98 | * These objects are the currency accepted by SJCL's crypto functions.
99 | *
100 | *
101 | *
102 | * Most of our crypto primitives operate on arrays of 4-byte words internally,
103 | * but many of them can take arguments that are not a multiple of 4 bytes.
104 | * This library encodes arrays of bits (whose size need not be a multiple of 8
105 | * bits) as arrays of 32-bit words. The bits are packed, big-endian, into an
106 | * array of words, 32 bits at a time. Since the words are double-precision
107 | * floating point numbers, they fit some extra data. We use this (in a private,
108 | * possibly-changing manner) to encode the number of bits actually present
109 | * in the last word of the array.
110 | *
111 | *
112 | *
113 | * Because bitwise ops clear this out-of-band data, these arrays can be passed
114 | * to ciphers like AES which want arrays of words.
115 | *
116 | */
117 | sjcl.bitArray = {
118 | /**
119 | * Array slices in units of bits.
120 | * @param {bitArray} a The array to slice.
121 | * @param {Number} bstart The offset to the start of the slice, in bits.
122 | * @param {Number} bend The offset to the end of the slice, in bits. If this is undefined,
123 | * slice until the end of the array.
124 | * @return {bitArray} The requested slice.
125 | */
126 | bitSlice: function (a, bstart, bend) {
127 | a = sjcl.bitArray._shiftRight(a.slice(bstart/32), 32 - (bstart & 31)).slice(1);
128 | return (bend === undefined) ? a : sjcl.bitArray.clamp(a, bend-bstart);
129 | },
130 |
131 | /**
132 | * Extract a number packed into a bit array.
133 | * @param {bitArray} a The array to slice.
134 | * @param {Number} bstart The offset to the start of the slice, in bits.
135 | * @param {Number} length The length of the number to extract.
136 | * @return {Number} The requested slice.
137 | */
138 | extract: function(a, bstart, blength) {
139 | // FIXME: this Math.floor is not necessary at all, but for some reason
140 | // seems to suppress a bug in the Chromium JIT.
141 | var x, sh = Math.floor((-bstart-blength) & 31);
142 | if ((bstart + blength - 1 ^ bstart) & -32) {
143 | // it crosses a boundary
144 | x = (a[bstart/32|0] << (32 - sh)) ^ (a[bstart/32+1|0] >>> sh);
145 | } else {
146 | // within a single word
147 | x = a[bstart/32|0] >>> sh;
148 | }
149 | return x & ((1< 0 && len) {
195 | a[l-1] = sjcl.bitArray.partial(len, a[l-1] & 0x80000000 >> (len-1), 1);
196 | }
197 | return a;
198 | },
199 |
200 | /**
201 | * Make a partial word for a bit array.
202 | * @param {Number} len The number of bits in the word.
203 | * @param {Number} x The bits.
204 | * @param {Number} [0] _end Pass 1 if x has already been shifted to the high side.
205 | * @return {Number} The partial word.
206 | */
207 | partial: function (len, x, _end) {
208 | if (len === 32) { return x; }
209 | return (_end ? x|0 : x << (32-len)) + len * 0x10000000000;
210 | },
211 |
212 | /**
213 | * Get the number of bits used by a partial word.
214 | * @param {Number} x The partial word.
215 | * @return {Number} The number of bits used by the partial word.
216 | */
217 | getPartial: function (x) {
218 | return Math.round(x/0x10000000000) || 32;
219 | },
220 |
221 | /**
222 | * Compare two arrays for equality in a predictable amount of time.
223 | * @param {bitArray} a The first array.
224 | * @param {bitArray} b The second array.
225 | * @return {boolean} true if a == b; false otherwise.
226 | */
227 | equal: function (a, b) {
228 | if (sjcl.bitArray.bitLength(a) !== sjcl.bitArray.bitLength(b)) {
229 | return false;
230 | }
231 | var x = 0, i;
232 | for (i=0; i= 32; shift -= 32) {
250 | out.push(carry);
251 | carry = 0;
252 | }
253 | if (shift === 0) {
254 | return out.concat(a);
255 | }
256 |
257 | for (i=0; i>>shift);
259 | carry = a[i] << (32-shift);
260 | }
261 | last2 = a.length ? a[a.length-1] : 0;
262 | shift2 = sjcl.bitArray.getPartial(last2);
263 | out.push(sjcl.bitArray.partial(shift+shift2 & 31, (shift + shift2 > 32) ? carry : out.pop(),1));
264 | return out;
265 | },
266 |
267 | /** xor a block of 4 words together.
268 | * @private
269 | */
270 | _xor4: function(x,y) {
271 | return [x[0]^y[0],x[1]^y[1],x[2]^y[2],x[3]^y[3]];
272 | },
273 |
274 | /** byteswap a word array inplace.
275 | * (does not handle partial words)
276 | * @param {sjcl.bitArray} a word array
277 | * @return {sjcl.bitArray} byteswapped array
278 | */
279 | byteswapM: function(a) {
280 | var i, v, m = 0xff00;
281 | for (i = 0; i < a.length; ++i) {
282 | v = a[i];
283 | a[i] = (v >>> 24) | ((v >>> 8) & m) | ((v & m) << 8) | (v << 24);
284 | }
285 | return a;
286 | }
287 | };
288 |
289 |
290 | //// codecString.js
291 |
292 | /** @fileOverview Bit array codec implementations.
293 | *
294 | * @author Emily Stark
295 | * @author Mike Hamburg
296 | * @author Dan Boneh
297 | */
298 |
299 | /** @namespace UTF-8 strings */
300 | sjcl.codec.utf8String = {
301 | /** Convert from a bitArray to a UTF-8 string. */
302 | fromBits: function (arr) {
303 | var out = "", bl = sjcl.bitArray.bitLength(arr), i, tmp;
304 | for (i=0; i>> 24);
309 | tmp <<= 8;
310 | }
311 | return decodeURIComponent(escape(out));
312 | },
313 |
314 | /** Convert from a UTF-8 string to a bitArray. */
315 | toBits: function (str) {
316 | str = unescape(encodeURIComponent(str));
317 | var out = [], i, tmp=0;
318 | for (i=0; i>> 1)) ^
604 | ((gamma0xl << 24) | (gamma0xh >>> 8)) ^
605 | (gamma0xh >>> 7);
606 | var gamma0l =
607 | ((gamma0xh << 31) | (gamma0xl >>> 1)) ^
608 | ((gamma0xh << 24) | (gamma0xl >>> 8)) ^
609 | ((gamma0xh << 25) | (gamma0xl >>> 7));
610 |
611 | // Gamma1
612 | var gamma1xh = w[(i-2) * 2];
613 | var gamma1xl = w[(i-2) * 2 + 1];
614 | var gamma1h =
615 | ((gamma1xl << 13) | (gamma1xh >>> 19)) ^
616 | ((gamma1xh << 3) | (gamma1xl >>> 29)) ^
617 | (gamma1xh >>> 6);
618 | var gamma1l =
619 | ((gamma1xh << 13) | (gamma1xl >>> 19)) ^
620 | ((gamma1xl << 3) | (gamma1xh >>> 29)) ^
621 | ((gamma1xh << 26) | (gamma1xl >>> 6));
622 |
623 | // Shortcuts
624 | var wr7h = w[(i-7) * 2];
625 | var wr7l = w[(i-7) * 2 + 1];
626 |
627 | var wr16h = w[(i-16) * 2];
628 | var wr16l = w[(i-16) * 2 + 1];
629 |
630 | // W(round) = gamma0 + W(round - 7) + gamma1 + W(round - 16)
631 | wrl = gamma0l + wr7l;
632 | wrh = gamma0h + wr7h + ((wrl >>> 0) < (gamma0l >>> 0) ? 1 : 0);
633 | wrl += gamma1l;
634 | wrh += gamma1h + ((wrl >>> 0) < (gamma1l >>> 0) ? 1 : 0);
635 | wrl += wr16l;
636 | wrh += wr16h + ((wrl >>> 0) < (wr16l >>> 0) ? 1 : 0);
637 | }
638 |
639 | w[i*2] = wrh |= 0;
640 | w[i*2 + 1] = wrl |= 0;
641 |
642 | // Ch
643 | var chh = (eh & fh) ^ (~eh & gh);
644 | var chl = (el & fl) ^ (~el & gl);
645 |
646 | // Maj
647 | var majh = (ah & bh) ^ (ah & ch) ^ (bh & ch);
648 | var majl = (al & bl) ^ (al & cl) ^ (bl & cl);
649 |
650 | // Sigma0
651 | var sigma0h = ((al << 4) | (ah >>> 28)) ^ ((ah << 30) | (al >>> 2)) ^ ((ah << 25) | (al >>> 7));
652 | var sigma0l = ((ah << 4) | (al >>> 28)) ^ ((al << 30) | (ah >>> 2)) ^ ((al << 25) | (ah >>> 7));
653 |
654 | // Sigma1
655 | var sigma1h = ((el << 18) | (eh >>> 14)) ^ ((el << 14) | (eh >>> 18)) ^ ((eh << 23) | (el >>> 9));
656 | var sigma1l = ((eh << 18) | (el >>> 14)) ^ ((eh << 14) | (el >>> 18)) ^ ((el << 23) | (eh >>> 9));
657 |
658 | // K(round)
659 | var krh = k[i*2];
660 | var krl = k[i*2+1];
661 |
662 | // t1 = h + sigma1 + ch + K(round) + W(round)
663 | var t1l = hl + sigma1l;
664 | var t1h = hh + sigma1h + ((t1l >>> 0) < (hl >>> 0) ? 1 : 0);
665 | t1l += chl;
666 | t1h += chh + ((t1l >>> 0) < (chl >>> 0) ? 1 : 0);
667 | t1l += krl;
668 | t1h += krh + ((t1l >>> 0) < (krl >>> 0) ? 1 : 0);
669 | t1l = t1l + wrl|0; // FF32..FF34 perf issue https://bugzilla.mozilla.org/show_bug.cgi?id=1054972
670 | t1h += wrh + ((t1l >>> 0) < (wrl >>> 0) ? 1 : 0);
671 |
672 | // t2 = sigma0 + maj
673 | var t2l = sigma0l + majl;
674 | var t2h = sigma0h + majh + ((t2l >>> 0) < (sigma0l >>> 0) ? 1 : 0);
675 |
676 | // Update working variables
677 | hh = gh;
678 | hl = gl;
679 | gh = fh;
680 | gl = fl;
681 | fh = eh;
682 | fl = el;
683 | el = (dl + t1l) | 0;
684 | eh = (dh + t1h + ((el >>> 0) < (dl >>> 0) ? 1 : 0)) | 0;
685 | dh = ch;
686 | dl = cl;
687 | ch = bh;
688 | cl = bl;
689 | bh = ah;
690 | bl = al;
691 | al = (t1l + t2l) | 0;
692 | ah = (t1h + t2h + ((al >>> 0) < (t1l >>> 0) ? 1 : 0)) | 0;
693 | }
694 |
695 | // Intermediate hash
696 | h0l = h[1] = (h0l + al) | 0;
697 | h[0] = (h0h + ah + ((h0l >>> 0) < (al >>> 0) ? 1 : 0)) | 0;
698 | h1l = h[3] = (h1l + bl) | 0;
699 | h[2] = (h1h + bh + ((h1l >>> 0) < (bl >>> 0) ? 1 : 0)) | 0;
700 | h2l = h[5] = (h2l + cl) | 0;
701 | h[4] = (h2h + ch + ((h2l >>> 0) < (cl >>> 0) ? 1 : 0)) | 0;
702 | h3l = h[7] = (h3l + dl) | 0;
703 | h[6] = (h3h + dh + ((h3l >>> 0) < (dl >>> 0) ? 1 : 0)) | 0;
704 | h4l = h[9] = (h4l + el) | 0;
705 | h[8] = (h4h + eh + ((h4l >>> 0) < (el >>> 0) ? 1 : 0)) | 0;
706 | h5l = h[11] = (h5l + fl) | 0;
707 | h[10] = (h5h + fh + ((h5l >>> 0) < (fl >>> 0) ? 1 : 0)) | 0;
708 | h6l = h[13] = (h6l + gl) | 0;
709 | h[12] = (h6h + gh + ((h6l >>> 0) < (gl >>> 0) ? 1 : 0)) | 0;
710 | h7l = h[15] = (h7l + hl) | 0;
711 | h[14] = (h7h + hh + ((h7l >>> 0) < (hl >>> 0) ? 1 : 0)) | 0;
712 | }
713 | };
714 |
715 |
716 | //// hmac.js
717 |
718 | /** @fileOverview HMAC implementation.
719 | *
720 | * @author Emily Stark
721 | * @author Mike Hamburg
722 | * @author Dan Boneh
723 | */
724 |
725 | /** HMAC with the specified hash function.
726 | * @constructor
727 | * @param {bitArray} key the key for HMAC.
728 | * @param {Object} [hash=sjcl.hash.sha256] The hash function to use.
729 | */
730 | sjcl.misc.hmac = function (key, Hash) {
731 | this._hash = Hash = Hash || sjcl.hash.sha256;
732 | var exKey = [[],[]], i,
733 | bs = Hash.prototype.blockSize / 32;
734 | this._baseHash = [new Hash(), new Hash()];
735 |
736 | if (key.length > bs) {
737 | key = Hash.hash(key);
738 | }
739 |
740 | for (i=0; i>>7 ^ a>>>18 ^ a>>>3 ^ a<<25 ^ a<<14) +
1036 | (b>>>17 ^ b>>>19 ^ b>>>10 ^ b<<15 ^ b<<13) +
1037 | w[i&15] + w[(i+9) & 15]) | 0;
1038 | }
1039 |
1040 | tmp = (tmp + h7 + (h4>>>6 ^ h4>>>11 ^ h4>>>25 ^ h4<<26 ^ h4<<21 ^ h4<<7) + (h6 ^ h4&(h5^h6)) + k[i]); // | 0;
1041 |
1042 | // shift register
1043 | h7 = h6; h6 = h5; h5 = h4;
1044 | h4 = h3 + tmp | 0;
1045 | h3 = h2; h2 = h1; h1 = h0;
1046 |
1047 | h0 = (tmp + ((h1&h2) ^ (h3&(h1^h2))) + (h1>>>2 ^ h1>>>13 ^ h1>>>22 ^ h1<<30 ^ h1<<19 ^ h1<<10)) | 0;
1048 | }
1049 |
1050 | h[0] = h[0]+h0 | 0;
1051 | h[1] = h[1]+h1 | 0;
1052 | h[2] = h[2]+h2 | 0;
1053 | h[3] = h[3]+h3 | 0;
1054 | h[4] = h[4]+h4 | 0;
1055 | h[5] = h[5]+h5 | 0;
1056 | h[6] = h[6]+h6 | 0;
1057 | h[7] = h[7]+h7 | 0;
1058 | }
1059 | };
1060 |
--------------------------------------------------------------------------------