evbogue.com / an
anproto -- authenticated non-networked protocol or another proto sha256 blobs signed with ed25519 keypairs anproto.com
ed25519 social protocols
fork atom

initial

Ev Bogue 9d0febb3

options
unified split
Changed files
+2552
README.md
a.js
ex.js
lib
base64.js
nacl-fast-es.js
+22
README.md
··· 1 + # AProto 2 + 3 + ed25519 keypairs sign ts + hash in base64 4 + 5 + ### code 6 + 7 + use Deno or your browser 8 + 9 + ``` 10 + import { a } from './a.js' 11 + 12 + console.log(await a.gen()) 13 + // NtrdkXob+epH2c/k3GVtdw8lnJzMt+eEWQQ5VYgaARc=XgGOj8lESOXzfmoN6tA5fca+c5fXukw1LJFJYVhf38U22t2Rehv56kfZz+TcZW13DyWcnMy354RZBDlViBoBFw== 14 + 15 + console.log(await a.hash('Hello World')) 16 + // pZGm1Av0IEBKARczz7exkNYsZb8LzaMrV7J32a2fFG4= 17 + 18 + console.log(await a.sig('Hello World', await a.gen())) 19 + // 6qEZt6kv82bBpDcN0KFMUd7Bhj9HM8pDmK/+AvoPuOGH/DxdBJyOf/wsIx/IyLJRDpSL4jbIKa7mNyUEfrSWDTE3NTUxOTI3NzkwMzhwWkdtMUF2MElFQktBUmN6ejdleGtOWXNaYjhMemFNclY3SjMyYTJmRkc0PQ== 20 + ``` 21 + --- 22 + MIT
+30
a.js
··· 1 + import nacl from "./lib/nacl-fast-es.js"; 2 + import { decode, encode } from "./lib/base64.js"; 3 + 4 + export const a = {}; 5 + 6 + a.gen = async () => { 7 + const g = await nacl.sign.keyPair(); 8 + const k = await encode(g.publicKey) + encode(g.secretKey); 9 + return k; 10 + }; 11 + 12 + a.hash = async (d) => { 13 + return encode( 14 + Array.from( 15 + new Uint8Array( 16 + await crypto.subtle.digest("SHA-256", new TextEncoder().encode(d)), 17 + ), 18 + ), 19 + ); 20 + }; 21 + 22 + a.sign = async (d, k) => { 23 + const ts = Date.now(); 24 + const h = await a.hash(d); 25 + const s = encode( 26 + nacl.sign(new TextEncoder().encode(ts + h), decode(k.substring(44))), 27 + ); 28 + 29 + return s; 30 + };
+8
ex.js
··· 1 + import { a } from "./a.js"; 2 + 3 + const m = "Hello World"; 4 + const k = await a.gen(); 5 + 6 + console.log(k); 7 + console.log(await a.hash(m)); 8 + console.log(await a.sign(m, k));
+119
lib/base64.js
··· 1 + // Copyright 2018-2022 the Deno authors. All rights reserved. MIT license. 2 + // This module is browser compatible. 3 + 4 + const base64abc = [ 5 + "A", 6 + "B", 7 + "C", 8 + "D", 9 + "E", 10 + "F", 11 + "G", 12 + "H", 13 + "I", 14 + "J", 15 + "K", 16 + "L", 17 + "M", 18 + "N", 19 + "O", 20 + "P", 21 + "Q", 22 + "R", 23 + "S", 24 + "T", 25 + "U", 26 + "V", 27 + "W", 28 + "X", 29 + "Y", 30 + "Z", 31 + "a", 32 + "b", 33 + "c", 34 + "d", 35 + "e", 36 + "f", 37 + "g", 38 + "h", 39 + "i", 40 + "j", 41 + "k", 42 + "l", 43 + "m", 44 + "n", 45 + "o", 46 + "p", 47 + "q", 48 + "r", 49 + "s", 50 + "t", 51 + "u", 52 + "v", 53 + "w", 54 + "x", 55 + "y", 56 + "z", 57 + "0", 58 + "1", 59 + "2", 60 + "3", 61 + "4", 62 + "5", 63 + "6", 64 + "7", 65 + "8", 66 + "9", 67 + "+", 68 + "/", 69 + ]; 70 + 71 + /** 72 + * CREDIT: https://gist.github.com/enepomnyaschih/72c423f727d395eeaa09697058238727 73 + * Encodes a given Uint8Array, ArrayBuffer or string into RFC4648 base64 representation 74 + * @param data 75 + */ 76 + export function encode(data) { 77 + const uint8 = typeof data === "string" 78 + ? new TextEncoder().encode(data) 79 + : data instanceof Uint8Array 80 + ? data 81 + : new Uint8Array(data); 82 + let result = "", 83 + i; 84 + const l = uint8.length; 85 + for (i = 2; i < l; i += 3) { 86 + result += base64abc[uint8[i - 2] >> 2]; 87 + result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)]; 88 + result += base64abc[((uint8[i - 1] & 0x0f) << 2) | (uint8[i] >> 6)]; 89 + result += base64abc[uint8[i] & 0x3f]; 90 + } 91 + if (i === l + 1) { 92 + // 1 octet yet to write 93 + result += base64abc[uint8[i - 2] >> 2]; 94 + result += base64abc[(uint8[i - 2] & 0x03) << 4]; 95 + result += "=="; 96 + } 97 + if (i === l) { 98 + // 2 octets yet to write 99 + result += base64abc[uint8[i - 2] >> 2]; 100 + result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)]; 101 + result += base64abc[(uint8[i - 1] & 0x0f) << 2]; 102 + result += "="; 103 + } 104 + return result; 105 + } 106 + 107 + /** 108 + * Decodes a given RFC4648 base64 encoded string 109 + * @param b64 110 + */ 111 + export function decode(b64) { 112 + const binString = atob(b64); 113 + const size = binString.length; 114 + const bytes = new Uint8Array(size); 115 + for (let i = 0; i < size; i++) { 116 + bytes[i] = binString.charCodeAt(i); 117 + } 118 + return bytes; 119 + }
+2373
lib/nacl-fast-es.js
··· 1 + const nacl = {}; 2 + export default nacl; 3 + 4 + // Ported in 2014 by Dmitry Chestnykh and Devi Mandiri. 5 + // Public domain. 6 + // 7 + // Implementation derived from TweetNaCl version 20140427. 8 + // See for details: http://tweetnacl.cr.yp.to/ 9 + 10 + var gf = function(init) { 11 + var i, r = new Float64Array(16); 12 + if (init) for (i = 0; i < init.length; i++) r[i] = init[i]; 13 + return r; 14 + }; 15 + 16 + // Pluggable, initialized in high-level API below. 17 + var randombytes = function(/* x, n */) { throw new Error('no PRNG'); }; 18 + 19 + var _0 = new Uint8Array(16); 20 + var _9 = new Uint8Array(32); _9[0] = 9; 21 + 22 + var gf0 = gf(), 23 + gf1 = gf([1]), 24 + _121665 = gf([0xdb41, 1]), 25 + D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]), 26 + D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]), 27 + X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]), 28 + Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]), 29 + I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]); 30 + 31 + function ts64(x, i, h, l) { 32 + x[i] = (h >> 24) & 0xff; 33 + x[i+1] = (h >> 16) & 0xff; 34 + x[i+2] = (h >> 8) & 0xff; 35 + x[i+3] = h & 0xff; 36 + x[i+4] = (l >> 24) & 0xff; 37 + x[i+5] = (l >> 16) & 0xff; 38 + x[i+6] = (l >> 8) & 0xff; 39 + x[i+7] = l & 0xff; 40 + } 41 + 42 + function vn(x, xi, y, yi, n) { 43 + var i,d = 0; 44 + for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i]; 45 + return (1 & ((d - 1) >>> 8)) - 1; 46 + } 47 + 48 + function crypto_verify_16(x, xi, y, yi) { 49 + return vn(x,xi,y,yi,16); 50 + } 51 + 52 + function crypto_verify_32(x, xi, y, yi) { 53 + return vn(x,xi,y,yi,32); 54 + } 55 + 56 + function core_salsa20(o, p, k, c) { 57 + var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24, 58 + j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24, 59 + j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24, 60 + j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24, 61 + j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24, 62 + j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24, 63 + j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24, 64 + j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24, 65 + j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24, 66 + j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24, 67 + j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24, 68 + j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24, 69 + j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24, 70 + j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24, 71 + j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24, 72 + j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24; 73 + 74 + var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7, 75 + x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14, 76 + x15 = j15, u; 77 + 78 + for (var i = 0; i < 20; i += 2) { 79 + u = x0 + x12 | 0; 80 + x4 ^= u<<7 | u>>>(32-7); 81 + u = x4 + x0 | 0; 82 + x8 ^= u<<9 | u>>>(32-9); 83 + u = x8 + x4 | 0; 84 + x12 ^= u<<13 | u>>>(32-13); 85 + u = x12 + x8 | 0; 86 + x0 ^= u<<18 | u>>>(32-18); 87 + 88 + u = x5 + x1 | 0; 89 + x9 ^= u<<7 | u>>>(32-7); 90 + u = x9 + x5 | 0; 91 + x13 ^= u<<9 | u>>>(32-9); 92 + u = x13 + x9 | 0; 93 + x1 ^= u<<13 | u>>>(32-13); 94 + u = x1 + x13 | 0; 95 + x5 ^= u<<18 | u>>>(32-18); 96 + 97 + u = x10 + x6 | 0; 98 + x14 ^= u<<7 | u>>>(32-7); 99 + u = x14 + x10 | 0; 100 + x2 ^= u<<9 | u>>>(32-9); 101 + u = x2 + x14 | 0; 102 + x6 ^= u<<13 | u>>>(32-13); 103 + u = x6 + x2 | 0; 104 + x10 ^= u<<18 | u>>>(32-18); 105 + 106 + u = x15 + x11 | 0; 107 + x3 ^= u<<7 | u>>>(32-7); 108 + u = x3 + x15 | 0; 109 + x7 ^= u<<9 | u>>>(32-9); 110 + u = x7 + x3 | 0; 111 + x11 ^= u<<13 | u>>>(32-13); 112 + u = x11 + x7 | 0; 113 + x15 ^= u<<18 | u>>>(32-18); 114 + 115 + u = x0 + x3 | 0; 116 + x1 ^= u<<7 | u>>>(32-7); 117 + u = x1 + x0 | 0; 118 + x2 ^= u<<9 | u>>>(32-9); 119 + u = x2 + x1 | 0; 120 + x3 ^= u<<13 | u>>>(32-13); 121 + u = x3 + x2 | 0; 122 + x0 ^= u<<18 | u>>>(32-18); 123 + 124 + u = x5 + x4 | 0; 125 + x6 ^= u<<7 | u>>>(32-7); 126 + u = x6 + x5 | 0; 127 + x7 ^= u<<9 | u>>>(32-9); 128 + u = x7 + x6 | 0; 129 + x4 ^= u<<13 | u>>>(32-13); 130 + u = x4 + x7 | 0; 131 + x5 ^= u<<18 | u>>>(32-18); 132 + 133 + u = x10 + x9 | 0; 134 + x11 ^= u<<7 | u>>>(32-7); 135 + u = x11 + x10 | 0; 136 + x8 ^= u<<9 | u>>>(32-9); 137 + u = x8 + x11 | 0; 138 + x9 ^= u<<13 | u>>>(32-13); 139 + u = x9 + x8 | 0; 140 + x10 ^= u<<18 | u>>>(32-18); 141 + 142 + u = x15 + x14 | 0; 143 + x12 ^= u<<7 | u>>>(32-7); 144 + u = x12 + x15 | 0; 145 + x13 ^= u<<9 | u>>>(32-9); 146 + u = x13 + x12 | 0; 147 + x14 ^= u<<13 | u>>>(32-13); 148 + u = x14 + x13 | 0; 149 + x15 ^= u<<18 | u>>>(32-18); 150 + } 151 + x0 = x0 + j0 | 0; 152 + x1 = x1 + j1 | 0; 153 + x2 = x2 + j2 | 0; 154 + x3 = x3 + j3 | 0; 155 + x4 = x4 + j4 | 0; 156 + x5 = x5 + j5 | 0; 157 + x6 = x6 + j6 | 0; 158 + x7 = x7 + j7 | 0; 159 + x8 = x8 + j8 | 0; 160 + x9 = x9 + j9 | 0; 161 + x10 = x10 + j10 | 0; 162 + x11 = x11 + j11 | 0; 163 + x12 = x12 + j12 | 0; 164 + x13 = x13 + j13 | 0; 165 + x14 = x14 + j14 | 0; 166 + x15 = x15 + j15 | 0; 167 + 168 + o[ 0] = x0 >>> 0 & 0xff; 169 + o[ 1] = x0 >>> 8 & 0xff; 170 + o[ 2] = x0 >>> 16 & 0xff; 171 + o[ 3] = x0 >>> 24 & 0xff; 172 + 173 + o[ 4] = x1 >>> 0 & 0xff; 174 + o[ 5] = x1 >>> 8 & 0xff; 175 + o[ 6] = x1 >>> 16 & 0xff; 176 + o[ 7] = x1 >>> 24 & 0xff; 177 + 178 + o[ 8] = x2 >>> 0 & 0xff; 179 + o[ 9] = x2 >>> 8 & 0xff; 180 + o[10] = x2 >>> 16 & 0xff; 181 + o[11] = x2 >>> 24 & 0xff; 182 + 183 + o[12] = x3 >>> 0 & 0xff; 184 + o[13] = x3 >>> 8 & 0xff; 185 + o[14] = x3 >>> 16 & 0xff; 186 + o[15] = x3 >>> 24 & 0xff; 187 + 188 + o[16] = x4 >>> 0 & 0xff; 189 + o[17] = x4 >>> 8 & 0xff; 190 + o[18] = x4 >>> 16 & 0xff; 191 + o[19] = x4 >>> 24 & 0xff; 192 + 193 + o[20] = x5 >>> 0 & 0xff; 194 + o[21] = x5 >>> 8 & 0xff; 195 + o[22] = x5 >>> 16 & 0xff; 196 + o[23] = x5 >>> 24 & 0xff; 197 + 198 + o[24] = x6 >>> 0 & 0xff; 199 + o[25] = x6 >>> 8 & 0xff; 200 + o[26] = x6 >>> 16 & 0xff; 201 + o[27] = x6 >>> 24 & 0xff; 202 + 203 + o[28] = x7 >>> 0 & 0xff; 204 + o[29] = x7 >>> 8 & 0xff; 205 + o[30] = x7 >>> 16 & 0xff; 206 + o[31] = x7 >>> 24 & 0xff; 207 + 208 + o[32] = x8 >>> 0 & 0xff; 209 + o[33] = x8 >>> 8 & 0xff; 210 + o[34] = x8 >>> 16 & 0xff; 211 + o[35] = x8 >>> 24 & 0xff; 212 + 213 + o[36] = x9 >>> 0 & 0xff; 214 + o[37] = x9 >>> 8 & 0xff; 215 + o[38] = x9 >>> 16 & 0xff; 216 + o[39] = x9 >>> 24 & 0xff; 217 + 218 + o[40] = x10 >>> 0 & 0xff; 219 + o[41] = x10 >>> 8 & 0xff; 220 + o[42] = x10 >>> 16 & 0xff; 221 + o[43] = x10 >>> 24 & 0xff; 222 + 223 + o[44] = x11 >>> 0 & 0xff; 224 + o[45] = x11 >>> 8 & 0xff; 225 + o[46] = x11 >>> 16 & 0xff; 226 + o[47] = x11 >>> 24 & 0xff; 227 + 228 + o[48] = x12 >>> 0 & 0xff; 229 + o[49] = x12 >>> 8 & 0xff; 230 + o[50] = x12 >>> 16 & 0xff; 231 + o[51] = x12 >>> 24 & 0xff; 232 + 233 + o[52] = x13 >>> 0 & 0xff; 234 + o[53] = x13 >>> 8 & 0xff; 235 + o[54] = x13 >>> 16 & 0xff; 236 + o[55] = x13 >>> 24 & 0xff; 237 + 238 + o[56] = x14 >>> 0 & 0xff; 239 + o[57] = x14 >>> 8 & 0xff; 240 + o[58] = x14 >>> 16 & 0xff; 241 + o[59] = x14 >>> 24 & 0xff; 242 + 243 + o[60] = x15 >>> 0 & 0xff; 244 + o[61] = x15 >>> 8 & 0xff; 245 + o[62] = x15 >>> 16 & 0xff; 246 + o[63] = x15 >>> 24 & 0xff; 247 + } 248 + 249 + function core_hsalsa20(o,p,k,c) { 250 + var j0 = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24, 251 + j1 = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24, 252 + j2 = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24, 253 + j3 = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24, 254 + j4 = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24, 255 + j5 = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24, 256 + j6 = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24, 257 + j7 = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24, 258 + j8 = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24, 259 + j9 = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24, 260 + j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24, 261 + j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24, 262 + j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24, 263 + j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24, 264 + j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24, 265 + j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24; 266 + 267 + var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7, 268 + x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14, 269 + x15 = j15, u; 270 + 271 + for (var i = 0; i < 20; i += 2) { 272 + u = x0 + x12 | 0; 273 + x4 ^= u<<7 | u>>>(32-7); 274 + u = x4 + x0 | 0; 275 + x8 ^= u<<9 | u>>>(32-9); 276 + u = x8 + x4 | 0; 277 + x12 ^= u<<13 | u>>>(32-13); 278 + u = x12 + x8 | 0; 279 + x0 ^= u<<18 | u>>>(32-18); 280 + 281 + u = x5 + x1 | 0; 282 + x9 ^= u<<7 | u>>>(32-7); 283 + u = x9 + x5 | 0; 284 + x13 ^= u<<9 | u>>>(32-9); 285 + u = x13 + x9 | 0; 286 + x1 ^= u<<13 | u>>>(32-13); 287 + u = x1 + x13 | 0; 288 + x5 ^= u<<18 | u>>>(32-18); 289 + 290 + u = x10 + x6 | 0; 291 + x14 ^= u<<7 | u>>>(32-7); 292 + u = x14 + x10 | 0; 293 + x2 ^= u<<9 | u>>>(32-9); 294 + u = x2 + x14 | 0; 295 + x6 ^= u<<13 | u>>>(32-13); 296 + u = x6 + x2 | 0; 297 + x10 ^= u<<18 | u>>>(32-18); 298 + 299 + u = x15 + x11 | 0; 300 + x3 ^= u<<7 | u>>>(32-7); 301 + u = x3 + x15 | 0; 302 + x7 ^= u<<9 | u>>>(32-9); 303 + u = x7 + x3 | 0; 304 + x11 ^= u<<13 | u>>>(32-13); 305 + u = x11 + x7 | 0; 306 + x15 ^= u<<18 | u>>>(32-18); 307 + 308 + u = x0 + x3 | 0; 309 + x1 ^= u<<7 | u>>>(32-7); 310 + u = x1 + x0 | 0; 311 + x2 ^= u<<9 | u>>>(32-9); 312 + u = x2 + x1 | 0; 313 + x3 ^= u<<13 | u>>>(32-13); 314 + u = x3 + x2 | 0; 315 + x0 ^= u<<18 | u>>>(32-18); 316 + 317 + u = x5 + x4 | 0; 318 + x6 ^= u<<7 | u>>>(32-7); 319 + u = x6 + x5 | 0; 320 + x7 ^= u<<9 | u>>>(32-9); 321 + u = x7 + x6 | 0; 322 + x4 ^= u<<13 | u>>>(32-13); 323 + u = x4 + x7 | 0; 324 + x5 ^= u<<18 | u>>>(32-18); 325 + 326 + u = x10 + x9 | 0; 327 + x11 ^= u<<7 | u>>>(32-7); 328 + u = x11 + x10 | 0; 329 + x8 ^= u<<9 | u>>>(32-9); 330 + u = x8 + x11 | 0; 331 + x9 ^= u<<13 | u>>>(32-13); 332 + u = x9 + x8 | 0; 333 + x10 ^= u<<18 | u>>>(32-18); 334 + 335 + u = x15 + x14 | 0; 336 + x12 ^= u<<7 | u>>>(32-7); 337 + u = x12 + x15 | 0; 338 + x13 ^= u<<9 | u>>>(32-9); 339 + u = x13 + x12 | 0; 340 + x14 ^= u<<13 | u>>>(32-13); 341 + u = x14 + x13 | 0; 342 + x15 ^= u<<18 | u>>>(32-18); 343 + } 344 + 345 + o[ 0] = x0 >>> 0 & 0xff; 346 + o[ 1] = x0 >>> 8 & 0xff; 347 + o[ 2] = x0 >>> 16 & 0xff; 348 + o[ 3] = x0 >>> 24 & 0xff; 349 + 350 + o[ 4] = x5 >>> 0 & 0xff; 351 + o[ 5] = x5 >>> 8 & 0xff; 352 + o[ 6] = x5 >>> 16 & 0xff; 353 + o[ 7] = x5 >>> 24 & 0xff; 354 + 355 + o[ 8] = x10 >>> 0 & 0xff; 356 + o[ 9] = x10 >>> 8 & 0xff; 357 + o[10] = x10 >>> 16 & 0xff; 358 + o[11] = x10 >>> 24 & 0xff; 359 + 360 + o[12] = x15 >>> 0 & 0xff; 361 + o[13] = x15 >>> 8 & 0xff; 362 + o[14] = x15 >>> 16 & 0xff; 363 + o[15] = x15 >>> 24 & 0xff; 364 + 365 + o[16] = x6 >>> 0 & 0xff; 366 + o[17] = x6 >>> 8 & 0xff; 367 + o[18] = x6 >>> 16 & 0xff; 368 + o[19] = x6 >>> 24 & 0xff; 369 + 370 + o[20] = x7 >>> 0 & 0xff; 371 + o[21] = x7 >>> 8 & 0xff; 372 + o[22] = x7 >>> 16 & 0xff; 373 + o[23] = x7 >>> 24 & 0xff; 374 + 375 + o[24] = x8 >>> 0 & 0xff; 376 + o[25] = x8 >>> 8 & 0xff; 377 + o[26] = x8 >>> 16 & 0xff; 378 + o[27] = x8 >>> 24 & 0xff; 379 + 380 + o[28] = x9 >>> 0 & 0xff; 381 + o[29] = x9 >>> 8 & 0xff; 382 + o[30] = x9 >>> 16 & 0xff; 383 + o[31] = x9 >>> 24 & 0xff; 384 + } 385 + 386 + function crypto_core_salsa20(out,inp,k,c) { 387 + core_salsa20(out,inp,k,c); 388 + } 389 + 390 + function crypto_core_hsalsa20(out,inp,k,c) { 391 + core_hsalsa20(out,inp,k,c); 392 + } 393 + 394 + var sigma = new Uint8Array([101, 120, 112, 97, 110, 100, 32, 51, 50, 45, 98, 121, 116, 101, 32, 107]); 395 + // "expand 32-byte k" 396 + 397 + function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) { 398 + var z = new Uint8Array(16), x = new Uint8Array(64); 399 + var u, i; 400 + for (i = 0; i < 16; i++) z[i] = 0; 401 + for (i = 0; i < 8; i++) z[i] = n[i]; 402 + while (b >= 64) { 403 + crypto_core_salsa20(x,z,k,sigma); 404 + for (i = 0; i < 64; i++) c[cpos+i] = m[mpos+i] ^ x[i]; 405 + u = 1; 406 + for (i = 8; i < 16; i++) { 407 + u = u + (z[i] & 0xff) | 0; 408 + z[i] = u & 0xff; 409 + u >>>= 8; 410 + } 411 + b -= 64; 412 + cpos += 64; 413 + mpos += 64; 414 + } 415 + if (b > 0) { 416 + crypto_core_salsa20(x,z,k,sigma); 417 + for (i = 0; i < b; i++) c[cpos+i] = m[mpos+i] ^ x[i]; 418 + } 419 + return 0; 420 + } 421 + 422 + function crypto_stream_salsa20(c,cpos,b,n,k) { 423 + var z = new Uint8Array(16), x = new Uint8Array(64); 424 + var u, i; 425 + for (i = 0; i < 16; i++) z[i] = 0; 426 + for (i = 0; i < 8; i++) z[i] = n[i]; 427 + while (b >= 64) { 428 + crypto_core_salsa20(x,z,k,sigma); 429 + for (i = 0; i < 64; i++) c[cpos+i] = x[i]; 430 + u = 1; 431 + for (i = 8; i < 16; i++) { 432 + u = u + (z[i] & 0xff) | 0; 433 + z[i] = u & 0xff; 434 + u >>>= 8; 435 + } 436 + b -= 64; 437 + cpos += 64; 438 + } 439 + if (b > 0) { 440 + crypto_core_salsa20(x,z,k,sigma); 441 + for (i = 0; i < b; i++) c[cpos+i] = x[i]; 442 + } 443 + return 0; 444 + } 445 + 446 + function crypto_stream(c,cpos,d,n,k) { 447 + var s = new Uint8Array(32); 448 + crypto_core_hsalsa20(s,n,k,sigma); 449 + var sn = new Uint8Array(8); 450 + for (var i = 0; i < 8; i++) sn[i] = n[i+16]; 451 + return crypto_stream_salsa20(c,cpos,d,sn,s); 452 + } 453 + 454 + function crypto_stream_xor(c,cpos,m,mpos,d,n,k) { 455 + var s = new Uint8Array(32); 456 + crypto_core_hsalsa20(s,n,k,sigma); 457 + var sn = new Uint8Array(8); 458 + for (var i = 0; i < 8; i++) sn[i] = n[i+16]; 459 + return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,sn,s); 460 + } 461 + 462 + /* 463 + * Port of Andrew Moon's Poly1305-donna-16. Public domain. 464 + * https://github.com/floodyberry/poly1305-donna 465 + */ 466 + 467 + var poly1305 = function(key) { 468 + this.buffer = new Uint8Array(16); 469 + this.r = new Uint16Array(10); 470 + this.h = new Uint16Array(10); 471 + this.pad = new Uint16Array(8); 472 + this.leftover = 0; 473 + this.fin = 0; 474 + 475 + var t0, t1, t2, t3, t4, t5, t6, t7; 476 + 477 + t0 = key[ 0] & 0xff | (key[ 1] & 0xff) << 8; this.r[0] = ( t0 ) & 0x1fff; 478 + t1 = key[ 2] & 0xff | (key[ 3] & 0xff) << 8; this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; 479 + t2 = key[ 4] & 0xff | (key[ 5] & 0xff) << 8; this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; 480 + t3 = key[ 6] & 0xff | (key[ 7] & 0xff) << 8; this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; 481 + t4 = key[ 8] & 0xff | (key[ 9] & 0xff) << 8; this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; 482 + this.r[5] = ((t4 >>> 1)) & 0x1ffe; 483 + t5 = key[10] & 0xff | (key[11] & 0xff) << 8; this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; 484 + t6 = key[12] & 0xff | (key[13] & 0xff) << 8; this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; 485 + t7 = key[14] & 0xff | (key[15] & 0xff) << 8; this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; 486 + this.r[9] = ((t7 >>> 5)) & 0x007f; 487 + 488 + this.pad[0] = key[16] & 0xff | (key[17] & 0xff) << 8; 489 + this.pad[1] = key[18] & 0xff | (key[19] & 0xff) << 8; 490 + this.pad[2] = key[20] & 0xff | (key[21] & 0xff) << 8; 491 + this.pad[3] = key[22] & 0xff | (key[23] & 0xff) << 8; 492 + this.pad[4] = key[24] & 0xff | (key[25] & 0xff) << 8; 493 + this.pad[5] = key[26] & 0xff | (key[27] & 0xff) << 8; 494 + this.pad[6] = key[28] & 0xff | (key[29] & 0xff) << 8; 495 + this.pad[7] = key[30] & 0xff | (key[31] & 0xff) << 8; 496 + }; 497 + 498 + poly1305.prototype.blocks = function(m, mpos, bytes) { 499 + var hibit = this.fin ? 0 : (1 << 11); 500 + var t0, t1, t2, t3, t4, t5, t6, t7, c; 501 + var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9; 502 + 503 + var h0 = this.h[0], 504 + h1 = this.h[1], 505 + h2 = this.h[2], 506 + h3 = this.h[3], 507 + h4 = this.h[4], 508 + h5 = this.h[5], 509 + h6 = this.h[6], 510 + h7 = this.h[7], 511 + h8 = this.h[8], 512 + h9 = this.h[9]; 513 + 514 + var r0 = this.r[0], 515 + r1 = this.r[1], 516 + r2 = this.r[2], 517 + r3 = this.r[3], 518 + r4 = this.r[4], 519 + r5 = this.r[5], 520 + r6 = this.r[6], 521 + r7 = this.r[7], 522 + r8 = this.r[8], 523 + r9 = this.r[9]; 524 + 525 + while (bytes >= 16) { 526 + t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0 ) & 0x1fff; 527 + t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 << 3)) & 0x1fff; 528 + t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 << 6)) & 0x1fff; 529 + t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>> 7) | (t3 << 9)) & 0x1fff; 530 + t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>> 4) | (t4 << 12)) & 0x1fff; 531 + h5 += ((t4 >>> 1)) & 0x1fff; 532 + t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 << 2)) & 0x1fff; 533 + t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 << 5)) & 0x1fff; 534 + t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>> 8) | (t7 << 8)) & 0x1fff; 535 + h9 += ((t7 >>> 5)) | hibit; 536 + 537 + c = 0; 538 + 539 + d0 = c; 540 + d0 += h0 * r0; 541 + d0 += h1 * (5 * r9); 542 + d0 += h2 * (5 * r8); 543 + d0 += h3 * (5 * r7); 544 + d0 += h4 * (5 * r6); 545 + c = (d0 >>> 13); d0 &= 0x1fff; 546 + d0 += h5 * (5 * r5); 547 + d0 += h6 * (5 * r4); 548 + d0 += h7 * (5 * r3); 549 + d0 += h8 * (5 * r2); 550 + d0 += h9 * (5 * r1); 551 + c += (d0 >>> 13); d0 &= 0x1fff; 552 + 553 + d1 = c; 554 + d1 += h0 * r1; 555 + d1 += h1 * r0; 556 + d1 += h2 * (5 * r9); 557 + d1 += h3 * (5 * r8); 558 + d1 += h4 * (5 * r7); 559 + c = (d1 >>> 13); d1 &= 0x1fff; 560 + d1 += h5 * (5 * r6); 561 + d1 += h6 * (5 * r5); 562 + d1 += h7 * (5 * r4); 563 + d1 += h8 * (5 * r3); 564 + d1 += h9 * (5 * r2); 565 + c += (d1 >>> 13); d1 &= 0x1fff; 566 + 567 + d2 = c; 568 + d2 += h0 * r2; 569 + d2 += h1 * r1; 570 + d2 += h2 * r0; 571 + d2 += h3 * (5 * r9); 572 + d2 += h4 * (5 * r8); 573 + c = (d2 >>> 13); d2 &= 0x1fff; 574 + d2 += h5 * (5 * r7); 575 + d2 += h6 * (5 * r6); 576 + d2 += h7 * (5 * r5); 577 + d2 += h8 * (5 * r4); 578 + d2 += h9 * (5 * r3); 579 + c += (d2 >>> 13); d2 &= 0x1fff; 580 + 581 + d3 = c; 582 + d3 += h0 * r3; 583 + d3 += h1 * r2; 584 + d3 += h2 * r1; 585 + d3 += h3 * r0; 586 + d3 += h4 * (5 * r9); 587 + c = (d3 >>> 13); d3 &= 0x1fff; 588 + d3 += h5 * (5 * r8); 589 + d3 += h6 * (5 * r7); 590 + d3 += h7 * (5 * r6); 591 + d3 += h8 * (5 * r5); 592 + d3 += h9 * (5 * r4); 593 + c += (d3 >>> 13); d3 &= 0x1fff; 594 + 595 + d4 = c; 596 + d4 += h0 * r4; 597 + d4 += h1 * r3; 598 + d4 += h2 * r2; 599 + d4 += h3 * r1; 600 + d4 += h4 * r0; 601 + c = (d4 >>> 13); d4 &= 0x1fff; 602 + d4 += h5 * (5 * r9); 603 + d4 += h6 * (5 * r8); 604 + d4 += h7 * (5 * r7); 605 + d4 += h8 * (5 * r6); 606 + d4 += h9 * (5 * r5); 607 + c += (d4 >>> 13); d4 &= 0x1fff; 608 + 609 + d5 = c; 610 + d5 += h0 * r5; 611 + d5 += h1 * r4; 612 + d5 += h2 * r3; 613 + d5 += h3 * r2; 614 + d5 += h4 * r1; 615 + c = (d5 >>> 13); d5 &= 0x1fff; 616 + d5 += h5 * r0; 617 + d5 += h6 * (5 * r9); 618 + d5 += h7 * (5 * r8); 619 + d5 += h8 * (5 * r7); 620 + d5 += h9 * (5 * r6); 621 + c += (d5 >>> 13); d5 &= 0x1fff; 622 + 623 + d6 = c; 624 + d6 += h0 * r6; 625 + d6 += h1 * r5; 626 + d6 += h2 * r4; 627 + d6 += h3 * r3; 628 + d6 += h4 * r2; 629 + c = (d6 >>> 13); d6 &= 0x1fff; 630 + d6 += h5 * r1; 631 + d6 += h6 * r0; 632 + d6 += h7 * (5 * r9); 633 + d6 += h8 * (5 * r8); 634 + d6 += h9 * (5 * r7); 635 + c += (d6 >>> 13); d6 &= 0x1fff; 636 + 637 + d7 = c; 638 + d7 += h0 * r7; 639 + d7 += h1 * r6; 640 + d7 += h2 * r5; 641 + d7 += h3 * r4; 642 + d7 += h4 * r3; 643 + c = (d7 >>> 13); d7 &= 0x1fff; 644 + d7 += h5 * r2; 645 + d7 += h6 * r1; 646 + d7 += h7 * r0; 647 + d7 += h8 * (5 * r9); 648 + d7 += h9 * (5 * r8); 649 + c += (d7 >>> 13); d7 &= 0x1fff; 650 + 651 + d8 = c; 652 + d8 += h0 * r8; 653 + d8 += h1 * r7; 654 + d8 += h2 * r6; 655 + d8 += h3 * r5; 656 + d8 += h4 * r4; 657 + c = (d8 >>> 13); d8 &= 0x1fff; 658 + d8 += h5 * r3; 659 + d8 += h6 * r2; 660 + d8 += h7 * r1; 661 + d8 += h8 * r0; 662 + d8 += h9 * (5 * r9); 663 + c += (d8 >>> 13); d8 &= 0x1fff; 664 + 665 + d9 = c; 666 + d9 += h0 * r9; 667 + d9 += h1 * r8; 668 + d9 += h2 * r7; 669 + d9 += h3 * r6; 670 + d9 += h4 * r5; 671 + c = (d9 >>> 13); d9 &= 0x1fff; 672 + d9 += h5 * r4; 673 + d9 += h6 * r3; 674 + d9 += h7 * r2; 675 + d9 += h8 * r1; 676 + d9 += h9 * r0; 677 + c += (d9 >>> 13); d9 &= 0x1fff; 678 + 679 + c = (((c << 2) + c)) | 0; 680 + c = (c + d0) | 0; 681 + d0 = c & 0x1fff; 682 + c = (c >>> 13); 683 + d1 += c; 684 + 685 + h0 = d0; 686 + h1 = d1; 687 + h2 = d2; 688 + h3 = d3; 689 + h4 = d4; 690 + h5 = d5; 691 + h6 = d6; 692 + h7 = d7; 693 + h8 = d8; 694 + h9 = d9; 695 + 696 + mpos += 16; 697 + bytes -= 16; 698 + } 699 + this.h[0] = h0; 700 + this.h[1] = h1; 701 + this.h[2] = h2; 702 + this.h[3] = h3; 703 + this.h[4] = h4; 704 + this.h[5] = h5; 705 + this.h[6] = h6; 706 + this.h[7] = h7; 707 + this.h[8] = h8; 708 + this.h[9] = h9; 709 + }; 710 + 711 + poly1305.prototype.finish = function(mac, macpos) { 712 + var g = new Uint16Array(10); 713 + var c, mask, f, i; 714 + 715 + if (this.leftover) { 716 + i = this.leftover; 717 + this.buffer[i++] = 1; 718 + for (; i < 16; i++) this.buffer[i] = 0; 719 + this.fin = 1; 720 + this.blocks(this.buffer, 0, 16); 721 + } 722 + 723 + c = this.h[1] >>> 13; 724 + this.h[1] &= 0x1fff; 725 + for (i = 2; i < 10; i++) { 726 + this.h[i] += c; 727 + c = this.h[i] >>> 13; 728 + this.h[i] &= 0x1fff; 729 + } 730 + this.h[0] += (c * 5); 731 + c = this.h[0] >>> 13; 732 + this.h[0] &= 0x1fff; 733 + this.h[1] += c; 734 + c = this.h[1] >>> 13; 735 + this.h[1] &= 0x1fff; 736 + this.h[2] += c; 737 + 738 + g[0] = this.h[0] + 5; 739 + c = g[0] >>> 13; 740 + g[0] &= 0x1fff; 741 + for (i = 1; i < 10; i++) { 742 + g[i] = this.h[i] + c; 743 + c = g[i] >>> 13; 744 + g[i] &= 0x1fff; 745 + } 746 + g[9] -= (1 << 13); 747 + 748 + mask = (c ^ 1) - 1; 749 + for (i = 0; i < 10; i++) g[i] &= mask; 750 + mask = ~mask; 751 + for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i]; 752 + 753 + this.h[0] = ((this.h[0] ) | (this.h[1] << 13) ) & 0xffff; 754 + this.h[1] = ((this.h[1] >>> 3) | (this.h[2] << 10) ) & 0xffff; 755 + this.h[2] = ((this.h[2] >>> 6) | (this.h[3] << 7) ) & 0xffff; 756 + this.h[3] = ((this.h[3] >>> 9) | (this.h[4] << 4) ) & 0xffff; 757 + this.h[4] = ((this.h[4] >>> 12) | (this.h[5] << 1) | (this.h[6] << 14)) & 0xffff; 758 + this.h[5] = ((this.h[6] >>> 2) | (this.h[7] << 11) ) & 0xffff; 759 + this.h[6] = ((this.h[7] >>> 5) | (this.h[8] << 8) ) & 0xffff; 760 + this.h[7] = ((this.h[8] >>> 8) | (this.h[9] << 5) ) & 0xffff; 761 + 762 + f = this.h[0] + this.pad[0]; 763 + this.h[0] = f & 0xffff; 764 + for (i = 1; i < 8; i++) { 765 + f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0; 766 + this.h[i] = f & 0xffff; 767 + } 768 + 769 + mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff; 770 + mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff; 771 + mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff; 772 + mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff; 773 + mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff; 774 + mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff; 775 + mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff; 776 + mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff; 777 + mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff; 778 + mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff; 779 + mac[macpos+10] = (this.h[5] >>> 0) & 0xff; 780 + mac[macpos+11] = (this.h[5] >>> 8) & 0xff; 781 + mac[macpos+12] = (this.h[6] >>> 0) & 0xff; 782 + mac[macpos+13] = (this.h[6] >>> 8) & 0xff; 783 + mac[macpos+14] = (this.h[7] >>> 0) & 0xff; 784 + mac[macpos+15] = (this.h[7] >>> 8) & 0xff; 785 + }; 786 + 787 + poly1305.prototype.update = function(m, mpos, bytes) { 788 + var i, want; 789 + 790 + if (this.leftover) { 791 + want = (16 - this.leftover); 792 + if (want > bytes) 793 + want = bytes; 794 + for (i = 0; i < want; i++) 795 + this.buffer[this.leftover + i] = m[mpos+i]; 796 + bytes -= want; 797 + mpos += want; 798 + this.leftover += want; 799 + if (this.leftover < 16) 800 + return; 801 + this.blocks(this.buffer, 0, 16); 802 + this.leftover = 0; 803 + } 804 + 805 + if (bytes >= 16) { 806 + want = bytes - (bytes % 16); 807 + this.blocks(m, mpos, want); 808 + mpos += want; 809 + bytes -= want; 810 + } 811 + 812 + if (bytes) { 813 + for (i = 0; i < bytes; i++) 814 + this.buffer[this.leftover + i] = m[mpos+i]; 815 + this.leftover += bytes; 816 + } 817 + }; 818 + 819 + function crypto_onetimeauth(out, outpos, m, mpos, n, k) { 820 + var s = new poly1305(k); 821 + s.update(m, mpos, n); 822 + s.finish(out, outpos); 823 + return 0; 824 + } 825 + 826 + function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) { 827 + var x = new Uint8Array(16); 828 + crypto_onetimeauth(x,0,m,mpos,n,k); 829 + return crypto_verify_16(h,hpos,x,0); 830 + } 831 + 832 + function crypto_secretbox(c,m,d,n,k) { 833 + var i; 834 + if (d < 32) return -1; 835 + crypto_stream_xor(c,0,m,0,d,n,k); 836 + crypto_onetimeauth(c, 16, c, 32, d - 32, c); 837 + for (i = 0; i < 16; i++) c[i] = 0; 838 + return 0; 839 + } 840 + 841 + function crypto_secretbox_open(m,c,d,n,k) { 842 + var i; 843 + var x = new Uint8Array(32); 844 + if (d < 32) return -1; 845 + crypto_stream(x,0,32,n,k); 846 + if (crypto_onetimeauth_verify(c, 16,c, 32,d - 32,x) !== 0) return -1; 847 + crypto_stream_xor(m,0,c,0,d,n,k); 848 + for (i = 0; i < 32; i++) m[i] = 0; 849 + return 0; 850 + } 851 + 852 + function set25519(r, a) { 853 + var i; 854 + for (i = 0; i < 16; i++) r[i] = a[i]|0; 855 + } 856 + 857 + function car25519(o) { 858 + var i, v, c = 1; 859 + for (i = 0; i < 16; i++) { 860 + v = o[i] + c + 65535; 861 + c = Math.floor(v / 65536); 862 + o[i] = v - c * 65536; 863 + } 864 + o[0] += c-1 + 37 * (c-1); 865 + } 866 + 867 + function sel25519(p, q, b) { 868 + var t, c = ~(b-1); 869 + for (var i = 0; i < 16; i++) { 870 + t = c & (p[i] ^ q[i]); 871 + p[i] ^= t; 872 + q[i] ^= t; 873 + } 874 + } 875 + 876 + function pack25519(o, n) { 877 + var i, j, b; 878 + var m = gf(), t = gf(); 879 + for (i = 0; i < 16; i++) t[i] = n[i]; 880 + car25519(t); 881 + car25519(t); 882 + car25519(t); 883 + for (j = 0; j < 2; j++) { 884 + m[0] = t[0] - 0xffed; 885 + for (i = 1; i < 15; i++) { 886 + m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1); 887 + m[i-1] &= 0xffff; 888 + } 889 + m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1); 890 + b = (m[15]>>16) & 1; 891 + m[14] &= 0xffff; 892 + sel25519(t, m, 1-b); 893 + } 894 + for (i = 0; i < 16; i++) { 895 + o[2*i] = t[i] & 0xff; 896 + o[2*i+1] = t[i]>>8; 897 + } 898 + } 899 + 900 + function neq25519(a, b) { 901 + var c = new Uint8Array(32), d = new Uint8Array(32); 902 + pack25519(c, a); 903 + pack25519(d, b); 904 + return crypto_verify_32(c, 0, d, 0); 905 + } 906 + 907 + function par25519(a) { 908 + var d = new Uint8Array(32); 909 + pack25519(d, a); 910 + return d[0] & 1; 911 + } 912 + 913 + function unpack25519(o, n) { 914 + var i; 915 + for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8); 916 + o[15] &= 0x7fff; 917 + } 918 + 919 + function A(o, a, b) { 920 + for (var i = 0; i < 16; i++) o[i] = a[i] + b[i]; 921 + } 922 + 923 + function Z(o, a, b) { 924 + for (var i = 0; i < 16; i++) o[i] = a[i] - b[i]; 925 + } 926 + 927 + function M(o, a, b) { 928 + var v, c, 929 + t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0, 930 + t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0, 931 + t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0, 932 + t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0, 933 + b0 = b[0], 934 + b1 = b[1], 935 + b2 = b[2], 936 + b3 = b[3], 937 + b4 = b[4], 938 + b5 = b[5], 939 + b6 = b[6], 940 + b7 = b[7], 941 + b8 = b[8], 942 + b9 = b[9], 943 + b10 = b[10], 944 + b11 = b[11], 945 + b12 = b[12], 946 + b13 = b[13], 947 + b14 = b[14], 948 + b15 = b[15]; 949 + 950 + v = a[0]; 951 + t0 += v * b0; 952 + t1 += v * b1; 953 + t2 += v * b2; 954 + t3 += v * b3; 955 + t4 += v * b4; 956 + t5 += v * b5; 957 + t6 += v * b6; 958 + t7 += v * b7; 959 + t8 += v * b8; 960 + t9 += v * b9; 961 + t10 += v * b10; 962 + t11 += v * b11; 963 + t12 += v * b12; 964 + t13 += v * b13; 965 + t14 += v * b14; 966 + t15 += v * b15; 967 + v = a[1]; 968 + t1 += v * b0; 969 + t2 += v * b1; 970 + t3 += v * b2; 971 + t4 += v * b3; 972 + t5 += v * b4; 973 + t6 += v * b5; 974 + t7 += v * b6; 975 + t8 += v * b7; 976 + t9 += v * b8; 977 + t10 += v * b9; 978 + t11 += v * b10; 979 + t12 += v * b11; 980 + t13 += v * b12; 981 + t14 += v * b13; 982 + t15 += v * b14; 983 + t16 += v * b15; 984 + v = a[2]; 985 + t2 += v * b0; 986 + t3 += v * b1; 987 + t4 += v * b2; 988 + t5 += v * b3; 989 + t6 += v * b4; 990 + t7 += v * b5; 991 + t8 += v * b6; 992 + t9 += v * b7; 993 + t10 += v * b8; 994 + t11 += v * b9; 995 + t12 += v * b10; 996 + t13 += v * b11; 997 + t14 += v * b12; 998 + t15 += v * b13; 999 + t16 += v * b14; 1000 + t17 += v * b15; 1001 + v = a[3]; 1002 + t3 += v * b0; 1003 + t4 += v * b1; 1004 + t5 += v * b2; 1005 + t6 += v * b3; 1006 + t7 += v * b4; 1007 + t8 += v * b5; 1008 + t9 += v * b6; 1009 + t10 += v * b7; 1010 + t11 += v * b8; 1011 + t12 += v * b9; 1012 + t13 += v * b10; 1013 + t14 += v * b11; 1014 + t15 += v * b12; 1015 + t16 += v * b13; 1016 + t17 += v * b14; 1017 + t18 += v * b15; 1018 + v = a[4]; 1019 + t4 += v * b0; 1020 + t5 += v * b1; 1021 + t6 += v * b2; 1022 + t7 += v * b3; 1023 + t8 += v * b4; 1024 + t9 += v * b5; 1025 + t10 += v * b6; 1026 + t11 += v * b7; 1027 + t12 += v * b8; 1028 + t13 += v * b9; 1029 + t14 += v * b10; 1030 + t15 += v * b11; 1031 + t16 += v * b12; 1032 + t17 += v * b13; 1033 + t18 += v * b14; 1034 + t19 += v * b15; 1035 + v = a[5]; 1036 + t5 += v * b0; 1037 + t6 += v * b1; 1038 + t7 += v * b2; 1039 + t8 += v * b3; 1040 + t9 += v * b4; 1041 + t10 += v * b5; 1042 + t11 += v * b6; 1043 + t12 += v * b7; 1044 + t13 += v * b8; 1045 + t14 += v * b9; 1046 + t15 += v * b10; 1047 + t16 += v * b11; 1048 + t17 += v * b12; 1049 + t18 += v * b13; 1050 + t19 += v * b14; 1051 + t20 += v * b15; 1052 + v = a[6]; 1053 + t6 += v * b0; 1054 + t7 += v * b1; 1055 + t8 += v * b2; 1056 + t9 += v * b3; 1057 + t10 += v * b4; 1058 + t11 += v * b5; 1059 + t12 += v * b6; 1060 + t13 += v * b7; 1061 + t14 += v * b8; 1062 + t15 += v * b9; 1063 + t16 += v * b10; 1064 + t17 += v * b11; 1065 + t18 += v * b12; 1066 + t19 += v * b13; 1067 + t20 += v * b14; 1068 + t21 += v * b15; 1069 + v = a[7]; 1070 + t7 += v * b0; 1071 + t8 += v * b1; 1072 + t9 += v * b2; 1073 + t10 += v * b3; 1074 + t11 += v * b4; 1075 + t12 += v * b5; 1076 + t13 += v * b6; 1077 + t14 += v * b7; 1078 + t15 += v * b8; 1079 + t16 += v * b9; 1080 + t17 += v * b10; 1081 + t18 += v * b11; 1082 + t19 += v * b12; 1083 + t20 += v * b13; 1084 + t21 += v * b14; 1085 + t22 += v * b15; 1086 + v = a[8]; 1087 + t8 += v * b0; 1088 + t9 += v * b1; 1089 + t10 += v * b2; 1090 + t11 += v * b3; 1091 + t12 += v * b4; 1092 + t13 += v * b5; 1093 + t14 += v * b6; 1094 + t15 += v * b7; 1095 + t16 += v * b8; 1096 + t17 += v * b9; 1097 + t18 += v * b10; 1098 + t19 += v * b11; 1099 + t20 += v * b12; 1100 + t21 += v * b13; 1101 + t22 += v * b14; 1102 + t23 += v * b15; 1103 + v = a[9]; 1104 + t9 += v * b0; 1105 + t10 += v * b1; 1106 + t11 += v * b2; 1107 + t12 += v * b3; 1108 + t13 += v * b4; 1109 + t14 += v * b5; 1110 + t15 += v * b6; 1111 + t16 += v * b7; 1112 + t17 += v * b8; 1113 + t18 += v * b9; 1114 + t19 += v * b10; 1115 + t20 += v * b11; 1116 + t21 += v * b12; 1117 + t22 += v * b13; 1118 + t23 += v * b14; 1119 + t24 += v * b15; 1120 + v = a[10]; 1121 + t10 += v * b0; 1122 + t11 += v * b1; 1123 + t12 += v * b2; 1124 + t13 += v * b3; 1125 + t14 += v * b4; 1126 + t15 += v * b5; 1127 + t16 += v * b6; 1128 + t17 += v * b7; 1129 + t18 += v * b8; 1130 + t19 += v * b9; 1131 + t20 += v * b10; 1132 + t21 += v * b11; 1133 + t22 += v * b12; 1134 + t23 += v * b13; 1135 + t24 += v * b14; 1136 + t25 += v * b15; 1137 + v = a[11]; 1138 + t11 += v * b0; 1139 + t12 += v * b1; 1140 + t13 += v * b2; 1141 + t14 += v * b3; 1142 + t15 += v * b4; 1143 + t16 += v * b5; 1144 + t17 += v * b6; 1145 + t18 += v * b7; 1146 + t19 += v * b8; 1147 + t20 += v * b9; 1148 + t21 += v * b10; 1149 + t22 += v * b11; 1150 + t23 += v * b12; 1151 + t24 += v * b13; 1152 + t25 += v * b14; 1153 + t26 += v * b15; 1154 + v = a[12]; 1155 + t12 += v * b0; 1156 + t13 += v * b1; 1157 + t14 += v * b2; 1158 + t15 += v * b3; 1159 + t16 += v * b4; 1160 + t17 += v * b5; 1161 + t18 += v * b6; 1162 + t19 += v * b7; 1163 + t20 += v * b8; 1164 + t21 += v * b9; 1165 + t22 += v * b10; 1166 + t23 += v * b11; 1167 + t24 += v * b12; 1168 + t25 += v * b13; 1169 + t26 += v * b14; 1170 + t27 += v * b15; 1171 + v = a[13]; 1172 + t13 += v * b0; 1173 + t14 += v * b1; 1174 + t15 += v * b2; 1175 + t16 += v * b3; 1176 + t17 += v * b4; 1177 + t18 += v * b5; 1178 + t19 += v * b6; 1179 + t20 += v * b7; 1180 + t21 += v * b8; 1181 + t22 += v * b9; 1182 + t23 += v * b10; 1183 + t24 += v * b11; 1184 + t25 += v * b12; 1185 + t26 += v * b13; 1186 + t27 += v * b14; 1187 + t28 += v * b15; 1188 + v = a[14]; 1189 + t14 += v * b0; 1190 + t15 += v * b1; 1191 + t16 += v * b2; 1192 + t17 += v * b3; 1193 + t18 += v * b4; 1194 + t19 += v * b5; 1195 + t20 += v * b6; 1196 + t21 += v * b7; 1197 + t22 += v * b8; 1198 + t23 += v * b9; 1199 + t24 += v * b10; 1200 + t25 += v * b11; 1201 + t26 += v * b12; 1202 + t27 += v * b13; 1203 + t28 += v * b14; 1204 + t29 += v * b15; 1205 + v = a[15]; 1206 + t15 += v * b0; 1207 + t16 += v * b1; 1208 + t17 += v * b2; 1209 + t18 += v * b3; 1210 + t19 += v * b4; 1211 + t20 += v * b5; 1212 + t21 += v * b6; 1213 + t22 += v * b7; 1214 + t23 += v * b8; 1215 + t24 += v * b9; 1216 + t25 += v * b10; 1217 + t26 += v * b11; 1218 + t27 += v * b12; 1219 + t28 += v * b13; 1220 + t29 += v * b14; 1221 + t30 += v * b15; 1222 + 1223 + t0 += 38 * t16; 1224 + t1 += 38 * t17; 1225 + t2 += 38 * t18; 1226 + t3 += 38 * t19; 1227 + t4 += 38 * t20; 1228 + t5 += 38 * t21; 1229 + t6 += 38 * t22; 1230 + t7 += 38 * t23; 1231 + t8 += 38 * t24; 1232 + t9 += 38 * t25; 1233 + t10 += 38 * t26; 1234 + t11 += 38 * t27; 1235 + t12 += 38 * t28; 1236 + t13 += 38 * t29; 1237 + t14 += 38 * t30; 1238 + // t15 left as is 1239 + 1240 + // first car 1241 + c = 1; 1242 + v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536; 1243 + v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536; 1244 + v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536; 1245 + v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536; 1246 + v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536; 1247 + v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536; 1248 + v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536; 1249 + v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536; 1250 + v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536; 1251 + v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536; 1252 + v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536; 1253 + v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536; 1254 + v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536; 1255 + v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536; 1256 + v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536; 1257 + v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536; 1258 + t0 += c-1 + 37 * (c-1); 1259 + 1260 + // second car 1261 + c = 1; 1262 + v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536; 1263 + v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536; 1264 + v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536; 1265 + v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536; 1266 + v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536; 1267 + v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536; 1268 + v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536; 1269 + v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536; 1270 + v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536; 1271 + v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536; 1272 + v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536; 1273 + v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536; 1274 + v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536; 1275 + v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536; 1276 + v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536; 1277 + v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536; 1278 + t0 += c-1 + 37 * (c-1); 1279 + 1280 + o[ 0] = t0; 1281 + o[ 1] = t1; 1282 + o[ 2] = t2; 1283 + o[ 3] = t3; 1284 + o[ 4] = t4; 1285 + o[ 5] = t5; 1286 + o[ 6] = t6; 1287 + o[ 7] = t7; 1288 + o[ 8] = t8; 1289 + o[ 9] = t9; 1290 + o[10] = t10; 1291 + o[11] = t11; 1292 + o[12] = t12; 1293 + o[13] = t13; 1294 + o[14] = t14; 1295 + o[15] = t15; 1296 + } 1297 + 1298 + function S(o, a) { 1299 + M(o, a, a); 1300 + } 1301 + 1302 + function inv25519(o, i) { 1303 + var c = gf(); 1304 + var a; 1305 + for (a = 0; a < 16; a++) c[a] = i[a]; 1306 + for (a = 253; a >= 0; a--) { 1307 + S(c, c); 1308 + if(a !== 2 && a !== 4) M(c, c, i); 1309 + } 1310 + for (a = 0; a < 16; a++) o[a] = c[a]; 1311 + } 1312 + 1313 + function pow2523(o, i) { 1314 + var c = gf(); 1315 + var a; 1316 + for (a = 0; a < 16; a++) c[a] = i[a]; 1317 + for (a = 250; a >= 0; a--) { 1318 + S(c, c); 1319 + if(a !== 1) M(c, c, i); 1320 + } 1321 + for (a = 0; a < 16; a++) o[a] = c[a]; 1322 + } 1323 + 1324 + function crypto_scalarmult(q, n, p) { 1325 + var z = new Uint8Array(32); 1326 + var x = new Float64Array(80), r, i; 1327 + var a = gf(), b = gf(), c = gf(), 1328 + d = gf(), e = gf(), f = gf(); 1329 + for (i = 0; i < 31; i++) z[i] = n[i]; 1330 + z[31]=(n[31]&127)|64; 1331 + z[0]&=248; 1332 + unpack25519(x,p); 1333 + for (i = 0; i < 16; i++) { 1334 + b[i]=x[i]; 1335 + d[i]=a[i]=c[i]=0; 1336 + } 1337 + a[0]=d[0]=1; 1338 + for (i=254; i>=0; --i) { 1339 + r=(z[i>>>3]>>>(i&7))&1; 1340 + sel25519(a,b,r); 1341 + sel25519(c,d,r); 1342 + A(e,a,c); 1343 + Z(a,a,c); 1344 + A(c,b,d); 1345 + Z(b,b,d); 1346 + S(d,e); 1347 + S(f,a); 1348 + M(a,c,a); 1349 + M(c,b,e); 1350 + A(e,a,c); 1351 + Z(a,a,c); 1352 + S(b,a); 1353 + Z(c,d,f); 1354 + M(a,c,_121665); 1355 + A(a,a,d); 1356 + M(c,c,a); 1357 + M(a,d,f); 1358 + M(d,b,x); 1359 + S(b,e); 1360 + sel25519(a,b,r); 1361 + sel25519(c,d,r); 1362 + } 1363 + for (i = 0; i < 16; i++) { 1364 + x[i+16]=a[i]; 1365 + x[i+32]=c[i]; 1366 + x[i+48]=b[i]; 1367 + x[i+64]=d[i]; 1368 + } 1369 + var x32 = x.subarray(32); 1370 + var x16 = x.subarray(16); 1371 + inv25519(x32,x32); 1372 + M(x16,x16,x32); 1373 + pack25519(q,x16); 1374 + return 0; 1375 + } 1376 + 1377 + function crypto_scalarmult_base(q, n) { 1378 + return crypto_scalarmult(q, n, _9); 1379 + } 1380 + 1381 + function crypto_box_keypair(y, x) { 1382 + randombytes(x, 32); 1383 + return crypto_scalarmult_base(y, x); 1384 + } 1385 + 1386 + function crypto_box_beforenm(k, y, x) { 1387 + var s = new Uint8Array(32); 1388 + crypto_scalarmult(s, x, y); 1389 + return crypto_core_hsalsa20(k, _0, s, sigma); 1390 + } 1391 + 1392 + var crypto_box_afternm = crypto_secretbox; 1393 + var crypto_box_open_afternm = crypto_secretbox_open; 1394 + 1395 + function crypto_box(c, m, d, n, y, x) { 1396 + var k = new Uint8Array(32); 1397 + crypto_box_beforenm(k, y, x); 1398 + return crypto_box_afternm(c, m, d, n, k); 1399 + } 1400 + 1401 + function crypto_box_open(m, c, d, n, y, x) { 1402 + var k = new Uint8Array(32); 1403 + crypto_box_beforenm(k, y, x); 1404 + return crypto_box_open_afternm(m, c, d, n, k); 1405 + } 1406 + 1407 + var K = [ 1408 + 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd, 1409 + 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc, 1410 + 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019, 1411 + 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118, 1412 + 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe, 1413 + 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2, 1414 + 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1, 1415 + 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694, 1416 + 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3, 1417 + 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65, 1418 + 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483, 1419 + 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5, 1420 + 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210, 1421 + 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4, 1422 + 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725, 1423 + 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70, 1424 + 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926, 1425 + 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df, 1426 + 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8, 1427 + 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b, 1428 + 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001, 1429 + 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30, 1430 + 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910, 1431 + 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8, 1432 + 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53, 1433 + 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8, 1434 + 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb, 1435 + 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3, 1436 + 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60, 1437 + 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec, 1438 + 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9, 1439 + 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b, 1440 + 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207, 1441 + 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178, 1442 + 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6, 1443 + 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b, 1444 + 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493, 1445 + 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c, 1446 + 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a, 1447 + 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817 1448 + ]; 1449 + 1450 + function crypto_hashblocks_hl(hh, hl, m, n) { 1451 + var wh = new Int32Array(16), wl = new Int32Array(16), 1452 + bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7, 1453 + bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7, 1454 + th, tl, i, j, h, l, a, b, c, d; 1455 + 1456 + var ah0 = hh[0], 1457 + ah1 = hh[1], 1458 + ah2 = hh[2], 1459 + ah3 = hh[3], 1460 + ah4 = hh[4], 1461 + ah5 = hh[5], 1462 + ah6 = hh[6], 1463 + ah7 = hh[7], 1464 + 1465 + al0 = hl[0], 1466 + al1 = hl[1], 1467 + al2 = hl[2], 1468 + al3 = hl[3], 1469 + al4 = hl[4], 1470 + al5 = hl[5], 1471 + al6 = hl[6], 1472 + al7 = hl[7]; 1473 + 1474 + var pos = 0; 1475 + while (n >= 128) { 1476 + for (i = 0; i < 16; i++) { 1477 + j = 8 * i + pos; 1478 + wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3]; 1479 + wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7]; 1480 + } 1481 + for (i = 0; i < 80; i++) { 1482 + bh0 = ah0; 1483 + bh1 = ah1; 1484 + bh2 = ah2; 1485 + bh3 = ah3; 1486 + bh4 = ah4; 1487 + bh5 = ah5; 1488 + bh6 = ah6; 1489 + bh7 = ah7; 1490 + 1491 + bl0 = al0; 1492 + bl1 = al1; 1493 + bl2 = al2; 1494 + bl3 = al3; 1495 + bl4 = al4; 1496 + bl5 = al5; 1497 + bl6 = al6; 1498 + bl7 = al7; 1499 + 1500 + // add 1501 + h = ah7; 1502 + l = al7; 1503 + 1504 + a = l & 0xffff; b = l >>> 16; 1505 + c = h & 0xffff; d = h >>> 16; 1506 + 1507 + // Sigma1 1508 + h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32)))); 1509 + l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32)))); 1510 + 1511 + a += l & 0xffff; b += l >>> 16; 1512 + c += h & 0xffff; d += h >>> 16; 1513 + 1514 + // Ch 1515 + h = (ah4 & ah5) ^ (~ah4 & ah6); 1516 + l = (al4 & al5) ^ (~al4 & al6); 1517 + 1518 + a += l & 0xffff; b += l >>> 16; 1519 + c += h & 0xffff; d += h >>> 16; 1520 + 1521 + // K 1522 + h = K[i*2]; 1523 + l = K[i*2+1]; 1524 + 1525 + a += l & 0xffff; b += l >>> 16; 1526 + c += h & 0xffff; d += h >>> 16; 1527 + 1528 + // w 1529 + h = wh[i%16]; 1530 + l = wl[i%16]; 1531 + 1532 + a += l & 0xffff; b += l >>> 16; 1533 + c += h & 0xffff; d += h >>> 16; 1534 + 1535 + b += a >>> 16; 1536 + c += b >>> 16; 1537 + d += c >>> 16; 1538 + 1539 + th = c & 0xffff | d << 16; 1540 + tl = a & 0xffff | b << 16; 1541 + 1542 + // add 1543 + h = th; 1544 + l = tl; 1545 + 1546 + a = l & 0xffff; b = l >>> 16; 1547 + c = h & 0xffff; d = h >>> 16; 1548 + 1549 + // Sigma0 1550 + h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32)))); 1551 + l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32)))); 1552 + 1553 + a += l & 0xffff; b += l >>> 16; 1554 + c += h & 0xffff; d += h >>> 16; 1555 + 1556 + // Maj 1557 + h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2); 1558 + l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2); 1559 + 1560 + a += l & 0xffff; b += l >>> 16; 1561 + c += h & 0xffff; d += h >>> 16; 1562 + 1563 + b += a >>> 16; 1564 + c += b >>> 16; 1565 + d += c >>> 16; 1566 + 1567 + bh7 = (c & 0xffff) | (d << 16); 1568 + bl7 = (a & 0xffff) | (b << 16); 1569 + 1570 + // add 1571 + h = bh3; 1572 + l = bl3; 1573 + 1574 + a = l & 0xffff; b = l >>> 16; 1575 + c = h & 0xffff; d = h >>> 16; 1576 + 1577 + h = th; 1578 + l = tl; 1579 + 1580 + a += l & 0xffff; b += l >>> 16; 1581 + c += h & 0xffff; d += h >>> 16; 1582 + 1583 + b += a >>> 16; 1584 + c += b >>> 16; 1585 + d += c >>> 16; 1586 + 1587 + bh3 = (c & 0xffff) | (d << 16); 1588 + bl3 = (a & 0xffff) | (b << 16); 1589 + 1590 + ah1 = bh0; 1591 + ah2 = bh1; 1592 + ah3 = bh2; 1593 + ah4 = bh3; 1594 + ah5 = bh4; 1595 + ah6 = bh5; 1596 + ah7 = bh6; 1597 + ah0 = bh7; 1598 + 1599 + al1 = bl0; 1600 + al2 = bl1; 1601 + al3 = bl2; 1602 + al4 = bl3; 1603 + al5 = bl4; 1604 + al6 = bl5; 1605 + al7 = bl6; 1606 + al0 = bl7; 1607 + 1608 + if (i%16 === 15) { 1609 + for (j = 0; j < 16; j++) { 1610 + // add 1611 + h = wh[j]; 1612 + l = wl[j]; 1613 + 1614 + a = l & 0xffff; b = l >>> 16; 1615 + c = h & 0xffff; d = h >>> 16; 1616 + 1617 + h = wh[(j+9)%16]; 1618 + l = wl[(j+9)%16]; 1619 + 1620 + a += l & 0xffff; b += l >>> 16; 1621 + c += h & 0xffff; d += h >>> 16; 1622 + 1623 + // sigma0 1624 + th = wh[(j+1)%16]; 1625 + tl = wl[(j+1)%16]; 1626 + h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7); 1627 + l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7))); 1628 + 1629 + a += l & 0xffff; b += l >>> 16; 1630 + c += h & 0xffff; d += h >>> 16; 1631 + 1632 + // sigma1 1633 + th = wh[(j+14)%16]; 1634 + tl = wl[(j+14)%16]; 1635 + h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6); 1636 + l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6))); 1637 + 1638 + a += l & 0xffff; b += l >>> 16; 1639 + c += h & 0xffff; d += h >>> 16; 1640 + 1641 + b += a >>> 16; 1642 + c += b >>> 16; 1643 + d += c >>> 16; 1644 + 1645 + wh[j] = (c & 0xffff) | (d << 16); 1646 + wl[j] = (a & 0xffff) | (b << 16); 1647 + } 1648 + } 1649 + } 1650 + 1651 + // add 1652 + h = ah0; 1653 + l = al0; 1654 + 1655 + a = l & 0xffff; b = l >>> 16; 1656 + c = h & 0xffff; d = h >>> 16; 1657 + 1658 + h = hh[0]; 1659 + l = hl[0]; 1660 + 1661 + a += l & 0xffff; b += l >>> 16; 1662 + c += h & 0xffff; d += h >>> 16; 1663 + 1664 + b += a >>> 16; 1665 + c += b >>> 16; 1666 + d += c >>> 16; 1667 + 1668 + hh[0] = ah0 = (c & 0xffff) | (d << 16); 1669 + hl[0] = al0 = (a & 0xffff) | (b << 16); 1670 + 1671 + h = ah1; 1672 + l = al1; 1673 + 1674 + a = l & 0xffff; b = l >>> 16; 1675 + c = h & 0xffff; d = h >>> 16; 1676 + 1677 + h = hh[1]; 1678 + l = hl[1]; 1679 + 1680 + a += l & 0xffff; b += l >>> 16; 1681 + c += h & 0xffff; d += h >>> 16; 1682 + 1683 + b += a >>> 16; 1684 + c += b >>> 16; 1685 + d += c >>> 16; 1686 + 1687 + hh[1] = ah1 = (c & 0xffff) | (d << 16); 1688 + hl[1] = al1 = (a & 0xffff) | (b << 16); 1689 + 1690 + h = ah2; 1691 + l = al2; 1692 + 1693 + a = l & 0xffff; b = l >>> 16; 1694 + c = h & 0xffff; d = h >>> 16; 1695 + 1696 + h = hh[2]; 1697 + l = hl[2]; 1698 + 1699 + a += l & 0xffff; b += l >>> 16; 1700 + c += h & 0xffff; d += h >>> 16; 1701 + 1702 + b += a >>> 16; 1703 + c += b >>> 16; 1704 + d += c >>> 16; 1705 + 1706 + hh[2] = ah2 = (c & 0xffff) | (d << 16); 1707 + hl[2] = al2 = (a & 0xffff) | (b << 16); 1708 + 1709 + h = ah3; 1710 + l = al3; 1711 + 1712 + a = l & 0xffff; b = l >>> 16; 1713 + c = h & 0xffff; d = h >>> 16; 1714 + 1715 + h = hh[3]; 1716 + l = hl[3]; 1717 + 1718 + a += l & 0xffff; b += l >>> 16; 1719 + c += h & 0xffff; d += h >>> 16; 1720 + 1721 + b += a >>> 16; 1722 + c += b >>> 16; 1723 + d += c >>> 16; 1724 + 1725 + hh[3] = ah3 = (c & 0xffff) | (d << 16); 1726 + hl[3] = al3 = (a & 0xffff) | (b << 16); 1727 + 1728 + h = ah4; 1729 + l = al4; 1730 + 1731 + a = l & 0xffff; b = l >>> 16; 1732 + c = h & 0xffff; d = h >>> 16; 1733 + 1734 + h = hh[4]; 1735 + l = hl[4]; 1736 + 1737 + a += l & 0xffff; b += l >>> 16; 1738 + c += h & 0xffff; d += h >>> 16; 1739 + 1740 + b += a >>> 16; 1741 + c += b >>> 16; 1742 + d += c >>> 16; 1743 + 1744 + hh[4] = ah4 = (c & 0xffff) | (d << 16); 1745 + hl[4] = al4 = (a & 0xffff) | (b << 16); 1746 + 1747 + h = ah5; 1748 + l = al5; 1749 + 1750 + a = l & 0xffff; b = l >>> 16; 1751 + c = h & 0xffff; d = h >>> 16; 1752 + 1753 + h = hh[5]; 1754 + l = hl[5]; 1755 + 1756 + a += l & 0xffff; b += l >>> 16; 1757 + c += h & 0xffff; d += h >>> 16; 1758 + 1759 + b += a >>> 16; 1760 + c += b >>> 16; 1761 + d += c >>> 16; 1762 + 1763 + hh[5] = ah5 = (c & 0xffff) | (d << 16); 1764 + hl[5] = al5 = (a & 0xffff) | (b << 16); 1765 + 1766 + h = ah6; 1767 + l = al6; 1768 + 1769 + a = l & 0xffff; b = l >>> 16; 1770 + c = h & 0xffff; d = h >>> 16; 1771 + 1772 + h = hh[6]; 1773 + l = hl[6]; 1774 + 1775 + a += l & 0xffff; b += l >>> 16; 1776 + c += h & 0xffff; d += h >>> 16; 1777 + 1778 + b += a >>> 16; 1779 + c += b >>> 16; 1780 + d += c >>> 16; 1781 + 1782 + hh[6] = ah6 = (c & 0xffff) | (d << 16); 1783 + hl[6] = al6 = (a & 0xffff) | (b << 16); 1784 + 1785 + h = ah7; 1786 + l = al7; 1787 + 1788 + a = l & 0xffff; b = l >>> 16; 1789 + c = h & 0xffff; d = h >>> 16; 1790 + 1791 + h = hh[7]; 1792 + l = hl[7]; 1793 + 1794 + a += l & 0xffff; b += l >>> 16; 1795 + c += h & 0xffff; d += h >>> 16; 1796 + 1797 + b += a >>> 16; 1798 + c += b >>> 16; 1799 + d += c >>> 16; 1800 + 1801 + hh[7] = ah7 = (c & 0xffff) | (d << 16); 1802 + hl[7] = al7 = (a & 0xffff) | (b << 16); 1803 + 1804 + pos += 128; 1805 + n -= 128; 1806 + } 1807 + 1808 + return n; 1809 + } 1810 + 1811 + function crypto_hash(out, m, n) { 1812 + var hh = new Int32Array(8), 1813 + hl = new Int32Array(8), 1814 + x = new Uint8Array(256), 1815 + i, b = n; 1816 + 1817 + hh[0] = 0x6a09e667; 1818 + hh[1] = 0xbb67ae85; 1819 + hh[2] = 0x3c6ef372; 1820 + hh[3] = 0xa54ff53a; 1821 + hh[4] = 0x510e527f; 1822 + hh[5] = 0x9b05688c; 1823 + hh[6] = 0x1f83d9ab; 1824 + hh[7] = 0x5be0cd19; 1825 + 1826 + hl[0] = 0xf3bcc908; 1827 + hl[1] = 0x84caa73b; 1828 + hl[2] = 0xfe94f82b; 1829 + hl[3] = 0x5f1d36f1; 1830 + hl[4] = 0xade682d1; 1831 + hl[5] = 0x2b3e6c1f; 1832 + hl[6] = 0xfb41bd6b; 1833 + hl[7] = 0x137e2179; 1834 + 1835 + crypto_hashblocks_hl(hh, hl, m, n); 1836 + n %= 128; 1837 + 1838 + for (i = 0; i < n; i++) x[i] = m[b-n+i]; 1839 + x[n] = 128; 1840 + 1841 + n = 256-128*(n<112?1:0); 1842 + x[n-9] = 0; 1843 + ts64(x, n-8, (b / 0x20000000) | 0, b << 3); 1844 + crypto_hashblocks_hl(hh, hl, x, n); 1845 + 1846 + for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]); 1847 + 1848 + return 0; 1849 + } 1850 + 1851 + function add(p, q) { 1852 + var a = gf(), b = gf(), c = gf(), 1853 + d = gf(), e = gf(), f = gf(), 1854 + g = gf(), h = gf(), t = gf(); 1855 + 1856 + Z(a, p[1], p[0]); 1857 + Z(t, q[1], q[0]); 1858 + M(a, a, t); 1859 + A(b, p[0], p[1]); 1860 + A(t, q[0], q[1]); 1861 + M(b, b, t); 1862 + M(c, p[3], q[3]); 1863 + M(c, c, D2); 1864 + M(d, p[2], q[2]); 1865 + A(d, d, d); 1866 + Z(e, b, a); 1867 + Z(f, d, c); 1868 + A(g, d, c); 1869 + A(h, b, a); 1870 + 1871 + M(p[0], e, f); 1872 + M(p[1], h, g); 1873 + M(p[2], g, f); 1874 + M(p[3], e, h); 1875 + } 1876 + 1877 + function cswap(p, q, b) { 1878 + var i; 1879 + for (i = 0; i < 4; i++) { 1880 + sel25519(p[i], q[i], b); 1881 + } 1882 + } 1883 + 1884 + function pack(r, p) { 1885 + var tx = gf(), ty = gf(), zi = gf(); 1886 + inv25519(zi, p[2]); 1887 + M(tx, p[0], zi); 1888 + M(ty, p[1], zi); 1889 + pack25519(r, ty); 1890 + r[31] ^= par25519(tx) << 7; 1891 + } 1892 + 1893 + function scalarmult(p, q, s) { 1894 + var b, i; 1895 + set25519(p[0], gf0); 1896 + set25519(p[1], gf1); 1897 + set25519(p[2], gf1); 1898 + set25519(p[3], gf0); 1899 + for (i = 255; i >= 0; --i) { 1900 + b = (s[(i/8)|0] >> (i&7)) & 1; 1901 + cswap(p, q, b); 1902 + add(q, p); 1903 + add(p, p); 1904 + cswap(p, q, b); 1905 + } 1906 + } 1907 + 1908 + function scalarbase(p, s) { 1909 + var q = [gf(), gf(), gf(), gf()]; 1910 + set25519(q[0], X); 1911 + set25519(q[1], Y); 1912 + set25519(q[2], gf1); 1913 + M(q[3], X, Y); 1914 + scalarmult(p, q, s); 1915 + } 1916 + 1917 + function crypto_sign_keypair(pk, sk, seeded) { 1918 + var d = new Uint8Array(64); 1919 + var p = [gf(), gf(), gf(), gf()]; 1920 + var i; 1921 + 1922 + if (!seeded) randombytes(sk, 32); 1923 + crypto_hash(d, sk, 32); 1924 + d[0] &= 248; 1925 + d[31] &= 127; 1926 + d[31] |= 64; 1927 + 1928 + scalarbase(p, d); 1929 + pack(pk, p); 1930 + 1931 + for (i = 0; i < 32; i++) sk[i+32] = pk[i]; 1932 + return 0; 1933 + } 1934 + 1935 + var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]); 1936 + 1937 + function modL(r, x) { 1938 + var carry, i, j, k; 1939 + for (i = 63; i >= 32; --i) { 1940 + carry = 0; 1941 + for (j = i - 32, k = i - 12; j < k; ++j) { 1942 + x[j] += carry - 16 * x[i] * L[j - (i - 32)]; 1943 + carry = (x[j] + 128) >> 8; 1944 + x[j] -= carry * 256; 1945 + } 1946 + x[j] += carry; 1947 + x[i] = 0; 1948 + } 1949 + carry = 0; 1950 + for (j = 0; j < 32; j++) { 1951 + x[j] += carry - (x[31] >> 4) * L[j]; 1952 + carry = x[j] >> 8; 1953 + x[j] &= 255; 1954 + } 1955 + for (j = 0; j < 32; j++) x[j] -= carry * L[j]; 1956 + for (i = 0; i < 32; i++) { 1957 + x[i+1] += x[i] >> 8; 1958 + r[i] = x[i] & 255; 1959 + } 1960 + } 1961 + 1962 + function reduce(r) { 1963 + var x = new Float64Array(64), i; 1964 + for (i = 0; i < 64; i++) x[i] = r[i]; 1965 + for (i = 0; i < 64; i++) r[i] = 0; 1966 + modL(r, x); 1967 + } 1968 + 1969 + // Note: difference from C - smlen returned, not passed as argument. 1970 + function crypto_sign(sm, m, n, sk) { 1971 + var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64); 1972 + var i, j, x = new Float64Array(64); 1973 + var p = [gf(), gf(), gf(), gf()]; 1974 + 1975 + crypto_hash(d, sk, 32); 1976 + d[0] &= 248; 1977 + d[31] &= 127; 1978 + d[31] |= 64; 1979 + 1980 + var smlen = n + 64; 1981 + for (i = 0; i < n; i++) sm[64 + i] = m[i]; 1982 + for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i]; 1983 + 1984 + crypto_hash(r, sm.subarray(32), n+32); 1985 + reduce(r); 1986 + scalarbase(p, r); 1987 + pack(sm, p); 1988 + 1989 + for (i = 32; i < 64; i++) sm[i] = sk[i]; 1990 + crypto_hash(h, sm, n + 64); 1991 + reduce(h); 1992 + 1993 + for (i = 0; i < 64; i++) x[i] = 0; 1994 + for (i = 0; i < 32; i++) x[i] = r[i]; 1995 + for (i = 0; i < 32; i++) { 1996 + for (j = 0; j < 32; j++) { 1997 + x[i+j] += h[i] * d[j]; 1998 + } 1999 + } 2000 + 2001 + modL(sm.subarray(32), x); 2002 + return smlen; 2003 + } 2004 + 2005 + function unpackneg(r, p) { 2006 + var t = gf(), chk = gf(), num = gf(), 2007 + den = gf(), den2 = gf(), den4 = gf(), 2008 + den6 = gf(); 2009 + 2010 + set25519(r[2], gf1); 2011 + unpack25519(r[1], p); 2012 + S(num, r[1]); 2013 + M(den, num, D); 2014 + Z(num, num, r[2]); 2015 + A(den, r[2], den); 2016 + 2017 + S(den2, den); 2018 + S(den4, den2); 2019 + M(den6, den4, den2); 2020 + M(t, den6, num); 2021 + M(t, t, den); 2022 + 2023 + pow2523(t, t); 2024 + M(t, t, num); 2025 + M(t, t, den); 2026 + M(t, t, den); 2027 + M(r[0], t, den); 2028 + 2029 + S(chk, r[0]); 2030 + M(chk, chk, den); 2031 + if (neq25519(chk, num)) M(r[0], r[0], I); 2032 + 2033 + S(chk, r[0]); 2034 + M(chk, chk, den); 2035 + if (neq25519(chk, num)) return -1; 2036 + 2037 + if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]); 2038 + 2039 + M(r[3], r[0], r[1]); 2040 + return 0; 2041 + } 2042 + 2043 + function crypto_sign_open(m, sm, n, pk) { 2044 + var i; 2045 + var t = new Uint8Array(32), h = new Uint8Array(64); 2046 + var p = [gf(), gf(), gf(), gf()], 2047 + q = [gf(), gf(), gf(), gf()]; 2048 + 2049 + if (n < 64) return -1; 2050 + 2051 + if (unpackneg(q, pk)) return -1; 2052 + 2053 + for (i = 0; i < n; i++) m[i] = sm[i]; 2054 + for (i = 0; i < 32; i++) m[i+32] = pk[i]; 2055 + crypto_hash(h, m, n); 2056 + reduce(h); 2057 + scalarmult(p, q, h); 2058 + 2059 + scalarbase(q, sm.subarray(32)); 2060 + add(p, q); 2061 + pack(t, p); 2062 + 2063 + n -= 64; 2064 + if (crypto_verify_32(sm, 0, t, 0)) { 2065 + for (i = 0; i < n; i++) m[i] = 0; 2066 + return -1; 2067 + } 2068 + 2069 + for (i = 0; i < n; i++) m[i] = sm[i + 64]; 2070 + return n; 2071 + } 2072 + 2073 + var crypto_secretbox_KEYBYTES = 32, 2074 + crypto_secretbox_NONCEBYTES = 24, 2075 + crypto_secretbox_ZEROBYTES = 32, 2076 + crypto_secretbox_BOXZEROBYTES = 16, 2077 + crypto_scalarmult_BYTES = 32, 2078 + crypto_scalarmult_SCALARBYTES = 32, 2079 + crypto_box_PUBLICKEYBYTES = 32, 2080 + crypto_box_SECRETKEYBYTES = 32, 2081 + crypto_box_BEFORENMBYTES = 32, 2082 + crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES, 2083 + crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES, 2084 + crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES, 2085 + crypto_sign_BYTES = 64, 2086 + crypto_sign_PUBLICKEYBYTES = 32, 2087 + crypto_sign_SECRETKEYBYTES = 64, 2088 + crypto_sign_SEEDBYTES = 32, 2089 + crypto_hash_BYTES = 64; 2090 + 2091 + nacl.lowlevel = { 2092 + crypto_core_hsalsa20: crypto_core_hsalsa20, 2093 + crypto_stream_xor: crypto_stream_xor, 2094 + crypto_stream: crypto_stream, 2095 + crypto_stream_salsa20_xor: crypto_stream_salsa20_xor, 2096 + crypto_stream_salsa20: crypto_stream_salsa20, 2097 + crypto_onetimeauth: crypto_onetimeauth, 2098 + crypto_onetimeauth_verify: crypto_onetimeauth_verify, 2099 + crypto_verify_16: crypto_verify_16, 2100 + crypto_verify_32: crypto_verify_32, 2101 + crypto_secretbox: crypto_secretbox, 2102 + crypto_secretbox_open: crypto_secretbox_open, 2103 + crypto_scalarmult: crypto_scalarmult, 2104 + crypto_scalarmult_base: crypto_scalarmult_base, 2105 + crypto_box_beforenm: crypto_box_beforenm, 2106 + crypto_box_afternm: crypto_box_afternm, 2107 + crypto_box: crypto_box, 2108 + crypto_box_open: crypto_box_open, 2109 + crypto_box_keypair: crypto_box_keypair, 2110 + crypto_hash: crypto_hash, 2111 + crypto_sign: crypto_sign, 2112 + crypto_sign_keypair: crypto_sign_keypair, 2113 + crypto_sign_open: crypto_sign_open, 2114 + 2115 + crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES, 2116 + crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES, 2117 + crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES, 2118 + crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES, 2119 + crypto_scalarmult_BYTES: crypto_scalarmult_BYTES, 2120 + crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES, 2121 + crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES, 2122 + crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES, 2123 + crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES, 2124 + crypto_box_NONCEBYTES: crypto_box_NONCEBYTES, 2125 + crypto_box_ZEROBYTES: crypto_box_ZEROBYTES, 2126 + crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES, 2127 + crypto_sign_BYTES: crypto_sign_BYTES, 2128 + crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES, 2129 + crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES, 2130 + crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES, 2131 + crypto_hash_BYTES: crypto_hash_BYTES 2132 + }; 2133 + 2134 + /* High-level API */ 2135 + 2136 + function checkLengths(k, n) { 2137 + if (k.length !== crypto_secretbox_KEYBYTES) throw new Error('bad key size'); 2138 + if (n.length !== crypto_secretbox_NONCEBYTES) throw new Error('bad nonce size'); 2139 + } 2140 + 2141 + function checkBoxLengths(pk, sk) { 2142 + if (pk.length !== crypto_box_PUBLICKEYBYTES) throw new Error('bad public key size'); 2143 + if (sk.length !== crypto_box_SECRETKEYBYTES) throw new Error('bad secret key size'); 2144 + } 2145 + 2146 + function checkArrayTypes() { 2147 + for (var i = 0; i < arguments.length; i++) { 2148 + if (!(arguments[i] instanceof Uint8Array)) 2149 + throw new TypeError('unexpected type, use Uint8Array'); 2150 + } 2151 + } 2152 + 2153 + function cleanup(arr) { 2154 + for (var i = 0; i < arr.length; i++) arr[i] = 0; 2155 + } 2156 + 2157 + nacl.randomBytes = function(n) { 2158 + var b = new Uint8Array(n); 2159 + randombytes(b, n); 2160 + return b; 2161 + }; 2162 + 2163 + nacl.secretbox = function(msg, nonce, key) { 2164 + checkArrayTypes(msg, nonce, key); 2165 + checkLengths(key, nonce); 2166 + var m = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length); 2167 + var c = new Uint8Array(m.length); 2168 + for (var i = 0; i < msg.length; i++) m[i+crypto_secretbox_ZEROBYTES] = msg[i]; 2169 + crypto_secretbox(c, m, m.length, nonce, key); 2170 + return c.subarray(crypto_secretbox_BOXZEROBYTES); 2171 + }; 2172 + 2173 + nacl.secretbox.open = function(box, nonce, key) { 2174 + checkArrayTypes(box, nonce, key); 2175 + checkLengths(key, nonce); 2176 + var c = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length); 2177 + var m = new Uint8Array(c.length); 2178 + for (var i = 0; i < box.length; i++) c[i+crypto_secretbox_BOXZEROBYTES] = box[i]; 2179 + if (c.length < 32) return null; 2180 + if (crypto_secretbox_open(m, c, c.length, nonce, key) !== 0) return null; 2181 + return m.subarray(crypto_secretbox_ZEROBYTES); 2182 + }; 2183 + 2184 + nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES; 2185 + nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES; 2186 + nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES; 2187 + 2188 + nacl.scalarMult = function(n, p) { 2189 + checkArrayTypes(n, p); 2190 + if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size'); 2191 + if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size'); 2192 + var q = new Uint8Array(crypto_scalarmult_BYTES); 2193 + crypto_scalarmult(q, n, p); 2194 + return q; 2195 + }; 2196 + 2197 + nacl.scalarMult.base = function(n) { 2198 + checkArrayTypes(n); 2199 + if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size'); 2200 + var q = new Uint8Array(crypto_scalarmult_BYTES); 2201 + crypto_scalarmult_base(q, n); 2202 + return q; 2203 + }; 2204 + 2205 + nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES; 2206 + nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES; 2207 + 2208 + nacl.box = function(msg, nonce, publicKey, secretKey) { 2209 + var k = nacl.box.before(publicKey, secretKey); 2210 + return nacl.secretbox(msg, nonce, k); 2211 + }; 2212 + 2213 + nacl.box.before = function(publicKey, secretKey) { 2214 + checkArrayTypes(publicKey, secretKey); 2215 + checkBoxLengths(publicKey, secretKey); 2216 + var k = new Uint8Array(crypto_box_BEFORENMBYTES); 2217 + crypto_box_beforenm(k, publicKey, secretKey); 2218 + return k; 2219 + }; 2220 + 2221 + nacl.box.after = nacl.secretbox; 2222 + 2223 + nacl.box.open = function(msg, nonce, publicKey, secretKey) { 2224 + var k = nacl.box.before(publicKey, secretKey); 2225 + return nacl.secretbox.open(msg, nonce, k); 2226 + }; 2227 + 2228 + nacl.box.open.after = nacl.secretbox.open; 2229 + 2230 + nacl.box.keyPair = function() { 2231 + var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES); 2232 + var sk = new Uint8Array(crypto_box_SECRETKEYBYTES); 2233 + crypto_box_keypair(pk, sk); 2234 + return {publicKey: pk, secretKey: sk}; 2235 + }; 2236 + 2237 + nacl.box.keyPair.fromSecretKey = function(secretKey) { 2238 + checkArrayTypes(secretKey); 2239 + if (secretKey.length !== crypto_box_SECRETKEYBYTES) 2240 + throw new Error('bad secret key size'); 2241 + var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES); 2242 + crypto_scalarmult_base(pk, secretKey); 2243 + return {publicKey: pk, secretKey: new Uint8Array(secretKey)}; 2244 + }; 2245 + 2246 + nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES; 2247 + nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES; 2248 + nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES; 2249 + nacl.box.nonceLength = crypto_box_NONCEBYTES; 2250 + nacl.box.overheadLength = nacl.secretbox.overheadLength; 2251 + 2252 + nacl.sign = function(msg, secretKey) { 2253 + checkArrayTypes(msg, secretKey); 2254 + if (secretKey.length !== crypto_sign_SECRETKEYBYTES) 2255 + throw new Error('bad secret key size'); 2256 + var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length); 2257 + crypto_sign(signedMsg, msg, msg.length, secretKey); 2258 + return signedMsg; 2259 + }; 2260 + 2261 + nacl.sign.open = function(signedMsg, publicKey) { 2262 + checkArrayTypes(signedMsg, publicKey); 2263 + if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) 2264 + throw new Error('bad public key size'); 2265 + var tmp = new Uint8Array(signedMsg.length); 2266 + var mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey); 2267 + if (mlen < 0) return null; 2268 + var m = new Uint8Array(mlen); 2269 + for (var i = 0; i < m.length; i++) m[i] = tmp[i]; 2270 + return m; 2271 + }; 2272 + 2273 + nacl.sign.detached = function(msg, secretKey) { 2274 + var signedMsg = nacl.sign(msg, secretKey); 2275 + var sig = new Uint8Array(crypto_sign_BYTES); 2276 + for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i]; 2277 + return sig; 2278 + }; 2279 + 2280 + nacl.sign.detached.verify = function(msg, sig, publicKey) { 2281 + checkArrayTypes(msg, sig, publicKey); 2282 + if (sig.length !== crypto_sign_BYTES) 2283 + throw new Error('bad signature size'); 2284 + if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) 2285 + throw new Error('bad public key size'); 2286 + var sm = new Uint8Array(crypto_sign_BYTES + msg.length); 2287 + var m = new Uint8Array(crypto_sign_BYTES + msg.length); 2288 + var i; 2289 + for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i]; 2290 + for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i]; 2291 + return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0); 2292 + }; 2293 + 2294 + nacl.sign.keyPair = function() { 2295 + var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); 2296 + var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES); 2297 + crypto_sign_keypair(pk, sk); 2298 + return {publicKey: pk, secretKey: sk}; 2299 + }; 2300 + 2301 + nacl.sign.keyPair.fromSecretKey = function(secretKey) { 2302 + checkArrayTypes(secretKey); 2303 + if (secretKey.length !== crypto_sign_SECRETKEYBYTES) 2304 + throw new Error('bad secret key size'); 2305 + var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); 2306 + for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i]; 2307 + return {publicKey: pk, secretKey: new Uint8Array(secretKey)}; 2308 + }; 2309 + 2310 + nacl.sign.keyPair.fromSeed = function(seed) { 2311 + checkArrayTypes(seed); 2312 + if (seed.length !== crypto_sign_SEEDBYTES) 2313 + throw new Error('bad seed size'); 2314 + var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); 2315 + var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES); 2316 + for (var i = 0; i < 32; i++) sk[i] = seed[i]; 2317 + crypto_sign_keypair(pk, sk, true); 2318 + return {publicKey: pk, secretKey: sk}; 2319 + }; 2320 + 2321 + nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES; 2322 + nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES; 2323 + nacl.sign.seedLength = crypto_sign_SEEDBYTES; 2324 + nacl.sign.signatureLength = crypto_sign_BYTES; 2325 + 2326 + nacl.hash = function(msg) { 2327 + checkArrayTypes(msg); 2328 + var h = new Uint8Array(crypto_hash_BYTES); 2329 + crypto_hash(h, msg, msg.length); 2330 + return h; 2331 + }; 2332 + 2333 + nacl.hash.hashLength = crypto_hash_BYTES; 2334 + 2335 + nacl.verify = function(x, y) { 2336 + checkArrayTypes(x, y); 2337 + // Zero length arguments are considered not equal. 2338 + if (x.length === 0 || y.length === 0) return false; 2339 + if (x.length !== y.length) return false; 2340 + return (vn(x, 0, y, 0, x.length) === 0) ? true : false; 2341 + }; 2342 + 2343 + nacl.setPRNG = function(fn) { 2344 + randombytes = fn; 2345 + }; 2346 + 2347 + (function() { 2348 + // Initialize PRNG if environment provides CSPRNG. 2349 + // If not, methods calling randombytes will throw. 2350 + var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null; 2351 + if (crypto && crypto.getRandomValues) { 2352 + // Browsers. 2353 + var QUOTA = 65536; 2354 + nacl.setPRNG(function(x, n) { 2355 + var i, v = new Uint8Array(n); 2356 + for (i = 0; i < n; i += QUOTA) { 2357 + crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA))); 2358 + } 2359 + for (i = 0; i < n; i++) x[i] = v[i]; 2360 + cleanup(v); 2361 + }); 2362 + } else if (typeof require !== 'undefined') { 2363 + // Node.js. 2364 + crypto = require('crypto'); 2365 + if (crypto && crypto.randomBytes) { 2366 + nacl.setPRNG(function(x, n) { 2367 + var i, v = crypto.randomBytes(n); 2368 + for (i = 0; i < n; i++) x[i] = v[i]; 2369 + cleanup(v); 2370 + }); 2371 + } 2372 + } 2373 + })();