From 6fc0960d3ff997a7b7f781c14b3e64e2568437f3 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:35:30 +0800 Subject: [PATCH 01/13] Run `npm run build` --- package-lock.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6a6b48b..8b89578 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@noble/ciphers", - "version": "0.4.1", + "version": "0.5.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@noble/ciphers", - "version": "0.4.1", + "version": "0.5.1", "license": "MIT", "devDependencies": { "@scure/base": "1.1.3", From 722531bc0c83c4f23e1fa819896ce23422f6a30d Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:36:17 +0800 Subject: [PATCH 02/13] add all built js files --- _arx.js | 171 +++++++++++++ _assert.js | 50 ++++ _micro.js | 295 +++++++++++++++++++++ _poly1305.js | 268 ++++++++++++++++++++ _polyval.js | 221 ++++++++++++++++ aes.js | 633 ++++++++++++++++++++++++++++++++++++++++++++++ chacha.js | 323 +++++++++++++++++++++++ crypto.js | 17 ++ cryptoNode.js | 22 ++ esm/_arx.js | 166 ++++++++++++ esm/_assert.js | 41 +++ esm/_micro.js | 287 +++++++++++++++++++++ esm/_poly1305.js | 264 +++++++++++++++++++ esm/_polyval.js | 217 ++++++++++++++++ esm/aes.js | 628 +++++++++++++++++++++++++++++++++++++++++++++ esm/chacha.js | 318 +++++++++++++++++++++++ esm/crypto.js | 12 + esm/cryptoNode.js | 17 ++ esm/ff1.js | 149 +++++++++++ esm/index.js | 3 + esm/salsa.js | 205 +++++++++++++++ esm/utils.js | 182 +++++++++++++ esm/webcrypto.js | 96 +++++++ ff1.js | 154 +++++++++++ index.js | 3 + salsa.js | 210 +++++++++++++++ utils.js | 206 +++++++++++++++ webcrypto.js | 98 +++++++ 28 files changed, 5256 insertions(+) create mode 100644 _arx.js create mode 100644 _assert.js create mode 100644 _micro.js create mode 100644 _poly1305.js create mode 100644 _polyval.js create mode 100644 aes.js create mode 100644 chacha.js create mode 100644 crypto.js create mode 100644 cryptoNode.js create mode 100644 esm/_arx.js create mode 100644 esm/_assert.js create mode 100644 esm/_micro.js create mode 100644 esm/_poly1305.js create mode 100644 esm/_polyval.js create mode 100644 esm/aes.js create mode 100644 esm/chacha.js create mode 100644 esm/crypto.js create mode 100644 esm/cryptoNode.js create mode 100644 esm/ff1.js create mode 100644 esm/index.js create mode 100644 esm/salsa.js create mode 100644 esm/utils.js create mode 100644 esm/webcrypto.js create mode 100644 ff1.js create mode 100644 index.js create mode 100644 salsa.js create mode 100644 utils.js create mode 100644 webcrypto.js diff --git a/_arx.js b/_arx.js new file mode 100644 index 0000000..4c8e20d --- /dev/null +++ b/_arx.js @@ -0,0 +1,171 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.createCipher = exports.rotl = void 0; +// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. +const _assert_js_1 = require("./_assert.js"); +const utils_js_1 = require("./utils.js"); +/* +RFC8439 requires multi-step cipher stream, where +authKey starts with counter: 0, actual msg with counter: 1. + +For this, we need a way to re-use nonce / counter: + + const counter = new Uint8Array(4); + chacha(..., counter, ...); // counter is now 1 + chacha(..., counter, ...); // counter is now 2 + +This is complicated: + +- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB +- Original papers don't allow mutating counters +- Counter overflow is undefined [^1] +- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it +- Caveat: Cannot be re-used through all cases: +- * chacha has (counter | nonce) +- * xchacha has (nonce16 | counter | nonce16) +- Idea B: separate nonce / counter and provide separate API for counter re-use +- Caveat: there are different counter sizes depending on an algorithm. +- salsa & chacha also differ in structures of key & sigma: + salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] + chacha: s(4) | k(8) | ctr(1) | nonce(3) + chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) +- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` +- Caveat: we can't re-use counter array + +xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal +(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). + +[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ +[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 +*/ +const sigma16 = (0, utils_js_1.utf8ToBytes)('expand 16-byte k'); +const sigma32 = (0, utils_js_1.utf8ToBytes)('expand 32-byte k'); +const sigma16_32 = (0, utils_js_1.u32)(sigma16); +const sigma32_32 = (0, utils_js_1.u32)(sigma32); +function rotl(a, b) { + return (a << b) | (a >>> (32 - b)); +} +exports.rotl = rotl; +// Is byte array aligned to 4 byte offset (u32)? +function isAligned32(b) { + return b.byteOffset % 4 === 0; +} +// Salsa and Chacha block length is always 512-bit +const BLOCK_LEN = 64; +const BLOCK_LEN32 = 16; +// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] +// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] +const MAX_COUNTER = 2 ** 32 - 1; +const U32_EMPTY = new Uint32Array(); +function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { + const len = data.length; + const block = new Uint8Array(BLOCK_LEN); + const b32 = (0, utils_js_1.u32)(block); + // Make sure that buffers aligned to 4 bytes + const isAligned = isAligned32(data) && isAligned32(output); + const d32 = isAligned ? (0, utils_js_1.u32)(data) : U32_EMPTY; + const o32 = isAligned ? (0, utils_js_1.u32)(output) : U32_EMPTY; + for (let pos = 0; pos < len; counter++) { + core(sigma, key, nonce, b32, counter, rounds); + if (counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + const take = Math.min(BLOCK_LEN, len - pos); + // aligned to 4 bytes + if (isAligned && take === BLOCK_LEN) { + const pos32 = pos / 4; + if (pos % 4 !== 0) + throw new Error('arx: invalid block position'); + for (let j = 0, posj; j < BLOCK_LEN32; j++) { + posj = pos32 + j; + o32[posj] = d32[posj] ^ b32[j]; + } + pos += BLOCK_LEN; + continue; + } + for (let j = 0, posj; j < take; j++) { + posj = pos + j; + output[posj] = data[posj] ^ block[j]; + } + pos += take; + } +} +function createCipher(core, opts) { + const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0, utils_js_1.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); + if (typeof core !== 'function') + throw new Error('core must be a function'); + (0, _assert_js_1.number)(counterLength); + (0, _assert_js_1.number)(rounds); + (0, _assert_js_1.bool)(counterRight); + (0, _assert_js_1.bool)(allowShortKeys); + return (key, nonce, data, output, counter = 0) => { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce); + (0, _assert_js_1.bytes)(data); + const len = data.length; + if (!output) + output = new Uint8Array(len); + (0, _assert_js_1.bytes)(output); + (0, _assert_js_1.number)(counter); + if (counter < 0 || counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + if (output.length < len) + throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); + const toClean = []; + // Key & sigma + // key=16 -> sigma16, k=key|key + // key=32 -> sigma32, k=key + let l = key.length, k, sigma; + if (l === 32) { + k = key.slice(); + toClean.push(k); + sigma = sigma32_32; + } + else if (l === 16 && allowShortKeys) { + k = new Uint8Array(32); + k.set(key); + k.set(key, 16); + sigma = sigma16_32; + toClean.push(k); + } + else { + throw new Error(`arx: invalid 32-byte key, got length=${l}`); + } + // Nonce + // salsa20: 8 (8-byte counter) + // chacha20orig: 8 (8-byte counter) + // chacha20: 12 (4-byte counter) + // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) + // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) + // Align nonce to 4 bytes + if (!isAligned32(nonce)) { + nonce = nonce.slice(); + toClean.push(nonce); + } + const k32 = (0, utils_js_1.u32)(k); + // hsalsa & hchacha: handle extended nonce + if (extendNonceFn) { + if (nonce.length !== 24) + throw new Error(`arx: extended nonce must be 24 bytes`); + extendNonceFn(sigma, k32, (0, utils_js_1.u32)(nonce.subarray(0, 16)), k32); + nonce = nonce.subarray(16); + } + // Handle nonce counter + const nonceNcLen = 16 - counterLength; + if (nonceNcLen !== nonce.length) + throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); + // Pad counter when nonce is 64 bit + if (nonceNcLen !== 12) { + const nc = new Uint8Array(12); + nc.set(nonce, counterRight ? 0 : 12 - nonce.length); + nonce = nc; + toClean.push(nonce); + } + const n32 = (0, utils_js_1.u32)(nonce); + runCipher(core, sigma, k32, n32, data, output, counter, rounds); + while (toClean.length > 0) + toClean.pop().fill(0); + return output; + }; +} +exports.createCipher = createCipher; +//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/_assert.js b/_assert.js new file mode 100644 index 0000000..83ace83 --- /dev/null +++ b/_assert.js @@ -0,0 +1,50 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.output = exports.exists = exports.hash = exports.bytes = exports.bool = exports.number = exports.isBytes = void 0; +function number(n) { + if (!Number.isSafeInteger(n) || n < 0) + throw new Error(`positive integer expected, not ${n}`); +} +exports.number = number; +function bool(b) { + if (typeof b !== 'boolean') + throw new Error(`boolean expected, not ${b}`); +} +exports.bool = bool; +function isBytes(a) { + return (a instanceof Uint8Array || + (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); +} +exports.isBytes = isBytes; +function bytes(b, ...lengths) { + if (!isBytes(b)) + throw new Error('Uint8Array expected'); + if (lengths.length > 0 && !lengths.includes(b.length)) + throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); +} +exports.bytes = bytes; +function hash(hash) { + if (typeof hash !== 'function' || typeof hash.create !== 'function') + throw new Error('hash must be wrapped by utils.wrapConstructor'); + number(hash.outputLen); + number(hash.blockLen); +} +exports.hash = hash; +function exists(instance, checkFinished = true) { + if (instance.destroyed) + throw new Error('Hash instance has been destroyed'); + if (checkFinished && instance.finished) + throw new Error('Hash#digest() has already been called'); +} +exports.exists = exists; +function output(out, instance) { + bytes(out); + const min = instance.outputLen; + if (out.length < min) { + throw new Error(`digestInto() expects output buffer of length at least ${min}`); + } +} +exports.output = output; +const assert = { number, bool, bytes, hash, exists, output }; +exports.default = assert; +//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/_micro.js b/_micro.js new file mode 100644 index 0000000..523065c --- /dev/null +++ b/_micro.js @@ -0,0 +1,295 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.secretbox = exports.xsalsa20poly1305 = exports.poly1305 = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.xsalsa20 = exports.salsa20 = exports.hchacha = exports.hsalsa = void 0; +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _arx_js_1 = require("./_arx.js"); +const _assert_js_1 = require("./_assert.js"); +/* +noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. +Implements the same algorithms that are present in other files, but without +unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). +*/ +function bytesToNumberLE(bytes) { + return (0, utils_js_1.hexToNumber)((0, utils_js_1.bytesToHex)(Uint8Array.from(bytes).reverse())); +} +function numberToBytesLE(n, len) { + return (0, utils_js_1.numberToBytesBE)(n, len).reverse(); +} +function salsaQR(x, a, b, c, d) { + x[b] ^= (0, _arx_js_1.rotl)((x[a] + x[d]) | 0, 7); + x[c] ^= (0, _arx_js_1.rotl)((x[b] + x[a]) | 0, 9); + x[d] ^= (0, _arx_js_1.rotl)((x[c] + x[b]) | 0, 13); + x[a] ^= (0, _arx_js_1.rotl)((x[d] + x[c]) | 0, 18); +} +// prettier-ignore +function chachaQR(x, a, b, c, d) { + x[a] = (x[a] + x[b]) | 0; + x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 16); + x[c] = (x[c] + x[d]) | 0; + x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 12); + x[a] = (x[a] + x[b]) | 0; + x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 8); + x[c] = (x[c] + x[d]) | 0; + x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 7); +} +function salsaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + salsaQR(x, 0, 4, 8, 12); + salsaQR(x, 5, 9, 13, 1); + salsaQR(x, 10, 14, 2, 6); + salsaQR(x, 15, 3, 7, 11); + salsaQR(x, 0, 1, 2, 3); + salsaQR(x, 5, 6, 7, 4); + salsaQR(x, 10, 11, 8, 9); + salsaQR(x, 15, 12, 13, 14); + } +} +function chachaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + chachaQR(x, 0, 4, 8, 12); + chachaQR(x, 1, 5, 9, 13); + chachaQR(x, 2, 6, 10, 14); + chachaQR(x, 3, 7, 11, 15); + chachaQR(x, 0, 5, 10, 15); + chachaQR(x, 1, 6, 11, 12); + chachaQR(x, 2, 7, 8, 13); + chachaQR(x, 3, 4, 9, 14); + } +} +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], k[0], k[1], k[2], // "expa" Key Key Key + k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce + cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key + k[5], k[6], k[7], s[3], // Key Key Key "te k" + ]); + const x = y.slice(); + salsaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +function hsalsa(s, k, i, o32) { + const x = new Uint32Array([ + s[0], k[0], k[1], k[2], + k[3], s[1], i[0], i[1], + i[2], i[3], s[2], k[4], + k[5], k[6], k[7], s[3] + ]); + salsaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[5]; + o32[oi++] = x[10]; + o32[oi++] = x[15]; + o32[oi++] = x[6]; + o32[oi++] = x[7]; + o32[oi++] = x[8]; + o32[oi++] = x[9]; +} +exports.hsalsa = hsalsa; +function chachaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" + k[0], k[1], k[2], k[3], // Key Key Key Key + k[4], k[5], k[6], k[7], // Key Key Key Key + cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce + ]); + const x = y.slice(); + chachaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +function hchacha(s, k, i, o32) { + const x = new Uint32Array([ + s[0], s[1], s[2], s[3], + k[0], k[1], k[2], k[3], + k[4], k[5], k[6], k[7], + i[0], i[1], i[2], i[3], + ]); + chachaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[1]; + o32[oi++] = x[2]; + o32[oi++] = x[3]; + o32[oi++] = x[12]; + o32[oi++] = x[13]; + o32[oi++] = x[14]; + o32[oi++] = x[15]; +} +exports.hchacha = hchacha; +/** + * salsa20, 12-byte nonce. + */ +exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20, 24-byte nonce. + */ +exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. + */ +exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { + allowShortKeys: true, + counterRight: false, + counterLength: 8, +}); +/** + * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. + */ +exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, +}); +/** + * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, +}); +/** + * 8-round chacha from the original paper. + */ +exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * 12-round chacha from the original paper. + */ +exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); +const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); +const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); +const _0 = BigInt(0); +const _1 = BigInt(1); +// Can be speed-up using BigUint64Array, but would be more complicated +function poly1305(msg, key) { + (0, _assert_js_1.bytes)(msg); + (0, _assert_js_1.bytes)(key); + let acc = _0; + const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; + const s = bytesToNumberLE(key.subarray(16)); + // Process by 16 byte chunks + for (let i = 0; i < msg.length; i += 16) { + const m = msg.subarray(i, i + 16); + const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); + acc = ((acc + n) * r) % POW_2_130_5; + } + const res = (acc + s) & POW_2_128_1; + return numberToBytesLE(res, 16); +} +exports.poly1305 = poly1305; +function computeTag(fn, key, nonce, ciphertext, AAD) { + const res = []; + if (AAD) { + res.push(AAD); + const leftover = AAD.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + } + res.push(ciphertext); + const leftover = ciphertext.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + // Lengths + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(ciphertext.length), true); + res.push(num); + const authKey = fn(key, nonce, new Uint8Array(32)); + return poly1305((0, utils_js_1.concatBytes)(...res), authKey); +} +/** + * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. + */ +exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const m = (0, utils_js_1.concatBytes)(new Uint8Array(32), plaintext); + const c = (0, exports.xsalsa20)(key, nonce, m); + const authKey = c.subarray(0, 32); + const data = c.subarray(32); + const tag = poly1305(data, authKey); + return (0, utils_js_1.concatBytes)(tag, data); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < 16) + throw new Error('encrypted data must be at least 16 bytes'); + const c = (0, utils_js_1.concatBytes)(new Uint8Array(16), ciphertext); + const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); + const tag = poly1305(c.subarray(32), authKey); + if (!(0, utils_js_1.equalBytes)(c.subarray(16, 32), tag)) + throw new Error('invalid poly1305 tag'); + return (0, exports.xsalsa20)(key, nonce, c).subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20-poly1305 + */ +function secretbox(key, nonce) { + const xs = (0, exports.xsalsa20poly1305)(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +exports.secretbox = secretbox; +const _poly1305_aead = (fn) => (key, nonce, AAD) => { + const tagLength = 16; + const keyLength = 32; + (0, _assert_js_1.bytes)(key, keyLength); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const res = fn(key, nonce, plaintext, undefined, 1); + const tag = computeTag(fn, key, nonce, res, AAD); + return (0, utils_js_1.concatBytes)(res, tag); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + const passedTag = ciphertext.subarray(-tagLength); + const data = ciphertext.subarray(0, -tagLength); + const tag = computeTag(fn, key, nonce, data, AAD); + if (!(0, utils_js_1.equalBytes)(passedTag, tag)) + throw new Error('invalid poly1305 tag'); + return fn(key, nonce, data, undefined, 1); + }, + }; +}; +exports._poly1305_aead = _poly1305_aead; +/** + * chacha20-poly1305 12-byte-nonce chacha. + */ +exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); +/** + * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); +//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/_poly1305.js b/_poly1305.js new file mode 100644 index 0000000..0652e24 --- /dev/null +++ b/_poly1305.js @@ -0,0 +1,268 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.poly1305 = exports.wrapConstructorWithKey = void 0; +const _assert_js_1 = require("./_assert.js"); +const utils_js_1 = require("./utils.js"); +// Poly1305 is a fast and parallel secret-key message-authentication code. +// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf +// https://datatracker.ietf.org/doc/html/rfc8439 +// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna +const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); +class Poly1305 { + constructor(key) { + this.blockLen = 16; + this.outputLen = 16; + this.buffer = new Uint8Array(16); + this.r = new Uint16Array(10); + this.h = new Uint16Array(10); + this.pad = new Uint16Array(8); + this.pos = 0; + this.finished = false; + key = (0, utils_js_1.toBytes)(key); + (0, _assert_js_1.bytes)(key, 32); + const t0 = u8to16(key, 0); + const t1 = u8to16(key, 2); + const t2 = u8to16(key, 4); + const t3 = u8to16(key, 6); + const t4 = u8to16(key, 8); + const t5 = u8to16(key, 10); + const t6 = u8to16(key, 12); + const t7 = u8to16(key, 14); + // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 + this.r[0] = t0 & 0x1fff; + this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; + this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; + this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; + this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; + this.r[5] = (t4 >>> 1) & 0x1ffe; + this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; + this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; + this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; + this.r[9] = (t7 >>> 5) & 0x007f; + for (let i = 0; i < 8; i++) + this.pad[i] = u8to16(key, 16 + 2 * i); + } + process(data, offset, isLast = false) { + const hibit = isLast ? 0 : 1 << 11; + const { h, r } = this; + const r0 = r[0]; + const r1 = r[1]; + const r2 = r[2]; + const r3 = r[3]; + const r4 = r[4]; + const r5 = r[5]; + const r6 = r[6]; + const r7 = r[7]; + const r8 = r[8]; + const r9 = r[9]; + const t0 = u8to16(data, offset + 0); + const t1 = u8to16(data, offset + 2); + const t2 = u8to16(data, offset + 4); + const t3 = u8to16(data, offset + 6); + const t4 = u8to16(data, offset + 8); + const t5 = u8to16(data, offset + 10); + const t6 = u8to16(data, offset + 12); + const t7 = u8to16(data, offset + 14); + let h0 = h[0] + (t0 & 0x1fff); + let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); + let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); + let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); + let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); + let h5 = h[5] + ((t4 >>> 1) & 0x1fff); + let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); + let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); + let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); + let h9 = h[9] + ((t7 >>> 5) | hibit); + let c = 0; + let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); + c = d0 >>> 13; + d0 &= 0x1fff; + d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); + c += d0 >>> 13; + d0 &= 0x1fff; + let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); + c = d1 >>> 13; + d1 &= 0x1fff; + d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); + c += d1 >>> 13; + d1 &= 0x1fff; + let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); + c = d2 >>> 13; + d2 &= 0x1fff; + d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); + c += d2 >>> 13; + d2 &= 0x1fff; + let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); + c = d3 >>> 13; + d3 &= 0x1fff; + d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); + c += d3 >>> 13; + d3 &= 0x1fff; + let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; + c = d4 >>> 13; + d4 &= 0x1fff; + d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); + c += d4 >>> 13; + d4 &= 0x1fff; + let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; + c = d5 >>> 13; + d5 &= 0x1fff; + d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); + c += d5 >>> 13; + d5 &= 0x1fff; + let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; + c = d6 >>> 13; + d6 &= 0x1fff; + d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); + c += d6 >>> 13; + d6 &= 0x1fff; + let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; + c = d7 >>> 13; + d7 &= 0x1fff; + d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); + c += d7 >>> 13; + d7 &= 0x1fff; + let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; + c = d8 >>> 13; + d8 &= 0x1fff; + d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); + c += d8 >>> 13; + d8 &= 0x1fff; + let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; + c = d9 >>> 13; + d9 &= 0x1fff; + d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; + c += d9 >>> 13; + d9 &= 0x1fff; + c = ((c << 2) + c) | 0; + c = (c + d0) | 0; + d0 = c & 0x1fff; + c = c >>> 13; + d1 += c; + h[0] = d0; + h[1] = d1; + h[2] = d2; + h[3] = d3; + h[4] = d4; + h[5] = d5; + h[6] = d6; + h[7] = d7; + h[8] = d8; + h[9] = d9; + } + finalize() { + const { h, pad } = this; + const g = new Uint16Array(10); + let c = h[1] >>> 13; + h[1] &= 0x1fff; + for (let i = 2; i < 10; i++) { + h[i] += c; + c = h[i] >>> 13; + h[i] &= 0x1fff; + } + h[0] += c * 5; + c = h[0] >>> 13; + h[0] &= 0x1fff; + h[1] += c; + c = h[1] >>> 13; + h[1] &= 0x1fff; + h[2] += c; + g[0] = h[0] + 5; + c = g[0] >>> 13; + g[0] &= 0x1fff; + for (let i = 1; i < 10; i++) { + g[i] = h[i] + c; + c = g[i] >>> 13; + g[i] &= 0x1fff; + } + g[9] -= 1 << 13; + let mask = (c ^ 1) - 1; + for (let i = 0; i < 10; i++) + g[i] &= mask; + mask = ~mask; + for (let i = 0; i < 10; i++) + h[i] = (h[i] & mask) | g[i]; + h[0] = (h[0] | (h[1] << 13)) & 0xffff; + h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; + h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; + h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; + h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; + h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; + h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; + h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; + let f = h[0] + pad[0]; + h[0] = f & 0xffff; + for (let i = 1; i < 8; i++) { + f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; + h[i] = f & 0xffff; + } + } + update(data) { + (0, _assert_js_1.exists)(this); + const { buffer, blockLen } = this; + data = (0, utils_js_1.toBytes)(data); + const len = data.length; + for (let pos = 0; pos < len;) { + const take = Math.min(blockLen - this.pos, len - pos); + // Fast path: we have at least one block in input + if (take === blockLen) { + for (; blockLen <= len - pos; pos += blockLen) + this.process(data, pos); + continue; + } + buffer.set(data.subarray(pos, pos + take), this.pos); + this.pos += take; + pos += take; + if (this.pos === blockLen) { + this.process(buffer, 0, false); + this.pos = 0; + } + } + return this; + } + destroy() { + this.h.fill(0); + this.r.fill(0); + this.buffer.fill(0); + this.pad.fill(0); + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + const { buffer, h } = this; + let { pos } = this; + if (pos) { + buffer[pos++] = 1; + // buffer.subarray(pos).fill(0); + for (; pos < 16; pos++) + buffer[pos] = 0; + this.process(buffer, 0, true); + } + this.finalize(); + let opos = 0; + for (let i = 0; i < 8; i++) { + out[opos++] = h[i] >>> 0; + out[opos++] = h[i] >>> 8; + } + return out; + } + digest() { + const { buffer, outputLen } = this; + this.digestInto(buffer); + const res = buffer.slice(0, outputLen); + this.destroy(); + return res; + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key).update((0, utils_js_1.toBytes)(msg)).digest(); + const tmp = hashCons(new Uint8Array(32)); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key) => hashCons(key); + return hashC; +} +exports.wrapConstructorWithKey = wrapConstructorWithKey; +exports.poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); +//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/_polyval.js b/_polyval.js new file mode 100644 index 0000000..7183fc9 --- /dev/null +++ b/_polyval.js @@ -0,0 +1,221 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.polyval = exports.ghash = exports._toGHASHKey = void 0; +const utils_js_1 = require("./utils.js"); +const _assert_js_1 = require("./_assert.js"); +// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. +// Implemented in terms of GHash with conversion function for keys +// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. +// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf +// GHASH modulo: x^128 + x^7 + x^2 + x + 1 +// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 +const BLOCK_SIZE = 16; +// TODO: rewrite +// temporary padding buffer +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +const ZEROS32 = (0, utils_js_1.u32)(ZEROS16); +const POLY = 0xe1; // v = 2*v % POLY +// v = 2*v % POLY +// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x +// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) +const mul2 = (s0, s1, s2, s3) => { + const hiBit = s3 & 1; + return { + s3: (s2 << 31) | (s3 >>> 1), + s2: (s1 << 31) | (s2 >>> 1), + s1: (s0 << 31) | (s1 >>> 1), + s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly + }; +}; +const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | + (((n >>> 8) & 0xff) << 16) | + (((n >>> 16) & 0xff) << 8) | + ((n >>> 24) & 0xff) | + 0; +/** + * `mulX_POLYVAL(ByteReverse(H))` from spec + * @param k mutated in place + */ +function _toGHASHKey(k) { + k.reverse(); + const hiBit = k[15] & 1; + // k >>= 1 + let carry = 0; + for (let i = 0; i < k.length; i++) { + const t = k[i]; + k[i] = (t >>> 1) | carry; + carry = (t & 1) << 7; + } + k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; + return k; +} +exports._toGHASHKey = _toGHASHKey; +const estimateWindow = (bytes) => { + if (bytes > 64 * 1024) + return 8; + if (bytes > 1024) + return 4; + return 2; +}; +class GHASH { + // We select bits per window adaptively based on expectedLength + constructor(key, expectedLength) { + this.blockLen = BLOCK_SIZE; + this.outputLen = BLOCK_SIZE; + this.s0 = 0; + this.s1 = 0; + this.s2 = 0; + this.s3 = 0; + this.finished = false; + key = (0, utils_js_1.toBytes)(key); + (0, _assert_js_1.bytes)(key, 16); + const kView = (0, utils_js_1.createView)(key); + let k0 = kView.getUint32(0, false); + let k1 = kView.getUint32(4, false); + let k2 = kView.getUint32(8, false); + let k3 = kView.getUint32(12, false); + // generate table of doubled keys (half of montgomery ladder) + const doubles = []; + for (let i = 0; i < 128; i++) { + doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); + ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); + } + const W = estimateWindow(expectedLength || 1024); + if (![1, 2, 4, 8].includes(W)) + throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); + this.W = W; + const bits = 128; // always 128 bits; + const windows = bits / W; + const windowSize = (this.windowSize = 2 ** W); + const items = []; + // Create precompute table for window of W bits + for (let w = 0; w < windows; w++) { + // truth table: 00, 01, 10, 11 + for (let byte = 0; byte < windowSize; byte++) { + // prettier-ignore + let s0 = 0, s1 = 0, s2 = 0, s3 = 0; + for (let j = 0; j < W; j++) { + const bit = (byte >>> (W - j - 1)) & 1; + if (!bit) + continue; + const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; + (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); + } + items.push({ s0, s1, s2, s3 }); + } + } + this.t = items; + } + _updateBlock(s0, s1, s2, s3) { + (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); + const { W, t, windowSize } = this; + // prettier-ignore + let o0 = 0, o1 = 0, o2 = 0, o3 = 0; + const mask = (1 << W) - 1; // 2**W will kill performance. + let w = 0; + for (const num of [s0, s1, s2, s3]) { + for (let bytePos = 0; bytePos < 4; bytePos++) { + const byte = (num >>> (8 * bytePos)) & 0xff; + for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { + const bit = (byte >>> (W * bitPos)) & mask; + const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; + (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); + w += 1; + } + } + } + this.s0 = o0; + this.s1 = o1; + this.s2 = o2; + this.s3 = o3; + } + update(data) { + data = (0, utils_js_1.toBytes)(data); + (0, _assert_js_1.exists)(this); + const b32 = (0, utils_js_1.u32)(data); + const blocks = Math.floor(data.length / BLOCK_SIZE); + const left = data.length % BLOCK_SIZE; + for (let i = 0; i < blocks; i++) { + this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + destroy() { + const { t } = this; + // clean precompute table + for (const elm of t) { + (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); + } + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + const { s0, s1, s2, s3 } = this; + const o32 = (0, utils_js_1.u32)(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out; + } + digest() { + const res = new Uint8Array(BLOCK_SIZE); + this.digestInto(res); + this.destroy(); + return res; + } +} +class Polyval extends GHASH { + constructor(key, expectedLength) { + key = (0, utils_js_1.toBytes)(key); + const ghKey = _toGHASHKey(key.slice()); + super(ghKey, expectedLength); + ghKey.fill(0); + } + update(data) { + data = (0, utils_js_1.toBytes)(data); + (0, _assert_js_1.exists)(this); + const b32 = (0, utils_js_1.u32)(data); + const left = data.length % BLOCK_SIZE; + const blocks = Math.floor(data.length / BLOCK_SIZE); + for (let i = 0; i < blocks; i++) { + this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + // tmp ugly hack + const { s0, s1, s2, s3 } = this; + const o32 = (0, utils_js_1.u32)(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out.reverse(); + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key, msg.length).update((0, utils_js_1.toBytes)(msg)).digest(); + const tmp = hashCons(new Uint8Array(16), 0); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key, expectedLength) => hashCons(key, expectedLength); + return hashC; +} +exports.ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); +exports.polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); +//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/aes.js b/aes.js new file mode 100644 index 0000000..2147b0a --- /dev/null +++ b/aes.js @@ -0,0 +1,633 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.unsafe = exports.siv = exports.gcm = exports.cbc = exports.ecb = exports.ctr = exports.expandKeyDecLE = exports.expandKeyLE = void 0; +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _polyval_js_1 = require("./_polyval.js"); +const _assert_js_1 = require("./_assert.js"); +/* +AES (Advanced Encryption Standard) aka Rijndael block cipher. + +Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: +1. **S-box**, table substitution +2. **Shift rows**, cyclic shift left of all rows of data array +3. **Mix columns**, multiplying every column by fixed polynomial +4. **Add round key**, round_key xor i-th column of array + +Resources: +- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf +- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf +*/ +const BLOCK_SIZE = 16; +const BLOCK_SIZE32 = 4; +const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); +const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 +// TODO: remove multiplication, binary ops only +function mul2(n) { + return (n << 1) ^ (POLY & -(n >> 7)); +} +function mul(a, b) { + let res = 0; + for (; b > 0; b >>= 1) { + // Montgomery ladder + res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). + a = mul2(a); // a = 2*a + } + return res; +} +// AES S-box is generated using finite field inversion, +// an affine transform, and xor of a constant 0x63. +const sbox = /* @__PURE__ */ (() => { + let t = new Uint8Array(256); + for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) + t[i] = x; + const box = new Uint8Array(256); + box[0] = 0x63; // first elm + for (let i = 0; i < 255; i++) { + let x = t[255 - i]; + x |= x << 8; + box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; + } + return box; +})(); +// Inverted S-box +const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); +// Rotate u32 by 8 +const rotr32_8 = (n) => (n << 24) | (n >>> 8); +const rotl32_8 = (n) => (n << 8) | (n >>> 24); +// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: +// - LE instead of BE +// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; +// so index is u16, instead of u8. This speeds up things, unexpectedly +function genTtable(sbox, fn) { + if (sbox.length !== 256) + throw new Error('Wrong sbox length'); + const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); + const T1 = T0.map(rotl32_8); + const T2 = T1.map(rotl32_8); + const T3 = T2.map(rotl32_8); + const T01 = new Uint32Array(256 * 256); + const T23 = new Uint32Array(256 * 256); + const sbox2 = new Uint16Array(256 * 256); + for (let i = 0; i < 256; i++) { + for (let j = 0; j < 256; j++) { + const idx = i * 256 + j; + T01[idx] = T0[i] ^ T1[j]; + T23[idx] = T2[i] ^ T3[j]; + sbox2[idx] = (sbox[i] << 8) | sbox[j]; + } + } + return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; +} +const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); +const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); +const xPowers = /* @__PURE__ */ (() => { + const p = new Uint8Array(16); + for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) + p[i] = x; + return p; +})(); +function expandKeyLE(key) { + (0, _assert_js_1.bytes)(key); + const len = key.length; + if (![16, 24, 32].includes(len)) + throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); + const { sbox2 } = tableEncoding; + const k32 = (0, utils_js_1.u32)(key); + const Nk = k32.length; + const subByte = (n) => applySbox(sbox2, n, n, n, n); + const xk = new Uint32Array(len + 28); // expanded key + xk.set(k32); + // 4.3.1 Key expansion + for (let i = Nk; i < xk.length; i++) { + let t = xk[i - 1]; + if (i % Nk === 0) + t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; + else if (Nk > 6 && i % Nk === 4) + t = subByte(t); + xk[i] = xk[i - Nk] ^ t; + } + return xk; +} +exports.expandKeyLE = expandKeyLE; +function expandKeyDecLE(key) { + const encKey = expandKeyLE(key); + const xk = encKey.slice(); + const Nk = encKey.length; + const { sbox2 } = tableEncoding; + const { T0, T1, T2, T3 } = tableDecoding; + // Inverse key by chunks of 4 (rounds) + for (let i = 0; i < Nk; i += 4) { + for (let j = 0; j < 4; j++) + xk[i + j] = encKey[Nk - i - 4 + j]; + } + encKey.fill(0); + // apply InvMixColumn except first & last round + for (let i = 4; i < Nk - 4; i++) { + const x = xk[i]; + const w = applySbox(sbox2, x, x, x, x); + xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; + } + return xk; +} +exports.expandKeyDecLE = expandKeyDecLE; +// Apply tables +function apply0123(T01, T23, s0, s1, s2, s3) { + return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ + T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); +} +function applySbox(sbox2, s0, s1, s2, s3) { + return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | + (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); +} +function encrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableEncoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // last round (without mixcolumns, so using SBOX2 table) + const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function decrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableDecoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // Last round + const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function getDst(len, dst) { + if (!dst) + return new Uint8Array(len); + (0, _assert_js_1.bytes)(dst); + if (dst.length < len) + throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); + return dst; +} +// TODO: investigate merging with ctr32 +function ctrCounter(xk, nonce, src, dst) { + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + (0, _assert_js_1.bytes)(src); + const srcLen = src.length; + dst = getDst(srcLen, dst); + const ctr = nonce; + const c32 = (0, utils_js_1.u32)(ctr); + // Fill block (empty, ctr=0) + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + const src32 = (0, utils_js_1.u32)(src); + const dst32 = (0, utils_js_1.u32)(dst); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + // Full 128 bit counter with wrap around + let carry = 1; + for (let i = ctr.length - 1; i >= 0; i--) { + carry = (carry + (ctr[i] & 0xff)) | 0; + ctr[i] = carry & 0xff; + carry >>>= 8; + } + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than block) + // It's possible to handle > u32 fast, but is it worth it? + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = (0, utils_js_1.u8)(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +// AES CTR with overflowing 32 bit counter +// It's possible to do 32le significantly simpler (and probably faster) by using u32. +// But, we need both, and perf bottleneck is in ghash anyway. +function ctr32(xk, isLE, nonce, src, dst) { + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + (0, _assert_js_1.bytes)(src); + dst = getDst(src.length, dst); + const ctr = nonce; // write new value to nonce, so it can be re-used + const c32 = (0, utils_js_1.u32)(ctr); + const view = (0, utils_js_1.createView)(ctr); + const src32 = (0, utils_js_1.u32)(src); + const dst32 = (0, utils_js_1.u32)(dst); + const ctrPos = isLE ? 0 : 12; + const srcLen = src.length; + // Fill block (empty, ctr=0) + let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + ctrNum = (ctrNum + 1) >>> 0; // u32 wrap + view.setUint32(ctrPos, ctrNum, isLE); + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than a block) + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = (0, utils_js_1.u8)(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +/** + * CTR: counter mode. Creates stream cipher. + * Requires good IV. Parallelizable. OK, but no MAC. + */ +exports.ctr = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + function processCtr(buf, dst) { + const xk = expandKeyLE(key); + const n = nonce.slice(); + const out = ctrCounter(xk, n, buf, dst); + xk.fill(0); + n.fill(0); + return out; + } + return { + encrypt: (plaintext, dst) => processCtr(plaintext, dst), + decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), + }; +}); +function validateBlockDecrypt(data) { + (0, _assert_js_1.bytes)(data); + if (data.length % BLOCK_SIZE !== 0) { + throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); + } +} +function validateBlockEncrypt(plaintext, pcks5, dst) { + let outLen = plaintext.length; + const remaining = outLen % BLOCK_SIZE; + if (!pcks5 && remaining !== 0) + throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); + const b = (0, utils_js_1.u32)(plaintext); + if (pcks5) { + let left = BLOCK_SIZE - remaining; + if (!left) + left = BLOCK_SIZE; // if no bytes left, create empty padding block + outLen = outLen + left; + } + const out = getDst(outLen, dst); + const o = (0, utils_js_1.u32)(out); + return { b, o, out }; +} +function validatePCKS(data, pcks5) { + if (!pcks5) + return data; + const len = data.length; + if (!len) + throw new Error(`aes/pcks5: empty ciphertext not allowed`); + const lastByte = data[len - 1]; + if (lastByte <= 0 || lastByte > 16) + throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); + const out = data.subarray(0, -lastByte); + for (let i = 0; i < lastByte; i++) + if (data[len - i - 1] !== lastByte) + throw new Error(`aes/pcks5: wrong padding`); + return out; +} +function padPCKS(left) { + const tmp = new Uint8Array(16); + const tmp32 = (0, utils_js_1.u32)(tmp); + tmp.set(left); + const paddingByte = BLOCK_SIZE - left.length; + for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) + tmp[i] = paddingByte; + return tmp32; +} +/** + * ECB: Electronic CodeBook. Simple deterministic replacement. + * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). + */ +exports.ecb = (0, utils_js_1.wrapCipher)({ blockSize: 16 }, function ecb(key, opts = {}) { + (0, _assert_js_1.bytes)(key); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + (0, _assert_js_1.bytes)(plaintext); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const xk = expandKeyLE(key); + let i = 0; + for (; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const out = getDst(ciphertext.length, dst); + const b = (0, utils_js_1.u32)(ciphertext); + const o = (0, utils_js_1.u32)(out); + for (let i = 0; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +/** + * CBC: Cipher-Block-Chaining. Key is previous round’s block. + * Fragile: needs proper padding. Unauthenticated: needs MAC. + */ +exports.cbc = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(iv, 16); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + const xk = expandKeyLE(key); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const n32 = (0, utils_js_1.u32)(iv); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + let i = 0; + for (; i + 4 <= b.length;) { + (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const n32 = (0, utils_js_1.u32)(iv); + const out = getDst(ciphertext.length, dst); + const b = (0, utils_js_1.u32)(ciphertext); + const o = (0, utils_js_1.u32)(out); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + for (let i = 0; i + 4 <= b.length;) { + // prettier-ignore + const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; + (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); + const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); + (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen +function computeTag(fn, isLE, key, data, AAD) { + const h = fn.create(key, data.length + (AAD?.length || 0)); + if (AAD) + h.update(AAD); + h.update(data); + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + if (AAD) + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD.length * 8), isLE); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length * 8), isLE); + h.update(num); + return h.digest(); +} +/** + * GCM: Galois/Counter Mode. + * Good, modern version of CTR, parallel, with MAC. + * Be careful: MACs can be forged. + */ +exports.gcm = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { + (0, _assert_js_1.bytes)(nonce); + // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. + if (nonce.length === 0) + throw new Error('aes/gcm: empty nonce'); + const tagLength = 16; + function _computeTag(authKey, tagMask, data) { + const tag = computeTag(_polyval_js_1.ghash, false, authKey, data, AAD); + for (let i = 0; i < tagMask.length; i++) + tag[i] ^= tagMask[i]; + return tag; + } + function deriveKeys() { + const xk = expandKeyLE(key); + const authKey = EMPTY_BLOCK.slice(); + const counter = EMPTY_BLOCK.slice(); + ctr32(xk, false, counter, counter, authKey); + if (nonce.length === 12) { + counter.set(nonce); + } + else { + // Spec (NIST 800-38d) supports variable size nonce. + // Not supported for now, but can be useful. + const nonceLen = EMPTY_BLOCK.slice(); + const view = (0, utils_js_1.createView)(nonceLen); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(nonce.length * 8), false); + // ghash(nonce || u64be(0) || u64be(nonceLen*8)) + _polyval_js_1.ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); + } + const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); + return { xk, authKey, counter, tagMask }; + } + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const out = new Uint8Array(plaintext.length + tagLength); + ctr32(xk, false, counter, plaintext, out); + const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); + out.set(tag, plaintext.length); + xk.fill(0); + return out; + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = _computeTag(authKey, tagMask, data); + if (!(0, utils_js_1.equalBytes)(tag, passedTag)) + throw new Error('aes/gcm: invalid ghash tag'); + const out = ctr32(xk, false, counter, data); + authKey.fill(0); + tagMask.fill(0); + xk.fill(0); + return out; + }, + }; +}); +const limit = (name, min, max) => (value) => { + if (!Number.isSafeInteger(value) || min > value || value > max) + throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); +}; +/** + * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. + * Guarantees that, when a nonce is repeated, the only security loss is that identical + * plaintexts will produce identical ciphertexts. + * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 + */ +exports.siv = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { + const tagLength = 16; + // From RFC 8452: Section 6 + const AAD_LIMIT = limit('AAD', 0, 2 ** 36); + const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); + const NONCE_LIMIT = limit('nonce', 12, 12); + const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); + (0, _assert_js_1.bytes)(nonce); + NONCE_LIMIT(nonce.length); + if (AAD) { + (0, _assert_js_1.bytes)(AAD); + AAD_LIMIT(AAD.length); + } + function deriveKeys() { + const len = key.length; + if (len !== 16 && len !== 24 && len !== 32) + throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); + const xk = expandKeyLE(key); + const encKey = new Uint8Array(len); + const authKey = new Uint8Array(16); + const n32 = (0, utils_js_1.u32)(nonce); + // prettier-ignore + let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; + let counter = 0; + for (const derivedKey of [authKey, encKey].map(utils_js_1.u32)) { + const d32 = (0, utils_js_1.u32)(derivedKey); + for (let i = 0; i < d32.length; i += 2) { + // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... + const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); + d32[i + 0] = o0; + d32[i + 1] = o1; + s0 = ++counter; // increment counter inside state + } + } + xk.fill(0); + return { authKey, encKey: expandKeyLE(encKey) }; + } + function _computeTag(encKey, authKey, data) { + const tag = computeTag(_polyval_js_1.polyval, true, authKey, data, AAD); + // Compute the expected tag by XORing S_s and the nonce, clearing the + // most significant bit of the last byte and encrypting with the + // message-encryption key. + for (let i = 0; i < 12; i++) + tag[i] ^= nonce[i]; + tag[15] &= 0x7f; // Clear the highest bit + // encrypt tag as block + const t32 = (0, utils_js_1.u32)(tag); + // prettier-ignore + let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; + ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); + (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); + return tag; + } + // actual decrypt/encrypt of message. + function processSiv(encKey, tag, input) { + let block = tag.slice(); + block[15] |= 0x80; // Force highest bit + return ctr32(encKey, true, block, input); + } + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + PLAIN_LIMIT(plaintext.length); + const { encKey, authKey } = deriveKeys(); + const tag = _computeTag(encKey, authKey, plaintext); + const out = new Uint8Array(plaintext.length + tagLength); + out.set(tag, plaintext.length); + out.set(processSiv(encKey, tag, plaintext)); + encKey.fill(0); + authKey.fill(0); + return out; + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + CIPHER_LIMIT(ciphertext.length); + const tag = ciphertext.subarray(-tagLength); + const { encKey, authKey } = deriveKeys(); + const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); + const expectedTag = _computeTag(encKey, authKey, plaintext); + encKey.fill(0); + authKey.fill(0); + if (!(0, utils_js_1.equalBytes)(tag, expectedTag)) + throw new Error('invalid polyval tag'); + return plaintext; + }, + }; +}); +function isBytes32(a) { + return (a != null && + typeof a === 'object' && + (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); +} +function encryptBlock(xk, block) { + (0, _assert_js_1.bytes)(block, 16); + if (!isBytes32(xk)) + throw new Error('_encryptBlock accepts result of expandKeyLE'); + const b32 = (0, utils_js_1.u32)(block); + let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +function decryptBlock(xk, block) { + (0, _assert_js_1.bytes)(block, 16); + if (!isBytes32(xk)) + throw new Error('_decryptBlock accepts result of expandKeyLE'); + const b32 = (0, utils_js_1.u32)(block); + let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +// Highly unsafe private functions for implementing new modes or ciphers based on AES +// Can change at any time, no API guarantees +exports.unsafe = { + expandKeyLE, + expandKeyDecLE, + encrypt, + decrypt, + encryptBlock, + decryptBlock, + ctrCounter, + ctr32, +}; +//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/chacha.js b/chacha.js new file mode 100644 index 0000000..a10250d --- /dev/null +++ b/chacha.js @@ -0,0 +1,323 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.hchacha = void 0; +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _poly1305_js_1 = require("./_poly1305.js"); +const _arx_js_1 = require("./_arx.js"); +const _assert_js_1 = require("./_assert.js"); +// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase +// the diffusion per round, but had slightly less cryptanalysis. +// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf +/** + * ChaCha core function. + */ +// prettier-ignore +function chachaCore(s, k, n, out, cnt, rounds = 20) { + let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" + y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key + y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key + y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hchacha helper method, used primarily in xchacha, to hash + * key and nonce into key' and nonce'. + * Same as chachaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +function hchacha(s, k, i, o32) { + let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; + for (let r = 0; r < 20; r += 2) { + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x01; + o32[oi++] = x02; + o32[oi++] = x03; + o32[oi++] = x12; + o32[oi++] = x13; + o32[oi++] = x14; + o32[oi++] = x15; +} +exports.hchacha = hchacha; +/** + * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. + */ +exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + allowShortKeys: true, +}); +/** + * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + allowShortKeys: false, +}); +/** + * XChaCha eXtended-nonce ChaCha. 24-byte nonce. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, + allowShortKeys: false, +}); +/** + * Reduced 8-round chacha, described in original paper. + */ +exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * Reduced 12-round chacha, described in original paper. + */ +exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +// Pad to digest size with zeros +const updatePadded = (h, msg) => { + h.update(msg); + const left = msg.length % 16; + if (left) + h.update(ZEROS16.subarray(left)); +}; +const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); +function computeTag(fn, key, nonce, data, AAD) { + const authKey = fn(key, nonce, ZEROS32); + const h = _poly1305_js_1.poly1305.create(authKey); + if (AAD) + updatePadded(h, AAD); + updatePadded(h, data); + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length), true); + h.update(num); + const res = h.digest(); + authKey.fill(0); + return res; +} +/** + * AEAD algorithm from RFC 8439. + * Salsa20 and chacha (RFC 8439) use poly1305 differently. + * We could have composed them similar to: + * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 + * But it's hard because of authKey: + * In salsa20, authKey changes position in salsa stream. + * In chacha, authKey can't be computed inside computeTag, it modifies the counter. + */ +const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { + const tagLength = 16; + (0, _assert_js_1.bytes)(key, 32); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext, output) => { + const plength = plaintext.length; + const clength = plength + tagLength; + if (output) { + (0, _assert_js_1.bytes)(output, clength); + } + else { + output = new Uint8Array(clength); + } + xorStream(key, nonce, plaintext, output, 1); + const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); + output.set(tag, plength); // append tag + return output; + }, + decrypt: (ciphertext, output) => { + const clength = ciphertext.length; + const plength = clength - tagLength; + if (clength < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + if (output) { + (0, _assert_js_1.bytes)(output, plength); + } + else { + output = new Uint8Array(plength); + } + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = computeTag(xorStream, key, nonce, data, AAD); + if (!(0, utils_js_1.equalBytes)(passedTag, tag)) + throw new Error('invalid tag'); + xorStream(key, nonce, data, output, 1); + return output; + }, + }; +}; +exports._poly1305_aead = _poly1305_aead; +/** + * ChaCha20-Poly1305 from RFC 8439. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); +/** + * XChaCha20-Poly1305 extended-nonce chacha. + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); +//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/crypto.js b/crypto.js new file mode 100644 index 0000000..e166f22 --- /dev/null +++ b/crypto.js @@ -0,0 +1,17 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.getWebcryptoSubtle = exports.randomBytes = void 0; +const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; +function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +exports.randomBytes = randomBytes; +function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +exports.getWebcryptoSubtle = getWebcryptoSubtle; +//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/cryptoNode.js b/cryptoNode.js new file mode 100644 index 0000000..ac61d9d --- /dev/null +++ b/cryptoNode.js @@ -0,0 +1,22 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.getWebcryptoSubtle = exports.randomBytes = void 0; +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// See utils.ts for details. +// The file will throw on node.js 14 and earlier. +// @ts-ignore +const nc = require("node:crypto"); +const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; +function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +exports.randomBytes = randomBytes; +function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +exports.getWebcryptoSubtle = getWebcryptoSubtle; +//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/_arx.js b/esm/_arx.js new file mode 100644 index 0000000..b949f4d --- /dev/null +++ b/esm/_arx.js @@ -0,0 +1,166 @@ +// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. +import { number as anumber, bytes as abytes, bool as abool } from './_assert.js'; +import { checkOpts, u32, utf8ToBytes } from './utils.js'; +/* +RFC8439 requires multi-step cipher stream, where +authKey starts with counter: 0, actual msg with counter: 1. + +For this, we need a way to re-use nonce / counter: + + const counter = new Uint8Array(4); + chacha(..., counter, ...); // counter is now 1 + chacha(..., counter, ...); // counter is now 2 + +This is complicated: + +- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB +- Original papers don't allow mutating counters +- Counter overflow is undefined [^1] +- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it +- Caveat: Cannot be re-used through all cases: +- * chacha has (counter | nonce) +- * xchacha has (nonce16 | counter | nonce16) +- Idea B: separate nonce / counter and provide separate API for counter re-use +- Caveat: there are different counter sizes depending on an algorithm. +- salsa & chacha also differ in structures of key & sigma: + salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] + chacha: s(4) | k(8) | ctr(1) | nonce(3) + chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) +- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` +- Caveat: we can't re-use counter array + +xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal +(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). + +[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ +[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 +*/ +const sigma16 = utf8ToBytes('expand 16-byte k'); +const sigma32 = utf8ToBytes('expand 32-byte k'); +const sigma16_32 = u32(sigma16); +const sigma32_32 = u32(sigma32); +export function rotl(a, b) { + return (a << b) | (a >>> (32 - b)); +} +// Is byte array aligned to 4 byte offset (u32)? +function isAligned32(b) { + return b.byteOffset % 4 === 0; +} +// Salsa and Chacha block length is always 512-bit +const BLOCK_LEN = 64; +const BLOCK_LEN32 = 16; +// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] +// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] +const MAX_COUNTER = 2 ** 32 - 1; +const U32_EMPTY = new Uint32Array(); +function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { + const len = data.length; + const block = new Uint8Array(BLOCK_LEN); + const b32 = u32(block); + // Make sure that buffers aligned to 4 bytes + const isAligned = isAligned32(data) && isAligned32(output); + const d32 = isAligned ? u32(data) : U32_EMPTY; + const o32 = isAligned ? u32(output) : U32_EMPTY; + for (let pos = 0; pos < len; counter++) { + core(sigma, key, nonce, b32, counter, rounds); + if (counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + const take = Math.min(BLOCK_LEN, len - pos); + // aligned to 4 bytes + if (isAligned && take === BLOCK_LEN) { + const pos32 = pos / 4; + if (pos % 4 !== 0) + throw new Error('arx: invalid block position'); + for (let j = 0, posj; j < BLOCK_LEN32; j++) { + posj = pos32 + j; + o32[posj] = d32[posj] ^ b32[j]; + } + pos += BLOCK_LEN; + continue; + } + for (let j = 0, posj; j < take; j++) { + posj = pos + j; + output[posj] = data[posj] ^ block[j]; + } + pos += take; + } +} +export function createCipher(core, opts) { + const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); + if (typeof core !== 'function') + throw new Error('core must be a function'); + anumber(counterLength); + anumber(rounds); + abool(counterRight); + abool(allowShortKeys); + return (key, nonce, data, output, counter = 0) => { + abytes(key); + abytes(nonce); + abytes(data); + const len = data.length; + if (!output) + output = new Uint8Array(len); + abytes(output); + anumber(counter); + if (counter < 0 || counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + if (output.length < len) + throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); + const toClean = []; + // Key & sigma + // key=16 -> sigma16, k=key|key + // key=32 -> sigma32, k=key + let l = key.length, k, sigma; + if (l === 32) { + k = key.slice(); + toClean.push(k); + sigma = sigma32_32; + } + else if (l === 16 && allowShortKeys) { + k = new Uint8Array(32); + k.set(key); + k.set(key, 16); + sigma = sigma16_32; + toClean.push(k); + } + else { + throw new Error(`arx: invalid 32-byte key, got length=${l}`); + } + // Nonce + // salsa20: 8 (8-byte counter) + // chacha20orig: 8 (8-byte counter) + // chacha20: 12 (4-byte counter) + // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) + // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) + // Align nonce to 4 bytes + if (!isAligned32(nonce)) { + nonce = nonce.slice(); + toClean.push(nonce); + } + const k32 = u32(k); + // hsalsa & hchacha: handle extended nonce + if (extendNonceFn) { + if (nonce.length !== 24) + throw new Error(`arx: extended nonce must be 24 bytes`); + extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32); + nonce = nonce.subarray(16); + } + // Handle nonce counter + const nonceNcLen = 16 - counterLength; + if (nonceNcLen !== nonce.length) + throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); + // Pad counter when nonce is 64 bit + if (nonceNcLen !== 12) { + const nc = new Uint8Array(12); + nc.set(nonce, counterRight ? 0 : 12 - nonce.length); + nonce = nc; + toClean.push(nonce); + } + const n32 = u32(nonce); + runCipher(core, sigma, k32, n32, data, output, counter, rounds); + while (toClean.length > 0) + toClean.pop().fill(0); + return output; + }; +} +//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/esm/_assert.js b/esm/_assert.js new file mode 100644 index 0000000..330fa25 --- /dev/null +++ b/esm/_assert.js @@ -0,0 +1,41 @@ +function number(n) { + if (!Number.isSafeInteger(n) || n < 0) + throw new Error(`positive integer expected, not ${n}`); +} +function bool(b) { + if (typeof b !== 'boolean') + throw new Error(`boolean expected, not ${b}`); +} +export function isBytes(a) { + return (a instanceof Uint8Array || + (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); +} +function bytes(b, ...lengths) { + if (!isBytes(b)) + throw new Error('Uint8Array expected'); + if (lengths.length > 0 && !lengths.includes(b.length)) + throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); +} +function hash(hash) { + if (typeof hash !== 'function' || typeof hash.create !== 'function') + throw new Error('hash must be wrapped by utils.wrapConstructor'); + number(hash.outputLen); + number(hash.blockLen); +} +function exists(instance, checkFinished = true) { + if (instance.destroyed) + throw new Error('Hash instance has been destroyed'); + if (checkFinished && instance.finished) + throw new Error('Hash#digest() has already been called'); +} +function output(out, instance) { + bytes(out); + const min = instance.outputLen; + if (out.length < min) { + throw new Error(`digestInto() expects output buffer of length at least ${min}`); + } +} +export { number, bool, bytes, hash, exists, output }; +const assert = { number, bool, bytes, hash, exists, output }; +export default assert; +//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/esm/_micro.js b/esm/_micro.js new file mode 100644 index 0000000..fae5252 --- /dev/null +++ b/esm/_micro.js @@ -0,0 +1,287 @@ +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +// prettier-ignore +import { createView, setBigUint64, wrapCipher, bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE, } from './utils.js'; +import { createCipher, rotl } from './_arx.js'; +import { bytes as abytes } from './_assert.js'; +/* +noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. +Implements the same algorithms that are present in other files, but without +unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). +*/ +function bytesToNumberLE(bytes) { + return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse())); +} +function numberToBytesLE(n, len) { + return numberToBytesBE(n, len).reverse(); +} +function salsaQR(x, a, b, c, d) { + x[b] ^= rotl((x[a] + x[d]) | 0, 7); + x[c] ^= rotl((x[b] + x[a]) | 0, 9); + x[d] ^= rotl((x[c] + x[b]) | 0, 13); + x[a] ^= rotl((x[d] + x[c]) | 0, 18); +} +// prettier-ignore +function chachaQR(x, a, b, c, d) { + x[a] = (x[a] + x[b]) | 0; + x[d] = rotl(x[d] ^ x[a], 16); + x[c] = (x[c] + x[d]) | 0; + x[b] = rotl(x[b] ^ x[c], 12); + x[a] = (x[a] + x[b]) | 0; + x[d] = rotl(x[d] ^ x[a], 8); + x[c] = (x[c] + x[d]) | 0; + x[b] = rotl(x[b] ^ x[c], 7); +} +function salsaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + salsaQR(x, 0, 4, 8, 12); + salsaQR(x, 5, 9, 13, 1); + salsaQR(x, 10, 14, 2, 6); + salsaQR(x, 15, 3, 7, 11); + salsaQR(x, 0, 1, 2, 3); + salsaQR(x, 5, 6, 7, 4); + salsaQR(x, 10, 11, 8, 9); + salsaQR(x, 15, 12, 13, 14); + } +} +function chachaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + chachaQR(x, 0, 4, 8, 12); + chachaQR(x, 1, 5, 9, 13); + chachaQR(x, 2, 6, 10, 14); + chachaQR(x, 3, 7, 11, 15); + chachaQR(x, 0, 5, 10, 15); + chachaQR(x, 1, 6, 11, 12); + chachaQR(x, 2, 7, 8, 13); + chachaQR(x, 3, 4, 9, 14); + } +} +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], k[0], k[1], k[2], // "expa" Key Key Key + k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce + cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key + k[5], k[6], k[7], s[3], // Key Key Key "te k" + ]); + const x = y.slice(); + salsaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +export function hsalsa(s, k, i, o32) { + const x = new Uint32Array([ + s[0], k[0], k[1], k[2], + k[3], s[1], i[0], i[1], + i[2], i[3], s[2], k[4], + k[5], k[6], k[7], s[3] + ]); + salsaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[5]; + o32[oi++] = x[10]; + o32[oi++] = x[15]; + o32[oi++] = x[6]; + o32[oi++] = x[7]; + o32[oi++] = x[8]; + o32[oi++] = x[9]; +} +function chachaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" + k[0], k[1], k[2], k[3], // Key Key Key Key + k[4], k[5], k[6], k[7], // Key Key Key Key + cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce + ]); + const x = y.slice(); + chachaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +export function hchacha(s, k, i, o32) { + const x = new Uint32Array([ + s[0], s[1], s[2], s[3], + k[0], k[1], k[2], k[3], + k[4], k[5], k[6], k[7], + i[0], i[1], i[2], i[3], + ]); + chachaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[1]; + o32[oi++] = x[2]; + o32[oi++] = x[3]; + o32[oi++] = x[12]; + o32[oi++] = x[13]; + o32[oi++] = x[14]; + o32[oi++] = x[15]; +} +/** + * salsa20, 12-byte nonce. + */ +export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20, 24-byte nonce. + */ +export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. + */ +export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { + allowShortKeys: true, + counterRight: false, + counterLength: 8, +}); +/** + * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. + */ +export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, +}); +/** + * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, +}); +/** + * 8-round chacha from the original paper. + */ +export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * 12-round chacha from the original paper. + */ +export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); +const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); +const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); +const _0 = BigInt(0); +const _1 = BigInt(1); +// Can be speed-up using BigUint64Array, but would be more complicated +export function poly1305(msg, key) { + abytes(msg); + abytes(key); + let acc = _0; + const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; + const s = bytesToNumberLE(key.subarray(16)); + // Process by 16 byte chunks + for (let i = 0; i < msg.length; i += 16) { + const m = msg.subarray(i, i + 16); + const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); + acc = ((acc + n) * r) % POW_2_130_5; + } + const res = (acc + s) & POW_2_128_1; + return numberToBytesLE(res, 16); +} +function computeTag(fn, key, nonce, ciphertext, AAD) { + const res = []; + if (AAD) { + res.push(AAD); + const leftover = AAD.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + } + res.push(ciphertext); + const leftover = ciphertext.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + // Lengths + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + res.push(num); + const authKey = fn(key, nonce, new Uint8Array(32)); + return poly1305(concatBytes(...res), authKey); +} +/** + * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. + */ +export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { + abytes(key); + abytes(nonce); + return { + encrypt: (plaintext) => { + abytes(plaintext); + const m = concatBytes(new Uint8Array(32), plaintext); + const c = xsalsa20(key, nonce, m); + const authKey = c.subarray(0, 32); + const data = c.subarray(32); + const tag = poly1305(data, authKey); + return concatBytes(tag, data); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < 16) + throw new Error('encrypted data must be at least 16 bytes'); + const c = concatBytes(new Uint8Array(16), ciphertext); + const authKey = xsalsa20(key, nonce, new Uint8Array(32)); + const tag = poly1305(c.subarray(32), authKey); + if (!equalBytes(c.subarray(16, 32), tag)) + throw new Error('invalid poly1305 tag'); + return xsalsa20(key, nonce, c).subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20-poly1305 + */ +export function secretbox(key, nonce) { + const xs = xsalsa20poly1305(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +export const _poly1305_aead = (fn) => (key, nonce, AAD) => { + const tagLength = 16; + const keyLength = 32; + abytes(key, keyLength); + abytes(nonce); + return { + encrypt: (plaintext) => { + abytes(plaintext); + const res = fn(key, nonce, plaintext, undefined, 1); + const tag = computeTag(fn, key, nonce, res, AAD); + return concatBytes(res, tag); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + const passedTag = ciphertext.subarray(-tagLength); + const data = ciphertext.subarray(0, -tagLength); + const tag = computeTag(fn, key, nonce, data, AAD); + if (!equalBytes(passedTag, tag)) + throw new Error('invalid poly1305 tag'); + return fn(key, nonce, data, undefined, 1); + }, + }; +}; +/** + * chacha20-poly1305 12-byte-nonce chacha. + */ +export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); +/** + * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); +//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/esm/_poly1305.js b/esm/_poly1305.js new file mode 100644 index 0000000..883c3a5 --- /dev/null +++ b/esm/_poly1305.js @@ -0,0 +1,264 @@ +import { exists as aexists, bytes as abytes, output as aoutput } from './_assert.js'; +import { toBytes } from './utils.js'; +// Poly1305 is a fast and parallel secret-key message-authentication code. +// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf +// https://datatracker.ietf.org/doc/html/rfc8439 +// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna +const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); +class Poly1305 { + constructor(key) { + this.blockLen = 16; + this.outputLen = 16; + this.buffer = new Uint8Array(16); + this.r = new Uint16Array(10); + this.h = new Uint16Array(10); + this.pad = new Uint16Array(8); + this.pos = 0; + this.finished = false; + key = toBytes(key); + abytes(key, 32); + const t0 = u8to16(key, 0); + const t1 = u8to16(key, 2); + const t2 = u8to16(key, 4); + const t3 = u8to16(key, 6); + const t4 = u8to16(key, 8); + const t5 = u8to16(key, 10); + const t6 = u8to16(key, 12); + const t7 = u8to16(key, 14); + // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 + this.r[0] = t0 & 0x1fff; + this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; + this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; + this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; + this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; + this.r[5] = (t4 >>> 1) & 0x1ffe; + this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; + this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; + this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; + this.r[9] = (t7 >>> 5) & 0x007f; + for (let i = 0; i < 8; i++) + this.pad[i] = u8to16(key, 16 + 2 * i); + } + process(data, offset, isLast = false) { + const hibit = isLast ? 0 : 1 << 11; + const { h, r } = this; + const r0 = r[0]; + const r1 = r[1]; + const r2 = r[2]; + const r3 = r[3]; + const r4 = r[4]; + const r5 = r[5]; + const r6 = r[6]; + const r7 = r[7]; + const r8 = r[8]; + const r9 = r[9]; + const t0 = u8to16(data, offset + 0); + const t1 = u8to16(data, offset + 2); + const t2 = u8to16(data, offset + 4); + const t3 = u8to16(data, offset + 6); + const t4 = u8to16(data, offset + 8); + const t5 = u8to16(data, offset + 10); + const t6 = u8to16(data, offset + 12); + const t7 = u8to16(data, offset + 14); + let h0 = h[0] + (t0 & 0x1fff); + let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); + let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); + let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); + let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); + let h5 = h[5] + ((t4 >>> 1) & 0x1fff); + let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); + let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); + let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); + let h9 = h[9] + ((t7 >>> 5) | hibit); + let c = 0; + let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); + c = d0 >>> 13; + d0 &= 0x1fff; + d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); + c += d0 >>> 13; + d0 &= 0x1fff; + let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); + c = d1 >>> 13; + d1 &= 0x1fff; + d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); + c += d1 >>> 13; + d1 &= 0x1fff; + let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); + c = d2 >>> 13; + d2 &= 0x1fff; + d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); + c += d2 >>> 13; + d2 &= 0x1fff; + let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); + c = d3 >>> 13; + d3 &= 0x1fff; + d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); + c += d3 >>> 13; + d3 &= 0x1fff; + let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; + c = d4 >>> 13; + d4 &= 0x1fff; + d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); + c += d4 >>> 13; + d4 &= 0x1fff; + let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; + c = d5 >>> 13; + d5 &= 0x1fff; + d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); + c += d5 >>> 13; + d5 &= 0x1fff; + let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; + c = d6 >>> 13; + d6 &= 0x1fff; + d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); + c += d6 >>> 13; + d6 &= 0x1fff; + let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; + c = d7 >>> 13; + d7 &= 0x1fff; + d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); + c += d7 >>> 13; + d7 &= 0x1fff; + let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; + c = d8 >>> 13; + d8 &= 0x1fff; + d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); + c += d8 >>> 13; + d8 &= 0x1fff; + let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; + c = d9 >>> 13; + d9 &= 0x1fff; + d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; + c += d9 >>> 13; + d9 &= 0x1fff; + c = ((c << 2) + c) | 0; + c = (c + d0) | 0; + d0 = c & 0x1fff; + c = c >>> 13; + d1 += c; + h[0] = d0; + h[1] = d1; + h[2] = d2; + h[3] = d3; + h[4] = d4; + h[5] = d5; + h[6] = d6; + h[7] = d7; + h[8] = d8; + h[9] = d9; + } + finalize() { + const { h, pad } = this; + const g = new Uint16Array(10); + let c = h[1] >>> 13; + h[1] &= 0x1fff; + for (let i = 2; i < 10; i++) { + h[i] += c; + c = h[i] >>> 13; + h[i] &= 0x1fff; + } + h[0] += c * 5; + c = h[0] >>> 13; + h[0] &= 0x1fff; + h[1] += c; + c = h[1] >>> 13; + h[1] &= 0x1fff; + h[2] += c; + g[0] = h[0] + 5; + c = g[0] >>> 13; + g[0] &= 0x1fff; + for (let i = 1; i < 10; i++) { + g[i] = h[i] + c; + c = g[i] >>> 13; + g[i] &= 0x1fff; + } + g[9] -= 1 << 13; + let mask = (c ^ 1) - 1; + for (let i = 0; i < 10; i++) + g[i] &= mask; + mask = ~mask; + for (let i = 0; i < 10; i++) + h[i] = (h[i] & mask) | g[i]; + h[0] = (h[0] | (h[1] << 13)) & 0xffff; + h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; + h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; + h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; + h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; + h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; + h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; + h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; + let f = h[0] + pad[0]; + h[0] = f & 0xffff; + for (let i = 1; i < 8; i++) { + f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; + h[i] = f & 0xffff; + } + } + update(data) { + aexists(this); + const { buffer, blockLen } = this; + data = toBytes(data); + const len = data.length; + for (let pos = 0; pos < len;) { + const take = Math.min(blockLen - this.pos, len - pos); + // Fast path: we have at least one block in input + if (take === blockLen) { + for (; blockLen <= len - pos; pos += blockLen) + this.process(data, pos); + continue; + } + buffer.set(data.subarray(pos, pos + take), this.pos); + this.pos += take; + pos += take; + if (this.pos === blockLen) { + this.process(buffer, 0, false); + this.pos = 0; + } + } + return this; + } + destroy() { + this.h.fill(0); + this.r.fill(0); + this.buffer.fill(0); + this.pad.fill(0); + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + const { buffer, h } = this; + let { pos } = this; + if (pos) { + buffer[pos++] = 1; + // buffer.subarray(pos).fill(0); + for (; pos < 16; pos++) + buffer[pos] = 0; + this.process(buffer, 0, true); + } + this.finalize(); + let opos = 0; + for (let i = 0; i < 8; i++) { + out[opos++] = h[i] >>> 0; + out[opos++] = h[i] >>> 8; + } + return out; + } + digest() { + const { buffer, outputLen } = this; + this.digestInto(buffer); + const res = buffer.slice(0, outputLen); + this.destroy(); + return res; + } +} +export function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); + const tmp = hashCons(new Uint8Array(32)); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key) => hashCons(key); + return hashC; +} +export const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); +//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/esm/_polyval.js b/esm/_polyval.js new file mode 100644 index 0000000..4c64930 --- /dev/null +++ b/esm/_polyval.js @@ -0,0 +1,217 @@ +import { createView, toBytes, u32 } from './utils.js'; +import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js'; +// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. +// Implemented in terms of GHash with conversion function for keys +// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. +// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf +// GHASH modulo: x^128 + x^7 + x^2 + x + 1 +// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 +const BLOCK_SIZE = 16; +// TODO: rewrite +// temporary padding buffer +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +const ZEROS32 = u32(ZEROS16); +const POLY = 0xe1; // v = 2*v % POLY +// v = 2*v % POLY +// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x +// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) +const mul2 = (s0, s1, s2, s3) => { + const hiBit = s3 & 1; + return { + s3: (s2 << 31) | (s3 >>> 1), + s2: (s1 << 31) | (s2 >>> 1), + s1: (s0 << 31) | (s1 >>> 1), + s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly + }; +}; +const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | + (((n >>> 8) & 0xff) << 16) | + (((n >>> 16) & 0xff) << 8) | + ((n >>> 24) & 0xff) | + 0; +/** + * `mulX_POLYVAL(ByteReverse(H))` from spec + * @param k mutated in place + */ +export function _toGHASHKey(k) { + k.reverse(); + const hiBit = k[15] & 1; + // k >>= 1 + let carry = 0; + for (let i = 0; i < k.length; i++) { + const t = k[i]; + k[i] = (t >>> 1) | carry; + carry = (t & 1) << 7; + } + k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; + return k; +} +const estimateWindow = (bytes) => { + if (bytes > 64 * 1024) + return 8; + if (bytes > 1024) + return 4; + return 2; +}; +class GHASH { + // We select bits per window adaptively based on expectedLength + constructor(key, expectedLength) { + this.blockLen = BLOCK_SIZE; + this.outputLen = BLOCK_SIZE; + this.s0 = 0; + this.s1 = 0; + this.s2 = 0; + this.s3 = 0; + this.finished = false; + key = toBytes(key); + abytes(key, 16); + const kView = createView(key); + let k0 = kView.getUint32(0, false); + let k1 = kView.getUint32(4, false); + let k2 = kView.getUint32(8, false); + let k3 = kView.getUint32(12, false); + // generate table of doubled keys (half of montgomery ladder) + const doubles = []; + for (let i = 0; i < 128; i++) { + doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); + ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); + } + const W = estimateWindow(expectedLength || 1024); + if (![1, 2, 4, 8].includes(W)) + throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); + this.W = W; + const bits = 128; // always 128 bits; + const windows = bits / W; + const windowSize = (this.windowSize = 2 ** W); + const items = []; + // Create precompute table for window of W bits + for (let w = 0; w < windows; w++) { + // truth table: 00, 01, 10, 11 + for (let byte = 0; byte < windowSize; byte++) { + // prettier-ignore + let s0 = 0, s1 = 0, s2 = 0, s3 = 0; + for (let j = 0; j < W; j++) { + const bit = (byte >>> (W - j - 1)) & 1; + if (!bit) + continue; + const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; + (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); + } + items.push({ s0, s1, s2, s3 }); + } + } + this.t = items; + } + _updateBlock(s0, s1, s2, s3) { + (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); + const { W, t, windowSize } = this; + // prettier-ignore + let o0 = 0, o1 = 0, o2 = 0, o3 = 0; + const mask = (1 << W) - 1; // 2**W will kill performance. + let w = 0; + for (const num of [s0, s1, s2, s3]) { + for (let bytePos = 0; bytePos < 4; bytePos++) { + const byte = (num >>> (8 * bytePos)) & 0xff; + for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { + const bit = (byte >>> (W * bitPos)) & mask; + const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; + (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); + w += 1; + } + } + } + this.s0 = o0; + this.s1 = o1; + this.s2 = o2; + this.s3 = o3; + } + update(data) { + data = toBytes(data); + aexists(this); + const b32 = u32(data); + const blocks = Math.floor(data.length / BLOCK_SIZE); + const left = data.length % BLOCK_SIZE; + for (let i = 0; i < blocks; i++) { + this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + destroy() { + const { t } = this; + // clean precompute table + for (const elm of t) { + (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); + } + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + const { s0, s1, s2, s3 } = this; + const o32 = u32(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out; + } + digest() { + const res = new Uint8Array(BLOCK_SIZE); + this.digestInto(res); + this.destroy(); + return res; + } +} +class Polyval extends GHASH { + constructor(key, expectedLength) { + key = toBytes(key); + const ghKey = _toGHASHKey(key.slice()); + super(ghKey, expectedLength); + ghKey.fill(0); + } + update(data) { + data = toBytes(data); + aexists(this); + const b32 = u32(data); + const left = data.length % BLOCK_SIZE; + const blocks = Math.floor(data.length / BLOCK_SIZE); + for (let i = 0; i < blocks; i++) { + this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + // tmp ugly hack + const { s0, s1, s2, s3 } = this; + const o32 = u32(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out.reverse(); + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest(); + const tmp = hashCons(new Uint8Array(16), 0); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key, expectedLength) => hashCons(key, expectedLength); + return hashC; +} +export const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); +export const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); +//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/esm/aes.js b/esm/aes.js new file mode 100644 index 0000000..a26e498 --- /dev/null +++ b/esm/aes.js @@ -0,0 +1,628 @@ +// prettier-ignore +import { wrapCipher, createView, setBigUint64, equalBytes, u32, u8, } from './utils.js'; +import { ghash, polyval } from './_polyval.js'; +import { bytes as abytes } from './_assert.js'; +/* +AES (Advanced Encryption Standard) aka Rijndael block cipher. + +Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: +1. **S-box**, table substitution +2. **Shift rows**, cyclic shift left of all rows of data array +3. **Mix columns**, multiplying every column by fixed polynomial +4. **Add round key**, round_key xor i-th column of array + +Resources: +- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf +- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf +*/ +const BLOCK_SIZE = 16; +const BLOCK_SIZE32 = 4; +const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); +const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 +// TODO: remove multiplication, binary ops only +function mul2(n) { + return (n << 1) ^ (POLY & -(n >> 7)); +} +function mul(a, b) { + let res = 0; + for (; b > 0; b >>= 1) { + // Montgomery ladder + res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). + a = mul2(a); // a = 2*a + } + return res; +} +// AES S-box is generated using finite field inversion, +// an affine transform, and xor of a constant 0x63. +const sbox = /* @__PURE__ */ (() => { + let t = new Uint8Array(256); + for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) + t[i] = x; + const box = new Uint8Array(256); + box[0] = 0x63; // first elm + for (let i = 0; i < 255; i++) { + let x = t[255 - i]; + x |= x << 8; + box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; + } + return box; +})(); +// Inverted S-box +const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); +// Rotate u32 by 8 +const rotr32_8 = (n) => (n << 24) | (n >>> 8); +const rotl32_8 = (n) => (n << 8) | (n >>> 24); +// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: +// - LE instead of BE +// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; +// so index is u16, instead of u8. This speeds up things, unexpectedly +function genTtable(sbox, fn) { + if (sbox.length !== 256) + throw new Error('Wrong sbox length'); + const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); + const T1 = T0.map(rotl32_8); + const T2 = T1.map(rotl32_8); + const T3 = T2.map(rotl32_8); + const T01 = new Uint32Array(256 * 256); + const T23 = new Uint32Array(256 * 256); + const sbox2 = new Uint16Array(256 * 256); + for (let i = 0; i < 256; i++) { + for (let j = 0; j < 256; j++) { + const idx = i * 256 + j; + T01[idx] = T0[i] ^ T1[j]; + T23[idx] = T2[i] ^ T3[j]; + sbox2[idx] = (sbox[i] << 8) | sbox[j]; + } + } + return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; +} +const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); +const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); +const xPowers = /* @__PURE__ */ (() => { + const p = new Uint8Array(16); + for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) + p[i] = x; + return p; +})(); +export function expandKeyLE(key) { + abytes(key); + const len = key.length; + if (![16, 24, 32].includes(len)) + throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); + const { sbox2 } = tableEncoding; + const k32 = u32(key); + const Nk = k32.length; + const subByte = (n) => applySbox(sbox2, n, n, n, n); + const xk = new Uint32Array(len + 28); // expanded key + xk.set(k32); + // 4.3.1 Key expansion + for (let i = Nk; i < xk.length; i++) { + let t = xk[i - 1]; + if (i % Nk === 0) + t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; + else if (Nk > 6 && i % Nk === 4) + t = subByte(t); + xk[i] = xk[i - Nk] ^ t; + } + return xk; +} +export function expandKeyDecLE(key) { + const encKey = expandKeyLE(key); + const xk = encKey.slice(); + const Nk = encKey.length; + const { sbox2 } = tableEncoding; + const { T0, T1, T2, T3 } = tableDecoding; + // Inverse key by chunks of 4 (rounds) + for (let i = 0; i < Nk; i += 4) { + for (let j = 0; j < 4; j++) + xk[i + j] = encKey[Nk - i - 4 + j]; + } + encKey.fill(0); + // apply InvMixColumn except first & last round + for (let i = 4; i < Nk - 4; i++) { + const x = xk[i]; + const w = applySbox(sbox2, x, x, x, x); + xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; + } + return xk; +} +// Apply tables +function apply0123(T01, T23, s0, s1, s2, s3) { + return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ + T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); +} +function applySbox(sbox2, s0, s1, s2, s3) { + return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | + (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); +} +function encrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableEncoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // last round (without mixcolumns, so using SBOX2 table) + const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function decrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableDecoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // Last round + const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function getDst(len, dst) { + if (!dst) + return new Uint8Array(len); + abytes(dst); + if (dst.length < len) + throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); + return dst; +} +// TODO: investigate merging with ctr32 +function ctrCounter(xk, nonce, src, dst) { + abytes(nonce, BLOCK_SIZE); + abytes(src); + const srcLen = src.length; + dst = getDst(srcLen, dst); + const ctr = nonce; + const c32 = u32(ctr); + // Fill block (empty, ctr=0) + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + const src32 = u32(src); + const dst32 = u32(dst); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + // Full 128 bit counter with wrap around + let carry = 1; + for (let i = ctr.length - 1; i >= 0; i--) { + carry = (carry + (ctr[i] & 0xff)) | 0; + ctr[i] = carry & 0xff; + carry >>>= 8; + } + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than block) + // It's possible to handle > u32 fast, but is it worth it? + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = u8(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +// AES CTR with overflowing 32 bit counter +// It's possible to do 32le significantly simpler (and probably faster) by using u32. +// But, we need both, and perf bottleneck is in ghash anyway. +function ctr32(xk, isLE, nonce, src, dst) { + abytes(nonce, BLOCK_SIZE); + abytes(src); + dst = getDst(src.length, dst); + const ctr = nonce; // write new value to nonce, so it can be re-used + const c32 = u32(ctr); + const view = createView(ctr); + const src32 = u32(src); + const dst32 = u32(dst); + const ctrPos = isLE ? 0 : 12; + const srcLen = src.length; + // Fill block (empty, ctr=0) + let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + ctrNum = (ctrNum + 1) >>> 0; // u32 wrap + view.setUint32(ctrPos, ctrNum, isLE); + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than a block) + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = u8(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +/** + * CTR: counter mode. Creates stream cipher. + * Requires good IV. Parallelizable. OK, but no MAC. + */ +export const ctr = wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { + abytes(key); + abytes(nonce, BLOCK_SIZE); + function processCtr(buf, dst) { + const xk = expandKeyLE(key); + const n = nonce.slice(); + const out = ctrCounter(xk, n, buf, dst); + xk.fill(0); + n.fill(0); + return out; + } + return { + encrypt: (plaintext, dst) => processCtr(plaintext, dst), + decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), + }; +}); +function validateBlockDecrypt(data) { + abytes(data); + if (data.length % BLOCK_SIZE !== 0) { + throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); + } +} +function validateBlockEncrypt(plaintext, pcks5, dst) { + let outLen = plaintext.length; + const remaining = outLen % BLOCK_SIZE; + if (!pcks5 && remaining !== 0) + throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); + const b = u32(plaintext); + if (pcks5) { + let left = BLOCK_SIZE - remaining; + if (!left) + left = BLOCK_SIZE; // if no bytes left, create empty padding block + outLen = outLen + left; + } + const out = getDst(outLen, dst); + const o = u32(out); + return { b, o, out }; +} +function validatePCKS(data, pcks5) { + if (!pcks5) + return data; + const len = data.length; + if (!len) + throw new Error(`aes/pcks5: empty ciphertext not allowed`); + const lastByte = data[len - 1]; + if (lastByte <= 0 || lastByte > 16) + throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); + const out = data.subarray(0, -lastByte); + for (let i = 0; i < lastByte; i++) + if (data[len - i - 1] !== lastByte) + throw new Error(`aes/pcks5: wrong padding`); + return out; +} +function padPCKS(left) { + const tmp = new Uint8Array(16); + const tmp32 = u32(tmp); + tmp.set(left); + const paddingByte = BLOCK_SIZE - left.length; + for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) + tmp[i] = paddingByte; + return tmp32; +} +/** + * ECB: Electronic CodeBook. Simple deterministic replacement. + * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). + */ +export const ecb = wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) { + abytes(key); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + abytes(plaintext); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const xk = expandKeyLE(key); + let i = 0; + for (; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const out = getDst(ciphertext.length, dst); + const b = u32(ciphertext); + const o = u32(out); + for (let i = 0; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +/** + * CBC: Cipher-Block-Chaining. Key is previous round’s block. + * Fragile: needs proper padding. Unauthenticated: needs MAC. + */ +export const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { + abytes(key); + abytes(iv, 16); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + const xk = expandKeyLE(key); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const n32 = u32(iv); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + let i = 0; + for (; i + 4 <= b.length;) { + (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const n32 = u32(iv); + const out = getDst(ciphertext.length, dst); + const b = u32(ciphertext); + const o = u32(out); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + for (let i = 0; i + 4 <= b.length;) { + // prettier-ignore + const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; + (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); + const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); + (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen +function computeTag(fn, isLE, key, data, AAD) { + const h = fn.create(key, data.length + (AAD?.length || 0)); + if (AAD) + h.update(AAD); + h.update(data); + const num = new Uint8Array(16); + const view = createView(num); + if (AAD) + setBigUint64(view, 0, BigInt(AAD.length * 8), isLE); + setBigUint64(view, 8, BigInt(data.length * 8), isLE); + h.update(num); + return h.digest(); +} +/** + * GCM: Galois/Counter Mode. + * Good, modern version of CTR, parallel, with MAC. + * Be careful: MACs can be forged. + */ +export const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { + abytes(nonce); + // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. + if (nonce.length === 0) + throw new Error('aes/gcm: empty nonce'); + const tagLength = 16; + function _computeTag(authKey, tagMask, data) { + const tag = computeTag(ghash, false, authKey, data, AAD); + for (let i = 0; i < tagMask.length; i++) + tag[i] ^= tagMask[i]; + return tag; + } + function deriveKeys() { + const xk = expandKeyLE(key); + const authKey = EMPTY_BLOCK.slice(); + const counter = EMPTY_BLOCK.slice(); + ctr32(xk, false, counter, counter, authKey); + if (nonce.length === 12) { + counter.set(nonce); + } + else { + // Spec (NIST 800-38d) supports variable size nonce. + // Not supported for now, but can be useful. + const nonceLen = EMPTY_BLOCK.slice(); + const view = createView(nonceLen); + setBigUint64(view, 8, BigInt(nonce.length * 8), false); + // ghash(nonce || u64be(0) || u64be(nonceLen*8)) + ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); + } + const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); + return { xk, authKey, counter, tagMask }; + } + return { + encrypt: (plaintext) => { + abytes(plaintext); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const out = new Uint8Array(plaintext.length + tagLength); + ctr32(xk, false, counter, plaintext, out); + const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); + out.set(tag, plaintext.length); + xk.fill(0); + return out; + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = _computeTag(authKey, tagMask, data); + if (!equalBytes(tag, passedTag)) + throw new Error('aes/gcm: invalid ghash tag'); + const out = ctr32(xk, false, counter, data); + authKey.fill(0); + tagMask.fill(0); + xk.fill(0); + return out; + }, + }; +}); +const limit = (name, min, max) => (value) => { + if (!Number.isSafeInteger(value) || min > value || value > max) + throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); +}; +/** + * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. + * Guarantees that, when a nonce is repeated, the only security loss is that identical + * plaintexts will produce identical ciphertexts. + * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 + */ +export const siv = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { + const tagLength = 16; + // From RFC 8452: Section 6 + const AAD_LIMIT = limit('AAD', 0, 2 ** 36); + const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); + const NONCE_LIMIT = limit('nonce', 12, 12); + const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); + abytes(nonce); + NONCE_LIMIT(nonce.length); + if (AAD) { + abytes(AAD); + AAD_LIMIT(AAD.length); + } + function deriveKeys() { + const len = key.length; + if (len !== 16 && len !== 24 && len !== 32) + throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); + const xk = expandKeyLE(key); + const encKey = new Uint8Array(len); + const authKey = new Uint8Array(16); + const n32 = u32(nonce); + // prettier-ignore + let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; + let counter = 0; + for (const derivedKey of [authKey, encKey].map(u32)) { + const d32 = u32(derivedKey); + for (let i = 0; i < d32.length; i += 2) { + // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... + const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); + d32[i + 0] = o0; + d32[i + 1] = o1; + s0 = ++counter; // increment counter inside state + } + } + xk.fill(0); + return { authKey, encKey: expandKeyLE(encKey) }; + } + function _computeTag(encKey, authKey, data) { + const tag = computeTag(polyval, true, authKey, data, AAD); + // Compute the expected tag by XORing S_s and the nonce, clearing the + // most significant bit of the last byte and encrypting with the + // message-encryption key. + for (let i = 0; i < 12; i++) + tag[i] ^= nonce[i]; + tag[15] &= 0x7f; // Clear the highest bit + // encrypt tag as block + const t32 = u32(tag); + // prettier-ignore + let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; + ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); + (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); + return tag; + } + // actual decrypt/encrypt of message. + function processSiv(encKey, tag, input) { + let block = tag.slice(); + block[15] |= 0x80; // Force highest bit + return ctr32(encKey, true, block, input); + } + return { + encrypt: (plaintext) => { + abytes(plaintext); + PLAIN_LIMIT(plaintext.length); + const { encKey, authKey } = deriveKeys(); + const tag = _computeTag(encKey, authKey, plaintext); + const out = new Uint8Array(plaintext.length + tagLength); + out.set(tag, plaintext.length); + out.set(processSiv(encKey, tag, plaintext)); + encKey.fill(0); + authKey.fill(0); + return out; + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + CIPHER_LIMIT(ciphertext.length); + const tag = ciphertext.subarray(-tagLength); + const { encKey, authKey } = deriveKeys(); + const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); + const expectedTag = _computeTag(encKey, authKey, plaintext); + encKey.fill(0); + authKey.fill(0); + if (!equalBytes(tag, expectedTag)) + throw new Error('invalid polyval tag'); + return plaintext; + }, + }; +}); +function isBytes32(a) { + return (a != null && + typeof a === 'object' && + (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); +} +function encryptBlock(xk, block) { + abytes(block, 16); + if (!isBytes32(xk)) + throw new Error('_encryptBlock accepts result of expandKeyLE'); + const b32 = u32(block); + let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +function decryptBlock(xk, block) { + abytes(block, 16); + if (!isBytes32(xk)) + throw new Error('_decryptBlock accepts result of expandKeyLE'); + const b32 = u32(block); + let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +// Highly unsafe private functions for implementing new modes or ciphers based on AES +// Can change at any time, no API guarantees +export const unsafe = { + expandKeyLE, + expandKeyDecLE, + encrypt, + decrypt, + encryptBlock, + decryptBlock, + ctrCounter, + ctr32, +}; +//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/esm/chacha.js b/esm/chacha.js new file mode 100644 index 0000000..e23fcce --- /dev/null +++ b/esm/chacha.js @@ -0,0 +1,318 @@ +// prettier-ignore +import { wrapCipher, createView, equalBytes, setBigUint64, } from './utils.js'; +import { poly1305 } from './_poly1305.js'; +import { createCipher, rotl } from './_arx.js'; +import { bytes as abytes } from './_assert.js'; +// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase +// the diffusion per round, but had slightly less cryptanalysis. +// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf +/** + * ChaCha core function. + */ +// prettier-ignore +function chachaCore(s, k, n, out, cnt, rounds = 20) { + let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" + y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key + y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key + y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 7); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hchacha helper method, used primarily in xchacha, to hash + * key and nonce into key' and nonce'. + * Same as chachaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +export function hchacha(s, k, i, o32) { + let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; + for (let r = 0; r < 20; r += 2) { + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 7); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x01; + o32[oi++] = x02; + o32[oi++] = x03; + o32[oi++] = x12; + o32[oi++] = x13; + o32[oi++] = x14; + o32[oi++] = x15; +} +/** + * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. + */ +export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + allowShortKeys: true, +}); +/** + * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + allowShortKeys: false, +}); +/** + * XChaCha eXtended-nonce ChaCha. 24-byte nonce. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, + allowShortKeys: false, +}); +/** + * Reduced 8-round chacha, described in original paper. + */ +export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * Reduced 12-round chacha, described in original paper. + */ +export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +// Pad to digest size with zeros +const updatePadded = (h, msg) => { + h.update(msg); + const left = msg.length % 16; + if (left) + h.update(ZEROS16.subarray(left)); +}; +const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); +function computeTag(fn, key, nonce, data, AAD) { + const authKey = fn(key, nonce, ZEROS32); + const h = poly1305.create(authKey); + if (AAD) + updatePadded(h, AAD); + updatePadded(h, data); + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(data.length), true); + h.update(num); + const res = h.digest(); + authKey.fill(0); + return res; +} +/** + * AEAD algorithm from RFC 8439. + * Salsa20 and chacha (RFC 8439) use poly1305 differently. + * We could have composed them similar to: + * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 + * But it's hard because of authKey: + * In salsa20, authKey changes position in salsa stream. + * In chacha, authKey can't be computed inside computeTag, it modifies the counter. + */ +export const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { + const tagLength = 16; + abytes(key, 32); + abytes(nonce); + return { + encrypt: (plaintext, output) => { + const plength = plaintext.length; + const clength = plength + tagLength; + if (output) { + abytes(output, clength); + } + else { + output = new Uint8Array(clength); + } + xorStream(key, nonce, plaintext, output, 1); + const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); + output.set(tag, plength); // append tag + return output; + }, + decrypt: (ciphertext, output) => { + const clength = ciphertext.length; + const plength = clength - tagLength; + if (clength < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + if (output) { + abytes(output, plength); + } + else { + output = new Uint8Array(plength); + } + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = computeTag(xorStream, key, nonce, data, AAD); + if (!equalBytes(passedTag, tag)) + throw new Error('invalid tag'); + xorStream(key, nonce, data, output, 1); + return output; + }, + }; +}; +/** + * ChaCha20-Poly1305 from RFC 8439. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); +/** + * XChaCha20-Poly1305 extended-nonce chacha. + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); +//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/esm/crypto.js b/esm/crypto.js new file mode 100644 index 0000000..63bf63e --- /dev/null +++ b/esm/crypto.js @@ -0,0 +1,12 @@ +const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; +export function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +export function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/esm/cryptoNode.js b/esm/cryptoNode.js new file mode 100644 index 0000000..956ce1b --- /dev/null +++ b/esm/cryptoNode.js @@ -0,0 +1,17 @@ +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// See utils.ts for details. +// The file will throw on node.js 14 and earlier. +// @ts-ignore +import * as nc from 'node:crypto'; +const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; +export function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +export function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/ff1.js b/esm/ff1.js new file mode 100644 index 0000000..33907e1 --- /dev/null +++ b/esm/ff1.js @@ -0,0 +1,149 @@ +import { bytesToNumberBE, numberToBytesBE } from './utils.js'; +import { unsafe } from './aes.js'; +// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow +const { expandKeyLE, encryptBlock } = unsafe; +// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. +// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf +const BLOCK_LEN = 16; +function mod(a, b) { + const result = a % b; + return result >= 0 ? result : b + result; +} +function NUMradix(radix, data) { + let res = BigInt(0); + for (let i of data) + res = res * BigInt(radix) + BigInt(i); + return res; +} +function getRound(radix, key, tweak, x) { + if (radix > 2 ** 16 - 1) + throw new Error(`Invalid radix: ${radix}`); + // radix**minlen ≥ 100 + const minLen = Math.ceil(Math.log(100) / Math.log(radix)); + const maxLen = 2 ** 32 - 1; + // 2 ≤ minlen ≤ maxlen < 2**32 + if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) + throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); + if (x.length < minLen || x.length > maxLen) + throw new Error('X is outside minLen..maxLen bounds'); + const u = Math.floor(x.length / 2); + const v = x.length - u; + const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); + const d = 4 * Math.ceil(b / 4) + 4; + const padding = mod(-tweak.length - b - 1, 16); + // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. + const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); + const view = new DataView(P.buffer); + view.setUint16(4, radix, false); + view.setUint32(8, x.length, false); + view.setUint32(12, tweak.length, false); + // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. + const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); + PQ.set(P); + P.fill(0); + PQ.set(tweak, P.length); + const xk = expandKeyLE(key); + const round = (A, B, i, decrypt = false) => { + // Q = ... || [i]1 || [NUMradix(B)]b. + PQ[PQ.length - b - 1] = i; + if (b) + PQ.set(numberToBytesBE(NUMradix(radix, B), b), PQ.length - b); + // PRF + let r = new Uint8Array(16); + for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { + for (let i = 0; i < BLOCK_LEN; i++) + r[i] ^= PQ[j * BLOCK_LEN + i]; + encryptBlock(xk, r); + } + // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: + // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). + let s = Array.from(r); + for (let j = 1; s.length < d; j++) { + const block = numberToBytesBE(BigInt(j), 16); + for (let k = 0; k < BLOCK_LEN; k++) + block[k] ^= r[k]; + s.push(...Array.from(encryptBlock(xk, block))); + } + let y = bytesToNumberBE(Uint8Array.from(s.slice(0, d))); + s.fill(0); + if (decrypt) + y = -y; + const m = i % 2 === 0 ? u : v; + let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); + // STR(radix, m, c) + const C = Array(m).fill(0); + for (let i = 0; i < m; i++, c /= BigInt(radix)) + C[m - 1 - i] = Number(c % BigInt(radix)); + A.fill(0); + A = B; + B = C; + return [A, B]; + }; + const destroy = () => { + xk.fill(0); + PQ.fill(0); + }; + return { u, round, destroy }; +} +const EMPTY_BUF = new Uint8Array([]); +export function FF1(radix, key, tweak = EMPTY_BUF) { + const PQ = getRound.bind(null, radix, key, tweak); + return { + encrypt(x) { + const { u, round, destroy } = PQ(x); + let [A, B] = [x.slice(0, u), x.slice(u)]; + for (let i = 0; i < 10; i++) + [A, B] = round(A, B, i); + destroy(); + const res = A.concat(B); + A.fill(0); + B.fill(0); + return res; + }, + decrypt(x) { + const { u, round, destroy } = PQ(x); + // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; + // the differences are in Step 6, where: + // 1) the order of the indices is reversed, + // 2) the roles of A and B are swapped + // 3) modular addition is replaced by modular subtraction, in Step 6vi. + let [B, A] = [x.slice(0, u), x.slice(u)]; + for (let i = 9; i >= 0; i--) + [A, B] = round(A, B, i, true); + destroy(); + const res = B.concat(A); + A.fill(0); + B.fill(0); + return res; + }, + }; +} +// Binary string which encodes each byte in little-endian byte order +const binLE = { + encode(bytes) { + const x = []; + for (let i = 0; i < bytes.length; i++) { + for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) + x.push(tmp & 1); + } + return x; + }, + decode(b) { + if (b.length % 8) + throw new Error('Invalid binary string'); + const res = new Uint8Array(b.length / 8); + for (let i = 0, j = 0; i < res.length; i++) { + res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); + res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); + } + return res; + }, +}; +export function BinaryFF1(key, tweak = EMPTY_BUF) { + const ff1 = FF1(2, key, tweak); + return { + encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), + decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), + }; +} +//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/esm/index.js b/esm/index.js new file mode 100644 index 0000000..5a9cbf1 --- /dev/null +++ b/esm/index.js @@ -0,0 +1,3 @@ +"use strict"; +throw new Error('noble-ciphers have no entry-point: consult README for usage'); +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/salsa.js b/esm/salsa.js new file mode 100644 index 0000000..a956d46 --- /dev/null +++ b/esm/salsa.js @@ -0,0 +1,205 @@ +import { bytes as abytes } from './_assert.js'; +import { createCipher, rotl } from './_arx.js'; +import { poly1305 } from './_poly1305.js'; +import { wrapCipher, equalBytes } from './utils.js'; +// Salsa20 stream cipher was released in 2005. +// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, +// which are hard to implement in a constant-time manner. +// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf +/** + * Salsa20 core function. + */ +// prettier-ignore +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // Based on https://cr.yp.to/salsa20.html + let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key + y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce + y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key + y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x04 ^= rotl(x00 + x12 | 0, 7); + x08 ^= rotl(x04 + x00 | 0, 9); + x12 ^= rotl(x08 + x04 | 0, 13); + x00 ^= rotl(x12 + x08 | 0, 18); + x09 ^= rotl(x05 + x01 | 0, 7); + x13 ^= rotl(x09 + x05 | 0, 9); + x01 ^= rotl(x13 + x09 | 0, 13); + x05 ^= rotl(x01 + x13 | 0, 18); + x14 ^= rotl(x10 + x06 | 0, 7); + x02 ^= rotl(x14 + x10 | 0, 9); + x06 ^= rotl(x02 + x14 | 0, 13); + x10 ^= rotl(x06 + x02 | 0, 18); + x03 ^= rotl(x15 + x11 | 0, 7); + x07 ^= rotl(x03 + x15 | 0, 9); + x11 ^= rotl(x07 + x03 | 0, 13); + x15 ^= rotl(x11 + x07 | 0, 18); + x01 ^= rotl(x00 + x03 | 0, 7); + x02 ^= rotl(x01 + x00 | 0, 9); + x03 ^= rotl(x02 + x01 | 0, 13); + x00 ^= rotl(x03 + x02 | 0, 18); + x06 ^= rotl(x05 + x04 | 0, 7); + x07 ^= rotl(x06 + x05 | 0, 9); + x04 ^= rotl(x07 + x06 | 0, 13); + x05 ^= rotl(x04 + x07 | 0, 18); + x11 ^= rotl(x10 + x09 | 0, 7); + x08 ^= rotl(x11 + x10 | 0, 9); + x09 ^= rotl(x08 + x11 | 0, 13); + x10 ^= rotl(x09 + x08 | 0, 18); + x12 ^= rotl(x15 + x14 | 0, 7); + x13 ^= rotl(x12 + x15 | 0, 9); + x14 ^= rotl(x13 + x12 | 0, 13); + x15 ^= rotl(x14 + x13 | 0, 18); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hsalsa hashing function, used primarily in xsalsa, to hash + * key and nonce into key' and nonce'. + * Same as salsaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +export function hsalsa(s, k, i, o32) { + let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; + for (let r = 0; r < 20; r += 2) { + x04 ^= rotl(x00 + x12 | 0, 7); + x08 ^= rotl(x04 + x00 | 0, 9); + x12 ^= rotl(x08 + x04 | 0, 13); + x00 ^= rotl(x12 + x08 | 0, 18); + x09 ^= rotl(x05 + x01 | 0, 7); + x13 ^= rotl(x09 + x05 | 0, 9); + x01 ^= rotl(x13 + x09 | 0, 13); + x05 ^= rotl(x01 + x13 | 0, 18); + x14 ^= rotl(x10 + x06 | 0, 7); + x02 ^= rotl(x14 + x10 | 0, 9); + x06 ^= rotl(x02 + x14 | 0, 13); + x10 ^= rotl(x06 + x02 | 0, 18); + x03 ^= rotl(x15 + x11 | 0, 7); + x07 ^= rotl(x03 + x15 | 0, 9); + x11 ^= rotl(x07 + x03 | 0, 13); + x15 ^= rotl(x11 + x07 | 0, 18); + x01 ^= rotl(x00 + x03 | 0, 7); + x02 ^= rotl(x01 + x00 | 0, 9); + x03 ^= rotl(x02 + x01 | 0, 13); + x00 ^= rotl(x03 + x02 | 0, 18); + x06 ^= rotl(x05 + x04 | 0, 7); + x07 ^= rotl(x06 + x05 | 0, 9); + x04 ^= rotl(x07 + x06 | 0, 13); + x05 ^= rotl(x04 + x07 | 0, 18); + x11 ^= rotl(x10 + x09 | 0, 7); + x08 ^= rotl(x11 + x10 | 0, 9); + x09 ^= rotl(x08 + x11 | 0, 13); + x10 ^= rotl(x09 + x08 | 0, 18); + x12 ^= rotl(x15 + x14 | 0, 7); + x13 ^= rotl(x12 + x15 | 0, 9); + x14 ^= rotl(x13 + x12 | 0, 13); + x15 ^= rotl(x14 + x13 | 0, 18); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x05; + o32[oi++] = x10; + o32[oi++] = x15; + o32[oi++] = x06; + o32[oi++] = x07; + o32[oi++] = x08; + o32[oi++] = x09; +} +/** + * Salsa20 from original paper. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * xsalsa20-poly1305 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * Also known as secretbox from libsodium / nacl. + */ +export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { + const tagLength = 16; + abytes(key, 32); + abytes(nonce, 24); + return { + encrypt: (plaintext, output) => { + abytes(plaintext); + // This is small optimization (calculate auth key with same call as encryption itself) makes it hard + // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) + const clength = plaintext.length + 32; + if (output) { + abytes(output, clength); + } + else { + output = new Uint8Array(clength); + } + output.set(plaintext, 32); + xsalsa20(key, nonce, output, output); + const authKey = output.subarray(0, 32); + const tag = poly1305(output.subarray(32), authKey); + // Clean auth key, even though JS provides no guarantees about memory cleaning + output.set(tag, tagLength); + output.subarray(0, tagLength).fill(0); + return output.subarray(tagLength); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + const clength = ciphertext.length; + if (clength < tagLength) + throw new Error('encrypted data should be at least 16 bytes'); + // Create new ciphertext array: + // auth tag auth tag from ciphertext ciphertext + // [bytes 0..16] [bytes 16..32] [bytes 32..] + // 16 instead of 32, because we already have 16 byte tag + const ciphertext_ = new Uint8Array(clength + tagLength); // alloc + ciphertext_.set(ciphertext, tagLength); + // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference + // Separate call to calculate authkey, since first bytes contains tag + const authKey = xsalsa20(key, nonce, new Uint8Array(32)); // alloc(32) + const tag = poly1305(ciphertext_.subarray(32), authKey); + if (!equalBytes(ciphertext_.subarray(16, 32), tag)) + throw new Error('invalid tag'); + const plaintext = xsalsa20(key, nonce, ciphertext_); // alloc + // Clean auth key, even though JS provides no guarantees about memory cleaning + plaintext.subarray(0, 32).fill(0); + authKey.fill(0); + return plaintext.subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl + */ +export function secretbox(key, nonce) { + const xs = xsalsa20poly1305(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/esm/utils.js b/esm/utils.js new file mode 100644 index 0000000..90ceb2e --- /dev/null +++ b/esm/utils.js @@ -0,0 +1,182 @@ +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +import { bytes as abytes, isBytes } from './_assert.js'; +// Cast array to different type +export const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); +export const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); +export const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); +// Cast array to view +export const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); +// big-endian hardware is rare. Just in case someone still decides to run ciphers: +// early-throw an error because we don't support BE yet. +export const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; +if (!isLE) + throw new Error('Non little-endian hardware is not supported'); +// Array where index 0xf0 (240) is mapped to string 'f0' +const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); +/** + * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' + */ +export function bytesToHex(bytes) { + abytes(bytes); + // pre-caching improves the speed 6x + let hex = ''; + for (let i = 0; i < bytes.length; i++) { + hex += hexes[bytes[i]]; + } + return hex; +} +// We use optimized technique to convert hex string to byte array +const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; +function asciiToBase16(char) { + if (char >= asciis._0 && char <= asciis._9) + return char - asciis._0; + if (char >= asciis._A && char <= asciis._F) + return char - (asciis._A - 10); + if (char >= asciis._a && char <= asciis._f) + return char - (asciis._a - 10); + return; +} +/** + * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) + */ +export function hexToBytes(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + const hl = hex.length; + const al = hl / 2; + if (hl % 2) + throw new Error('padded hex string expected, got unpadded hex of length ' + hl); + const array = new Uint8Array(al); + for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { + const n1 = asciiToBase16(hex.charCodeAt(hi)); + const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); + if (n1 === undefined || n2 === undefined) { + const char = hex[hi] + hex[hi + 1]; + throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); + } + array[ai] = n1 * 16 + n2; + } + return array; +} +export function hexToNumber(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + // Big Endian + return BigInt(hex === '' ? '0' : `0x${hex}`); +} +// BE: Big Endian, LE: Little Endian +export function bytesToNumberBE(bytes) { + return hexToNumber(bytesToHex(bytes)); +} +export function numberToBytesBE(n, len) { + return hexToBytes(n.toString(16).padStart(len * 2, '0')); +} +// There is no setImmediate in browser and setTimeout is slow. +// call of async fn will return Promise, which will be fullfiled only on +// next scheduler queue processing step and this is exactly what we need. +export const nextTick = async () => { }; +// Returns control to thread each 'tick' ms to avoid blocking +export async function asyncLoop(iters, tick, cb) { + let ts = Date.now(); + for (let i = 0; i < iters; i++) { + cb(i); + // Date.now() is not monotonic, so in case if clock goes backwards we return return control too + const diff = Date.now() - ts; + if (diff >= 0 && diff < tick) + continue; + await nextTick(); + ts += diff; + } +} +/** + * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) + */ +export function utf8ToBytes(str) { + if (typeof str !== 'string') + throw new Error(`string expected, got ${typeof str}`); + return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 +} +/** + * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' + */ +export function bytesToUtf8(bytes) { + return new TextDecoder().decode(bytes); +} +/** + * Normalizes (non-hex) string or Uint8Array to Uint8Array. + * Warning: when Uint8Array is passed, it would NOT get copied. + * Keep in mind for future mutable operations. + */ +export function toBytes(data) { + if (typeof data === 'string') + data = utf8ToBytes(data); + else if (isBytes(data)) + data = data.slice(); + else + throw new Error(`Uint8Array expected, got ${typeof data}`); + return data; +} +/** + * Copies several Uint8Arrays into one. + */ +export function concatBytes(...arrays) { + let sum = 0; + for (let i = 0; i < arrays.length; i++) { + const a = arrays[i]; + abytes(a); + sum += a.length; + } + const res = new Uint8Array(sum); + for (let i = 0, pad = 0; i < arrays.length; i++) { + const a = arrays[i]; + res.set(a, pad); + pad += a.length; + } + return res; +} +export function checkOpts(defaults, opts) { + if (opts == null || typeof opts !== 'object') + throw new Error('options must be defined'); + const merged = Object.assign(defaults, opts); + return merged; +} +// Compares 2 u8a-s in kinda constant time +export function equalBytes(a, b) { + if (a.length !== b.length) + return false; + let diff = 0; + for (let i = 0; i < a.length; i++) + diff |= a[i] ^ b[i]; + return diff === 0; +} +// For runtime check if class implements interface +export class Hash { +} +/** + * @__NO_SIDE_EFFECTS__ + */ +export const wrapCipher = (params, c) => { + Object.assign(c, params); + return c; +}; +// Polyfill for Safari 14 +export function setBigUint64(view, byteOffset, value, isLE) { + if (typeof view.setBigUint64 === 'function') + return view.setBigUint64(byteOffset, value, isLE); + const _32n = BigInt(32); + const _u32_max = BigInt(0xffffffff); + const wh = Number((value >> _32n) & _u32_max); + const wl = Number(value & _u32_max); + const h = isLE ? 4 : 0; + const l = isLE ? 0 : 4; + view.setUint32(byteOffset + h, wh, isLE); + view.setUint32(byteOffset + l, wl, isLE); +} +export function u64Lengths(ciphertext, AAD) { + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + return num; +} +//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js new file mode 100644 index 0000000..b067413 --- /dev/null +++ b/esm/webcrypto.js @@ -0,0 +1,96 @@ +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// node.js versions earlier than v19 don't declare it in global scope. +// For node.js, package.js on#exports field mapping rewrites import +// from `crypto` to `cryptoNode`, which imports native module. +// Makes the utils un-importable in browsers without a bundler. +// Once node.js 18 is deprecated, we can just drop the import. +import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; +import { concatBytes } from './utils.js'; +import { number } from './_assert.js'; +import { bytes as abytes } from './_assert.js'; +/** + * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS. + */ +export { randomBytes, getWebcryptoSubtle }; +// Uses CSPRG for nonce, nonce injected in ciphertext +export function managedNonce(fn) { + number(fn.nonceLength); + return ((key, ...args) => ({ + encrypt: (plaintext, ...argsEnc) => { + const { nonceLength } = fn; + const nonce = randomBytes(nonceLength); + const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); + const out = concatBytes(nonce, ciphertext); + ciphertext.fill(0); + return out; + }, + decrypt: (ciphertext, ...argsDec) => { + const { nonceLength } = fn; + const nonce = ciphertext.subarray(0, nonceLength); + const data = ciphertext.subarray(nonceLength); + return fn(key, nonce, ...args).decrypt(data, ...argsDec); + }, + })); +} +// Overridable +export const utils = { + async encrypt(key, keyParams, cryptParams, plaintext) { + const cr = getWebcryptoSubtle(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); + const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); + return new Uint8Array(ciphertext); + }, + async decrypt(key, keyParams, cryptParams, ciphertext) { + const cr = getWebcryptoSubtle(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); + const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); + return new Uint8Array(plaintext); + }, +}; +function getCryptParams(algo, nonce, AAD) { + if (algo === "AES-CBC" /* BlockMode.CBC */) + return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; + if (algo === "AES-CTR" /* BlockMode.CTR */) + return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; + if (algo === "AES-GCM" /* BlockMode.GCM */) + return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; + throw new Error('unknown aes block mode'); +} +function generate(algo) { + return (key, nonce, AAD) => { + abytes(key); + abytes(nonce); + // const keyLength = key.length; + const keyParams = { name: algo, length: key.length * 8 }; + const cryptParams = getCryptParams(algo, nonce, AAD); + return { + // keyLength, + encrypt(plaintext) { + abytes(plaintext); + return utils.encrypt(key, keyParams, cryptParams, plaintext); + }, + decrypt(ciphertext) { + abytes(ciphertext); + return utils.decrypt(key, keyParams, cryptParams, ciphertext); + }, + }; + }; +} +export const cbc = generate("AES-CBC" /* BlockMode.CBC */); +export const ctr = generate("AES-CTR" /* BlockMode.CTR */); +export const gcm = generate("AES-GCM" /* BlockMode.GCM */); +// // Type tests +// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; +// import { xsalsa20poly1305 } from '../salsa.js'; +// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; +// const wsiv = managedNonce(siv); +// const wgcm = managedNonce(gcm); +// const wctr = managedNonce(ctr); +// const wcbc = managedNonce(cbc); +// const wsalsapoly = managedNonce(xsalsa20poly1305); +// const wchacha = managedNonce(chacha20poly1305); +// const wxchacha = managedNonce(xchacha20poly1305); +// // should fail +// const wcbc2 = managedNonce(managedNonce(cbc)); +// const wecb = managedNonce(ecb); +//# sourceMappingURL=webcrypto.js.map \ No newline at end of file diff --git a/ff1.js b/ff1.js new file mode 100644 index 0000000..38018e7 --- /dev/null +++ b/ff1.js @@ -0,0 +1,154 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.BinaryFF1 = exports.FF1 = void 0; +const utils_js_1 = require("./utils.js"); +const aes_js_1 = require("./aes.js"); +// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow +const { expandKeyLE, encryptBlock } = aes_js_1.unsafe; +// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. +// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf +const BLOCK_LEN = 16; +function mod(a, b) { + const result = a % b; + return result >= 0 ? result : b + result; +} +function NUMradix(radix, data) { + let res = BigInt(0); + for (let i of data) + res = res * BigInt(radix) + BigInt(i); + return res; +} +function getRound(radix, key, tweak, x) { + if (radix > 2 ** 16 - 1) + throw new Error(`Invalid radix: ${radix}`); + // radix**minlen ≥ 100 + const minLen = Math.ceil(Math.log(100) / Math.log(radix)); + const maxLen = 2 ** 32 - 1; + // 2 ≤ minlen ≤ maxlen < 2**32 + if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) + throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); + if (x.length < minLen || x.length > maxLen) + throw new Error('X is outside minLen..maxLen bounds'); + const u = Math.floor(x.length / 2); + const v = x.length - u; + const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); + const d = 4 * Math.ceil(b / 4) + 4; + const padding = mod(-tweak.length - b - 1, 16); + // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. + const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); + const view = new DataView(P.buffer); + view.setUint16(4, radix, false); + view.setUint32(8, x.length, false); + view.setUint32(12, tweak.length, false); + // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. + const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); + PQ.set(P); + P.fill(0); + PQ.set(tweak, P.length); + const xk = expandKeyLE(key); + const round = (A, B, i, decrypt = false) => { + // Q = ... || [i]1 || [NUMradix(B)]b. + PQ[PQ.length - b - 1] = i; + if (b) + PQ.set((0, utils_js_1.numberToBytesBE)(NUMradix(radix, B), b), PQ.length - b); + // PRF + let r = new Uint8Array(16); + for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { + for (let i = 0; i < BLOCK_LEN; i++) + r[i] ^= PQ[j * BLOCK_LEN + i]; + encryptBlock(xk, r); + } + // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: + // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). + let s = Array.from(r); + for (let j = 1; s.length < d; j++) { + const block = (0, utils_js_1.numberToBytesBE)(BigInt(j), 16); + for (let k = 0; k < BLOCK_LEN; k++) + block[k] ^= r[k]; + s.push(...Array.from(encryptBlock(xk, block))); + } + let y = (0, utils_js_1.bytesToNumberBE)(Uint8Array.from(s.slice(0, d))); + s.fill(0); + if (decrypt) + y = -y; + const m = i % 2 === 0 ? u : v; + let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); + // STR(radix, m, c) + const C = Array(m).fill(0); + for (let i = 0; i < m; i++, c /= BigInt(radix)) + C[m - 1 - i] = Number(c % BigInt(radix)); + A.fill(0); + A = B; + B = C; + return [A, B]; + }; + const destroy = () => { + xk.fill(0); + PQ.fill(0); + }; + return { u, round, destroy }; +} +const EMPTY_BUF = new Uint8Array([]); +function FF1(radix, key, tweak = EMPTY_BUF) { + const PQ = getRound.bind(null, radix, key, tweak); + return { + encrypt(x) { + const { u, round, destroy } = PQ(x); + let [A, B] = [x.slice(0, u), x.slice(u)]; + for (let i = 0; i < 10; i++) + [A, B] = round(A, B, i); + destroy(); + const res = A.concat(B); + A.fill(0); + B.fill(0); + return res; + }, + decrypt(x) { + const { u, round, destroy } = PQ(x); + // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; + // the differences are in Step 6, where: + // 1) the order of the indices is reversed, + // 2) the roles of A and B are swapped + // 3) modular addition is replaced by modular subtraction, in Step 6vi. + let [B, A] = [x.slice(0, u), x.slice(u)]; + for (let i = 9; i >= 0; i--) + [A, B] = round(A, B, i, true); + destroy(); + const res = B.concat(A); + A.fill(0); + B.fill(0); + return res; + }, + }; +} +exports.FF1 = FF1; +// Binary string which encodes each byte in little-endian byte order +const binLE = { + encode(bytes) { + const x = []; + for (let i = 0; i < bytes.length; i++) { + for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) + x.push(tmp & 1); + } + return x; + }, + decode(b) { + if (b.length % 8) + throw new Error('Invalid binary string'); + const res = new Uint8Array(b.length / 8); + for (let i = 0, j = 0; i < res.length; i++) { + res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); + res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); + } + return res; + }, +}; +function BinaryFF1(key, tweak = EMPTY_BUF) { + const ff1 = FF1(2, key, tweak); + return { + encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), + decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), + }; +} +exports.BinaryFF1 = BinaryFF1; +//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/index.js b/index.js new file mode 100644 index 0000000..5a9cbf1 --- /dev/null +++ b/index.js @@ -0,0 +1,3 @@ +"use strict"; +throw new Error('noble-ciphers have no entry-point: consult README for usage'); +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/salsa.js b/salsa.js new file mode 100644 index 0000000..7e151ce --- /dev/null +++ b/salsa.js @@ -0,0 +1,210 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.secretbox = exports.xsalsa20poly1305 = exports.xsalsa20 = exports.salsa20 = exports.hsalsa = void 0; +const _assert_js_1 = require("./_assert.js"); +const _arx_js_1 = require("./_arx.js"); +const _poly1305_js_1 = require("./_poly1305.js"); +const utils_js_1 = require("./utils.js"); +// Salsa20 stream cipher was released in 2005. +// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, +// which are hard to implement in a constant-time manner. +// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf +/** + * Salsa20 core function. + */ +// prettier-ignore +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // Based on https://cr.yp.to/salsa20.html + let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key + y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce + y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key + y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); + x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); + x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); + x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); + x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); + x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); + x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); + x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); + x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); + x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); + x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); + x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); + x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); + x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); + x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); + x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hsalsa hashing function, used primarily in xsalsa, to hash + * key and nonce into key' and nonce'. + * Same as salsaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +function hsalsa(s, k, i, o32) { + let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; + for (let r = 0; r < 20; r += 2) { + x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); + x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); + x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); + x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); + x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); + x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); + x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); + x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); + x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); + x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); + x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); + x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); + x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); + x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); + x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); + x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x05; + o32[oi++] = x10; + o32[oi++] = x15; + o32[oi++] = x06; + o32[oi++] = x07; + o32[oi++] = x08; + o32[oi++] = x09; +} +exports.hsalsa = hsalsa; +/** + * Salsa20 from original paper. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * xsalsa20-poly1305 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * Also known as secretbox from libsodium / nacl. + */ +exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { + const tagLength = 16; + (0, _assert_js_1.bytes)(key, 32); + (0, _assert_js_1.bytes)(nonce, 24); + return { + encrypt: (plaintext, output) => { + (0, _assert_js_1.bytes)(plaintext); + // This is small optimization (calculate auth key with same call as encryption itself) makes it hard + // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) + const clength = plaintext.length + 32; + if (output) { + (0, _assert_js_1.bytes)(output, clength); + } + else { + output = new Uint8Array(clength); + } + output.set(plaintext, 32); + (0, exports.xsalsa20)(key, nonce, output, output); + const authKey = output.subarray(0, 32); + const tag = (0, _poly1305_js_1.poly1305)(output.subarray(32), authKey); + // Clean auth key, even though JS provides no guarantees about memory cleaning + output.set(tag, tagLength); + output.subarray(0, tagLength).fill(0); + return output.subarray(tagLength); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + const clength = ciphertext.length; + if (clength < tagLength) + throw new Error('encrypted data should be at least 16 bytes'); + // Create new ciphertext array: + // auth tag auth tag from ciphertext ciphertext + // [bytes 0..16] [bytes 16..32] [bytes 32..] + // 16 instead of 32, because we already have 16 byte tag + const ciphertext_ = new Uint8Array(clength + tagLength); // alloc + ciphertext_.set(ciphertext, tagLength); + // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference + // Separate call to calculate authkey, since first bytes contains tag + const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); // alloc(32) + const tag = (0, _poly1305_js_1.poly1305)(ciphertext_.subarray(32), authKey); + if (!(0, utils_js_1.equalBytes)(ciphertext_.subarray(16, 32), tag)) + throw new Error('invalid tag'); + const plaintext = (0, exports.xsalsa20)(key, nonce, ciphertext_); // alloc + // Clean auth key, even though JS provides no guarantees about memory cleaning + plaintext.subarray(0, 32).fill(0); + authKey.fill(0); + return plaintext.subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl + */ +function secretbox(key, nonce) { + const xs = (0, exports.xsalsa20poly1305)(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +exports.secretbox = secretbox; +//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/utils.js b/utils.js new file mode 100644 index 0000000..00cb4c2 --- /dev/null +++ b/utils.js @@ -0,0 +1,206 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.u64Lengths = exports.setBigUint64 = exports.wrapCipher = exports.Hash = exports.equalBytes = exports.checkOpts = exports.concatBytes = exports.toBytes = exports.bytesToUtf8 = exports.utf8ToBytes = exports.asyncLoop = exports.nextTick = exports.numberToBytesBE = exports.bytesToNumberBE = exports.hexToNumber = exports.hexToBytes = exports.bytesToHex = exports.isLE = exports.createView = exports.u32 = exports.u16 = exports.u8 = void 0; +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +const _assert_js_1 = require("./_assert.js"); +// Cast array to different type +const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); +exports.u8 = u8; +const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); +exports.u16 = u16; +const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); +exports.u32 = u32; +// Cast array to view +const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); +exports.createView = createView; +// big-endian hardware is rare. Just in case someone still decides to run ciphers: +// early-throw an error because we don't support BE yet. +exports.isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; +if (!exports.isLE) + throw new Error('Non little-endian hardware is not supported'); +// Array where index 0xf0 (240) is mapped to string 'f0' +const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); +/** + * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' + */ +function bytesToHex(bytes) { + (0, _assert_js_1.bytes)(bytes); + // pre-caching improves the speed 6x + let hex = ''; + for (let i = 0; i < bytes.length; i++) { + hex += hexes[bytes[i]]; + } + return hex; +} +exports.bytesToHex = bytesToHex; +// We use optimized technique to convert hex string to byte array +const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; +function asciiToBase16(char) { + if (char >= asciis._0 && char <= asciis._9) + return char - asciis._0; + if (char >= asciis._A && char <= asciis._F) + return char - (asciis._A - 10); + if (char >= asciis._a && char <= asciis._f) + return char - (asciis._a - 10); + return; +} +/** + * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) + */ +function hexToBytes(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + const hl = hex.length; + const al = hl / 2; + if (hl % 2) + throw new Error('padded hex string expected, got unpadded hex of length ' + hl); + const array = new Uint8Array(al); + for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { + const n1 = asciiToBase16(hex.charCodeAt(hi)); + const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); + if (n1 === undefined || n2 === undefined) { + const char = hex[hi] + hex[hi + 1]; + throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); + } + array[ai] = n1 * 16 + n2; + } + return array; +} +exports.hexToBytes = hexToBytes; +function hexToNumber(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + // Big Endian + return BigInt(hex === '' ? '0' : `0x${hex}`); +} +exports.hexToNumber = hexToNumber; +// BE: Big Endian, LE: Little Endian +function bytesToNumberBE(bytes) { + return hexToNumber(bytesToHex(bytes)); +} +exports.bytesToNumberBE = bytesToNumberBE; +function numberToBytesBE(n, len) { + return hexToBytes(n.toString(16).padStart(len * 2, '0')); +} +exports.numberToBytesBE = numberToBytesBE; +// There is no setImmediate in browser and setTimeout is slow. +// call of async fn will return Promise, which will be fullfiled only on +// next scheduler queue processing step and this is exactly what we need. +const nextTick = async () => { }; +exports.nextTick = nextTick; +// Returns control to thread each 'tick' ms to avoid blocking +async function asyncLoop(iters, tick, cb) { + let ts = Date.now(); + for (let i = 0; i < iters; i++) { + cb(i); + // Date.now() is not monotonic, so in case if clock goes backwards we return return control too + const diff = Date.now() - ts; + if (diff >= 0 && diff < tick) + continue; + await (0, exports.nextTick)(); + ts += diff; + } +} +exports.asyncLoop = asyncLoop; +/** + * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) + */ +function utf8ToBytes(str) { + if (typeof str !== 'string') + throw new Error(`string expected, got ${typeof str}`); + return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 +} +exports.utf8ToBytes = utf8ToBytes; +/** + * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' + */ +function bytesToUtf8(bytes) { + return new TextDecoder().decode(bytes); +} +exports.bytesToUtf8 = bytesToUtf8; +/** + * Normalizes (non-hex) string or Uint8Array to Uint8Array. + * Warning: when Uint8Array is passed, it would NOT get copied. + * Keep in mind for future mutable operations. + */ +function toBytes(data) { + if (typeof data === 'string') + data = utf8ToBytes(data); + else if ((0, _assert_js_1.isBytes)(data)) + data = data.slice(); + else + throw new Error(`Uint8Array expected, got ${typeof data}`); + return data; +} +exports.toBytes = toBytes; +/** + * Copies several Uint8Arrays into one. + */ +function concatBytes(...arrays) { + let sum = 0; + for (let i = 0; i < arrays.length; i++) { + const a = arrays[i]; + (0, _assert_js_1.bytes)(a); + sum += a.length; + } + const res = new Uint8Array(sum); + for (let i = 0, pad = 0; i < arrays.length; i++) { + const a = arrays[i]; + res.set(a, pad); + pad += a.length; + } + return res; +} +exports.concatBytes = concatBytes; +function checkOpts(defaults, opts) { + if (opts == null || typeof opts !== 'object') + throw new Error('options must be defined'); + const merged = Object.assign(defaults, opts); + return merged; +} +exports.checkOpts = checkOpts; +// Compares 2 u8a-s in kinda constant time +function equalBytes(a, b) { + if (a.length !== b.length) + return false; + let diff = 0; + for (let i = 0; i < a.length; i++) + diff |= a[i] ^ b[i]; + return diff === 0; +} +exports.equalBytes = equalBytes; +// For runtime check if class implements interface +class Hash { +} +exports.Hash = Hash; +/** + * @__NO_SIDE_EFFECTS__ + */ +const wrapCipher = (params, c) => { + Object.assign(c, params); + return c; +}; +exports.wrapCipher = wrapCipher; +// Polyfill for Safari 14 +function setBigUint64(view, byteOffset, value, isLE) { + if (typeof view.setBigUint64 === 'function') + return view.setBigUint64(byteOffset, value, isLE); + const _32n = BigInt(32); + const _u32_max = BigInt(0xffffffff); + const wh = Number((value >> _32n) & _u32_max); + const wl = Number(value & _u32_max); + const h = isLE ? 4 : 0; + const l = isLE ? 0 : 4; + view.setUint32(byteOffset + h, wh, isLE); + view.setUint32(byteOffset + l, wl, isLE); +} +exports.setBigUint64 = setBigUint64; +function u64Lengths(ciphertext, AAD) { + const num = new Uint8Array(16); + const view = (0, exports.createView)(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + return num; +} +exports.u64Lengths = u64Lengths; +//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/webcrypto.js b/webcrypto.js new file mode 100644 index 0000000..c77690b --- /dev/null +++ b/webcrypto.js @@ -0,0 +1,98 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = exports.getWebcryptoSubtle = exports.randomBytes = void 0; +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// node.js versions earlier than v19 don't declare it in global scope. +// For node.js, package.js on#exports field mapping rewrites import +// from `crypto` to `cryptoNode`, which imports native module. +// Makes the utils un-importable in browsers without a bundler. +// Once node.js 18 is deprecated, we can just drop the import. +const crypto_1 = require("@noble/ciphers/crypto"); +Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_1.randomBytes; } }); +Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_1.getWebcryptoSubtle; } }); +const utils_js_1 = require("./utils.js"); +const _assert_js_1 = require("./_assert.js"); +const _assert_js_2 = require("./_assert.js"); +// Uses CSPRG for nonce, nonce injected in ciphertext +function managedNonce(fn) { + (0, _assert_js_1.number)(fn.nonceLength); + return ((key, ...args) => ({ + encrypt: (plaintext, ...argsEnc) => { + const { nonceLength } = fn; + const nonce = (0, crypto_1.randomBytes)(nonceLength); + const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); + const out = (0, utils_js_1.concatBytes)(nonce, ciphertext); + ciphertext.fill(0); + return out; + }, + decrypt: (ciphertext, ...argsDec) => { + const { nonceLength } = fn; + const nonce = ciphertext.subarray(0, nonceLength); + const data = ciphertext.subarray(nonceLength); + return fn(key, nonce, ...args).decrypt(data, ...argsDec); + }, + })); +} +exports.managedNonce = managedNonce; +// Overridable +exports.utils = { + async encrypt(key, keyParams, cryptParams, plaintext) { + const cr = (0, crypto_1.getWebcryptoSubtle)(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); + const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); + return new Uint8Array(ciphertext); + }, + async decrypt(key, keyParams, cryptParams, ciphertext) { + const cr = (0, crypto_1.getWebcryptoSubtle)(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); + const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); + return new Uint8Array(plaintext); + }, +}; +function getCryptParams(algo, nonce, AAD) { + if (algo === "AES-CBC" /* BlockMode.CBC */) + return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; + if (algo === "AES-CTR" /* BlockMode.CTR */) + return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; + if (algo === "AES-GCM" /* BlockMode.GCM */) + return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; + throw new Error('unknown aes block mode'); +} +function generate(algo) { + return (key, nonce, AAD) => { + (0, _assert_js_2.bytes)(key); + (0, _assert_js_2.bytes)(nonce); + // const keyLength = key.length; + const keyParams = { name: algo, length: key.length * 8 }; + const cryptParams = getCryptParams(algo, nonce, AAD); + return { + // keyLength, + encrypt(plaintext) { + (0, _assert_js_2.bytes)(plaintext); + return exports.utils.encrypt(key, keyParams, cryptParams, plaintext); + }, + decrypt(ciphertext) { + (0, _assert_js_2.bytes)(ciphertext); + return exports.utils.decrypt(key, keyParams, cryptParams, ciphertext); + }, + }; + }; +} +exports.cbc = generate("AES-CBC" /* BlockMode.CBC */); +exports.ctr = generate("AES-CTR" /* BlockMode.CTR */); +exports.gcm = generate("AES-GCM" /* BlockMode.GCM */); +// // Type tests +// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; +// import { xsalsa20poly1305 } from '../salsa.js'; +// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; +// const wsiv = managedNonce(siv); +// const wgcm = managedNonce(gcm); +// const wctr = managedNonce(ctr); +// const wcbc = managedNonce(cbc); +// const wsalsapoly = managedNonce(xsalsa20poly1305); +// const wchacha = managedNonce(chacha20poly1305); +// const wxchacha = managedNonce(xchacha20poly1305); +// // should fail +// const wcbc2 = managedNonce(managedNonce(cbc)); +// const wecb = managedNonce(ecb); +//# sourceMappingURL=webcrypto.js.map \ No newline at end of file From 234450a9384fd67c49e7cb16a27761e324083d92 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:37:09 +0800 Subject: [PATCH 03/13] update tsconfig --- src/package.json | 3 +++ tsconfig.esm.json | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 src/package.json diff --git a/src/package.json b/src/package.json new file mode 100644 index 0000000..3dbc1ca --- /dev/null +++ b/src/package.json @@ -0,0 +1,3 @@ +{ + "type": "module" +} diff --git a/tsconfig.esm.json b/tsconfig.esm.json index 7726d8b..a5b771e 100644 --- a/tsconfig.esm.json +++ b/tsconfig.esm.json @@ -16,9 +16,9 @@ "paths": { "@noble/ciphers/crypto": ["src/crypto"] }, - "module": "es2020", + "module": "Node16", "outDir": "esm", - "moduleResolution": "bundler" + "moduleResolution": "Node16" }, "include": ["src"], "exclude": ["node_modules", "lib"] From 14a81d1ec45918909b4c5179a7895c6cc316abea Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:40:04 +0800 Subject: [PATCH 04/13] fix crypto import --- src/webcrypto.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/webcrypto.ts b/src/webcrypto.ts index d8bd40c..db85c53 100644 --- a/src/webcrypto.ts +++ b/src/webcrypto.ts @@ -4,7 +4,7 @@ // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. -import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; +import { randomBytes, getWebcryptoSubtle } from './crypto.js'; import { Cipher, concatBytes } from './utils.js'; import { number } from './_assert.js'; import { AsyncCipher } from './utils.js'; From 3865a4b58c0bd8cdfaba6fbaafda9f5c1df31c6d Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:45:46 +0800 Subject: [PATCH 05/13] update crypto.js export --- esm/package.json | 1 + 1 file changed, 1 insertion(+) diff --git a/esm/package.json b/esm/package.json index cf1903a..cfdc1a5 100644 --- a/esm/package.json +++ b/esm/package.json @@ -4,6 +4,7 @@ "node:crypto": false }, "node": { + "./crypto.js": "./esm/cryptoNode.js", "./crypto": "./esm/cryptoNode.js" } } From aca57d285649fd7525d3002da7774a394e3d4d58 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:46:55 +0800 Subject: [PATCH 06/13] update all built js files --- esm/index.js | 2 +- esm/webcrypto.js | 2 +- webcrypto.js | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/esm/index.js b/esm/index.js index 5a9cbf1..9a9d7ac 100644 --- a/esm/index.js +++ b/esm/index.js @@ -1,3 +1,3 @@ -"use strict"; throw new Error('noble-ciphers have no entry-point: consult README for usage'); +export {}; //# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js index b067413..b7b9388 100644 --- a/esm/webcrypto.js +++ b/esm/webcrypto.js @@ -4,7 +4,7 @@ // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. -import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; +import { randomBytes, getWebcryptoSubtle } from './crypto.js'; import { concatBytes } from './utils.js'; import { number } from './_assert.js'; import { bytes as abytes } from './_assert.js'; diff --git a/webcrypto.js b/webcrypto.js index c77690b..228c620 100644 --- a/webcrypto.js +++ b/webcrypto.js @@ -7,9 +7,9 @@ exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. -const crypto_1 = require("@noble/ciphers/crypto"); -Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_1.randomBytes; } }); -Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_1.getWebcryptoSubtle; } }); +const crypto_js_1 = require("./crypto.js"); +Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_js_1.randomBytes; } }); +Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_js_1.getWebcryptoSubtle; } }); const utils_js_1 = require("./utils.js"); const _assert_js_1 = require("./_assert.js"); const _assert_js_2 = require("./_assert.js"); @@ -19,7 +19,7 @@ function managedNonce(fn) { return ((key, ...args) => ({ encrypt: (plaintext, ...argsEnc) => { const { nonceLength } = fn; - const nonce = (0, crypto_1.randomBytes)(nonceLength); + const nonce = (0, crypto_js_1.randomBytes)(nonceLength); const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); const out = (0, utils_js_1.concatBytes)(nonce, ciphertext); ciphertext.fill(0); @@ -37,13 +37,13 @@ exports.managedNonce = managedNonce; // Overridable exports.utils = { async encrypt(key, keyParams, cryptParams, plaintext) { - const cr = (0, crypto_1.getWebcryptoSubtle)(); + const cr = (0, crypto_js_1.getWebcryptoSubtle)(); const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); return new Uint8Array(ciphertext); }, async decrypt(key, keyParams, cryptParams, ciphertext) { - const cr = (0, crypto_1.getWebcryptoSubtle)(); + const cr = (0, crypto_js_1.getWebcryptoSubtle)(); const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); return new Uint8Array(plaintext); From ec3429996639ac9d0a8feb6187f1d0600fea59ec Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:52:01 +0800 Subject: [PATCH 07/13] Clean all built js files --- _arx.js | 171 ------------- _assert.js | 50 ---- _micro.js | 295 --------------------- _poly1305.js | 268 -------------------- _polyval.js | 221 ---------------- aes.js | 633 ---------------------------------------------- chacha.js | 323 ----------------------- crypto.js | 17 -- cryptoNode.js | 22 -- esm/_arx.js | 166 ------------ esm/_assert.js | 41 --- esm/_micro.js | 287 --------------------- esm/_poly1305.js | 264 ------------------- esm/_polyval.js | 217 ---------------- esm/aes.js | 628 --------------------------------------------- esm/chacha.js | 318 ----------------------- esm/crypto.js | 12 - esm/cryptoNode.js | 17 -- esm/ff1.js | 149 ----------- esm/index.js | 3 - esm/salsa.js | 205 --------------- esm/utils.js | 182 ------------- esm/webcrypto.js | 96 ------- ff1.js | 154 ----------- index.js | 3 - salsa.js | 210 --------------- utils.js | 206 --------------- webcrypto.js | 98 ------- 28 files changed, 5256 deletions(-) delete mode 100644 _arx.js delete mode 100644 _assert.js delete mode 100644 _micro.js delete mode 100644 _poly1305.js delete mode 100644 _polyval.js delete mode 100644 aes.js delete mode 100644 chacha.js delete mode 100644 crypto.js delete mode 100644 cryptoNode.js delete mode 100644 esm/_arx.js delete mode 100644 esm/_assert.js delete mode 100644 esm/_micro.js delete mode 100644 esm/_poly1305.js delete mode 100644 esm/_polyval.js delete mode 100644 esm/aes.js delete mode 100644 esm/chacha.js delete mode 100644 esm/crypto.js delete mode 100644 esm/cryptoNode.js delete mode 100644 esm/ff1.js delete mode 100644 esm/index.js delete mode 100644 esm/salsa.js delete mode 100644 esm/utils.js delete mode 100644 esm/webcrypto.js delete mode 100644 ff1.js delete mode 100644 index.js delete mode 100644 salsa.js delete mode 100644 utils.js delete mode 100644 webcrypto.js diff --git a/_arx.js b/_arx.js deleted file mode 100644 index 4c8e20d..0000000 --- a/_arx.js +++ /dev/null @@ -1,171 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.createCipher = exports.rotl = void 0; -// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. -const _assert_js_1 = require("./_assert.js"); -const utils_js_1 = require("./utils.js"); -/* -RFC8439 requires multi-step cipher stream, where -authKey starts with counter: 0, actual msg with counter: 1. - -For this, we need a way to re-use nonce / counter: - - const counter = new Uint8Array(4); - chacha(..., counter, ...); // counter is now 1 - chacha(..., counter, ...); // counter is now 2 - -This is complicated: - -- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB -- Original papers don't allow mutating counters -- Counter overflow is undefined [^1] -- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it -- Caveat: Cannot be re-used through all cases: -- * chacha has (counter | nonce) -- * xchacha has (nonce16 | counter | nonce16) -- Idea B: separate nonce / counter and provide separate API for counter re-use -- Caveat: there are different counter sizes depending on an algorithm. -- salsa & chacha also differ in structures of key & sigma: - salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] - chacha: s(4) | k(8) | ctr(1) | nonce(3) - chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) -- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` -- Caveat: we can't re-use counter array - -xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal -(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). - -[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ -[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 -*/ -const sigma16 = (0, utils_js_1.utf8ToBytes)('expand 16-byte k'); -const sigma32 = (0, utils_js_1.utf8ToBytes)('expand 32-byte k'); -const sigma16_32 = (0, utils_js_1.u32)(sigma16); -const sigma32_32 = (0, utils_js_1.u32)(sigma32); -function rotl(a, b) { - return (a << b) | (a >>> (32 - b)); -} -exports.rotl = rotl; -// Is byte array aligned to 4 byte offset (u32)? -function isAligned32(b) { - return b.byteOffset % 4 === 0; -} -// Salsa and Chacha block length is always 512-bit -const BLOCK_LEN = 64; -const BLOCK_LEN32 = 16; -// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] -// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] -const MAX_COUNTER = 2 ** 32 - 1; -const U32_EMPTY = new Uint32Array(); -function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { - const len = data.length; - const block = new Uint8Array(BLOCK_LEN); - const b32 = (0, utils_js_1.u32)(block); - // Make sure that buffers aligned to 4 bytes - const isAligned = isAligned32(data) && isAligned32(output); - const d32 = isAligned ? (0, utils_js_1.u32)(data) : U32_EMPTY; - const o32 = isAligned ? (0, utils_js_1.u32)(output) : U32_EMPTY; - for (let pos = 0; pos < len; counter++) { - core(sigma, key, nonce, b32, counter, rounds); - if (counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - const take = Math.min(BLOCK_LEN, len - pos); - // aligned to 4 bytes - if (isAligned && take === BLOCK_LEN) { - const pos32 = pos / 4; - if (pos % 4 !== 0) - throw new Error('arx: invalid block position'); - for (let j = 0, posj; j < BLOCK_LEN32; j++) { - posj = pos32 + j; - o32[posj] = d32[posj] ^ b32[j]; - } - pos += BLOCK_LEN; - continue; - } - for (let j = 0, posj; j < take; j++) { - posj = pos + j; - output[posj] = data[posj] ^ block[j]; - } - pos += take; - } -} -function createCipher(core, opts) { - const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0, utils_js_1.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); - if (typeof core !== 'function') - throw new Error('core must be a function'); - (0, _assert_js_1.number)(counterLength); - (0, _assert_js_1.number)(rounds); - (0, _assert_js_1.bool)(counterRight); - (0, _assert_js_1.bool)(allowShortKeys); - return (key, nonce, data, output, counter = 0) => { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce); - (0, _assert_js_1.bytes)(data); - const len = data.length; - if (!output) - output = new Uint8Array(len); - (0, _assert_js_1.bytes)(output); - (0, _assert_js_1.number)(counter); - if (counter < 0 || counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - if (output.length < len) - throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); - const toClean = []; - // Key & sigma - // key=16 -> sigma16, k=key|key - // key=32 -> sigma32, k=key - let l = key.length, k, sigma; - if (l === 32) { - k = key.slice(); - toClean.push(k); - sigma = sigma32_32; - } - else if (l === 16 && allowShortKeys) { - k = new Uint8Array(32); - k.set(key); - k.set(key, 16); - sigma = sigma16_32; - toClean.push(k); - } - else { - throw new Error(`arx: invalid 32-byte key, got length=${l}`); - } - // Nonce - // salsa20: 8 (8-byte counter) - // chacha20orig: 8 (8-byte counter) - // chacha20: 12 (4-byte counter) - // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) - // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) - // Align nonce to 4 bytes - if (!isAligned32(nonce)) { - nonce = nonce.slice(); - toClean.push(nonce); - } - const k32 = (0, utils_js_1.u32)(k); - // hsalsa & hchacha: handle extended nonce - if (extendNonceFn) { - if (nonce.length !== 24) - throw new Error(`arx: extended nonce must be 24 bytes`); - extendNonceFn(sigma, k32, (0, utils_js_1.u32)(nonce.subarray(0, 16)), k32); - nonce = nonce.subarray(16); - } - // Handle nonce counter - const nonceNcLen = 16 - counterLength; - if (nonceNcLen !== nonce.length) - throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); - // Pad counter when nonce is 64 bit - if (nonceNcLen !== 12) { - const nc = new Uint8Array(12); - nc.set(nonce, counterRight ? 0 : 12 - nonce.length); - nonce = nc; - toClean.push(nonce); - } - const n32 = (0, utils_js_1.u32)(nonce); - runCipher(core, sigma, k32, n32, data, output, counter, rounds); - while (toClean.length > 0) - toClean.pop().fill(0); - return output; - }; -} -exports.createCipher = createCipher; -//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/_assert.js b/_assert.js deleted file mode 100644 index 83ace83..0000000 --- a/_assert.js +++ /dev/null @@ -1,50 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.output = exports.exists = exports.hash = exports.bytes = exports.bool = exports.number = exports.isBytes = void 0; -function number(n) { - if (!Number.isSafeInteger(n) || n < 0) - throw new Error(`positive integer expected, not ${n}`); -} -exports.number = number; -function bool(b) { - if (typeof b !== 'boolean') - throw new Error(`boolean expected, not ${b}`); -} -exports.bool = bool; -function isBytes(a) { - return (a instanceof Uint8Array || - (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); -} -exports.isBytes = isBytes; -function bytes(b, ...lengths) { - if (!isBytes(b)) - throw new Error('Uint8Array expected'); - if (lengths.length > 0 && !lengths.includes(b.length)) - throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); -} -exports.bytes = bytes; -function hash(hash) { - if (typeof hash !== 'function' || typeof hash.create !== 'function') - throw new Error('hash must be wrapped by utils.wrapConstructor'); - number(hash.outputLen); - number(hash.blockLen); -} -exports.hash = hash; -function exists(instance, checkFinished = true) { - if (instance.destroyed) - throw new Error('Hash instance has been destroyed'); - if (checkFinished && instance.finished) - throw new Error('Hash#digest() has already been called'); -} -exports.exists = exists; -function output(out, instance) { - bytes(out); - const min = instance.outputLen; - if (out.length < min) { - throw new Error(`digestInto() expects output buffer of length at least ${min}`); - } -} -exports.output = output; -const assert = { number, bool, bytes, hash, exists, output }; -exports.default = assert; -//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/_micro.js b/_micro.js deleted file mode 100644 index 523065c..0000000 --- a/_micro.js +++ /dev/null @@ -1,295 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.secretbox = exports.xsalsa20poly1305 = exports.poly1305 = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.xsalsa20 = exports.salsa20 = exports.hchacha = exports.hsalsa = void 0; -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _arx_js_1 = require("./_arx.js"); -const _assert_js_1 = require("./_assert.js"); -/* -noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. -Implements the same algorithms that are present in other files, but without -unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). -*/ -function bytesToNumberLE(bytes) { - return (0, utils_js_1.hexToNumber)((0, utils_js_1.bytesToHex)(Uint8Array.from(bytes).reverse())); -} -function numberToBytesLE(n, len) { - return (0, utils_js_1.numberToBytesBE)(n, len).reverse(); -} -function salsaQR(x, a, b, c, d) { - x[b] ^= (0, _arx_js_1.rotl)((x[a] + x[d]) | 0, 7); - x[c] ^= (0, _arx_js_1.rotl)((x[b] + x[a]) | 0, 9); - x[d] ^= (0, _arx_js_1.rotl)((x[c] + x[b]) | 0, 13); - x[a] ^= (0, _arx_js_1.rotl)((x[d] + x[c]) | 0, 18); -} -// prettier-ignore -function chachaQR(x, a, b, c, d) { - x[a] = (x[a] + x[b]) | 0; - x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 16); - x[c] = (x[c] + x[d]) | 0; - x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 12); - x[a] = (x[a] + x[b]) | 0; - x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 8); - x[c] = (x[c] + x[d]) | 0; - x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 7); -} -function salsaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - salsaQR(x, 0, 4, 8, 12); - salsaQR(x, 5, 9, 13, 1); - salsaQR(x, 10, 14, 2, 6); - salsaQR(x, 15, 3, 7, 11); - salsaQR(x, 0, 1, 2, 3); - salsaQR(x, 5, 6, 7, 4); - salsaQR(x, 10, 11, 8, 9); - salsaQR(x, 15, 12, 13, 14); - } -} -function chachaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - chachaQR(x, 0, 4, 8, 12); - chachaQR(x, 1, 5, 9, 13); - chachaQR(x, 2, 6, 10, 14); - chachaQR(x, 3, 7, 11, 15); - chachaQR(x, 0, 5, 10, 15); - chachaQR(x, 1, 6, 11, 12); - chachaQR(x, 2, 7, 8, 13); - chachaQR(x, 3, 4, 9, 14); - } -} -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], k[0], k[1], k[2], // "expa" Key Key Key - k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce - cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key - k[5], k[6], k[7], s[3], // Key Key Key "te k" - ]); - const x = y.slice(); - salsaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -function hsalsa(s, k, i, o32) { - const x = new Uint32Array([ - s[0], k[0], k[1], k[2], - k[3], s[1], i[0], i[1], - i[2], i[3], s[2], k[4], - k[5], k[6], k[7], s[3] - ]); - salsaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[5]; - o32[oi++] = x[10]; - o32[oi++] = x[15]; - o32[oi++] = x[6]; - o32[oi++] = x[7]; - o32[oi++] = x[8]; - o32[oi++] = x[9]; -} -exports.hsalsa = hsalsa; -function chachaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" - k[0], k[1], k[2], k[3], // Key Key Key Key - k[4], k[5], k[6], k[7], // Key Key Key Key - cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce - ]); - const x = y.slice(); - chachaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -function hchacha(s, k, i, o32) { - const x = new Uint32Array([ - s[0], s[1], s[2], s[3], - k[0], k[1], k[2], k[3], - k[4], k[5], k[6], k[7], - i[0], i[1], i[2], i[3], - ]); - chachaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[1]; - o32[oi++] = x[2]; - o32[oi++] = x[3]; - o32[oi++] = x[12]; - o32[oi++] = x[13]; - o32[oi++] = x[14]; - o32[oi++] = x[15]; -} -exports.hchacha = hchacha; -/** - * salsa20, 12-byte nonce. - */ -exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20, 24-byte nonce. - */ -exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. - */ -exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { - allowShortKeys: true, - counterRight: false, - counterLength: 8, -}); -/** - * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. - */ -exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, -}); -/** - * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, -}); -/** - * 8-round chacha from the original paper. - */ -exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * 12-round chacha from the original paper. - */ -exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); -const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); -const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); -const _0 = BigInt(0); -const _1 = BigInt(1); -// Can be speed-up using BigUint64Array, but would be more complicated -function poly1305(msg, key) { - (0, _assert_js_1.bytes)(msg); - (0, _assert_js_1.bytes)(key); - let acc = _0; - const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; - const s = bytesToNumberLE(key.subarray(16)); - // Process by 16 byte chunks - for (let i = 0; i < msg.length; i += 16) { - const m = msg.subarray(i, i + 16); - const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); - acc = ((acc + n) * r) % POW_2_130_5; - } - const res = (acc + s) & POW_2_128_1; - return numberToBytesLE(res, 16); -} -exports.poly1305 = poly1305; -function computeTag(fn, key, nonce, ciphertext, AAD) { - const res = []; - if (AAD) { - res.push(AAD); - const leftover = AAD.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - } - res.push(ciphertext); - const leftover = ciphertext.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - // Lengths - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(ciphertext.length), true); - res.push(num); - const authKey = fn(key, nonce, new Uint8Array(32)); - return poly1305((0, utils_js_1.concatBytes)(...res), authKey); -} -/** - * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. - */ -exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const m = (0, utils_js_1.concatBytes)(new Uint8Array(32), plaintext); - const c = (0, exports.xsalsa20)(key, nonce, m); - const authKey = c.subarray(0, 32); - const data = c.subarray(32); - const tag = poly1305(data, authKey); - return (0, utils_js_1.concatBytes)(tag, data); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < 16) - throw new Error('encrypted data must be at least 16 bytes'); - const c = (0, utils_js_1.concatBytes)(new Uint8Array(16), ciphertext); - const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); - const tag = poly1305(c.subarray(32), authKey); - if (!(0, utils_js_1.equalBytes)(c.subarray(16, 32), tag)) - throw new Error('invalid poly1305 tag'); - return (0, exports.xsalsa20)(key, nonce, c).subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20-poly1305 - */ -function secretbox(key, nonce) { - const xs = (0, exports.xsalsa20poly1305)(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -exports.secretbox = secretbox; -const _poly1305_aead = (fn) => (key, nonce, AAD) => { - const tagLength = 16; - const keyLength = 32; - (0, _assert_js_1.bytes)(key, keyLength); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const res = fn(key, nonce, plaintext, undefined, 1); - const tag = computeTag(fn, key, nonce, res, AAD); - return (0, utils_js_1.concatBytes)(res, tag); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - const passedTag = ciphertext.subarray(-tagLength); - const data = ciphertext.subarray(0, -tagLength); - const tag = computeTag(fn, key, nonce, data, AAD); - if (!(0, utils_js_1.equalBytes)(passedTag, tag)) - throw new Error('invalid poly1305 tag'); - return fn(key, nonce, data, undefined, 1); - }, - }; -}; -exports._poly1305_aead = _poly1305_aead; -/** - * chacha20-poly1305 12-byte-nonce chacha. - */ -exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); -/** - * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); -//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/_poly1305.js b/_poly1305.js deleted file mode 100644 index 0652e24..0000000 --- a/_poly1305.js +++ /dev/null @@ -1,268 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.poly1305 = exports.wrapConstructorWithKey = void 0; -const _assert_js_1 = require("./_assert.js"); -const utils_js_1 = require("./utils.js"); -// Poly1305 is a fast and parallel secret-key message-authentication code. -// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf -// https://datatracker.ietf.org/doc/html/rfc8439 -// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna -const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); -class Poly1305 { - constructor(key) { - this.blockLen = 16; - this.outputLen = 16; - this.buffer = new Uint8Array(16); - this.r = new Uint16Array(10); - this.h = new Uint16Array(10); - this.pad = new Uint16Array(8); - this.pos = 0; - this.finished = false; - key = (0, utils_js_1.toBytes)(key); - (0, _assert_js_1.bytes)(key, 32); - const t0 = u8to16(key, 0); - const t1 = u8to16(key, 2); - const t2 = u8to16(key, 4); - const t3 = u8to16(key, 6); - const t4 = u8to16(key, 8); - const t5 = u8to16(key, 10); - const t6 = u8to16(key, 12); - const t7 = u8to16(key, 14); - // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 - this.r[0] = t0 & 0x1fff; - this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; - this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; - this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; - this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; - this.r[5] = (t4 >>> 1) & 0x1ffe; - this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; - this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; - this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; - this.r[9] = (t7 >>> 5) & 0x007f; - for (let i = 0; i < 8; i++) - this.pad[i] = u8to16(key, 16 + 2 * i); - } - process(data, offset, isLast = false) { - const hibit = isLast ? 0 : 1 << 11; - const { h, r } = this; - const r0 = r[0]; - const r1 = r[1]; - const r2 = r[2]; - const r3 = r[3]; - const r4 = r[4]; - const r5 = r[5]; - const r6 = r[6]; - const r7 = r[7]; - const r8 = r[8]; - const r9 = r[9]; - const t0 = u8to16(data, offset + 0); - const t1 = u8to16(data, offset + 2); - const t2 = u8to16(data, offset + 4); - const t3 = u8to16(data, offset + 6); - const t4 = u8to16(data, offset + 8); - const t5 = u8to16(data, offset + 10); - const t6 = u8to16(data, offset + 12); - const t7 = u8to16(data, offset + 14); - let h0 = h[0] + (t0 & 0x1fff); - let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); - let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); - let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); - let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); - let h5 = h[5] + ((t4 >>> 1) & 0x1fff); - let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); - let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); - let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); - let h9 = h[9] + ((t7 >>> 5) | hibit); - let c = 0; - let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); - c = d0 >>> 13; - d0 &= 0x1fff; - d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); - c += d0 >>> 13; - d0 &= 0x1fff; - let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); - c = d1 >>> 13; - d1 &= 0x1fff; - d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); - c += d1 >>> 13; - d1 &= 0x1fff; - let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); - c = d2 >>> 13; - d2 &= 0x1fff; - d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); - c += d2 >>> 13; - d2 &= 0x1fff; - let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); - c = d3 >>> 13; - d3 &= 0x1fff; - d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); - c += d3 >>> 13; - d3 &= 0x1fff; - let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; - c = d4 >>> 13; - d4 &= 0x1fff; - d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); - c += d4 >>> 13; - d4 &= 0x1fff; - let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; - c = d5 >>> 13; - d5 &= 0x1fff; - d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); - c += d5 >>> 13; - d5 &= 0x1fff; - let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; - c = d6 >>> 13; - d6 &= 0x1fff; - d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); - c += d6 >>> 13; - d6 &= 0x1fff; - let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; - c = d7 >>> 13; - d7 &= 0x1fff; - d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); - c += d7 >>> 13; - d7 &= 0x1fff; - let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; - c = d8 >>> 13; - d8 &= 0x1fff; - d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); - c += d8 >>> 13; - d8 &= 0x1fff; - let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; - c = d9 >>> 13; - d9 &= 0x1fff; - d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; - c += d9 >>> 13; - d9 &= 0x1fff; - c = ((c << 2) + c) | 0; - c = (c + d0) | 0; - d0 = c & 0x1fff; - c = c >>> 13; - d1 += c; - h[0] = d0; - h[1] = d1; - h[2] = d2; - h[3] = d3; - h[4] = d4; - h[5] = d5; - h[6] = d6; - h[7] = d7; - h[8] = d8; - h[9] = d9; - } - finalize() { - const { h, pad } = this; - const g = new Uint16Array(10); - let c = h[1] >>> 13; - h[1] &= 0x1fff; - for (let i = 2; i < 10; i++) { - h[i] += c; - c = h[i] >>> 13; - h[i] &= 0x1fff; - } - h[0] += c * 5; - c = h[0] >>> 13; - h[0] &= 0x1fff; - h[1] += c; - c = h[1] >>> 13; - h[1] &= 0x1fff; - h[2] += c; - g[0] = h[0] + 5; - c = g[0] >>> 13; - g[0] &= 0x1fff; - for (let i = 1; i < 10; i++) { - g[i] = h[i] + c; - c = g[i] >>> 13; - g[i] &= 0x1fff; - } - g[9] -= 1 << 13; - let mask = (c ^ 1) - 1; - for (let i = 0; i < 10; i++) - g[i] &= mask; - mask = ~mask; - for (let i = 0; i < 10; i++) - h[i] = (h[i] & mask) | g[i]; - h[0] = (h[0] | (h[1] << 13)) & 0xffff; - h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; - h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; - h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; - h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; - h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; - h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; - h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; - let f = h[0] + pad[0]; - h[0] = f & 0xffff; - for (let i = 1; i < 8; i++) { - f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; - h[i] = f & 0xffff; - } - } - update(data) { - (0, _assert_js_1.exists)(this); - const { buffer, blockLen } = this; - data = (0, utils_js_1.toBytes)(data); - const len = data.length; - for (let pos = 0; pos < len;) { - const take = Math.min(blockLen - this.pos, len - pos); - // Fast path: we have at least one block in input - if (take === blockLen) { - for (; blockLen <= len - pos; pos += blockLen) - this.process(data, pos); - continue; - } - buffer.set(data.subarray(pos, pos + take), this.pos); - this.pos += take; - pos += take; - if (this.pos === blockLen) { - this.process(buffer, 0, false); - this.pos = 0; - } - } - return this; - } - destroy() { - this.h.fill(0); - this.r.fill(0); - this.buffer.fill(0); - this.pad.fill(0); - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - const { buffer, h } = this; - let { pos } = this; - if (pos) { - buffer[pos++] = 1; - // buffer.subarray(pos).fill(0); - for (; pos < 16; pos++) - buffer[pos] = 0; - this.process(buffer, 0, true); - } - this.finalize(); - let opos = 0; - for (let i = 0; i < 8; i++) { - out[opos++] = h[i] >>> 0; - out[opos++] = h[i] >>> 8; - } - return out; - } - digest() { - const { buffer, outputLen } = this; - this.digestInto(buffer); - const res = buffer.slice(0, outputLen); - this.destroy(); - return res; - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key).update((0, utils_js_1.toBytes)(msg)).digest(); - const tmp = hashCons(new Uint8Array(32)); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key) => hashCons(key); - return hashC; -} -exports.wrapConstructorWithKey = wrapConstructorWithKey; -exports.poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); -//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/_polyval.js b/_polyval.js deleted file mode 100644 index 7183fc9..0000000 --- a/_polyval.js +++ /dev/null @@ -1,221 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.polyval = exports.ghash = exports._toGHASHKey = void 0; -const utils_js_1 = require("./utils.js"); -const _assert_js_1 = require("./_assert.js"); -// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. -// Implemented in terms of GHash with conversion function for keys -// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. -// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf -// GHASH modulo: x^128 + x^7 + x^2 + x + 1 -// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 -const BLOCK_SIZE = 16; -// TODO: rewrite -// temporary padding buffer -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -const ZEROS32 = (0, utils_js_1.u32)(ZEROS16); -const POLY = 0xe1; // v = 2*v % POLY -// v = 2*v % POLY -// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x -// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) -const mul2 = (s0, s1, s2, s3) => { - const hiBit = s3 & 1; - return { - s3: (s2 << 31) | (s3 >>> 1), - s2: (s1 << 31) | (s2 >>> 1), - s1: (s0 << 31) | (s1 >>> 1), - s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly - }; -}; -const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | - (((n >>> 8) & 0xff) << 16) | - (((n >>> 16) & 0xff) << 8) | - ((n >>> 24) & 0xff) | - 0; -/** - * `mulX_POLYVAL(ByteReverse(H))` from spec - * @param k mutated in place - */ -function _toGHASHKey(k) { - k.reverse(); - const hiBit = k[15] & 1; - // k >>= 1 - let carry = 0; - for (let i = 0; i < k.length; i++) { - const t = k[i]; - k[i] = (t >>> 1) | carry; - carry = (t & 1) << 7; - } - k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; - return k; -} -exports._toGHASHKey = _toGHASHKey; -const estimateWindow = (bytes) => { - if (bytes > 64 * 1024) - return 8; - if (bytes > 1024) - return 4; - return 2; -}; -class GHASH { - // We select bits per window adaptively based on expectedLength - constructor(key, expectedLength) { - this.blockLen = BLOCK_SIZE; - this.outputLen = BLOCK_SIZE; - this.s0 = 0; - this.s1 = 0; - this.s2 = 0; - this.s3 = 0; - this.finished = false; - key = (0, utils_js_1.toBytes)(key); - (0, _assert_js_1.bytes)(key, 16); - const kView = (0, utils_js_1.createView)(key); - let k0 = kView.getUint32(0, false); - let k1 = kView.getUint32(4, false); - let k2 = kView.getUint32(8, false); - let k3 = kView.getUint32(12, false); - // generate table of doubled keys (half of montgomery ladder) - const doubles = []; - for (let i = 0; i < 128; i++) { - doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); - ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); - } - const W = estimateWindow(expectedLength || 1024); - if (![1, 2, 4, 8].includes(W)) - throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); - this.W = W; - const bits = 128; // always 128 bits; - const windows = bits / W; - const windowSize = (this.windowSize = 2 ** W); - const items = []; - // Create precompute table for window of W bits - for (let w = 0; w < windows; w++) { - // truth table: 00, 01, 10, 11 - for (let byte = 0; byte < windowSize; byte++) { - // prettier-ignore - let s0 = 0, s1 = 0, s2 = 0, s3 = 0; - for (let j = 0; j < W; j++) { - const bit = (byte >>> (W - j - 1)) & 1; - if (!bit) - continue; - const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; - (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); - } - items.push({ s0, s1, s2, s3 }); - } - } - this.t = items; - } - _updateBlock(s0, s1, s2, s3) { - (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); - const { W, t, windowSize } = this; - // prettier-ignore - let o0 = 0, o1 = 0, o2 = 0, o3 = 0; - const mask = (1 << W) - 1; // 2**W will kill performance. - let w = 0; - for (const num of [s0, s1, s2, s3]) { - for (let bytePos = 0; bytePos < 4; bytePos++) { - const byte = (num >>> (8 * bytePos)) & 0xff; - for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { - const bit = (byte >>> (W * bitPos)) & mask; - const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; - (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); - w += 1; - } - } - } - this.s0 = o0; - this.s1 = o1; - this.s2 = o2; - this.s3 = o3; - } - update(data) { - data = (0, utils_js_1.toBytes)(data); - (0, _assert_js_1.exists)(this); - const b32 = (0, utils_js_1.u32)(data); - const blocks = Math.floor(data.length / BLOCK_SIZE); - const left = data.length % BLOCK_SIZE; - for (let i = 0; i < blocks; i++) { - this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - destroy() { - const { t } = this; - // clean precompute table - for (const elm of t) { - (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); - } - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - const { s0, s1, s2, s3 } = this; - const o32 = (0, utils_js_1.u32)(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out; - } - digest() { - const res = new Uint8Array(BLOCK_SIZE); - this.digestInto(res); - this.destroy(); - return res; - } -} -class Polyval extends GHASH { - constructor(key, expectedLength) { - key = (0, utils_js_1.toBytes)(key); - const ghKey = _toGHASHKey(key.slice()); - super(ghKey, expectedLength); - ghKey.fill(0); - } - update(data) { - data = (0, utils_js_1.toBytes)(data); - (0, _assert_js_1.exists)(this); - const b32 = (0, utils_js_1.u32)(data); - const left = data.length % BLOCK_SIZE; - const blocks = Math.floor(data.length / BLOCK_SIZE); - for (let i = 0; i < blocks; i++) { - this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - // tmp ugly hack - const { s0, s1, s2, s3 } = this; - const o32 = (0, utils_js_1.u32)(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out.reverse(); - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key, msg.length).update((0, utils_js_1.toBytes)(msg)).digest(); - const tmp = hashCons(new Uint8Array(16), 0); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key, expectedLength) => hashCons(key, expectedLength); - return hashC; -} -exports.ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); -exports.polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); -//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/aes.js b/aes.js deleted file mode 100644 index 2147b0a..0000000 --- a/aes.js +++ /dev/null @@ -1,633 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.unsafe = exports.siv = exports.gcm = exports.cbc = exports.ecb = exports.ctr = exports.expandKeyDecLE = exports.expandKeyLE = void 0; -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _polyval_js_1 = require("./_polyval.js"); -const _assert_js_1 = require("./_assert.js"); -/* -AES (Advanced Encryption Standard) aka Rijndael block cipher. - -Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: -1. **S-box**, table substitution -2. **Shift rows**, cyclic shift left of all rows of data array -3. **Mix columns**, multiplying every column by fixed polynomial -4. **Add round key**, round_key xor i-th column of array - -Resources: -- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf -- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf -*/ -const BLOCK_SIZE = 16; -const BLOCK_SIZE32 = 4; -const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); -const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 -// TODO: remove multiplication, binary ops only -function mul2(n) { - return (n << 1) ^ (POLY & -(n >> 7)); -} -function mul(a, b) { - let res = 0; - for (; b > 0; b >>= 1) { - // Montgomery ladder - res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). - a = mul2(a); // a = 2*a - } - return res; -} -// AES S-box is generated using finite field inversion, -// an affine transform, and xor of a constant 0x63. -const sbox = /* @__PURE__ */ (() => { - let t = new Uint8Array(256); - for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) - t[i] = x; - const box = new Uint8Array(256); - box[0] = 0x63; // first elm - for (let i = 0; i < 255; i++) { - let x = t[255 - i]; - x |= x << 8; - box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; - } - return box; -})(); -// Inverted S-box -const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); -// Rotate u32 by 8 -const rotr32_8 = (n) => (n << 24) | (n >>> 8); -const rotl32_8 = (n) => (n << 8) | (n >>> 24); -// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: -// - LE instead of BE -// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; -// so index is u16, instead of u8. This speeds up things, unexpectedly -function genTtable(sbox, fn) { - if (sbox.length !== 256) - throw new Error('Wrong sbox length'); - const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); - const T1 = T0.map(rotl32_8); - const T2 = T1.map(rotl32_8); - const T3 = T2.map(rotl32_8); - const T01 = new Uint32Array(256 * 256); - const T23 = new Uint32Array(256 * 256); - const sbox2 = new Uint16Array(256 * 256); - for (let i = 0; i < 256; i++) { - for (let j = 0; j < 256; j++) { - const idx = i * 256 + j; - T01[idx] = T0[i] ^ T1[j]; - T23[idx] = T2[i] ^ T3[j]; - sbox2[idx] = (sbox[i] << 8) | sbox[j]; - } - } - return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; -} -const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); -const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); -const xPowers = /* @__PURE__ */ (() => { - const p = new Uint8Array(16); - for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) - p[i] = x; - return p; -})(); -function expandKeyLE(key) { - (0, _assert_js_1.bytes)(key); - const len = key.length; - if (![16, 24, 32].includes(len)) - throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); - const { sbox2 } = tableEncoding; - const k32 = (0, utils_js_1.u32)(key); - const Nk = k32.length; - const subByte = (n) => applySbox(sbox2, n, n, n, n); - const xk = new Uint32Array(len + 28); // expanded key - xk.set(k32); - // 4.3.1 Key expansion - for (let i = Nk; i < xk.length; i++) { - let t = xk[i - 1]; - if (i % Nk === 0) - t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; - else if (Nk > 6 && i % Nk === 4) - t = subByte(t); - xk[i] = xk[i - Nk] ^ t; - } - return xk; -} -exports.expandKeyLE = expandKeyLE; -function expandKeyDecLE(key) { - const encKey = expandKeyLE(key); - const xk = encKey.slice(); - const Nk = encKey.length; - const { sbox2 } = tableEncoding; - const { T0, T1, T2, T3 } = tableDecoding; - // Inverse key by chunks of 4 (rounds) - for (let i = 0; i < Nk; i += 4) { - for (let j = 0; j < 4; j++) - xk[i + j] = encKey[Nk - i - 4 + j]; - } - encKey.fill(0); - // apply InvMixColumn except first & last round - for (let i = 4; i < Nk - 4; i++) { - const x = xk[i]; - const w = applySbox(sbox2, x, x, x, x); - xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; - } - return xk; -} -exports.expandKeyDecLE = expandKeyDecLE; -// Apply tables -function apply0123(T01, T23, s0, s1, s2, s3) { - return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ - T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); -} -function applySbox(sbox2, s0, s1, s2, s3) { - return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | - (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); -} -function encrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableEncoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // last round (without mixcolumns, so using SBOX2 table) - const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function decrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableDecoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // Last round - const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function getDst(len, dst) { - if (!dst) - return new Uint8Array(len); - (0, _assert_js_1.bytes)(dst); - if (dst.length < len) - throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); - return dst; -} -// TODO: investigate merging with ctr32 -function ctrCounter(xk, nonce, src, dst) { - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - (0, _assert_js_1.bytes)(src); - const srcLen = src.length; - dst = getDst(srcLen, dst); - const ctr = nonce; - const c32 = (0, utils_js_1.u32)(ctr); - // Fill block (empty, ctr=0) - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - const src32 = (0, utils_js_1.u32)(src); - const dst32 = (0, utils_js_1.u32)(dst); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - // Full 128 bit counter with wrap around - let carry = 1; - for (let i = ctr.length - 1; i >= 0; i--) { - carry = (carry + (ctr[i] & 0xff)) | 0; - ctr[i] = carry & 0xff; - carry >>>= 8; - } - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than block) - // It's possible to handle > u32 fast, but is it worth it? - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = (0, utils_js_1.u8)(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -// AES CTR with overflowing 32 bit counter -// It's possible to do 32le significantly simpler (and probably faster) by using u32. -// But, we need both, and perf bottleneck is in ghash anyway. -function ctr32(xk, isLE, nonce, src, dst) { - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - (0, _assert_js_1.bytes)(src); - dst = getDst(src.length, dst); - const ctr = nonce; // write new value to nonce, so it can be re-used - const c32 = (0, utils_js_1.u32)(ctr); - const view = (0, utils_js_1.createView)(ctr); - const src32 = (0, utils_js_1.u32)(src); - const dst32 = (0, utils_js_1.u32)(dst); - const ctrPos = isLE ? 0 : 12; - const srcLen = src.length; - // Fill block (empty, ctr=0) - let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - ctrNum = (ctrNum + 1) >>> 0; // u32 wrap - view.setUint32(ctrPos, ctrNum, isLE); - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than a block) - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = (0, utils_js_1.u8)(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -/** - * CTR: counter mode. Creates stream cipher. - * Requires good IV. Parallelizable. OK, but no MAC. - */ -exports.ctr = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - function processCtr(buf, dst) { - const xk = expandKeyLE(key); - const n = nonce.slice(); - const out = ctrCounter(xk, n, buf, dst); - xk.fill(0); - n.fill(0); - return out; - } - return { - encrypt: (plaintext, dst) => processCtr(plaintext, dst), - decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), - }; -}); -function validateBlockDecrypt(data) { - (0, _assert_js_1.bytes)(data); - if (data.length % BLOCK_SIZE !== 0) { - throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); - } -} -function validateBlockEncrypt(plaintext, pcks5, dst) { - let outLen = plaintext.length; - const remaining = outLen % BLOCK_SIZE; - if (!pcks5 && remaining !== 0) - throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); - const b = (0, utils_js_1.u32)(plaintext); - if (pcks5) { - let left = BLOCK_SIZE - remaining; - if (!left) - left = BLOCK_SIZE; // if no bytes left, create empty padding block - outLen = outLen + left; - } - const out = getDst(outLen, dst); - const o = (0, utils_js_1.u32)(out); - return { b, o, out }; -} -function validatePCKS(data, pcks5) { - if (!pcks5) - return data; - const len = data.length; - if (!len) - throw new Error(`aes/pcks5: empty ciphertext not allowed`); - const lastByte = data[len - 1]; - if (lastByte <= 0 || lastByte > 16) - throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); - const out = data.subarray(0, -lastByte); - for (let i = 0; i < lastByte; i++) - if (data[len - i - 1] !== lastByte) - throw new Error(`aes/pcks5: wrong padding`); - return out; -} -function padPCKS(left) { - const tmp = new Uint8Array(16); - const tmp32 = (0, utils_js_1.u32)(tmp); - tmp.set(left); - const paddingByte = BLOCK_SIZE - left.length; - for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) - tmp[i] = paddingByte; - return tmp32; -} -/** - * ECB: Electronic CodeBook. Simple deterministic replacement. - * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). - */ -exports.ecb = (0, utils_js_1.wrapCipher)({ blockSize: 16 }, function ecb(key, opts = {}) { - (0, _assert_js_1.bytes)(key); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - (0, _assert_js_1.bytes)(plaintext); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const xk = expandKeyLE(key); - let i = 0; - for (; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const out = getDst(ciphertext.length, dst); - const b = (0, utils_js_1.u32)(ciphertext); - const o = (0, utils_js_1.u32)(out); - for (let i = 0; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -/** - * CBC: Cipher-Block-Chaining. Key is previous round’s block. - * Fragile: needs proper padding. Unauthenticated: needs MAC. - */ -exports.cbc = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(iv, 16); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - const xk = expandKeyLE(key); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const n32 = (0, utils_js_1.u32)(iv); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - let i = 0; - for (; i + 4 <= b.length;) { - (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const n32 = (0, utils_js_1.u32)(iv); - const out = getDst(ciphertext.length, dst); - const b = (0, utils_js_1.u32)(ciphertext); - const o = (0, utils_js_1.u32)(out); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - for (let i = 0; i + 4 <= b.length;) { - // prettier-ignore - const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; - (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); - const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); - (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen -function computeTag(fn, isLE, key, data, AAD) { - const h = fn.create(key, data.length + (AAD?.length || 0)); - if (AAD) - h.update(AAD); - h.update(data); - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - if (AAD) - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD.length * 8), isLE); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length * 8), isLE); - h.update(num); - return h.digest(); -} -/** - * GCM: Galois/Counter Mode. - * Good, modern version of CTR, parallel, with MAC. - * Be careful: MACs can be forged. - */ -exports.gcm = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { - (0, _assert_js_1.bytes)(nonce); - // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. - if (nonce.length === 0) - throw new Error('aes/gcm: empty nonce'); - const tagLength = 16; - function _computeTag(authKey, tagMask, data) { - const tag = computeTag(_polyval_js_1.ghash, false, authKey, data, AAD); - for (let i = 0; i < tagMask.length; i++) - tag[i] ^= tagMask[i]; - return tag; - } - function deriveKeys() { - const xk = expandKeyLE(key); - const authKey = EMPTY_BLOCK.slice(); - const counter = EMPTY_BLOCK.slice(); - ctr32(xk, false, counter, counter, authKey); - if (nonce.length === 12) { - counter.set(nonce); - } - else { - // Spec (NIST 800-38d) supports variable size nonce. - // Not supported for now, but can be useful. - const nonceLen = EMPTY_BLOCK.slice(); - const view = (0, utils_js_1.createView)(nonceLen); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(nonce.length * 8), false); - // ghash(nonce || u64be(0) || u64be(nonceLen*8)) - _polyval_js_1.ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); - } - const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); - return { xk, authKey, counter, tagMask }; - } - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const out = new Uint8Array(plaintext.length + tagLength); - ctr32(xk, false, counter, plaintext, out); - const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); - out.set(tag, plaintext.length); - xk.fill(0); - return out; - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = _computeTag(authKey, tagMask, data); - if (!(0, utils_js_1.equalBytes)(tag, passedTag)) - throw new Error('aes/gcm: invalid ghash tag'); - const out = ctr32(xk, false, counter, data); - authKey.fill(0); - tagMask.fill(0); - xk.fill(0); - return out; - }, - }; -}); -const limit = (name, min, max) => (value) => { - if (!Number.isSafeInteger(value) || min > value || value > max) - throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); -}; -/** - * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. - * Guarantees that, when a nonce is repeated, the only security loss is that identical - * plaintexts will produce identical ciphertexts. - * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 - */ -exports.siv = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { - const tagLength = 16; - // From RFC 8452: Section 6 - const AAD_LIMIT = limit('AAD', 0, 2 ** 36); - const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); - const NONCE_LIMIT = limit('nonce', 12, 12); - const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); - (0, _assert_js_1.bytes)(nonce); - NONCE_LIMIT(nonce.length); - if (AAD) { - (0, _assert_js_1.bytes)(AAD); - AAD_LIMIT(AAD.length); - } - function deriveKeys() { - const len = key.length; - if (len !== 16 && len !== 24 && len !== 32) - throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); - const xk = expandKeyLE(key); - const encKey = new Uint8Array(len); - const authKey = new Uint8Array(16); - const n32 = (0, utils_js_1.u32)(nonce); - // prettier-ignore - let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; - let counter = 0; - for (const derivedKey of [authKey, encKey].map(utils_js_1.u32)) { - const d32 = (0, utils_js_1.u32)(derivedKey); - for (let i = 0; i < d32.length; i += 2) { - // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... - const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); - d32[i + 0] = o0; - d32[i + 1] = o1; - s0 = ++counter; // increment counter inside state - } - } - xk.fill(0); - return { authKey, encKey: expandKeyLE(encKey) }; - } - function _computeTag(encKey, authKey, data) { - const tag = computeTag(_polyval_js_1.polyval, true, authKey, data, AAD); - // Compute the expected tag by XORing S_s and the nonce, clearing the - // most significant bit of the last byte and encrypting with the - // message-encryption key. - for (let i = 0; i < 12; i++) - tag[i] ^= nonce[i]; - tag[15] &= 0x7f; // Clear the highest bit - // encrypt tag as block - const t32 = (0, utils_js_1.u32)(tag); - // prettier-ignore - let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; - ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); - (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); - return tag; - } - // actual decrypt/encrypt of message. - function processSiv(encKey, tag, input) { - let block = tag.slice(); - block[15] |= 0x80; // Force highest bit - return ctr32(encKey, true, block, input); - } - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - PLAIN_LIMIT(plaintext.length); - const { encKey, authKey } = deriveKeys(); - const tag = _computeTag(encKey, authKey, plaintext); - const out = new Uint8Array(plaintext.length + tagLength); - out.set(tag, plaintext.length); - out.set(processSiv(encKey, tag, plaintext)); - encKey.fill(0); - authKey.fill(0); - return out; - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - CIPHER_LIMIT(ciphertext.length); - const tag = ciphertext.subarray(-tagLength); - const { encKey, authKey } = deriveKeys(); - const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); - const expectedTag = _computeTag(encKey, authKey, plaintext); - encKey.fill(0); - authKey.fill(0); - if (!(0, utils_js_1.equalBytes)(tag, expectedTag)) - throw new Error('invalid polyval tag'); - return plaintext; - }, - }; -}); -function isBytes32(a) { - return (a != null && - typeof a === 'object' && - (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); -} -function encryptBlock(xk, block) { - (0, _assert_js_1.bytes)(block, 16); - if (!isBytes32(xk)) - throw new Error('_encryptBlock accepts result of expandKeyLE'); - const b32 = (0, utils_js_1.u32)(block); - let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -function decryptBlock(xk, block) { - (0, _assert_js_1.bytes)(block, 16); - if (!isBytes32(xk)) - throw new Error('_decryptBlock accepts result of expandKeyLE'); - const b32 = (0, utils_js_1.u32)(block); - let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -// Highly unsafe private functions for implementing new modes or ciphers based on AES -// Can change at any time, no API guarantees -exports.unsafe = { - expandKeyLE, - expandKeyDecLE, - encrypt, - decrypt, - encryptBlock, - decryptBlock, - ctrCounter, - ctr32, -}; -//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/chacha.js b/chacha.js deleted file mode 100644 index a10250d..0000000 --- a/chacha.js +++ /dev/null @@ -1,323 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.hchacha = void 0; -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _poly1305_js_1 = require("./_poly1305.js"); -const _arx_js_1 = require("./_arx.js"); -const _assert_js_1 = require("./_assert.js"); -// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase -// the diffusion per round, but had slightly less cryptanalysis. -// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf -/** - * ChaCha core function. - */ -// prettier-ignore -function chachaCore(s, k, n, out, cnt, rounds = 20) { - let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" - y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key - y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key - y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hchacha helper method, used primarily in xchacha, to hash - * key and nonce into key' and nonce'. - * Same as chachaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -function hchacha(s, k, i, o32) { - let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; - for (let r = 0; r < 20; r += 2) { - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x01; - o32[oi++] = x02; - o32[oi++] = x03; - o32[oi++] = x12; - o32[oi++] = x13; - o32[oi++] = x14; - o32[oi++] = x15; -} -exports.hchacha = hchacha; -/** - * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. - */ -exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - allowShortKeys: true, -}); -/** - * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - allowShortKeys: false, -}); -/** - * XChaCha eXtended-nonce ChaCha. 24-byte nonce. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, - allowShortKeys: false, -}); -/** - * Reduced 8-round chacha, described in original paper. - */ -exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * Reduced 12-round chacha, described in original paper. - */ -exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -// Pad to digest size with zeros -const updatePadded = (h, msg) => { - h.update(msg); - const left = msg.length % 16; - if (left) - h.update(ZEROS16.subarray(left)); -}; -const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); -function computeTag(fn, key, nonce, data, AAD) { - const authKey = fn(key, nonce, ZEROS32); - const h = _poly1305_js_1.poly1305.create(authKey); - if (AAD) - updatePadded(h, AAD); - updatePadded(h, data); - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length), true); - h.update(num); - const res = h.digest(); - authKey.fill(0); - return res; -} -/** - * AEAD algorithm from RFC 8439. - * Salsa20 and chacha (RFC 8439) use poly1305 differently. - * We could have composed them similar to: - * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 - * But it's hard because of authKey: - * In salsa20, authKey changes position in salsa stream. - * In chacha, authKey can't be computed inside computeTag, it modifies the counter. - */ -const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { - const tagLength = 16; - (0, _assert_js_1.bytes)(key, 32); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext, output) => { - const plength = plaintext.length; - const clength = plength + tagLength; - if (output) { - (0, _assert_js_1.bytes)(output, clength); - } - else { - output = new Uint8Array(clength); - } - xorStream(key, nonce, plaintext, output, 1); - const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); - output.set(tag, plength); // append tag - return output; - }, - decrypt: (ciphertext, output) => { - const clength = ciphertext.length; - const plength = clength - tagLength; - if (clength < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - if (output) { - (0, _assert_js_1.bytes)(output, plength); - } - else { - output = new Uint8Array(plength); - } - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = computeTag(xorStream, key, nonce, data, AAD); - if (!(0, utils_js_1.equalBytes)(passedTag, tag)) - throw new Error('invalid tag'); - xorStream(key, nonce, data, output, 1); - return output; - }, - }; -}; -exports._poly1305_aead = _poly1305_aead; -/** - * ChaCha20-Poly1305 from RFC 8439. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); -/** - * XChaCha20-Poly1305 extended-nonce chacha. - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); -//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/crypto.js b/crypto.js deleted file mode 100644 index e166f22..0000000 --- a/crypto.js +++ /dev/null @@ -1,17 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getWebcryptoSubtle = exports.randomBytes = void 0; -const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; -function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -exports.randomBytes = randomBytes; -function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -exports.getWebcryptoSubtle = getWebcryptoSubtle; -//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/cryptoNode.js b/cryptoNode.js deleted file mode 100644 index ac61d9d..0000000 --- a/cryptoNode.js +++ /dev/null @@ -1,22 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getWebcryptoSubtle = exports.randomBytes = void 0; -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// See utils.ts for details. -// The file will throw on node.js 14 and earlier. -// @ts-ignore -const nc = require("node:crypto"); -const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; -function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -exports.randomBytes = randomBytes; -function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -exports.getWebcryptoSubtle = getWebcryptoSubtle; -//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/_arx.js b/esm/_arx.js deleted file mode 100644 index b949f4d..0000000 --- a/esm/_arx.js +++ /dev/null @@ -1,166 +0,0 @@ -// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. -import { number as anumber, bytes as abytes, bool as abool } from './_assert.js'; -import { checkOpts, u32, utf8ToBytes } from './utils.js'; -/* -RFC8439 requires multi-step cipher stream, where -authKey starts with counter: 0, actual msg with counter: 1. - -For this, we need a way to re-use nonce / counter: - - const counter = new Uint8Array(4); - chacha(..., counter, ...); // counter is now 1 - chacha(..., counter, ...); // counter is now 2 - -This is complicated: - -- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB -- Original papers don't allow mutating counters -- Counter overflow is undefined [^1] -- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it -- Caveat: Cannot be re-used through all cases: -- * chacha has (counter | nonce) -- * xchacha has (nonce16 | counter | nonce16) -- Idea B: separate nonce / counter and provide separate API for counter re-use -- Caveat: there are different counter sizes depending on an algorithm. -- salsa & chacha also differ in structures of key & sigma: - salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] - chacha: s(4) | k(8) | ctr(1) | nonce(3) - chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) -- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` -- Caveat: we can't re-use counter array - -xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal -(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). - -[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ -[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 -*/ -const sigma16 = utf8ToBytes('expand 16-byte k'); -const sigma32 = utf8ToBytes('expand 32-byte k'); -const sigma16_32 = u32(sigma16); -const sigma32_32 = u32(sigma32); -export function rotl(a, b) { - return (a << b) | (a >>> (32 - b)); -} -// Is byte array aligned to 4 byte offset (u32)? -function isAligned32(b) { - return b.byteOffset % 4 === 0; -} -// Salsa and Chacha block length is always 512-bit -const BLOCK_LEN = 64; -const BLOCK_LEN32 = 16; -// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] -// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] -const MAX_COUNTER = 2 ** 32 - 1; -const U32_EMPTY = new Uint32Array(); -function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { - const len = data.length; - const block = new Uint8Array(BLOCK_LEN); - const b32 = u32(block); - // Make sure that buffers aligned to 4 bytes - const isAligned = isAligned32(data) && isAligned32(output); - const d32 = isAligned ? u32(data) : U32_EMPTY; - const o32 = isAligned ? u32(output) : U32_EMPTY; - for (let pos = 0; pos < len; counter++) { - core(sigma, key, nonce, b32, counter, rounds); - if (counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - const take = Math.min(BLOCK_LEN, len - pos); - // aligned to 4 bytes - if (isAligned && take === BLOCK_LEN) { - const pos32 = pos / 4; - if (pos % 4 !== 0) - throw new Error('arx: invalid block position'); - for (let j = 0, posj; j < BLOCK_LEN32; j++) { - posj = pos32 + j; - o32[posj] = d32[posj] ^ b32[j]; - } - pos += BLOCK_LEN; - continue; - } - for (let j = 0, posj; j < take; j++) { - posj = pos + j; - output[posj] = data[posj] ^ block[j]; - } - pos += take; - } -} -export function createCipher(core, opts) { - const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); - if (typeof core !== 'function') - throw new Error('core must be a function'); - anumber(counterLength); - anumber(rounds); - abool(counterRight); - abool(allowShortKeys); - return (key, nonce, data, output, counter = 0) => { - abytes(key); - abytes(nonce); - abytes(data); - const len = data.length; - if (!output) - output = new Uint8Array(len); - abytes(output); - anumber(counter); - if (counter < 0 || counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - if (output.length < len) - throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); - const toClean = []; - // Key & sigma - // key=16 -> sigma16, k=key|key - // key=32 -> sigma32, k=key - let l = key.length, k, sigma; - if (l === 32) { - k = key.slice(); - toClean.push(k); - sigma = sigma32_32; - } - else if (l === 16 && allowShortKeys) { - k = new Uint8Array(32); - k.set(key); - k.set(key, 16); - sigma = sigma16_32; - toClean.push(k); - } - else { - throw new Error(`arx: invalid 32-byte key, got length=${l}`); - } - // Nonce - // salsa20: 8 (8-byte counter) - // chacha20orig: 8 (8-byte counter) - // chacha20: 12 (4-byte counter) - // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) - // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) - // Align nonce to 4 bytes - if (!isAligned32(nonce)) { - nonce = nonce.slice(); - toClean.push(nonce); - } - const k32 = u32(k); - // hsalsa & hchacha: handle extended nonce - if (extendNonceFn) { - if (nonce.length !== 24) - throw new Error(`arx: extended nonce must be 24 bytes`); - extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32); - nonce = nonce.subarray(16); - } - // Handle nonce counter - const nonceNcLen = 16 - counterLength; - if (nonceNcLen !== nonce.length) - throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); - // Pad counter when nonce is 64 bit - if (nonceNcLen !== 12) { - const nc = new Uint8Array(12); - nc.set(nonce, counterRight ? 0 : 12 - nonce.length); - nonce = nc; - toClean.push(nonce); - } - const n32 = u32(nonce); - runCipher(core, sigma, k32, n32, data, output, counter, rounds); - while (toClean.length > 0) - toClean.pop().fill(0); - return output; - }; -} -//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/esm/_assert.js b/esm/_assert.js deleted file mode 100644 index 330fa25..0000000 --- a/esm/_assert.js +++ /dev/null @@ -1,41 +0,0 @@ -function number(n) { - if (!Number.isSafeInteger(n) || n < 0) - throw new Error(`positive integer expected, not ${n}`); -} -function bool(b) { - if (typeof b !== 'boolean') - throw new Error(`boolean expected, not ${b}`); -} -export function isBytes(a) { - return (a instanceof Uint8Array || - (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); -} -function bytes(b, ...lengths) { - if (!isBytes(b)) - throw new Error('Uint8Array expected'); - if (lengths.length > 0 && !lengths.includes(b.length)) - throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); -} -function hash(hash) { - if (typeof hash !== 'function' || typeof hash.create !== 'function') - throw new Error('hash must be wrapped by utils.wrapConstructor'); - number(hash.outputLen); - number(hash.blockLen); -} -function exists(instance, checkFinished = true) { - if (instance.destroyed) - throw new Error('Hash instance has been destroyed'); - if (checkFinished && instance.finished) - throw new Error('Hash#digest() has already been called'); -} -function output(out, instance) { - bytes(out); - const min = instance.outputLen; - if (out.length < min) { - throw new Error(`digestInto() expects output buffer of length at least ${min}`); - } -} -export { number, bool, bytes, hash, exists, output }; -const assert = { number, bool, bytes, hash, exists, output }; -export default assert; -//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/esm/_micro.js b/esm/_micro.js deleted file mode 100644 index fae5252..0000000 --- a/esm/_micro.js +++ /dev/null @@ -1,287 +0,0 @@ -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -// prettier-ignore -import { createView, setBigUint64, wrapCipher, bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE, } from './utils.js'; -import { createCipher, rotl } from './_arx.js'; -import { bytes as abytes } from './_assert.js'; -/* -noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. -Implements the same algorithms that are present in other files, but without -unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). -*/ -function bytesToNumberLE(bytes) { - return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse())); -} -function numberToBytesLE(n, len) { - return numberToBytesBE(n, len).reverse(); -} -function salsaQR(x, a, b, c, d) { - x[b] ^= rotl((x[a] + x[d]) | 0, 7); - x[c] ^= rotl((x[b] + x[a]) | 0, 9); - x[d] ^= rotl((x[c] + x[b]) | 0, 13); - x[a] ^= rotl((x[d] + x[c]) | 0, 18); -} -// prettier-ignore -function chachaQR(x, a, b, c, d) { - x[a] = (x[a] + x[b]) | 0; - x[d] = rotl(x[d] ^ x[a], 16); - x[c] = (x[c] + x[d]) | 0; - x[b] = rotl(x[b] ^ x[c], 12); - x[a] = (x[a] + x[b]) | 0; - x[d] = rotl(x[d] ^ x[a], 8); - x[c] = (x[c] + x[d]) | 0; - x[b] = rotl(x[b] ^ x[c], 7); -} -function salsaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - salsaQR(x, 0, 4, 8, 12); - salsaQR(x, 5, 9, 13, 1); - salsaQR(x, 10, 14, 2, 6); - salsaQR(x, 15, 3, 7, 11); - salsaQR(x, 0, 1, 2, 3); - salsaQR(x, 5, 6, 7, 4); - salsaQR(x, 10, 11, 8, 9); - salsaQR(x, 15, 12, 13, 14); - } -} -function chachaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - chachaQR(x, 0, 4, 8, 12); - chachaQR(x, 1, 5, 9, 13); - chachaQR(x, 2, 6, 10, 14); - chachaQR(x, 3, 7, 11, 15); - chachaQR(x, 0, 5, 10, 15); - chachaQR(x, 1, 6, 11, 12); - chachaQR(x, 2, 7, 8, 13); - chachaQR(x, 3, 4, 9, 14); - } -} -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], k[0], k[1], k[2], // "expa" Key Key Key - k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce - cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key - k[5], k[6], k[7], s[3], // Key Key Key "te k" - ]); - const x = y.slice(); - salsaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -export function hsalsa(s, k, i, o32) { - const x = new Uint32Array([ - s[0], k[0], k[1], k[2], - k[3], s[1], i[0], i[1], - i[2], i[3], s[2], k[4], - k[5], k[6], k[7], s[3] - ]); - salsaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[5]; - o32[oi++] = x[10]; - o32[oi++] = x[15]; - o32[oi++] = x[6]; - o32[oi++] = x[7]; - o32[oi++] = x[8]; - o32[oi++] = x[9]; -} -function chachaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" - k[0], k[1], k[2], k[3], // Key Key Key Key - k[4], k[5], k[6], k[7], // Key Key Key Key - cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce - ]); - const x = y.slice(); - chachaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -export function hchacha(s, k, i, o32) { - const x = new Uint32Array([ - s[0], s[1], s[2], s[3], - k[0], k[1], k[2], k[3], - k[4], k[5], k[6], k[7], - i[0], i[1], i[2], i[3], - ]); - chachaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[1]; - o32[oi++] = x[2]; - o32[oi++] = x[3]; - o32[oi++] = x[12]; - o32[oi++] = x[13]; - o32[oi++] = x[14]; - o32[oi++] = x[15]; -} -/** - * salsa20, 12-byte nonce. - */ -export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20, 24-byte nonce. - */ -export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. - */ -export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { - allowShortKeys: true, - counterRight: false, - counterLength: 8, -}); -/** - * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. - */ -export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, -}); -/** - * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, -}); -/** - * 8-round chacha from the original paper. - */ -export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * 12-round chacha from the original paper. - */ -export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); -const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); -const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); -const _0 = BigInt(0); -const _1 = BigInt(1); -// Can be speed-up using BigUint64Array, but would be more complicated -export function poly1305(msg, key) { - abytes(msg); - abytes(key); - let acc = _0; - const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; - const s = bytesToNumberLE(key.subarray(16)); - // Process by 16 byte chunks - for (let i = 0; i < msg.length; i += 16) { - const m = msg.subarray(i, i + 16); - const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); - acc = ((acc + n) * r) % POW_2_130_5; - } - const res = (acc + s) & POW_2_128_1; - return numberToBytesLE(res, 16); -} -function computeTag(fn, key, nonce, ciphertext, AAD) { - const res = []; - if (AAD) { - res.push(AAD); - const leftover = AAD.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - } - res.push(ciphertext); - const leftover = ciphertext.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - // Lengths - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - res.push(num); - const authKey = fn(key, nonce, new Uint8Array(32)); - return poly1305(concatBytes(...res), authKey); -} -/** - * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. - */ -export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { - abytes(key); - abytes(nonce); - return { - encrypt: (plaintext) => { - abytes(plaintext); - const m = concatBytes(new Uint8Array(32), plaintext); - const c = xsalsa20(key, nonce, m); - const authKey = c.subarray(0, 32); - const data = c.subarray(32); - const tag = poly1305(data, authKey); - return concatBytes(tag, data); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < 16) - throw new Error('encrypted data must be at least 16 bytes'); - const c = concatBytes(new Uint8Array(16), ciphertext); - const authKey = xsalsa20(key, nonce, new Uint8Array(32)); - const tag = poly1305(c.subarray(32), authKey); - if (!equalBytes(c.subarray(16, 32), tag)) - throw new Error('invalid poly1305 tag'); - return xsalsa20(key, nonce, c).subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20-poly1305 - */ -export function secretbox(key, nonce) { - const xs = xsalsa20poly1305(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -export const _poly1305_aead = (fn) => (key, nonce, AAD) => { - const tagLength = 16; - const keyLength = 32; - abytes(key, keyLength); - abytes(nonce); - return { - encrypt: (plaintext) => { - abytes(plaintext); - const res = fn(key, nonce, plaintext, undefined, 1); - const tag = computeTag(fn, key, nonce, res, AAD); - return concatBytes(res, tag); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - const passedTag = ciphertext.subarray(-tagLength); - const data = ciphertext.subarray(0, -tagLength); - const tag = computeTag(fn, key, nonce, data, AAD); - if (!equalBytes(passedTag, tag)) - throw new Error('invalid poly1305 tag'); - return fn(key, nonce, data, undefined, 1); - }, - }; -}; -/** - * chacha20-poly1305 12-byte-nonce chacha. - */ -export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); -/** - * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); -//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/esm/_poly1305.js b/esm/_poly1305.js deleted file mode 100644 index 883c3a5..0000000 --- a/esm/_poly1305.js +++ /dev/null @@ -1,264 +0,0 @@ -import { exists as aexists, bytes as abytes, output as aoutput } from './_assert.js'; -import { toBytes } from './utils.js'; -// Poly1305 is a fast and parallel secret-key message-authentication code. -// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf -// https://datatracker.ietf.org/doc/html/rfc8439 -// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna -const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); -class Poly1305 { - constructor(key) { - this.blockLen = 16; - this.outputLen = 16; - this.buffer = new Uint8Array(16); - this.r = new Uint16Array(10); - this.h = new Uint16Array(10); - this.pad = new Uint16Array(8); - this.pos = 0; - this.finished = false; - key = toBytes(key); - abytes(key, 32); - const t0 = u8to16(key, 0); - const t1 = u8to16(key, 2); - const t2 = u8to16(key, 4); - const t3 = u8to16(key, 6); - const t4 = u8to16(key, 8); - const t5 = u8to16(key, 10); - const t6 = u8to16(key, 12); - const t7 = u8to16(key, 14); - // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 - this.r[0] = t0 & 0x1fff; - this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; - this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; - this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; - this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; - this.r[5] = (t4 >>> 1) & 0x1ffe; - this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; - this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; - this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; - this.r[9] = (t7 >>> 5) & 0x007f; - for (let i = 0; i < 8; i++) - this.pad[i] = u8to16(key, 16 + 2 * i); - } - process(data, offset, isLast = false) { - const hibit = isLast ? 0 : 1 << 11; - const { h, r } = this; - const r0 = r[0]; - const r1 = r[1]; - const r2 = r[2]; - const r3 = r[3]; - const r4 = r[4]; - const r5 = r[5]; - const r6 = r[6]; - const r7 = r[7]; - const r8 = r[8]; - const r9 = r[9]; - const t0 = u8to16(data, offset + 0); - const t1 = u8to16(data, offset + 2); - const t2 = u8to16(data, offset + 4); - const t3 = u8to16(data, offset + 6); - const t4 = u8to16(data, offset + 8); - const t5 = u8to16(data, offset + 10); - const t6 = u8to16(data, offset + 12); - const t7 = u8to16(data, offset + 14); - let h0 = h[0] + (t0 & 0x1fff); - let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); - let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); - let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); - let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); - let h5 = h[5] + ((t4 >>> 1) & 0x1fff); - let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); - let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); - let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); - let h9 = h[9] + ((t7 >>> 5) | hibit); - let c = 0; - let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); - c = d0 >>> 13; - d0 &= 0x1fff; - d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); - c += d0 >>> 13; - d0 &= 0x1fff; - let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); - c = d1 >>> 13; - d1 &= 0x1fff; - d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); - c += d1 >>> 13; - d1 &= 0x1fff; - let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); - c = d2 >>> 13; - d2 &= 0x1fff; - d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); - c += d2 >>> 13; - d2 &= 0x1fff; - let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); - c = d3 >>> 13; - d3 &= 0x1fff; - d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); - c += d3 >>> 13; - d3 &= 0x1fff; - let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; - c = d4 >>> 13; - d4 &= 0x1fff; - d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); - c += d4 >>> 13; - d4 &= 0x1fff; - let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; - c = d5 >>> 13; - d5 &= 0x1fff; - d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); - c += d5 >>> 13; - d5 &= 0x1fff; - let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; - c = d6 >>> 13; - d6 &= 0x1fff; - d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); - c += d6 >>> 13; - d6 &= 0x1fff; - let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; - c = d7 >>> 13; - d7 &= 0x1fff; - d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); - c += d7 >>> 13; - d7 &= 0x1fff; - let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; - c = d8 >>> 13; - d8 &= 0x1fff; - d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); - c += d8 >>> 13; - d8 &= 0x1fff; - let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; - c = d9 >>> 13; - d9 &= 0x1fff; - d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; - c += d9 >>> 13; - d9 &= 0x1fff; - c = ((c << 2) + c) | 0; - c = (c + d0) | 0; - d0 = c & 0x1fff; - c = c >>> 13; - d1 += c; - h[0] = d0; - h[1] = d1; - h[2] = d2; - h[3] = d3; - h[4] = d4; - h[5] = d5; - h[6] = d6; - h[7] = d7; - h[8] = d8; - h[9] = d9; - } - finalize() { - const { h, pad } = this; - const g = new Uint16Array(10); - let c = h[1] >>> 13; - h[1] &= 0x1fff; - for (let i = 2; i < 10; i++) { - h[i] += c; - c = h[i] >>> 13; - h[i] &= 0x1fff; - } - h[0] += c * 5; - c = h[0] >>> 13; - h[0] &= 0x1fff; - h[1] += c; - c = h[1] >>> 13; - h[1] &= 0x1fff; - h[2] += c; - g[0] = h[0] + 5; - c = g[0] >>> 13; - g[0] &= 0x1fff; - for (let i = 1; i < 10; i++) { - g[i] = h[i] + c; - c = g[i] >>> 13; - g[i] &= 0x1fff; - } - g[9] -= 1 << 13; - let mask = (c ^ 1) - 1; - for (let i = 0; i < 10; i++) - g[i] &= mask; - mask = ~mask; - for (let i = 0; i < 10; i++) - h[i] = (h[i] & mask) | g[i]; - h[0] = (h[0] | (h[1] << 13)) & 0xffff; - h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; - h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; - h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; - h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; - h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; - h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; - h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; - let f = h[0] + pad[0]; - h[0] = f & 0xffff; - for (let i = 1; i < 8; i++) { - f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; - h[i] = f & 0xffff; - } - } - update(data) { - aexists(this); - const { buffer, blockLen } = this; - data = toBytes(data); - const len = data.length; - for (let pos = 0; pos < len;) { - const take = Math.min(blockLen - this.pos, len - pos); - // Fast path: we have at least one block in input - if (take === blockLen) { - for (; blockLen <= len - pos; pos += blockLen) - this.process(data, pos); - continue; - } - buffer.set(data.subarray(pos, pos + take), this.pos); - this.pos += take; - pos += take; - if (this.pos === blockLen) { - this.process(buffer, 0, false); - this.pos = 0; - } - } - return this; - } - destroy() { - this.h.fill(0); - this.r.fill(0); - this.buffer.fill(0); - this.pad.fill(0); - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - const { buffer, h } = this; - let { pos } = this; - if (pos) { - buffer[pos++] = 1; - // buffer.subarray(pos).fill(0); - for (; pos < 16; pos++) - buffer[pos] = 0; - this.process(buffer, 0, true); - } - this.finalize(); - let opos = 0; - for (let i = 0; i < 8; i++) { - out[opos++] = h[i] >>> 0; - out[opos++] = h[i] >>> 8; - } - return out; - } - digest() { - const { buffer, outputLen } = this; - this.digestInto(buffer); - const res = buffer.slice(0, outputLen); - this.destroy(); - return res; - } -} -export function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); - const tmp = hashCons(new Uint8Array(32)); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key) => hashCons(key); - return hashC; -} -export const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); -//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/esm/_polyval.js b/esm/_polyval.js deleted file mode 100644 index 4c64930..0000000 --- a/esm/_polyval.js +++ /dev/null @@ -1,217 +0,0 @@ -import { createView, toBytes, u32 } from './utils.js'; -import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js'; -// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. -// Implemented in terms of GHash with conversion function for keys -// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. -// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf -// GHASH modulo: x^128 + x^7 + x^2 + x + 1 -// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 -const BLOCK_SIZE = 16; -// TODO: rewrite -// temporary padding buffer -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -const ZEROS32 = u32(ZEROS16); -const POLY = 0xe1; // v = 2*v % POLY -// v = 2*v % POLY -// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x -// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) -const mul2 = (s0, s1, s2, s3) => { - const hiBit = s3 & 1; - return { - s3: (s2 << 31) | (s3 >>> 1), - s2: (s1 << 31) | (s2 >>> 1), - s1: (s0 << 31) | (s1 >>> 1), - s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly - }; -}; -const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | - (((n >>> 8) & 0xff) << 16) | - (((n >>> 16) & 0xff) << 8) | - ((n >>> 24) & 0xff) | - 0; -/** - * `mulX_POLYVAL(ByteReverse(H))` from spec - * @param k mutated in place - */ -export function _toGHASHKey(k) { - k.reverse(); - const hiBit = k[15] & 1; - // k >>= 1 - let carry = 0; - for (let i = 0; i < k.length; i++) { - const t = k[i]; - k[i] = (t >>> 1) | carry; - carry = (t & 1) << 7; - } - k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; - return k; -} -const estimateWindow = (bytes) => { - if (bytes > 64 * 1024) - return 8; - if (bytes > 1024) - return 4; - return 2; -}; -class GHASH { - // We select bits per window adaptively based on expectedLength - constructor(key, expectedLength) { - this.blockLen = BLOCK_SIZE; - this.outputLen = BLOCK_SIZE; - this.s0 = 0; - this.s1 = 0; - this.s2 = 0; - this.s3 = 0; - this.finished = false; - key = toBytes(key); - abytes(key, 16); - const kView = createView(key); - let k0 = kView.getUint32(0, false); - let k1 = kView.getUint32(4, false); - let k2 = kView.getUint32(8, false); - let k3 = kView.getUint32(12, false); - // generate table of doubled keys (half of montgomery ladder) - const doubles = []; - for (let i = 0; i < 128; i++) { - doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); - ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); - } - const W = estimateWindow(expectedLength || 1024); - if (![1, 2, 4, 8].includes(W)) - throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); - this.W = W; - const bits = 128; // always 128 bits; - const windows = bits / W; - const windowSize = (this.windowSize = 2 ** W); - const items = []; - // Create precompute table for window of W bits - for (let w = 0; w < windows; w++) { - // truth table: 00, 01, 10, 11 - for (let byte = 0; byte < windowSize; byte++) { - // prettier-ignore - let s0 = 0, s1 = 0, s2 = 0, s3 = 0; - for (let j = 0; j < W; j++) { - const bit = (byte >>> (W - j - 1)) & 1; - if (!bit) - continue; - const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; - (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); - } - items.push({ s0, s1, s2, s3 }); - } - } - this.t = items; - } - _updateBlock(s0, s1, s2, s3) { - (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); - const { W, t, windowSize } = this; - // prettier-ignore - let o0 = 0, o1 = 0, o2 = 0, o3 = 0; - const mask = (1 << W) - 1; // 2**W will kill performance. - let w = 0; - for (const num of [s0, s1, s2, s3]) { - for (let bytePos = 0; bytePos < 4; bytePos++) { - const byte = (num >>> (8 * bytePos)) & 0xff; - for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { - const bit = (byte >>> (W * bitPos)) & mask; - const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; - (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); - w += 1; - } - } - } - this.s0 = o0; - this.s1 = o1; - this.s2 = o2; - this.s3 = o3; - } - update(data) { - data = toBytes(data); - aexists(this); - const b32 = u32(data); - const blocks = Math.floor(data.length / BLOCK_SIZE); - const left = data.length % BLOCK_SIZE; - for (let i = 0; i < blocks; i++) { - this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - destroy() { - const { t } = this; - // clean precompute table - for (const elm of t) { - (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); - } - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - const { s0, s1, s2, s3 } = this; - const o32 = u32(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out; - } - digest() { - const res = new Uint8Array(BLOCK_SIZE); - this.digestInto(res); - this.destroy(); - return res; - } -} -class Polyval extends GHASH { - constructor(key, expectedLength) { - key = toBytes(key); - const ghKey = _toGHASHKey(key.slice()); - super(ghKey, expectedLength); - ghKey.fill(0); - } - update(data) { - data = toBytes(data); - aexists(this); - const b32 = u32(data); - const left = data.length % BLOCK_SIZE; - const blocks = Math.floor(data.length / BLOCK_SIZE); - for (let i = 0; i < blocks; i++) { - this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - // tmp ugly hack - const { s0, s1, s2, s3 } = this; - const o32 = u32(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out.reverse(); - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest(); - const tmp = hashCons(new Uint8Array(16), 0); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key, expectedLength) => hashCons(key, expectedLength); - return hashC; -} -export const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); -export const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); -//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/esm/aes.js b/esm/aes.js deleted file mode 100644 index a26e498..0000000 --- a/esm/aes.js +++ /dev/null @@ -1,628 +0,0 @@ -// prettier-ignore -import { wrapCipher, createView, setBigUint64, equalBytes, u32, u8, } from './utils.js'; -import { ghash, polyval } from './_polyval.js'; -import { bytes as abytes } from './_assert.js'; -/* -AES (Advanced Encryption Standard) aka Rijndael block cipher. - -Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: -1. **S-box**, table substitution -2. **Shift rows**, cyclic shift left of all rows of data array -3. **Mix columns**, multiplying every column by fixed polynomial -4. **Add round key**, round_key xor i-th column of array - -Resources: -- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf -- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf -*/ -const BLOCK_SIZE = 16; -const BLOCK_SIZE32 = 4; -const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); -const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 -// TODO: remove multiplication, binary ops only -function mul2(n) { - return (n << 1) ^ (POLY & -(n >> 7)); -} -function mul(a, b) { - let res = 0; - for (; b > 0; b >>= 1) { - // Montgomery ladder - res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). - a = mul2(a); // a = 2*a - } - return res; -} -// AES S-box is generated using finite field inversion, -// an affine transform, and xor of a constant 0x63. -const sbox = /* @__PURE__ */ (() => { - let t = new Uint8Array(256); - for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) - t[i] = x; - const box = new Uint8Array(256); - box[0] = 0x63; // first elm - for (let i = 0; i < 255; i++) { - let x = t[255 - i]; - x |= x << 8; - box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; - } - return box; -})(); -// Inverted S-box -const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); -// Rotate u32 by 8 -const rotr32_8 = (n) => (n << 24) | (n >>> 8); -const rotl32_8 = (n) => (n << 8) | (n >>> 24); -// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: -// - LE instead of BE -// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; -// so index is u16, instead of u8. This speeds up things, unexpectedly -function genTtable(sbox, fn) { - if (sbox.length !== 256) - throw new Error('Wrong sbox length'); - const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); - const T1 = T0.map(rotl32_8); - const T2 = T1.map(rotl32_8); - const T3 = T2.map(rotl32_8); - const T01 = new Uint32Array(256 * 256); - const T23 = new Uint32Array(256 * 256); - const sbox2 = new Uint16Array(256 * 256); - for (let i = 0; i < 256; i++) { - for (let j = 0; j < 256; j++) { - const idx = i * 256 + j; - T01[idx] = T0[i] ^ T1[j]; - T23[idx] = T2[i] ^ T3[j]; - sbox2[idx] = (sbox[i] << 8) | sbox[j]; - } - } - return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; -} -const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); -const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); -const xPowers = /* @__PURE__ */ (() => { - const p = new Uint8Array(16); - for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) - p[i] = x; - return p; -})(); -export function expandKeyLE(key) { - abytes(key); - const len = key.length; - if (![16, 24, 32].includes(len)) - throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); - const { sbox2 } = tableEncoding; - const k32 = u32(key); - const Nk = k32.length; - const subByte = (n) => applySbox(sbox2, n, n, n, n); - const xk = new Uint32Array(len + 28); // expanded key - xk.set(k32); - // 4.3.1 Key expansion - for (let i = Nk; i < xk.length; i++) { - let t = xk[i - 1]; - if (i % Nk === 0) - t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; - else if (Nk > 6 && i % Nk === 4) - t = subByte(t); - xk[i] = xk[i - Nk] ^ t; - } - return xk; -} -export function expandKeyDecLE(key) { - const encKey = expandKeyLE(key); - const xk = encKey.slice(); - const Nk = encKey.length; - const { sbox2 } = tableEncoding; - const { T0, T1, T2, T3 } = tableDecoding; - // Inverse key by chunks of 4 (rounds) - for (let i = 0; i < Nk; i += 4) { - for (let j = 0; j < 4; j++) - xk[i + j] = encKey[Nk - i - 4 + j]; - } - encKey.fill(0); - // apply InvMixColumn except first & last round - for (let i = 4; i < Nk - 4; i++) { - const x = xk[i]; - const w = applySbox(sbox2, x, x, x, x); - xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; - } - return xk; -} -// Apply tables -function apply0123(T01, T23, s0, s1, s2, s3) { - return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ - T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); -} -function applySbox(sbox2, s0, s1, s2, s3) { - return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | - (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); -} -function encrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableEncoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // last round (without mixcolumns, so using SBOX2 table) - const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function decrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableDecoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // Last round - const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function getDst(len, dst) { - if (!dst) - return new Uint8Array(len); - abytes(dst); - if (dst.length < len) - throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); - return dst; -} -// TODO: investigate merging with ctr32 -function ctrCounter(xk, nonce, src, dst) { - abytes(nonce, BLOCK_SIZE); - abytes(src); - const srcLen = src.length; - dst = getDst(srcLen, dst); - const ctr = nonce; - const c32 = u32(ctr); - // Fill block (empty, ctr=0) - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - const src32 = u32(src); - const dst32 = u32(dst); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - // Full 128 bit counter with wrap around - let carry = 1; - for (let i = ctr.length - 1; i >= 0; i--) { - carry = (carry + (ctr[i] & 0xff)) | 0; - ctr[i] = carry & 0xff; - carry >>>= 8; - } - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than block) - // It's possible to handle > u32 fast, but is it worth it? - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = u8(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -// AES CTR with overflowing 32 bit counter -// It's possible to do 32le significantly simpler (and probably faster) by using u32. -// But, we need both, and perf bottleneck is in ghash anyway. -function ctr32(xk, isLE, nonce, src, dst) { - abytes(nonce, BLOCK_SIZE); - abytes(src); - dst = getDst(src.length, dst); - const ctr = nonce; // write new value to nonce, so it can be re-used - const c32 = u32(ctr); - const view = createView(ctr); - const src32 = u32(src); - const dst32 = u32(dst); - const ctrPos = isLE ? 0 : 12; - const srcLen = src.length; - // Fill block (empty, ctr=0) - let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - ctrNum = (ctrNum + 1) >>> 0; // u32 wrap - view.setUint32(ctrPos, ctrNum, isLE); - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than a block) - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = u8(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -/** - * CTR: counter mode. Creates stream cipher. - * Requires good IV. Parallelizable. OK, but no MAC. - */ -export const ctr = wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { - abytes(key); - abytes(nonce, BLOCK_SIZE); - function processCtr(buf, dst) { - const xk = expandKeyLE(key); - const n = nonce.slice(); - const out = ctrCounter(xk, n, buf, dst); - xk.fill(0); - n.fill(0); - return out; - } - return { - encrypt: (plaintext, dst) => processCtr(plaintext, dst), - decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), - }; -}); -function validateBlockDecrypt(data) { - abytes(data); - if (data.length % BLOCK_SIZE !== 0) { - throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); - } -} -function validateBlockEncrypt(plaintext, pcks5, dst) { - let outLen = plaintext.length; - const remaining = outLen % BLOCK_SIZE; - if (!pcks5 && remaining !== 0) - throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); - const b = u32(plaintext); - if (pcks5) { - let left = BLOCK_SIZE - remaining; - if (!left) - left = BLOCK_SIZE; // if no bytes left, create empty padding block - outLen = outLen + left; - } - const out = getDst(outLen, dst); - const o = u32(out); - return { b, o, out }; -} -function validatePCKS(data, pcks5) { - if (!pcks5) - return data; - const len = data.length; - if (!len) - throw new Error(`aes/pcks5: empty ciphertext not allowed`); - const lastByte = data[len - 1]; - if (lastByte <= 0 || lastByte > 16) - throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); - const out = data.subarray(0, -lastByte); - for (let i = 0; i < lastByte; i++) - if (data[len - i - 1] !== lastByte) - throw new Error(`aes/pcks5: wrong padding`); - return out; -} -function padPCKS(left) { - const tmp = new Uint8Array(16); - const tmp32 = u32(tmp); - tmp.set(left); - const paddingByte = BLOCK_SIZE - left.length; - for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) - tmp[i] = paddingByte; - return tmp32; -} -/** - * ECB: Electronic CodeBook. Simple deterministic replacement. - * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). - */ -export const ecb = wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) { - abytes(key); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - abytes(plaintext); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const xk = expandKeyLE(key); - let i = 0; - for (; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const out = getDst(ciphertext.length, dst); - const b = u32(ciphertext); - const o = u32(out); - for (let i = 0; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -/** - * CBC: Cipher-Block-Chaining. Key is previous round’s block. - * Fragile: needs proper padding. Unauthenticated: needs MAC. - */ -export const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { - abytes(key); - abytes(iv, 16); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - const xk = expandKeyLE(key); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const n32 = u32(iv); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - let i = 0; - for (; i + 4 <= b.length;) { - (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const n32 = u32(iv); - const out = getDst(ciphertext.length, dst); - const b = u32(ciphertext); - const o = u32(out); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - for (let i = 0; i + 4 <= b.length;) { - // prettier-ignore - const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; - (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); - const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); - (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen -function computeTag(fn, isLE, key, data, AAD) { - const h = fn.create(key, data.length + (AAD?.length || 0)); - if (AAD) - h.update(AAD); - h.update(data); - const num = new Uint8Array(16); - const view = createView(num); - if (AAD) - setBigUint64(view, 0, BigInt(AAD.length * 8), isLE); - setBigUint64(view, 8, BigInt(data.length * 8), isLE); - h.update(num); - return h.digest(); -} -/** - * GCM: Galois/Counter Mode. - * Good, modern version of CTR, parallel, with MAC. - * Be careful: MACs can be forged. - */ -export const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { - abytes(nonce); - // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. - if (nonce.length === 0) - throw new Error('aes/gcm: empty nonce'); - const tagLength = 16; - function _computeTag(authKey, tagMask, data) { - const tag = computeTag(ghash, false, authKey, data, AAD); - for (let i = 0; i < tagMask.length; i++) - tag[i] ^= tagMask[i]; - return tag; - } - function deriveKeys() { - const xk = expandKeyLE(key); - const authKey = EMPTY_BLOCK.slice(); - const counter = EMPTY_BLOCK.slice(); - ctr32(xk, false, counter, counter, authKey); - if (nonce.length === 12) { - counter.set(nonce); - } - else { - // Spec (NIST 800-38d) supports variable size nonce. - // Not supported for now, but can be useful. - const nonceLen = EMPTY_BLOCK.slice(); - const view = createView(nonceLen); - setBigUint64(view, 8, BigInt(nonce.length * 8), false); - // ghash(nonce || u64be(0) || u64be(nonceLen*8)) - ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); - } - const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); - return { xk, authKey, counter, tagMask }; - } - return { - encrypt: (plaintext) => { - abytes(plaintext); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const out = new Uint8Array(plaintext.length + tagLength); - ctr32(xk, false, counter, plaintext, out); - const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); - out.set(tag, plaintext.length); - xk.fill(0); - return out; - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = _computeTag(authKey, tagMask, data); - if (!equalBytes(tag, passedTag)) - throw new Error('aes/gcm: invalid ghash tag'); - const out = ctr32(xk, false, counter, data); - authKey.fill(0); - tagMask.fill(0); - xk.fill(0); - return out; - }, - }; -}); -const limit = (name, min, max) => (value) => { - if (!Number.isSafeInteger(value) || min > value || value > max) - throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); -}; -/** - * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. - * Guarantees that, when a nonce is repeated, the only security loss is that identical - * plaintexts will produce identical ciphertexts. - * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 - */ -export const siv = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { - const tagLength = 16; - // From RFC 8452: Section 6 - const AAD_LIMIT = limit('AAD', 0, 2 ** 36); - const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); - const NONCE_LIMIT = limit('nonce', 12, 12); - const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); - abytes(nonce); - NONCE_LIMIT(nonce.length); - if (AAD) { - abytes(AAD); - AAD_LIMIT(AAD.length); - } - function deriveKeys() { - const len = key.length; - if (len !== 16 && len !== 24 && len !== 32) - throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); - const xk = expandKeyLE(key); - const encKey = new Uint8Array(len); - const authKey = new Uint8Array(16); - const n32 = u32(nonce); - // prettier-ignore - let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; - let counter = 0; - for (const derivedKey of [authKey, encKey].map(u32)) { - const d32 = u32(derivedKey); - for (let i = 0; i < d32.length; i += 2) { - // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... - const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); - d32[i + 0] = o0; - d32[i + 1] = o1; - s0 = ++counter; // increment counter inside state - } - } - xk.fill(0); - return { authKey, encKey: expandKeyLE(encKey) }; - } - function _computeTag(encKey, authKey, data) { - const tag = computeTag(polyval, true, authKey, data, AAD); - // Compute the expected tag by XORing S_s and the nonce, clearing the - // most significant bit of the last byte and encrypting with the - // message-encryption key. - for (let i = 0; i < 12; i++) - tag[i] ^= nonce[i]; - tag[15] &= 0x7f; // Clear the highest bit - // encrypt tag as block - const t32 = u32(tag); - // prettier-ignore - let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; - ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); - (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); - return tag; - } - // actual decrypt/encrypt of message. - function processSiv(encKey, tag, input) { - let block = tag.slice(); - block[15] |= 0x80; // Force highest bit - return ctr32(encKey, true, block, input); - } - return { - encrypt: (plaintext) => { - abytes(plaintext); - PLAIN_LIMIT(plaintext.length); - const { encKey, authKey } = deriveKeys(); - const tag = _computeTag(encKey, authKey, plaintext); - const out = new Uint8Array(plaintext.length + tagLength); - out.set(tag, plaintext.length); - out.set(processSiv(encKey, tag, plaintext)); - encKey.fill(0); - authKey.fill(0); - return out; - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - CIPHER_LIMIT(ciphertext.length); - const tag = ciphertext.subarray(-tagLength); - const { encKey, authKey } = deriveKeys(); - const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); - const expectedTag = _computeTag(encKey, authKey, plaintext); - encKey.fill(0); - authKey.fill(0); - if (!equalBytes(tag, expectedTag)) - throw new Error('invalid polyval tag'); - return plaintext; - }, - }; -}); -function isBytes32(a) { - return (a != null && - typeof a === 'object' && - (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); -} -function encryptBlock(xk, block) { - abytes(block, 16); - if (!isBytes32(xk)) - throw new Error('_encryptBlock accepts result of expandKeyLE'); - const b32 = u32(block); - let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -function decryptBlock(xk, block) { - abytes(block, 16); - if (!isBytes32(xk)) - throw new Error('_decryptBlock accepts result of expandKeyLE'); - const b32 = u32(block); - let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -// Highly unsafe private functions for implementing new modes or ciphers based on AES -// Can change at any time, no API guarantees -export const unsafe = { - expandKeyLE, - expandKeyDecLE, - encrypt, - decrypt, - encryptBlock, - decryptBlock, - ctrCounter, - ctr32, -}; -//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/esm/chacha.js b/esm/chacha.js deleted file mode 100644 index e23fcce..0000000 --- a/esm/chacha.js +++ /dev/null @@ -1,318 +0,0 @@ -// prettier-ignore -import { wrapCipher, createView, equalBytes, setBigUint64, } from './utils.js'; -import { poly1305 } from './_poly1305.js'; -import { createCipher, rotl } from './_arx.js'; -import { bytes as abytes } from './_assert.js'; -// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase -// the diffusion per round, but had slightly less cryptanalysis. -// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf -/** - * ChaCha core function. - */ -// prettier-ignore -function chachaCore(s, k, n, out, cnt, rounds = 20) { - let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" - y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key - y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key - y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 7); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hchacha helper method, used primarily in xchacha, to hash - * key and nonce into key' and nonce'. - * Same as chachaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -export function hchacha(s, k, i, o32) { - let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; - for (let r = 0; r < 20; r += 2) { - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 7); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x01; - o32[oi++] = x02; - o32[oi++] = x03; - o32[oi++] = x12; - o32[oi++] = x13; - o32[oi++] = x14; - o32[oi++] = x15; -} -/** - * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. - */ -export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - allowShortKeys: true, -}); -/** - * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - allowShortKeys: false, -}); -/** - * XChaCha eXtended-nonce ChaCha. 24-byte nonce. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, - allowShortKeys: false, -}); -/** - * Reduced 8-round chacha, described in original paper. - */ -export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * Reduced 12-round chacha, described in original paper. - */ -export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -// Pad to digest size with zeros -const updatePadded = (h, msg) => { - h.update(msg); - const left = msg.length % 16; - if (left) - h.update(ZEROS16.subarray(left)); -}; -const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); -function computeTag(fn, key, nonce, data, AAD) { - const authKey = fn(key, nonce, ZEROS32); - const h = poly1305.create(authKey); - if (AAD) - updatePadded(h, AAD); - updatePadded(h, data); - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(data.length), true); - h.update(num); - const res = h.digest(); - authKey.fill(0); - return res; -} -/** - * AEAD algorithm from RFC 8439. - * Salsa20 and chacha (RFC 8439) use poly1305 differently. - * We could have composed them similar to: - * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 - * But it's hard because of authKey: - * In salsa20, authKey changes position in salsa stream. - * In chacha, authKey can't be computed inside computeTag, it modifies the counter. - */ -export const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { - const tagLength = 16; - abytes(key, 32); - abytes(nonce); - return { - encrypt: (plaintext, output) => { - const plength = plaintext.length; - const clength = plength + tagLength; - if (output) { - abytes(output, clength); - } - else { - output = new Uint8Array(clength); - } - xorStream(key, nonce, plaintext, output, 1); - const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); - output.set(tag, plength); // append tag - return output; - }, - decrypt: (ciphertext, output) => { - const clength = ciphertext.length; - const plength = clength - tagLength; - if (clength < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - if (output) { - abytes(output, plength); - } - else { - output = new Uint8Array(plength); - } - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = computeTag(xorStream, key, nonce, data, AAD); - if (!equalBytes(passedTag, tag)) - throw new Error('invalid tag'); - xorStream(key, nonce, data, output, 1); - return output; - }, - }; -}; -/** - * ChaCha20-Poly1305 from RFC 8439. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); -/** - * XChaCha20-Poly1305 extended-nonce chacha. - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); -//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/esm/crypto.js b/esm/crypto.js deleted file mode 100644 index 63bf63e..0000000 --- a/esm/crypto.js +++ /dev/null @@ -1,12 +0,0 @@ -const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; -export function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -export function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/esm/cryptoNode.js b/esm/cryptoNode.js deleted file mode 100644 index 956ce1b..0000000 --- a/esm/cryptoNode.js +++ /dev/null @@ -1,17 +0,0 @@ -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// See utils.ts for details. -// The file will throw on node.js 14 and earlier. -// @ts-ignore -import * as nc from 'node:crypto'; -const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; -export function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -export function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/ff1.js b/esm/ff1.js deleted file mode 100644 index 33907e1..0000000 --- a/esm/ff1.js +++ /dev/null @@ -1,149 +0,0 @@ -import { bytesToNumberBE, numberToBytesBE } from './utils.js'; -import { unsafe } from './aes.js'; -// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow -const { expandKeyLE, encryptBlock } = unsafe; -// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. -// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf -const BLOCK_LEN = 16; -function mod(a, b) { - const result = a % b; - return result >= 0 ? result : b + result; -} -function NUMradix(radix, data) { - let res = BigInt(0); - for (let i of data) - res = res * BigInt(radix) + BigInt(i); - return res; -} -function getRound(radix, key, tweak, x) { - if (radix > 2 ** 16 - 1) - throw new Error(`Invalid radix: ${radix}`); - // radix**minlen ≥ 100 - const minLen = Math.ceil(Math.log(100) / Math.log(radix)); - const maxLen = 2 ** 32 - 1; - // 2 ≤ minlen ≤ maxlen < 2**32 - if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) - throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); - if (x.length < minLen || x.length > maxLen) - throw new Error('X is outside minLen..maxLen bounds'); - const u = Math.floor(x.length / 2); - const v = x.length - u; - const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); - const d = 4 * Math.ceil(b / 4) + 4; - const padding = mod(-tweak.length - b - 1, 16); - // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. - const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); - const view = new DataView(P.buffer); - view.setUint16(4, radix, false); - view.setUint32(8, x.length, false); - view.setUint32(12, tweak.length, false); - // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. - const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); - PQ.set(P); - P.fill(0); - PQ.set(tweak, P.length); - const xk = expandKeyLE(key); - const round = (A, B, i, decrypt = false) => { - // Q = ... || [i]1 || [NUMradix(B)]b. - PQ[PQ.length - b - 1] = i; - if (b) - PQ.set(numberToBytesBE(NUMradix(radix, B), b), PQ.length - b); - // PRF - let r = new Uint8Array(16); - for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { - for (let i = 0; i < BLOCK_LEN; i++) - r[i] ^= PQ[j * BLOCK_LEN + i]; - encryptBlock(xk, r); - } - // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: - // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). - let s = Array.from(r); - for (let j = 1; s.length < d; j++) { - const block = numberToBytesBE(BigInt(j), 16); - for (let k = 0; k < BLOCK_LEN; k++) - block[k] ^= r[k]; - s.push(...Array.from(encryptBlock(xk, block))); - } - let y = bytesToNumberBE(Uint8Array.from(s.slice(0, d))); - s.fill(0); - if (decrypt) - y = -y; - const m = i % 2 === 0 ? u : v; - let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); - // STR(radix, m, c) - const C = Array(m).fill(0); - for (let i = 0; i < m; i++, c /= BigInt(radix)) - C[m - 1 - i] = Number(c % BigInt(radix)); - A.fill(0); - A = B; - B = C; - return [A, B]; - }; - const destroy = () => { - xk.fill(0); - PQ.fill(0); - }; - return { u, round, destroy }; -} -const EMPTY_BUF = new Uint8Array([]); -export function FF1(radix, key, tweak = EMPTY_BUF) { - const PQ = getRound.bind(null, radix, key, tweak); - return { - encrypt(x) { - const { u, round, destroy } = PQ(x); - let [A, B] = [x.slice(0, u), x.slice(u)]; - for (let i = 0; i < 10; i++) - [A, B] = round(A, B, i); - destroy(); - const res = A.concat(B); - A.fill(0); - B.fill(0); - return res; - }, - decrypt(x) { - const { u, round, destroy } = PQ(x); - // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; - // the differences are in Step 6, where: - // 1) the order of the indices is reversed, - // 2) the roles of A and B are swapped - // 3) modular addition is replaced by modular subtraction, in Step 6vi. - let [B, A] = [x.slice(0, u), x.slice(u)]; - for (let i = 9; i >= 0; i--) - [A, B] = round(A, B, i, true); - destroy(); - const res = B.concat(A); - A.fill(0); - B.fill(0); - return res; - }, - }; -} -// Binary string which encodes each byte in little-endian byte order -const binLE = { - encode(bytes) { - const x = []; - for (let i = 0; i < bytes.length; i++) { - for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) - x.push(tmp & 1); - } - return x; - }, - decode(b) { - if (b.length % 8) - throw new Error('Invalid binary string'); - const res = new Uint8Array(b.length / 8); - for (let i = 0, j = 0; i < res.length; i++) { - res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); - res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); - } - return res; - }, -}; -export function BinaryFF1(key, tweak = EMPTY_BUF) { - const ff1 = FF1(2, key, tweak); - return { - encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), - decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), - }; -} -//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/esm/index.js b/esm/index.js deleted file mode 100644 index 9a9d7ac..0000000 --- a/esm/index.js +++ /dev/null @@ -1,3 +0,0 @@ -throw new Error('noble-ciphers have no entry-point: consult README for usage'); -export {}; -//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/salsa.js b/esm/salsa.js deleted file mode 100644 index a956d46..0000000 --- a/esm/salsa.js +++ /dev/null @@ -1,205 +0,0 @@ -import { bytes as abytes } from './_assert.js'; -import { createCipher, rotl } from './_arx.js'; -import { poly1305 } from './_poly1305.js'; -import { wrapCipher, equalBytes } from './utils.js'; -// Salsa20 stream cipher was released in 2005. -// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, -// which are hard to implement in a constant-time manner. -// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf -/** - * Salsa20 core function. - */ -// prettier-ignore -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // Based on https://cr.yp.to/salsa20.html - let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key - y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce - y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key - y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x04 ^= rotl(x00 + x12 | 0, 7); - x08 ^= rotl(x04 + x00 | 0, 9); - x12 ^= rotl(x08 + x04 | 0, 13); - x00 ^= rotl(x12 + x08 | 0, 18); - x09 ^= rotl(x05 + x01 | 0, 7); - x13 ^= rotl(x09 + x05 | 0, 9); - x01 ^= rotl(x13 + x09 | 0, 13); - x05 ^= rotl(x01 + x13 | 0, 18); - x14 ^= rotl(x10 + x06 | 0, 7); - x02 ^= rotl(x14 + x10 | 0, 9); - x06 ^= rotl(x02 + x14 | 0, 13); - x10 ^= rotl(x06 + x02 | 0, 18); - x03 ^= rotl(x15 + x11 | 0, 7); - x07 ^= rotl(x03 + x15 | 0, 9); - x11 ^= rotl(x07 + x03 | 0, 13); - x15 ^= rotl(x11 + x07 | 0, 18); - x01 ^= rotl(x00 + x03 | 0, 7); - x02 ^= rotl(x01 + x00 | 0, 9); - x03 ^= rotl(x02 + x01 | 0, 13); - x00 ^= rotl(x03 + x02 | 0, 18); - x06 ^= rotl(x05 + x04 | 0, 7); - x07 ^= rotl(x06 + x05 | 0, 9); - x04 ^= rotl(x07 + x06 | 0, 13); - x05 ^= rotl(x04 + x07 | 0, 18); - x11 ^= rotl(x10 + x09 | 0, 7); - x08 ^= rotl(x11 + x10 | 0, 9); - x09 ^= rotl(x08 + x11 | 0, 13); - x10 ^= rotl(x09 + x08 | 0, 18); - x12 ^= rotl(x15 + x14 | 0, 7); - x13 ^= rotl(x12 + x15 | 0, 9); - x14 ^= rotl(x13 + x12 | 0, 13); - x15 ^= rotl(x14 + x13 | 0, 18); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hsalsa hashing function, used primarily in xsalsa, to hash - * key and nonce into key' and nonce'. - * Same as salsaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -export function hsalsa(s, k, i, o32) { - let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; - for (let r = 0; r < 20; r += 2) { - x04 ^= rotl(x00 + x12 | 0, 7); - x08 ^= rotl(x04 + x00 | 0, 9); - x12 ^= rotl(x08 + x04 | 0, 13); - x00 ^= rotl(x12 + x08 | 0, 18); - x09 ^= rotl(x05 + x01 | 0, 7); - x13 ^= rotl(x09 + x05 | 0, 9); - x01 ^= rotl(x13 + x09 | 0, 13); - x05 ^= rotl(x01 + x13 | 0, 18); - x14 ^= rotl(x10 + x06 | 0, 7); - x02 ^= rotl(x14 + x10 | 0, 9); - x06 ^= rotl(x02 + x14 | 0, 13); - x10 ^= rotl(x06 + x02 | 0, 18); - x03 ^= rotl(x15 + x11 | 0, 7); - x07 ^= rotl(x03 + x15 | 0, 9); - x11 ^= rotl(x07 + x03 | 0, 13); - x15 ^= rotl(x11 + x07 | 0, 18); - x01 ^= rotl(x00 + x03 | 0, 7); - x02 ^= rotl(x01 + x00 | 0, 9); - x03 ^= rotl(x02 + x01 | 0, 13); - x00 ^= rotl(x03 + x02 | 0, 18); - x06 ^= rotl(x05 + x04 | 0, 7); - x07 ^= rotl(x06 + x05 | 0, 9); - x04 ^= rotl(x07 + x06 | 0, 13); - x05 ^= rotl(x04 + x07 | 0, 18); - x11 ^= rotl(x10 + x09 | 0, 7); - x08 ^= rotl(x11 + x10 | 0, 9); - x09 ^= rotl(x08 + x11 | 0, 13); - x10 ^= rotl(x09 + x08 | 0, 18); - x12 ^= rotl(x15 + x14 | 0, 7); - x13 ^= rotl(x12 + x15 | 0, 9); - x14 ^= rotl(x13 + x12 | 0, 13); - x15 ^= rotl(x14 + x13 | 0, 18); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x05; - o32[oi++] = x10; - o32[oi++] = x15; - o32[oi++] = x06; - o32[oi++] = x07; - o32[oi++] = x08; - o32[oi++] = x09; -} -/** - * Salsa20 from original paper. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * xsalsa20-poly1305 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * Also known as secretbox from libsodium / nacl. - */ -export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { - const tagLength = 16; - abytes(key, 32); - abytes(nonce, 24); - return { - encrypt: (plaintext, output) => { - abytes(plaintext); - // This is small optimization (calculate auth key with same call as encryption itself) makes it hard - // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) - const clength = plaintext.length + 32; - if (output) { - abytes(output, clength); - } - else { - output = new Uint8Array(clength); - } - output.set(plaintext, 32); - xsalsa20(key, nonce, output, output); - const authKey = output.subarray(0, 32); - const tag = poly1305(output.subarray(32), authKey); - // Clean auth key, even though JS provides no guarantees about memory cleaning - output.set(tag, tagLength); - output.subarray(0, tagLength).fill(0); - return output.subarray(tagLength); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - const clength = ciphertext.length; - if (clength < tagLength) - throw new Error('encrypted data should be at least 16 bytes'); - // Create new ciphertext array: - // auth tag auth tag from ciphertext ciphertext - // [bytes 0..16] [bytes 16..32] [bytes 32..] - // 16 instead of 32, because we already have 16 byte tag - const ciphertext_ = new Uint8Array(clength + tagLength); // alloc - ciphertext_.set(ciphertext, tagLength); - // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference - // Separate call to calculate authkey, since first bytes contains tag - const authKey = xsalsa20(key, nonce, new Uint8Array(32)); // alloc(32) - const tag = poly1305(ciphertext_.subarray(32), authKey); - if (!equalBytes(ciphertext_.subarray(16, 32), tag)) - throw new Error('invalid tag'); - const plaintext = xsalsa20(key, nonce, ciphertext_); // alloc - // Clean auth key, even though JS provides no guarantees about memory cleaning - plaintext.subarray(0, 32).fill(0); - authKey.fill(0); - return plaintext.subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl - */ -export function secretbox(key, nonce) { - const xs = xsalsa20poly1305(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/esm/utils.js b/esm/utils.js deleted file mode 100644 index 90ceb2e..0000000 --- a/esm/utils.js +++ /dev/null @@ -1,182 +0,0 @@ -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -import { bytes as abytes, isBytes } from './_assert.js'; -// Cast array to different type -export const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); -export const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); -export const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); -// Cast array to view -export const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); -// big-endian hardware is rare. Just in case someone still decides to run ciphers: -// early-throw an error because we don't support BE yet. -export const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; -if (!isLE) - throw new Error('Non little-endian hardware is not supported'); -// Array where index 0xf0 (240) is mapped to string 'f0' -const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); -/** - * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' - */ -export function bytesToHex(bytes) { - abytes(bytes); - // pre-caching improves the speed 6x - let hex = ''; - for (let i = 0; i < bytes.length; i++) { - hex += hexes[bytes[i]]; - } - return hex; -} -// We use optimized technique to convert hex string to byte array -const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; -function asciiToBase16(char) { - if (char >= asciis._0 && char <= asciis._9) - return char - asciis._0; - if (char >= asciis._A && char <= asciis._F) - return char - (asciis._A - 10); - if (char >= asciis._a && char <= asciis._f) - return char - (asciis._a - 10); - return; -} -/** - * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) - */ -export function hexToBytes(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - const hl = hex.length; - const al = hl / 2; - if (hl % 2) - throw new Error('padded hex string expected, got unpadded hex of length ' + hl); - const array = new Uint8Array(al); - for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { - const n1 = asciiToBase16(hex.charCodeAt(hi)); - const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); - if (n1 === undefined || n2 === undefined) { - const char = hex[hi] + hex[hi + 1]; - throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); - } - array[ai] = n1 * 16 + n2; - } - return array; -} -export function hexToNumber(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - // Big Endian - return BigInt(hex === '' ? '0' : `0x${hex}`); -} -// BE: Big Endian, LE: Little Endian -export function bytesToNumberBE(bytes) { - return hexToNumber(bytesToHex(bytes)); -} -export function numberToBytesBE(n, len) { - return hexToBytes(n.toString(16).padStart(len * 2, '0')); -} -// There is no setImmediate in browser and setTimeout is slow. -// call of async fn will return Promise, which will be fullfiled only on -// next scheduler queue processing step and this is exactly what we need. -export const nextTick = async () => { }; -// Returns control to thread each 'tick' ms to avoid blocking -export async function asyncLoop(iters, tick, cb) { - let ts = Date.now(); - for (let i = 0; i < iters; i++) { - cb(i); - // Date.now() is not monotonic, so in case if clock goes backwards we return return control too - const diff = Date.now() - ts; - if (diff >= 0 && diff < tick) - continue; - await nextTick(); - ts += diff; - } -} -/** - * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) - */ -export function utf8ToBytes(str) { - if (typeof str !== 'string') - throw new Error(`string expected, got ${typeof str}`); - return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 -} -/** - * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' - */ -export function bytesToUtf8(bytes) { - return new TextDecoder().decode(bytes); -} -/** - * Normalizes (non-hex) string or Uint8Array to Uint8Array. - * Warning: when Uint8Array is passed, it would NOT get copied. - * Keep in mind for future mutable operations. - */ -export function toBytes(data) { - if (typeof data === 'string') - data = utf8ToBytes(data); - else if (isBytes(data)) - data = data.slice(); - else - throw new Error(`Uint8Array expected, got ${typeof data}`); - return data; -} -/** - * Copies several Uint8Arrays into one. - */ -export function concatBytes(...arrays) { - let sum = 0; - for (let i = 0; i < arrays.length; i++) { - const a = arrays[i]; - abytes(a); - sum += a.length; - } - const res = new Uint8Array(sum); - for (let i = 0, pad = 0; i < arrays.length; i++) { - const a = arrays[i]; - res.set(a, pad); - pad += a.length; - } - return res; -} -export function checkOpts(defaults, opts) { - if (opts == null || typeof opts !== 'object') - throw new Error('options must be defined'); - const merged = Object.assign(defaults, opts); - return merged; -} -// Compares 2 u8a-s in kinda constant time -export function equalBytes(a, b) { - if (a.length !== b.length) - return false; - let diff = 0; - for (let i = 0; i < a.length; i++) - diff |= a[i] ^ b[i]; - return diff === 0; -} -// For runtime check if class implements interface -export class Hash { -} -/** - * @__NO_SIDE_EFFECTS__ - */ -export const wrapCipher = (params, c) => { - Object.assign(c, params); - return c; -}; -// Polyfill for Safari 14 -export function setBigUint64(view, byteOffset, value, isLE) { - if (typeof view.setBigUint64 === 'function') - return view.setBigUint64(byteOffset, value, isLE); - const _32n = BigInt(32); - const _u32_max = BigInt(0xffffffff); - const wh = Number((value >> _32n) & _u32_max); - const wl = Number(value & _u32_max); - const h = isLE ? 4 : 0; - const l = isLE ? 0 : 4; - view.setUint32(byteOffset + h, wh, isLE); - view.setUint32(byteOffset + l, wl, isLE); -} -export function u64Lengths(ciphertext, AAD) { - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - return num; -} -//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js deleted file mode 100644 index b7b9388..0000000 --- a/esm/webcrypto.js +++ /dev/null @@ -1,96 +0,0 @@ -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// node.js versions earlier than v19 don't declare it in global scope. -// For node.js, package.js on#exports field mapping rewrites import -// from `crypto` to `cryptoNode`, which imports native module. -// Makes the utils un-importable in browsers without a bundler. -// Once node.js 18 is deprecated, we can just drop the import. -import { randomBytes, getWebcryptoSubtle } from './crypto.js'; -import { concatBytes } from './utils.js'; -import { number } from './_assert.js'; -import { bytes as abytes } from './_assert.js'; -/** - * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS. - */ -export { randomBytes, getWebcryptoSubtle }; -// Uses CSPRG for nonce, nonce injected in ciphertext -export function managedNonce(fn) { - number(fn.nonceLength); - return ((key, ...args) => ({ - encrypt: (plaintext, ...argsEnc) => { - const { nonceLength } = fn; - const nonce = randomBytes(nonceLength); - const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); - const out = concatBytes(nonce, ciphertext); - ciphertext.fill(0); - return out; - }, - decrypt: (ciphertext, ...argsDec) => { - const { nonceLength } = fn; - const nonce = ciphertext.subarray(0, nonceLength); - const data = ciphertext.subarray(nonceLength); - return fn(key, nonce, ...args).decrypt(data, ...argsDec); - }, - })); -} -// Overridable -export const utils = { - async encrypt(key, keyParams, cryptParams, plaintext) { - const cr = getWebcryptoSubtle(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); - const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); - return new Uint8Array(ciphertext); - }, - async decrypt(key, keyParams, cryptParams, ciphertext) { - const cr = getWebcryptoSubtle(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); - const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); - return new Uint8Array(plaintext); - }, -}; -function getCryptParams(algo, nonce, AAD) { - if (algo === "AES-CBC" /* BlockMode.CBC */) - return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; - if (algo === "AES-CTR" /* BlockMode.CTR */) - return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; - if (algo === "AES-GCM" /* BlockMode.GCM */) - return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; - throw new Error('unknown aes block mode'); -} -function generate(algo) { - return (key, nonce, AAD) => { - abytes(key); - abytes(nonce); - // const keyLength = key.length; - const keyParams = { name: algo, length: key.length * 8 }; - const cryptParams = getCryptParams(algo, nonce, AAD); - return { - // keyLength, - encrypt(plaintext) { - abytes(plaintext); - return utils.encrypt(key, keyParams, cryptParams, plaintext); - }, - decrypt(ciphertext) { - abytes(ciphertext); - return utils.decrypt(key, keyParams, cryptParams, ciphertext); - }, - }; - }; -} -export const cbc = generate("AES-CBC" /* BlockMode.CBC */); -export const ctr = generate("AES-CTR" /* BlockMode.CTR */); -export const gcm = generate("AES-GCM" /* BlockMode.GCM */); -// // Type tests -// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; -// import { xsalsa20poly1305 } from '../salsa.js'; -// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; -// const wsiv = managedNonce(siv); -// const wgcm = managedNonce(gcm); -// const wctr = managedNonce(ctr); -// const wcbc = managedNonce(cbc); -// const wsalsapoly = managedNonce(xsalsa20poly1305); -// const wchacha = managedNonce(chacha20poly1305); -// const wxchacha = managedNonce(xchacha20poly1305); -// // should fail -// const wcbc2 = managedNonce(managedNonce(cbc)); -// const wecb = managedNonce(ecb); -//# sourceMappingURL=webcrypto.js.map \ No newline at end of file diff --git a/ff1.js b/ff1.js deleted file mode 100644 index 38018e7..0000000 --- a/ff1.js +++ /dev/null @@ -1,154 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.BinaryFF1 = exports.FF1 = void 0; -const utils_js_1 = require("./utils.js"); -const aes_js_1 = require("./aes.js"); -// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow -const { expandKeyLE, encryptBlock } = aes_js_1.unsafe; -// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. -// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf -const BLOCK_LEN = 16; -function mod(a, b) { - const result = a % b; - return result >= 0 ? result : b + result; -} -function NUMradix(radix, data) { - let res = BigInt(0); - for (let i of data) - res = res * BigInt(radix) + BigInt(i); - return res; -} -function getRound(radix, key, tweak, x) { - if (radix > 2 ** 16 - 1) - throw new Error(`Invalid radix: ${radix}`); - // radix**minlen ≥ 100 - const minLen = Math.ceil(Math.log(100) / Math.log(radix)); - const maxLen = 2 ** 32 - 1; - // 2 ≤ minlen ≤ maxlen < 2**32 - if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) - throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); - if (x.length < minLen || x.length > maxLen) - throw new Error('X is outside minLen..maxLen bounds'); - const u = Math.floor(x.length / 2); - const v = x.length - u; - const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); - const d = 4 * Math.ceil(b / 4) + 4; - const padding = mod(-tweak.length - b - 1, 16); - // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. - const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); - const view = new DataView(P.buffer); - view.setUint16(4, radix, false); - view.setUint32(8, x.length, false); - view.setUint32(12, tweak.length, false); - // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. - const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); - PQ.set(P); - P.fill(0); - PQ.set(tweak, P.length); - const xk = expandKeyLE(key); - const round = (A, B, i, decrypt = false) => { - // Q = ... || [i]1 || [NUMradix(B)]b. - PQ[PQ.length - b - 1] = i; - if (b) - PQ.set((0, utils_js_1.numberToBytesBE)(NUMradix(radix, B), b), PQ.length - b); - // PRF - let r = new Uint8Array(16); - for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { - for (let i = 0; i < BLOCK_LEN; i++) - r[i] ^= PQ[j * BLOCK_LEN + i]; - encryptBlock(xk, r); - } - // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: - // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). - let s = Array.from(r); - for (let j = 1; s.length < d; j++) { - const block = (0, utils_js_1.numberToBytesBE)(BigInt(j), 16); - for (let k = 0; k < BLOCK_LEN; k++) - block[k] ^= r[k]; - s.push(...Array.from(encryptBlock(xk, block))); - } - let y = (0, utils_js_1.bytesToNumberBE)(Uint8Array.from(s.slice(0, d))); - s.fill(0); - if (decrypt) - y = -y; - const m = i % 2 === 0 ? u : v; - let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); - // STR(radix, m, c) - const C = Array(m).fill(0); - for (let i = 0; i < m; i++, c /= BigInt(radix)) - C[m - 1 - i] = Number(c % BigInt(radix)); - A.fill(0); - A = B; - B = C; - return [A, B]; - }; - const destroy = () => { - xk.fill(0); - PQ.fill(0); - }; - return { u, round, destroy }; -} -const EMPTY_BUF = new Uint8Array([]); -function FF1(radix, key, tweak = EMPTY_BUF) { - const PQ = getRound.bind(null, radix, key, tweak); - return { - encrypt(x) { - const { u, round, destroy } = PQ(x); - let [A, B] = [x.slice(0, u), x.slice(u)]; - for (let i = 0; i < 10; i++) - [A, B] = round(A, B, i); - destroy(); - const res = A.concat(B); - A.fill(0); - B.fill(0); - return res; - }, - decrypt(x) { - const { u, round, destroy } = PQ(x); - // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; - // the differences are in Step 6, where: - // 1) the order of the indices is reversed, - // 2) the roles of A and B are swapped - // 3) modular addition is replaced by modular subtraction, in Step 6vi. - let [B, A] = [x.slice(0, u), x.slice(u)]; - for (let i = 9; i >= 0; i--) - [A, B] = round(A, B, i, true); - destroy(); - const res = B.concat(A); - A.fill(0); - B.fill(0); - return res; - }, - }; -} -exports.FF1 = FF1; -// Binary string which encodes each byte in little-endian byte order -const binLE = { - encode(bytes) { - const x = []; - for (let i = 0; i < bytes.length; i++) { - for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) - x.push(tmp & 1); - } - return x; - }, - decode(b) { - if (b.length % 8) - throw new Error('Invalid binary string'); - const res = new Uint8Array(b.length / 8); - for (let i = 0, j = 0; i < res.length; i++) { - res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); - res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); - } - return res; - }, -}; -function BinaryFF1(key, tweak = EMPTY_BUF) { - const ff1 = FF1(2, key, tweak); - return { - encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), - decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), - }; -} -exports.BinaryFF1 = BinaryFF1; -//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/index.js b/index.js deleted file mode 100644 index 5a9cbf1..0000000 --- a/index.js +++ /dev/null @@ -1,3 +0,0 @@ -"use strict"; -throw new Error('noble-ciphers have no entry-point: consult README for usage'); -//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/salsa.js b/salsa.js deleted file mode 100644 index 7e151ce..0000000 --- a/salsa.js +++ /dev/null @@ -1,210 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.secretbox = exports.xsalsa20poly1305 = exports.xsalsa20 = exports.salsa20 = exports.hsalsa = void 0; -const _assert_js_1 = require("./_assert.js"); -const _arx_js_1 = require("./_arx.js"); -const _poly1305_js_1 = require("./_poly1305.js"); -const utils_js_1 = require("./utils.js"); -// Salsa20 stream cipher was released in 2005. -// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, -// which are hard to implement in a constant-time manner. -// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf -/** - * Salsa20 core function. - */ -// prettier-ignore -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // Based on https://cr.yp.to/salsa20.html - let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key - y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce - y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key - y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); - x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); - x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); - x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); - x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); - x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); - x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); - x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); - x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); - x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); - x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); - x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); - x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); - x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); - x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); - x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hsalsa hashing function, used primarily in xsalsa, to hash - * key and nonce into key' and nonce'. - * Same as salsaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -function hsalsa(s, k, i, o32) { - let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; - for (let r = 0; r < 20; r += 2) { - x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); - x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); - x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); - x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); - x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); - x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); - x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); - x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); - x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); - x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); - x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); - x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); - x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); - x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); - x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); - x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x05; - o32[oi++] = x10; - o32[oi++] = x15; - o32[oi++] = x06; - o32[oi++] = x07; - o32[oi++] = x08; - o32[oi++] = x09; -} -exports.hsalsa = hsalsa; -/** - * Salsa20 from original paper. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * xsalsa20-poly1305 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * Also known as secretbox from libsodium / nacl. - */ -exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { - const tagLength = 16; - (0, _assert_js_1.bytes)(key, 32); - (0, _assert_js_1.bytes)(nonce, 24); - return { - encrypt: (plaintext, output) => { - (0, _assert_js_1.bytes)(plaintext); - // This is small optimization (calculate auth key with same call as encryption itself) makes it hard - // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) - const clength = plaintext.length + 32; - if (output) { - (0, _assert_js_1.bytes)(output, clength); - } - else { - output = new Uint8Array(clength); - } - output.set(plaintext, 32); - (0, exports.xsalsa20)(key, nonce, output, output); - const authKey = output.subarray(0, 32); - const tag = (0, _poly1305_js_1.poly1305)(output.subarray(32), authKey); - // Clean auth key, even though JS provides no guarantees about memory cleaning - output.set(tag, tagLength); - output.subarray(0, tagLength).fill(0); - return output.subarray(tagLength); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - const clength = ciphertext.length; - if (clength < tagLength) - throw new Error('encrypted data should be at least 16 bytes'); - // Create new ciphertext array: - // auth tag auth tag from ciphertext ciphertext - // [bytes 0..16] [bytes 16..32] [bytes 32..] - // 16 instead of 32, because we already have 16 byte tag - const ciphertext_ = new Uint8Array(clength + tagLength); // alloc - ciphertext_.set(ciphertext, tagLength); - // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference - // Separate call to calculate authkey, since first bytes contains tag - const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); // alloc(32) - const tag = (0, _poly1305_js_1.poly1305)(ciphertext_.subarray(32), authKey); - if (!(0, utils_js_1.equalBytes)(ciphertext_.subarray(16, 32), tag)) - throw new Error('invalid tag'); - const plaintext = (0, exports.xsalsa20)(key, nonce, ciphertext_); // alloc - // Clean auth key, even though JS provides no guarantees about memory cleaning - plaintext.subarray(0, 32).fill(0); - authKey.fill(0); - return plaintext.subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl - */ -function secretbox(key, nonce) { - const xs = (0, exports.xsalsa20poly1305)(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -exports.secretbox = secretbox; -//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/utils.js b/utils.js deleted file mode 100644 index 00cb4c2..0000000 --- a/utils.js +++ /dev/null @@ -1,206 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.u64Lengths = exports.setBigUint64 = exports.wrapCipher = exports.Hash = exports.equalBytes = exports.checkOpts = exports.concatBytes = exports.toBytes = exports.bytesToUtf8 = exports.utf8ToBytes = exports.asyncLoop = exports.nextTick = exports.numberToBytesBE = exports.bytesToNumberBE = exports.hexToNumber = exports.hexToBytes = exports.bytesToHex = exports.isLE = exports.createView = exports.u32 = exports.u16 = exports.u8 = void 0; -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -const _assert_js_1 = require("./_assert.js"); -// Cast array to different type -const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); -exports.u8 = u8; -const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); -exports.u16 = u16; -const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); -exports.u32 = u32; -// Cast array to view -const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); -exports.createView = createView; -// big-endian hardware is rare. Just in case someone still decides to run ciphers: -// early-throw an error because we don't support BE yet. -exports.isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; -if (!exports.isLE) - throw new Error('Non little-endian hardware is not supported'); -// Array where index 0xf0 (240) is mapped to string 'f0' -const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); -/** - * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' - */ -function bytesToHex(bytes) { - (0, _assert_js_1.bytes)(bytes); - // pre-caching improves the speed 6x - let hex = ''; - for (let i = 0; i < bytes.length; i++) { - hex += hexes[bytes[i]]; - } - return hex; -} -exports.bytesToHex = bytesToHex; -// We use optimized technique to convert hex string to byte array -const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; -function asciiToBase16(char) { - if (char >= asciis._0 && char <= asciis._9) - return char - asciis._0; - if (char >= asciis._A && char <= asciis._F) - return char - (asciis._A - 10); - if (char >= asciis._a && char <= asciis._f) - return char - (asciis._a - 10); - return; -} -/** - * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) - */ -function hexToBytes(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - const hl = hex.length; - const al = hl / 2; - if (hl % 2) - throw new Error('padded hex string expected, got unpadded hex of length ' + hl); - const array = new Uint8Array(al); - for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { - const n1 = asciiToBase16(hex.charCodeAt(hi)); - const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); - if (n1 === undefined || n2 === undefined) { - const char = hex[hi] + hex[hi + 1]; - throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); - } - array[ai] = n1 * 16 + n2; - } - return array; -} -exports.hexToBytes = hexToBytes; -function hexToNumber(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - // Big Endian - return BigInt(hex === '' ? '0' : `0x${hex}`); -} -exports.hexToNumber = hexToNumber; -// BE: Big Endian, LE: Little Endian -function bytesToNumberBE(bytes) { - return hexToNumber(bytesToHex(bytes)); -} -exports.bytesToNumberBE = bytesToNumberBE; -function numberToBytesBE(n, len) { - return hexToBytes(n.toString(16).padStart(len * 2, '0')); -} -exports.numberToBytesBE = numberToBytesBE; -// There is no setImmediate in browser and setTimeout is slow. -// call of async fn will return Promise, which will be fullfiled only on -// next scheduler queue processing step and this is exactly what we need. -const nextTick = async () => { }; -exports.nextTick = nextTick; -// Returns control to thread each 'tick' ms to avoid blocking -async function asyncLoop(iters, tick, cb) { - let ts = Date.now(); - for (let i = 0; i < iters; i++) { - cb(i); - // Date.now() is not monotonic, so in case if clock goes backwards we return return control too - const diff = Date.now() - ts; - if (diff >= 0 && diff < tick) - continue; - await (0, exports.nextTick)(); - ts += diff; - } -} -exports.asyncLoop = asyncLoop; -/** - * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) - */ -function utf8ToBytes(str) { - if (typeof str !== 'string') - throw new Error(`string expected, got ${typeof str}`); - return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 -} -exports.utf8ToBytes = utf8ToBytes; -/** - * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' - */ -function bytesToUtf8(bytes) { - return new TextDecoder().decode(bytes); -} -exports.bytesToUtf8 = bytesToUtf8; -/** - * Normalizes (non-hex) string or Uint8Array to Uint8Array. - * Warning: when Uint8Array is passed, it would NOT get copied. - * Keep in mind for future mutable operations. - */ -function toBytes(data) { - if (typeof data === 'string') - data = utf8ToBytes(data); - else if ((0, _assert_js_1.isBytes)(data)) - data = data.slice(); - else - throw new Error(`Uint8Array expected, got ${typeof data}`); - return data; -} -exports.toBytes = toBytes; -/** - * Copies several Uint8Arrays into one. - */ -function concatBytes(...arrays) { - let sum = 0; - for (let i = 0; i < arrays.length; i++) { - const a = arrays[i]; - (0, _assert_js_1.bytes)(a); - sum += a.length; - } - const res = new Uint8Array(sum); - for (let i = 0, pad = 0; i < arrays.length; i++) { - const a = arrays[i]; - res.set(a, pad); - pad += a.length; - } - return res; -} -exports.concatBytes = concatBytes; -function checkOpts(defaults, opts) { - if (opts == null || typeof opts !== 'object') - throw new Error('options must be defined'); - const merged = Object.assign(defaults, opts); - return merged; -} -exports.checkOpts = checkOpts; -// Compares 2 u8a-s in kinda constant time -function equalBytes(a, b) { - if (a.length !== b.length) - return false; - let diff = 0; - for (let i = 0; i < a.length; i++) - diff |= a[i] ^ b[i]; - return diff === 0; -} -exports.equalBytes = equalBytes; -// For runtime check if class implements interface -class Hash { -} -exports.Hash = Hash; -/** - * @__NO_SIDE_EFFECTS__ - */ -const wrapCipher = (params, c) => { - Object.assign(c, params); - return c; -}; -exports.wrapCipher = wrapCipher; -// Polyfill for Safari 14 -function setBigUint64(view, byteOffset, value, isLE) { - if (typeof view.setBigUint64 === 'function') - return view.setBigUint64(byteOffset, value, isLE); - const _32n = BigInt(32); - const _u32_max = BigInt(0xffffffff); - const wh = Number((value >> _32n) & _u32_max); - const wl = Number(value & _u32_max); - const h = isLE ? 4 : 0; - const l = isLE ? 0 : 4; - view.setUint32(byteOffset + h, wh, isLE); - view.setUint32(byteOffset + l, wl, isLE); -} -exports.setBigUint64 = setBigUint64; -function u64Lengths(ciphertext, AAD) { - const num = new Uint8Array(16); - const view = (0, exports.createView)(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - return num; -} -exports.u64Lengths = u64Lengths; -//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/webcrypto.js b/webcrypto.js deleted file mode 100644 index 228c620..0000000 --- a/webcrypto.js +++ /dev/null @@ -1,98 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = exports.getWebcryptoSubtle = exports.randomBytes = void 0; -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// node.js versions earlier than v19 don't declare it in global scope. -// For node.js, package.js on#exports field mapping rewrites import -// from `crypto` to `cryptoNode`, which imports native module. -// Makes the utils un-importable in browsers without a bundler. -// Once node.js 18 is deprecated, we can just drop the import. -const crypto_js_1 = require("./crypto.js"); -Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_js_1.randomBytes; } }); -Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_js_1.getWebcryptoSubtle; } }); -const utils_js_1 = require("./utils.js"); -const _assert_js_1 = require("./_assert.js"); -const _assert_js_2 = require("./_assert.js"); -// Uses CSPRG for nonce, nonce injected in ciphertext -function managedNonce(fn) { - (0, _assert_js_1.number)(fn.nonceLength); - return ((key, ...args) => ({ - encrypt: (plaintext, ...argsEnc) => { - const { nonceLength } = fn; - const nonce = (0, crypto_js_1.randomBytes)(nonceLength); - const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); - const out = (0, utils_js_1.concatBytes)(nonce, ciphertext); - ciphertext.fill(0); - return out; - }, - decrypt: (ciphertext, ...argsDec) => { - const { nonceLength } = fn; - const nonce = ciphertext.subarray(0, nonceLength); - const data = ciphertext.subarray(nonceLength); - return fn(key, nonce, ...args).decrypt(data, ...argsDec); - }, - })); -} -exports.managedNonce = managedNonce; -// Overridable -exports.utils = { - async encrypt(key, keyParams, cryptParams, plaintext) { - const cr = (0, crypto_js_1.getWebcryptoSubtle)(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); - const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); - return new Uint8Array(ciphertext); - }, - async decrypt(key, keyParams, cryptParams, ciphertext) { - const cr = (0, crypto_js_1.getWebcryptoSubtle)(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); - const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); - return new Uint8Array(plaintext); - }, -}; -function getCryptParams(algo, nonce, AAD) { - if (algo === "AES-CBC" /* BlockMode.CBC */) - return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; - if (algo === "AES-CTR" /* BlockMode.CTR */) - return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; - if (algo === "AES-GCM" /* BlockMode.GCM */) - return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; - throw new Error('unknown aes block mode'); -} -function generate(algo) { - return (key, nonce, AAD) => { - (0, _assert_js_2.bytes)(key); - (0, _assert_js_2.bytes)(nonce); - // const keyLength = key.length; - const keyParams = { name: algo, length: key.length * 8 }; - const cryptParams = getCryptParams(algo, nonce, AAD); - return { - // keyLength, - encrypt(plaintext) { - (0, _assert_js_2.bytes)(plaintext); - return exports.utils.encrypt(key, keyParams, cryptParams, plaintext); - }, - decrypt(ciphertext) { - (0, _assert_js_2.bytes)(ciphertext); - return exports.utils.decrypt(key, keyParams, cryptParams, ciphertext); - }, - }; - }; -} -exports.cbc = generate("AES-CBC" /* BlockMode.CBC */); -exports.ctr = generate("AES-CTR" /* BlockMode.CTR */); -exports.gcm = generate("AES-GCM" /* BlockMode.GCM */); -// // Type tests -// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; -// import { xsalsa20poly1305 } from '../salsa.js'; -// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; -// const wsiv = managedNonce(siv); -// const wgcm = managedNonce(gcm); -// const wctr = managedNonce(ctr); -// const wcbc = managedNonce(cbc); -// const wsalsapoly = managedNonce(xsalsa20poly1305); -// const wchacha = managedNonce(chacha20poly1305); -// const wxchacha = managedNonce(xchacha20poly1305); -// // should fail -// const wcbc2 = managedNonce(managedNonce(cbc)); -// const wecb = managedNonce(ecb); -//# sourceMappingURL=webcrypto.js.map \ No newline at end of file From 70b52a412311db7f6b874bbbf8f80b7dbe149e58 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 20:43:49 +0800 Subject: [PATCH 08/13] Fix test --- src/webcrypto.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/webcrypto.ts b/src/webcrypto.ts index db85c53..001f7c5 100644 --- a/src/webcrypto.ts +++ b/src/webcrypto.ts @@ -4,7 +4,10 @@ // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. -import { randomBytes, getWebcryptoSubtle } from './crypto.js'; +// +// Use full path so that Node.js can rewrite it to `cryptoNode.js`. +// @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. +import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; import { Cipher, concatBytes } from './utils.js'; import { number } from './_assert.js'; import { AsyncCipher } from './utils.js'; From 78cee8ac56616d234986ef771eca7fc58e94d3e1 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 21:05:39 +0800 Subject: [PATCH 09/13] Format files --- src/webcrypto.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/webcrypto.ts b/src/webcrypto.ts index 001f7c5..21005d2 100644 --- a/src/webcrypto.ts +++ b/src/webcrypto.ts @@ -4,7 +4,7 @@ // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. -// +// // Use full path so that Node.js can rewrite it to `cryptoNode.js`. // @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; From 64059f95a776e4de8fd01081ad95e6305ef9fe82 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sun, 11 Feb 2024 03:00:44 +0800 Subject: [PATCH 10/13] Revert package-lock.json change - No target of this PR --- package-lock.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8b89578..6a6b48b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@noble/ciphers", - "version": "0.5.1", + "version": "0.4.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@noble/ciphers", - "version": "0.5.1", + "version": "0.4.1", "license": "MIT", "devDependencies": { "@scure/base": "1.1.3", From df3b4154bacb7972e507e26a7f4758673ee871ea Mon Sep 17 00:00:00 2001 From: ocavue Date: Sat, 10 Feb 2024 14:36:17 +0800 Subject: [PATCH 11/13] add all built js files (before tsconfig change) --- _arx.js | 171 +++++++++++++ _assert.js | 50 ++++ _micro.js | 295 +++++++++++++++++++++ _poly1305.js | 268 ++++++++++++++++++++ _polyval.js | 221 ++++++++++++++++ aes.js | 633 ++++++++++++++++++++++++++++++++++++++++++++++ chacha.js | 323 +++++++++++++++++++++++ crypto.js | 17 ++ cryptoNode.js | 22 ++ esm/_arx.js | 166 ++++++++++++ esm/_assert.js | 41 +++ esm/_micro.js | 287 +++++++++++++++++++++ esm/_poly1305.js | 264 +++++++++++++++++++ esm/_polyval.js | 217 ++++++++++++++++ esm/aes.js | 628 +++++++++++++++++++++++++++++++++++++++++++++ esm/chacha.js | 318 +++++++++++++++++++++++ esm/crypto.js | 12 + esm/cryptoNode.js | 17 ++ esm/ff1.js | 149 +++++++++++ esm/index.js | 3 + esm/salsa.js | 205 +++++++++++++++ esm/utils.js | 182 +++++++++++++ esm/webcrypto.js | 96 +++++++ ff1.js | 154 +++++++++++ index.js | 3 + salsa.js | 210 +++++++++++++++ utils.js | 206 +++++++++++++++ webcrypto.js | 98 +++++++ 28 files changed, 5256 insertions(+) create mode 100644 _arx.js create mode 100644 _assert.js create mode 100644 _micro.js create mode 100644 _poly1305.js create mode 100644 _polyval.js create mode 100644 aes.js create mode 100644 chacha.js create mode 100644 crypto.js create mode 100644 cryptoNode.js create mode 100644 esm/_arx.js create mode 100644 esm/_assert.js create mode 100644 esm/_micro.js create mode 100644 esm/_poly1305.js create mode 100644 esm/_polyval.js create mode 100644 esm/aes.js create mode 100644 esm/chacha.js create mode 100644 esm/crypto.js create mode 100644 esm/cryptoNode.js create mode 100644 esm/ff1.js create mode 100644 esm/index.js create mode 100644 esm/salsa.js create mode 100644 esm/utils.js create mode 100644 esm/webcrypto.js create mode 100644 ff1.js create mode 100644 index.js create mode 100644 salsa.js create mode 100644 utils.js create mode 100644 webcrypto.js diff --git a/_arx.js b/_arx.js new file mode 100644 index 0000000..4c8e20d --- /dev/null +++ b/_arx.js @@ -0,0 +1,171 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.createCipher = exports.rotl = void 0; +// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. +const _assert_js_1 = require("./_assert.js"); +const utils_js_1 = require("./utils.js"); +/* +RFC8439 requires multi-step cipher stream, where +authKey starts with counter: 0, actual msg with counter: 1. + +For this, we need a way to re-use nonce / counter: + + const counter = new Uint8Array(4); + chacha(..., counter, ...); // counter is now 1 + chacha(..., counter, ...); // counter is now 2 + +This is complicated: + +- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB +- Original papers don't allow mutating counters +- Counter overflow is undefined [^1] +- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it +- Caveat: Cannot be re-used through all cases: +- * chacha has (counter | nonce) +- * xchacha has (nonce16 | counter | nonce16) +- Idea B: separate nonce / counter and provide separate API for counter re-use +- Caveat: there are different counter sizes depending on an algorithm. +- salsa & chacha also differ in structures of key & sigma: + salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] + chacha: s(4) | k(8) | ctr(1) | nonce(3) + chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) +- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` +- Caveat: we can't re-use counter array + +xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal +(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). + +[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ +[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 +*/ +const sigma16 = (0, utils_js_1.utf8ToBytes)('expand 16-byte k'); +const sigma32 = (0, utils_js_1.utf8ToBytes)('expand 32-byte k'); +const sigma16_32 = (0, utils_js_1.u32)(sigma16); +const sigma32_32 = (0, utils_js_1.u32)(sigma32); +function rotl(a, b) { + return (a << b) | (a >>> (32 - b)); +} +exports.rotl = rotl; +// Is byte array aligned to 4 byte offset (u32)? +function isAligned32(b) { + return b.byteOffset % 4 === 0; +} +// Salsa and Chacha block length is always 512-bit +const BLOCK_LEN = 64; +const BLOCK_LEN32 = 16; +// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] +// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] +const MAX_COUNTER = 2 ** 32 - 1; +const U32_EMPTY = new Uint32Array(); +function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { + const len = data.length; + const block = new Uint8Array(BLOCK_LEN); + const b32 = (0, utils_js_1.u32)(block); + // Make sure that buffers aligned to 4 bytes + const isAligned = isAligned32(data) && isAligned32(output); + const d32 = isAligned ? (0, utils_js_1.u32)(data) : U32_EMPTY; + const o32 = isAligned ? (0, utils_js_1.u32)(output) : U32_EMPTY; + for (let pos = 0; pos < len; counter++) { + core(sigma, key, nonce, b32, counter, rounds); + if (counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + const take = Math.min(BLOCK_LEN, len - pos); + // aligned to 4 bytes + if (isAligned && take === BLOCK_LEN) { + const pos32 = pos / 4; + if (pos % 4 !== 0) + throw new Error('arx: invalid block position'); + for (let j = 0, posj; j < BLOCK_LEN32; j++) { + posj = pos32 + j; + o32[posj] = d32[posj] ^ b32[j]; + } + pos += BLOCK_LEN; + continue; + } + for (let j = 0, posj; j < take; j++) { + posj = pos + j; + output[posj] = data[posj] ^ block[j]; + } + pos += take; + } +} +function createCipher(core, opts) { + const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0, utils_js_1.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); + if (typeof core !== 'function') + throw new Error('core must be a function'); + (0, _assert_js_1.number)(counterLength); + (0, _assert_js_1.number)(rounds); + (0, _assert_js_1.bool)(counterRight); + (0, _assert_js_1.bool)(allowShortKeys); + return (key, nonce, data, output, counter = 0) => { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce); + (0, _assert_js_1.bytes)(data); + const len = data.length; + if (!output) + output = new Uint8Array(len); + (0, _assert_js_1.bytes)(output); + (0, _assert_js_1.number)(counter); + if (counter < 0 || counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + if (output.length < len) + throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); + const toClean = []; + // Key & sigma + // key=16 -> sigma16, k=key|key + // key=32 -> sigma32, k=key + let l = key.length, k, sigma; + if (l === 32) { + k = key.slice(); + toClean.push(k); + sigma = sigma32_32; + } + else if (l === 16 && allowShortKeys) { + k = new Uint8Array(32); + k.set(key); + k.set(key, 16); + sigma = sigma16_32; + toClean.push(k); + } + else { + throw new Error(`arx: invalid 32-byte key, got length=${l}`); + } + // Nonce + // salsa20: 8 (8-byte counter) + // chacha20orig: 8 (8-byte counter) + // chacha20: 12 (4-byte counter) + // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) + // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) + // Align nonce to 4 bytes + if (!isAligned32(nonce)) { + nonce = nonce.slice(); + toClean.push(nonce); + } + const k32 = (0, utils_js_1.u32)(k); + // hsalsa & hchacha: handle extended nonce + if (extendNonceFn) { + if (nonce.length !== 24) + throw new Error(`arx: extended nonce must be 24 bytes`); + extendNonceFn(sigma, k32, (0, utils_js_1.u32)(nonce.subarray(0, 16)), k32); + nonce = nonce.subarray(16); + } + // Handle nonce counter + const nonceNcLen = 16 - counterLength; + if (nonceNcLen !== nonce.length) + throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); + // Pad counter when nonce is 64 bit + if (nonceNcLen !== 12) { + const nc = new Uint8Array(12); + nc.set(nonce, counterRight ? 0 : 12 - nonce.length); + nonce = nc; + toClean.push(nonce); + } + const n32 = (0, utils_js_1.u32)(nonce); + runCipher(core, sigma, k32, n32, data, output, counter, rounds); + while (toClean.length > 0) + toClean.pop().fill(0); + return output; + }; +} +exports.createCipher = createCipher; +//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/_assert.js b/_assert.js new file mode 100644 index 0000000..83ace83 --- /dev/null +++ b/_assert.js @@ -0,0 +1,50 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.output = exports.exists = exports.hash = exports.bytes = exports.bool = exports.number = exports.isBytes = void 0; +function number(n) { + if (!Number.isSafeInteger(n) || n < 0) + throw new Error(`positive integer expected, not ${n}`); +} +exports.number = number; +function bool(b) { + if (typeof b !== 'boolean') + throw new Error(`boolean expected, not ${b}`); +} +exports.bool = bool; +function isBytes(a) { + return (a instanceof Uint8Array || + (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); +} +exports.isBytes = isBytes; +function bytes(b, ...lengths) { + if (!isBytes(b)) + throw new Error('Uint8Array expected'); + if (lengths.length > 0 && !lengths.includes(b.length)) + throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); +} +exports.bytes = bytes; +function hash(hash) { + if (typeof hash !== 'function' || typeof hash.create !== 'function') + throw new Error('hash must be wrapped by utils.wrapConstructor'); + number(hash.outputLen); + number(hash.blockLen); +} +exports.hash = hash; +function exists(instance, checkFinished = true) { + if (instance.destroyed) + throw new Error('Hash instance has been destroyed'); + if (checkFinished && instance.finished) + throw new Error('Hash#digest() has already been called'); +} +exports.exists = exists; +function output(out, instance) { + bytes(out); + const min = instance.outputLen; + if (out.length < min) { + throw new Error(`digestInto() expects output buffer of length at least ${min}`); + } +} +exports.output = output; +const assert = { number, bool, bytes, hash, exists, output }; +exports.default = assert; +//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/_micro.js b/_micro.js new file mode 100644 index 0000000..523065c --- /dev/null +++ b/_micro.js @@ -0,0 +1,295 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.secretbox = exports.xsalsa20poly1305 = exports.poly1305 = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.xsalsa20 = exports.salsa20 = exports.hchacha = exports.hsalsa = void 0; +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _arx_js_1 = require("./_arx.js"); +const _assert_js_1 = require("./_assert.js"); +/* +noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. +Implements the same algorithms that are present in other files, but without +unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). +*/ +function bytesToNumberLE(bytes) { + return (0, utils_js_1.hexToNumber)((0, utils_js_1.bytesToHex)(Uint8Array.from(bytes).reverse())); +} +function numberToBytesLE(n, len) { + return (0, utils_js_1.numberToBytesBE)(n, len).reverse(); +} +function salsaQR(x, a, b, c, d) { + x[b] ^= (0, _arx_js_1.rotl)((x[a] + x[d]) | 0, 7); + x[c] ^= (0, _arx_js_1.rotl)((x[b] + x[a]) | 0, 9); + x[d] ^= (0, _arx_js_1.rotl)((x[c] + x[b]) | 0, 13); + x[a] ^= (0, _arx_js_1.rotl)((x[d] + x[c]) | 0, 18); +} +// prettier-ignore +function chachaQR(x, a, b, c, d) { + x[a] = (x[a] + x[b]) | 0; + x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 16); + x[c] = (x[c] + x[d]) | 0; + x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 12); + x[a] = (x[a] + x[b]) | 0; + x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 8); + x[c] = (x[c] + x[d]) | 0; + x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 7); +} +function salsaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + salsaQR(x, 0, 4, 8, 12); + salsaQR(x, 5, 9, 13, 1); + salsaQR(x, 10, 14, 2, 6); + salsaQR(x, 15, 3, 7, 11); + salsaQR(x, 0, 1, 2, 3); + salsaQR(x, 5, 6, 7, 4); + salsaQR(x, 10, 11, 8, 9); + salsaQR(x, 15, 12, 13, 14); + } +} +function chachaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + chachaQR(x, 0, 4, 8, 12); + chachaQR(x, 1, 5, 9, 13); + chachaQR(x, 2, 6, 10, 14); + chachaQR(x, 3, 7, 11, 15); + chachaQR(x, 0, 5, 10, 15); + chachaQR(x, 1, 6, 11, 12); + chachaQR(x, 2, 7, 8, 13); + chachaQR(x, 3, 4, 9, 14); + } +} +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], k[0], k[1], k[2], // "expa" Key Key Key + k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce + cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key + k[5], k[6], k[7], s[3], // Key Key Key "te k" + ]); + const x = y.slice(); + salsaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +function hsalsa(s, k, i, o32) { + const x = new Uint32Array([ + s[0], k[0], k[1], k[2], + k[3], s[1], i[0], i[1], + i[2], i[3], s[2], k[4], + k[5], k[6], k[7], s[3] + ]); + salsaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[5]; + o32[oi++] = x[10]; + o32[oi++] = x[15]; + o32[oi++] = x[6]; + o32[oi++] = x[7]; + o32[oi++] = x[8]; + o32[oi++] = x[9]; +} +exports.hsalsa = hsalsa; +function chachaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" + k[0], k[1], k[2], k[3], // Key Key Key Key + k[4], k[5], k[6], k[7], // Key Key Key Key + cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce + ]); + const x = y.slice(); + chachaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +function hchacha(s, k, i, o32) { + const x = new Uint32Array([ + s[0], s[1], s[2], s[3], + k[0], k[1], k[2], k[3], + k[4], k[5], k[6], k[7], + i[0], i[1], i[2], i[3], + ]); + chachaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[1]; + o32[oi++] = x[2]; + o32[oi++] = x[3]; + o32[oi++] = x[12]; + o32[oi++] = x[13]; + o32[oi++] = x[14]; + o32[oi++] = x[15]; +} +exports.hchacha = hchacha; +/** + * salsa20, 12-byte nonce. + */ +exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20, 24-byte nonce. + */ +exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. + */ +exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { + allowShortKeys: true, + counterRight: false, + counterLength: 8, +}); +/** + * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. + */ +exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, +}); +/** + * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, +}); +/** + * 8-round chacha from the original paper. + */ +exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * 12-round chacha from the original paper. + */ +exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); +const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); +const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); +const _0 = BigInt(0); +const _1 = BigInt(1); +// Can be speed-up using BigUint64Array, but would be more complicated +function poly1305(msg, key) { + (0, _assert_js_1.bytes)(msg); + (0, _assert_js_1.bytes)(key); + let acc = _0; + const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; + const s = bytesToNumberLE(key.subarray(16)); + // Process by 16 byte chunks + for (let i = 0; i < msg.length; i += 16) { + const m = msg.subarray(i, i + 16); + const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); + acc = ((acc + n) * r) % POW_2_130_5; + } + const res = (acc + s) & POW_2_128_1; + return numberToBytesLE(res, 16); +} +exports.poly1305 = poly1305; +function computeTag(fn, key, nonce, ciphertext, AAD) { + const res = []; + if (AAD) { + res.push(AAD); + const leftover = AAD.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + } + res.push(ciphertext); + const leftover = ciphertext.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + // Lengths + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(ciphertext.length), true); + res.push(num); + const authKey = fn(key, nonce, new Uint8Array(32)); + return poly1305((0, utils_js_1.concatBytes)(...res), authKey); +} +/** + * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. + */ +exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const m = (0, utils_js_1.concatBytes)(new Uint8Array(32), plaintext); + const c = (0, exports.xsalsa20)(key, nonce, m); + const authKey = c.subarray(0, 32); + const data = c.subarray(32); + const tag = poly1305(data, authKey); + return (0, utils_js_1.concatBytes)(tag, data); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < 16) + throw new Error('encrypted data must be at least 16 bytes'); + const c = (0, utils_js_1.concatBytes)(new Uint8Array(16), ciphertext); + const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); + const tag = poly1305(c.subarray(32), authKey); + if (!(0, utils_js_1.equalBytes)(c.subarray(16, 32), tag)) + throw new Error('invalid poly1305 tag'); + return (0, exports.xsalsa20)(key, nonce, c).subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20-poly1305 + */ +function secretbox(key, nonce) { + const xs = (0, exports.xsalsa20poly1305)(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +exports.secretbox = secretbox; +const _poly1305_aead = (fn) => (key, nonce, AAD) => { + const tagLength = 16; + const keyLength = 32; + (0, _assert_js_1.bytes)(key, keyLength); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const res = fn(key, nonce, plaintext, undefined, 1); + const tag = computeTag(fn, key, nonce, res, AAD); + return (0, utils_js_1.concatBytes)(res, tag); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + const passedTag = ciphertext.subarray(-tagLength); + const data = ciphertext.subarray(0, -tagLength); + const tag = computeTag(fn, key, nonce, data, AAD); + if (!(0, utils_js_1.equalBytes)(passedTag, tag)) + throw new Error('invalid poly1305 tag'); + return fn(key, nonce, data, undefined, 1); + }, + }; +}; +exports._poly1305_aead = _poly1305_aead; +/** + * chacha20-poly1305 12-byte-nonce chacha. + */ +exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); +/** + * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); +//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/_poly1305.js b/_poly1305.js new file mode 100644 index 0000000..0652e24 --- /dev/null +++ b/_poly1305.js @@ -0,0 +1,268 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.poly1305 = exports.wrapConstructorWithKey = void 0; +const _assert_js_1 = require("./_assert.js"); +const utils_js_1 = require("./utils.js"); +// Poly1305 is a fast and parallel secret-key message-authentication code. +// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf +// https://datatracker.ietf.org/doc/html/rfc8439 +// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna +const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); +class Poly1305 { + constructor(key) { + this.blockLen = 16; + this.outputLen = 16; + this.buffer = new Uint8Array(16); + this.r = new Uint16Array(10); + this.h = new Uint16Array(10); + this.pad = new Uint16Array(8); + this.pos = 0; + this.finished = false; + key = (0, utils_js_1.toBytes)(key); + (0, _assert_js_1.bytes)(key, 32); + const t0 = u8to16(key, 0); + const t1 = u8to16(key, 2); + const t2 = u8to16(key, 4); + const t3 = u8to16(key, 6); + const t4 = u8to16(key, 8); + const t5 = u8to16(key, 10); + const t6 = u8to16(key, 12); + const t7 = u8to16(key, 14); + // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 + this.r[0] = t0 & 0x1fff; + this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; + this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; + this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; + this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; + this.r[5] = (t4 >>> 1) & 0x1ffe; + this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; + this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; + this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; + this.r[9] = (t7 >>> 5) & 0x007f; + for (let i = 0; i < 8; i++) + this.pad[i] = u8to16(key, 16 + 2 * i); + } + process(data, offset, isLast = false) { + const hibit = isLast ? 0 : 1 << 11; + const { h, r } = this; + const r0 = r[0]; + const r1 = r[1]; + const r2 = r[2]; + const r3 = r[3]; + const r4 = r[4]; + const r5 = r[5]; + const r6 = r[6]; + const r7 = r[7]; + const r8 = r[8]; + const r9 = r[9]; + const t0 = u8to16(data, offset + 0); + const t1 = u8to16(data, offset + 2); + const t2 = u8to16(data, offset + 4); + const t3 = u8to16(data, offset + 6); + const t4 = u8to16(data, offset + 8); + const t5 = u8to16(data, offset + 10); + const t6 = u8to16(data, offset + 12); + const t7 = u8to16(data, offset + 14); + let h0 = h[0] + (t0 & 0x1fff); + let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); + let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); + let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); + let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); + let h5 = h[5] + ((t4 >>> 1) & 0x1fff); + let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); + let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); + let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); + let h9 = h[9] + ((t7 >>> 5) | hibit); + let c = 0; + let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); + c = d0 >>> 13; + d0 &= 0x1fff; + d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); + c += d0 >>> 13; + d0 &= 0x1fff; + let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); + c = d1 >>> 13; + d1 &= 0x1fff; + d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); + c += d1 >>> 13; + d1 &= 0x1fff; + let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); + c = d2 >>> 13; + d2 &= 0x1fff; + d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); + c += d2 >>> 13; + d2 &= 0x1fff; + let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); + c = d3 >>> 13; + d3 &= 0x1fff; + d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); + c += d3 >>> 13; + d3 &= 0x1fff; + let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; + c = d4 >>> 13; + d4 &= 0x1fff; + d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); + c += d4 >>> 13; + d4 &= 0x1fff; + let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; + c = d5 >>> 13; + d5 &= 0x1fff; + d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); + c += d5 >>> 13; + d5 &= 0x1fff; + let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; + c = d6 >>> 13; + d6 &= 0x1fff; + d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); + c += d6 >>> 13; + d6 &= 0x1fff; + let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; + c = d7 >>> 13; + d7 &= 0x1fff; + d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); + c += d7 >>> 13; + d7 &= 0x1fff; + let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; + c = d8 >>> 13; + d8 &= 0x1fff; + d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); + c += d8 >>> 13; + d8 &= 0x1fff; + let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; + c = d9 >>> 13; + d9 &= 0x1fff; + d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; + c += d9 >>> 13; + d9 &= 0x1fff; + c = ((c << 2) + c) | 0; + c = (c + d0) | 0; + d0 = c & 0x1fff; + c = c >>> 13; + d1 += c; + h[0] = d0; + h[1] = d1; + h[2] = d2; + h[3] = d3; + h[4] = d4; + h[5] = d5; + h[6] = d6; + h[7] = d7; + h[8] = d8; + h[9] = d9; + } + finalize() { + const { h, pad } = this; + const g = new Uint16Array(10); + let c = h[1] >>> 13; + h[1] &= 0x1fff; + for (let i = 2; i < 10; i++) { + h[i] += c; + c = h[i] >>> 13; + h[i] &= 0x1fff; + } + h[0] += c * 5; + c = h[0] >>> 13; + h[0] &= 0x1fff; + h[1] += c; + c = h[1] >>> 13; + h[1] &= 0x1fff; + h[2] += c; + g[0] = h[0] + 5; + c = g[0] >>> 13; + g[0] &= 0x1fff; + for (let i = 1; i < 10; i++) { + g[i] = h[i] + c; + c = g[i] >>> 13; + g[i] &= 0x1fff; + } + g[9] -= 1 << 13; + let mask = (c ^ 1) - 1; + for (let i = 0; i < 10; i++) + g[i] &= mask; + mask = ~mask; + for (let i = 0; i < 10; i++) + h[i] = (h[i] & mask) | g[i]; + h[0] = (h[0] | (h[1] << 13)) & 0xffff; + h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; + h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; + h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; + h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; + h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; + h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; + h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; + let f = h[0] + pad[0]; + h[0] = f & 0xffff; + for (let i = 1; i < 8; i++) { + f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; + h[i] = f & 0xffff; + } + } + update(data) { + (0, _assert_js_1.exists)(this); + const { buffer, blockLen } = this; + data = (0, utils_js_1.toBytes)(data); + const len = data.length; + for (let pos = 0; pos < len;) { + const take = Math.min(blockLen - this.pos, len - pos); + // Fast path: we have at least one block in input + if (take === blockLen) { + for (; blockLen <= len - pos; pos += blockLen) + this.process(data, pos); + continue; + } + buffer.set(data.subarray(pos, pos + take), this.pos); + this.pos += take; + pos += take; + if (this.pos === blockLen) { + this.process(buffer, 0, false); + this.pos = 0; + } + } + return this; + } + destroy() { + this.h.fill(0); + this.r.fill(0); + this.buffer.fill(0); + this.pad.fill(0); + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + const { buffer, h } = this; + let { pos } = this; + if (pos) { + buffer[pos++] = 1; + // buffer.subarray(pos).fill(0); + for (; pos < 16; pos++) + buffer[pos] = 0; + this.process(buffer, 0, true); + } + this.finalize(); + let opos = 0; + for (let i = 0; i < 8; i++) { + out[opos++] = h[i] >>> 0; + out[opos++] = h[i] >>> 8; + } + return out; + } + digest() { + const { buffer, outputLen } = this; + this.digestInto(buffer); + const res = buffer.slice(0, outputLen); + this.destroy(); + return res; + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key).update((0, utils_js_1.toBytes)(msg)).digest(); + const tmp = hashCons(new Uint8Array(32)); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key) => hashCons(key); + return hashC; +} +exports.wrapConstructorWithKey = wrapConstructorWithKey; +exports.poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); +//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/_polyval.js b/_polyval.js new file mode 100644 index 0000000..7183fc9 --- /dev/null +++ b/_polyval.js @@ -0,0 +1,221 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.polyval = exports.ghash = exports._toGHASHKey = void 0; +const utils_js_1 = require("./utils.js"); +const _assert_js_1 = require("./_assert.js"); +// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. +// Implemented in terms of GHash with conversion function for keys +// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. +// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf +// GHASH modulo: x^128 + x^7 + x^2 + x + 1 +// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 +const BLOCK_SIZE = 16; +// TODO: rewrite +// temporary padding buffer +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +const ZEROS32 = (0, utils_js_1.u32)(ZEROS16); +const POLY = 0xe1; // v = 2*v % POLY +// v = 2*v % POLY +// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x +// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) +const mul2 = (s0, s1, s2, s3) => { + const hiBit = s3 & 1; + return { + s3: (s2 << 31) | (s3 >>> 1), + s2: (s1 << 31) | (s2 >>> 1), + s1: (s0 << 31) | (s1 >>> 1), + s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly + }; +}; +const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | + (((n >>> 8) & 0xff) << 16) | + (((n >>> 16) & 0xff) << 8) | + ((n >>> 24) & 0xff) | + 0; +/** + * `mulX_POLYVAL(ByteReverse(H))` from spec + * @param k mutated in place + */ +function _toGHASHKey(k) { + k.reverse(); + const hiBit = k[15] & 1; + // k >>= 1 + let carry = 0; + for (let i = 0; i < k.length; i++) { + const t = k[i]; + k[i] = (t >>> 1) | carry; + carry = (t & 1) << 7; + } + k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; + return k; +} +exports._toGHASHKey = _toGHASHKey; +const estimateWindow = (bytes) => { + if (bytes > 64 * 1024) + return 8; + if (bytes > 1024) + return 4; + return 2; +}; +class GHASH { + // We select bits per window adaptively based on expectedLength + constructor(key, expectedLength) { + this.blockLen = BLOCK_SIZE; + this.outputLen = BLOCK_SIZE; + this.s0 = 0; + this.s1 = 0; + this.s2 = 0; + this.s3 = 0; + this.finished = false; + key = (0, utils_js_1.toBytes)(key); + (0, _assert_js_1.bytes)(key, 16); + const kView = (0, utils_js_1.createView)(key); + let k0 = kView.getUint32(0, false); + let k1 = kView.getUint32(4, false); + let k2 = kView.getUint32(8, false); + let k3 = kView.getUint32(12, false); + // generate table of doubled keys (half of montgomery ladder) + const doubles = []; + for (let i = 0; i < 128; i++) { + doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); + ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); + } + const W = estimateWindow(expectedLength || 1024); + if (![1, 2, 4, 8].includes(W)) + throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); + this.W = W; + const bits = 128; // always 128 bits; + const windows = bits / W; + const windowSize = (this.windowSize = 2 ** W); + const items = []; + // Create precompute table for window of W bits + for (let w = 0; w < windows; w++) { + // truth table: 00, 01, 10, 11 + for (let byte = 0; byte < windowSize; byte++) { + // prettier-ignore + let s0 = 0, s1 = 0, s2 = 0, s3 = 0; + for (let j = 0; j < W; j++) { + const bit = (byte >>> (W - j - 1)) & 1; + if (!bit) + continue; + const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; + (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); + } + items.push({ s0, s1, s2, s3 }); + } + } + this.t = items; + } + _updateBlock(s0, s1, s2, s3) { + (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); + const { W, t, windowSize } = this; + // prettier-ignore + let o0 = 0, o1 = 0, o2 = 0, o3 = 0; + const mask = (1 << W) - 1; // 2**W will kill performance. + let w = 0; + for (const num of [s0, s1, s2, s3]) { + for (let bytePos = 0; bytePos < 4; bytePos++) { + const byte = (num >>> (8 * bytePos)) & 0xff; + for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { + const bit = (byte >>> (W * bitPos)) & mask; + const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; + (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); + w += 1; + } + } + } + this.s0 = o0; + this.s1 = o1; + this.s2 = o2; + this.s3 = o3; + } + update(data) { + data = (0, utils_js_1.toBytes)(data); + (0, _assert_js_1.exists)(this); + const b32 = (0, utils_js_1.u32)(data); + const blocks = Math.floor(data.length / BLOCK_SIZE); + const left = data.length % BLOCK_SIZE; + for (let i = 0; i < blocks; i++) { + this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + destroy() { + const { t } = this; + // clean precompute table + for (const elm of t) { + (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); + } + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + const { s0, s1, s2, s3 } = this; + const o32 = (0, utils_js_1.u32)(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out; + } + digest() { + const res = new Uint8Array(BLOCK_SIZE); + this.digestInto(res); + this.destroy(); + return res; + } +} +class Polyval extends GHASH { + constructor(key, expectedLength) { + key = (0, utils_js_1.toBytes)(key); + const ghKey = _toGHASHKey(key.slice()); + super(ghKey, expectedLength); + ghKey.fill(0); + } + update(data) { + data = (0, utils_js_1.toBytes)(data); + (0, _assert_js_1.exists)(this); + const b32 = (0, utils_js_1.u32)(data); + const left = data.length % BLOCK_SIZE; + const blocks = Math.floor(data.length / BLOCK_SIZE); + for (let i = 0; i < blocks; i++) { + this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + digestInto(out) { + (0, _assert_js_1.exists)(this); + (0, _assert_js_1.output)(out, this); + this.finished = true; + // tmp ugly hack + const { s0, s1, s2, s3 } = this; + const o32 = (0, utils_js_1.u32)(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out.reverse(); + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key, msg.length).update((0, utils_js_1.toBytes)(msg)).digest(); + const tmp = hashCons(new Uint8Array(16), 0); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key, expectedLength) => hashCons(key, expectedLength); + return hashC; +} +exports.ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); +exports.polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); +//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/aes.js b/aes.js new file mode 100644 index 0000000..2147b0a --- /dev/null +++ b/aes.js @@ -0,0 +1,633 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.unsafe = exports.siv = exports.gcm = exports.cbc = exports.ecb = exports.ctr = exports.expandKeyDecLE = exports.expandKeyLE = void 0; +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _polyval_js_1 = require("./_polyval.js"); +const _assert_js_1 = require("./_assert.js"); +/* +AES (Advanced Encryption Standard) aka Rijndael block cipher. + +Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: +1. **S-box**, table substitution +2. **Shift rows**, cyclic shift left of all rows of data array +3. **Mix columns**, multiplying every column by fixed polynomial +4. **Add round key**, round_key xor i-th column of array + +Resources: +- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf +- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf +*/ +const BLOCK_SIZE = 16; +const BLOCK_SIZE32 = 4; +const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); +const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 +// TODO: remove multiplication, binary ops only +function mul2(n) { + return (n << 1) ^ (POLY & -(n >> 7)); +} +function mul(a, b) { + let res = 0; + for (; b > 0; b >>= 1) { + // Montgomery ladder + res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). + a = mul2(a); // a = 2*a + } + return res; +} +// AES S-box is generated using finite field inversion, +// an affine transform, and xor of a constant 0x63. +const sbox = /* @__PURE__ */ (() => { + let t = new Uint8Array(256); + for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) + t[i] = x; + const box = new Uint8Array(256); + box[0] = 0x63; // first elm + for (let i = 0; i < 255; i++) { + let x = t[255 - i]; + x |= x << 8; + box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; + } + return box; +})(); +// Inverted S-box +const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); +// Rotate u32 by 8 +const rotr32_8 = (n) => (n << 24) | (n >>> 8); +const rotl32_8 = (n) => (n << 8) | (n >>> 24); +// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: +// - LE instead of BE +// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; +// so index is u16, instead of u8. This speeds up things, unexpectedly +function genTtable(sbox, fn) { + if (sbox.length !== 256) + throw new Error('Wrong sbox length'); + const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); + const T1 = T0.map(rotl32_8); + const T2 = T1.map(rotl32_8); + const T3 = T2.map(rotl32_8); + const T01 = new Uint32Array(256 * 256); + const T23 = new Uint32Array(256 * 256); + const sbox2 = new Uint16Array(256 * 256); + for (let i = 0; i < 256; i++) { + for (let j = 0; j < 256; j++) { + const idx = i * 256 + j; + T01[idx] = T0[i] ^ T1[j]; + T23[idx] = T2[i] ^ T3[j]; + sbox2[idx] = (sbox[i] << 8) | sbox[j]; + } + } + return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; +} +const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); +const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); +const xPowers = /* @__PURE__ */ (() => { + const p = new Uint8Array(16); + for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) + p[i] = x; + return p; +})(); +function expandKeyLE(key) { + (0, _assert_js_1.bytes)(key); + const len = key.length; + if (![16, 24, 32].includes(len)) + throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); + const { sbox2 } = tableEncoding; + const k32 = (0, utils_js_1.u32)(key); + const Nk = k32.length; + const subByte = (n) => applySbox(sbox2, n, n, n, n); + const xk = new Uint32Array(len + 28); // expanded key + xk.set(k32); + // 4.3.1 Key expansion + for (let i = Nk; i < xk.length; i++) { + let t = xk[i - 1]; + if (i % Nk === 0) + t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; + else if (Nk > 6 && i % Nk === 4) + t = subByte(t); + xk[i] = xk[i - Nk] ^ t; + } + return xk; +} +exports.expandKeyLE = expandKeyLE; +function expandKeyDecLE(key) { + const encKey = expandKeyLE(key); + const xk = encKey.slice(); + const Nk = encKey.length; + const { sbox2 } = tableEncoding; + const { T0, T1, T2, T3 } = tableDecoding; + // Inverse key by chunks of 4 (rounds) + for (let i = 0; i < Nk; i += 4) { + for (let j = 0; j < 4; j++) + xk[i + j] = encKey[Nk - i - 4 + j]; + } + encKey.fill(0); + // apply InvMixColumn except first & last round + for (let i = 4; i < Nk - 4; i++) { + const x = xk[i]; + const w = applySbox(sbox2, x, x, x, x); + xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; + } + return xk; +} +exports.expandKeyDecLE = expandKeyDecLE; +// Apply tables +function apply0123(T01, T23, s0, s1, s2, s3) { + return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ + T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); +} +function applySbox(sbox2, s0, s1, s2, s3) { + return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | + (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); +} +function encrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableEncoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // last round (without mixcolumns, so using SBOX2 table) + const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function decrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableDecoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // Last round + const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function getDst(len, dst) { + if (!dst) + return new Uint8Array(len); + (0, _assert_js_1.bytes)(dst); + if (dst.length < len) + throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); + return dst; +} +// TODO: investigate merging with ctr32 +function ctrCounter(xk, nonce, src, dst) { + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + (0, _assert_js_1.bytes)(src); + const srcLen = src.length; + dst = getDst(srcLen, dst); + const ctr = nonce; + const c32 = (0, utils_js_1.u32)(ctr); + // Fill block (empty, ctr=0) + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + const src32 = (0, utils_js_1.u32)(src); + const dst32 = (0, utils_js_1.u32)(dst); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + // Full 128 bit counter with wrap around + let carry = 1; + for (let i = ctr.length - 1; i >= 0; i--) { + carry = (carry + (ctr[i] & 0xff)) | 0; + ctr[i] = carry & 0xff; + carry >>>= 8; + } + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than block) + // It's possible to handle > u32 fast, but is it worth it? + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = (0, utils_js_1.u8)(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +// AES CTR with overflowing 32 bit counter +// It's possible to do 32le significantly simpler (and probably faster) by using u32. +// But, we need both, and perf bottleneck is in ghash anyway. +function ctr32(xk, isLE, nonce, src, dst) { + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + (0, _assert_js_1.bytes)(src); + dst = getDst(src.length, dst); + const ctr = nonce; // write new value to nonce, so it can be re-used + const c32 = (0, utils_js_1.u32)(ctr); + const view = (0, utils_js_1.createView)(ctr); + const src32 = (0, utils_js_1.u32)(src); + const dst32 = (0, utils_js_1.u32)(dst); + const ctrPos = isLE ? 0 : 12; + const srcLen = src.length; + // Fill block (empty, ctr=0) + let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + ctrNum = (ctrNum + 1) >>> 0; // u32 wrap + view.setUint32(ctrPos, ctrNum, isLE); + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than a block) + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = (0, utils_js_1.u8)(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +/** + * CTR: counter mode. Creates stream cipher. + * Requires good IV. Parallelizable. OK, but no MAC. + */ +exports.ctr = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); + function processCtr(buf, dst) { + const xk = expandKeyLE(key); + const n = nonce.slice(); + const out = ctrCounter(xk, n, buf, dst); + xk.fill(0); + n.fill(0); + return out; + } + return { + encrypt: (plaintext, dst) => processCtr(plaintext, dst), + decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), + }; +}); +function validateBlockDecrypt(data) { + (0, _assert_js_1.bytes)(data); + if (data.length % BLOCK_SIZE !== 0) { + throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); + } +} +function validateBlockEncrypt(plaintext, pcks5, dst) { + let outLen = plaintext.length; + const remaining = outLen % BLOCK_SIZE; + if (!pcks5 && remaining !== 0) + throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); + const b = (0, utils_js_1.u32)(plaintext); + if (pcks5) { + let left = BLOCK_SIZE - remaining; + if (!left) + left = BLOCK_SIZE; // if no bytes left, create empty padding block + outLen = outLen + left; + } + const out = getDst(outLen, dst); + const o = (0, utils_js_1.u32)(out); + return { b, o, out }; +} +function validatePCKS(data, pcks5) { + if (!pcks5) + return data; + const len = data.length; + if (!len) + throw new Error(`aes/pcks5: empty ciphertext not allowed`); + const lastByte = data[len - 1]; + if (lastByte <= 0 || lastByte > 16) + throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); + const out = data.subarray(0, -lastByte); + for (let i = 0; i < lastByte; i++) + if (data[len - i - 1] !== lastByte) + throw new Error(`aes/pcks5: wrong padding`); + return out; +} +function padPCKS(left) { + const tmp = new Uint8Array(16); + const tmp32 = (0, utils_js_1.u32)(tmp); + tmp.set(left); + const paddingByte = BLOCK_SIZE - left.length; + for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) + tmp[i] = paddingByte; + return tmp32; +} +/** + * ECB: Electronic CodeBook. Simple deterministic replacement. + * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). + */ +exports.ecb = (0, utils_js_1.wrapCipher)({ blockSize: 16 }, function ecb(key, opts = {}) { + (0, _assert_js_1.bytes)(key); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + (0, _assert_js_1.bytes)(plaintext); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const xk = expandKeyLE(key); + let i = 0; + for (; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const out = getDst(ciphertext.length, dst); + const b = (0, utils_js_1.u32)(ciphertext); + const o = (0, utils_js_1.u32)(out); + for (let i = 0; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +/** + * CBC: Cipher-Block-Chaining. Key is previous round’s block. + * Fragile: needs proper padding. Unauthenticated: needs MAC. + */ +exports.cbc = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { + (0, _assert_js_1.bytes)(key); + (0, _assert_js_1.bytes)(iv, 16); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + const xk = expandKeyLE(key); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const n32 = (0, utils_js_1.u32)(iv); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + let i = 0; + for (; i + 4 <= b.length;) { + (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const n32 = (0, utils_js_1.u32)(iv); + const out = getDst(ciphertext.length, dst); + const b = (0, utils_js_1.u32)(ciphertext); + const o = (0, utils_js_1.u32)(out); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + for (let i = 0; i + 4 <= b.length;) { + // prettier-ignore + const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; + (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); + const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); + (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen +function computeTag(fn, isLE, key, data, AAD) { + const h = fn.create(key, data.length + (AAD?.length || 0)); + if (AAD) + h.update(AAD); + h.update(data); + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + if (AAD) + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD.length * 8), isLE); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length * 8), isLE); + h.update(num); + return h.digest(); +} +/** + * GCM: Galois/Counter Mode. + * Good, modern version of CTR, parallel, with MAC. + * Be careful: MACs can be forged. + */ +exports.gcm = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { + (0, _assert_js_1.bytes)(nonce); + // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. + if (nonce.length === 0) + throw new Error('aes/gcm: empty nonce'); + const tagLength = 16; + function _computeTag(authKey, tagMask, data) { + const tag = computeTag(_polyval_js_1.ghash, false, authKey, data, AAD); + for (let i = 0; i < tagMask.length; i++) + tag[i] ^= tagMask[i]; + return tag; + } + function deriveKeys() { + const xk = expandKeyLE(key); + const authKey = EMPTY_BLOCK.slice(); + const counter = EMPTY_BLOCK.slice(); + ctr32(xk, false, counter, counter, authKey); + if (nonce.length === 12) { + counter.set(nonce); + } + else { + // Spec (NIST 800-38d) supports variable size nonce. + // Not supported for now, but can be useful. + const nonceLen = EMPTY_BLOCK.slice(); + const view = (0, utils_js_1.createView)(nonceLen); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(nonce.length * 8), false); + // ghash(nonce || u64be(0) || u64be(nonceLen*8)) + _polyval_js_1.ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); + } + const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); + return { xk, authKey, counter, tagMask }; + } + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const out = new Uint8Array(plaintext.length + tagLength); + ctr32(xk, false, counter, plaintext, out); + const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); + out.set(tag, plaintext.length); + xk.fill(0); + return out; + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = _computeTag(authKey, tagMask, data); + if (!(0, utils_js_1.equalBytes)(tag, passedTag)) + throw new Error('aes/gcm: invalid ghash tag'); + const out = ctr32(xk, false, counter, data); + authKey.fill(0); + tagMask.fill(0); + xk.fill(0); + return out; + }, + }; +}); +const limit = (name, min, max) => (value) => { + if (!Number.isSafeInteger(value) || min > value || value > max) + throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); +}; +/** + * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. + * Guarantees that, when a nonce is repeated, the only security loss is that identical + * plaintexts will produce identical ciphertexts. + * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 + */ +exports.siv = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { + const tagLength = 16; + // From RFC 8452: Section 6 + const AAD_LIMIT = limit('AAD', 0, 2 ** 36); + const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); + const NONCE_LIMIT = limit('nonce', 12, 12); + const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); + (0, _assert_js_1.bytes)(nonce); + NONCE_LIMIT(nonce.length); + if (AAD) { + (0, _assert_js_1.bytes)(AAD); + AAD_LIMIT(AAD.length); + } + function deriveKeys() { + const len = key.length; + if (len !== 16 && len !== 24 && len !== 32) + throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); + const xk = expandKeyLE(key); + const encKey = new Uint8Array(len); + const authKey = new Uint8Array(16); + const n32 = (0, utils_js_1.u32)(nonce); + // prettier-ignore + let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; + let counter = 0; + for (const derivedKey of [authKey, encKey].map(utils_js_1.u32)) { + const d32 = (0, utils_js_1.u32)(derivedKey); + for (let i = 0; i < d32.length; i += 2) { + // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... + const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); + d32[i + 0] = o0; + d32[i + 1] = o1; + s0 = ++counter; // increment counter inside state + } + } + xk.fill(0); + return { authKey, encKey: expandKeyLE(encKey) }; + } + function _computeTag(encKey, authKey, data) { + const tag = computeTag(_polyval_js_1.polyval, true, authKey, data, AAD); + // Compute the expected tag by XORing S_s and the nonce, clearing the + // most significant bit of the last byte and encrypting with the + // message-encryption key. + for (let i = 0; i < 12; i++) + tag[i] ^= nonce[i]; + tag[15] &= 0x7f; // Clear the highest bit + // encrypt tag as block + const t32 = (0, utils_js_1.u32)(tag); + // prettier-ignore + let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; + ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); + (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); + return tag; + } + // actual decrypt/encrypt of message. + function processSiv(encKey, tag, input) { + let block = tag.slice(); + block[15] |= 0x80; // Force highest bit + return ctr32(encKey, true, block, input); + } + return { + encrypt: (plaintext) => { + (0, _assert_js_1.bytes)(plaintext); + PLAIN_LIMIT(plaintext.length); + const { encKey, authKey } = deriveKeys(); + const tag = _computeTag(encKey, authKey, plaintext); + const out = new Uint8Array(plaintext.length + tagLength); + out.set(tag, plaintext.length); + out.set(processSiv(encKey, tag, plaintext)); + encKey.fill(0); + authKey.fill(0); + return out; + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + CIPHER_LIMIT(ciphertext.length); + const tag = ciphertext.subarray(-tagLength); + const { encKey, authKey } = deriveKeys(); + const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); + const expectedTag = _computeTag(encKey, authKey, plaintext); + encKey.fill(0); + authKey.fill(0); + if (!(0, utils_js_1.equalBytes)(tag, expectedTag)) + throw new Error('invalid polyval tag'); + return plaintext; + }, + }; +}); +function isBytes32(a) { + return (a != null && + typeof a === 'object' && + (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); +} +function encryptBlock(xk, block) { + (0, _assert_js_1.bytes)(block, 16); + if (!isBytes32(xk)) + throw new Error('_encryptBlock accepts result of expandKeyLE'); + const b32 = (0, utils_js_1.u32)(block); + let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +function decryptBlock(xk, block) { + (0, _assert_js_1.bytes)(block, 16); + if (!isBytes32(xk)) + throw new Error('_decryptBlock accepts result of expandKeyLE'); + const b32 = (0, utils_js_1.u32)(block); + let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +// Highly unsafe private functions for implementing new modes or ciphers based on AES +// Can change at any time, no API guarantees +exports.unsafe = { + expandKeyLE, + expandKeyDecLE, + encrypt, + decrypt, + encryptBlock, + decryptBlock, + ctrCounter, + ctr32, +}; +//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/chacha.js b/chacha.js new file mode 100644 index 0000000..a10250d --- /dev/null +++ b/chacha.js @@ -0,0 +1,323 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.hchacha = void 0; +// prettier-ignore +const utils_js_1 = require("./utils.js"); +const _poly1305_js_1 = require("./_poly1305.js"); +const _arx_js_1 = require("./_arx.js"); +const _assert_js_1 = require("./_assert.js"); +// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase +// the diffusion per round, but had slightly less cryptanalysis. +// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf +/** + * ChaCha core function. + */ +// prettier-ignore +function chachaCore(s, k, n, out, cnt, rounds = 20) { + let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" + y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key + y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key + y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hchacha helper method, used primarily in xchacha, to hash + * key and nonce into key' and nonce'. + * Same as chachaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +function hchacha(s, k, i, o32) { + let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; + for (let r = 0; r < 20; r += 2) { + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x01; + o32[oi++] = x02; + o32[oi++] = x03; + o32[oi++] = x12; + o32[oi++] = x13; + o32[oi++] = x14; + o32[oi++] = x15; +} +exports.hchacha = hchacha; +/** + * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. + */ +exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + allowShortKeys: true, +}); +/** + * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + allowShortKeys: false, +}); +/** + * XChaCha eXtended-nonce ChaCha. 24-byte nonce. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, + allowShortKeys: false, +}); +/** + * Reduced 8-round chacha, described in original paper. + */ +exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * Reduced 12-round chacha, described in original paper. + */ +exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +// Pad to digest size with zeros +const updatePadded = (h, msg) => { + h.update(msg); + const left = msg.length % 16; + if (left) + h.update(ZEROS16.subarray(left)); +}; +const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); +function computeTag(fn, key, nonce, data, AAD) { + const authKey = fn(key, nonce, ZEROS32); + const h = _poly1305_js_1.poly1305.create(authKey); + if (AAD) + updatePadded(h, AAD); + updatePadded(h, data); + const num = new Uint8Array(16); + const view = (0, utils_js_1.createView)(num); + (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); + (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length), true); + h.update(num); + const res = h.digest(); + authKey.fill(0); + return res; +} +/** + * AEAD algorithm from RFC 8439. + * Salsa20 and chacha (RFC 8439) use poly1305 differently. + * We could have composed them similar to: + * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 + * But it's hard because of authKey: + * In salsa20, authKey changes position in salsa stream. + * In chacha, authKey can't be computed inside computeTag, it modifies the counter. + */ +const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { + const tagLength = 16; + (0, _assert_js_1.bytes)(key, 32); + (0, _assert_js_1.bytes)(nonce); + return { + encrypt: (plaintext, output) => { + const plength = plaintext.length; + const clength = plength + tagLength; + if (output) { + (0, _assert_js_1.bytes)(output, clength); + } + else { + output = new Uint8Array(clength); + } + xorStream(key, nonce, plaintext, output, 1); + const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); + output.set(tag, plength); // append tag + return output; + }, + decrypt: (ciphertext, output) => { + const clength = ciphertext.length; + const plength = clength - tagLength; + if (clength < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + if (output) { + (0, _assert_js_1.bytes)(output, plength); + } + else { + output = new Uint8Array(plength); + } + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = computeTag(xorStream, key, nonce, data, AAD); + if (!(0, utils_js_1.equalBytes)(passedTag, tag)) + throw new Error('invalid tag'); + xorStream(key, nonce, data, output, 1); + return output; + }, + }; +}; +exports._poly1305_aead = _poly1305_aead; +/** + * ChaCha20-Poly1305 from RFC 8439. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); +/** + * XChaCha20-Poly1305 extended-nonce chacha. + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); +//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/crypto.js b/crypto.js new file mode 100644 index 0000000..e166f22 --- /dev/null +++ b/crypto.js @@ -0,0 +1,17 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.getWebcryptoSubtle = exports.randomBytes = void 0; +const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; +function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +exports.randomBytes = randomBytes; +function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +exports.getWebcryptoSubtle = getWebcryptoSubtle; +//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/cryptoNode.js b/cryptoNode.js new file mode 100644 index 0000000..ac61d9d --- /dev/null +++ b/cryptoNode.js @@ -0,0 +1,22 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.getWebcryptoSubtle = exports.randomBytes = void 0; +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// See utils.ts for details. +// The file will throw on node.js 14 and earlier. +// @ts-ignore +const nc = require("node:crypto"); +const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; +function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +exports.randomBytes = randomBytes; +function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +exports.getWebcryptoSubtle = getWebcryptoSubtle; +//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/_arx.js b/esm/_arx.js new file mode 100644 index 0000000..b949f4d --- /dev/null +++ b/esm/_arx.js @@ -0,0 +1,166 @@ +// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. +import { number as anumber, bytes as abytes, bool as abool } from './_assert.js'; +import { checkOpts, u32, utf8ToBytes } from './utils.js'; +/* +RFC8439 requires multi-step cipher stream, where +authKey starts with counter: 0, actual msg with counter: 1. + +For this, we need a way to re-use nonce / counter: + + const counter = new Uint8Array(4); + chacha(..., counter, ...); // counter is now 1 + chacha(..., counter, ...); // counter is now 2 + +This is complicated: + +- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB +- Original papers don't allow mutating counters +- Counter overflow is undefined [^1] +- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it +- Caveat: Cannot be re-used through all cases: +- * chacha has (counter | nonce) +- * xchacha has (nonce16 | counter | nonce16) +- Idea B: separate nonce / counter and provide separate API for counter re-use +- Caveat: there are different counter sizes depending on an algorithm. +- salsa & chacha also differ in structures of key & sigma: + salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] + chacha: s(4) | k(8) | ctr(1) | nonce(3) + chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) +- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` +- Caveat: we can't re-use counter array + +xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal +(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). + +[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ +[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 +*/ +const sigma16 = utf8ToBytes('expand 16-byte k'); +const sigma32 = utf8ToBytes('expand 32-byte k'); +const sigma16_32 = u32(sigma16); +const sigma32_32 = u32(sigma32); +export function rotl(a, b) { + return (a << b) | (a >>> (32 - b)); +} +// Is byte array aligned to 4 byte offset (u32)? +function isAligned32(b) { + return b.byteOffset % 4 === 0; +} +// Salsa and Chacha block length is always 512-bit +const BLOCK_LEN = 64; +const BLOCK_LEN32 = 16; +// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] +// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] +const MAX_COUNTER = 2 ** 32 - 1; +const U32_EMPTY = new Uint32Array(); +function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { + const len = data.length; + const block = new Uint8Array(BLOCK_LEN); + const b32 = u32(block); + // Make sure that buffers aligned to 4 bytes + const isAligned = isAligned32(data) && isAligned32(output); + const d32 = isAligned ? u32(data) : U32_EMPTY; + const o32 = isAligned ? u32(output) : U32_EMPTY; + for (let pos = 0; pos < len; counter++) { + core(sigma, key, nonce, b32, counter, rounds); + if (counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + const take = Math.min(BLOCK_LEN, len - pos); + // aligned to 4 bytes + if (isAligned && take === BLOCK_LEN) { + const pos32 = pos / 4; + if (pos % 4 !== 0) + throw new Error('arx: invalid block position'); + for (let j = 0, posj; j < BLOCK_LEN32; j++) { + posj = pos32 + j; + o32[posj] = d32[posj] ^ b32[j]; + } + pos += BLOCK_LEN; + continue; + } + for (let j = 0, posj; j < take; j++) { + posj = pos + j; + output[posj] = data[posj] ^ block[j]; + } + pos += take; + } +} +export function createCipher(core, opts) { + const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); + if (typeof core !== 'function') + throw new Error('core must be a function'); + anumber(counterLength); + anumber(rounds); + abool(counterRight); + abool(allowShortKeys); + return (key, nonce, data, output, counter = 0) => { + abytes(key); + abytes(nonce); + abytes(data); + const len = data.length; + if (!output) + output = new Uint8Array(len); + abytes(output); + anumber(counter); + if (counter < 0 || counter >= MAX_COUNTER) + throw new Error('arx: counter overflow'); + if (output.length < len) + throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); + const toClean = []; + // Key & sigma + // key=16 -> sigma16, k=key|key + // key=32 -> sigma32, k=key + let l = key.length, k, sigma; + if (l === 32) { + k = key.slice(); + toClean.push(k); + sigma = sigma32_32; + } + else if (l === 16 && allowShortKeys) { + k = new Uint8Array(32); + k.set(key); + k.set(key, 16); + sigma = sigma16_32; + toClean.push(k); + } + else { + throw new Error(`arx: invalid 32-byte key, got length=${l}`); + } + // Nonce + // salsa20: 8 (8-byte counter) + // chacha20orig: 8 (8-byte counter) + // chacha20: 12 (4-byte counter) + // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) + // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) + // Align nonce to 4 bytes + if (!isAligned32(nonce)) { + nonce = nonce.slice(); + toClean.push(nonce); + } + const k32 = u32(k); + // hsalsa & hchacha: handle extended nonce + if (extendNonceFn) { + if (nonce.length !== 24) + throw new Error(`arx: extended nonce must be 24 bytes`); + extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32); + nonce = nonce.subarray(16); + } + // Handle nonce counter + const nonceNcLen = 16 - counterLength; + if (nonceNcLen !== nonce.length) + throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); + // Pad counter when nonce is 64 bit + if (nonceNcLen !== 12) { + const nc = new Uint8Array(12); + nc.set(nonce, counterRight ? 0 : 12 - nonce.length); + nonce = nc; + toClean.push(nonce); + } + const n32 = u32(nonce); + runCipher(core, sigma, k32, n32, data, output, counter, rounds); + while (toClean.length > 0) + toClean.pop().fill(0); + return output; + }; +} +//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/esm/_assert.js b/esm/_assert.js new file mode 100644 index 0000000..330fa25 --- /dev/null +++ b/esm/_assert.js @@ -0,0 +1,41 @@ +function number(n) { + if (!Number.isSafeInteger(n) || n < 0) + throw new Error(`positive integer expected, not ${n}`); +} +function bool(b) { + if (typeof b !== 'boolean') + throw new Error(`boolean expected, not ${b}`); +} +export function isBytes(a) { + return (a instanceof Uint8Array || + (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); +} +function bytes(b, ...lengths) { + if (!isBytes(b)) + throw new Error('Uint8Array expected'); + if (lengths.length > 0 && !lengths.includes(b.length)) + throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); +} +function hash(hash) { + if (typeof hash !== 'function' || typeof hash.create !== 'function') + throw new Error('hash must be wrapped by utils.wrapConstructor'); + number(hash.outputLen); + number(hash.blockLen); +} +function exists(instance, checkFinished = true) { + if (instance.destroyed) + throw new Error('Hash instance has been destroyed'); + if (checkFinished && instance.finished) + throw new Error('Hash#digest() has already been called'); +} +function output(out, instance) { + bytes(out); + const min = instance.outputLen; + if (out.length < min) { + throw new Error(`digestInto() expects output buffer of length at least ${min}`); + } +} +export { number, bool, bytes, hash, exists, output }; +const assert = { number, bool, bytes, hash, exists, output }; +export default assert; +//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/esm/_micro.js b/esm/_micro.js new file mode 100644 index 0000000..fae5252 --- /dev/null +++ b/esm/_micro.js @@ -0,0 +1,287 @@ +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +// prettier-ignore +import { createView, setBigUint64, wrapCipher, bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE, } from './utils.js'; +import { createCipher, rotl } from './_arx.js'; +import { bytes as abytes } from './_assert.js'; +/* +noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. +Implements the same algorithms that are present in other files, but without +unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). +*/ +function bytesToNumberLE(bytes) { + return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse())); +} +function numberToBytesLE(n, len) { + return numberToBytesBE(n, len).reverse(); +} +function salsaQR(x, a, b, c, d) { + x[b] ^= rotl((x[a] + x[d]) | 0, 7); + x[c] ^= rotl((x[b] + x[a]) | 0, 9); + x[d] ^= rotl((x[c] + x[b]) | 0, 13); + x[a] ^= rotl((x[d] + x[c]) | 0, 18); +} +// prettier-ignore +function chachaQR(x, a, b, c, d) { + x[a] = (x[a] + x[b]) | 0; + x[d] = rotl(x[d] ^ x[a], 16); + x[c] = (x[c] + x[d]) | 0; + x[b] = rotl(x[b] ^ x[c], 12); + x[a] = (x[a] + x[b]) | 0; + x[d] = rotl(x[d] ^ x[a], 8); + x[c] = (x[c] + x[d]) | 0; + x[b] = rotl(x[b] ^ x[c], 7); +} +function salsaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + salsaQR(x, 0, 4, 8, 12); + salsaQR(x, 5, 9, 13, 1); + salsaQR(x, 10, 14, 2, 6); + salsaQR(x, 15, 3, 7, 11); + salsaQR(x, 0, 1, 2, 3); + salsaQR(x, 5, 6, 7, 4); + salsaQR(x, 10, 11, 8, 9); + salsaQR(x, 15, 12, 13, 14); + } +} +function chachaRound(x, rounds = 20) { + for (let r = 0; r < rounds; r += 2) { + chachaQR(x, 0, 4, 8, 12); + chachaQR(x, 1, 5, 9, 13); + chachaQR(x, 2, 6, 10, 14); + chachaQR(x, 3, 7, 11, 15); + chachaQR(x, 0, 5, 10, 15); + chachaQR(x, 1, 6, 11, 12); + chachaQR(x, 2, 7, 8, 13); + chachaQR(x, 3, 4, 9, 14); + } +} +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], k[0], k[1], k[2], // "expa" Key Key Key + k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce + cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key + k[5], k[6], k[7], s[3], // Key Key Key "te k" + ]); + const x = y.slice(); + salsaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +export function hsalsa(s, k, i, o32) { + const x = new Uint32Array([ + s[0], k[0], k[1], k[2], + k[3], s[1], i[0], i[1], + i[2], i[3], s[2], k[4], + k[5], k[6], k[7], s[3] + ]); + salsaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[5]; + o32[oi++] = x[10]; + o32[oi++] = x[15]; + o32[oi++] = x[6]; + o32[oi++] = x[7]; + o32[oi++] = x[8]; + o32[oi++] = x[9]; +} +function chachaCore(s, k, n, out, cnt, rounds = 20) { + // prettier-ignore + const y = new Uint32Array([ + s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" + k[0], k[1], k[2], k[3], // Key Key Key Key + k[4], k[5], k[6], k[7], // Key Key Key Key + cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce + ]); + const x = y.slice(); + chachaRound(x, rounds); + for (let i = 0; i < 16; i++) + out[i] = (y[i] + x[i]) | 0; +} +// prettier-ignore +export function hchacha(s, k, i, o32) { + const x = new Uint32Array([ + s[0], s[1], s[2], s[3], + k[0], k[1], k[2], k[3], + k[4], k[5], k[6], k[7], + i[0], i[1], i[2], i[3], + ]); + chachaRound(x, 20); + let oi = 0; + o32[oi++] = x[0]; + o32[oi++] = x[1]; + o32[oi++] = x[2]; + o32[oi++] = x[3]; + o32[oi++] = x[12]; + o32[oi++] = x[13]; + o32[oi++] = x[14]; + o32[oi++] = x[15]; +} +/** + * salsa20, 12-byte nonce. + */ +export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20, 24-byte nonce. + */ +export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. + */ +export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { + allowShortKeys: true, + counterRight: false, + counterLength: 8, +}); +/** + * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. + */ +export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, +}); +/** + * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, +}); +/** + * 8-round chacha from the original paper. + */ +export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * 12-round chacha from the original paper. + */ +export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); +const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); +const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); +const _0 = BigInt(0); +const _1 = BigInt(1); +// Can be speed-up using BigUint64Array, but would be more complicated +export function poly1305(msg, key) { + abytes(msg); + abytes(key); + let acc = _0; + const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; + const s = bytesToNumberLE(key.subarray(16)); + // Process by 16 byte chunks + for (let i = 0; i < msg.length; i += 16) { + const m = msg.subarray(i, i + 16); + const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); + acc = ((acc + n) * r) % POW_2_130_5; + } + const res = (acc + s) & POW_2_128_1; + return numberToBytesLE(res, 16); +} +function computeTag(fn, key, nonce, ciphertext, AAD) { + const res = []; + if (AAD) { + res.push(AAD); + const leftover = AAD.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + } + res.push(ciphertext); + const leftover = ciphertext.length % 16; + if (leftover > 0) + res.push(new Uint8Array(16 - leftover)); + // Lengths + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + res.push(num); + const authKey = fn(key, nonce, new Uint8Array(32)); + return poly1305(concatBytes(...res), authKey); +} +/** + * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. + */ +export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { + abytes(key); + abytes(nonce); + return { + encrypt: (plaintext) => { + abytes(plaintext); + const m = concatBytes(new Uint8Array(32), plaintext); + const c = xsalsa20(key, nonce, m); + const authKey = c.subarray(0, 32); + const data = c.subarray(32); + const tag = poly1305(data, authKey); + return concatBytes(tag, data); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < 16) + throw new Error('encrypted data must be at least 16 bytes'); + const c = concatBytes(new Uint8Array(16), ciphertext); + const authKey = xsalsa20(key, nonce, new Uint8Array(32)); + const tag = poly1305(c.subarray(32), authKey); + if (!equalBytes(c.subarray(16, 32), tag)) + throw new Error('invalid poly1305 tag'); + return xsalsa20(key, nonce, c).subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20-poly1305 + */ +export function secretbox(key, nonce) { + const xs = xsalsa20poly1305(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +export const _poly1305_aead = (fn) => (key, nonce, AAD) => { + const tagLength = 16; + const keyLength = 32; + abytes(key, keyLength); + abytes(nonce); + return { + encrypt: (plaintext) => { + abytes(plaintext); + const res = fn(key, nonce, plaintext, undefined, 1); + const tag = computeTag(fn, key, nonce, res, AAD); + return concatBytes(res, tag); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + const passedTag = ciphertext.subarray(-tagLength); + const data = ciphertext.subarray(0, -tagLength); + const tag = computeTag(fn, key, nonce, data, AAD); + if (!equalBytes(passedTag, tag)) + throw new Error('invalid poly1305 tag'); + return fn(key, nonce, data, undefined, 1); + }, + }; +}; +/** + * chacha20-poly1305 12-byte-nonce chacha. + */ +export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); +/** + * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); +//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/esm/_poly1305.js b/esm/_poly1305.js new file mode 100644 index 0000000..883c3a5 --- /dev/null +++ b/esm/_poly1305.js @@ -0,0 +1,264 @@ +import { exists as aexists, bytes as abytes, output as aoutput } from './_assert.js'; +import { toBytes } from './utils.js'; +// Poly1305 is a fast and parallel secret-key message-authentication code. +// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf +// https://datatracker.ietf.org/doc/html/rfc8439 +// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna +const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); +class Poly1305 { + constructor(key) { + this.blockLen = 16; + this.outputLen = 16; + this.buffer = new Uint8Array(16); + this.r = new Uint16Array(10); + this.h = new Uint16Array(10); + this.pad = new Uint16Array(8); + this.pos = 0; + this.finished = false; + key = toBytes(key); + abytes(key, 32); + const t0 = u8to16(key, 0); + const t1 = u8to16(key, 2); + const t2 = u8to16(key, 4); + const t3 = u8to16(key, 6); + const t4 = u8to16(key, 8); + const t5 = u8to16(key, 10); + const t6 = u8to16(key, 12); + const t7 = u8to16(key, 14); + // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 + this.r[0] = t0 & 0x1fff; + this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; + this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; + this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; + this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; + this.r[5] = (t4 >>> 1) & 0x1ffe; + this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; + this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; + this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; + this.r[9] = (t7 >>> 5) & 0x007f; + for (let i = 0; i < 8; i++) + this.pad[i] = u8to16(key, 16 + 2 * i); + } + process(data, offset, isLast = false) { + const hibit = isLast ? 0 : 1 << 11; + const { h, r } = this; + const r0 = r[0]; + const r1 = r[1]; + const r2 = r[2]; + const r3 = r[3]; + const r4 = r[4]; + const r5 = r[5]; + const r6 = r[6]; + const r7 = r[7]; + const r8 = r[8]; + const r9 = r[9]; + const t0 = u8to16(data, offset + 0); + const t1 = u8to16(data, offset + 2); + const t2 = u8to16(data, offset + 4); + const t3 = u8to16(data, offset + 6); + const t4 = u8to16(data, offset + 8); + const t5 = u8to16(data, offset + 10); + const t6 = u8to16(data, offset + 12); + const t7 = u8to16(data, offset + 14); + let h0 = h[0] + (t0 & 0x1fff); + let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); + let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); + let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); + let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); + let h5 = h[5] + ((t4 >>> 1) & 0x1fff); + let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); + let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); + let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); + let h9 = h[9] + ((t7 >>> 5) | hibit); + let c = 0; + let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); + c = d0 >>> 13; + d0 &= 0x1fff; + d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); + c += d0 >>> 13; + d0 &= 0x1fff; + let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); + c = d1 >>> 13; + d1 &= 0x1fff; + d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); + c += d1 >>> 13; + d1 &= 0x1fff; + let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); + c = d2 >>> 13; + d2 &= 0x1fff; + d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); + c += d2 >>> 13; + d2 &= 0x1fff; + let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); + c = d3 >>> 13; + d3 &= 0x1fff; + d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); + c += d3 >>> 13; + d3 &= 0x1fff; + let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; + c = d4 >>> 13; + d4 &= 0x1fff; + d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); + c += d4 >>> 13; + d4 &= 0x1fff; + let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; + c = d5 >>> 13; + d5 &= 0x1fff; + d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); + c += d5 >>> 13; + d5 &= 0x1fff; + let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; + c = d6 >>> 13; + d6 &= 0x1fff; + d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); + c += d6 >>> 13; + d6 &= 0x1fff; + let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; + c = d7 >>> 13; + d7 &= 0x1fff; + d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); + c += d7 >>> 13; + d7 &= 0x1fff; + let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; + c = d8 >>> 13; + d8 &= 0x1fff; + d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); + c += d8 >>> 13; + d8 &= 0x1fff; + let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; + c = d9 >>> 13; + d9 &= 0x1fff; + d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; + c += d9 >>> 13; + d9 &= 0x1fff; + c = ((c << 2) + c) | 0; + c = (c + d0) | 0; + d0 = c & 0x1fff; + c = c >>> 13; + d1 += c; + h[0] = d0; + h[1] = d1; + h[2] = d2; + h[3] = d3; + h[4] = d4; + h[5] = d5; + h[6] = d6; + h[7] = d7; + h[8] = d8; + h[9] = d9; + } + finalize() { + const { h, pad } = this; + const g = new Uint16Array(10); + let c = h[1] >>> 13; + h[1] &= 0x1fff; + for (let i = 2; i < 10; i++) { + h[i] += c; + c = h[i] >>> 13; + h[i] &= 0x1fff; + } + h[0] += c * 5; + c = h[0] >>> 13; + h[0] &= 0x1fff; + h[1] += c; + c = h[1] >>> 13; + h[1] &= 0x1fff; + h[2] += c; + g[0] = h[0] + 5; + c = g[0] >>> 13; + g[0] &= 0x1fff; + for (let i = 1; i < 10; i++) { + g[i] = h[i] + c; + c = g[i] >>> 13; + g[i] &= 0x1fff; + } + g[9] -= 1 << 13; + let mask = (c ^ 1) - 1; + for (let i = 0; i < 10; i++) + g[i] &= mask; + mask = ~mask; + for (let i = 0; i < 10; i++) + h[i] = (h[i] & mask) | g[i]; + h[0] = (h[0] | (h[1] << 13)) & 0xffff; + h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; + h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; + h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; + h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; + h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; + h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; + h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; + let f = h[0] + pad[0]; + h[0] = f & 0xffff; + for (let i = 1; i < 8; i++) { + f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; + h[i] = f & 0xffff; + } + } + update(data) { + aexists(this); + const { buffer, blockLen } = this; + data = toBytes(data); + const len = data.length; + for (let pos = 0; pos < len;) { + const take = Math.min(blockLen - this.pos, len - pos); + // Fast path: we have at least one block in input + if (take === blockLen) { + for (; blockLen <= len - pos; pos += blockLen) + this.process(data, pos); + continue; + } + buffer.set(data.subarray(pos, pos + take), this.pos); + this.pos += take; + pos += take; + if (this.pos === blockLen) { + this.process(buffer, 0, false); + this.pos = 0; + } + } + return this; + } + destroy() { + this.h.fill(0); + this.r.fill(0); + this.buffer.fill(0); + this.pad.fill(0); + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + const { buffer, h } = this; + let { pos } = this; + if (pos) { + buffer[pos++] = 1; + // buffer.subarray(pos).fill(0); + for (; pos < 16; pos++) + buffer[pos] = 0; + this.process(buffer, 0, true); + } + this.finalize(); + let opos = 0; + for (let i = 0; i < 8; i++) { + out[opos++] = h[i] >>> 0; + out[opos++] = h[i] >>> 8; + } + return out; + } + digest() { + const { buffer, outputLen } = this; + this.digestInto(buffer); + const res = buffer.slice(0, outputLen); + this.destroy(); + return res; + } +} +export function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); + const tmp = hashCons(new Uint8Array(32)); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key) => hashCons(key); + return hashC; +} +export const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); +//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/esm/_polyval.js b/esm/_polyval.js new file mode 100644 index 0000000..4c64930 --- /dev/null +++ b/esm/_polyval.js @@ -0,0 +1,217 @@ +import { createView, toBytes, u32 } from './utils.js'; +import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js'; +// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. +// Implemented in terms of GHash with conversion function for keys +// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. +// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf +// GHASH modulo: x^128 + x^7 + x^2 + x + 1 +// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 +const BLOCK_SIZE = 16; +// TODO: rewrite +// temporary padding buffer +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +const ZEROS32 = u32(ZEROS16); +const POLY = 0xe1; // v = 2*v % POLY +// v = 2*v % POLY +// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x +// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) +const mul2 = (s0, s1, s2, s3) => { + const hiBit = s3 & 1; + return { + s3: (s2 << 31) | (s3 >>> 1), + s2: (s1 << 31) | (s2 >>> 1), + s1: (s0 << 31) | (s1 >>> 1), + s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly + }; +}; +const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | + (((n >>> 8) & 0xff) << 16) | + (((n >>> 16) & 0xff) << 8) | + ((n >>> 24) & 0xff) | + 0; +/** + * `mulX_POLYVAL(ByteReverse(H))` from spec + * @param k mutated in place + */ +export function _toGHASHKey(k) { + k.reverse(); + const hiBit = k[15] & 1; + // k >>= 1 + let carry = 0; + for (let i = 0; i < k.length; i++) { + const t = k[i]; + k[i] = (t >>> 1) | carry; + carry = (t & 1) << 7; + } + k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; + return k; +} +const estimateWindow = (bytes) => { + if (bytes > 64 * 1024) + return 8; + if (bytes > 1024) + return 4; + return 2; +}; +class GHASH { + // We select bits per window adaptively based on expectedLength + constructor(key, expectedLength) { + this.blockLen = BLOCK_SIZE; + this.outputLen = BLOCK_SIZE; + this.s0 = 0; + this.s1 = 0; + this.s2 = 0; + this.s3 = 0; + this.finished = false; + key = toBytes(key); + abytes(key, 16); + const kView = createView(key); + let k0 = kView.getUint32(0, false); + let k1 = kView.getUint32(4, false); + let k2 = kView.getUint32(8, false); + let k3 = kView.getUint32(12, false); + // generate table of doubled keys (half of montgomery ladder) + const doubles = []; + for (let i = 0; i < 128; i++) { + doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); + ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); + } + const W = estimateWindow(expectedLength || 1024); + if (![1, 2, 4, 8].includes(W)) + throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); + this.W = W; + const bits = 128; // always 128 bits; + const windows = bits / W; + const windowSize = (this.windowSize = 2 ** W); + const items = []; + // Create precompute table for window of W bits + for (let w = 0; w < windows; w++) { + // truth table: 00, 01, 10, 11 + for (let byte = 0; byte < windowSize; byte++) { + // prettier-ignore + let s0 = 0, s1 = 0, s2 = 0, s3 = 0; + for (let j = 0; j < W; j++) { + const bit = (byte >>> (W - j - 1)) & 1; + if (!bit) + continue; + const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; + (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); + } + items.push({ s0, s1, s2, s3 }); + } + } + this.t = items; + } + _updateBlock(s0, s1, s2, s3) { + (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); + const { W, t, windowSize } = this; + // prettier-ignore + let o0 = 0, o1 = 0, o2 = 0, o3 = 0; + const mask = (1 << W) - 1; // 2**W will kill performance. + let w = 0; + for (const num of [s0, s1, s2, s3]) { + for (let bytePos = 0; bytePos < 4; bytePos++) { + const byte = (num >>> (8 * bytePos)) & 0xff; + for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { + const bit = (byte >>> (W * bitPos)) & mask; + const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; + (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); + w += 1; + } + } + } + this.s0 = o0; + this.s1 = o1; + this.s2 = o2; + this.s3 = o3; + } + update(data) { + data = toBytes(data); + aexists(this); + const b32 = u32(data); + const blocks = Math.floor(data.length / BLOCK_SIZE); + const left = data.length % BLOCK_SIZE; + for (let i = 0; i < blocks; i++) { + this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + destroy() { + const { t } = this; + // clean precompute table + for (const elm of t) { + (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); + } + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + const { s0, s1, s2, s3 } = this; + const o32 = u32(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out; + } + digest() { + const res = new Uint8Array(BLOCK_SIZE); + this.digestInto(res); + this.destroy(); + return res; + } +} +class Polyval extends GHASH { + constructor(key, expectedLength) { + key = toBytes(key); + const ghKey = _toGHASHKey(key.slice()); + super(ghKey, expectedLength); + ghKey.fill(0); + } + update(data) { + data = toBytes(data); + aexists(this); + const b32 = u32(data); + const left = data.length % BLOCK_SIZE; + const blocks = Math.floor(data.length / BLOCK_SIZE); + for (let i = 0; i < blocks; i++) { + this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); + } + if (left) { + ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); + this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); + ZEROS32.fill(0); // clean tmp buffer + } + return this; + } + digestInto(out) { + aexists(this); + aoutput(out, this); + this.finished = true; + // tmp ugly hack + const { s0, s1, s2, s3 } = this; + const o32 = u32(out); + o32[0] = s0; + o32[1] = s1; + o32[2] = s2; + o32[3] = s3; + return out.reverse(); + } +} +function wrapConstructorWithKey(hashCons) { + const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest(); + const tmp = hashCons(new Uint8Array(16), 0); + hashC.outputLen = tmp.outputLen; + hashC.blockLen = tmp.blockLen; + hashC.create = (key, expectedLength) => hashCons(key, expectedLength); + return hashC; +} +export const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); +export const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); +//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/esm/aes.js b/esm/aes.js new file mode 100644 index 0000000..a26e498 --- /dev/null +++ b/esm/aes.js @@ -0,0 +1,628 @@ +// prettier-ignore +import { wrapCipher, createView, setBigUint64, equalBytes, u32, u8, } from './utils.js'; +import { ghash, polyval } from './_polyval.js'; +import { bytes as abytes } from './_assert.js'; +/* +AES (Advanced Encryption Standard) aka Rijndael block cipher. + +Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: +1. **S-box**, table substitution +2. **Shift rows**, cyclic shift left of all rows of data array +3. **Mix columns**, multiplying every column by fixed polynomial +4. **Add round key**, round_key xor i-th column of array + +Resources: +- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf +- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf +*/ +const BLOCK_SIZE = 16; +const BLOCK_SIZE32 = 4; +const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); +const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 +// TODO: remove multiplication, binary ops only +function mul2(n) { + return (n << 1) ^ (POLY & -(n >> 7)); +} +function mul(a, b) { + let res = 0; + for (; b > 0; b >>= 1) { + // Montgomery ladder + res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). + a = mul2(a); // a = 2*a + } + return res; +} +// AES S-box is generated using finite field inversion, +// an affine transform, and xor of a constant 0x63. +const sbox = /* @__PURE__ */ (() => { + let t = new Uint8Array(256); + for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) + t[i] = x; + const box = new Uint8Array(256); + box[0] = 0x63; // first elm + for (let i = 0; i < 255; i++) { + let x = t[255 - i]; + x |= x << 8; + box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; + } + return box; +})(); +// Inverted S-box +const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); +// Rotate u32 by 8 +const rotr32_8 = (n) => (n << 24) | (n >>> 8); +const rotl32_8 = (n) => (n << 8) | (n >>> 24); +// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: +// - LE instead of BE +// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; +// so index is u16, instead of u8. This speeds up things, unexpectedly +function genTtable(sbox, fn) { + if (sbox.length !== 256) + throw new Error('Wrong sbox length'); + const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); + const T1 = T0.map(rotl32_8); + const T2 = T1.map(rotl32_8); + const T3 = T2.map(rotl32_8); + const T01 = new Uint32Array(256 * 256); + const T23 = new Uint32Array(256 * 256); + const sbox2 = new Uint16Array(256 * 256); + for (let i = 0; i < 256; i++) { + for (let j = 0; j < 256; j++) { + const idx = i * 256 + j; + T01[idx] = T0[i] ^ T1[j]; + T23[idx] = T2[i] ^ T3[j]; + sbox2[idx] = (sbox[i] << 8) | sbox[j]; + } + } + return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; +} +const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); +const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); +const xPowers = /* @__PURE__ */ (() => { + const p = new Uint8Array(16); + for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) + p[i] = x; + return p; +})(); +export function expandKeyLE(key) { + abytes(key); + const len = key.length; + if (![16, 24, 32].includes(len)) + throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); + const { sbox2 } = tableEncoding; + const k32 = u32(key); + const Nk = k32.length; + const subByte = (n) => applySbox(sbox2, n, n, n, n); + const xk = new Uint32Array(len + 28); // expanded key + xk.set(k32); + // 4.3.1 Key expansion + for (let i = Nk; i < xk.length; i++) { + let t = xk[i - 1]; + if (i % Nk === 0) + t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; + else if (Nk > 6 && i % Nk === 4) + t = subByte(t); + xk[i] = xk[i - Nk] ^ t; + } + return xk; +} +export function expandKeyDecLE(key) { + const encKey = expandKeyLE(key); + const xk = encKey.slice(); + const Nk = encKey.length; + const { sbox2 } = tableEncoding; + const { T0, T1, T2, T3 } = tableDecoding; + // Inverse key by chunks of 4 (rounds) + for (let i = 0; i < Nk; i += 4) { + for (let j = 0; j < 4; j++) + xk[i + j] = encKey[Nk - i - 4 + j]; + } + encKey.fill(0); + // apply InvMixColumn except first & last round + for (let i = 4; i < Nk - 4; i++) { + const x = xk[i]; + const w = applySbox(sbox2, x, x, x, x); + xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; + } + return xk; +} +// Apply tables +function apply0123(T01, T23, s0, s1, s2, s3) { + return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ + T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); +} +function applySbox(sbox2, s0, s1, s2, s3) { + return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | + (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); +} +function encrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableEncoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // last round (without mixcolumns, so using SBOX2 table) + const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function decrypt(xk, s0, s1, s2, s3) { + const { sbox2, T01, T23 } = tableDecoding; + let k = 0; + (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); + const rounds = xk.length / 4 - 2; + for (let i = 0; i < rounds; i++) { + const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); + const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); + const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); + const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); + (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); + } + // Last round + const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); + const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); + const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); + const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); + return { s0: t0, s1: t1, s2: t2, s3: t3 }; +} +function getDst(len, dst) { + if (!dst) + return new Uint8Array(len); + abytes(dst); + if (dst.length < len) + throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); + return dst; +} +// TODO: investigate merging with ctr32 +function ctrCounter(xk, nonce, src, dst) { + abytes(nonce, BLOCK_SIZE); + abytes(src); + const srcLen = src.length; + dst = getDst(srcLen, dst); + const ctr = nonce; + const c32 = u32(ctr); + // Fill block (empty, ctr=0) + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + const src32 = u32(src); + const dst32 = u32(dst); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + // Full 128 bit counter with wrap around + let carry = 1; + for (let i = ctr.length - 1; i >= 0; i--) { + carry = (carry + (ctr[i] & 0xff)) | 0; + ctr[i] = carry & 0xff; + carry >>>= 8; + } + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than block) + // It's possible to handle > u32 fast, but is it worth it? + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = u8(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +// AES CTR with overflowing 32 bit counter +// It's possible to do 32le significantly simpler (and probably faster) by using u32. +// But, we need both, and perf bottleneck is in ghash anyway. +function ctr32(xk, isLE, nonce, src, dst) { + abytes(nonce, BLOCK_SIZE); + abytes(src); + dst = getDst(src.length, dst); + const ctr = nonce; // write new value to nonce, so it can be re-used + const c32 = u32(ctr); + const view = createView(ctr); + const src32 = u32(src); + const dst32 = u32(dst); + const ctrPos = isLE ? 0 : 12; + const srcLen = src.length; + // Fill block (empty, ctr=0) + let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value + let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); + // process blocks + for (let i = 0; i + 4 <= src32.length; i += 4) { + dst32[i + 0] = src32[i + 0] ^ s0; + dst32[i + 1] = src32[i + 1] ^ s1; + dst32[i + 2] = src32[i + 2] ^ s2; + dst32[i + 3] = src32[i + 3] ^ s3; + ctrNum = (ctrNum + 1) >>> 0; // u32 wrap + view.setUint32(ctrPos, ctrNum, isLE); + ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); + } + // leftovers (less than a block) + const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); + if (start < srcLen) { + const b32 = new Uint32Array([s0, s1, s2, s3]); + const buf = u8(b32); + for (let i = start, pos = 0; i < srcLen; i++, pos++) + dst[i] = src[i] ^ buf[pos]; + } + return dst; +} +/** + * CTR: counter mode. Creates stream cipher. + * Requires good IV. Parallelizable. OK, but no MAC. + */ +export const ctr = wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { + abytes(key); + abytes(nonce, BLOCK_SIZE); + function processCtr(buf, dst) { + const xk = expandKeyLE(key); + const n = nonce.slice(); + const out = ctrCounter(xk, n, buf, dst); + xk.fill(0); + n.fill(0); + return out; + } + return { + encrypt: (plaintext, dst) => processCtr(plaintext, dst), + decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), + }; +}); +function validateBlockDecrypt(data) { + abytes(data); + if (data.length % BLOCK_SIZE !== 0) { + throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); + } +} +function validateBlockEncrypt(plaintext, pcks5, dst) { + let outLen = plaintext.length; + const remaining = outLen % BLOCK_SIZE; + if (!pcks5 && remaining !== 0) + throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); + const b = u32(plaintext); + if (pcks5) { + let left = BLOCK_SIZE - remaining; + if (!left) + left = BLOCK_SIZE; // if no bytes left, create empty padding block + outLen = outLen + left; + } + const out = getDst(outLen, dst); + const o = u32(out); + return { b, o, out }; +} +function validatePCKS(data, pcks5) { + if (!pcks5) + return data; + const len = data.length; + if (!len) + throw new Error(`aes/pcks5: empty ciphertext not allowed`); + const lastByte = data[len - 1]; + if (lastByte <= 0 || lastByte > 16) + throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); + const out = data.subarray(0, -lastByte); + for (let i = 0; i < lastByte; i++) + if (data[len - i - 1] !== lastByte) + throw new Error(`aes/pcks5: wrong padding`); + return out; +} +function padPCKS(left) { + const tmp = new Uint8Array(16); + const tmp32 = u32(tmp); + tmp.set(left); + const paddingByte = BLOCK_SIZE - left.length; + for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) + tmp[i] = paddingByte; + return tmp32; +} +/** + * ECB: Electronic CodeBook. Simple deterministic replacement. + * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). + */ +export const ecb = wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) { + abytes(key); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + abytes(plaintext); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const xk = expandKeyLE(key); + let i = 0; + for (; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const out = getDst(ciphertext.length, dst); + const b = u32(ciphertext); + const o = u32(out); + for (let i = 0; i + 4 <= b.length;) { + const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +/** + * CBC: Cipher-Block-Chaining. Key is previous round’s block. + * Fragile: needs proper padding. Unauthenticated: needs MAC. + */ +export const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { + abytes(key); + abytes(iv, 16); + const pcks5 = !opts.disablePadding; + return { + encrypt: (plaintext, dst) => { + const xk = expandKeyLE(key); + const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); + const n32 = u32(iv); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + let i = 0; + for (; i + 4 <= b.length;) { + (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + if (pcks5) { + const tmp32 = padPCKS(plaintext.subarray(i * 4)); + (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); + ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); + (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); + } + xk.fill(0); + return _out; + }, + decrypt: (ciphertext, dst) => { + validateBlockDecrypt(ciphertext); + const xk = expandKeyDecLE(key); + const n32 = u32(iv); + const out = getDst(ciphertext.length, dst); + const b = u32(ciphertext); + const o = u32(out); + // prettier-ignore + let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; + for (let i = 0; i + 4 <= b.length;) { + // prettier-ignore + const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; + (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); + const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); + (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); + } + xk.fill(0); + return validatePCKS(out, pcks5); + }, + }; +}); +// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen +function computeTag(fn, isLE, key, data, AAD) { + const h = fn.create(key, data.length + (AAD?.length || 0)); + if (AAD) + h.update(AAD); + h.update(data); + const num = new Uint8Array(16); + const view = createView(num); + if (AAD) + setBigUint64(view, 0, BigInt(AAD.length * 8), isLE); + setBigUint64(view, 8, BigInt(data.length * 8), isLE); + h.update(num); + return h.digest(); +} +/** + * GCM: Galois/Counter Mode. + * Good, modern version of CTR, parallel, with MAC. + * Be careful: MACs can be forged. + */ +export const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { + abytes(nonce); + // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. + if (nonce.length === 0) + throw new Error('aes/gcm: empty nonce'); + const tagLength = 16; + function _computeTag(authKey, tagMask, data) { + const tag = computeTag(ghash, false, authKey, data, AAD); + for (let i = 0; i < tagMask.length; i++) + tag[i] ^= tagMask[i]; + return tag; + } + function deriveKeys() { + const xk = expandKeyLE(key); + const authKey = EMPTY_BLOCK.slice(); + const counter = EMPTY_BLOCK.slice(); + ctr32(xk, false, counter, counter, authKey); + if (nonce.length === 12) { + counter.set(nonce); + } + else { + // Spec (NIST 800-38d) supports variable size nonce. + // Not supported for now, but can be useful. + const nonceLen = EMPTY_BLOCK.slice(); + const view = createView(nonceLen); + setBigUint64(view, 8, BigInt(nonce.length * 8), false); + // ghash(nonce || u64be(0) || u64be(nonceLen*8)) + ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); + } + const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); + return { xk, authKey, counter, tagMask }; + } + return { + encrypt: (plaintext) => { + abytes(plaintext); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const out = new Uint8Array(plaintext.length + tagLength); + ctr32(xk, false, counter, plaintext, out); + const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); + out.set(tag, plaintext.length); + xk.fill(0); + return out; + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + if (ciphertext.length < tagLength) + throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); + const { xk, authKey, counter, tagMask } = deriveKeys(); + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = _computeTag(authKey, tagMask, data); + if (!equalBytes(tag, passedTag)) + throw new Error('aes/gcm: invalid ghash tag'); + const out = ctr32(xk, false, counter, data); + authKey.fill(0); + tagMask.fill(0); + xk.fill(0); + return out; + }, + }; +}); +const limit = (name, min, max) => (value) => { + if (!Number.isSafeInteger(value) || min > value || value > max) + throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); +}; +/** + * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. + * Guarantees that, when a nonce is repeated, the only security loss is that identical + * plaintexts will produce identical ciphertexts. + * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 + */ +export const siv = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { + const tagLength = 16; + // From RFC 8452: Section 6 + const AAD_LIMIT = limit('AAD', 0, 2 ** 36); + const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); + const NONCE_LIMIT = limit('nonce', 12, 12); + const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); + abytes(nonce); + NONCE_LIMIT(nonce.length); + if (AAD) { + abytes(AAD); + AAD_LIMIT(AAD.length); + } + function deriveKeys() { + const len = key.length; + if (len !== 16 && len !== 24 && len !== 32) + throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); + const xk = expandKeyLE(key); + const encKey = new Uint8Array(len); + const authKey = new Uint8Array(16); + const n32 = u32(nonce); + // prettier-ignore + let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; + let counter = 0; + for (const derivedKey of [authKey, encKey].map(u32)) { + const d32 = u32(derivedKey); + for (let i = 0; i < d32.length; i += 2) { + // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... + const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); + d32[i + 0] = o0; + d32[i + 1] = o1; + s0 = ++counter; // increment counter inside state + } + } + xk.fill(0); + return { authKey, encKey: expandKeyLE(encKey) }; + } + function _computeTag(encKey, authKey, data) { + const tag = computeTag(polyval, true, authKey, data, AAD); + // Compute the expected tag by XORing S_s and the nonce, clearing the + // most significant bit of the last byte and encrypting with the + // message-encryption key. + for (let i = 0; i < 12; i++) + tag[i] ^= nonce[i]; + tag[15] &= 0x7f; // Clear the highest bit + // encrypt tag as block + const t32 = u32(tag); + // prettier-ignore + let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; + ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); + (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); + return tag; + } + // actual decrypt/encrypt of message. + function processSiv(encKey, tag, input) { + let block = tag.slice(); + block[15] |= 0x80; // Force highest bit + return ctr32(encKey, true, block, input); + } + return { + encrypt: (plaintext) => { + abytes(plaintext); + PLAIN_LIMIT(plaintext.length); + const { encKey, authKey } = deriveKeys(); + const tag = _computeTag(encKey, authKey, plaintext); + const out = new Uint8Array(plaintext.length + tagLength); + out.set(tag, plaintext.length); + out.set(processSiv(encKey, tag, plaintext)); + encKey.fill(0); + authKey.fill(0); + return out; + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + CIPHER_LIMIT(ciphertext.length); + const tag = ciphertext.subarray(-tagLength); + const { encKey, authKey } = deriveKeys(); + const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); + const expectedTag = _computeTag(encKey, authKey, plaintext); + encKey.fill(0); + authKey.fill(0); + if (!equalBytes(tag, expectedTag)) + throw new Error('invalid polyval tag'); + return plaintext; + }, + }; +}); +function isBytes32(a) { + return (a != null && + typeof a === 'object' && + (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); +} +function encryptBlock(xk, block) { + abytes(block, 16); + if (!isBytes32(xk)) + throw new Error('_encryptBlock accepts result of expandKeyLE'); + const b32 = u32(block); + let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +function decryptBlock(xk, block) { + abytes(block, 16); + if (!isBytes32(xk)) + throw new Error('_decryptBlock accepts result of expandKeyLE'); + const b32 = u32(block); + let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); + (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); + return block; +} +// Highly unsafe private functions for implementing new modes or ciphers based on AES +// Can change at any time, no API guarantees +export const unsafe = { + expandKeyLE, + expandKeyDecLE, + encrypt, + decrypt, + encryptBlock, + decryptBlock, + ctrCounter, + ctr32, +}; +//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/esm/chacha.js b/esm/chacha.js new file mode 100644 index 0000000..e23fcce --- /dev/null +++ b/esm/chacha.js @@ -0,0 +1,318 @@ +// prettier-ignore +import { wrapCipher, createView, equalBytes, setBigUint64, } from './utils.js'; +import { poly1305 } from './_poly1305.js'; +import { createCipher, rotl } from './_arx.js'; +import { bytes as abytes } from './_assert.js'; +// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase +// the diffusion per round, but had slightly less cryptanalysis. +// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf +/** + * ChaCha core function. + */ +// prettier-ignore +function chachaCore(s, k, n, out, cnt, rounds = 20) { + let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" + y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key + y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key + y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 7); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hchacha helper method, used primarily in xchacha, to hash + * key and nonce into key' and nonce'. + * Same as chachaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +export function hchacha(s, k, i, o32) { + let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; + for (let r = 0; r < 20; r += 2) { + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 16); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 12); + x00 = (x00 + x04) | 0; + x12 = rotl(x12 ^ x00, 8); + x08 = (x08 + x12) | 0; + x04 = rotl(x04 ^ x08, 7); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 16); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 12); + x01 = (x01 + x05) | 0; + x13 = rotl(x13 ^ x01, 8); + x09 = (x09 + x13) | 0; + x05 = rotl(x05 ^ x09, 7); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 16); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 12); + x02 = (x02 + x06) | 0; + x14 = rotl(x14 ^ x02, 8); + x10 = (x10 + x14) | 0; + x06 = rotl(x06 ^ x10, 7); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 16); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 12); + x03 = (x03 + x07) | 0; + x15 = rotl(x15 ^ x03, 8); + x11 = (x11 + x15) | 0; + x07 = rotl(x07 ^ x11, 7); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 16); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 12); + x00 = (x00 + x05) | 0; + x15 = rotl(x15 ^ x00, 8); + x10 = (x10 + x15) | 0; + x05 = rotl(x05 ^ x10, 7); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 16); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 12); + x01 = (x01 + x06) | 0; + x12 = rotl(x12 ^ x01, 8); + x11 = (x11 + x12) | 0; + x06 = rotl(x06 ^ x11, 7); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 16); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 12); + x02 = (x02 + x07) | 0; + x13 = rotl(x13 ^ x02, 8); + x08 = (x08 + x13) | 0; + x07 = rotl(x07 ^ x08, 7); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 16); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 12); + x03 = (x03 + x04) | 0; + x14 = rotl(x14 ^ x03, 8); + x09 = (x09 + x14) | 0; + x04 = rotl(x04 ^ x09, 7); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x01; + o32[oi++] = x02; + o32[oi++] = x03; + o32[oi++] = x12; + o32[oi++] = x13; + o32[oi++] = x14; + o32[oi++] = x15; +} +/** + * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. + */ +export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + allowShortKeys: true, +}); +/** + * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + allowShortKeys: false, +}); +/** + * XChaCha eXtended-nonce ChaCha. 24-byte nonce. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + */ +export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 8, + extendNonceFn: hchacha, + allowShortKeys: false, +}); +/** + * Reduced 8-round chacha, described in original paper. + */ +export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 8, +}); +/** + * Reduced 12-round chacha, described in original paper. + */ +export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { + counterRight: false, + counterLength: 4, + rounds: 12, +}); +const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); +// Pad to digest size with zeros +const updatePadded = (h, msg) => { + h.update(msg); + const left = msg.length % 16; + if (left) + h.update(ZEROS16.subarray(left)); +}; +const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); +function computeTag(fn, key, nonce, data, AAD) { + const authKey = fn(key, nonce, ZEROS32); + const h = poly1305.create(authKey); + if (AAD) + updatePadded(h, AAD); + updatePadded(h, data); + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(data.length), true); + h.update(num); + const res = h.digest(); + authKey.fill(0); + return res; +} +/** + * AEAD algorithm from RFC 8439. + * Salsa20 and chacha (RFC 8439) use poly1305 differently. + * We could have composed them similar to: + * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 + * But it's hard because of authKey: + * In salsa20, authKey changes position in salsa stream. + * In chacha, authKey can't be computed inside computeTag, it modifies the counter. + */ +export const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { + const tagLength = 16; + abytes(key, 32); + abytes(nonce); + return { + encrypt: (plaintext, output) => { + const plength = plaintext.length; + const clength = plength + tagLength; + if (output) { + abytes(output, clength); + } + else { + output = new Uint8Array(clength); + } + xorStream(key, nonce, plaintext, output, 1); + const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); + output.set(tag, plength); // append tag + return output; + }, + decrypt: (ciphertext, output) => { + const clength = ciphertext.length; + const plength = clength - tagLength; + if (clength < tagLength) + throw new Error(`encrypted data must be at least ${tagLength} bytes`); + if (output) { + abytes(output, plength); + } + else { + output = new Uint8Array(plength); + } + const data = ciphertext.subarray(0, -tagLength); + const passedTag = ciphertext.subarray(-tagLength); + const tag = computeTag(xorStream, key, nonce, data, AAD); + if (!equalBytes(passedTag, tag)) + throw new Error('invalid tag'); + xorStream(key, nonce, data, output, 1); + return output; + }, + }; +}; +/** + * ChaCha20-Poly1305 from RFC 8439. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); +/** + * XChaCha20-Poly1305 extended-nonce chacha. + * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); +//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/esm/crypto.js b/esm/crypto.js new file mode 100644 index 0000000..63bf63e --- /dev/null +++ b/esm/crypto.js @@ -0,0 +1,12 @@ +const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; +export function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +export function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/esm/cryptoNode.js b/esm/cryptoNode.js new file mode 100644 index 0000000..956ce1b --- /dev/null +++ b/esm/cryptoNode.js @@ -0,0 +1,17 @@ +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// See utils.ts for details. +// The file will throw on node.js 14 and earlier. +// @ts-ignore +import * as nc from 'node:crypto'; +const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; +export function randomBytes(bytesLength = 32) { + if (cr && typeof cr.getRandomValues === 'function') + return cr.getRandomValues(new Uint8Array(bytesLength)); + throw new Error('crypto.getRandomValues must be defined'); +} +export function getWebcryptoSubtle() { + if (cr && typeof cr.subtle === 'object' && cr.subtle != null) + return cr.subtle; + throw new Error('crypto.subtle must be defined'); +} +//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/ff1.js b/esm/ff1.js new file mode 100644 index 0000000..33907e1 --- /dev/null +++ b/esm/ff1.js @@ -0,0 +1,149 @@ +import { bytesToNumberBE, numberToBytesBE } from './utils.js'; +import { unsafe } from './aes.js'; +// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow +const { expandKeyLE, encryptBlock } = unsafe; +// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. +// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf +const BLOCK_LEN = 16; +function mod(a, b) { + const result = a % b; + return result >= 0 ? result : b + result; +} +function NUMradix(radix, data) { + let res = BigInt(0); + for (let i of data) + res = res * BigInt(radix) + BigInt(i); + return res; +} +function getRound(radix, key, tweak, x) { + if (radix > 2 ** 16 - 1) + throw new Error(`Invalid radix: ${radix}`); + // radix**minlen ≥ 100 + const minLen = Math.ceil(Math.log(100) / Math.log(radix)); + const maxLen = 2 ** 32 - 1; + // 2 ≤ minlen ≤ maxlen < 2**32 + if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) + throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); + if (x.length < minLen || x.length > maxLen) + throw new Error('X is outside minLen..maxLen bounds'); + const u = Math.floor(x.length / 2); + const v = x.length - u; + const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); + const d = 4 * Math.ceil(b / 4) + 4; + const padding = mod(-tweak.length - b - 1, 16); + // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. + const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); + const view = new DataView(P.buffer); + view.setUint16(4, radix, false); + view.setUint32(8, x.length, false); + view.setUint32(12, tweak.length, false); + // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. + const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); + PQ.set(P); + P.fill(0); + PQ.set(tweak, P.length); + const xk = expandKeyLE(key); + const round = (A, B, i, decrypt = false) => { + // Q = ... || [i]1 || [NUMradix(B)]b. + PQ[PQ.length - b - 1] = i; + if (b) + PQ.set(numberToBytesBE(NUMradix(radix, B), b), PQ.length - b); + // PRF + let r = new Uint8Array(16); + for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { + for (let i = 0; i < BLOCK_LEN; i++) + r[i] ^= PQ[j * BLOCK_LEN + i]; + encryptBlock(xk, r); + } + // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: + // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). + let s = Array.from(r); + for (let j = 1; s.length < d; j++) { + const block = numberToBytesBE(BigInt(j), 16); + for (let k = 0; k < BLOCK_LEN; k++) + block[k] ^= r[k]; + s.push(...Array.from(encryptBlock(xk, block))); + } + let y = bytesToNumberBE(Uint8Array.from(s.slice(0, d))); + s.fill(0); + if (decrypt) + y = -y; + const m = i % 2 === 0 ? u : v; + let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); + // STR(radix, m, c) + const C = Array(m).fill(0); + for (let i = 0; i < m; i++, c /= BigInt(radix)) + C[m - 1 - i] = Number(c % BigInt(radix)); + A.fill(0); + A = B; + B = C; + return [A, B]; + }; + const destroy = () => { + xk.fill(0); + PQ.fill(0); + }; + return { u, round, destroy }; +} +const EMPTY_BUF = new Uint8Array([]); +export function FF1(radix, key, tweak = EMPTY_BUF) { + const PQ = getRound.bind(null, radix, key, tweak); + return { + encrypt(x) { + const { u, round, destroy } = PQ(x); + let [A, B] = [x.slice(0, u), x.slice(u)]; + for (let i = 0; i < 10; i++) + [A, B] = round(A, B, i); + destroy(); + const res = A.concat(B); + A.fill(0); + B.fill(0); + return res; + }, + decrypt(x) { + const { u, round, destroy } = PQ(x); + // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; + // the differences are in Step 6, where: + // 1) the order of the indices is reversed, + // 2) the roles of A and B are swapped + // 3) modular addition is replaced by modular subtraction, in Step 6vi. + let [B, A] = [x.slice(0, u), x.slice(u)]; + for (let i = 9; i >= 0; i--) + [A, B] = round(A, B, i, true); + destroy(); + const res = B.concat(A); + A.fill(0); + B.fill(0); + return res; + }, + }; +} +// Binary string which encodes each byte in little-endian byte order +const binLE = { + encode(bytes) { + const x = []; + for (let i = 0; i < bytes.length; i++) { + for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) + x.push(tmp & 1); + } + return x; + }, + decode(b) { + if (b.length % 8) + throw new Error('Invalid binary string'); + const res = new Uint8Array(b.length / 8); + for (let i = 0, j = 0; i < res.length; i++) { + res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); + res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); + } + return res; + }, +}; +export function BinaryFF1(key, tweak = EMPTY_BUF) { + const ff1 = FF1(2, key, tweak); + return { + encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), + decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), + }; +} +//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/esm/index.js b/esm/index.js new file mode 100644 index 0000000..5a9cbf1 --- /dev/null +++ b/esm/index.js @@ -0,0 +1,3 @@ +"use strict"; +throw new Error('noble-ciphers have no entry-point: consult README for usage'); +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/salsa.js b/esm/salsa.js new file mode 100644 index 0000000..a956d46 --- /dev/null +++ b/esm/salsa.js @@ -0,0 +1,205 @@ +import { bytes as abytes } from './_assert.js'; +import { createCipher, rotl } from './_arx.js'; +import { poly1305 } from './_poly1305.js'; +import { wrapCipher, equalBytes } from './utils.js'; +// Salsa20 stream cipher was released in 2005. +// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, +// which are hard to implement in a constant-time manner. +// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf +/** + * Salsa20 core function. + */ +// prettier-ignore +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // Based on https://cr.yp.to/salsa20.html + let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key + y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce + y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key + y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x04 ^= rotl(x00 + x12 | 0, 7); + x08 ^= rotl(x04 + x00 | 0, 9); + x12 ^= rotl(x08 + x04 | 0, 13); + x00 ^= rotl(x12 + x08 | 0, 18); + x09 ^= rotl(x05 + x01 | 0, 7); + x13 ^= rotl(x09 + x05 | 0, 9); + x01 ^= rotl(x13 + x09 | 0, 13); + x05 ^= rotl(x01 + x13 | 0, 18); + x14 ^= rotl(x10 + x06 | 0, 7); + x02 ^= rotl(x14 + x10 | 0, 9); + x06 ^= rotl(x02 + x14 | 0, 13); + x10 ^= rotl(x06 + x02 | 0, 18); + x03 ^= rotl(x15 + x11 | 0, 7); + x07 ^= rotl(x03 + x15 | 0, 9); + x11 ^= rotl(x07 + x03 | 0, 13); + x15 ^= rotl(x11 + x07 | 0, 18); + x01 ^= rotl(x00 + x03 | 0, 7); + x02 ^= rotl(x01 + x00 | 0, 9); + x03 ^= rotl(x02 + x01 | 0, 13); + x00 ^= rotl(x03 + x02 | 0, 18); + x06 ^= rotl(x05 + x04 | 0, 7); + x07 ^= rotl(x06 + x05 | 0, 9); + x04 ^= rotl(x07 + x06 | 0, 13); + x05 ^= rotl(x04 + x07 | 0, 18); + x11 ^= rotl(x10 + x09 | 0, 7); + x08 ^= rotl(x11 + x10 | 0, 9); + x09 ^= rotl(x08 + x11 | 0, 13); + x10 ^= rotl(x09 + x08 | 0, 18); + x12 ^= rotl(x15 + x14 | 0, 7); + x13 ^= rotl(x12 + x15 | 0, 9); + x14 ^= rotl(x13 + x12 | 0, 13); + x15 ^= rotl(x14 + x13 | 0, 18); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hsalsa hashing function, used primarily in xsalsa, to hash + * key and nonce into key' and nonce'. + * Same as salsaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +export function hsalsa(s, k, i, o32) { + let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; + for (let r = 0; r < 20; r += 2) { + x04 ^= rotl(x00 + x12 | 0, 7); + x08 ^= rotl(x04 + x00 | 0, 9); + x12 ^= rotl(x08 + x04 | 0, 13); + x00 ^= rotl(x12 + x08 | 0, 18); + x09 ^= rotl(x05 + x01 | 0, 7); + x13 ^= rotl(x09 + x05 | 0, 9); + x01 ^= rotl(x13 + x09 | 0, 13); + x05 ^= rotl(x01 + x13 | 0, 18); + x14 ^= rotl(x10 + x06 | 0, 7); + x02 ^= rotl(x14 + x10 | 0, 9); + x06 ^= rotl(x02 + x14 | 0, 13); + x10 ^= rotl(x06 + x02 | 0, 18); + x03 ^= rotl(x15 + x11 | 0, 7); + x07 ^= rotl(x03 + x15 | 0, 9); + x11 ^= rotl(x07 + x03 | 0, 13); + x15 ^= rotl(x11 + x07 | 0, 18); + x01 ^= rotl(x00 + x03 | 0, 7); + x02 ^= rotl(x01 + x00 | 0, 9); + x03 ^= rotl(x02 + x01 | 0, 13); + x00 ^= rotl(x03 + x02 | 0, 18); + x06 ^= rotl(x05 + x04 | 0, 7); + x07 ^= rotl(x06 + x05 | 0, 9); + x04 ^= rotl(x07 + x06 | 0, 13); + x05 ^= rotl(x04 + x07 | 0, 18); + x11 ^= rotl(x10 + x09 | 0, 7); + x08 ^= rotl(x11 + x10 | 0, 9); + x09 ^= rotl(x08 + x11 | 0, 13); + x10 ^= rotl(x09 + x08 | 0, 18); + x12 ^= rotl(x15 + x14 | 0, 7); + x13 ^= rotl(x12 + x15 | 0, 9); + x14 ^= rotl(x13 + x12 | 0, 13); + x15 ^= rotl(x14 + x13 | 0, 18); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x05; + o32[oi++] = x10; + o32[oi++] = x15; + o32[oi++] = x06; + o32[oi++] = x07; + o32[oi++] = x08; + o32[oi++] = x09; +} +/** + * Salsa20 from original paper. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * xsalsa20-poly1305 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * Also known as secretbox from libsodium / nacl. + */ +export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { + const tagLength = 16; + abytes(key, 32); + abytes(nonce, 24); + return { + encrypt: (plaintext, output) => { + abytes(plaintext); + // This is small optimization (calculate auth key with same call as encryption itself) makes it hard + // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) + const clength = plaintext.length + 32; + if (output) { + abytes(output, clength); + } + else { + output = new Uint8Array(clength); + } + output.set(plaintext, 32); + xsalsa20(key, nonce, output, output); + const authKey = output.subarray(0, 32); + const tag = poly1305(output.subarray(32), authKey); + // Clean auth key, even though JS provides no guarantees about memory cleaning + output.set(tag, tagLength); + output.subarray(0, tagLength).fill(0); + return output.subarray(tagLength); + }, + decrypt: (ciphertext) => { + abytes(ciphertext); + const clength = ciphertext.length; + if (clength < tagLength) + throw new Error('encrypted data should be at least 16 bytes'); + // Create new ciphertext array: + // auth tag auth tag from ciphertext ciphertext + // [bytes 0..16] [bytes 16..32] [bytes 32..] + // 16 instead of 32, because we already have 16 byte tag + const ciphertext_ = new Uint8Array(clength + tagLength); // alloc + ciphertext_.set(ciphertext, tagLength); + // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference + // Separate call to calculate authkey, since first bytes contains tag + const authKey = xsalsa20(key, nonce, new Uint8Array(32)); // alloc(32) + const tag = poly1305(ciphertext_.subarray(32), authKey); + if (!equalBytes(ciphertext_.subarray(16, 32), tag)) + throw new Error('invalid tag'); + const plaintext = xsalsa20(key, nonce, ciphertext_); // alloc + // Clean auth key, even though JS provides no guarantees about memory cleaning + plaintext.subarray(0, 32).fill(0); + authKey.fill(0); + return plaintext.subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl + */ +export function secretbox(key, nonce) { + const xs = xsalsa20poly1305(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/esm/utils.js b/esm/utils.js new file mode 100644 index 0000000..90ceb2e --- /dev/null +++ b/esm/utils.js @@ -0,0 +1,182 @@ +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +import { bytes as abytes, isBytes } from './_assert.js'; +// Cast array to different type +export const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); +export const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); +export const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); +// Cast array to view +export const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); +// big-endian hardware is rare. Just in case someone still decides to run ciphers: +// early-throw an error because we don't support BE yet. +export const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; +if (!isLE) + throw new Error('Non little-endian hardware is not supported'); +// Array where index 0xf0 (240) is mapped to string 'f0' +const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); +/** + * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' + */ +export function bytesToHex(bytes) { + abytes(bytes); + // pre-caching improves the speed 6x + let hex = ''; + for (let i = 0; i < bytes.length; i++) { + hex += hexes[bytes[i]]; + } + return hex; +} +// We use optimized technique to convert hex string to byte array +const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; +function asciiToBase16(char) { + if (char >= asciis._0 && char <= asciis._9) + return char - asciis._0; + if (char >= asciis._A && char <= asciis._F) + return char - (asciis._A - 10); + if (char >= asciis._a && char <= asciis._f) + return char - (asciis._a - 10); + return; +} +/** + * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) + */ +export function hexToBytes(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + const hl = hex.length; + const al = hl / 2; + if (hl % 2) + throw new Error('padded hex string expected, got unpadded hex of length ' + hl); + const array = new Uint8Array(al); + for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { + const n1 = asciiToBase16(hex.charCodeAt(hi)); + const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); + if (n1 === undefined || n2 === undefined) { + const char = hex[hi] + hex[hi + 1]; + throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); + } + array[ai] = n1 * 16 + n2; + } + return array; +} +export function hexToNumber(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + // Big Endian + return BigInt(hex === '' ? '0' : `0x${hex}`); +} +// BE: Big Endian, LE: Little Endian +export function bytesToNumberBE(bytes) { + return hexToNumber(bytesToHex(bytes)); +} +export function numberToBytesBE(n, len) { + return hexToBytes(n.toString(16).padStart(len * 2, '0')); +} +// There is no setImmediate in browser and setTimeout is slow. +// call of async fn will return Promise, which will be fullfiled only on +// next scheduler queue processing step and this is exactly what we need. +export const nextTick = async () => { }; +// Returns control to thread each 'tick' ms to avoid blocking +export async function asyncLoop(iters, tick, cb) { + let ts = Date.now(); + for (let i = 0; i < iters; i++) { + cb(i); + // Date.now() is not monotonic, so in case if clock goes backwards we return return control too + const diff = Date.now() - ts; + if (diff >= 0 && diff < tick) + continue; + await nextTick(); + ts += diff; + } +} +/** + * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) + */ +export function utf8ToBytes(str) { + if (typeof str !== 'string') + throw new Error(`string expected, got ${typeof str}`); + return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 +} +/** + * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' + */ +export function bytesToUtf8(bytes) { + return new TextDecoder().decode(bytes); +} +/** + * Normalizes (non-hex) string or Uint8Array to Uint8Array. + * Warning: when Uint8Array is passed, it would NOT get copied. + * Keep in mind for future mutable operations. + */ +export function toBytes(data) { + if (typeof data === 'string') + data = utf8ToBytes(data); + else if (isBytes(data)) + data = data.slice(); + else + throw new Error(`Uint8Array expected, got ${typeof data}`); + return data; +} +/** + * Copies several Uint8Arrays into one. + */ +export function concatBytes(...arrays) { + let sum = 0; + for (let i = 0; i < arrays.length; i++) { + const a = arrays[i]; + abytes(a); + sum += a.length; + } + const res = new Uint8Array(sum); + for (let i = 0, pad = 0; i < arrays.length; i++) { + const a = arrays[i]; + res.set(a, pad); + pad += a.length; + } + return res; +} +export function checkOpts(defaults, opts) { + if (opts == null || typeof opts !== 'object') + throw new Error('options must be defined'); + const merged = Object.assign(defaults, opts); + return merged; +} +// Compares 2 u8a-s in kinda constant time +export function equalBytes(a, b) { + if (a.length !== b.length) + return false; + let diff = 0; + for (let i = 0; i < a.length; i++) + diff |= a[i] ^ b[i]; + return diff === 0; +} +// For runtime check if class implements interface +export class Hash { +} +/** + * @__NO_SIDE_EFFECTS__ + */ +export const wrapCipher = (params, c) => { + Object.assign(c, params); + return c; +}; +// Polyfill for Safari 14 +export function setBigUint64(view, byteOffset, value, isLE) { + if (typeof view.setBigUint64 === 'function') + return view.setBigUint64(byteOffset, value, isLE); + const _32n = BigInt(32); + const _u32_max = BigInt(0xffffffff); + const wh = Number((value >> _32n) & _u32_max); + const wl = Number(value & _u32_max); + const h = isLE ? 4 : 0; + const l = isLE ? 0 : 4; + view.setUint32(byteOffset + h, wh, isLE); + view.setUint32(byteOffset + l, wl, isLE); +} +export function u64Lengths(ciphertext, AAD) { + const num = new Uint8Array(16); + const view = createView(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + return num; +} +//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js new file mode 100644 index 0000000..b067413 --- /dev/null +++ b/esm/webcrypto.js @@ -0,0 +1,96 @@ +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// node.js versions earlier than v19 don't declare it in global scope. +// For node.js, package.js on#exports field mapping rewrites import +// from `crypto` to `cryptoNode`, which imports native module. +// Makes the utils un-importable in browsers without a bundler. +// Once node.js 18 is deprecated, we can just drop the import. +import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; +import { concatBytes } from './utils.js'; +import { number } from './_assert.js'; +import { bytes as abytes } from './_assert.js'; +/** + * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS. + */ +export { randomBytes, getWebcryptoSubtle }; +// Uses CSPRG for nonce, nonce injected in ciphertext +export function managedNonce(fn) { + number(fn.nonceLength); + return ((key, ...args) => ({ + encrypt: (plaintext, ...argsEnc) => { + const { nonceLength } = fn; + const nonce = randomBytes(nonceLength); + const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); + const out = concatBytes(nonce, ciphertext); + ciphertext.fill(0); + return out; + }, + decrypt: (ciphertext, ...argsDec) => { + const { nonceLength } = fn; + const nonce = ciphertext.subarray(0, nonceLength); + const data = ciphertext.subarray(nonceLength); + return fn(key, nonce, ...args).decrypt(data, ...argsDec); + }, + })); +} +// Overridable +export const utils = { + async encrypt(key, keyParams, cryptParams, plaintext) { + const cr = getWebcryptoSubtle(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); + const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); + return new Uint8Array(ciphertext); + }, + async decrypt(key, keyParams, cryptParams, ciphertext) { + const cr = getWebcryptoSubtle(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); + const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); + return new Uint8Array(plaintext); + }, +}; +function getCryptParams(algo, nonce, AAD) { + if (algo === "AES-CBC" /* BlockMode.CBC */) + return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; + if (algo === "AES-CTR" /* BlockMode.CTR */) + return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; + if (algo === "AES-GCM" /* BlockMode.GCM */) + return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; + throw new Error('unknown aes block mode'); +} +function generate(algo) { + return (key, nonce, AAD) => { + abytes(key); + abytes(nonce); + // const keyLength = key.length; + const keyParams = { name: algo, length: key.length * 8 }; + const cryptParams = getCryptParams(algo, nonce, AAD); + return { + // keyLength, + encrypt(plaintext) { + abytes(plaintext); + return utils.encrypt(key, keyParams, cryptParams, plaintext); + }, + decrypt(ciphertext) { + abytes(ciphertext); + return utils.decrypt(key, keyParams, cryptParams, ciphertext); + }, + }; + }; +} +export const cbc = generate("AES-CBC" /* BlockMode.CBC */); +export const ctr = generate("AES-CTR" /* BlockMode.CTR */); +export const gcm = generate("AES-GCM" /* BlockMode.GCM */); +// // Type tests +// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; +// import { xsalsa20poly1305 } from '../salsa.js'; +// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; +// const wsiv = managedNonce(siv); +// const wgcm = managedNonce(gcm); +// const wctr = managedNonce(ctr); +// const wcbc = managedNonce(cbc); +// const wsalsapoly = managedNonce(xsalsa20poly1305); +// const wchacha = managedNonce(chacha20poly1305); +// const wxchacha = managedNonce(xchacha20poly1305); +// // should fail +// const wcbc2 = managedNonce(managedNonce(cbc)); +// const wecb = managedNonce(ecb); +//# sourceMappingURL=webcrypto.js.map \ No newline at end of file diff --git a/ff1.js b/ff1.js new file mode 100644 index 0000000..38018e7 --- /dev/null +++ b/ff1.js @@ -0,0 +1,154 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.BinaryFF1 = exports.FF1 = void 0; +const utils_js_1 = require("./utils.js"); +const aes_js_1 = require("./aes.js"); +// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow +const { expandKeyLE, encryptBlock } = aes_js_1.unsafe; +// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. +// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf +const BLOCK_LEN = 16; +function mod(a, b) { + const result = a % b; + return result >= 0 ? result : b + result; +} +function NUMradix(radix, data) { + let res = BigInt(0); + for (let i of data) + res = res * BigInt(radix) + BigInt(i); + return res; +} +function getRound(radix, key, tweak, x) { + if (radix > 2 ** 16 - 1) + throw new Error(`Invalid radix: ${radix}`); + // radix**minlen ≥ 100 + const minLen = Math.ceil(Math.log(100) / Math.log(radix)); + const maxLen = 2 ** 32 - 1; + // 2 ≤ minlen ≤ maxlen < 2**32 + if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) + throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); + if (x.length < minLen || x.length > maxLen) + throw new Error('X is outside minLen..maxLen bounds'); + const u = Math.floor(x.length / 2); + const v = x.length - u; + const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); + const d = 4 * Math.ceil(b / 4) + 4; + const padding = mod(-tweak.length - b - 1, 16); + // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. + const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); + const view = new DataView(P.buffer); + view.setUint16(4, radix, false); + view.setUint32(8, x.length, false); + view.setUint32(12, tweak.length, false); + // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. + const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); + PQ.set(P); + P.fill(0); + PQ.set(tweak, P.length); + const xk = expandKeyLE(key); + const round = (A, B, i, decrypt = false) => { + // Q = ... || [i]1 || [NUMradix(B)]b. + PQ[PQ.length - b - 1] = i; + if (b) + PQ.set((0, utils_js_1.numberToBytesBE)(NUMradix(radix, B), b), PQ.length - b); + // PRF + let r = new Uint8Array(16); + for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { + for (let i = 0; i < BLOCK_LEN; i++) + r[i] ^= PQ[j * BLOCK_LEN + i]; + encryptBlock(xk, r); + } + // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: + // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). + let s = Array.from(r); + for (let j = 1; s.length < d; j++) { + const block = (0, utils_js_1.numberToBytesBE)(BigInt(j), 16); + for (let k = 0; k < BLOCK_LEN; k++) + block[k] ^= r[k]; + s.push(...Array.from(encryptBlock(xk, block))); + } + let y = (0, utils_js_1.bytesToNumberBE)(Uint8Array.from(s.slice(0, d))); + s.fill(0); + if (decrypt) + y = -y; + const m = i % 2 === 0 ? u : v; + let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); + // STR(radix, m, c) + const C = Array(m).fill(0); + for (let i = 0; i < m; i++, c /= BigInt(radix)) + C[m - 1 - i] = Number(c % BigInt(radix)); + A.fill(0); + A = B; + B = C; + return [A, B]; + }; + const destroy = () => { + xk.fill(0); + PQ.fill(0); + }; + return { u, round, destroy }; +} +const EMPTY_BUF = new Uint8Array([]); +function FF1(radix, key, tweak = EMPTY_BUF) { + const PQ = getRound.bind(null, radix, key, tweak); + return { + encrypt(x) { + const { u, round, destroy } = PQ(x); + let [A, B] = [x.slice(0, u), x.slice(u)]; + for (let i = 0; i < 10; i++) + [A, B] = round(A, B, i); + destroy(); + const res = A.concat(B); + A.fill(0); + B.fill(0); + return res; + }, + decrypt(x) { + const { u, round, destroy } = PQ(x); + // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; + // the differences are in Step 6, where: + // 1) the order of the indices is reversed, + // 2) the roles of A and B are swapped + // 3) modular addition is replaced by modular subtraction, in Step 6vi. + let [B, A] = [x.slice(0, u), x.slice(u)]; + for (let i = 9; i >= 0; i--) + [A, B] = round(A, B, i, true); + destroy(); + const res = B.concat(A); + A.fill(0); + B.fill(0); + return res; + }, + }; +} +exports.FF1 = FF1; +// Binary string which encodes each byte in little-endian byte order +const binLE = { + encode(bytes) { + const x = []; + for (let i = 0; i < bytes.length; i++) { + for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) + x.push(tmp & 1); + } + return x; + }, + decode(b) { + if (b.length % 8) + throw new Error('Invalid binary string'); + const res = new Uint8Array(b.length / 8); + for (let i = 0, j = 0; i < res.length; i++) { + res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); + res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); + } + return res; + }, +}; +function BinaryFF1(key, tweak = EMPTY_BUF) { + const ff1 = FF1(2, key, tweak); + return { + encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), + decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), + }; +} +exports.BinaryFF1 = BinaryFF1; +//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/index.js b/index.js new file mode 100644 index 0000000..5a9cbf1 --- /dev/null +++ b/index.js @@ -0,0 +1,3 @@ +"use strict"; +throw new Error('noble-ciphers have no entry-point: consult README for usage'); +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/salsa.js b/salsa.js new file mode 100644 index 0000000..7e151ce --- /dev/null +++ b/salsa.js @@ -0,0 +1,210 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.secretbox = exports.xsalsa20poly1305 = exports.xsalsa20 = exports.salsa20 = exports.hsalsa = void 0; +const _assert_js_1 = require("./_assert.js"); +const _arx_js_1 = require("./_arx.js"); +const _poly1305_js_1 = require("./_poly1305.js"); +const utils_js_1 = require("./utils.js"); +// Salsa20 stream cipher was released in 2005. +// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, +// which are hard to implement in a constant-time manner. +// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf +/** + * Salsa20 core function. + */ +// prettier-ignore +function salsaCore(s, k, n, out, cnt, rounds = 20) { + // Based on https://cr.yp.to/salsa20.html + let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key + y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce + y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key + y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" + // Save state to temporary variables + let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; + for (let r = 0; r < rounds; r += 2) { + x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); + x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); + x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); + x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); + x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); + x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); + x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); + x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); + x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); + x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); + x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); + x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); + x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); + x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); + x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); + x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); + } + // Write output + let oi = 0; + out[oi++] = (y00 + x00) | 0; + out[oi++] = (y01 + x01) | 0; + out[oi++] = (y02 + x02) | 0; + out[oi++] = (y03 + x03) | 0; + out[oi++] = (y04 + x04) | 0; + out[oi++] = (y05 + x05) | 0; + out[oi++] = (y06 + x06) | 0; + out[oi++] = (y07 + x07) | 0; + out[oi++] = (y08 + x08) | 0; + out[oi++] = (y09 + x09) | 0; + out[oi++] = (y10 + x10) | 0; + out[oi++] = (y11 + x11) | 0; + out[oi++] = (y12 + x12) | 0; + out[oi++] = (y13 + x13) | 0; + out[oi++] = (y14 + x14) | 0; + out[oi++] = (y15 + x15) | 0; +} +/** + * hsalsa hashing function, used primarily in xsalsa, to hash + * key and nonce into key' and nonce'. + * Same as salsaCore, but there doesn't seem to be a way to move the block + * out without 25% performance hit. + */ +// prettier-ignore +function hsalsa(s, k, i, o32) { + let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; + for (let r = 0; r < 20; r += 2) { + x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); + x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); + x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); + x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); + x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); + x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); + x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); + x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); + x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); + x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); + x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); + x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); + x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); + x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); + x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); + x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); + x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); + x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); + x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); + x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); + x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); + x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); + x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); + x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); + } + let oi = 0; + o32[oi++] = x00; + o32[oi++] = x05; + o32[oi++] = x10; + o32[oi++] = x15; + o32[oi++] = x06; + o32[oi++] = x07; + o32[oi++] = x08; + o32[oi++] = x09; +} +exports.hsalsa = hsalsa; +/** + * Salsa20 from original paper. + * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. + */ +exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + allowShortKeys: true, + counterRight: true, +}); +/** + * xsalsa20 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + */ +exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { + counterRight: true, + extendNonceFn: hsalsa, +}); +/** + * xsalsa20-poly1305 eXtended-nonce salsa. + * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). + * Also known as secretbox from libsodium / nacl. + */ +exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { + const tagLength = 16; + (0, _assert_js_1.bytes)(key, 32); + (0, _assert_js_1.bytes)(nonce, 24); + return { + encrypt: (plaintext, output) => { + (0, _assert_js_1.bytes)(plaintext); + // This is small optimization (calculate auth key with same call as encryption itself) makes it hard + // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) + const clength = plaintext.length + 32; + if (output) { + (0, _assert_js_1.bytes)(output, clength); + } + else { + output = new Uint8Array(clength); + } + output.set(plaintext, 32); + (0, exports.xsalsa20)(key, nonce, output, output); + const authKey = output.subarray(0, 32); + const tag = (0, _poly1305_js_1.poly1305)(output.subarray(32), authKey); + // Clean auth key, even though JS provides no guarantees about memory cleaning + output.set(tag, tagLength); + output.subarray(0, tagLength).fill(0); + return output.subarray(tagLength); + }, + decrypt: (ciphertext) => { + (0, _assert_js_1.bytes)(ciphertext); + const clength = ciphertext.length; + if (clength < tagLength) + throw new Error('encrypted data should be at least 16 bytes'); + // Create new ciphertext array: + // auth tag auth tag from ciphertext ciphertext + // [bytes 0..16] [bytes 16..32] [bytes 32..] + // 16 instead of 32, because we already have 16 byte tag + const ciphertext_ = new Uint8Array(clength + tagLength); // alloc + ciphertext_.set(ciphertext, tagLength); + // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference + // Separate call to calculate authkey, since first bytes contains tag + const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); // alloc(32) + const tag = (0, _poly1305_js_1.poly1305)(ciphertext_.subarray(32), authKey); + if (!(0, utils_js_1.equalBytes)(ciphertext_.subarray(16, 32), tag)) + throw new Error('invalid tag'); + const plaintext = (0, exports.xsalsa20)(key, nonce, ciphertext_); // alloc + // Clean auth key, even though JS provides no guarantees about memory cleaning + plaintext.subarray(0, 32).fill(0); + authKey.fill(0); + return plaintext.subarray(32); + }, + }; +}); +/** + * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl + */ +function secretbox(key, nonce) { + const xs = (0, exports.xsalsa20poly1305)(key, nonce); + return { seal: xs.encrypt, open: xs.decrypt }; +} +exports.secretbox = secretbox; +//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/utils.js b/utils.js new file mode 100644 index 0000000..00cb4c2 --- /dev/null +++ b/utils.js @@ -0,0 +1,206 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.u64Lengths = exports.setBigUint64 = exports.wrapCipher = exports.Hash = exports.equalBytes = exports.checkOpts = exports.concatBytes = exports.toBytes = exports.bytesToUtf8 = exports.utf8ToBytes = exports.asyncLoop = exports.nextTick = exports.numberToBytesBE = exports.bytesToNumberBE = exports.hexToNumber = exports.hexToBytes = exports.bytesToHex = exports.isLE = exports.createView = exports.u32 = exports.u16 = exports.u8 = void 0; +/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ +const _assert_js_1 = require("./_assert.js"); +// Cast array to different type +const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); +exports.u8 = u8; +const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); +exports.u16 = u16; +const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); +exports.u32 = u32; +// Cast array to view +const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); +exports.createView = createView; +// big-endian hardware is rare. Just in case someone still decides to run ciphers: +// early-throw an error because we don't support BE yet. +exports.isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; +if (!exports.isLE) + throw new Error('Non little-endian hardware is not supported'); +// Array where index 0xf0 (240) is mapped to string 'f0' +const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); +/** + * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' + */ +function bytesToHex(bytes) { + (0, _assert_js_1.bytes)(bytes); + // pre-caching improves the speed 6x + let hex = ''; + for (let i = 0; i < bytes.length; i++) { + hex += hexes[bytes[i]]; + } + return hex; +} +exports.bytesToHex = bytesToHex; +// We use optimized technique to convert hex string to byte array +const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; +function asciiToBase16(char) { + if (char >= asciis._0 && char <= asciis._9) + return char - asciis._0; + if (char >= asciis._A && char <= asciis._F) + return char - (asciis._A - 10); + if (char >= asciis._a && char <= asciis._f) + return char - (asciis._a - 10); + return; +} +/** + * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) + */ +function hexToBytes(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + const hl = hex.length; + const al = hl / 2; + if (hl % 2) + throw new Error('padded hex string expected, got unpadded hex of length ' + hl); + const array = new Uint8Array(al); + for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { + const n1 = asciiToBase16(hex.charCodeAt(hi)); + const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); + if (n1 === undefined || n2 === undefined) { + const char = hex[hi] + hex[hi + 1]; + throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); + } + array[ai] = n1 * 16 + n2; + } + return array; +} +exports.hexToBytes = hexToBytes; +function hexToNumber(hex) { + if (typeof hex !== 'string') + throw new Error('hex string expected, got ' + typeof hex); + // Big Endian + return BigInt(hex === '' ? '0' : `0x${hex}`); +} +exports.hexToNumber = hexToNumber; +// BE: Big Endian, LE: Little Endian +function bytesToNumberBE(bytes) { + return hexToNumber(bytesToHex(bytes)); +} +exports.bytesToNumberBE = bytesToNumberBE; +function numberToBytesBE(n, len) { + return hexToBytes(n.toString(16).padStart(len * 2, '0')); +} +exports.numberToBytesBE = numberToBytesBE; +// There is no setImmediate in browser and setTimeout is slow. +// call of async fn will return Promise, which will be fullfiled only on +// next scheduler queue processing step and this is exactly what we need. +const nextTick = async () => { }; +exports.nextTick = nextTick; +// Returns control to thread each 'tick' ms to avoid blocking +async function asyncLoop(iters, tick, cb) { + let ts = Date.now(); + for (let i = 0; i < iters; i++) { + cb(i); + // Date.now() is not monotonic, so in case if clock goes backwards we return return control too + const diff = Date.now() - ts; + if (diff >= 0 && diff < tick) + continue; + await (0, exports.nextTick)(); + ts += diff; + } +} +exports.asyncLoop = asyncLoop; +/** + * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) + */ +function utf8ToBytes(str) { + if (typeof str !== 'string') + throw new Error(`string expected, got ${typeof str}`); + return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 +} +exports.utf8ToBytes = utf8ToBytes; +/** + * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' + */ +function bytesToUtf8(bytes) { + return new TextDecoder().decode(bytes); +} +exports.bytesToUtf8 = bytesToUtf8; +/** + * Normalizes (non-hex) string or Uint8Array to Uint8Array. + * Warning: when Uint8Array is passed, it would NOT get copied. + * Keep in mind for future mutable operations. + */ +function toBytes(data) { + if (typeof data === 'string') + data = utf8ToBytes(data); + else if ((0, _assert_js_1.isBytes)(data)) + data = data.slice(); + else + throw new Error(`Uint8Array expected, got ${typeof data}`); + return data; +} +exports.toBytes = toBytes; +/** + * Copies several Uint8Arrays into one. + */ +function concatBytes(...arrays) { + let sum = 0; + for (let i = 0; i < arrays.length; i++) { + const a = arrays[i]; + (0, _assert_js_1.bytes)(a); + sum += a.length; + } + const res = new Uint8Array(sum); + for (let i = 0, pad = 0; i < arrays.length; i++) { + const a = arrays[i]; + res.set(a, pad); + pad += a.length; + } + return res; +} +exports.concatBytes = concatBytes; +function checkOpts(defaults, opts) { + if (opts == null || typeof opts !== 'object') + throw new Error('options must be defined'); + const merged = Object.assign(defaults, opts); + return merged; +} +exports.checkOpts = checkOpts; +// Compares 2 u8a-s in kinda constant time +function equalBytes(a, b) { + if (a.length !== b.length) + return false; + let diff = 0; + for (let i = 0; i < a.length; i++) + diff |= a[i] ^ b[i]; + return diff === 0; +} +exports.equalBytes = equalBytes; +// For runtime check if class implements interface +class Hash { +} +exports.Hash = Hash; +/** + * @__NO_SIDE_EFFECTS__ + */ +const wrapCipher = (params, c) => { + Object.assign(c, params); + return c; +}; +exports.wrapCipher = wrapCipher; +// Polyfill for Safari 14 +function setBigUint64(view, byteOffset, value, isLE) { + if (typeof view.setBigUint64 === 'function') + return view.setBigUint64(byteOffset, value, isLE); + const _32n = BigInt(32); + const _u32_max = BigInt(0xffffffff); + const wh = Number((value >> _32n) & _u32_max); + const wl = Number(value & _u32_max); + const h = isLE ? 4 : 0; + const l = isLE ? 0 : 4; + view.setUint32(byteOffset + h, wh, isLE); + view.setUint32(byteOffset + l, wl, isLE); +} +exports.setBigUint64 = setBigUint64; +function u64Lengths(ciphertext, AAD) { + const num = new Uint8Array(16); + const view = (0, exports.createView)(num); + setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); + setBigUint64(view, 8, BigInt(ciphertext.length), true); + return num; +} +exports.u64Lengths = u64Lengths; +//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/webcrypto.js b/webcrypto.js new file mode 100644 index 0000000..c77690b --- /dev/null +++ b/webcrypto.js @@ -0,0 +1,98 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = exports.getWebcryptoSubtle = exports.randomBytes = void 0; +// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. +// node.js versions earlier than v19 don't declare it in global scope. +// For node.js, package.js on#exports field mapping rewrites import +// from `crypto` to `cryptoNode`, which imports native module. +// Makes the utils un-importable in browsers without a bundler. +// Once node.js 18 is deprecated, we can just drop the import. +const crypto_1 = require("@noble/ciphers/crypto"); +Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_1.randomBytes; } }); +Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_1.getWebcryptoSubtle; } }); +const utils_js_1 = require("./utils.js"); +const _assert_js_1 = require("./_assert.js"); +const _assert_js_2 = require("./_assert.js"); +// Uses CSPRG for nonce, nonce injected in ciphertext +function managedNonce(fn) { + (0, _assert_js_1.number)(fn.nonceLength); + return ((key, ...args) => ({ + encrypt: (plaintext, ...argsEnc) => { + const { nonceLength } = fn; + const nonce = (0, crypto_1.randomBytes)(nonceLength); + const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); + const out = (0, utils_js_1.concatBytes)(nonce, ciphertext); + ciphertext.fill(0); + return out; + }, + decrypt: (ciphertext, ...argsDec) => { + const { nonceLength } = fn; + const nonce = ciphertext.subarray(0, nonceLength); + const data = ciphertext.subarray(nonceLength); + return fn(key, nonce, ...args).decrypt(data, ...argsDec); + }, + })); +} +exports.managedNonce = managedNonce; +// Overridable +exports.utils = { + async encrypt(key, keyParams, cryptParams, plaintext) { + const cr = (0, crypto_1.getWebcryptoSubtle)(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); + const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); + return new Uint8Array(ciphertext); + }, + async decrypt(key, keyParams, cryptParams, ciphertext) { + const cr = (0, crypto_1.getWebcryptoSubtle)(); + const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); + const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); + return new Uint8Array(plaintext); + }, +}; +function getCryptParams(algo, nonce, AAD) { + if (algo === "AES-CBC" /* BlockMode.CBC */) + return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; + if (algo === "AES-CTR" /* BlockMode.CTR */) + return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; + if (algo === "AES-GCM" /* BlockMode.GCM */) + return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; + throw new Error('unknown aes block mode'); +} +function generate(algo) { + return (key, nonce, AAD) => { + (0, _assert_js_2.bytes)(key); + (0, _assert_js_2.bytes)(nonce); + // const keyLength = key.length; + const keyParams = { name: algo, length: key.length * 8 }; + const cryptParams = getCryptParams(algo, nonce, AAD); + return { + // keyLength, + encrypt(plaintext) { + (0, _assert_js_2.bytes)(plaintext); + return exports.utils.encrypt(key, keyParams, cryptParams, plaintext); + }, + decrypt(ciphertext) { + (0, _assert_js_2.bytes)(ciphertext); + return exports.utils.decrypt(key, keyParams, cryptParams, ciphertext); + }, + }; + }; +} +exports.cbc = generate("AES-CBC" /* BlockMode.CBC */); +exports.ctr = generate("AES-CTR" /* BlockMode.CTR */); +exports.gcm = generate("AES-GCM" /* BlockMode.GCM */); +// // Type tests +// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; +// import { xsalsa20poly1305 } from '../salsa.js'; +// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; +// const wsiv = managedNonce(siv); +// const wgcm = managedNonce(gcm); +// const wctr = managedNonce(ctr); +// const wcbc = managedNonce(cbc); +// const wsalsapoly = managedNonce(xsalsa20poly1305); +// const wchacha = managedNonce(chacha20poly1305); +// const wxchacha = managedNonce(xchacha20poly1305); +// // should fail +// const wcbc2 = managedNonce(managedNonce(cbc)); +// const wecb = managedNonce(ecb); +//# sourceMappingURL=webcrypto.js.map \ No newline at end of file From 1fc2c4afc0f3fbe6ddbb4ddcef79b7544d50d2a9 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sun, 11 Feb 2024 03:02:09 +0800 Subject: [PATCH 12/13] add all built js files (after tsconfig change) --- esm/index.js | 2 +- esm/webcrypto.js | 3 +++ webcrypto.js | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/esm/index.js b/esm/index.js index 5a9cbf1..9a9d7ac 100644 --- a/esm/index.js +++ b/esm/index.js @@ -1,3 +1,3 @@ -"use strict"; throw new Error('noble-ciphers have no entry-point: consult README for usage'); +export {}; //# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js index b067413..ffb89ba 100644 --- a/esm/webcrypto.js +++ b/esm/webcrypto.js @@ -4,6 +4,9 @@ // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. +// +// Use full path so that Node.js can rewrite it to `cryptoNode.js`. +// @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; import { concatBytes } from './utils.js'; import { number } from './_assert.js'; diff --git a/webcrypto.js b/webcrypto.js index c77690b..32091b3 100644 --- a/webcrypto.js +++ b/webcrypto.js @@ -7,6 +7,9 @@ exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated, we can just drop the import. +// +// Use full path so that Node.js can rewrite it to `cryptoNode.js`. +// @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. const crypto_1 = require("@noble/ciphers/crypto"); Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_1.randomBytes; } }); Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_1.getWebcryptoSubtle; } }); From e308b4f85435364061f8ccdad1cdda400a065ba4 Mon Sep 17 00:00:00 2001 From: ocavue Date: Sun, 11 Feb 2024 03:03:02 +0800 Subject: [PATCH 13/13] clean js files --- _arx.js | 171 ------------- _assert.js | 50 ---- _micro.js | 295 --------------------- _poly1305.js | 268 -------------------- _polyval.js | 221 ---------------- aes.js | 633 ---------------------------------------------- chacha.js | 323 ----------------------- crypto.js | 17 -- cryptoNode.js | 22 -- esm/_arx.js | 166 ------------ esm/_assert.js | 41 --- esm/_micro.js | 287 --------------------- esm/_poly1305.js | 264 ------------------- esm/_polyval.js | 217 ---------------- esm/aes.js | 628 --------------------------------------------- esm/chacha.js | 318 ----------------------- esm/crypto.js | 12 - esm/cryptoNode.js | 17 -- esm/ff1.js | 149 ----------- esm/index.js | 3 - esm/salsa.js | 205 --------------- esm/utils.js | 182 ------------- esm/webcrypto.js | 99 -------- ff1.js | 154 ----------- index.js | 3 - salsa.js | 210 --------------- utils.js | 206 --------------- webcrypto.js | 101 -------- 28 files changed, 5262 deletions(-) delete mode 100644 _arx.js delete mode 100644 _assert.js delete mode 100644 _micro.js delete mode 100644 _poly1305.js delete mode 100644 _polyval.js delete mode 100644 aes.js delete mode 100644 chacha.js delete mode 100644 crypto.js delete mode 100644 cryptoNode.js delete mode 100644 esm/_arx.js delete mode 100644 esm/_assert.js delete mode 100644 esm/_micro.js delete mode 100644 esm/_poly1305.js delete mode 100644 esm/_polyval.js delete mode 100644 esm/aes.js delete mode 100644 esm/chacha.js delete mode 100644 esm/crypto.js delete mode 100644 esm/cryptoNode.js delete mode 100644 esm/ff1.js delete mode 100644 esm/index.js delete mode 100644 esm/salsa.js delete mode 100644 esm/utils.js delete mode 100644 esm/webcrypto.js delete mode 100644 ff1.js delete mode 100644 index.js delete mode 100644 salsa.js delete mode 100644 utils.js delete mode 100644 webcrypto.js diff --git a/_arx.js b/_arx.js deleted file mode 100644 index 4c8e20d..0000000 --- a/_arx.js +++ /dev/null @@ -1,171 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.createCipher = exports.rotl = void 0; -// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. -const _assert_js_1 = require("./_assert.js"); -const utils_js_1 = require("./utils.js"); -/* -RFC8439 requires multi-step cipher stream, where -authKey starts with counter: 0, actual msg with counter: 1. - -For this, we need a way to re-use nonce / counter: - - const counter = new Uint8Array(4); - chacha(..., counter, ...); // counter is now 1 - chacha(..., counter, ...); // counter is now 2 - -This is complicated: - -- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB -- Original papers don't allow mutating counters -- Counter overflow is undefined [^1] -- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it -- Caveat: Cannot be re-used through all cases: -- * chacha has (counter | nonce) -- * xchacha has (nonce16 | counter | nonce16) -- Idea B: separate nonce / counter and provide separate API for counter re-use -- Caveat: there are different counter sizes depending on an algorithm. -- salsa & chacha also differ in structures of key & sigma: - salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] - chacha: s(4) | k(8) | ctr(1) | nonce(3) - chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) -- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` -- Caveat: we can't re-use counter array - -xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal -(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). - -[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ -[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 -*/ -const sigma16 = (0, utils_js_1.utf8ToBytes)('expand 16-byte k'); -const sigma32 = (0, utils_js_1.utf8ToBytes)('expand 32-byte k'); -const sigma16_32 = (0, utils_js_1.u32)(sigma16); -const sigma32_32 = (0, utils_js_1.u32)(sigma32); -function rotl(a, b) { - return (a << b) | (a >>> (32 - b)); -} -exports.rotl = rotl; -// Is byte array aligned to 4 byte offset (u32)? -function isAligned32(b) { - return b.byteOffset % 4 === 0; -} -// Salsa and Chacha block length is always 512-bit -const BLOCK_LEN = 64; -const BLOCK_LEN32 = 16; -// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] -// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] -const MAX_COUNTER = 2 ** 32 - 1; -const U32_EMPTY = new Uint32Array(); -function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { - const len = data.length; - const block = new Uint8Array(BLOCK_LEN); - const b32 = (0, utils_js_1.u32)(block); - // Make sure that buffers aligned to 4 bytes - const isAligned = isAligned32(data) && isAligned32(output); - const d32 = isAligned ? (0, utils_js_1.u32)(data) : U32_EMPTY; - const o32 = isAligned ? (0, utils_js_1.u32)(output) : U32_EMPTY; - for (let pos = 0; pos < len; counter++) { - core(sigma, key, nonce, b32, counter, rounds); - if (counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - const take = Math.min(BLOCK_LEN, len - pos); - // aligned to 4 bytes - if (isAligned && take === BLOCK_LEN) { - const pos32 = pos / 4; - if (pos % 4 !== 0) - throw new Error('arx: invalid block position'); - for (let j = 0, posj; j < BLOCK_LEN32; j++) { - posj = pos32 + j; - o32[posj] = d32[posj] ^ b32[j]; - } - pos += BLOCK_LEN; - continue; - } - for (let j = 0, posj; j < take; j++) { - posj = pos + j; - output[posj] = data[posj] ^ block[j]; - } - pos += take; - } -} -function createCipher(core, opts) { - const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0, utils_js_1.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); - if (typeof core !== 'function') - throw new Error('core must be a function'); - (0, _assert_js_1.number)(counterLength); - (0, _assert_js_1.number)(rounds); - (0, _assert_js_1.bool)(counterRight); - (0, _assert_js_1.bool)(allowShortKeys); - return (key, nonce, data, output, counter = 0) => { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce); - (0, _assert_js_1.bytes)(data); - const len = data.length; - if (!output) - output = new Uint8Array(len); - (0, _assert_js_1.bytes)(output); - (0, _assert_js_1.number)(counter); - if (counter < 0 || counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - if (output.length < len) - throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); - const toClean = []; - // Key & sigma - // key=16 -> sigma16, k=key|key - // key=32 -> sigma32, k=key - let l = key.length, k, sigma; - if (l === 32) { - k = key.slice(); - toClean.push(k); - sigma = sigma32_32; - } - else if (l === 16 && allowShortKeys) { - k = new Uint8Array(32); - k.set(key); - k.set(key, 16); - sigma = sigma16_32; - toClean.push(k); - } - else { - throw new Error(`arx: invalid 32-byte key, got length=${l}`); - } - // Nonce - // salsa20: 8 (8-byte counter) - // chacha20orig: 8 (8-byte counter) - // chacha20: 12 (4-byte counter) - // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) - // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) - // Align nonce to 4 bytes - if (!isAligned32(nonce)) { - nonce = nonce.slice(); - toClean.push(nonce); - } - const k32 = (0, utils_js_1.u32)(k); - // hsalsa & hchacha: handle extended nonce - if (extendNonceFn) { - if (nonce.length !== 24) - throw new Error(`arx: extended nonce must be 24 bytes`); - extendNonceFn(sigma, k32, (0, utils_js_1.u32)(nonce.subarray(0, 16)), k32); - nonce = nonce.subarray(16); - } - // Handle nonce counter - const nonceNcLen = 16 - counterLength; - if (nonceNcLen !== nonce.length) - throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); - // Pad counter when nonce is 64 bit - if (nonceNcLen !== 12) { - const nc = new Uint8Array(12); - nc.set(nonce, counterRight ? 0 : 12 - nonce.length); - nonce = nc; - toClean.push(nonce); - } - const n32 = (0, utils_js_1.u32)(nonce); - runCipher(core, sigma, k32, n32, data, output, counter, rounds); - while (toClean.length > 0) - toClean.pop().fill(0); - return output; - }; -} -exports.createCipher = createCipher; -//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/_assert.js b/_assert.js deleted file mode 100644 index 83ace83..0000000 --- a/_assert.js +++ /dev/null @@ -1,50 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.output = exports.exists = exports.hash = exports.bytes = exports.bool = exports.number = exports.isBytes = void 0; -function number(n) { - if (!Number.isSafeInteger(n) || n < 0) - throw new Error(`positive integer expected, not ${n}`); -} -exports.number = number; -function bool(b) { - if (typeof b !== 'boolean') - throw new Error(`boolean expected, not ${b}`); -} -exports.bool = bool; -function isBytes(a) { - return (a instanceof Uint8Array || - (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); -} -exports.isBytes = isBytes; -function bytes(b, ...lengths) { - if (!isBytes(b)) - throw new Error('Uint8Array expected'); - if (lengths.length > 0 && !lengths.includes(b.length)) - throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); -} -exports.bytes = bytes; -function hash(hash) { - if (typeof hash !== 'function' || typeof hash.create !== 'function') - throw new Error('hash must be wrapped by utils.wrapConstructor'); - number(hash.outputLen); - number(hash.blockLen); -} -exports.hash = hash; -function exists(instance, checkFinished = true) { - if (instance.destroyed) - throw new Error('Hash instance has been destroyed'); - if (checkFinished && instance.finished) - throw new Error('Hash#digest() has already been called'); -} -exports.exists = exists; -function output(out, instance) { - bytes(out); - const min = instance.outputLen; - if (out.length < min) { - throw new Error(`digestInto() expects output buffer of length at least ${min}`); - } -} -exports.output = output; -const assert = { number, bool, bytes, hash, exists, output }; -exports.default = assert; -//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/_micro.js b/_micro.js deleted file mode 100644 index 523065c..0000000 --- a/_micro.js +++ /dev/null @@ -1,295 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.secretbox = exports.xsalsa20poly1305 = exports.poly1305 = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.xsalsa20 = exports.salsa20 = exports.hchacha = exports.hsalsa = void 0; -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _arx_js_1 = require("./_arx.js"); -const _assert_js_1 = require("./_assert.js"); -/* -noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. -Implements the same algorithms that are present in other files, but without -unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). -*/ -function bytesToNumberLE(bytes) { - return (0, utils_js_1.hexToNumber)((0, utils_js_1.bytesToHex)(Uint8Array.from(bytes).reverse())); -} -function numberToBytesLE(n, len) { - return (0, utils_js_1.numberToBytesBE)(n, len).reverse(); -} -function salsaQR(x, a, b, c, d) { - x[b] ^= (0, _arx_js_1.rotl)((x[a] + x[d]) | 0, 7); - x[c] ^= (0, _arx_js_1.rotl)((x[b] + x[a]) | 0, 9); - x[d] ^= (0, _arx_js_1.rotl)((x[c] + x[b]) | 0, 13); - x[a] ^= (0, _arx_js_1.rotl)((x[d] + x[c]) | 0, 18); -} -// prettier-ignore -function chachaQR(x, a, b, c, d) { - x[a] = (x[a] + x[b]) | 0; - x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 16); - x[c] = (x[c] + x[d]) | 0; - x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 12); - x[a] = (x[a] + x[b]) | 0; - x[d] = (0, _arx_js_1.rotl)(x[d] ^ x[a], 8); - x[c] = (x[c] + x[d]) | 0; - x[b] = (0, _arx_js_1.rotl)(x[b] ^ x[c], 7); -} -function salsaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - salsaQR(x, 0, 4, 8, 12); - salsaQR(x, 5, 9, 13, 1); - salsaQR(x, 10, 14, 2, 6); - salsaQR(x, 15, 3, 7, 11); - salsaQR(x, 0, 1, 2, 3); - salsaQR(x, 5, 6, 7, 4); - salsaQR(x, 10, 11, 8, 9); - salsaQR(x, 15, 12, 13, 14); - } -} -function chachaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - chachaQR(x, 0, 4, 8, 12); - chachaQR(x, 1, 5, 9, 13); - chachaQR(x, 2, 6, 10, 14); - chachaQR(x, 3, 7, 11, 15); - chachaQR(x, 0, 5, 10, 15); - chachaQR(x, 1, 6, 11, 12); - chachaQR(x, 2, 7, 8, 13); - chachaQR(x, 3, 4, 9, 14); - } -} -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], k[0], k[1], k[2], // "expa" Key Key Key - k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce - cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key - k[5], k[6], k[7], s[3], // Key Key Key "te k" - ]); - const x = y.slice(); - salsaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -function hsalsa(s, k, i, o32) { - const x = new Uint32Array([ - s[0], k[0], k[1], k[2], - k[3], s[1], i[0], i[1], - i[2], i[3], s[2], k[4], - k[5], k[6], k[7], s[3] - ]); - salsaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[5]; - o32[oi++] = x[10]; - o32[oi++] = x[15]; - o32[oi++] = x[6]; - o32[oi++] = x[7]; - o32[oi++] = x[8]; - o32[oi++] = x[9]; -} -exports.hsalsa = hsalsa; -function chachaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" - k[0], k[1], k[2], k[3], // Key Key Key Key - k[4], k[5], k[6], k[7], // Key Key Key Key - cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce - ]); - const x = y.slice(); - chachaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -function hchacha(s, k, i, o32) { - const x = new Uint32Array([ - s[0], s[1], s[2], s[3], - k[0], k[1], k[2], k[3], - k[4], k[5], k[6], k[7], - i[0], i[1], i[2], i[3], - ]); - chachaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[1]; - o32[oi++] = x[2]; - o32[oi++] = x[3]; - o32[oi++] = x[12]; - o32[oi++] = x[13]; - o32[oi++] = x[14]; - o32[oi++] = x[15]; -} -exports.hchacha = hchacha; -/** - * salsa20, 12-byte nonce. - */ -exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20, 24-byte nonce. - */ -exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. - */ -exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { - allowShortKeys: true, - counterRight: false, - counterLength: 8, -}); -/** - * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. - */ -exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, -}); -/** - * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, -}); -/** - * 8-round chacha from the original paper. - */ -exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * 12-round chacha from the original paper. - */ -exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); -const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); -const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); -const _0 = BigInt(0); -const _1 = BigInt(1); -// Can be speed-up using BigUint64Array, but would be more complicated -function poly1305(msg, key) { - (0, _assert_js_1.bytes)(msg); - (0, _assert_js_1.bytes)(key); - let acc = _0; - const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; - const s = bytesToNumberLE(key.subarray(16)); - // Process by 16 byte chunks - for (let i = 0; i < msg.length; i += 16) { - const m = msg.subarray(i, i + 16); - const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); - acc = ((acc + n) * r) % POW_2_130_5; - } - const res = (acc + s) & POW_2_128_1; - return numberToBytesLE(res, 16); -} -exports.poly1305 = poly1305; -function computeTag(fn, key, nonce, ciphertext, AAD) { - const res = []; - if (AAD) { - res.push(AAD); - const leftover = AAD.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - } - res.push(ciphertext); - const leftover = ciphertext.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - // Lengths - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(ciphertext.length), true); - res.push(num); - const authKey = fn(key, nonce, new Uint8Array(32)); - return poly1305((0, utils_js_1.concatBytes)(...res), authKey); -} -/** - * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. - */ -exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const m = (0, utils_js_1.concatBytes)(new Uint8Array(32), plaintext); - const c = (0, exports.xsalsa20)(key, nonce, m); - const authKey = c.subarray(0, 32); - const data = c.subarray(32); - const tag = poly1305(data, authKey); - return (0, utils_js_1.concatBytes)(tag, data); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < 16) - throw new Error('encrypted data must be at least 16 bytes'); - const c = (0, utils_js_1.concatBytes)(new Uint8Array(16), ciphertext); - const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); - const tag = poly1305(c.subarray(32), authKey); - if (!(0, utils_js_1.equalBytes)(c.subarray(16, 32), tag)) - throw new Error('invalid poly1305 tag'); - return (0, exports.xsalsa20)(key, nonce, c).subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20-poly1305 - */ -function secretbox(key, nonce) { - const xs = (0, exports.xsalsa20poly1305)(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -exports.secretbox = secretbox; -const _poly1305_aead = (fn) => (key, nonce, AAD) => { - const tagLength = 16; - const keyLength = 32; - (0, _assert_js_1.bytes)(key, keyLength); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const res = fn(key, nonce, plaintext, undefined, 1); - const tag = computeTag(fn, key, nonce, res, AAD); - return (0, utils_js_1.concatBytes)(res, tag); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - const passedTag = ciphertext.subarray(-tagLength); - const data = ciphertext.subarray(0, -tagLength); - const tag = computeTag(fn, key, nonce, data, AAD); - if (!(0, utils_js_1.equalBytes)(passedTag, tag)) - throw new Error('invalid poly1305 tag'); - return fn(key, nonce, data, undefined, 1); - }, - }; -}; -exports._poly1305_aead = _poly1305_aead; -/** - * chacha20-poly1305 12-byte-nonce chacha. - */ -exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); -/** - * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); -//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/_poly1305.js b/_poly1305.js deleted file mode 100644 index 0652e24..0000000 --- a/_poly1305.js +++ /dev/null @@ -1,268 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.poly1305 = exports.wrapConstructorWithKey = void 0; -const _assert_js_1 = require("./_assert.js"); -const utils_js_1 = require("./utils.js"); -// Poly1305 is a fast and parallel secret-key message-authentication code. -// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf -// https://datatracker.ietf.org/doc/html/rfc8439 -// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna -const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); -class Poly1305 { - constructor(key) { - this.blockLen = 16; - this.outputLen = 16; - this.buffer = new Uint8Array(16); - this.r = new Uint16Array(10); - this.h = new Uint16Array(10); - this.pad = new Uint16Array(8); - this.pos = 0; - this.finished = false; - key = (0, utils_js_1.toBytes)(key); - (0, _assert_js_1.bytes)(key, 32); - const t0 = u8to16(key, 0); - const t1 = u8to16(key, 2); - const t2 = u8to16(key, 4); - const t3 = u8to16(key, 6); - const t4 = u8to16(key, 8); - const t5 = u8to16(key, 10); - const t6 = u8to16(key, 12); - const t7 = u8to16(key, 14); - // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 - this.r[0] = t0 & 0x1fff; - this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; - this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; - this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; - this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; - this.r[5] = (t4 >>> 1) & 0x1ffe; - this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; - this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; - this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; - this.r[9] = (t7 >>> 5) & 0x007f; - for (let i = 0; i < 8; i++) - this.pad[i] = u8to16(key, 16 + 2 * i); - } - process(data, offset, isLast = false) { - const hibit = isLast ? 0 : 1 << 11; - const { h, r } = this; - const r0 = r[0]; - const r1 = r[1]; - const r2 = r[2]; - const r3 = r[3]; - const r4 = r[4]; - const r5 = r[5]; - const r6 = r[6]; - const r7 = r[7]; - const r8 = r[8]; - const r9 = r[9]; - const t0 = u8to16(data, offset + 0); - const t1 = u8to16(data, offset + 2); - const t2 = u8to16(data, offset + 4); - const t3 = u8to16(data, offset + 6); - const t4 = u8to16(data, offset + 8); - const t5 = u8to16(data, offset + 10); - const t6 = u8to16(data, offset + 12); - const t7 = u8to16(data, offset + 14); - let h0 = h[0] + (t0 & 0x1fff); - let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); - let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); - let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); - let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); - let h5 = h[5] + ((t4 >>> 1) & 0x1fff); - let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); - let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); - let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); - let h9 = h[9] + ((t7 >>> 5) | hibit); - let c = 0; - let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); - c = d0 >>> 13; - d0 &= 0x1fff; - d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); - c += d0 >>> 13; - d0 &= 0x1fff; - let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); - c = d1 >>> 13; - d1 &= 0x1fff; - d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); - c += d1 >>> 13; - d1 &= 0x1fff; - let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); - c = d2 >>> 13; - d2 &= 0x1fff; - d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); - c += d2 >>> 13; - d2 &= 0x1fff; - let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); - c = d3 >>> 13; - d3 &= 0x1fff; - d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); - c += d3 >>> 13; - d3 &= 0x1fff; - let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; - c = d4 >>> 13; - d4 &= 0x1fff; - d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); - c += d4 >>> 13; - d4 &= 0x1fff; - let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; - c = d5 >>> 13; - d5 &= 0x1fff; - d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); - c += d5 >>> 13; - d5 &= 0x1fff; - let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; - c = d6 >>> 13; - d6 &= 0x1fff; - d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); - c += d6 >>> 13; - d6 &= 0x1fff; - let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; - c = d7 >>> 13; - d7 &= 0x1fff; - d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); - c += d7 >>> 13; - d7 &= 0x1fff; - let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; - c = d8 >>> 13; - d8 &= 0x1fff; - d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); - c += d8 >>> 13; - d8 &= 0x1fff; - let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; - c = d9 >>> 13; - d9 &= 0x1fff; - d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; - c += d9 >>> 13; - d9 &= 0x1fff; - c = ((c << 2) + c) | 0; - c = (c + d0) | 0; - d0 = c & 0x1fff; - c = c >>> 13; - d1 += c; - h[0] = d0; - h[1] = d1; - h[2] = d2; - h[3] = d3; - h[4] = d4; - h[5] = d5; - h[6] = d6; - h[7] = d7; - h[8] = d8; - h[9] = d9; - } - finalize() { - const { h, pad } = this; - const g = new Uint16Array(10); - let c = h[1] >>> 13; - h[1] &= 0x1fff; - for (let i = 2; i < 10; i++) { - h[i] += c; - c = h[i] >>> 13; - h[i] &= 0x1fff; - } - h[0] += c * 5; - c = h[0] >>> 13; - h[0] &= 0x1fff; - h[1] += c; - c = h[1] >>> 13; - h[1] &= 0x1fff; - h[2] += c; - g[0] = h[0] + 5; - c = g[0] >>> 13; - g[0] &= 0x1fff; - for (let i = 1; i < 10; i++) { - g[i] = h[i] + c; - c = g[i] >>> 13; - g[i] &= 0x1fff; - } - g[9] -= 1 << 13; - let mask = (c ^ 1) - 1; - for (let i = 0; i < 10; i++) - g[i] &= mask; - mask = ~mask; - for (let i = 0; i < 10; i++) - h[i] = (h[i] & mask) | g[i]; - h[0] = (h[0] | (h[1] << 13)) & 0xffff; - h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; - h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; - h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; - h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; - h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; - h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; - h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; - let f = h[0] + pad[0]; - h[0] = f & 0xffff; - for (let i = 1; i < 8; i++) { - f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; - h[i] = f & 0xffff; - } - } - update(data) { - (0, _assert_js_1.exists)(this); - const { buffer, blockLen } = this; - data = (0, utils_js_1.toBytes)(data); - const len = data.length; - for (let pos = 0; pos < len;) { - const take = Math.min(blockLen - this.pos, len - pos); - // Fast path: we have at least one block in input - if (take === blockLen) { - for (; blockLen <= len - pos; pos += blockLen) - this.process(data, pos); - continue; - } - buffer.set(data.subarray(pos, pos + take), this.pos); - this.pos += take; - pos += take; - if (this.pos === blockLen) { - this.process(buffer, 0, false); - this.pos = 0; - } - } - return this; - } - destroy() { - this.h.fill(0); - this.r.fill(0); - this.buffer.fill(0); - this.pad.fill(0); - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - const { buffer, h } = this; - let { pos } = this; - if (pos) { - buffer[pos++] = 1; - // buffer.subarray(pos).fill(0); - for (; pos < 16; pos++) - buffer[pos] = 0; - this.process(buffer, 0, true); - } - this.finalize(); - let opos = 0; - for (let i = 0; i < 8; i++) { - out[opos++] = h[i] >>> 0; - out[opos++] = h[i] >>> 8; - } - return out; - } - digest() { - const { buffer, outputLen } = this; - this.digestInto(buffer); - const res = buffer.slice(0, outputLen); - this.destroy(); - return res; - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key).update((0, utils_js_1.toBytes)(msg)).digest(); - const tmp = hashCons(new Uint8Array(32)); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key) => hashCons(key); - return hashC; -} -exports.wrapConstructorWithKey = wrapConstructorWithKey; -exports.poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); -//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/_polyval.js b/_polyval.js deleted file mode 100644 index 7183fc9..0000000 --- a/_polyval.js +++ /dev/null @@ -1,221 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.polyval = exports.ghash = exports._toGHASHKey = void 0; -const utils_js_1 = require("./utils.js"); -const _assert_js_1 = require("./_assert.js"); -// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. -// Implemented in terms of GHash with conversion function for keys -// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. -// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf -// GHASH modulo: x^128 + x^7 + x^2 + x + 1 -// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 -const BLOCK_SIZE = 16; -// TODO: rewrite -// temporary padding buffer -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -const ZEROS32 = (0, utils_js_1.u32)(ZEROS16); -const POLY = 0xe1; // v = 2*v % POLY -// v = 2*v % POLY -// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x -// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) -const mul2 = (s0, s1, s2, s3) => { - const hiBit = s3 & 1; - return { - s3: (s2 << 31) | (s3 >>> 1), - s2: (s1 << 31) | (s2 >>> 1), - s1: (s0 << 31) | (s1 >>> 1), - s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly - }; -}; -const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | - (((n >>> 8) & 0xff) << 16) | - (((n >>> 16) & 0xff) << 8) | - ((n >>> 24) & 0xff) | - 0; -/** - * `mulX_POLYVAL(ByteReverse(H))` from spec - * @param k mutated in place - */ -function _toGHASHKey(k) { - k.reverse(); - const hiBit = k[15] & 1; - // k >>= 1 - let carry = 0; - for (let i = 0; i < k.length; i++) { - const t = k[i]; - k[i] = (t >>> 1) | carry; - carry = (t & 1) << 7; - } - k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; - return k; -} -exports._toGHASHKey = _toGHASHKey; -const estimateWindow = (bytes) => { - if (bytes > 64 * 1024) - return 8; - if (bytes > 1024) - return 4; - return 2; -}; -class GHASH { - // We select bits per window adaptively based on expectedLength - constructor(key, expectedLength) { - this.blockLen = BLOCK_SIZE; - this.outputLen = BLOCK_SIZE; - this.s0 = 0; - this.s1 = 0; - this.s2 = 0; - this.s3 = 0; - this.finished = false; - key = (0, utils_js_1.toBytes)(key); - (0, _assert_js_1.bytes)(key, 16); - const kView = (0, utils_js_1.createView)(key); - let k0 = kView.getUint32(0, false); - let k1 = kView.getUint32(4, false); - let k2 = kView.getUint32(8, false); - let k3 = kView.getUint32(12, false); - // generate table of doubled keys (half of montgomery ladder) - const doubles = []; - for (let i = 0; i < 128; i++) { - doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); - ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); - } - const W = estimateWindow(expectedLength || 1024); - if (![1, 2, 4, 8].includes(W)) - throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); - this.W = W; - const bits = 128; // always 128 bits; - const windows = bits / W; - const windowSize = (this.windowSize = 2 ** W); - const items = []; - // Create precompute table for window of W bits - for (let w = 0; w < windows; w++) { - // truth table: 00, 01, 10, 11 - for (let byte = 0; byte < windowSize; byte++) { - // prettier-ignore - let s0 = 0, s1 = 0, s2 = 0, s3 = 0; - for (let j = 0; j < W; j++) { - const bit = (byte >>> (W - j - 1)) & 1; - if (!bit) - continue; - const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; - (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); - } - items.push({ s0, s1, s2, s3 }); - } - } - this.t = items; - } - _updateBlock(s0, s1, s2, s3) { - (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); - const { W, t, windowSize } = this; - // prettier-ignore - let o0 = 0, o1 = 0, o2 = 0, o3 = 0; - const mask = (1 << W) - 1; // 2**W will kill performance. - let w = 0; - for (const num of [s0, s1, s2, s3]) { - for (let bytePos = 0; bytePos < 4; bytePos++) { - const byte = (num >>> (8 * bytePos)) & 0xff; - for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { - const bit = (byte >>> (W * bitPos)) & mask; - const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; - (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); - w += 1; - } - } - } - this.s0 = o0; - this.s1 = o1; - this.s2 = o2; - this.s3 = o3; - } - update(data) { - data = (0, utils_js_1.toBytes)(data); - (0, _assert_js_1.exists)(this); - const b32 = (0, utils_js_1.u32)(data); - const blocks = Math.floor(data.length / BLOCK_SIZE); - const left = data.length % BLOCK_SIZE; - for (let i = 0; i < blocks; i++) { - this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - destroy() { - const { t } = this; - // clean precompute table - for (const elm of t) { - (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); - } - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - const { s0, s1, s2, s3 } = this; - const o32 = (0, utils_js_1.u32)(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out; - } - digest() { - const res = new Uint8Array(BLOCK_SIZE); - this.digestInto(res); - this.destroy(); - return res; - } -} -class Polyval extends GHASH { - constructor(key, expectedLength) { - key = (0, utils_js_1.toBytes)(key); - const ghKey = _toGHASHKey(key.slice()); - super(ghKey, expectedLength); - ghKey.fill(0); - } - update(data) { - data = (0, utils_js_1.toBytes)(data); - (0, _assert_js_1.exists)(this); - const b32 = (0, utils_js_1.u32)(data); - const left = data.length % BLOCK_SIZE; - const blocks = Math.floor(data.length / BLOCK_SIZE); - for (let i = 0; i < blocks; i++) { - this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - digestInto(out) { - (0, _assert_js_1.exists)(this); - (0, _assert_js_1.output)(out, this); - this.finished = true; - // tmp ugly hack - const { s0, s1, s2, s3 } = this; - const o32 = (0, utils_js_1.u32)(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out.reverse(); - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key, msg.length).update((0, utils_js_1.toBytes)(msg)).digest(); - const tmp = hashCons(new Uint8Array(16), 0); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key, expectedLength) => hashCons(key, expectedLength); - return hashC; -} -exports.ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); -exports.polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); -//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/aes.js b/aes.js deleted file mode 100644 index 2147b0a..0000000 --- a/aes.js +++ /dev/null @@ -1,633 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.unsafe = exports.siv = exports.gcm = exports.cbc = exports.ecb = exports.ctr = exports.expandKeyDecLE = exports.expandKeyLE = void 0; -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _polyval_js_1 = require("./_polyval.js"); -const _assert_js_1 = require("./_assert.js"); -/* -AES (Advanced Encryption Standard) aka Rijndael block cipher. - -Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: -1. **S-box**, table substitution -2. **Shift rows**, cyclic shift left of all rows of data array -3. **Mix columns**, multiplying every column by fixed polynomial -4. **Add round key**, round_key xor i-th column of array - -Resources: -- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf -- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf -*/ -const BLOCK_SIZE = 16; -const BLOCK_SIZE32 = 4; -const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); -const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 -// TODO: remove multiplication, binary ops only -function mul2(n) { - return (n << 1) ^ (POLY & -(n >> 7)); -} -function mul(a, b) { - let res = 0; - for (; b > 0; b >>= 1) { - // Montgomery ladder - res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). - a = mul2(a); // a = 2*a - } - return res; -} -// AES S-box is generated using finite field inversion, -// an affine transform, and xor of a constant 0x63. -const sbox = /* @__PURE__ */ (() => { - let t = new Uint8Array(256); - for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) - t[i] = x; - const box = new Uint8Array(256); - box[0] = 0x63; // first elm - for (let i = 0; i < 255; i++) { - let x = t[255 - i]; - x |= x << 8; - box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; - } - return box; -})(); -// Inverted S-box -const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); -// Rotate u32 by 8 -const rotr32_8 = (n) => (n << 24) | (n >>> 8); -const rotl32_8 = (n) => (n << 8) | (n >>> 24); -// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: -// - LE instead of BE -// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; -// so index is u16, instead of u8. This speeds up things, unexpectedly -function genTtable(sbox, fn) { - if (sbox.length !== 256) - throw new Error('Wrong sbox length'); - const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); - const T1 = T0.map(rotl32_8); - const T2 = T1.map(rotl32_8); - const T3 = T2.map(rotl32_8); - const T01 = new Uint32Array(256 * 256); - const T23 = new Uint32Array(256 * 256); - const sbox2 = new Uint16Array(256 * 256); - for (let i = 0; i < 256; i++) { - for (let j = 0; j < 256; j++) { - const idx = i * 256 + j; - T01[idx] = T0[i] ^ T1[j]; - T23[idx] = T2[i] ^ T3[j]; - sbox2[idx] = (sbox[i] << 8) | sbox[j]; - } - } - return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; -} -const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); -const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); -const xPowers = /* @__PURE__ */ (() => { - const p = new Uint8Array(16); - for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) - p[i] = x; - return p; -})(); -function expandKeyLE(key) { - (0, _assert_js_1.bytes)(key); - const len = key.length; - if (![16, 24, 32].includes(len)) - throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); - const { sbox2 } = tableEncoding; - const k32 = (0, utils_js_1.u32)(key); - const Nk = k32.length; - const subByte = (n) => applySbox(sbox2, n, n, n, n); - const xk = new Uint32Array(len + 28); // expanded key - xk.set(k32); - // 4.3.1 Key expansion - for (let i = Nk; i < xk.length; i++) { - let t = xk[i - 1]; - if (i % Nk === 0) - t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; - else if (Nk > 6 && i % Nk === 4) - t = subByte(t); - xk[i] = xk[i - Nk] ^ t; - } - return xk; -} -exports.expandKeyLE = expandKeyLE; -function expandKeyDecLE(key) { - const encKey = expandKeyLE(key); - const xk = encKey.slice(); - const Nk = encKey.length; - const { sbox2 } = tableEncoding; - const { T0, T1, T2, T3 } = tableDecoding; - // Inverse key by chunks of 4 (rounds) - for (let i = 0; i < Nk; i += 4) { - for (let j = 0; j < 4; j++) - xk[i + j] = encKey[Nk - i - 4 + j]; - } - encKey.fill(0); - // apply InvMixColumn except first & last round - for (let i = 4; i < Nk - 4; i++) { - const x = xk[i]; - const w = applySbox(sbox2, x, x, x, x); - xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; - } - return xk; -} -exports.expandKeyDecLE = expandKeyDecLE; -// Apply tables -function apply0123(T01, T23, s0, s1, s2, s3) { - return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ - T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); -} -function applySbox(sbox2, s0, s1, s2, s3) { - return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | - (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); -} -function encrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableEncoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // last round (without mixcolumns, so using SBOX2 table) - const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function decrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableDecoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // Last round - const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function getDst(len, dst) { - if (!dst) - return new Uint8Array(len); - (0, _assert_js_1.bytes)(dst); - if (dst.length < len) - throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); - return dst; -} -// TODO: investigate merging with ctr32 -function ctrCounter(xk, nonce, src, dst) { - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - (0, _assert_js_1.bytes)(src); - const srcLen = src.length; - dst = getDst(srcLen, dst); - const ctr = nonce; - const c32 = (0, utils_js_1.u32)(ctr); - // Fill block (empty, ctr=0) - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - const src32 = (0, utils_js_1.u32)(src); - const dst32 = (0, utils_js_1.u32)(dst); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - // Full 128 bit counter with wrap around - let carry = 1; - for (let i = ctr.length - 1; i >= 0; i--) { - carry = (carry + (ctr[i] & 0xff)) | 0; - ctr[i] = carry & 0xff; - carry >>>= 8; - } - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than block) - // It's possible to handle > u32 fast, but is it worth it? - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = (0, utils_js_1.u8)(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -// AES CTR with overflowing 32 bit counter -// It's possible to do 32le significantly simpler (and probably faster) by using u32. -// But, we need both, and perf bottleneck is in ghash anyway. -function ctr32(xk, isLE, nonce, src, dst) { - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - (0, _assert_js_1.bytes)(src); - dst = getDst(src.length, dst); - const ctr = nonce; // write new value to nonce, so it can be re-used - const c32 = (0, utils_js_1.u32)(ctr); - const view = (0, utils_js_1.createView)(ctr); - const src32 = (0, utils_js_1.u32)(src); - const dst32 = (0, utils_js_1.u32)(dst); - const ctrPos = isLE ? 0 : 12; - const srcLen = src.length; - // Fill block (empty, ctr=0) - let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - ctrNum = (ctrNum + 1) >>> 0; // u32 wrap - view.setUint32(ctrPos, ctrNum, isLE); - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than a block) - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = (0, utils_js_1.u8)(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -/** - * CTR: counter mode. Creates stream cipher. - * Requires good IV. Parallelizable. OK, but no MAC. - */ -exports.ctr = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(nonce, BLOCK_SIZE); - function processCtr(buf, dst) { - const xk = expandKeyLE(key); - const n = nonce.slice(); - const out = ctrCounter(xk, n, buf, dst); - xk.fill(0); - n.fill(0); - return out; - } - return { - encrypt: (plaintext, dst) => processCtr(plaintext, dst), - decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), - }; -}); -function validateBlockDecrypt(data) { - (0, _assert_js_1.bytes)(data); - if (data.length % BLOCK_SIZE !== 0) { - throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); - } -} -function validateBlockEncrypt(plaintext, pcks5, dst) { - let outLen = plaintext.length; - const remaining = outLen % BLOCK_SIZE; - if (!pcks5 && remaining !== 0) - throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); - const b = (0, utils_js_1.u32)(plaintext); - if (pcks5) { - let left = BLOCK_SIZE - remaining; - if (!left) - left = BLOCK_SIZE; // if no bytes left, create empty padding block - outLen = outLen + left; - } - const out = getDst(outLen, dst); - const o = (0, utils_js_1.u32)(out); - return { b, o, out }; -} -function validatePCKS(data, pcks5) { - if (!pcks5) - return data; - const len = data.length; - if (!len) - throw new Error(`aes/pcks5: empty ciphertext not allowed`); - const lastByte = data[len - 1]; - if (lastByte <= 0 || lastByte > 16) - throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); - const out = data.subarray(0, -lastByte); - for (let i = 0; i < lastByte; i++) - if (data[len - i - 1] !== lastByte) - throw new Error(`aes/pcks5: wrong padding`); - return out; -} -function padPCKS(left) { - const tmp = new Uint8Array(16); - const tmp32 = (0, utils_js_1.u32)(tmp); - tmp.set(left); - const paddingByte = BLOCK_SIZE - left.length; - for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) - tmp[i] = paddingByte; - return tmp32; -} -/** - * ECB: Electronic CodeBook. Simple deterministic replacement. - * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). - */ -exports.ecb = (0, utils_js_1.wrapCipher)({ blockSize: 16 }, function ecb(key, opts = {}) { - (0, _assert_js_1.bytes)(key); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - (0, _assert_js_1.bytes)(plaintext); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const xk = expandKeyLE(key); - let i = 0; - for (; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const out = getDst(ciphertext.length, dst); - const b = (0, utils_js_1.u32)(ciphertext); - const o = (0, utils_js_1.u32)(out); - for (let i = 0; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -/** - * CBC: Cipher-Block-Chaining. Key is previous round’s block. - * Fragile: needs proper padding. Unauthenticated: needs MAC. - */ -exports.cbc = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { - (0, _assert_js_1.bytes)(key); - (0, _assert_js_1.bytes)(iv, 16); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - const xk = expandKeyLE(key); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const n32 = (0, utils_js_1.u32)(iv); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - let i = 0; - for (; i + 4 <= b.length;) { - (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const n32 = (0, utils_js_1.u32)(iv); - const out = getDst(ciphertext.length, dst); - const b = (0, utils_js_1.u32)(ciphertext); - const o = (0, utils_js_1.u32)(out); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - for (let i = 0; i + 4 <= b.length;) { - // prettier-ignore - const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; - (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); - const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); - (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen -function computeTag(fn, isLE, key, data, AAD) { - const h = fn.create(key, data.length + (AAD?.length || 0)); - if (AAD) - h.update(AAD); - h.update(data); - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - if (AAD) - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD.length * 8), isLE); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length * 8), isLE); - h.update(num); - return h.digest(); -} -/** - * GCM: Galois/Counter Mode. - * Good, modern version of CTR, parallel, with MAC. - * Be careful: MACs can be forged. - */ -exports.gcm = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { - (0, _assert_js_1.bytes)(nonce); - // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. - if (nonce.length === 0) - throw new Error('aes/gcm: empty nonce'); - const tagLength = 16; - function _computeTag(authKey, tagMask, data) { - const tag = computeTag(_polyval_js_1.ghash, false, authKey, data, AAD); - for (let i = 0; i < tagMask.length; i++) - tag[i] ^= tagMask[i]; - return tag; - } - function deriveKeys() { - const xk = expandKeyLE(key); - const authKey = EMPTY_BLOCK.slice(); - const counter = EMPTY_BLOCK.slice(); - ctr32(xk, false, counter, counter, authKey); - if (nonce.length === 12) { - counter.set(nonce); - } - else { - // Spec (NIST 800-38d) supports variable size nonce. - // Not supported for now, but can be useful. - const nonceLen = EMPTY_BLOCK.slice(); - const view = (0, utils_js_1.createView)(nonceLen); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(nonce.length * 8), false); - // ghash(nonce || u64be(0) || u64be(nonceLen*8)) - _polyval_js_1.ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); - } - const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); - return { xk, authKey, counter, tagMask }; - } - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const out = new Uint8Array(plaintext.length + tagLength); - ctr32(xk, false, counter, plaintext, out); - const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); - out.set(tag, plaintext.length); - xk.fill(0); - return out; - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = _computeTag(authKey, tagMask, data); - if (!(0, utils_js_1.equalBytes)(tag, passedTag)) - throw new Error('aes/gcm: invalid ghash tag'); - const out = ctr32(xk, false, counter, data); - authKey.fill(0); - tagMask.fill(0); - xk.fill(0); - return out; - }, - }; -}); -const limit = (name, min, max) => (value) => { - if (!Number.isSafeInteger(value) || min > value || value > max) - throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); -}; -/** - * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. - * Guarantees that, when a nonce is repeated, the only security loss is that identical - * plaintexts will produce identical ciphertexts. - * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 - */ -exports.siv = (0, utils_js_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { - const tagLength = 16; - // From RFC 8452: Section 6 - const AAD_LIMIT = limit('AAD', 0, 2 ** 36); - const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); - const NONCE_LIMIT = limit('nonce', 12, 12); - const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); - (0, _assert_js_1.bytes)(nonce); - NONCE_LIMIT(nonce.length); - if (AAD) { - (0, _assert_js_1.bytes)(AAD); - AAD_LIMIT(AAD.length); - } - function deriveKeys() { - const len = key.length; - if (len !== 16 && len !== 24 && len !== 32) - throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); - const xk = expandKeyLE(key); - const encKey = new Uint8Array(len); - const authKey = new Uint8Array(16); - const n32 = (0, utils_js_1.u32)(nonce); - // prettier-ignore - let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; - let counter = 0; - for (const derivedKey of [authKey, encKey].map(utils_js_1.u32)) { - const d32 = (0, utils_js_1.u32)(derivedKey); - for (let i = 0; i < d32.length; i += 2) { - // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... - const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); - d32[i + 0] = o0; - d32[i + 1] = o1; - s0 = ++counter; // increment counter inside state - } - } - xk.fill(0); - return { authKey, encKey: expandKeyLE(encKey) }; - } - function _computeTag(encKey, authKey, data) { - const tag = computeTag(_polyval_js_1.polyval, true, authKey, data, AAD); - // Compute the expected tag by XORing S_s and the nonce, clearing the - // most significant bit of the last byte and encrypting with the - // message-encryption key. - for (let i = 0; i < 12; i++) - tag[i] ^= nonce[i]; - tag[15] &= 0x7f; // Clear the highest bit - // encrypt tag as block - const t32 = (0, utils_js_1.u32)(tag); - // prettier-ignore - let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; - ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); - (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); - return tag; - } - // actual decrypt/encrypt of message. - function processSiv(encKey, tag, input) { - let block = tag.slice(); - block[15] |= 0x80; // Force highest bit - return ctr32(encKey, true, block, input); - } - return { - encrypt: (plaintext) => { - (0, _assert_js_1.bytes)(plaintext); - PLAIN_LIMIT(plaintext.length); - const { encKey, authKey } = deriveKeys(); - const tag = _computeTag(encKey, authKey, plaintext); - const out = new Uint8Array(plaintext.length + tagLength); - out.set(tag, plaintext.length); - out.set(processSiv(encKey, tag, plaintext)); - encKey.fill(0); - authKey.fill(0); - return out; - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - CIPHER_LIMIT(ciphertext.length); - const tag = ciphertext.subarray(-tagLength); - const { encKey, authKey } = deriveKeys(); - const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); - const expectedTag = _computeTag(encKey, authKey, plaintext); - encKey.fill(0); - authKey.fill(0); - if (!(0, utils_js_1.equalBytes)(tag, expectedTag)) - throw new Error('invalid polyval tag'); - return plaintext; - }, - }; -}); -function isBytes32(a) { - return (a != null && - typeof a === 'object' && - (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); -} -function encryptBlock(xk, block) { - (0, _assert_js_1.bytes)(block, 16); - if (!isBytes32(xk)) - throw new Error('_encryptBlock accepts result of expandKeyLE'); - const b32 = (0, utils_js_1.u32)(block); - let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -function decryptBlock(xk, block) { - (0, _assert_js_1.bytes)(block, 16); - if (!isBytes32(xk)) - throw new Error('_decryptBlock accepts result of expandKeyLE'); - const b32 = (0, utils_js_1.u32)(block); - let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -// Highly unsafe private functions for implementing new modes or ciphers based on AES -// Can change at any time, no API guarantees -exports.unsafe = { - expandKeyLE, - expandKeyDecLE, - encrypt, - decrypt, - encryptBlock, - decryptBlock, - ctrCounter, - ctr32, -}; -//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/chacha.js b/chacha.js deleted file mode 100644 index a10250d..0000000 --- a/chacha.js +++ /dev/null @@ -1,323 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.hchacha = void 0; -// prettier-ignore -const utils_js_1 = require("./utils.js"); -const _poly1305_js_1 = require("./_poly1305.js"); -const _arx_js_1 = require("./_arx.js"); -const _assert_js_1 = require("./_assert.js"); -// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase -// the diffusion per round, but had slightly less cryptanalysis. -// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf -/** - * ChaCha core function. - */ -// prettier-ignore -function chachaCore(s, k, n, out, cnt, rounds = 20) { - let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" - y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key - y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key - y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hchacha helper method, used primarily in xchacha, to hash - * key and nonce into key' and nonce'. - * Same as chachaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -function hchacha(s, k, i, o32) { - let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; - for (let r = 0; r < 20; r += 2) { - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = (0, _arx_js_1.rotl)(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = (0, _arx_js_1.rotl)(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = (0, _arx_js_1.rotl)(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = (0, _arx_js_1.rotl)(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = (0, _arx_js_1.rotl)(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = (0, _arx_js_1.rotl)(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = (0, _arx_js_1.rotl)(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = (0, _arx_js_1.rotl)(x04 ^ x09, 7); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x01; - o32[oi++] = x02; - o32[oi++] = x03; - o32[oi++] = x12; - o32[oi++] = x13; - o32[oi++] = x14; - o32[oi++] = x15; -} -exports.hchacha = hchacha; -/** - * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. - */ -exports.chacha20orig = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - allowShortKeys: true, -}); -/** - * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.chacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - allowShortKeys: false, -}); -/** - * XChaCha eXtended-nonce ChaCha. 24-byte nonce. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -exports.xchacha20 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, - allowShortKeys: false, -}); -/** - * Reduced 8-round chacha, described in original paper. - */ -exports.chacha8 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * Reduced 12-round chacha, described in original paper. - */ -exports.chacha12 = (0, _arx_js_1.createCipher)(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -// Pad to digest size with zeros -const updatePadded = (h, msg) => { - h.update(msg); - const left = msg.length % 16; - if (left) - h.update(ZEROS16.subarray(left)); -}; -const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); -function computeTag(fn, key, nonce, data, AAD) { - const authKey = fn(key, nonce, ZEROS32); - const h = _poly1305_js_1.poly1305.create(authKey); - if (AAD) - updatePadded(h, AAD); - updatePadded(h, data); - const num = new Uint8Array(16); - const view = (0, utils_js_1.createView)(num); - (0, utils_js_1.setBigUint64)(view, 0, BigInt(AAD ? AAD.length : 0), true); - (0, utils_js_1.setBigUint64)(view, 8, BigInt(data.length), true); - h.update(num); - const res = h.digest(); - authKey.fill(0); - return res; -} -/** - * AEAD algorithm from RFC 8439. - * Salsa20 and chacha (RFC 8439) use poly1305 differently. - * We could have composed them similar to: - * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 - * But it's hard because of authKey: - * In salsa20, authKey changes position in salsa stream. - * In chacha, authKey can't be computed inside computeTag, it modifies the counter. - */ -const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { - const tagLength = 16; - (0, _assert_js_1.bytes)(key, 32); - (0, _assert_js_1.bytes)(nonce); - return { - encrypt: (plaintext, output) => { - const plength = plaintext.length; - const clength = plength + tagLength; - if (output) { - (0, _assert_js_1.bytes)(output, clength); - } - else { - output = new Uint8Array(clength); - } - xorStream(key, nonce, plaintext, output, 1); - const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); - output.set(tag, plength); // append tag - return output; - }, - decrypt: (ciphertext, output) => { - const clength = ciphertext.length; - const plength = clength - tagLength; - if (clength < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - if (output) { - (0, _assert_js_1.bytes)(output, plength); - } - else { - output = new Uint8Array(plength); - } - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = computeTag(xorStream, key, nonce, data, AAD); - if (!(0, utils_js_1.equalBytes)(passedTag, tag)) - throw new Error('invalid tag'); - xorStream(key, nonce, data, output, 1); - return output; - }, - }; -}; -exports._poly1305_aead = _poly1305_aead; -/** - * ChaCha20-Poly1305 from RFC 8439. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.chacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20)); -/** - * XChaCha20-Poly1305 extended-nonce chacha. - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xchacha20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20)); -//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/crypto.js b/crypto.js deleted file mode 100644 index e166f22..0000000 --- a/crypto.js +++ /dev/null @@ -1,17 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getWebcryptoSubtle = exports.randomBytes = void 0; -const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; -function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -exports.randomBytes = randomBytes; -function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -exports.getWebcryptoSubtle = getWebcryptoSubtle; -//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/cryptoNode.js b/cryptoNode.js deleted file mode 100644 index ac61d9d..0000000 --- a/cryptoNode.js +++ /dev/null @@ -1,22 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getWebcryptoSubtle = exports.randomBytes = void 0; -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// See utils.ts for details. -// The file will throw on node.js 14 and earlier. -// @ts-ignore -const nc = require("node:crypto"); -const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; -function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -exports.randomBytes = randomBytes; -function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -exports.getWebcryptoSubtle = getWebcryptoSubtle; -//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/_arx.js b/esm/_arx.js deleted file mode 100644 index b949f4d..0000000 --- a/esm/_arx.js +++ /dev/null @@ -1,166 +0,0 @@ -// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers. -import { number as anumber, bytes as abytes, bool as abool } from './_assert.js'; -import { checkOpts, u32, utf8ToBytes } from './utils.js'; -/* -RFC8439 requires multi-step cipher stream, where -authKey starts with counter: 0, actual msg with counter: 1. - -For this, we need a way to re-use nonce / counter: - - const counter = new Uint8Array(4); - chacha(..., counter, ...); // counter is now 1 - chacha(..., counter, ...); // counter is now 2 - -This is complicated: - -- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB -- Original papers don't allow mutating counters -- Counter overflow is undefined [^1] -- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it -- Caveat: Cannot be re-used through all cases: -- * chacha has (counter | nonce) -- * xchacha has (nonce16 | counter | nonce16) -- Idea B: separate nonce / counter and provide separate API for counter re-use -- Caveat: there are different counter sizes depending on an algorithm. -- salsa & chacha also differ in structures of key & sigma: - salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3] - chacha: s(4) | k(8) | ctr(1) | nonce(3) - chacha20orig: s(4) | k(8) | ctr(2) | nonce(2) -- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)` -- Caveat: we can't re-use counter array - -xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal -(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce). - -[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/ -[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2 -*/ -const sigma16 = utf8ToBytes('expand 16-byte k'); -const sigma32 = utf8ToBytes('expand 32-byte k'); -const sigma16_32 = u32(sigma16); -const sigma32_32 = u32(sigma32); -export function rotl(a, b) { - return (a << b) | (a >>> (32 - b)); -} -// Is byte array aligned to 4 byte offset (u32)? -function isAligned32(b) { - return b.byteOffset % 4 === 0; -} -// Salsa and Chacha block length is always 512-bit -const BLOCK_LEN = 64; -const BLOCK_LEN32 = 16; -// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ] -// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ] -const MAX_COUNTER = 2 ** 32 - 1; -const U32_EMPTY = new Uint32Array(); -function runCipher(core, sigma, key, nonce, data, output, counter, rounds) { - const len = data.length; - const block = new Uint8Array(BLOCK_LEN); - const b32 = u32(block); - // Make sure that buffers aligned to 4 bytes - const isAligned = isAligned32(data) && isAligned32(output); - const d32 = isAligned ? u32(data) : U32_EMPTY; - const o32 = isAligned ? u32(output) : U32_EMPTY; - for (let pos = 0; pos < len; counter++) { - core(sigma, key, nonce, b32, counter, rounds); - if (counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - const take = Math.min(BLOCK_LEN, len - pos); - // aligned to 4 bytes - if (isAligned && take === BLOCK_LEN) { - const pos32 = pos / 4; - if (pos % 4 !== 0) - throw new Error('arx: invalid block position'); - for (let j = 0, posj; j < BLOCK_LEN32; j++) { - posj = pos32 + j; - o32[posj] = d32[posj] ^ b32[j]; - } - pos += BLOCK_LEN; - continue; - } - for (let j = 0, posj; j < take; j++) { - posj = pos + j; - output[posj] = data[posj] ^ block[j]; - } - pos += take; - } -} -export function createCipher(core, opts) { - const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); - if (typeof core !== 'function') - throw new Error('core must be a function'); - anumber(counterLength); - anumber(rounds); - abool(counterRight); - abool(allowShortKeys); - return (key, nonce, data, output, counter = 0) => { - abytes(key); - abytes(nonce); - abytes(data); - const len = data.length; - if (!output) - output = new Uint8Array(len); - abytes(output); - anumber(counter); - if (counter < 0 || counter >= MAX_COUNTER) - throw new Error('arx: counter overflow'); - if (output.length < len) - throw new Error(`arx: output (${output.length}) is shorter than data (${len})`); - const toClean = []; - // Key & sigma - // key=16 -> sigma16, k=key|key - // key=32 -> sigma32, k=key - let l = key.length, k, sigma; - if (l === 32) { - k = key.slice(); - toClean.push(k); - sigma = sigma32_32; - } - else if (l === 16 && allowShortKeys) { - k = new Uint8Array(32); - k.set(key); - k.set(key, 16); - sigma = sigma16_32; - toClean.push(k); - } - else { - throw new Error(`arx: invalid 32-byte key, got length=${l}`); - } - // Nonce - // salsa20: 8 (8-byte counter) - // chacha20orig: 8 (8-byte counter) - // chacha20: 12 (4-byte counter) - // xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce) - // xchacha20: 24 (16 -> hchacha, 8 -> old nonce) - // Align nonce to 4 bytes - if (!isAligned32(nonce)) { - nonce = nonce.slice(); - toClean.push(nonce); - } - const k32 = u32(k); - // hsalsa & hchacha: handle extended nonce - if (extendNonceFn) { - if (nonce.length !== 24) - throw new Error(`arx: extended nonce must be 24 bytes`); - extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32); - nonce = nonce.subarray(16); - } - // Handle nonce counter - const nonceNcLen = 16 - counterLength; - if (nonceNcLen !== nonce.length) - throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); - // Pad counter when nonce is 64 bit - if (nonceNcLen !== 12) { - const nc = new Uint8Array(12); - nc.set(nonce, counterRight ? 0 : 12 - nonce.length); - nonce = nc; - toClean.push(nonce); - } - const n32 = u32(nonce); - runCipher(core, sigma, k32, n32, data, output, counter, rounds); - while (toClean.length > 0) - toClean.pop().fill(0); - return output; - }; -} -//# sourceMappingURL=_arx.js.map \ No newline at end of file diff --git a/esm/_assert.js b/esm/_assert.js deleted file mode 100644 index 330fa25..0000000 --- a/esm/_assert.js +++ /dev/null @@ -1,41 +0,0 @@ -function number(n) { - if (!Number.isSafeInteger(n) || n < 0) - throw new Error(`positive integer expected, not ${n}`); -} -function bool(b) { - if (typeof b !== 'boolean') - throw new Error(`boolean expected, not ${b}`); -} -export function isBytes(a) { - return (a instanceof Uint8Array || - (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')); -} -function bytes(b, ...lengths) { - if (!isBytes(b)) - throw new Error('Uint8Array expected'); - if (lengths.length > 0 && !lengths.includes(b.length)) - throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); -} -function hash(hash) { - if (typeof hash !== 'function' || typeof hash.create !== 'function') - throw new Error('hash must be wrapped by utils.wrapConstructor'); - number(hash.outputLen); - number(hash.blockLen); -} -function exists(instance, checkFinished = true) { - if (instance.destroyed) - throw new Error('Hash instance has been destroyed'); - if (checkFinished && instance.finished) - throw new Error('Hash#digest() has already been called'); -} -function output(out, instance) { - bytes(out); - const min = instance.outputLen; - if (out.length < min) { - throw new Error(`digestInto() expects output buffer of length at least ${min}`); - } -} -export { number, bool, bytes, hash, exists, output }; -const assert = { number, bool, bytes, hash, exists, output }; -export default assert; -//# sourceMappingURL=_assert.js.map \ No newline at end of file diff --git a/esm/_micro.js b/esm/_micro.js deleted file mode 100644 index fae5252..0000000 --- a/esm/_micro.js +++ /dev/null @@ -1,287 +0,0 @@ -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -// prettier-ignore -import { createView, setBigUint64, wrapCipher, bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE, } from './utils.js'; -import { createCipher, rotl } from './_arx.js'; -import { bytes as abytes } from './_assert.js'; -/* -noble-ciphers-micro: more auditable, but slower version of salsa20, chacha & poly1305. -Implements the same algorithms that are present in other files, but without -unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling). -*/ -function bytesToNumberLE(bytes) { - return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse())); -} -function numberToBytesLE(n, len) { - return numberToBytesBE(n, len).reverse(); -} -function salsaQR(x, a, b, c, d) { - x[b] ^= rotl((x[a] + x[d]) | 0, 7); - x[c] ^= rotl((x[b] + x[a]) | 0, 9); - x[d] ^= rotl((x[c] + x[b]) | 0, 13); - x[a] ^= rotl((x[d] + x[c]) | 0, 18); -} -// prettier-ignore -function chachaQR(x, a, b, c, d) { - x[a] = (x[a] + x[b]) | 0; - x[d] = rotl(x[d] ^ x[a], 16); - x[c] = (x[c] + x[d]) | 0; - x[b] = rotl(x[b] ^ x[c], 12); - x[a] = (x[a] + x[b]) | 0; - x[d] = rotl(x[d] ^ x[a], 8); - x[c] = (x[c] + x[d]) | 0; - x[b] = rotl(x[b] ^ x[c], 7); -} -function salsaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - salsaQR(x, 0, 4, 8, 12); - salsaQR(x, 5, 9, 13, 1); - salsaQR(x, 10, 14, 2, 6); - salsaQR(x, 15, 3, 7, 11); - salsaQR(x, 0, 1, 2, 3); - salsaQR(x, 5, 6, 7, 4); - salsaQR(x, 10, 11, 8, 9); - salsaQR(x, 15, 12, 13, 14); - } -} -function chachaRound(x, rounds = 20) { - for (let r = 0; r < rounds; r += 2) { - chachaQR(x, 0, 4, 8, 12); - chachaQR(x, 1, 5, 9, 13); - chachaQR(x, 2, 6, 10, 14); - chachaQR(x, 3, 7, 11, 15); - chachaQR(x, 0, 5, 10, 15); - chachaQR(x, 1, 6, 11, 12); - chachaQR(x, 2, 7, 8, 13); - chachaQR(x, 3, 4, 9, 14); - } -} -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], k[0], k[1], k[2], // "expa" Key Key Key - k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce - cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key - k[5], k[6], k[7], s[3], // Key Key Key "te k" - ]); - const x = y.slice(); - salsaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -export function hsalsa(s, k, i, o32) { - const x = new Uint32Array([ - s[0], k[0], k[1], k[2], - k[3], s[1], i[0], i[1], - i[2], i[3], s[2], k[4], - k[5], k[6], k[7], s[3] - ]); - salsaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[5]; - o32[oi++] = x[10]; - o32[oi++] = x[15]; - o32[oi++] = x[6]; - o32[oi++] = x[7]; - o32[oi++] = x[8]; - o32[oi++] = x[9]; -} -function chachaCore(s, k, n, out, cnt, rounds = 20) { - // prettier-ignore - const y = new Uint32Array([ - s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k" - k[0], k[1], k[2], k[3], // Key Key Key Key - k[4], k[5], k[6], k[7], // Key Key Key Key - cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce - ]); - const x = y.slice(); - chachaRound(x, rounds); - for (let i = 0; i < 16; i++) - out[i] = (y[i] + x[i]) | 0; -} -// prettier-ignore -export function hchacha(s, k, i, o32) { - const x = new Uint32Array([ - s[0], s[1], s[2], s[3], - k[0], k[1], k[2], k[3], - k[4], k[5], k[6], k[7], - i[0], i[1], i[2], i[3], - ]); - chachaRound(x, 20); - let oi = 0; - o32[oi++] = x[0]; - o32[oi++] = x[1]; - o32[oi++] = x[2]; - o32[oi++] = x[3]; - o32[oi++] = x[12]; - o32[oi++] = x[13]; - o32[oi++] = x[14]; - o32[oi++] = x[15]; -} -/** - * salsa20, 12-byte nonce. - */ -export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20, 24-byte nonce. - */ -export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. - */ -export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { - allowShortKeys: true, - counterRight: false, - counterLength: 8, -}); -/** - * chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. - */ -export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, -}); -/** - * xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, -}); -/** - * 8-round chacha from the original paper. - */ -export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * 12-round chacha from the original paper. - */ -export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); -const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1); -const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff'); -const _0 = BigInt(0); -const _1 = BigInt(1); -// Can be speed-up using BigUint64Array, but would be more complicated -export function poly1305(msg, key) { - abytes(msg); - abytes(key); - let acc = _0; - const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R; - const s = bytesToNumberLE(key.subarray(16)); - // Process by 16 byte chunks - for (let i = 0; i < msg.length; i += 16) { - const m = msg.subarray(i, i + 16); - const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length)); - acc = ((acc + n) * r) % POW_2_130_5; - } - const res = (acc + s) & POW_2_128_1; - return numberToBytesLE(res, 16); -} -function computeTag(fn, key, nonce, ciphertext, AAD) { - const res = []; - if (AAD) { - res.push(AAD); - const leftover = AAD.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - } - res.push(ciphertext); - const leftover = ciphertext.length % 16; - if (leftover > 0) - res.push(new Uint8Array(16 - leftover)); - // Lengths - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - res.push(num); - const authKey = fn(key, nonce, new Uint8Array(32)); - return poly1305(concatBytes(...res), authKey); -} -/** - * xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. - */ -export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsa20poly1305(key, nonce) { - abytes(key); - abytes(nonce); - return { - encrypt: (plaintext) => { - abytes(plaintext); - const m = concatBytes(new Uint8Array(32), plaintext); - const c = xsalsa20(key, nonce, m); - const authKey = c.subarray(0, 32); - const data = c.subarray(32); - const tag = poly1305(data, authKey); - return concatBytes(tag, data); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < 16) - throw new Error('encrypted data must be at least 16 bytes'); - const c = concatBytes(new Uint8Array(16), ciphertext); - const authKey = xsalsa20(key, nonce, new Uint8Array(32)); - const tag = poly1305(c.subarray(32), authKey); - if (!equalBytes(c.subarray(16, 32), tag)) - throw new Error('invalid poly1305 tag'); - return xsalsa20(key, nonce, c).subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20-poly1305 - */ -export function secretbox(key, nonce) { - const xs = xsalsa20poly1305(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -export const _poly1305_aead = (fn) => (key, nonce, AAD) => { - const tagLength = 16; - const keyLength = 32; - abytes(key, keyLength); - abytes(nonce); - return { - encrypt: (plaintext) => { - abytes(plaintext); - const res = fn(key, nonce, plaintext, undefined, 1); - const tag = computeTag(fn, key, nonce, res, AAD); - return concatBytes(res, tag); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - const passedTag = ciphertext.subarray(-tagLength); - const data = ciphertext.subarray(0, -tagLength); - const tag = computeTag(fn, key, nonce, data, AAD); - if (!equalBytes(passedTag, tag)) - throw new Error('invalid poly1305 tag'); - return fn(key, nonce, data, undefined, 1); - }, - }; -}; -/** - * chacha20-poly1305 12-byte-nonce chacha. - */ -export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); -/** - * xchacha20-poly1305 eXtended-nonce (24 bytes) chacha. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); -//# sourceMappingURL=_micro.js.map \ No newline at end of file diff --git a/esm/_poly1305.js b/esm/_poly1305.js deleted file mode 100644 index 883c3a5..0000000 --- a/esm/_poly1305.js +++ /dev/null @@ -1,264 +0,0 @@ -import { exists as aexists, bytes as abytes, output as aoutput } from './_assert.js'; -import { toBytes } from './utils.js'; -// Poly1305 is a fast and parallel secret-key message-authentication code. -// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf -// https://datatracker.ietf.org/doc/html/rfc8439 -// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna -const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8); -class Poly1305 { - constructor(key) { - this.blockLen = 16; - this.outputLen = 16; - this.buffer = new Uint8Array(16); - this.r = new Uint16Array(10); - this.h = new Uint16Array(10); - this.pad = new Uint16Array(8); - this.pos = 0; - this.finished = false; - key = toBytes(key); - abytes(key, 32); - const t0 = u8to16(key, 0); - const t1 = u8to16(key, 2); - const t2 = u8to16(key, 4); - const t3 = u8to16(key, 6); - const t4 = u8to16(key, 8); - const t5 = u8to16(key, 10); - const t6 = u8to16(key, 12); - const t7 = u8to16(key, 14); - // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47 - this.r[0] = t0 & 0x1fff; - this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff; - this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03; - this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff; - this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff; - this.r[5] = (t4 >>> 1) & 0x1ffe; - this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff; - this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81; - this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff; - this.r[9] = (t7 >>> 5) & 0x007f; - for (let i = 0; i < 8; i++) - this.pad[i] = u8to16(key, 16 + 2 * i); - } - process(data, offset, isLast = false) { - const hibit = isLast ? 0 : 1 << 11; - const { h, r } = this; - const r0 = r[0]; - const r1 = r[1]; - const r2 = r[2]; - const r3 = r[3]; - const r4 = r[4]; - const r5 = r[5]; - const r6 = r[6]; - const r7 = r[7]; - const r8 = r[8]; - const r9 = r[9]; - const t0 = u8to16(data, offset + 0); - const t1 = u8to16(data, offset + 2); - const t2 = u8to16(data, offset + 4); - const t3 = u8to16(data, offset + 6); - const t4 = u8to16(data, offset + 8); - const t5 = u8to16(data, offset + 10); - const t6 = u8to16(data, offset + 12); - const t7 = u8to16(data, offset + 14); - let h0 = h[0] + (t0 & 0x1fff); - let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff); - let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff); - let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff); - let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff); - let h5 = h[5] + ((t4 >>> 1) & 0x1fff); - let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff); - let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff); - let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff); - let h9 = h[9] + ((t7 >>> 5) | hibit); - let c = 0; - let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); - c = d0 >>> 13; - d0 &= 0x1fff; - d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); - c += d0 >>> 13; - d0 &= 0x1fff; - let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); - c = d1 >>> 13; - d1 &= 0x1fff; - d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); - c += d1 >>> 13; - d1 &= 0x1fff; - let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); - c = d2 >>> 13; - d2 &= 0x1fff; - d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); - c += d2 >>> 13; - d2 &= 0x1fff; - let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); - c = d3 >>> 13; - d3 &= 0x1fff; - d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); - c += d3 >>> 13; - d3 &= 0x1fff; - let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; - c = d4 >>> 13; - d4 &= 0x1fff; - d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); - c += d4 >>> 13; - d4 &= 0x1fff; - let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; - c = d5 >>> 13; - d5 &= 0x1fff; - d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); - c += d5 >>> 13; - d5 &= 0x1fff; - let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; - c = d6 >>> 13; - d6 &= 0x1fff; - d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); - c += d6 >>> 13; - d6 &= 0x1fff; - let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; - c = d7 >>> 13; - d7 &= 0x1fff; - d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); - c += d7 >>> 13; - d7 &= 0x1fff; - let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; - c = d8 >>> 13; - d8 &= 0x1fff; - d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); - c += d8 >>> 13; - d8 &= 0x1fff; - let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; - c = d9 >>> 13; - d9 &= 0x1fff; - d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; - c += d9 >>> 13; - d9 &= 0x1fff; - c = ((c << 2) + c) | 0; - c = (c + d0) | 0; - d0 = c & 0x1fff; - c = c >>> 13; - d1 += c; - h[0] = d0; - h[1] = d1; - h[2] = d2; - h[3] = d3; - h[4] = d4; - h[5] = d5; - h[6] = d6; - h[7] = d7; - h[8] = d8; - h[9] = d9; - } - finalize() { - const { h, pad } = this; - const g = new Uint16Array(10); - let c = h[1] >>> 13; - h[1] &= 0x1fff; - for (let i = 2; i < 10; i++) { - h[i] += c; - c = h[i] >>> 13; - h[i] &= 0x1fff; - } - h[0] += c * 5; - c = h[0] >>> 13; - h[0] &= 0x1fff; - h[1] += c; - c = h[1] >>> 13; - h[1] &= 0x1fff; - h[2] += c; - g[0] = h[0] + 5; - c = g[0] >>> 13; - g[0] &= 0x1fff; - for (let i = 1; i < 10; i++) { - g[i] = h[i] + c; - c = g[i] >>> 13; - g[i] &= 0x1fff; - } - g[9] -= 1 << 13; - let mask = (c ^ 1) - 1; - for (let i = 0; i < 10; i++) - g[i] &= mask; - mask = ~mask; - for (let i = 0; i < 10; i++) - h[i] = (h[i] & mask) | g[i]; - h[0] = (h[0] | (h[1] << 13)) & 0xffff; - h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff; - h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff; - h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff; - h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff; - h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff; - h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff; - h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff; - let f = h[0] + pad[0]; - h[0] = f & 0xffff; - for (let i = 1; i < 8; i++) { - f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0; - h[i] = f & 0xffff; - } - } - update(data) { - aexists(this); - const { buffer, blockLen } = this; - data = toBytes(data); - const len = data.length; - for (let pos = 0; pos < len;) { - const take = Math.min(blockLen - this.pos, len - pos); - // Fast path: we have at least one block in input - if (take === blockLen) { - for (; blockLen <= len - pos; pos += blockLen) - this.process(data, pos); - continue; - } - buffer.set(data.subarray(pos, pos + take), this.pos); - this.pos += take; - pos += take; - if (this.pos === blockLen) { - this.process(buffer, 0, false); - this.pos = 0; - } - } - return this; - } - destroy() { - this.h.fill(0); - this.r.fill(0); - this.buffer.fill(0); - this.pad.fill(0); - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - const { buffer, h } = this; - let { pos } = this; - if (pos) { - buffer[pos++] = 1; - // buffer.subarray(pos).fill(0); - for (; pos < 16; pos++) - buffer[pos] = 0; - this.process(buffer, 0, true); - } - this.finalize(); - let opos = 0; - for (let i = 0; i < 8; i++) { - out[opos++] = h[i] >>> 0; - out[opos++] = h[i] >>> 8; - } - return out; - } - digest() { - const { buffer, outputLen } = this; - this.digestInto(buffer); - const res = buffer.slice(0, outputLen); - this.destroy(); - return res; - } -} -export function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); - const tmp = hashCons(new Uint8Array(32)); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key) => hashCons(key); - return hashC; -} -export const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); -//# sourceMappingURL=_poly1305.js.map \ No newline at end of file diff --git a/esm/_polyval.js b/esm/_polyval.js deleted file mode 100644 index 4c64930..0000000 --- a/esm/_polyval.js +++ /dev/null @@ -1,217 +0,0 @@ -import { createView, toBytes, u32 } from './utils.js'; -import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js'; -// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV. -// Implemented in terms of GHash with conversion function for keys -// GCM GHASH from NIST SP800-38d, SIV from RFC 8452. -// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf -// GHASH modulo: x^128 + x^7 + x^2 + x + 1 -// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1 -const BLOCK_SIZE = 16; -// TODO: rewrite -// temporary padding buffer -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -const ZEROS32 = u32(ZEROS16); -const POLY = 0xe1; // v = 2*v % POLY -// v = 2*v % POLY -// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x -// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor) -const mul2 = (s0, s1, s2, s3) => { - const hiBit = s3 & 1; - return { - s3: (s2 << 31) | (s3 >>> 1), - s2: (s1 << 31) | (s2 >>> 1), - s1: (s0 << 31) | (s1 >>> 1), - s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly - }; -}; -const swapLE = (n) => (((n >>> 0) & 0xff) << 24) | - (((n >>> 8) & 0xff) << 16) | - (((n >>> 16) & 0xff) << 8) | - ((n >>> 24) & 0xff) | - 0; -/** - * `mulX_POLYVAL(ByteReverse(H))` from spec - * @param k mutated in place - */ -export function _toGHASHKey(k) { - k.reverse(); - const hiBit = k[15] & 1; - // k >>= 1 - let carry = 0; - for (let i = 0; i < k.length; i++) { - const t = k[i]; - k[i] = (t >>> 1) | carry; - carry = (t & 1) << 7; - } - k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000; - return k; -} -const estimateWindow = (bytes) => { - if (bytes > 64 * 1024) - return 8; - if (bytes > 1024) - return 4; - return 2; -}; -class GHASH { - // We select bits per window adaptively based on expectedLength - constructor(key, expectedLength) { - this.blockLen = BLOCK_SIZE; - this.outputLen = BLOCK_SIZE; - this.s0 = 0; - this.s1 = 0; - this.s2 = 0; - this.s3 = 0; - this.finished = false; - key = toBytes(key); - abytes(key, 16); - const kView = createView(key); - let k0 = kView.getUint32(0, false); - let k1 = kView.getUint32(4, false); - let k2 = kView.getUint32(8, false); - let k3 = kView.getUint32(12, false); - // generate table of doubled keys (half of montgomery ladder) - const doubles = []; - for (let i = 0; i < 128; i++) { - doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) }); - ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3)); - } - const W = estimateWindow(expectedLength || 1024); - if (![1, 2, 4, 8].includes(W)) - throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`); - this.W = W; - const bits = 128; // always 128 bits; - const windows = bits / W; - const windowSize = (this.windowSize = 2 ** W); - const items = []; - // Create precompute table for window of W bits - for (let w = 0; w < windows; w++) { - // truth table: 00, 01, 10, 11 - for (let byte = 0; byte < windowSize; byte++) { - // prettier-ignore - let s0 = 0, s1 = 0, s2 = 0, s3 = 0; - for (let j = 0; j < W; j++) { - const bit = (byte >>> (W - j - 1)) & 1; - if (!bit) - continue; - const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j]; - (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3); - } - items.push({ s0, s1, s2, s3 }); - } - } - this.t = items; - } - _updateBlock(s0, s1, s2, s3) { - (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3); - const { W, t, windowSize } = this; - // prettier-ignore - let o0 = 0, o1 = 0, o2 = 0, o3 = 0; - const mask = (1 << W) - 1; // 2**W will kill performance. - let w = 0; - for (const num of [s0, s1, s2, s3]) { - for (let bytePos = 0; bytePos < 4; bytePos++) { - const byte = (num >>> (8 * bytePos)) & 0xff; - for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) { - const bit = (byte >>> (W * bitPos)) & mask; - const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit]; - (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3); - w += 1; - } - } - } - this.s0 = o0; - this.s1 = o1; - this.s2 = o2; - this.s3 = o3; - } - update(data) { - data = toBytes(data); - aexists(this); - const b32 = u32(data); - const blocks = Math.floor(data.length / BLOCK_SIZE); - const left = data.length % BLOCK_SIZE; - for (let i = 0; i < blocks; i++) { - this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - destroy() { - const { t } = this; - // clean precompute table - for (const elm of t) { - (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0); - } - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - const { s0, s1, s2, s3 } = this; - const o32 = u32(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out; - } - digest() { - const res = new Uint8Array(BLOCK_SIZE); - this.digestInto(res); - this.destroy(); - return res; - } -} -class Polyval extends GHASH { - constructor(key, expectedLength) { - key = toBytes(key); - const ghKey = _toGHASHKey(key.slice()); - super(ghKey, expectedLength); - ghKey.fill(0); - } - update(data) { - data = toBytes(data); - aexists(this); - const b32 = u32(data); - const left = data.length % BLOCK_SIZE; - const blocks = Math.floor(data.length / BLOCK_SIZE); - for (let i = 0; i < blocks; i++) { - this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0])); - } - if (left) { - ZEROS16.set(data.subarray(blocks * BLOCK_SIZE)); - this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0])); - ZEROS32.fill(0); // clean tmp buffer - } - return this; - } - digestInto(out) { - aexists(this); - aoutput(out, this); - this.finished = true; - // tmp ugly hack - const { s0, s1, s2, s3 } = this; - const o32 = u32(out); - o32[0] = s0; - o32[1] = s1; - o32[2] = s2; - o32[3] = s3; - return out.reverse(); - } -} -function wrapConstructorWithKey(hashCons) { - const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest(); - const tmp = hashCons(new Uint8Array(16), 0); - hashC.outputLen = tmp.outputLen; - hashC.blockLen = tmp.blockLen; - hashC.create = (key, expectedLength) => hashCons(key, expectedLength); - return hashC; -} -export const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength)); -export const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength)); -//# sourceMappingURL=_polyval.js.map \ No newline at end of file diff --git a/esm/aes.js b/esm/aes.js deleted file mode 100644 index a26e498..0000000 --- a/esm/aes.js +++ /dev/null @@ -1,628 +0,0 @@ -// prettier-ignore -import { wrapCipher, createView, setBigUint64, equalBytes, u32, u8, } from './utils.js'; -import { ghash, polyval } from './_polyval.js'; -import { bytes as abytes } from './_assert.js'; -/* -AES (Advanced Encryption Standard) aka Rijndael block cipher. - -Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round: -1. **S-box**, table substitution -2. **Shift rows**, cyclic shift left of all rows of data array -3. **Mix columns**, multiplying every column by fixed polynomial -4. **Add round key**, round_key xor i-th column of array - -Resources: -- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf -- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf -*/ -const BLOCK_SIZE = 16; -const BLOCK_SIZE32 = 4; -const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE); -const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8 -// TODO: remove multiplication, binary ops only -function mul2(n) { - return (n << 1) ^ (POLY & -(n >> 7)); -} -function mul(a, b) { - let res = 0; - for (; b > 0; b >>= 1) { - // Montgomery ladder - res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time). - a = mul2(a); // a = 2*a - } - return res; -} -// AES S-box is generated using finite field inversion, -// an affine transform, and xor of a constant 0x63. -const sbox = /* @__PURE__ */ (() => { - let t = new Uint8Array(256); - for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x)) - t[i] = x; - const box = new Uint8Array(256); - box[0] = 0x63; // first elm - for (let i = 0; i < 255; i++) { - let x = t[255 - i]; - x |= x << 8; - box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff; - } - return box; -})(); -// Inverted S-box -const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j)); -// Rotate u32 by 8 -const rotr32_8 = (n) => (n << 24) | (n >>> 8); -const rotl32_8 = (n) => (n << 8) | (n >>> 24); -// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes: -// - LE instead of BE -// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23; -// so index is u16, instead of u8. This speeds up things, unexpectedly -function genTtable(sbox, fn) { - if (sbox.length !== 256) - throw new Error('Wrong sbox length'); - const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j])); - const T1 = T0.map(rotl32_8); - const T2 = T1.map(rotl32_8); - const T3 = T2.map(rotl32_8); - const T01 = new Uint32Array(256 * 256); - const T23 = new Uint32Array(256 * 256); - const sbox2 = new Uint16Array(256 * 256); - for (let i = 0; i < 256; i++) { - for (let j = 0; j < 256; j++) { - const idx = i * 256 + j; - T01[idx] = T0[i] ^ T1[j]; - T23[idx] = T2[i] ^ T3[j]; - sbox2[idx] = (sbox[i] << 8) | sbox[j]; - } - } - return { sbox, sbox2, T0, T1, T2, T3, T01, T23 }; -} -const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2)); -const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14)); -const xPowers = /* @__PURE__ */ (() => { - const p = new Uint8Array(16); - for (let i = 0, x = 1; i < 16; i++, x = mul2(x)) - p[i] = x; - return p; -})(); -export function expandKeyLE(key) { - abytes(key); - const len = key.length; - if (![16, 24, 32].includes(len)) - throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`); - const { sbox2 } = tableEncoding; - const k32 = u32(key); - const Nk = k32.length; - const subByte = (n) => applySbox(sbox2, n, n, n, n); - const xk = new Uint32Array(len + 28); // expanded key - xk.set(k32); - // 4.3.1 Key expansion - for (let i = Nk; i < xk.length; i++) { - let t = xk[i - 1]; - if (i % Nk === 0) - t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1]; - else if (Nk > 6 && i % Nk === 4) - t = subByte(t); - xk[i] = xk[i - Nk] ^ t; - } - return xk; -} -export function expandKeyDecLE(key) { - const encKey = expandKeyLE(key); - const xk = encKey.slice(); - const Nk = encKey.length; - const { sbox2 } = tableEncoding; - const { T0, T1, T2, T3 } = tableDecoding; - // Inverse key by chunks of 4 (rounds) - for (let i = 0; i < Nk; i += 4) { - for (let j = 0; j < 4; j++) - xk[i + j] = encKey[Nk - i - 4 + j]; - } - encKey.fill(0); - // apply InvMixColumn except first & last round - for (let i = 4; i < Nk - 4; i++) { - const x = xk[i]; - const w = applySbox(sbox2, x, x, x, x); - xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24]; - } - return xk; -} -// Apply tables -function apply0123(T01, T23, s0, s1, s2, s3) { - return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^ - T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]); -} -function applySbox(sbox2, s0, s1, s2, s3) { - return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] | - (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16)); -} -function encrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableEncoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // last round (without mixcolumns, so using SBOX2 table) - const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function decrypt(xk, s0, s1, s2, s3) { - const { sbox2, T01, T23 } = tableDecoding; - let k = 0; - (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]); - const rounds = xk.length / 4 - 2; - for (let i = 0; i < rounds; i++) { - const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1); - const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2); - const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3); - const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0); - (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3); - } - // Last round - const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1); - const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2); - const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3); - const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0); - return { s0: t0, s1: t1, s2: t2, s3: t3 }; -} -function getDst(len, dst) { - if (!dst) - return new Uint8Array(len); - abytes(dst); - if (dst.length < len) - throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`); - return dst; -} -// TODO: investigate merging with ctr32 -function ctrCounter(xk, nonce, src, dst) { - abytes(nonce, BLOCK_SIZE); - abytes(src); - const srcLen = src.length; - dst = getDst(srcLen, dst); - const ctr = nonce; - const c32 = u32(ctr); - // Fill block (empty, ctr=0) - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - const src32 = u32(src); - const dst32 = u32(dst); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - // Full 128 bit counter with wrap around - let carry = 1; - for (let i = ctr.length - 1; i >= 0; i--) { - carry = (carry + (ctr[i] & 0xff)) | 0; - ctr[i] = carry & 0xff; - carry >>>= 8; - } - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than block) - // It's possible to handle > u32 fast, but is it worth it? - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = u8(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -// AES CTR with overflowing 32 bit counter -// It's possible to do 32le significantly simpler (and probably faster) by using u32. -// But, we need both, and perf bottleneck is in ghash anyway. -function ctr32(xk, isLE, nonce, src, dst) { - abytes(nonce, BLOCK_SIZE); - abytes(src); - dst = getDst(src.length, dst); - const ctr = nonce; // write new value to nonce, so it can be re-used - const c32 = u32(ctr); - const view = createView(ctr); - const src32 = u32(src); - const dst32 = u32(dst); - const ctrPos = isLE ? 0 : 12; - const srcLen = src.length; - // Fill block (empty, ctr=0) - let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value - let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]); - // process blocks - for (let i = 0; i + 4 <= src32.length; i += 4) { - dst32[i + 0] = src32[i + 0] ^ s0; - dst32[i + 1] = src32[i + 1] ^ s1; - dst32[i + 2] = src32[i + 2] ^ s2; - dst32[i + 3] = src32[i + 3] ^ s3; - ctrNum = (ctrNum + 1) >>> 0; // u32 wrap - view.setUint32(ctrPos, ctrNum, isLE); - ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3])); - } - // leftovers (less than a block) - const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32); - if (start < srcLen) { - const b32 = new Uint32Array([s0, s1, s2, s3]); - const buf = u8(b32); - for (let i = start, pos = 0; i < srcLen; i++, pos++) - dst[i] = src[i] ^ buf[pos]; - } - return dst; -} -/** - * CTR: counter mode. Creates stream cipher. - * Requires good IV. Parallelizable. OK, but no MAC. - */ -export const ctr = wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) { - abytes(key); - abytes(nonce, BLOCK_SIZE); - function processCtr(buf, dst) { - const xk = expandKeyLE(key); - const n = nonce.slice(); - const out = ctrCounter(xk, n, buf, dst); - xk.fill(0); - n.fill(0); - return out; - } - return { - encrypt: (plaintext, dst) => processCtr(plaintext, dst), - decrypt: (ciphertext, dst) => processCtr(ciphertext, dst), - }; -}); -function validateBlockDecrypt(data) { - abytes(data); - if (data.length % BLOCK_SIZE !== 0) { - throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`); - } -} -function validateBlockEncrypt(plaintext, pcks5, dst) { - let outLen = plaintext.length; - const remaining = outLen % BLOCK_SIZE; - if (!pcks5 && remaining !== 0) - throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding'); - const b = u32(plaintext); - if (pcks5) { - let left = BLOCK_SIZE - remaining; - if (!left) - left = BLOCK_SIZE; // if no bytes left, create empty padding block - outLen = outLen + left; - } - const out = getDst(outLen, dst); - const o = u32(out); - return { b, o, out }; -} -function validatePCKS(data, pcks5) { - if (!pcks5) - return data; - const len = data.length; - if (!len) - throw new Error(`aes/pcks5: empty ciphertext not allowed`); - const lastByte = data[len - 1]; - if (lastByte <= 0 || lastByte > 16) - throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`); - const out = data.subarray(0, -lastByte); - for (let i = 0; i < lastByte; i++) - if (data[len - i - 1] !== lastByte) - throw new Error(`aes/pcks5: wrong padding`); - return out; -} -function padPCKS(left) { - const tmp = new Uint8Array(16); - const tmp32 = u32(tmp); - tmp.set(left); - const paddingByte = BLOCK_SIZE - left.length; - for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++) - tmp[i] = paddingByte; - return tmp32; -} -/** - * ECB: Electronic CodeBook. Simple deterministic replacement. - * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/). - */ -export const ecb = wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) { - abytes(key); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - abytes(plaintext); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const xk = expandKeyLE(key); - let i = 0; - for (; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const out = getDst(ciphertext.length, dst); - const b = u32(ciphertext); - const o = u32(out); - for (let i = 0; i + 4 <= b.length;) { - const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -/** - * CBC: Cipher-Block-Chaining. Key is previous round’s block. - * Fragile: needs proper padding. Unauthenticated: needs MAC. - */ -export const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) { - abytes(key); - abytes(iv, 16); - const pcks5 = !opts.disablePadding; - return { - encrypt: (plaintext, dst) => { - const xk = expandKeyLE(key); - const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst); - const n32 = u32(iv); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - let i = 0; - for (; i + 4 <= b.length;) { - (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - if (pcks5) { - const tmp32 = padPCKS(plaintext.subarray(i * 4)); - (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]); - ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3)); - (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3); - } - xk.fill(0); - return _out; - }, - decrypt: (ciphertext, dst) => { - validateBlockDecrypt(ciphertext); - const xk = expandKeyDecLE(key); - const n32 = u32(iv); - const out = getDst(ciphertext.length, dst); - const b = u32(ciphertext); - const o = u32(out); - // prettier-ignore - let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3]; - for (let i = 0; i + 4 <= b.length;) { - // prettier-ignore - const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3; - (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]); - const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3); - (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3); - } - xk.fill(0); - return validatePCKS(out, pcks5); - }, - }; -}); -// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen -function computeTag(fn, isLE, key, data, AAD) { - const h = fn.create(key, data.length + (AAD?.length || 0)); - if (AAD) - h.update(AAD); - h.update(data); - const num = new Uint8Array(16); - const view = createView(num); - if (AAD) - setBigUint64(view, 0, BigInt(AAD.length * 8), isLE); - setBigUint64(view, 8, BigInt(data.length * 8), isLE); - h.update(num); - return h.digest(); -} -/** - * GCM: Galois/Counter Mode. - * Good, modern version of CTR, parallel, with MAC. - * Be careful: MACs can be forged. - */ -export const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) { - abytes(nonce); - // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure. - if (nonce.length === 0) - throw new Error('aes/gcm: empty nonce'); - const tagLength = 16; - function _computeTag(authKey, tagMask, data) { - const tag = computeTag(ghash, false, authKey, data, AAD); - for (let i = 0; i < tagMask.length; i++) - tag[i] ^= tagMask[i]; - return tag; - } - function deriveKeys() { - const xk = expandKeyLE(key); - const authKey = EMPTY_BLOCK.slice(); - const counter = EMPTY_BLOCK.slice(); - ctr32(xk, false, counter, counter, authKey); - if (nonce.length === 12) { - counter.set(nonce); - } - else { - // Spec (NIST 800-38d) supports variable size nonce. - // Not supported for now, but can be useful. - const nonceLen = EMPTY_BLOCK.slice(); - const view = createView(nonceLen); - setBigUint64(view, 8, BigInt(nonce.length * 8), false); - // ghash(nonce || u64be(0) || u64be(nonceLen*8)) - ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter); - } - const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK); - return { xk, authKey, counter, tagMask }; - } - return { - encrypt: (plaintext) => { - abytes(plaintext); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const out = new Uint8Array(plaintext.length + tagLength); - ctr32(xk, false, counter, plaintext, out); - const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength)); - out.set(tag, plaintext.length); - xk.fill(0); - return out; - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - if (ciphertext.length < tagLength) - throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`); - const { xk, authKey, counter, tagMask } = deriveKeys(); - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = _computeTag(authKey, tagMask, data); - if (!equalBytes(tag, passedTag)) - throw new Error('aes/gcm: invalid ghash tag'); - const out = ctr32(xk, false, counter, data); - authKey.fill(0); - tagMask.fill(0); - xk.fill(0); - return out; - }, - }; -}); -const limit = (name, min, max) => (value) => { - if (!Number.isSafeInteger(value) || min > value || value > max) - throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`); -}; -/** - * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance. - * Guarantees that, when a nonce is repeated, the only security loss is that identical - * plaintexts will produce identical ciphertexts. - * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452 - */ -export const siv = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) { - const tagLength = 16; - // From RFC 8452: Section 6 - const AAD_LIMIT = limit('AAD', 0, 2 ** 36); - const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36); - const NONCE_LIMIT = limit('nonce', 12, 12); - const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16); - abytes(nonce); - NONCE_LIMIT(nonce.length); - if (AAD) { - abytes(AAD); - AAD_LIMIT(AAD.length); - } - function deriveKeys() { - const len = key.length; - if (len !== 16 && len !== 24 && len !== 32) - throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`); - const xk = expandKeyLE(key); - const encKey = new Uint8Array(len); - const authKey = new Uint8Array(16); - const n32 = u32(nonce); - // prettier-ignore - let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2]; - let counter = 0; - for (const derivedKey of [authKey, encKey].map(u32)) { - const d32 = u32(derivedKey); - for (let i = 0; i < d32.length; i += 2) { - // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ... - const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3); - d32[i + 0] = o0; - d32[i + 1] = o1; - s0 = ++counter; // increment counter inside state - } - } - xk.fill(0); - return { authKey, encKey: expandKeyLE(encKey) }; - } - function _computeTag(encKey, authKey, data) { - const tag = computeTag(polyval, true, authKey, data, AAD); - // Compute the expected tag by XORing S_s and the nonce, clearing the - // most significant bit of the last byte and encrypting with the - // message-encryption key. - for (let i = 0; i < 12; i++) - tag[i] ^= nonce[i]; - tag[15] &= 0x7f; // Clear the highest bit - // encrypt tag as block - const t32 = u32(tag); - // prettier-ignore - let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3]; - ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3)); - (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3); - return tag; - } - // actual decrypt/encrypt of message. - function processSiv(encKey, tag, input) { - let block = tag.slice(); - block[15] |= 0x80; // Force highest bit - return ctr32(encKey, true, block, input); - } - return { - encrypt: (plaintext) => { - abytes(plaintext); - PLAIN_LIMIT(plaintext.length); - const { encKey, authKey } = deriveKeys(); - const tag = _computeTag(encKey, authKey, plaintext); - const out = new Uint8Array(plaintext.length + tagLength); - out.set(tag, plaintext.length); - out.set(processSiv(encKey, tag, plaintext)); - encKey.fill(0); - authKey.fill(0); - return out; - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - CIPHER_LIMIT(ciphertext.length); - const tag = ciphertext.subarray(-tagLength); - const { encKey, authKey } = deriveKeys(); - const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength)); - const expectedTag = _computeTag(encKey, authKey, plaintext); - encKey.fill(0); - authKey.fill(0); - if (!equalBytes(tag, expectedTag)) - throw new Error('invalid polyval tag'); - return plaintext; - }, - }; -}); -function isBytes32(a) { - return (a != null && - typeof a === 'object' && - (a instanceof Uint32Array || a.constructor.name === 'Uint32Array')); -} -function encryptBlock(xk, block) { - abytes(block, 16); - if (!isBytes32(xk)) - throw new Error('_encryptBlock accepts result of expandKeyLE'); - const b32 = u32(block); - let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -function decryptBlock(xk, block) { - abytes(block, 16); - if (!isBytes32(xk)) - throw new Error('_decryptBlock accepts result of expandKeyLE'); - const b32 = u32(block); - let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]); - (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3); - return block; -} -// Highly unsafe private functions for implementing new modes or ciphers based on AES -// Can change at any time, no API guarantees -export const unsafe = { - expandKeyLE, - expandKeyDecLE, - encrypt, - decrypt, - encryptBlock, - decryptBlock, - ctrCounter, - ctr32, -}; -//# sourceMappingURL=aes.js.map \ No newline at end of file diff --git a/esm/chacha.js b/esm/chacha.js deleted file mode 100644 index e23fcce..0000000 --- a/esm/chacha.js +++ /dev/null @@ -1,318 +0,0 @@ -// prettier-ignore -import { wrapCipher, createView, equalBytes, setBigUint64, } from './utils.js'; -import { poly1305 } from './_poly1305.js'; -import { createCipher, rotl } from './_arx.js'; -import { bytes as abytes } from './_assert.js'; -// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase -// the diffusion per round, but had slightly less cryptanalysis. -// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf -/** - * ChaCha core function. - */ -// prettier-ignore -function chachaCore(s, k, n, out, cnt, rounds = 20) { - let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k" - y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key - y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key - y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 7); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hchacha helper method, used primarily in xchacha, to hash - * key and nonce into key' and nonce'. - * Same as chachaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -export function hchacha(s, k, i, o32) { - let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; - for (let r = 0; r < 20; r += 2) { - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 16); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 12); - x00 = (x00 + x04) | 0; - x12 = rotl(x12 ^ x00, 8); - x08 = (x08 + x12) | 0; - x04 = rotl(x04 ^ x08, 7); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 16); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 12); - x01 = (x01 + x05) | 0; - x13 = rotl(x13 ^ x01, 8); - x09 = (x09 + x13) | 0; - x05 = rotl(x05 ^ x09, 7); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 16); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 12); - x02 = (x02 + x06) | 0; - x14 = rotl(x14 ^ x02, 8); - x10 = (x10 + x14) | 0; - x06 = rotl(x06 ^ x10, 7); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 16); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 12); - x03 = (x03 + x07) | 0; - x15 = rotl(x15 ^ x03, 8); - x11 = (x11 + x15) | 0; - x07 = rotl(x07 ^ x11, 7); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 16); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 12); - x00 = (x00 + x05) | 0; - x15 = rotl(x15 ^ x00, 8); - x10 = (x10 + x15) | 0; - x05 = rotl(x05 ^ x10, 7); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 16); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 12); - x01 = (x01 + x06) | 0; - x12 = rotl(x12 ^ x01, 8); - x11 = (x11 + x12) | 0; - x06 = rotl(x06 ^ x11, 7); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 16); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 12); - x02 = (x02 + x07) | 0; - x13 = rotl(x13 ^ x02, 8); - x08 = (x08 + x13) | 0; - x07 = rotl(x07 ^ x08, 7); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 16); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 12); - x03 = (x03 + x04) | 0; - x14 = rotl(x14 ^ x03, 8); - x09 = (x09 + x14) | 0; - x04 = rotl(x04 ^ x09, 7); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x01; - o32[oi++] = x02; - o32[oi++] = x03; - o32[oi++] = x12; - o32[oi++] = x13; - o32[oi++] = x14; - o32[oi++] = x15; -} -/** - * Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. - */ -export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - allowShortKeys: true, -}); -/** - * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - allowShortKeys: false, -}); -/** - * XChaCha eXtended-nonce ChaCha. 24-byte nonce. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - */ -export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 8, - extendNonceFn: hchacha, - allowShortKeys: false, -}); -/** - * Reduced 8-round chacha, described in original paper. - */ -export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 8, -}); -/** - * Reduced 12-round chacha, described in original paper. - */ -export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, { - counterRight: false, - counterLength: 4, - rounds: 12, -}); -const ZEROS16 = /* @__PURE__ */ new Uint8Array(16); -// Pad to digest size with zeros -const updatePadded = (h, msg) => { - h.update(msg); - const left = msg.length % 16; - if (left) - h.update(ZEROS16.subarray(left)); -}; -const ZEROS32 = /* @__PURE__ */ new Uint8Array(32); -function computeTag(fn, key, nonce, data, AAD) { - const authKey = fn(key, nonce, ZEROS32); - const h = poly1305.create(authKey); - if (AAD) - updatePadded(h, AAD); - updatePadded(h, data); - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(data.length), true); - h.update(num); - const res = h.digest(); - authKey.fill(0); - return res; -} -/** - * AEAD algorithm from RFC 8439. - * Salsa20 and chacha (RFC 8439) use poly1305 differently. - * We could have composed them similar to: - * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250 - * But it's hard because of authKey: - * In salsa20, authKey changes position in salsa stream. - * In chacha, authKey can't be computed inside computeTag, it modifies the counter. - */ -export const _poly1305_aead = (xorStream) => (key, nonce, AAD) => { - const tagLength = 16; - abytes(key, 32); - abytes(nonce); - return { - encrypt: (plaintext, output) => { - const plength = plaintext.length; - const clength = plength + tagLength; - if (output) { - abytes(output, clength); - } - else { - output = new Uint8Array(clength); - } - xorStream(key, nonce, plaintext, output, 1); - const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD); - output.set(tag, plength); // append tag - return output; - }, - decrypt: (ciphertext, output) => { - const clength = ciphertext.length; - const plength = clength - tagLength; - if (clength < tagLength) - throw new Error(`encrypted data must be at least ${tagLength} bytes`); - if (output) { - abytes(output, plength); - } - else { - output = new Uint8Array(plength); - } - const data = ciphertext.subarray(0, -tagLength); - const passedTag = ciphertext.subarray(-tagLength); - const tag = computeTag(xorStream, key, nonce, data, AAD); - if (!equalBytes(passedTag, tag)) - throw new Error('invalid tag'); - xorStream(key, nonce, data, output, 1); - return output; - }, - }; -}; -/** - * ChaCha20-Poly1305 from RFC 8439. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); -/** - * XChaCha20-Poly1305 extended-nonce chacha. - * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); -//# sourceMappingURL=chacha.js.map \ No newline at end of file diff --git a/esm/crypto.js b/esm/crypto.js deleted file mode 100644 index 63bf63e..0000000 --- a/esm/crypto.js +++ /dev/null @@ -1,12 +0,0 @@ -const cr = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; -export function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -export function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -//# sourceMappingURL=crypto.js.map \ No newline at end of file diff --git a/esm/cryptoNode.js b/esm/cryptoNode.js deleted file mode 100644 index 956ce1b..0000000 --- a/esm/cryptoNode.js +++ /dev/null @@ -1,17 +0,0 @@ -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// See utils.ts for details. -// The file will throw on node.js 14 and earlier. -// @ts-ignore -import * as nc from 'node:crypto'; -const cr = nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined; -export function randomBytes(bytesLength = 32) { - if (cr && typeof cr.getRandomValues === 'function') - return cr.getRandomValues(new Uint8Array(bytesLength)); - throw new Error('crypto.getRandomValues must be defined'); -} -export function getWebcryptoSubtle() { - if (cr && typeof cr.subtle === 'object' && cr.subtle != null) - return cr.subtle; - throw new Error('crypto.subtle must be defined'); -} -//# sourceMappingURL=cryptoNode.js.map \ No newline at end of file diff --git a/esm/ff1.js b/esm/ff1.js deleted file mode 100644 index 33907e1..0000000 --- a/esm/ff1.js +++ /dev/null @@ -1,149 +0,0 @@ -import { bytesToNumberBE, numberToBytesBE } from './utils.js'; -import { unsafe } from './aes.js'; -// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow -const { expandKeyLE, encryptBlock } = unsafe; -// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. -// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf -const BLOCK_LEN = 16; -function mod(a, b) { - const result = a % b; - return result >= 0 ? result : b + result; -} -function NUMradix(radix, data) { - let res = BigInt(0); - for (let i of data) - res = res * BigInt(radix) + BigInt(i); - return res; -} -function getRound(radix, key, tweak, x) { - if (radix > 2 ** 16 - 1) - throw new Error(`Invalid radix: ${radix}`); - // radix**minlen ≥ 100 - const minLen = Math.ceil(Math.log(100) / Math.log(radix)); - const maxLen = 2 ** 32 - 1; - // 2 ≤ minlen ≤ maxlen < 2**32 - if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) - throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); - if (x.length < minLen || x.length > maxLen) - throw new Error('X is outside minLen..maxLen bounds'); - const u = Math.floor(x.length / 2); - const v = x.length - u; - const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); - const d = 4 * Math.ceil(b / 4) + 4; - const padding = mod(-tweak.length - b - 1, 16); - // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. - const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); - const view = new DataView(P.buffer); - view.setUint16(4, radix, false); - view.setUint32(8, x.length, false); - view.setUint32(12, tweak.length, false); - // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. - const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); - PQ.set(P); - P.fill(0); - PQ.set(tweak, P.length); - const xk = expandKeyLE(key); - const round = (A, B, i, decrypt = false) => { - // Q = ... || [i]1 || [NUMradix(B)]b. - PQ[PQ.length - b - 1] = i; - if (b) - PQ.set(numberToBytesBE(NUMradix(radix, B), b), PQ.length - b); - // PRF - let r = new Uint8Array(16); - for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { - for (let i = 0; i < BLOCK_LEN; i++) - r[i] ^= PQ[j * BLOCK_LEN + i]; - encryptBlock(xk, r); - } - // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: - // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). - let s = Array.from(r); - for (let j = 1; s.length < d; j++) { - const block = numberToBytesBE(BigInt(j), 16); - for (let k = 0; k < BLOCK_LEN; k++) - block[k] ^= r[k]; - s.push(...Array.from(encryptBlock(xk, block))); - } - let y = bytesToNumberBE(Uint8Array.from(s.slice(0, d))); - s.fill(0); - if (decrypt) - y = -y; - const m = i % 2 === 0 ? u : v; - let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); - // STR(radix, m, c) - const C = Array(m).fill(0); - for (let i = 0; i < m; i++, c /= BigInt(radix)) - C[m - 1 - i] = Number(c % BigInt(radix)); - A.fill(0); - A = B; - B = C; - return [A, B]; - }; - const destroy = () => { - xk.fill(0); - PQ.fill(0); - }; - return { u, round, destroy }; -} -const EMPTY_BUF = new Uint8Array([]); -export function FF1(radix, key, tweak = EMPTY_BUF) { - const PQ = getRound.bind(null, radix, key, tweak); - return { - encrypt(x) { - const { u, round, destroy } = PQ(x); - let [A, B] = [x.slice(0, u), x.slice(u)]; - for (let i = 0; i < 10; i++) - [A, B] = round(A, B, i); - destroy(); - const res = A.concat(B); - A.fill(0); - B.fill(0); - return res; - }, - decrypt(x) { - const { u, round, destroy } = PQ(x); - // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; - // the differences are in Step 6, where: - // 1) the order of the indices is reversed, - // 2) the roles of A and B are swapped - // 3) modular addition is replaced by modular subtraction, in Step 6vi. - let [B, A] = [x.slice(0, u), x.slice(u)]; - for (let i = 9; i >= 0; i--) - [A, B] = round(A, B, i, true); - destroy(); - const res = B.concat(A); - A.fill(0); - B.fill(0); - return res; - }, - }; -} -// Binary string which encodes each byte in little-endian byte order -const binLE = { - encode(bytes) { - const x = []; - for (let i = 0; i < bytes.length; i++) { - for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) - x.push(tmp & 1); - } - return x; - }, - decode(b) { - if (b.length % 8) - throw new Error('Invalid binary string'); - const res = new Uint8Array(b.length / 8); - for (let i = 0, j = 0; i < res.length; i++) { - res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); - res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); - } - return res; - }, -}; -export function BinaryFF1(key, tweak = EMPTY_BUF) { - const ff1 = FF1(2, key, tweak); - return { - encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), - decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), - }; -} -//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/esm/index.js b/esm/index.js deleted file mode 100644 index 9a9d7ac..0000000 --- a/esm/index.js +++ /dev/null @@ -1,3 +0,0 @@ -throw new Error('noble-ciphers have no entry-point: consult README for usage'); -export {}; -//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/esm/salsa.js b/esm/salsa.js deleted file mode 100644 index a956d46..0000000 --- a/esm/salsa.js +++ /dev/null @@ -1,205 +0,0 @@ -import { bytes as abytes } from './_assert.js'; -import { createCipher, rotl } from './_arx.js'; -import { poly1305 } from './_poly1305.js'; -import { wrapCipher, equalBytes } from './utils.js'; -// Salsa20 stream cipher was released in 2005. -// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, -// which are hard to implement in a constant-time manner. -// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf -/** - * Salsa20 core function. - */ -// prettier-ignore -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // Based on https://cr.yp.to/salsa20.html - let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key - y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce - y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key - y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x04 ^= rotl(x00 + x12 | 0, 7); - x08 ^= rotl(x04 + x00 | 0, 9); - x12 ^= rotl(x08 + x04 | 0, 13); - x00 ^= rotl(x12 + x08 | 0, 18); - x09 ^= rotl(x05 + x01 | 0, 7); - x13 ^= rotl(x09 + x05 | 0, 9); - x01 ^= rotl(x13 + x09 | 0, 13); - x05 ^= rotl(x01 + x13 | 0, 18); - x14 ^= rotl(x10 + x06 | 0, 7); - x02 ^= rotl(x14 + x10 | 0, 9); - x06 ^= rotl(x02 + x14 | 0, 13); - x10 ^= rotl(x06 + x02 | 0, 18); - x03 ^= rotl(x15 + x11 | 0, 7); - x07 ^= rotl(x03 + x15 | 0, 9); - x11 ^= rotl(x07 + x03 | 0, 13); - x15 ^= rotl(x11 + x07 | 0, 18); - x01 ^= rotl(x00 + x03 | 0, 7); - x02 ^= rotl(x01 + x00 | 0, 9); - x03 ^= rotl(x02 + x01 | 0, 13); - x00 ^= rotl(x03 + x02 | 0, 18); - x06 ^= rotl(x05 + x04 | 0, 7); - x07 ^= rotl(x06 + x05 | 0, 9); - x04 ^= rotl(x07 + x06 | 0, 13); - x05 ^= rotl(x04 + x07 | 0, 18); - x11 ^= rotl(x10 + x09 | 0, 7); - x08 ^= rotl(x11 + x10 | 0, 9); - x09 ^= rotl(x08 + x11 | 0, 13); - x10 ^= rotl(x09 + x08 | 0, 18); - x12 ^= rotl(x15 + x14 | 0, 7); - x13 ^= rotl(x12 + x15 | 0, 9); - x14 ^= rotl(x13 + x12 | 0, 13); - x15 ^= rotl(x14 + x13 | 0, 18); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hsalsa hashing function, used primarily in xsalsa, to hash - * key and nonce into key' and nonce'. - * Same as salsaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -export function hsalsa(s, k, i, o32) { - let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; - for (let r = 0; r < 20; r += 2) { - x04 ^= rotl(x00 + x12 | 0, 7); - x08 ^= rotl(x04 + x00 | 0, 9); - x12 ^= rotl(x08 + x04 | 0, 13); - x00 ^= rotl(x12 + x08 | 0, 18); - x09 ^= rotl(x05 + x01 | 0, 7); - x13 ^= rotl(x09 + x05 | 0, 9); - x01 ^= rotl(x13 + x09 | 0, 13); - x05 ^= rotl(x01 + x13 | 0, 18); - x14 ^= rotl(x10 + x06 | 0, 7); - x02 ^= rotl(x14 + x10 | 0, 9); - x06 ^= rotl(x02 + x14 | 0, 13); - x10 ^= rotl(x06 + x02 | 0, 18); - x03 ^= rotl(x15 + x11 | 0, 7); - x07 ^= rotl(x03 + x15 | 0, 9); - x11 ^= rotl(x07 + x03 | 0, 13); - x15 ^= rotl(x11 + x07 | 0, 18); - x01 ^= rotl(x00 + x03 | 0, 7); - x02 ^= rotl(x01 + x00 | 0, 9); - x03 ^= rotl(x02 + x01 | 0, 13); - x00 ^= rotl(x03 + x02 | 0, 18); - x06 ^= rotl(x05 + x04 | 0, 7); - x07 ^= rotl(x06 + x05 | 0, 9); - x04 ^= rotl(x07 + x06 | 0, 13); - x05 ^= rotl(x04 + x07 | 0, 18); - x11 ^= rotl(x10 + x09 | 0, 7); - x08 ^= rotl(x11 + x10 | 0, 9); - x09 ^= rotl(x08 + x11 | 0, 13); - x10 ^= rotl(x09 + x08 | 0, 18); - x12 ^= rotl(x15 + x14 | 0, 7); - x13 ^= rotl(x12 + x15 | 0, 9); - x14 ^= rotl(x13 + x12 | 0, 13); - x15 ^= rotl(x14 + x13 | 0, 18); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x05; - o32[oi++] = x10; - o32[oi++] = x15; - o32[oi++] = x06; - o32[oi++] = x07; - o32[oi++] = x08; - o32[oi++] = x09; -} -/** - * Salsa20 from original paper. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * xsalsa20-poly1305 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * Also known as secretbox from libsodium / nacl. - */ -export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { - const tagLength = 16; - abytes(key, 32); - abytes(nonce, 24); - return { - encrypt: (plaintext, output) => { - abytes(plaintext); - // This is small optimization (calculate auth key with same call as encryption itself) makes it hard - // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) - const clength = plaintext.length + 32; - if (output) { - abytes(output, clength); - } - else { - output = new Uint8Array(clength); - } - output.set(plaintext, 32); - xsalsa20(key, nonce, output, output); - const authKey = output.subarray(0, 32); - const tag = poly1305(output.subarray(32), authKey); - // Clean auth key, even though JS provides no guarantees about memory cleaning - output.set(tag, tagLength); - output.subarray(0, tagLength).fill(0); - return output.subarray(tagLength); - }, - decrypt: (ciphertext) => { - abytes(ciphertext); - const clength = ciphertext.length; - if (clength < tagLength) - throw new Error('encrypted data should be at least 16 bytes'); - // Create new ciphertext array: - // auth tag auth tag from ciphertext ciphertext - // [bytes 0..16] [bytes 16..32] [bytes 32..] - // 16 instead of 32, because we already have 16 byte tag - const ciphertext_ = new Uint8Array(clength + tagLength); // alloc - ciphertext_.set(ciphertext, tagLength); - // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference - // Separate call to calculate authkey, since first bytes contains tag - const authKey = xsalsa20(key, nonce, new Uint8Array(32)); // alloc(32) - const tag = poly1305(ciphertext_.subarray(32), authKey); - if (!equalBytes(ciphertext_.subarray(16, 32), tag)) - throw new Error('invalid tag'); - const plaintext = xsalsa20(key, nonce, ciphertext_); // alloc - // Clean auth key, even though JS provides no guarantees about memory cleaning - plaintext.subarray(0, 32).fill(0); - authKey.fill(0); - return plaintext.subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl - */ -export function secretbox(key, nonce) { - const xs = xsalsa20poly1305(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/esm/utils.js b/esm/utils.js deleted file mode 100644 index 90ceb2e..0000000 --- a/esm/utils.js +++ /dev/null @@ -1,182 +0,0 @@ -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -import { bytes as abytes, isBytes } from './_assert.js'; -// Cast array to different type -export const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); -export const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); -export const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); -// Cast array to view -export const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); -// big-endian hardware is rare. Just in case someone still decides to run ciphers: -// early-throw an error because we don't support BE yet. -export const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; -if (!isLE) - throw new Error('Non little-endian hardware is not supported'); -// Array where index 0xf0 (240) is mapped to string 'f0' -const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); -/** - * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' - */ -export function bytesToHex(bytes) { - abytes(bytes); - // pre-caching improves the speed 6x - let hex = ''; - for (let i = 0; i < bytes.length; i++) { - hex += hexes[bytes[i]]; - } - return hex; -} -// We use optimized technique to convert hex string to byte array -const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; -function asciiToBase16(char) { - if (char >= asciis._0 && char <= asciis._9) - return char - asciis._0; - if (char >= asciis._A && char <= asciis._F) - return char - (asciis._A - 10); - if (char >= asciis._a && char <= asciis._f) - return char - (asciis._a - 10); - return; -} -/** - * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) - */ -export function hexToBytes(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - const hl = hex.length; - const al = hl / 2; - if (hl % 2) - throw new Error('padded hex string expected, got unpadded hex of length ' + hl); - const array = new Uint8Array(al); - for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { - const n1 = asciiToBase16(hex.charCodeAt(hi)); - const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); - if (n1 === undefined || n2 === undefined) { - const char = hex[hi] + hex[hi + 1]; - throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); - } - array[ai] = n1 * 16 + n2; - } - return array; -} -export function hexToNumber(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - // Big Endian - return BigInt(hex === '' ? '0' : `0x${hex}`); -} -// BE: Big Endian, LE: Little Endian -export function bytesToNumberBE(bytes) { - return hexToNumber(bytesToHex(bytes)); -} -export function numberToBytesBE(n, len) { - return hexToBytes(n.toString(16).padStart(len * 2, '0')); -} -// There is no setImmediate in browser and setTimeout is slow. -// call of async fn will return Promise, which will be fullfiled only on -// next scheduler queue processing step and this is exactly what we need. -export const nextTick = async () => { }; -// Returns control to thread each 'tick' ms to avoid blocking -export async function asyncLoop(iters, tick, cb) { - let ts = Date.now(); - for (let i = 0; i < iters; i++) { - cb(i); - // Date.now() is not monotonic, so in case if clock goes backwards we return return control too - const diff = Date.now() - ts; - if (diff >= 0 && diff < tick) - continue; - await nextTick(); - ts += diff; - } -} -/** - * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) - */ -export function utf8ToBytes(str) { - if (typeof str !== 'string') - throw new Error(`string expected, got ${typeof str}`); - return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 -} -/** - * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' - */ -export function bytesToUtf8(bytes) { - return new TextDecoder().decode(bytes); -} -/** - * Normalizes (non-hex) string or Uint8Array to Uint8Array. - * Warning: when Uint8Array is passed, it would NOT get copied. - * Keep in mind for future mutable operations. - */ -export function toBytes(data) { - if (typeof data === 'string') - data = utf8ToBytes(data); - else if (isBytes(data)) - data = data.slice(); - else - throw new Error(`Uint8Array expected, got ${typeof data}`); - return data; -} -/** - * Copies several Uint8Arrays into one. - */ -export function concatBytes(...arrays) { - let sum = 0; - for (let i = 0; i < arrays.length; i++) { - const a = arrays[i]; - abytes(a); - sum += a.length; - } - const res = new Uint8Array(sum); - for (let i = 0, pad = 0; i < arrays.length; i++) { - const a = arrays[i]; - res.set(a, pad); - pad += a.length; - } - return res; -} -export function checkOpts(defaults, opts) { - if (opts == null || typeof opts !== 'object') - throw new Error('options must be defined'); - const merged = Object.assign(defaults, opts); - return merged; -} -// Compares 2 u8a-s in kinda constant time -export function equalBytes(a, b) { - if (a.length !== b.length) - return false; - let diff = 0; - for (let i = 0; i < a.length; i++) - diff |= a[i] ^ b[i]; - return diff === 0; -} -// For runtime check if class implements interface -export class Hash { -} -/** - * @__NO_SIDE_EFFECTS__ - */ -export const wrapCipher = (params, c) => { - Object.assign(c, params); - return c; -}; -// Polyfill for Safari 14 -export function setBigUint64(view, byteOffset, value, isLE) { - if (typeof view.setBigUint64 === 'function') - return view.setBigUint64(byteOffset, value, isLE); - const _32n = BigInt(32); - const _u32_max = BigInt(0xffffffff); - const wh = Number((value >> _32n) & _u32_max); - const wl = Number(value & _u32_max); - const h = isLE ? 4 : 0; - const l = isLE ? 0 : 4; - view.setUint32(byteOffset + h, wh, isLE); - view.setUint32(byteOffset + l, wl, isLE); -} -export function u64Lengths(ciphertext, AAD) { - const num = new Uint8Array(16); - const view = createView(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - return num; -} -//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/esm/webcrypto.js b/esm/webcrypto.js deleted file mode 100644 index ffb89ba..0000000 --- a/esm/webcrypto.js +++ /dev/null @@ -1,99 +0,0 @@ -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// node.js versions earlier than v19 don't declare it in global scope. -// For node.js, package.js on#exports field mapping rewrites import -// from `crypto` to `cryptoNode`, which imports native module. -// Makes the utils un-importable in browsers without a bundler. -// Once node.js 18 is deprecated, we can just drop the import. -// -// Use full path so that Node.js can rewrite it to `cryptoNode.js`. -// @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. -import { randomBytes, getWebcryptoSubtle } from '@noble/ciphers/crypto'; -import { concatBytes } from './utils.js'; -import { number } from './_assert.js'; -import { bytes as abytes } from './_assert.js'; -/** - * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS. - */ -export { randomBytes, getWebcryptoSubtle }; -// Uses CSPRG for nonce, nonce injected in ciphertext -export function managedNonce(fn) { - number(fn.nonceLength); - return ((key, ...args) => ({ - encrypt: (plaintext, ...argsEnc) => { - const { nonceLength } = fn; - const nonce = randomBytes(nonceLength); - const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); - const out = concatBytes(nonce, ciphertext); - ciphertext.fill(0); - return out; - }, - decrypt: (ciphertext, ...argsDec) => { - const { nonceLength } = fn; - const nonce = ciphertext.subarray(0, nonceLength); - const data = ciphertext.subarray(nonceLength); - return fn(key, nonce, ...args).decrypt(data, ...argsDec); - }, - })); -} -// Overridable -export const utils = { - async encrypt(key, keyParams, cryptParams, plaintext) { - const cr = getWebcryptoSubtle(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); - const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); - return new Uint8Array(ciphertext); - }, - async decrypt(key, keyParams, cryptParams, ciphertext) { - const cr = getWebcryptoSubtle(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); - const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); - return new Uint8Array(plaintext); - }, -}; -function getCryptParams(algo, nonce, AAD) { - if (algo === "AES-CBC" /* BlockMode.CBC */) - return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; - if (algo === "AES-CTR" /* BlockMode.CTR */) - return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; - if (algo === "AES-GCM" /* BlockMode.GCM */) - return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; - throw new Error('unknown aes block mode'); -} -function generate(algo) { - return (key, nonce, AAD) => { - abytes(key); - abytes(nonce); - // const keyLength = key.length; - const keyParams = { name: algo, length: key.length * 8 }; - const cryptParams = getCryptParams(algo, nonce, AAD); - return { - // keyLength, - encrypt(plaintext) { - abytes(plaintext); - return utils.encrypt(key, keyParams, cryptParams, plaintext); - }, - decrypt(ciphertext) { - abytes(ciphertext); - return utils.decrypt(key, keyParams, cryptParams, ciphertext); - }, - }; - }; -} -export const cbc = generate("AES-CBC" /* BlockMode.CBC */); -export const ctr = generate("AES-CTR" /* BlockMode.CTR */); -export const gcm = generate("AES-GCM" /* BlockMode.GCM */); -// // Type tests -// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; -// import { xsalsa20poly1305 } from '../salsa.js'; -// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; -// const wsiv = managedNonce(siv); -// const wgcm = managedNonce(gcm); -// const wctr = managedNonce(ctr); -// const wcbc = managedNonce(cbc); -// const wsalsapoly = managedNonce(xsalsa20poly1305); -// const wchacha = managedNonce(chacha20poly1305); -// const wxchacha = managedNonce(xchacha20poly1305); -// // should fail -// const wcbc2 = managedNonce(managedNonce(cbc)); -// const wecb = managedNonce(ecb); -//# sourceMappingURL=webcrypto.js.map \ No newline at end of file diff --git a/ff1.js b/ff1.js deleted file mode 100644 index 38018e7..0000000 --- a/ff1.js +++ /dev/null @@ -1,154 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.BinaryFF1 = exports.FF1 = void 0; -const utils_js_1 = require("./utils.js"); -const aes_js_1 = require("./aes.js"); -// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow -const { expandKeyLE, encryptBlock } = aes_js_1.unsafe; -// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G. -// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf -const BLOCK_LEN = 16; -function mod(a, b) { - const result = a % b; - return result >= 0 ? result : b + result; -} -function NUMradix(radix, data) { - let res = BigInt(0); - for (let i of data) - res = res * BigInt(radix) + BigInt(i); - return res; -} -function getRound(radix, key, tweak, x) { - if (radix > 2 ** 16 - 1) - throw new Error(`Invalid radix: ${radix}`); - // radix**minlen ≥ 100 - const minLen = Math.ceil(Math.log(100) / Math.log(radix)); - const maxLen = 2 ** 32 - 1; - // 2 ≤ minlen ≤ maxlen < 2**32 - if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32) - throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32'); - if (x.length < minLen || x.length > maxLen) - throw new Error('X is outside minLen..maxLen bounds'); - const u = Math.floor(x.length / 2); - const v = x.length - u; - const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8); - const d = 4 * Math.ceil(b / 4) + 4; - const padding = mod(-tweak.length - b - 1, 16); - // P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4. - const P = new Uint8Array([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]); - const view = new DataView(P.buffer); - view.setUint16(4, radix, false); - view.setUint32(8, x.length, false); - view.setUint32(12, tweak.length, false); - // Q = T || [0](−t−b−1) mod 16 || [i]1 || [NUMradix(B)]b. - const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b); - PQ.set(P); - P.fill(0); - PQ.set(tweak, P.length); - const xk = expandKeyLE(key); - const round = (A, B, i, decrypt = false) => { - // Q = ... || [i]1 || [NUMradix(B)]b. - PQ[PQ.length - b - 1] = i; - if (b) - PQ.set((0, utils_js_1.numberToBytesBE)(NUMradix(radix, B), b), PQ.length - b); - // PRF - let r = new Uint8Array(16); - for (let j = 0; j < PQ.length / BLOCK_LEN; j++) { - for (let i = 0; i < BLOCK_LEN; i++) - r[i] ^= PQ[j * BLOCK_LEN + i]; - encryptBlock(xk, r); - } - // Let S be the first d bytes of the following string of ⎡d/16⎤ blocks: - // R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ – 1]16). - let s = Array.from(r); - for (let j = 1; s.length < d; j++) { - const block = (0, utils_js_1.numberToBytesBE)(BigInt(j), 16); - for (let k = 0; k < BLOCK_LEN; k++) - block[k] ^= r[k]; - s.push(...Array.from(encryptBlock(xk, block))); - } - let y = (0, utils_js_1.bytesToNumberBE)(Uint8Array.from(s.slice(0, d))); - s.fill(0); - if (decrypt) - y = -y; - const m = i % 2 === 0 ? u : v; - let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m)); - // STR(radix, m, c) - const C = Array(m).fill(0); - for (let i = 0; i < m; i++, c /= BigInt(radix)) - C[m - 1 - i] = Number(c % BigInt(radix)); - A.fill(0); - A = B; - B = C; - return [A, B]; - }; - const destroy = () => { - xk.fill(0); - PQ.fill(0); - }; - return { u, round, destroy }; -} -const EMPTY_BUF = new Uint8Array([]); -function FF1(radix, key, tweak = EMPTY_BUF) { - const PQ = getRound.bind(null, radix, key, tweak); - return { - encrypt(x) { - const { u, round, destroy } = PQ(x); - let [A, B] = [x.slice(0, u), x.slice(u)]; - for (let i = 0; i < 10; i++) - [A, B] = round(A, B, i); - destroy(); - const res = A.concat(B); - A.fill(0); - B.fill(0); - return res; - }, - decrypt(x) { - const { u, round, destroy } = PQ(x); - // The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm; - // the differences are in Step 6, where: - // 1) the order of the indices is reversed, - // 2) the roles of A and B are swapped - // 3) modular addition is replaced by modular subtraction, in Step 6vi. - let [B, A] = [x.slice(0, u), x.slice(u)]; - for (let i = 9; i >= 0; i--) - [A, B] = round(A, B, i, true); - destroy(); - const res = B.concat(A); - A.fill(0); - B.fill(0); - return res; - }, - }; -} -exports.FF1 = FF1; -// Binary string which encodes each byte in little-endian byte order -const binLE = { - encode(bytes) { - const x = []; - for (let i = 0; i < bytes.length; i++) { - for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1) - x.push(tmp & 1); - } - return x; - }, - decode(b) { - if (b.length % 8) - throw new Error('Invalid binary string'); - const res = new Uint8Array(b.length / 8); - for (let i = 0, j = 0; i < res.length; i++) { - res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3); - res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7); - } - return res; - }, -}; -function BinaryFF1(key, tweak = EMPTY_BUF) { - const ff1 = FF1(2, key, tweak); - return { - encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))), - decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))), - }; -} -exports.BinaryFF1 = BinaryFF1; -//# sourceMappingURL=ff1.js.map \ No newline at end of file diff --git a/index.js b/index.js deleted file mode 100644 index 5a9cbf1..0000000 --- a/index.js +++ /dev/null @@ -1,3 +0,0 @@ -"use strict"; -throw new Error('noble-ciphers have no entry-point: consult README for usage'); -//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/salsa.js b/salsa.js deleted file mode 100644 index 7e151ce..0000000 --- a/salsa.js +++ /dev/null @@ -1,210 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.secretbox = exports.xsalsa20poly1305 = exports.xsalsa20 = exports.salsa20 = exports.hsalsa = void 0; -const _assert_js_1 = require("./_assert.js"); -const _arx_js_1 = require("./_arx.js"); -const _poly1305_js_1 = require("./_poly1305.js"); -const utils_js_1 = require("./utils.js"); -// Salsa20 stream cipher was released in 2005. -// Salsa's goal was to implement AES replacement that does not rely on S-Boxes, -// which are hard to implement in a constant-time manner. -// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf -/** - * Salsa20 core function. - */ -// prettier-ignore -function salsaCore(s, k, n, out, cnt, rounds = 20) { - // Based on https://cr.yp.to/salsa20.html - let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key - y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce - y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key - y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k" - // Save state to temporary variables - let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; - for (let r = 0; r < rounds; r += 2) { - x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); - x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); - x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); - x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); - x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); - x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); - x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); - x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); - x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); - x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); - x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); - x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); - x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); - x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); - x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); - x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); - } - // Write output - let oi = 0; - out[oi++] = (y00 + x00) | 0; - out[oi++] = (y01 + x01) | 0; - out[oi++] = (y02 + x02) | 0; - out[oi++] = (y03 + x03) | 0; - out[oi++] = (y04 + x04) | 0; - out[oi++] = (y05 + x05) | 0; - out[oi++] = (y06 + x06) | 0; - out[oi++] = (y07 + x07) | 0; - out[oi++] = (y08 + x08) | 0; - out[oi++] = (y09 + x09) | 0; - out[oi++] = (y10 + x10) | 0; - out[oi++] = (y11 + x11) | 0; - out[oi++] = (y12 + x12) | 0; - out[oi++] = (y13 + x13) | 0; - out[oi++] = (y14 + x14) | 0; - out[oi++] = (y15 + x15) | 0; -} -/** - * hsalsa hashing function, used primarily in xsalsa, to hash - * key and nonce into key' and nonce'. - * Same as salsaCore, but there doesn't seem to be a way to move the block - * out without 25% performance hit. - */ -// prettier-ignore -function hsalsa(s, k, i, o32) { - let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3]; - for (let r = 0; r < 20; r += 2) { - x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9); - x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18); - x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9); - x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18); - x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9); - x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18); - x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9); - x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18); - x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7); - x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9); - x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13); - x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18); - x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7); - x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9); - x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13); - x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18); - x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7); - x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9); - x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13); - x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18); - x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7); - x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9); - x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13); - x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18); - } - let oi = 0; - o32[oi++] = x00; - o32[oi++] = x05; - o32[oi++] = x10; - o32[oi++] = x15; - o32[oi++] = x06; - o32[oi++] = x07; - o32[oi++] = x08; - o32[oi++] = x09; -} -exports.hsalsa = hsalsa; -/** - * Salsa20 from original paper. - * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance. - */ -exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - allowShortKeys: true, - counterRight: true, -}); -/** - * xsalsa20 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - */ -exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, { - counterRight: true, - extendNonceFn: hsalsa, -}); -/** - * xsalsa20-poly1305 eXtended-nonce salsa. - * With 24-byte nonce, it's safe to use fill it with random (CSPRNG). - * Also known as secretbox from libsodium / nacl. - */ -exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => { - const tagLength = 16; - (0, _assert_js_1.bytes)(key, 32); - (0, _assert_js_1.bytes)(nonce, 24); - return { - encrypt: (plaintext, output) => { - (0, _assert_js_1.bytes)(plaintext); - // This is small optimization (calculate auth key with same call as encryption itself) makes it hard - // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte) - const clength = plaintext.length + 32; - if (output) { - (0, _assert_js_1.bytes)(output, clength); - } - else { - output = new Uint8Array(clength); - } - output.set(plaintext, 32); - (0, exports.xsalsa20)(key, nonce, output, output); - const authKey = output.subarray(0, 32); - const tag = (0, _poly1305_js_1.poly1305)(output.subarray(32), authKey); - // Clean auth key, even though JS provides no guarantees about memory cleaning - output.set(tag, tagLength); - output.subarray(0, tagLength).fill(0); - return output.subarray(tagLength); - }, - decrypt: (ciphertext) => { - (0, _assert_js_1.bytes)(ciphertext); - const clength = ciphertext.length; - if (clength < tagLength) - throw new Error('encrypted data should be at least 16 bytes'); - // Create new ciphertext array: - // auth tag auth tag from ciphertext ciphertext - // [bytes 0..16] [bytes 16..32] [bytes 32..] - // 16 instead of 32, because we already have 16 byte tag - const ciphertext_ = new Uint8Array(clength + tagLength); // alloc - ciphertext_.set(ciphertext, tagLength); - // Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference - // Separate call to calculate authkey, since first bytes contains tag - const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); // alloc(32) - const tag = (0, _poly1305_js_1.poly1305)(ciphertext_.subarray(32), authKey); - if (!(0, utils_js_1.equalBytes)(ciphertext_.subarray(16, 32), tag)) - throw new Error('invalid tag'); - const plaintext = (0, exports.xsalsa20)(key, nonce, ciphertext_); // alloc - // Clean auth key, even though JS provides no guarantees about memory cleaning - plaintext.subarray(0, 32).fill(0); - authKey.fill(0); - return plaintext.subarray(32); - }, - }; -}); -/** - * Alias to xsalsa20poly1305, for compatibility with libsodium / nacl - */ -function secretbox(key, nonce) { - const xs = (0, exports.xsalsa20poly1305)(key, nonce); - return { seal: xs.encrypt, open: xs.decrypt }; -} -exports.secretbox = secretbox; -//# sourceMappingURL=salsa.js.map \ No newline at end of file diff --git a/utils.js b/utils.js deleted file mode 100644 index 00cb4c2..0000000 --- a/utils.js +++ /dev/null @@ -1,206 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.u64Lengths = exports.setBigUint64 = exports.wrapCipher = exports.Hash = exports.equalBytes = exports.checkOpts = exports.concatBytes = exports.toBytes = exports.bytesToUtf8 = exports.utf8ToBytes = exports.asyncLoop = exports.nextTick = exports.numberToBytesBE = exports.bytesToNumberBE = exports.hexToNumber = exports.hexToBytes = exports.bytesToHex = exports.isLE = exports.createView = exports.u32 = exports.u16 = exports.u8 = void 0; -/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */ -const _assert_js_1 = require("./_assert.js"); -// Cast array to different type -const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength); -exports.u8 = u8; -const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2)); -exports.u16 = u16; -const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); -exports.u32 = u32; -// Cast array to view -const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); -exports.createView = createView; -// big-endian hardware is rare. Just in case someone still decides to run ciphers: -// early-throw an error because we don't support BE yet. -exports.isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44; -if (!exports.isLE) - throw new Error('Non little-endian hardware is not supported'); -// Array where index 0xf0 (240) is mapped to string 'f0' -const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); -/** - * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' - */ -function bytesToHex(bytes) { - (0, _assert_js_1.bytes)(bytes); - // pre-caching improves the speed 6x - let hex = ''; - for (let i = 0; i < bytes.length; i++) { - hex += hexes[bytes[i]]; - } - return hex; -} -exports.bytesToHex = bytesToHex; -// We use optimized technique to convert hex string to byte array -const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; -function asciiToBase16(char) { - if (char >= asciis._0 && char <= asciis._9) - return char - asciis._0; - if (char >= asciis._A && char <= asciis._F) - return char - (asciis._A - 10); - if (char >= asciis._a && char <= asciis._f) - return char - (asciis._a - 10); - return; -} -/** - * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) - */ -function hexToBytes(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - const hl = hex.length; - const al = hl / 2; - if (hl % 2) - throw new Error('padded hex string expected, got unpadded hex of length ' + hl); - const array = new Uint8Array(al); - for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { - const n1 = asciiToBase16(hex.charCodeAt(hi)); - const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); - if (n1 === undefined || n2 === undefined) { - const char = hex[hi] + hex[hi + 1]; - throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); - } - array[ai] = n1 * 16 + n2; - } - return array; -} -exports.hexToBytes = hexToBytes; -function hexToNumber(hex) { - if (typeof hex !== 'string') - throw new Error('hex string expected, got ' + typeof hex); - // Big Endian - return BigInt(hex === '' ? '0' : `0x${hex}`); -} -exports.hexToNumber = hexToNumber; -// BE: Big Endian, LE: Little Endian -function bytesToNumberBE(bytes) { - return hexToNumber(bytesToHex(bytes)); -} -exports.bytesToNumberBE = bytesToNumberBE; -function numberToBytesBE(n, len) { - return hexToBytes(n.toString(16).padStart(len * 2, '0')); -} -exports.numberToBytesBE = numberToBytesBE; -// There is no setImmediate in browser and setTimeout is slow. -// call of async fn will return Promise, which will be fullfiled only on -// next scheduler queue processing step and this is exactly what we need. -const nextTick = async () => { }; -exports.nextTick = nextTick; -// Returns control to thread each 'tick' ms to avoid blocking -async function asyncLoop(iters, tick, cb) { - let ts = Date.now(); - for (let i = 0; i < iters; i++) { - cb(i); - // Date.now() is not monotonic, so in case if clock goes backwards we return return control too - const diff = Date.now() - ts; - if (diff >= 0 && diff < tick) - continue; - await (0, exports.nextTick)(); - ts += diff; - } -} -exports.asyncLoop = asyncLoop; -/** - * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) - */ -function utf8ToBytes(str) { - if (typeof str !== 'string') - throw new Error(`string expected, got ${typeof str}`); - return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 -} -exports.utf8ToBytes = utf8ToBytes; -/** - * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc' - */ -function bytesToUtf8(bytes) { - return new TextDecoder().decode(bytes); -} -exports.bytesToUtf8 = bytesToUtf8; -/** - * Normalizes (non-hex) string or Uint8Array to Uint8Array. - * Warning: when Uint8Array is passed, it would NOT get copied. - * Keep in mind for future mutable operations. - */ -function toBytes(data) { - if (typeof data === 'string') - data = utf8ToBytes(data); - else if ((0, _assert_js_1.isBytes)(data)) - data = data.slice(); - else - throw new Error(`Uint8Array expected, got ${typeof data}`); - return data; -} -exports.toBytes = toBytes; -/** - * Copies several Uint8Arrays into one. - */ -function concatBytes(...arrays) { - let sum = 0; - for (let i = 0; i < arrays.length; i++) { - const a = arrays[i]; - (0, _assert_js_1.bytes)(a); - sum += a.length; - } - const res = new Uint8Array(sum); - for (let i = 0, pad = 0; i < arrays.length; i++) { - const a = arrays[i]; - res.set(a, pad); - pad += a.length; - } - return res; -} -exports.concatBytes = concatBytes; -function checkOpts(defaults, opts) { - if (opts == null || typeof opts !== 'object') - throw new Error('options must be defined'); - const merged = Object.assign(defaults, opts); - return merged; -} -exports.checkOpts = checkOpts; -// Compares 2 u8a-s in kinda constant time -function equalBytes(a, b) { - if (a.length !== b.length) - return false; - let diff = 0; - for (let i = 0; i < a.length; i++) - diff |= a[i] ^ b[i]; - return diff === 0; -} -exports.equalBytes = equalBytes; -// For runtime check if class implements interface -class Hash { -} -exports.Hash = Hash; -/** - * @__NO_SIDE_EFFECTS__ - */ -const wrapCipher = (params, c) => { - Object.assign(c, params); - return c; -}; -exports.wrapCipher = wrapCipher; -// Polyfill for Safari 14 -function setBigUint64(view, byteOffset, value, isLE) { - if (typeof view.setBigUint64 === 'function') - return view.setBigUint64(byteOffset, value, isLE); - const _32n = BigInt(32); - const _u32_max = BigInt(0xffffffff); - const wh = Number((value >> _32n) & _u32_max); - const wl = Number(value & _u32_max); - const h = isLE ? 4 : 0; - const l = isLE ? 0 : 4; - view.setUint32(byteOffset + h, wh, isLE); - view.setUint32(byteOffset + l, wl, isLE); -} -exports.setBigUint64 = setBigUint64; -function u64Lengths(ciphertext, AAD) { - const num = new Uint8Array(16); - const view = (0, exports.createView)(num); - setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); - setBigUint64(view, 8, BigInt(ciphertext.length), true); - return num; -} -exports.u64Lengths = u64Lengths; -//# sourceMappingURL=utils.js.map \ No newline at end of file diff --git a/webcrypto.js b/webcrypto.js deleted file mode 100644 index 32091b3..0000000 --- a/webcrypto.js +++ /dev/null @@ -1,101 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.gcm = exports.ctr = exports.cbc = exports.utils = exports.managedNonce = exports.getWebcryptoSubtle = exports.randomBytes = void 0; -// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. -// node.js versions earlier than v19 don't declare it in global scope. -// For node.js, package.js on#exports field mapping rewrites import -// from `crypto` to `cryptoNode`, which imports native module. -// Makes the utils un-importable in browsers without a bundler. -// Once node.js 18 is deprecated, we can just drop the import. -// -// Use full path so that Node.js can rewrite it to `cryptoNode.js`. -// @ts-ignore: `tsc` doesn't understand `@noble/ciphers/crypto` is a valid import. -const crypto_1 = require("@noble/ciphers/crypto"); -Object.defineProperty(exports, "randomBytes", { enumerable: true, get: function () { return crypto_1.randomBytes; } }); -Object.defineProperty(exports, "getWebcryptoSubtle", { enumerable: true, get: function () { return crypto_1.getWebcryptoSubtle; } }); -const utils_js_1 = require("./utils.js"); -const _assert_js_1 = require("./_assert.js"); -const _assert_js_2 = require("./_assert.js"); -// Uses CSPRG for nonce, nonce injected in ciphertext -function managedNonce(fn) { - (0, _assert_js_1.number)(fn.nonceLength); - return ((key, ...args) => ({ - encrypt: (plaintext, ...argsEnc) => { - const { nonceLength } = fn; - const nonce = (0, crypto_1.randomBytes)(nonceLength); - const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc); - const out = (0, utils_js_1.concatBytes)(nonce, ciphertext); - ciphertext.fill(0); - return out; - }, - decrypt: (ciphertext, ...argsDec) => { - const { nonceLength } = fn; - const nonce = ciphertext.subarray(0, nonceLength); - const data = ciphertext.subarray(nonceLength); - return fn(key, nonce, ...args).decrypt(data, ...argsDec); - }, - })); -} -exports.managedNonce = managedNonce; -// Overridable -exports.utils = { - async encrypt(key, keyParams, cryptParams, plaintext) { - const cr = (0, crypto_1.getWebcryptoSubtle)(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']); - const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext); - return new Uint8Array(ciphertext); - }, - async decrypt(key, keyParams, cryptParams, ciphertext) { - const cr = (0, crypto_1.getWebcryptoSubtle)(); - const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']); - const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext); - return new Uint8Array(plaintext); - }, -}; -function getCryptParams(algo, nonce, AAD) { - if (algo === "AES-CBC" /* BlockMode.CBC */) - return { name: "AES-CBC" /* BlockMode.CBC */, iv: nonce }; - if (algo === "AES-CTR" /* BlockMode.CTR */) - return { name: "AES-CTR" /* BlockMode.CTR */, counter: nonce, length: 64 }; - if (algo === "AES-GCM" /* BlockMode.GCM */) - return { name: "AES-GCM" /* BlockMode.GCM */, iv: nonce, additionalData: AAD }; - throw new Error('unknown aes block mode'); -} -function generate(algo) { - return (key, nonce, AAD) => { - (0, _assert_js_2.bytes)(key); - (0, _assert_js_2.bytes)(nonce); - // const keyLength = key.length; - const keyParams = { name: algo, length: key.length * 8 }; - const cryptParams = getCryptParams(algo, nonce, AAD); - return { - // keyLength, - encrypt(plaintext) { - (0, _assert_js_2.bytes)(plaintext); - return exports.utils.encrypt(key, keyParams, cryptParams, plaintext); - }, - decrypt(ciphertext) { - (0, _assert_js_2.bytes)(ciphertext); - return exports.utils.decrypt(key, keyParams, cryptParams, ciphertext); - }, - }; - }; -} -exports.cbc = generate("AES-CBC" /* BlockMode.CBC */); -exports.ctr = generate("AES-CTR" /* BlockMode.CTR */); -exports.gcm = generate("AES-GCM" /* BlockMode.GCM */); -// // Type tests -// import { siv, gcm, ctr, ecb, cbc } from '../aes.js'; -// import { xsalsa20poly1305 } from '../salsa.js'; -// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js'; -// const wsiv = managedNonce(siv); -// const wgcm = managedNonce(gcm); -// const wctr = managedNonce(ctr); -// const wcbc = managedNonce(cbc); -// const wsalsapoly = managedNonce(xsalsa20poly1305); -// const wchacha = managedNonce(chacha20poly1305); -// const wxchacha = managedNonce(xchacha20poly1305); -// // should fail -// const wcbc2 = managedNonce(managedNonce(cbc)); -// const wecb = managedNonce(ecb); -//# sourceMappingURL=webcrypto.js.map \ No newline at end of file