1614 a = l & 0xffff; b = l >>> 16;
1615 c = h & 0xffff; d = h >>> 16;
1620 a += l & 0xffff; b += l >>> 16;
1621 c += h & 0xffff; d += h >>> 16;
1626 h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
1627 l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));
1629 a += l & 0xffff; b += l >>> 16;
1630 c += h & 0xffff; d += h >>> 16;
1635 h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
1636 l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));
1638 a += l & 0xffff; b += l >>> 16;
1639 c += h & 0xffff; d += h >>> 16;
1645 wh[j] = (c & 0xffff) | (d << 16);
1646 wl[j] = (a & 0xffff) | (b << 16);
// Feed-forward: add the working variables to the eight state words and
// store them back into hh/hl.
1655 a = l & 0xffff; b = l >>> 16;
1656 c = h & 0xffff; d = h >>> 16;
1661 a += l & 0xffff; b += l >>> 16;
1662 c += h & 0xffff; d += h >>> 16;
1668 hh[0] = ah0 = (c & 0xffff) | (d << 16);
1669 hl[0] = al0 = (a & 0xffff) | (b << 16);
1674 a = l & 0xffff; b = l >>> 16;
1675 c = h & 0xffff; d = h >>> 16;
1680 a += l & 0xffff; b += l >>> 16;
1681 c += h & 0xffff; d += h >>> 16;
1687 hh[1] = ah1 = (c & 0xffff) | (d << 16);
1688 hl[1] = al1 = (a & 0xffff) | (b << 16);
1693 a = l & 0xffff; b = l >>> 16;
1694 c = h & 0xffff; d = h >>> 16;
1699 a += l & 0xffff; b += l >>> 16;
1700 c += h & 0xffff; d += h >>> 16;
1706 hh[2] = ah2 = (c & 0xffff) | (d << 16);
1707 hl[2] = al2 = (a & 0xffff) | (b << 16);
1712 a = l & 0xffff; b = l >>> 16;
1713 c = h & 0xffff; d = h >>> 16;
1718 a += l & 0xffff; b += l >>> 16;
1719 c += h & 0xffff; d += h >>> 16;
1725 hh[3] = ah3 = (c & 0xffff) | (d << 16);
1726 hl[3] = al3 = (a & 0xffff) | (b << 16);
1731 a = l & 0xffff; b = l >>> 16;
1732 c = h & 0xffff; d = h >>> 16;
1737 a += l & 0xffff; b += l >>> 16;
1738 c += h & 0xffff; d += h >>> 16;
1744 hh[4] = ah4 = (c & 0xffff) | (d << 16);
1745 hl[4] = al4 = (a & 0xffff) | (b << 16);
1750 a = l & 0xffff; b = l >>> 16;
1751 c = h & 0xffff; d = h >>> 16;
1756 a += l & 0xffff; b += l >>> 16;
1757 c += h & 0xffff; d += h >>> 16;
1763 hh[5] = ah5 = (c & 0xffff) | (d << 16);
1764 hl[5] = al5 = (a & 0xffff) | (b << 16);
1769 a = l & 0xffff; b = l >>> 16;
1770 c = h & 0xffff; d = h >>> 16;
1775 a += l & 0xffff; b += l >>> 16;
1776 c += h & 0xffff; d += h >>> 16;
1782 hh[6] = ah6 = (c & 0xffff) | (d << 16);
1783 hl[6] = al6 = (a & 0xffff) | (b << 16);
1788 a = l & 0xffff; b = l >>> 16;
1789 c = h & 0xffff; d = h >>> 16;
1794 a += l & 0xffff; b += l >>> 16;
1795 c += h & 0xffff; d += h >>> 16;
1801 hh[7] = ah7 = (c & 0xffff) | (d << 16);
1802 hl[7] = al7 = (a & 0xffff) | (b << 16);
// crypto_hash: hashes the first n bytes of m and writes 64 bytes to out.
// Whole blocks are compressed directly from m; the remaining tail is copied
// into the scratch buffer x, which is padded to 128 bytes when the tail is
// shorter than 112 bytes and to 256 bytes otherwise. The last 8 bytes of
// the padded buffer receive the message length in bits as a big-endian
// 64-bit value: high word b / 2^29, low word b << 3.
// The digest is the eight state words written big-endian by ts64.
// NOTE(review): the initial state values, the assignment of b, the
// reduction of n to the tail length and the padding marker byte are not
// shown in this listing.
1811 function crypto_hash(out, m, n) {
1812 var hh = new Int32Array(8),
1813 hl = new Int32Array(8),
1814 x = new Uint8Array(256),
1835 crypto_hashblocks_hl(hh, hl, m, n);
1838 for (i = 0; i < n; i++) x[i] = m[b-n+i];
1841 n = 256-128*(n<112?1:0);
1843 ts64(x, n-8, (b / 0x20000000) | 0, b << 3);
1844 crypto_hashblocks_hl(hh, hl, x, n);
1846 for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]);
// add(p, q): only the allocation of nine field-element temporaries is
// shown in this listing.
// NOTE(review): presumably this is the point addition used by scalarmult,
// with p and q as arrays of four coordinates as in cswap and scalarbase —
// confirm against the full file.
1851 function add(p, q) {
1852 var a = gf(), b = gf(), c = gf(),
1853 d = gf(), e = gf(), f = gf(),
1854 g = gf(), h = gf(), t = gf();
// cswap: conditionally swaps points p and q by applying sel25519 to each of
// their four coordinates with the same control bit b. Because sel25519 is
// mask-based, the swap performs the same work whether b is 0 or 1.
1877 function cswap(p, q, b) {
1879 for (i = 0; i < 4; i++) {
1880 sel25519(p[i], q[i], b);
// pack: encodes point p into the byte array r. The visible line stores the
// parity bit of tx in the top bit of r[31].
// NOTE(review): the inversion of the z coordinate, the computation of tx
// and ty and the packing of ty into r are not shown in this listing.
1884 function pack(r, p) {
1885 var tx = gf(), ty = gf(), zi = gf();
1890 r[31] ^= par25519(tx) << 7;
// scalarmult: computes p = s * q on the signature curve.
// p starts as the four coordinates (gf0, gf1, gf1, gf0). The loop visits
// all 256 bits of s from bit 255 down to bit 0, extracting each bit into b.
// The iteration count is fixed and independent of the scalar value.
// NOTE(review): the per-bit cswap and add calls are not shown in this
// listing.
1893 function scalarmult(p, q, s) {
1895 set25519(p[0], gf0);
1896 set25519(p[1], gf1);
1897 set25519(p[2], gf1);
1898 set25519(p[3], gf0);
1899 for (i = 255; i >= 0; --i) {
1900 b = (s[(i/8)|0] >> (i&7)) & 1;
// scalarbase: computes p = s * B, where the point q is built locally and
// then passed to scalarmult.
// NOTE(review): the assignments of q[0], q[1] and q[3] are not shown in
// this listing; presumably they load the base point from X and Y.
1908 function scalarbase(p, s) {
1909 var q = [gf(), gf(), gf(), gf()];
1912 set25519(q[2], gf1);
1914 scalarmult(p, q, s);
// crypto_sign_keypair: produces a signing key pair.
//   pk - 32-byte public key (output)
//   sk - 64-byte secret key: bytes 0..31 are the seed, bytes 32..63 receive
//        a copy of pk
//   seeded - when truthy, sk[0..31] is taken as supplied by the caller;
//        otherwise it is filled by randombytes
// The seed is hashed into d, from which the scalar is derived.
// With seeded set, the caller is fully responsible for the entropy of the
// seed; without it, security rests on the installed randombytes.
// NOTE(review): the clamping of d, the base-point multiplication, the
// packing of pk and the return value are not shown in this listing.
1917 function crypto_sign_keypair(pk, sk, seeded) {
1918 var d = new Uint8Array(64);
1919 var p = [gf(), gf(), gf(), gf()];
1922 if (!seeded) randombytes(sk, 32);
1923 crypto_hash(d, sk, 32);
1931 for (i = 0; i < 32; i++) sk[i+32] = pk[i];
// L: 32 little-endian bytes of the modulus used by modL.
// NOTE(review): presumably the order of the signature group's base point
// (2^252 + a 125-bit constant, top byte 0x10) — verify against the
// reference before editing.
1935 var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
// modL: reduces the 64-entry value x modulo L and writes the result to r.
// The first loop eliminates entries 63..32 by subtracting multiples of L
// shifted into place, carrying in signed base 256. The later loops remove
// the remaining multiple of L indicated by the top nibble of x[31] and
// normalise the carries.
// Loop bounds are constants; nothing visible branches on the value of x.
// x is modified in place and holds secret-derived data when called from
// crypto_sign.
// NOTE(review): declarations, some carry statements and the final stores
// into r are not shown in this listing.
1937 function modL(r, x) {
1939 for (i = 63; i >= 32; --i) {
1941 for (j = i - 32, k = i - 12; j < k; ++j) {
1942 x[j] += carry - 16 * x[i] * L[j - (i - 32)];
1943 carry = (x[j] + 128) >> 8;
1944 x[j] -= carry * 256;
1950 for (j = 0; j < 32; j++) {
1951 x[j] += carry - (x[31] >> 4) * L[j];
1955 for (j = 0; j < 32; j++) x[j] -= carry * L[j];
1956 for (i = 0; i < 32; i++) {
1957 x[i+1] += x[i] >> 8;
1962 function reduce(r) {
1963 var x = new Float64Array(64), i;
1964 for (i = 0; i < 64; i++) x[i] = r[i];
1965 for (i = 0; i < 64; i++) r[i] = 0;
1969 // Note: difference from C - smlen returned, not passed as argument.
1970 function crypto_sign(sm, m, n, sk) {
1971 var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
1972 var i, j, x = new Float64Array(64);
1973 var p = [gf(), gf(), gf(), gf()];
1975 crypto_hash(d, sk, 32);
1981 for (i = 0; i < n; i++) sm[64 + i] = m[i];
1982 for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
1984 crypto_hash(r, sm.subarray(32), n+32);
1989 for (i = 32; i < 64; i++) sm[i] = sk[i];
1990 crypto_hash(h, sm, n + 64);
1993 for (i = 0; i < 64; i++) x[i] = 0;
1994 for (i = 0; i < 32; i++) x[i] = r[i];
1995 for (i = 0; i < 32; i++) {
1996 for (j = 0; j < 32; j++) {
1997 x[i+j] += h[i] * d[j];
2001 modL(sm.subarray(32), x);
2005 function unpackneg(r, p) {
2006 var t = gf(), chk = gf(), num = gf(),
2007 den = gf(), den2 = gf(), den4 = gf(),
2010 set25519(r[2], gf1);
2011 unpack25519(r[1], p);
2019 M(den6, den4, den2);
2031 if (neq25519(chk, num)) M(r[0], r[0], I);
2035 if (neq25519(chk, num)) return -1;
2037 if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
2039 M(r[3], r[0], r[1]);
2043 function crypto_sign_open(m, sm, n, pk) {
2045 var t = new Uint8Array(32), h = new Uint8Array(64);
2046 var p = [gf(), gf(), gf(), gf()],
2047 q = [gf(), gf(), gf(), gf()];
2050 if (n < 64) return -1;
2052 if (unpackneg(q, pk)) return -1;
2054 for (i = 0; i < n; i++) m[i] = sm[i];
2055 for (i = 0; i < 32; i++) m[i+32] = pk[i];
2056 crypto_hash(h, m, n);
2058 scalarmult(p, q, h);
2060 scalarbase(q, sm.subarray(32));
2065 if (crypto_verify_32(sm, 0, t, 0)) {
2066 for (i = 0; i < n; i++) m[i] = 0;
2070 for (i = 0; i < n; i++) m[i] = sm[i + 64];
// Size constants, all in bytes. The high-level API validates caller-supplied
// keys, nonces, seeds and signatures against these before touching the
// low-level primitives.

// Secret-key authenticated encryption.
var crypto_secretbox_KEYBYTES = 32;
var crypto_secretbox_NONCEBYTES = 24;
// nacl.secretbox prepends ZEROBYTES zero bytes to the message and strips
// BOXZEROBYTES from the front of the result; nacl.secretbox.open does the
// reverse.
var crypto_secretbox_ZEROBYTES = 32;
var crypto_secretbox_BOXZEROBYTES = 16;

// Scalar multiplication.
var crypto_scalarmult_BYTES = 32;
var crypto_scalarmult_SCALARBYTES = 32;

// Public-key authenticated encryption; nonce and padding sizes are shared
// with secretbox.
var crypto_box_PUBLICKEYBYTES = 32;
var crypto_box_SECRETKEYBYTES = 32;
var crypto_box_BEFORENMBYTES = 32;
var crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES;
var crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES;
var crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES;

// Signatures. The 64-byte secret key is the 32-byte seed followed by the
// 32-byte public key (see crypto_sign_keypair).
var crypto_sign_BYTES = 64;
var crypto_sign_PUBLICKEYBYTES = 32;
var crypto_sign_SECRETKEYBYTES = 64;
var crypto_sign_SEEDBYTES = 32;

// Hash output size.
var crypto_hash_BYTES = 64;
2094 crypto_core_hsalsa20: crypto_core_hsalsa20,
2095 crypto_stream_xor: crypto_stream_xor,
2096 crypto_stream: crypto_stream,
2097 crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
2098 crypto_stream_salsa20: crypto_stream_salsa20,
2099 crypto_onetimeauth: crypto_onetimeauth,
2100 crypto_onetimeauth_verify: crypto_onetimeauth_verify,
2101 crypto_verify_16: crypto_verify_16,
2102 crypto_verify_32: crypto_verify_32,
2103 crypto_secretbox: crypto_secretbox,
2104 crypto_secretbox_open: crypto_secretbox_open,
2105 crypto_scalarmult: crypto_scalarmult,
2106 crypto_scalarmult_base: crypto_scalarmult_base,
2107 crypto_box_beforenm: crypto_box_beforenm,
2108 crypto_box_afternm: crypto_box_afternm,
2109 crypto_box: crypto_box,
2110 crypto_box_open: crypto_box_open,
2111 crypto_box_keypair: crypto_box_keypair,
2112 crypto_hash: crypto_hash,
2113 crypto_sign: crypto_sign,
2114 crypto_sign_keypair: crypto_sign_keypair,
2115 crypto_sign_open: crypto_sign_open,
2117 crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
2118 crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
2119 crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
2120 crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
2121 crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
2122 crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
2123 crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
2124 crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
2125 crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
2126 crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
2127 crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
2128 crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
2129 crypto_sign_BYTES: crypto_sign_BYTES,
2130 crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
2131 crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
2132 crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
2133 crypto_hash_BYTES: crypto_hash_BYTES
2136 /* High-level API */
// Rejects a secretbox key or nonce of the wrong length before any
// cryptographic work is done. Throws Error; returns nothing.
//   k - key, must be exactly crypto_secretbox_KEYBYTES long
//   n - nonce, must be exactly crypto_secretbox_NONCEBYTES long
// Only .length is inspected here; the element type is checked separately by
// checkArrayTypes.
function checkLengths(k, n) {
  var keyOk = (k.length === crypto_secretbox_KEYBYTES);
  if (!keyOk) {
    throw new Error('bad key size');
  }
  var nonceOk = (n.length === crypto_secretbox_NONCEBYTES);
  if (!nonceOk) {
    throw new Error('bad nonce size');
  }
}
// Rejects a box key pair whose public or secret key has the wrong length.
// Throws Error; returns nothing.
//   pk - public key, must be exactly crypto_box_PUBLICKEYBYTES long
//   sk - secret key, must be exactly crypto_box_SECRETKEYBYTES long
// This is a size check only: it does not establish that pk is a sensible
// curve point or that the two keys belong together.
function checkBoxLengths(pk, sk) {
  var publicOk = (pk.length === crypto_box_PUBLICKEYBYTES);
  if (!publicOk) {
    throw new Error('bad public key size');
  }
  var secretOk = (sk.length === crypto_box_SECRETKEYBYTES);
  if (!secretOk) {
    throw new Error('bad secret key size');
  }
}
// Throws TypeError unless every argument reports the tag
// '[object Uint8Array]' through Object.prototype.toString. Plain arrays,
// strings and other typed-array kinds are rejected, which keeps the byte
// arithmetic in the primitives from running on values that are not bytes.
// Arguments are checked left to right; the first offender is reported.
function checkArrayTypes() {
  var tag;
  var idx = 0;
  while (idx < arguments.length) {
    tag = Object.prototype.toString.call(arguments[idx]);
    if (tag !== '[object Uint8Array]') {
      throw new TypeError('unexpected type ' + tag + ', use Uint8Array');
    }
    idx += 1;
  }
}
// Overwrites every element of arr with 0, in index order.
// Only the buffer passed in is cleared: copies the caller made earlier
// (for example via `new Uint8Array(key)`) still hold the old bytes and
// have to be wiped separately.
function cleanup(arr) {
  var total = arr.length;
  var idx = 0;
  while (idx < total) {
    arr[idx] = 0;
    idx += 1;
  }
}
2162 nacl.util.decodeUTF8 = function(s) {
2163 var i, d = unescape(encodeURIComponent(s)), b = new Uint8Array(d.length);
2164 for (i = 0; i < d.length; i++) b[i] = d.charCodeAt(i);
2168 nacl.util.encodeUTF8 = function(arr) {
2170 for (i = 0; i < arr.length; i++) s.push(String.fromCharCode(arr[i]));
2171 return decodeURIComponent(escape(s.join('')));
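// Encodes a byte array as a Base64 string.
//   arr - bytes to encode; NOT type-checked here (no checkArrayTypes call),
//         so callers should pass a Uint8Array.
// Returns the Base64 text.
nacl.util.encodeBase64 = function(arr) {
  var i, s, len;
  if (typeof btoa === 'undefined') {
    // No btoa: assume Node.js. Buffer.from() replaces the deprecated
    // `new Buffer(arr)`: because arr is not validated, a numeric argument
    // made the old constructor allocate that many bytes, which on older
    // Node releases were uninitialized process memory that would then be
    // Base64-encoded and returned. Buffer.from() throws on a number.
    return Buffer.from(arr).toString('base64');
  }
  // Browser path: build a binary string one char per byte, then btoa it.
  s = [];
  len = arr.length;
  for (i = 0; i < len; i++) {
    s.push(String.fromCharCode(arr[i]));
  }
  return btoa(s.join(''));
};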
2184 nacl.util.decodeBase64 = function(s) {
2185 if (typeof atob === 'undefined') {
2186 return new Uint8Array(Array.prototype.slice.call(new Buffer(s, 'base64'), 0));
2188 var i, d = atob(s), b = new Uint8Array(d.length);
2189 for (i = 0; i < d.length; i++) b[i] = d.charCodeAt(i);
2194 nacl.randomBytes = function(n) {
2195 var b = new Uint8Array(n);
// Encrypts and authenticates msg under key with the given nonce.
//   msg   - Uint8Array plaintext
//   nonce - Uint8Array of crypto_secretbox_NONCEBYTES bytes
//   key   - Uint8Array of crypto_secretbox_KEYBYTES bytes
// Returns a Uint8Array view of the box (msg.length plus
// crypto_secretbox_BOXZEROBYTES bytes of overhead).
// Throws TypeError for non-Uint8Array arguments and Error for a wrong key
// or nonce size.
// The nonce is used exactly as supplied; nothing here detects reuse, so
// keeping it unique per key is the caller's job. The zero-padded plaintext
// copy allocated below is not wiped before returning.
nacl.secretbox = function(msg, nonce, key) {
  var padded, boxed;
  checkArrayTypes(msg, nonce, key);
  checkLengths(key, nonce);
  // The low-level primitive expects ZEROBYTES of leading zero padding.
  padded = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
  boxed = new Uint8Array(padded.length);
  padded.set(msg, crypto_secretbox_ZEROBYTES);
  crypto_secretbox(boxed, padded, padded.length, nonce, key);
  // Drop the leading BOXZEROBYTES of the primitive's output.
  return boxed.subarray(crypto_secretbox_BOXZEROBYTES);
};
// Authenticates and decrypts a box produced by nacl.secretbox.
//   box   - Uint8Array ciphertext including the authenticator
//   nonce - Uint8Array of crypto_secretbox_NONCEBYTES bytes
//   key   - Uint8Array of crypto_secretbox_KEYBYTES bytes
// Returns a Uint8Array view of the plaintext, or the boolean false when the
// box is too short or crypto_secretbox_open reports failure.
// Throws TypeError / Error for wrong argument types or key/nonce sizes.
// Callers must compare the result against false explicitly: a successfully
// opened empty message is a zero-length Uint8Array, which is still truthy,
// and no plaintext is handed back on the failure path.
nacl.secretbox.open = function(box, nonce, key) {
  var paddedBox, opened, failed;
  checkArrayTypes(box, nonce, key);
  checkLengths(key, nonce);
  // Re-create the BOXZEROBYTES of leading padding the primitive expects.
  paddedBox = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
  opened = new Uint8Array(paddedBox.length);
  paddedBox.set(box, crypto_secretbox_BOXZEROBYTES);
  // Short-circuit keeps the primitive from running on an undersized input.
  failed = paddedBox.length < 32 ||
    crypto_secretbox_open(opened, paddedBox, paddedBox.length, nonce, key) !== 0;
  if (failed) {
    return false;
  }
  return opened.subarray(crypto_secretbox_ZEROBYTES);
};
2221 nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
2222 nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
2223 nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
2225 nacl.scalarMult = function(n, p) {
2226 checkArrayTypes(n, p);
2227 if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
2228 if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');
2229 var q = new Uint8Array(crypto_scalarmult_BYTES);
2230 crypto_scalarmult(q, n, p);
2234 nacl.scalarMult.base = function(n) {
2236 if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
2237 var q = new Uint8Array(crypto_scalarmult_BYTES);
2238 crypto_scalarmult_base(q, n);
2242 nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
2243 nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
// Public-key authenticated encryption: derives the shared key for
// (publicKey, secretKey) with nacl.box.before, then encrypts msg with
// nacl.secretbox under that key.
// Argument validation is done by those two callees, so the errors thrown
// are theirs. The nonce is passed through unchanged; uniqueness per key
// pair is up to the caller. The derived shared key is left for the garbage
// collector and is not zeroed here.
nacl.box = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  var boxed = nacl.secretbox(msg, nonce, sharedKey);
  return boxed;
};
2250 nacl.box.before = function(publicKey, secretKey) {
2251 checkArrayTypes(publicKey, secretKey);
2252 checkBoxLengths(publicKey, secretKey);
2253 var k = new Uint8Array(crypto_box_BEFORENMBYTES);
2254 crypto_box_beforenm(k, publicKey, secretKey);
2258 nacl.box.after = nacl.secretbox;
// Counterpart of nacl.box: derives the shared key for
// (publicKey, secretKey) with nacl.box.before and hands the box to
// nacl.secretbox.open.
// Returns whatever nacl.secretbox.open returns - the plaintext Uint8Array,
// or false when authentication fails - so the result must be compared
// against false before use. Validation errors come from the two callees.
nacl.box.open = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  var opened = nacl.secretbox.open(msg, nonce, sharedKey);
  return opened;
};
2265 nacl.box.open.after = nacl.secretbox.open;
// Creates a fresh box key pair.
// Returns {publicKey, secretKey}, both newly allocated Uint8Arrays that
// crypto_box_keypair fills in.
// NOTE(review): crypto_box_keypair is defined outside this excerpt;
// presumably it draws the secret key from the pluggable randombytes, which
// throws 'no PRNG' until a generator is installed - confirm against its
// definition.
nacl.box.keyPair = function() {
  var pair = {
    publicKey: new Uint8Array(crypto_box_PUBLICKEYBYTES),
    secretKey: new Uint8Array(crypto_box_SECRETKEYBYTES)
  };
  crypto_box_keypair(pair.publicKey, pair.secretKey);
  return pair;
};
// Rebuilds a box key pair from an existing secret key by recomputing the
// public key with crypto_scalarmult_base.
//   secretKey - Uint8Array of crypto_box_SECRETKEYBYTES bytes
// Returns {publicKey, secretKey}. The returned secretKey is a COPY of the
// argument, so wiping the caller's buffer afterwards does not wipe the one
// inside the returned pair (and vice versa).
// Throws TypeError for a non-Uint8Array and Error('bad secret key size')
// for a wrong length.
nacl.box.keyPair.fromSecretKey = function(secretKey) {
  var derivedPublic;
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_box_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  derivedPublic = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  crypto_scalarmult_base(derivedPublic, secretKey);
  return {
    publicKey: derivedPublic,
    secretKey: new Uint8Array(secretKey)
  };
};
2283 nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
2284 nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
2285 nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
2286 nacl.box.nonceLength = crypto_box_NONCEBYTES;
2287 nacl.box.overheadLength = nacl.secretbox.overheadLength;
2289 nacl.sign = function(msg, secretKey) {
2290 checkArrayTypes(msg, secretKey);
2291 if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
2292 throw new Error('bad secret key size');
2293 var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);
2294 crypto_sign(signedMsg, msg, msg.length, secretKey);
2298 nacl.sign.open = function(signedMsg, publicKey) {
2299 if (arguments.length !== 2)
2300 throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
2301 checkArrayTypes(signedMsg, publicKey);
2302 if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
2303 throw new Error('bad public key size');
2304 var tmp = new Uint8Array(signedMsg.length);
2305 var mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey);
2306 if (mlen < 0) return null;
2307 var m = new Uint8Array(mlen);
2308 for (var i = 0; i < m.length; i++) m[i] = tmp[i];
2312 nacl.sign.detached = function(msg, secretKey) {
2313 var signedMsg = nacl.sign(msg, secretKey);
2314 var sig = new Uint8Array(crypto_sign_BYTES);
2315 for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];
// Verifies a detached signature over msg.
//   msg       - Uint8Array message
//   sig       - Uint8Array of crypto_sign_BYTES bytes
//   publicKey - Uint8Array of crypto_sign_PUBLICKEYBYTES bytes
// Returns true when crypto_sign_open accepts signature||message, false
// otherwise.
// A wrongly sized signature or public key THROWS instead of returning
// false, so code that verifies attacker-supplied input has to catch the
// exception (or check lengths first) and treat it as a failed verification.
nacl.sign.detached.verify = function(msg, sig, publicKey) {
  var signed, scratch, total;
  checkArrayTypes(msg, sig, publicKey);
  if (sig.length !== crypto_sign_BYTES) {
    throw new Error('bad signature size');
  }
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  total = crypto_sign_BYTES + msg.length;
  signed = new Uint8Array(total);
  // Output buffer required by crypto_sign_open; its contents are discarded.
  scratch = new Uint8Array(total);
  // Reassemble the attached form: signature first, then the message.
  signed.set(sig, 0);
  signed.set(msg, crypto_sign_BYTES);
  return crypto_sign_open(scratch, signed, signed.length, publicKey) >= 0;
};
// Creates a fresh signing key pair.
// Returns {publicKey, secretKey}: a crypto_sign_PUBLICKEYBYTES-byte public
// key and a crypto_sign_SECRETKEYBYTES-byte secret key.
// crypto_sign_keypair is called without the `seeded` flag, so it fills the
// first 32 bytes of the secret key from randombytes; that call throws
// 'no PRNG' when no generator has been installed.
nacl.sign.keyPair = function() {
  var pair = {
    publicKey: new Uint8Array(crypto_sign_PUBLICKEYBYTES),
    secretKey: new Uint8Array(crypto_sign_SECRETKEYBYTES)
  };
  crypto_sign_keypair(pair.publicKey, pair.secretKey);
  return pair;
};
// Rebuilds a signing key pair from a 64-byte secret key.
//   secretKey - Uint8Array of crypto_sign_SECRETKEYBYTES bytes
// Returns {publicKey, secretKey}; secretKey is a copy of the argument.
// The public key is simply READ from bytes 32..63 of secretKey - it is not
// recomputed from the seed half. A secret key whose second half was altered
// or corrupted therefore yields a mismatched pair without any error; use
// nacl.sign.keyPair.fromSeed on the first 32 bytes when the input is not
// trusted to be internally consistent.
// Throws TypeError for a non-Uint8Array and Error('bad secret key size')
// for a wrong length.
nacl.sign.keyPair.fromSecretKey = function(secretKey) {
  var embeddedPublic;
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  embeddedPublic = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  embeddedPublic.set(secretKey.subarray(32, 32 + embeddedPublic.length));
  return {
    publicKey: embeddedPublic,
    secretKey: new Uint8Array(secretKey)
  };
};
// Derives a signing key pair deterministically from a 32-byte seed.
//   seed - Uint8Array of crypto_sign_SEEDBYTES bytes
// Returns {publicKey, secretKey}.
// The seed is copied into the first 32 bytes of the secret key and
// crypto_sign_keypair is called with seeded = true, so randombytes is not
// consulted: the same seed always gives the same pair, and the seed must be
// protected exactly like the secret key it produces.
// Throws TypeError for a non-Uint8Array and Error('bad seed size') for a
// wrong length.
nacl.sign.keyPair.fromSeed = function(seed) {
  var derivedPublic, derivedSecret;
  checkArrayTypes(seed);
  if (seed.length !== crypto_sign_SEEDBYTES) {
    throw new Error('bad seed size');
  }
  derivedPublic = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  derivedSecret = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  derivedSecret.set(seed, 0);
  crypto_sign_keypair(derivedPublic, derivedSecret, true);
  return {publicKey: derivedPublic, secretKey: derivedSecret};
};
2360 nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
2361 nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
2362 nacl.sign.seedLength = crypto_sign_SEEDBYTES;
2363 nacl.sign.signatureLength = crypto_sign_BYTES;
2365 nacl.hash = function(msg) {
2366 checkArrayTypes(msg);
2367 var h = new Uint8Array(crypto_hash_BYTES);
2368 crypto_hash(h, msg, msg.length);
2372 nacl.hash.hashLength = crypto_hash_BYTES;
// Compares two byte arrays for equality.
//   x, y - Uint8Arrays (TypeError otherwise)
// Returns true only when both are non-empty, equally long and identical.
// The content comparison is delegated to vn, which folds the XOR of every
// byte pair into one accumulator instead of stopping at the first
// difference. The length checks below do return early, so the LENGTH of
// the inputs is not hidden - compare fixed-size values such as MACs or
// hashes.
nacl.verify = function(x, y) {
  var comparable;
  checkArrayTypes(x, y);
  // Zero length arguments are considered not equal.
  comparable = x.length !== 0 && y.length !== 0 && x.length === y.length;
  if (!comparable) {
    return false;
  }
  return vn(x, 0, y, 0, x.length) === 0;
};
2382 nacl.setPRNG = function(fn) {
2387 // Initialize PRNG if environment provides CSPRNG.
2388 // If not, methods calling randombytes will throw.
2390 if (typeof window !== 'undefined') {
2392 if (window.crypto && window.crypto.getRandomValues) {
2393 crypto = window.crypto; // Standard
2394 } else if (window.msCrypto && window.msCrypto.getRandomValues) {
2395 crypto = window.msCrypto; // Internet Explorer 11+
2398 nacl.setPRNG(function(x, n) {
2399 var i, v = new Uint8Array(n);
2400 crypto.getRandomValues(v);
2401 for (i = 0; i < n; i++) x[i] = v[i];
2405 } else if (typeof require !== 'undefined') {
2407 crypto = require('crypto');
2409 nacl.setPRNG(function(x, n) {
2410 var i, v = crypto.randomBytes(n);
2411 for (i = 0; i < n; i++) x[i] = v[i];
2418 })(typeof module !== 'undefined' && module.exports ? module.exports : (window.nacl = window.nacl || {}));