]> git.immae.eu Git - perso/Immae/Projets/Cryptomonnaies/BIP39.git/blame - src/js/sjcl-bip39.js
Test order is randomized
[perso/Immae/Projets/Cryptomonnaies/BIP39.git] / src / js / sjcl-bip39.js
CommitLineData
e66c8a9b
IC
1// Select components from sjcl to suit the crypto operations bip39 requires.
2
3//// base.js
4
5/** @fileOverview Javascript cryptography implementation.
6 *
7 * Crush to remove comments, shorten variable names and
8 * generally reduce transmission size.
9 *
10 * @author Emily Stark
11 * @author Mike Hamburg
12 * @author Dan Boneh
13 */
14
15"use strict";
16/*jslint indent: 2, bitwise: false, nomen: false, plusplus: false, white: false, regexp: false */
17/*global document, window, escape, unescape, module, require, Uint32Array */
18
19/** @namespace The Stanford Javascript Crypto Library, top-level namespace. */
20var sjcl = {
21 /** @namespace Symmetric ciphers. */
22 cipher: {},
23
24 /** @namespace Hash functions. Right now only SHA256 is implemented. */
25 hash: {},
26
27 /** @namespace Key exchange functions. Right now only SRP is implemented. */
28 keyexchange: {},
29
30 /** @namespace Block cipher modes of operation. */
31 mode: {},
32
33 /** @namespace Miscellaneous. HMAC and PBKDF2. */
34 misc: {},
35
36 /**
37 * @namespace Bit array encoders and decoders.
38 *
39 * @description
40 * The members of this namespace are functions which translate between
41 * SJCL's bitArrays and other objects (usually strings). Because it
42 * isn't always clear which direction is encoding and which is decoding,
43 * the method names are "fromBits" and "toBits".
44 */
45 codec: {},
46
47 /** @namespace Exceptions. */
48 exception: {
49 /** @constructor Ciphertext is corrupt. */
50 corrupt: function(message) {
51 this.toString = function() { return "CORRUPT: "+this.message; };
52 this.message = message;
53 },
54
55 /** @constructor Invalid parameter. */
56 invalid: function(message) {
57 this.toString = function() { return "INVALID: "+this.message; };
58 this.message = message;
59 },
60
61 /** @constructor Bug or missing feature in SJCL. @constructor */
62 bug: function(message) {
63 this.toString = function() { return "BUG: "+this.message; };
64 this.message = message;
65 },
66
67 /** @constructor Something isn't ready. */
68 notReady: function(message) {
69 this.toString = function() { return "NOT READY: "+this.message; };
70 this.message = message;
71 }
72 }
73};
74
75if(typeof module !== 'undefined' && module.exports){
76 module.exports = sjcl;
77}
78if (typeof define === "function") {
79 define([], function () {
80 return sjcl;
81 });
82}
83
84
85//// bitArray.js
86
87/** @fileOverview Arrays of bits, encoded as arrays of Numbers.
88 *
89 * @author Emily Stark
90 * @author Mike Hamburg
91 * @author Dan Boneh
92 */
93
94/** @namespace Arrays of bits, encoded as arrays of Numbers.
95 *
96 * @description
97 * <p>
98 * These objects are the currency accepted by SJCL's crypto functions.
99 * </p>
100 *
101 * <p>
102 * Most of our crypto primitives operate on arrays of 4-byte words internally,
103 * but many of them can take arguments that are not a multiple of 4 bytes.
104 * This library encodes arrays of bits (whose size need not be a multiple of 8
105 * bits) as arrays of 32-bit words. The bits are packed, big-endian, into an
106 * array of words, 32 bits at a time. Since the words are double-precision
107 * floating point numbers, they fit some extra data. We use this (in a private,
108 * possibly-changing manner) to encode the number of bits actually present
109 * in the last word of the array.
110 * </p>
111 *
112 * <p>
113 * Because bitwise ops clear this out-of-band data, these arrays can be passed
114 * to ciphers like AES which want arrays of words.
115 * </p>
116 */
117sjcl.bitArray = {
118 /**
119 * Array slices in units of bits.
120 * @param {bitArray} a The array to slice.
121 * @param {Number} bstart The offset to the start of the slice, in bits.
122 * @param {Number} bend The offset to the end of the slice, in bits. If this is undefined,
123 * slice until the end of the array.
124 * @return {bitArray} The requested slice.
125 */
126 bitSlice: function (a, bstart, bend) {
127 a = sjcl.bitArray._shiftRight(a.slice(bstart/32), 32 - (bstart & 31)).slice(1);
128 return (bend === undefined) ? a : sjcl.bitArray.clamp(a, bend-bstart);
129 },
130
131 /**
132 * Extract a number packed into a bit array.
133 * @param {bitArray} a The array to slice.
134 * @param {Number} bstart The offset to the start of the slice, in bits.
135 * @param {Number} length The length of the number to extract.
136 * @return {Number} The requested slice.
137 */
138 extract: function(a, bstart, blength) {
139 // FIXME: this Math.floor is not necessary at all, but for some reason
140 // seems to suppress a bug in the Chromium JIT.
141 var x, sh = Math.floor((-bstart-blength) & 31);
142 if ((bstart + blength - 1 ^ bstart) & -32) {
143 // it crosses a boundary
144 x = (a[bstart/32|0] << (32 - sh)) ^ (a[bstart/32+1|0] >>> sh);
145 } else {
146 // within a single word
147 x = a[bstart/32|0] >>> sh;
148 }
149 return x & ((1<<blength) - 1);
150 },
151
152 /**
153 * Concatenate two bit arrays.
154 * @param {bitArray} a1 The first array.
155 * @param {bitArray} a2 The second array.
156 * @return {bitArray} The concatenation of a1 and a2.
157 */
158 concat: function (a1, a2) {
159 if (a1.length === 0 || a2.length === 0) {
160 return a1.concat(a2);
161 }
162
163 var last = a1[a1.length-1], shift = sjcl.bitArray.getPartial(last);
164 if (shift === 32) {
165 return a1.concat(a2);
166 } else {
167 return sjcl.bitArray._shiftRight(a2, shift, last|0, a1.slice(0,a1.length-1));
168 }
169 },
170
171 /**
172 * Find the length of an array of bits.
173 * @param {bitArray} a The array.
174 * @return {Number} The length of a, in bits.
175 */
176 bitLength: function (a) {
177 var l = a.length, x;
178 if (l === 0) { return 0; }
179 x = a[l - 1];
180 return (l-1) * 32 + sjcl.bitArray.getPartial(x);
181 },
182
183 /**
184 * Truncate an array.
185 * @param {bitArray} a The array.
186 * @param {Number} len The length to truncate to, in bits.
187 * @return {bitArray} A new array, truncated to len bits.
188 */
189 clamp: function (a, len) {
190 if (a.length * 32 < len) { return a; }
191 a = a.slice(0, Math.ceil(len / 32));
192 var l = a.length;
193 len = len & 31;
194 if (l > 0 && len) {
195 a[l-1] = sjcl.bitArray.partial(len, a[l-1] & 0x80000000 >> (len-1), 1);
196 }
197 return a;
198 },
199
200 /**
201 * Make a partial word for a bit array.
202 * @param {Number} len The number of bits in the word.
203 * @param {Number} x The bits.
204 * @param {Number} [0] _end Pass 1 if x has already been shifted to the high side.
205 * @return {Number} The partial word.
206 */
207 partial: function (len, x, _end) {
208 if (len === 32) { return x; }
209 return (_end ? x|0 : x << (32-len)) + len * 0x10000000000;
210 },
211
212 /**
213 * Get the number of bits used by a partial word.
214 * @param {Number} x The partial word.
215 * @return {Number} The number of bits used by the partial word.
216 */
217 getPartial: function (x) {
218 return Math.round(x/0x10000000000) || 32;
219 },
220
221 /**
222 * Compare two arrays for equality in a predictable amount of time.
223 * @param {bitArray} a The first array.
224 * @param {bitArray} b The second array.
225 * @return {boolean} true if a == b; false otherwise.
226 */
227 equal: function (a, b) {
228 if (sjcl.bitArray.bitLength(a) !== sjcl.bitArray.bitLength(b)) {
229 return false;
230 }
231 var x = 0, i;
232 for (i=0; i<a.length; i++) {
233 x |= a[i]^b[i];
234 }
235 return (x === 0);
236 },
237
238 /** Shift an array right.
239 * @param {bitArray} a The array to shift.
240 * @param {Number} shift The number of bits to shift.
241 * @param {Number} [carry=0] A byte to carry in
242 * @param {bitArray} [out=[]] An array to prepend to the output.
243 * @private
244 */
245 _shiftRight: function (a, shift, carry, out) {
246 var i, last2=0, shift2;
247 if (out === undefined) { out = []; }
248
249 for (; shift >= 32; shift -= 32) {
250 out.push(carry);
251 carry = 0;
252 }
253 if (shift === 0) {
254 return out.concat(a);
255 }
256
257 for (i=0; i<a.length; i++) {
258 out.push(carry | a[i]>>>shift);
259 carry = a[i] << (32-shift);
260 }
261 last2 = a.length ? a[a.length-1] : 0;
262 shift2 = sjcl.bitArray.getPartial(last2);
263 out.push(sjcl.bitArray.partial(shift+shift2 & 31, (shift + shift2 > 32) ? carry : out.pop(),1));
264 return out;
265 },
266
267 /** xor a block of 4 words together.
268 * @private
269 */
270 _xor4: function(x,y) {
271 return [x[0]^y[0],x[1]^y[1],x[2]^y[2],x[3]^y[3]];
272 },
273
274 /** byteswap a word array inplace.
275 * (does not handle partial words)
276 * @param {sjcl.bitArray} a word array
277 * @return {sjcl.bitArray} byteswapped array
278 */
279 byteswapM: function(a) {
280 var i, v, m = 0xff00;
281 for (i = 0; i < a.length; ++i) {
282 v = a[i];
283 a[i] = (v >>> 24) | ((v >>> 8) & m) | ((v & m) << 8) | (v << 24);
284 }
285 return a;
286 }
287};
288
289
290//// codecString.js
291
292/** @fileOverview Bit array codec implementations.
293 *
294 * @author Emily Stark
295 * @author Mike Hamburg
296 * @author Dan Boneh
297 */
298
299/** @namespace UTF-8 strings */
300sjcl.codec.utf8String = {
301 /** Convert from a bitArray to a UTF-8 string. */
302 fromBits: function (arr) {
303 var out = "", bl = sjcl.bitArray.bitLength(arr), i, tmp;
304 for (i=0; i<bl/8; i++) {
305 if ((i&3) === 0) {
306 tmp = arr[i/4];
307 }
308 out += String.fromCharCode(tmp >>> 24);
309 tmp <<= 8;
310 }
311 return decodeURIComponent(escape(out));
312 },
313
314 /** Convert from a UTF-8 string to a bitArray. */
315 toBits: function (str) {
316 str = unescape(encodeURIComponent(str));
317 var out = [], i, tmp=0;
318 for (i=0; i<str.length; i++) {
319 tmp = tmp << 8 | str.charCodeAt(i);
320 if ((i&3) === 3) {
321 out.push(tmp);
322 tmp = 0;
323 }
324 }
325 if (i&3) {
326 out.push(sjcl.bitArray.partial(8*(i&3), tmp));
327 }
328 return out;
329 }
330};
331
332
333//// codecHex.js
334
335/** @fileOverview Bit array codec implementations.
336 *
337 * @author Emily Stark
338 * @author Mike Hamburg
339 * @author Dan Boneh
340 */
341
342/** @namespace Hexadecimal */
343sjcl.codec.hex = {
344 /** Convert from a bitArray to a hex string. */
345 fromBits: function (arr) {
346 var out = "", i;
347 for (i=0; i<arr.length; i++) {
348 out += ((arr[i]|0)+0xF00000000000).toString(16).substr(4);
349 }
350 return out.substr(0, sjcl.bitArray.bitLength(arr)/4);//.replace(/(.{8})/g, "$1 ");
351 },
352 /** Convert from a hex string to a bitArray. */
353 toBits: function (str) {
354 var i, out=[], len;
355 str = str.replace(/\s|0x/g, "");
356 len = str.length;
357 str = str + "00000000";
358 for (i=0; i<str.length; i+=8) {
359 out.push(parseInt(str.substr(i,8),16)^0);
360 }
361 return sjcl.bitArray.clamp(out, len*4);
362 }
363};
364
365
366//// sha512.js
367
368/** @fileOverview Javascript SHA-512 implementation.
369 *
370 * This implementation was written for CryptoJS by Jeff Mott and adapted for
371 * SJCL by Stefan Thomas.
372 *
373 * CryptoJS (c) 2009–2012 by Jeff Mott. All rights reserved.
374 * Released with New BSD License
375 *
376 * @author Emily Stark
377 * @author Mike Hamburg
378 * @author Dan Boneh
379 * @author Jeff Mott
380 * @author Stefan Thomas
381 */
382
383/**
384 * Context for a SHA-512 operation in progress.
385 * @constructor
386 * @class Secure Hash Algorithm, 512 bits.
387 */
388sjcl.hash.sha512 = function (hash) {
389 if (!this._key[0]) { this._precompute(); }
390 if (hash) {
391 this._h = hash._h.slice(0);
392 this._buffer = hash._buffer.slice(0);
393 this._length = hash._length;
394 } else {
395 this.reset();
396 }
397};
398
399/**
400 * Hash a string or an array of words.
401 * @static
402 * @param {bitArray|String} data the data to hash.
403 * @return {bitArray} The hash value, an array of 16 big-endian words.
404 */
405sjcl.hash.sha512.hash = function (data) {
406 return (new sjcl.hash.sha512()).update(data).finalize();
407};
408
409sjcl.hash.sha512.prototype = {
410 /**
411 * The hash's block size, in bits.
412 * @constant
413 */
414 blockSize: 1024,
415
416 /**
417 * Reset the hash state.
418 * @return this
419 */
420 reset:function () {
421 this._h = this._init.slice(0);
422 this._buffer = [];
423 this._length = 0;
424 return this;
425 },
426
427 /**
428 * Input several words to the hash.
429 * @param {bitArray|String} data the data to hash.
430 * @return this
431 */
432 update: function (data) {
433 if (typeof data === "string") {
434 data = sjcl.codec.utf8String.toBits(data);
435 }
436 var i, b = this._buffer = sjcl.bitArray.concat(this._buffer, data),
437 ol = this._length,
438 nl = this._length = ol + sjcl.bitArray.bitLength(data);
439 for (i = 1024+ol & -1024; i <= nl; i+= 1024) {
440 this._block(b.splice(0,32));
441 }
442 return this;
443 },
444
445 /**
446 * Complete hashing and output the hash value.
447 * @return {bitArray} The hash value, an array of 16 big-endian words.
448 */
449 finalize:function () {
450 var i, b = this._buffer, h = this._h;
451
452 // Round out and push the buffer
453 b = sjcl.bitArray.concat(b, [sjcl.bitArray.partial(1,1)]);
454
455 // Round out the buffer to a multiple of 32 words, less the 4 length words.
456 for (i = b.length + 4; i & 31; i++) {
457 b.push(0);
458 }
459
460 // append the length
461 b.push(0);
462 b.push(0);
463 b.push(Math.floor(this._length / 0x100000000));
464 b.push(this._length | 0);
465
466 while (b.length) {
467 this._block(b.splice(0,32));
468 }
469
470 this.reset();
471 return h;
472 },
473
474 /**
475 * The SHA-512 initialization vector, to be precomputed.
476 * @private
477 */
478 _init:[],
479
480 /**
481 * Least significant 24 bits of SHA512 initialization values.
482 *
483 * Javascript only has 53 bits of precision, so we compute the 40 most
484 * significant bits and add the remaining 24 bits as constants.
485 *
486 * @private
487 */
488 _initr: [ 0xbcc908, 0xcaa73b, 0x94f82b, 0x1d36f1, 0xe682d1, 0x3e6c1f, 0x41bd6b, 0x7e2179 ],
489
490 /*
491 _init:
492 [0x6a09e667, 0xf3bcc908, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1,
493 0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179],
494 */
495
496 /**
497 * The SHA-512 hash key, to be precomputed.
498 * @private
499 */
500 _key:[],
501
502 /**
503 * Least significant 24 bits of SHA512 key values.
504 * @private
505 */
506 _keyr:
507 [0x28ae22, 0xef65cd, 0x4d3b2f, 0x89dbbc, 0x48b538, 0x05d019, 0x194f9b, 0x6d8118,
508 0x030242, 0x706fbe, 0xe4b28c, 0xffb4e2, 0x7b896f, 0x1696b1, 0xc71235, 0x692694,
509 0xf14ad2, 0x4f25e3, 0x8cd5b5, 0xac9c65, 0x2b0275, 0xa6e483, 0x41fbd4, 0x1153b5,
510 0x66dfab, 0xb43210, 0xfb213f, 0xef0ee4, 0xa88fc2, 0x0aa725, 0x03826f, 0x0e6e70,
511 0xd22ffc, 0x26c926, 0xc42aed, 0x95b3df, 0xaf63de, 0x77b2a8, 0xedaee6, 0x82353b,
512 0xf10364, 0x423001, 0xf89791, 0x54be30, 0xef5218, 0x65a910, 0x71202a, 0xbbd1b8,
513 0xd2d0c8, 0x41ab53, 0x8eeb99, 0x9b48a8, 0xc95a63, 0x418acb, 0x63e373, 0xb2b8a3,
514 0xefb2fc, 0x172f60, 0xf0ab72, 0x6439ec, 0x631e28, 0x82bde9, 0xc67915, 0x72532b,
515 0x26619c, 0xc0c207, 0xe0eb1e, 0x6ed178, 0x176fba, 0xc898a6, 0xf90dae, 0x1c471b,
516 0x047d84, 0xc72493, 0xc9bebc, 0x100d4c, 0x3e42b6, 0x657e2a, 0xd6faec, 0x475817],
517
518 /*
519 _key:
520 [0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd, 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
521 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019, 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
522 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe, 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
523 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1, 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
524 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3, 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
525 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483, 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
526 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210, 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
527 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725, 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
528 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926, 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
529 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8, 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
530 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001, 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
531 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910, 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
532 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53, 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
533 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb, 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
534 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60, 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
535 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9, 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
536 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207, 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
537 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6, 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
538 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493, 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
539 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a, 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817],
540 */
541
542 /**
543 * Function to precompute _init and _key.
544 * @private
545 */
546 _precompute: function () {
547 // XXX: This code is for precomputing the SHA256 constants, change for
548 // SHA512 and re-enable.
549 var i = 0, prime = 2, factor;
550
551 function frac(x) { return (x-Math.floor(x)) * 0x100000000 | 0; }
552 function frac2(x) { return (x-Math.floor(x)) * 0x10000000000 & 0xff; }
553
554 outer: for (; i<80; prime++) {
555 for (factor=2; factor*factor <= prime; factor++) {
556 if (prime % factor === 0) {
557 // not a prime
558 continue outer;
559 }
560 }
561
562 if (i<8) {
563 this._init[i*2] = frac(Math.pow(prime, 1/2));
564 this._init[i*2+1] = (frac2(Math.pow(prime, 1/2)) << 24) | this._initr[i];
565 }
566 this._key[i*2] = frac(Math.pow(prime, 1/3));
567 this._key[i*2+1] = (frac2(Math.pow(prime, 1/3)) << 24) | this._keyr[i];
568 i++;
569 }
570 },
571
572 /**
573 * Perform one cycle of SHA-512.
574 * @param {bitArray} words one block of words.
575 * @private
576 */
577 _block:function (words) {
578 var i, wrh, wrl,
579 w = words.slice(0),
580 h = this._h,
581 k = this._key,
582 h0h = h[ 0], h0l = h[ 1], h1h = h[ 2], h1l = h[ 3],
583 h2h = h[ 4], h2l = h[ 5], h3h = h[ 6], h3l = h[ 7],
584 h4h = h[ 8], h4l = h[ 9], h5h = h[10], h5l = h[11],
585 h6h = h[12], h6l = h[13], h7h = h[14], h7l = h[15];
586
587 // Working variables
588 var ah = h0h, al = h0l, bh = h1h, bl = h1l,
589 ch = h2h, cl = h2l, dh = h3h, dl = h3l,
590 eh = h4h, el = h4l, fh = h5h, fl = h5l,
591 gh = h6h, gl = h6l, hh = h7h, hl = h7l;
592
593 for (i=0; i<80; i++) {
594 // load up the input word for this round
595 if (i<16) {
596 wrh = w[i * 2];
597 wrl = w[i * 2 + 1];
598 } else {
599 // Gamma0
600 var gamma0xh = w[(i-15) * 2];
601 var gamma0xl = w[(i-15) * 2 + 1];
602 var gamma0h =
603 ((gamma0xl << 31) | (gamma0xh >>> 1)) ^
604 ((gamma0xl << 24) | (gamma0xh >>> 8)) ^
605 (gamma0xh >>> 7);
606 var gamma0l =
607 ((gamma0xh << 31) | (gamma0xl >>> 1)) ^
608 ((gamma0xh << 24) | (gamma0xl >>> 8)) ^
609 ((gamma0xh << 25) | (gamma0xl >>> 7));
610
611 // Gamma1
612 var gamma1xh = w[(i-2) * 2];
613 var gamma1xl = w[(i-2) * 2 + 1];
614 var gamma1h =
615 ((gamma1xl << 13) | (gamma1xh >>> 19)) ^
616 ((gamma1xh << 3) | (gamma1xl >>> 29)) ^
617 (gamma1xh >>> 6);
618 var gamma1l =
619 ((gamma1xh << 13) | (gamma1xl >>> 19)) ^
620 ((gamma1xl << 3) | (gamma1xh >>> 29)) ^
621 ((gamma1xh << 26) | (gamma1xl >>> 6));
622
623 // Shortcuts
624 var wr7h = w[(i-7) * 2];
625 var wr7l = w[(i-7) * 2 + 1];
626
627 var wr16h = w[(i-16) * 2];
628 var wr16l = w[(i-16) * 2 + 1];
629
630 // W(round) = gamma0 + W(round - 7) + gamma1 + W(round - 16)
631 wrl = gamma0l + wr7l;
632 wrh = gamma0h + wr7h + ((wrl >>> 0) < (gamma0l >>> 0) ? 1 : 0);
633 wrl += gamma1l;
634 wrh += gamma1h + ((wrl >>> 0) < (gamma1l >>> 0) ? 1 : 0);
635 wrl += wr16l;
636 wrh += wr16h + ((wrl >>> 0) < (wr16l >>> 0) ? 1 : 0);
637 }
638
639 w[i*2] = wrh |= 0;
640 w[i*2 + 1] = wrl |= 0;
641
642 // Ch
643 var chh = (eh & fh) ^ (~eh & gh);
644 var chl = (el & fl) ^ (~el & gl);
645
646 // Maj
647 var majh = (ah & bh) ^ (ah & ch) ^ (bh & ch);
648 var majl = (al & bl) ^ (al & cl) ^ (bl & cl);
649
650 // Sigma0
651 var sigma0h = ((al << 4) | (ah >>> 28)) ^ ((ah << 30) | (al >>> 2)) ^ ((ah << 25) | (al >>> 7));
652 var sigma0l = ((ah << 4) | (al >>> 28)) ^ ((al << 30) | (ah >>> 2)) ^ ((al << 25) | (ah >>> 7));
653
654 // Sigma1
655 var sigma1h = ((el << 18) | (eh >>> 14)) ^ ((el << 14) | (eh >>> 18)) ^ ((eh << 23) | (el >>> 9));
656 var sigma1l = ((eh << 18) | (el >>> 14)) ^ ((eh << 14) | (el >>> 18)) ^ ((el << 23) | (eh >>> 9));
657
658 // K(round)
659 var krh = k[i*2];
660 var krl = k[i*2+1];
661
662 // t1 = h + sigma1 + ch + K(round) + W(round)
663 var t1l = hl + sigma1l;
664 var t1h = hh + sigma1h + ((t1l >>> 0) < (hl >>> 0) ? 1 : 0);
665 t1l += chl;
666 t1h += chh + ((t1l >>> 0) < (chl >>> 0) ? 1 : 0);
667 t1l += krl;
668 t1h += krh + ((t1l >>> 0) < (krl >>> 0) ? 1 : 0);
669 t1l = t1l + wrl|0; // FF32..FF34 perf issue https://bugzilla.mozilla.org/show_bug.cgi?id=1054972
670 t1h += wrh + ((t1l >>> 0) < (wrl >>> 0) ? 1 : 0);
671
672 // t2 = sigma0 + maj
673 var t2l = sigma0l + majl;
674 var t2h = sigma0h + majh + ((t2l >>> 0) < (sigma0l >>> 0) ? 1 : 0);
675
676 // Update working variables
677 hh = gh;
678 hl = gl;
679 gh = fh;
680 gl = fl;
681 fh = eh;
682 fl = el;
683 el = (dl + t1l) | 0;
684 eh = (dh + t1h + ((el >>> 0) < (dl >>> 0) ? 1 : 0)) | 0;
685 dh = ch;
686 dl = cl;
687 ch = bh;
688 cl = bl;
689 bh = ah;
690 bl = al;
691 al = (t1l + t2l) | 0;
692 ah = (t1h + t2h + ((al >>> 0) < (t1l >>> 0) ? 1 : 0)) | 0;
693 }
694
695 // Intermediate hash
696 h0l = h[1] = (h0l + al) | 0;
697 h[0] = (h0h + ah + ((h0l >>> 0) < (al >>> 0) ? 1 : 0)) | 0;
698 h1l = h[3] = (h1l + bl) | 0;
699 h[2] = (h1h + bh + ((h1l >>> 0) < (bl >>> 0) ? 1 : 0)) | 0;
700 h2l = h[5] = (h2l + cl) | 0;
701 h[4] = (h2h + ch + ((h2l >>> 0) < (cl >>> 0) ? 1 : 0)) | 0;
702 h3l = h[7] = (h3l + dl) | 0;
703 h[6] = (h3h + dh + ((h3l >>> 0) < (dl >>> 0) ? 1 : 0)) | 0;
704 h4l = h[9] = (h4l + el) | 0;
705 h[8] = (h4h + eh + ((h4l >>> 0) < (el >>> 0) ? 1 : 0)) | 0;
706 h5l = h[11] = (h5l + fl) | 0;
707 h[10] = (h5h + fh + ((h5l >>> 0) < (fl >>> 0) ? 1 : 0)) | 0;
708 h6l = h[13] = (h6l + gl) | 0;
709 h[12] = (h6h + gh + ((h6l >>> 0) < (gl >>> 0) ? 1 : 0)) | 0;
710 h7l = h[15] = (h7l + hl) | 0;
711 h[14] = (h7h + hh + ((h7l >>> 0) < (hl >>> 0) ? 1 : 0)) | 0;
712 }
713};
714
715
716//// hmac.js
717
718/** @fileOverview HMAC implementation.
719 *
720 * @author Emily Stark
721 * @author Mike Hamburg
722 * @author Dan Boneh
723 */
724
725/** HMAC with the specified hash function.
726 * @constructor
727 * @param {bitArray} key the key for HMAC.
728 * @param {Object} [hash=sjcl.hash.sha256] The hash function to use.
729 */
730sjcl.misc.hmac = function (key, Hash) {
731 this._hash = Hash = Hash || sjcl.hash.sha256;
732 var exKey = [[],[]], i,
733 bs = Hash.prototype.blockSize / 32;
734 this._baseHash = [new Hash(), new Hash()];
735
736 if (key.length > bs) {
737 key = Hash.hash(key);
738 }
739
740 for (i=0; i<bs; i++) {
741 exKey[0][i] = key[i]^0x36363636;
742 exKey[1][i] = key[i]^0x5C5C5C5C;
743 }
744
745 this._baseHash[0].update(exKey[0]);
746 this._baseHash[1].update(exKey[1]);
747 this._resultHash = new Hash(this._baseHash[0]);
748};
749
750/** HMAC with the specified hash function. Also called encrypt since it's a prf.
751 * @param {bitArray|String} data The data to mac.
752 */
753sjcl.misc.hmac.prototype.encrypt = sjcl.misc.hmac.prototype.mac = function (data) {
754 if (!this._updated) {
755 this.update(data);
756 return this.digest(data);
757 } else {
758 throw new sjcl.exception.invalid("encrypt on already updated hmac called!");
759 }
760};
761
762sjcl.misc.hmac.prototype.reset = function () {
763 this._resultHash = new this._hash(this._baseHash[0]);
764 this._updated = false;
765};
766
767sjcl.misc.hmac.prototype.update = function (data) {
768 this._updated = true;
769 this._resultHash.update(data);
770};
771
772sjcl.misc.hmac.prototype.digest = function () {
773 var w = this._resultHash.finalize(), result = new (this._hash)(this._baseHash[1]).update(w).finalize();
774
775 this.reset();
776
777 return result;
778};
779
780
781//// pbkdf2.js
782
783
784/** @fileOverview Password-based key-derivation function, version 2.0.
785 *
786 * @author Emily Stark
787 * @author Mike Hamburg
788 * @author Dan Boneh
789 */
790
791/** Password-Based Key-Derivation Function, version 2.0.
792 *
793 * Generate keys from passwords using PBKDF2-HMAC-SHA256.
794 *
795 * This is the method specified by RSA's PKCS #5 standard.
796 *
797 * @param {bitArray|String} password The password.
798 * @param {bitArray|String} salt The salt. Should have lots of entropy.
799 * @param {Number} [count=1000] The number of iterations. Higher numbers make the function slower but more secure.
800 * @param {Number} [length] The length of the derived key. Defaults to the
801 output size of the hash function.
802 * @param {Object} [Prff=sjcl.misc.hmac] The pseudorandom function family.
803 * @return {bitArray} the derived key.
804 */
805sjcl.misc.pbkdf2 = function (password, salt, count, length, Prff) {
806 count = count || 1000;
807
808 if (length < 0 || count < 0) {
809 throw sjcl.exception.invalid("invalid params to pbkdf2");
810 }
811
812 if (typeof password === "string") {
813 password = sjcl.codec.utf8String.toBits(password);
814 }
815
816 if (typeof salt === "string") {
817 salt = sjcl.codec.utf8String.toBits(salt);
818 }
819
820 Prff = Prff || sjcl.misc.hmac;
821
822 var prf = new Prff(password),
823 u, ui, i, j, k, out = [], b = sjcl.bitArray;
824
825 for (k = 1; 32 * out.length < (length || 1); k++) {
826 u = ui = prf.encrypt(b.concat(salt,[k]));
827
828 for (i=1; i<count; i++) {
829 ui = prf.encrypt(ui);
830 for (j=0; j<ui.length; j++) {
831 u[j] ^= ui[j];
832 }
833 }
834
835 out = out.concat(u);
836 }
837
838 if (length) { out = b.clamp(out, length); }
839
840 return out;
841};
842
843
844//// sha256.js
845
846/** @fileOverview Javascript SHA-256 implementation.
847 *
848 * An older version of this implementation is available in the public
849 * domain, but this one is (c) Emily Stark, Mike Hamburg, Dan Boneh,
850 * Stanford University 2008-2010 and BSD-licensed for liability
851 * reasons.
852 *
853 * Special thanks to Aldo Cortesi for pointing out several bugs in
854 * this code.
855 *
856 * @author Emily Stark
857 * @author Mike Hamburg
858 * @author Dan Boneh
859 */
860
861/**
862 * Context for a SHA-256 operation in progress.
863 * @constructor
864 * @class Secure Hash Algorithm, 256 bits.
865 */
866sjcl.hash.sha256 = function (hash) {
867 if (!this._key[0]) { this._precompute(); }
868 if (hash) {
869 this._h = hash._h.slice(0);
870 this._buffer = hash._buffer.slice(0);
871 this._length = hash._length;
872 } else {
873 this.reset();
874 }
875};
876
877/**
878 * Hash a string or an array of words.
879 * @static
880 * @param {bitArray|String} data the data to hash.
881 * @return {bitArray} The hash value, an array of 16 big-endian words.
882 */
883sjcl.hash.sha256.hash = function (data) {
884 return (new sjcl.hash.sha256()).update(data).finalize();
885};
886
887sjcl.hash.sha256.prototype = {
888 /**
889 * The hash's block size, in bits.
890 * @constant
891 */
892 blockSize: 512,
893
894 /**
895 * Reset the hash state.
896 * @return this
897 */
898 reset:function () {
899 this._h = this._init.slice(0);
900 this._buffer = [];
901 this._length = 0;
902 return this;
903 },
904
905 /**
906 * Input several words to the hash.
907 * @param {bitArray|String} data the data to hash.
908 * @return this
909 */
910 update: function (data) {
911 if (typeof data === "string") {
912 data = sjcl.codec.utf8String.toBits(data);
913 }
914 var i, b = this._buffer = sjcl.bitArray.concat(this._buffer, data),
915 ol = this._length,
916 nl = this._length = ol + sjcl.bitArray.bitLength(data);
917 for (i = 512+ol & -512; i <= nl; i+= 512) {
918 this._block(b.splice(0,16));
919 }
920 return this;
921 },
922
923 /**
924 * Complete hashing and output the hash value.
925 * @return {bitArray} The hash value, an array of 8 big-endian words.
926 */
927 finalize:function () {
928 var i, b = this._buffer, h = this._h;
929
930 // Round out and push the buffer
931 b = sjcl.bitArray.concat(b, [sjcl.bitArray.partial(1,1)]);
932
933 // Round out the buffer to a multiple of 16 words, less the 2 length words.
934 for (i = b.length + 2; i & 15; i++) {
935 b.push(0);
936 }
937
938 // append the length
939 b.push(Math.floor(this._length / 0x100000000));
940 b.push(this._length | 0);
941
942 while (b.length) {
943 this._block(b.splice(0,16));
944 }
945
946 this.reset();
947 return h;
948 },
949
950 /**
951 * The SHA-256 initialization vector, to be precomputed.
952 * @private
953 */
954 _init:[],
955 /*
956 _init:[0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19],
957 */
958
959 /**
960 * The SHA-256 hash key, to be precomputed.
961 * @private
962 */
963 _key:[],
964 /*
965 _key:
966 [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
967 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
968 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
969 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
970 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
971 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
972 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
973 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2],
974 */
975
976
977 /**
978 * Function to precompute _init and _key.
979 * @private
980 */
981 _precompute: function () {
982 var i = 0, prime = 2, factor;
983
984 function frac(x) { return (x-Math.floor(x)) * 0x100000000 | 0; }
985
986 outer: for (; i<64; prime++) {
987 for (factor=2; factor*factor <= prime; factor++) {
988 if (prime % factor === 0) {
989 // not a prime
990 continue outer;
991 }
992 }
993
994 if (i<8) {
995 this._init[i] = frac(Math.pow(prime, 1/2));
996 }
997 this._key[i] = frac(Math.pow(prime, 1/3));
998 i++;
999 }
1000 },
1001
1002 /**
1003 * Perform one cycle of SHA-256.
1004 * @param {bitArray} words one block of words.
1005 * @private
1006 */
1007 _block:function (words) {
1008 var i, tmp, a, b,
1009 w = words.slice(0),
1010 h = this._h,
1011 k = this._key,
1012 h0 = h[0], h1 = h[1], h2 = h[2], h3 = h[3],
1013 h4 = h[4], h5 = h[5], h6 = h[6], h7 = h[7];
1014
1015 /* Rationale for placement of |0 :
1016 * If a value can overflow is original 32 bits by a factor of more than a few
1017 * million (2^23 ish), there is a possibility that it might overflow the
1018 * 53-bit mantissa and lose precision.
1019 *
1020 * To avoid this, we clamp back to 32 bits by |'ing with 0 on any value that
1021 * propagates around the loop, and on the hash state h[]. I don't believe
1022 * that the clamps on h4 and on h0 are strictly necessary, but it's close
1023 * (for h4 anyway), and better safe than sorry.
1024 *
1025 * The clamps on h[] are necessary for the output to be correct even in the
1026 * common case and for short inputs.
1027 */
1028 for (i=0; i<64; i++) {
1029 // load up the input word for this round
1030 if (i<16) {
1031 tmp = w[i];
1032 } else {
1033 a = w[(i+1 ) & 15];
1034 b = w[(i+14) & 15];
1035 tmp = w[i&15] = ((a>>>7 ^ a>>>18 ^ a>>>3 ^ a<<25 ^ a<<14) +
1036 (b>>>17 ^ b>>>19 ^ b>>>10 ^ b<<15 ^ b<<13) +
1037 w[i&15] + w[(i+9) & 15]) | 0;
1038 }
1039
1040 tmp = (tmp + h7 + (h4>>>6 ^ h4>>>11 ^ h4>>>25 ^ h4<<26 ^ h4<<21 ^ h4<<7) + (h6 ^ h4&(h5^h6)) + k[i]); // | 0;
1041
1042 // shift register
1043 h7 = h6; h6 = h5; h5 = h4;
1044 h4 = h3 + tmp | 0;
1045 h3 = h2; h2 = h1; h1 = h0;
1046
1047 h0 = (tmp + ((h1&h2) ^ (h3&(h1^h2))) + (h1>>>2 ^ h1>>>13 ^ h1>>>22 ^ h1<<30 ^ h1<<19 ^ h1<<10)) | 0;
1048 }
1049
1050 h[0] = h[0]+h0 | 0;
1051 h[1] = h[1]+h1 | 0;
1052 h[2] = h[2]+h2 | 0;
1053 h[3] = h[3]+h3 | 0;
1054 h[4] = h[4]+h4 | 0;
1055 h[5] = h[5]+h5 | 0;
1056 h[6] = h[6]+h6 | 0;
1057 h[7] = h[7]+h7 | 0;
1058 }
1059};