├── .gitignore
├── .travis.yml
├── test_browser
    └── test.html
├── .eslintrc.json
├── example
    └── sessionKeysSample.js
├── index.html
├── package.json
├── CODE_OF_CONDUCT.md
├── index.js
├── test
    └── test.js
├── README.md
└── dist
    └── sessionKeys.js


/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules/
2 | npm-debug.log
3 | test_browser/test_bundle.js
4 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: node_js
2 | node_js:
3 |   - "12"
4 |   - "11"
5 |   - "10"
6 | 


--------------------------------------------------------------------------------
/test_browser/test.html:
--------------------------------------------------------------------------------
1 | <!-- run with : 'npm run test_browser' -->
2 | <script src="test_bundle.js"></script>
3 | 


--------------------------------------------------------------------------------
/.eslintrc.json:
--------------------------------------------------------------------------------
1 | {
2 |     "extends": "standard",
3 |     "installedESLint": true,
4 |     "plugins": [
5 |         "standard",
6 |         "promise"
7 |     ]
8 | }


--------------------------------------------------------------------------------
/example/sessionKeysSample.js:
--------------------------------------------------------------------------------
 1 | var sessionKeys = require('../')
 2 | 
 3 | sessionKeys.generate('user@example.com', 'my secret password', function (err, keys) {
 4 |   if (err) {
 5 |     console.log(err.stack)
 6 |   }
 7 | 
 8 |   console.log(keys)
 9 | })
10 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |     <body>
 3 |         <h2>sessionKeys</h2>
 4 |         <p>Open the browser console and try:</p>
 5 |         <code>
 6 |             sessionKeys.generate('user@example.com', 'my secret password', function(err, keys) { console.log(keys) })
 7 |         </code>
 8 |         <script src="dist/sessionKeys.js"></script>
 9 |     </body>
10 | </html>
11 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "session-keys",
 3 |   "version": "2.0.4",
 4 |   "description": "Derives NaCl compatible public and private encryption keys, symmetric encryption keys, and digital signature keys from an ID and password using SHA256, scrypt, and TweetNaCl.js.",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "test": "tape test/*.js",
 8 |     "test-browser": "rm -f test_browser/test_bundle.js && browserify test/*.js > test_browser/test_bundle.js && open test_browser/test.html",
 9 |     "build": "browserify index.js --standalone sessionKeys > dist/sessionKeys.js"
10 |   },
11 |   "repository": {
12 |     "type": "git",
13 |     "url": "git@github.com:grempe/session-keys-js.git"
14 |   },
15 |   "keywords": [
16 |     "cryptography",
17 |     "public key",
18 |     "private key",
19 |     "keypairs",
20 |     "signatures",
21 |     "security",
22 |     "SHA256",
23 |     "NaCl",
24 |     "TweetNaCl",
25 |     "Curve25519",
26 |     "ed25519",
27 |     "scrypt",
28 |     "password",
29 |     "passphrase"
30 |   ],
31 |   "author": "Glenn Rempe <glenn@rempe.us> (https://www.rempe.us/)",
32 |   "license": "MIT",
33 |   "bugs": {
34 |     "url": "https://github.com/grempe/session-keys-js/issues"
35 |   },
36 |   "homepage": "https://github.com/grempe/session-keys-js",
37 |   "dependencies": {
38 |     "base64-js": "^1.3.1",
39 |     "fast-sha256": "^1.1.0",
40 |     "scrypt-async": "^2.0.1",
41 |     "tweetnacl": "^1.0.1"
42 |   },
43 |   "devDependencies": {
44 |     "browserify": "^16.5.0",
45 |     "eslint": "^6.2.1",
46 |     "eslint-config-standard": "^14.0.1",
47 |     "eslint-plugin-promise": "^4.2.1",
48 |     "eslint-plugin-standard": "^4.0.1",
49 |     "tap-spec": "^5.0.0",
50 |     "tape": "^4.11.0",
51 |     "watchify": "^3.11.1"
52 |   }
53 | }
54 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Code of Conduct
 2 | 
 3 | As contributors and maintainers of this project, and in the interest of
 4 | fostering an open and welcoming community, we pledge to respect all people who
 5 | contribute through reporting issues, posting feature requests, updating
 6 | documentation, submitting pull requests or patches, and other activities.
 7 | 
 8 | We are committed to making participation in this project a harassment-free
 9 | experience for everyone, regardless of level of experience, gender, gender
10 | identity and expression, sexual orientation, disability, personal appearance,
11 | body size, race, ethnicity, age, religion, or nationality.
12 | 
13 | Examples of unacceptable behavior by participants include:
14 | 
15 | * The use of sexualized language or imagery
16 | * Personal attacks
17 | * Trolling or insulting/derogatory comments
18 | * Public or private harassment
19 | * Publishing other's private information, such as physical or electronic
20 |   addresses, without explicit permission
21 | * Other unethical or unprofessional conduct
22 | 
23 | Project maintainers have the right and responsibility to remove, edit, or
24 | reject comments, commits, code, wiki edits, issues, and other contributions
25 | that are not aligned to this Code of Conduct, or to ban temporarily or
26 | permanently any contributor for other behaviors that they deem inappropriate,
27 | threatening, offensive, or harmful.
28 | 
29 | By adopting this Code of Conduct, project maintainers commit themselves to
30 | fairly and consistently applying these principles to every aspect of managing
31 | this project. Project maintainers who do not follow or enforce the Code of
32 | Conduct may be permanently removed from the project team.
33 | 
34 | This code of conduct applies both within project spaces and in public spaces
35 | when an individual is representing the project or its community.
36 | 
37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
38 | reported by contacting a project maintainer at glenn@rempe.us. All
39 | complaints will be reviewed and investigated and will result in a response that
40 | is deemed necessary and appropriate to the circumstances. Maintainers are
41 | obligated to maintain confidentiality with regard to the reporter of an
42 | incident.
43 | 
44 | This Code of Conduct is adapted from the [Contributor Covenant][homepage],
45 | version 1.3.0, available at
46 | [http://contributor-covenant.org/version/1/3/0/][version]
47 | 
48 | [homepage]: http://contributor-covenant.org
49 | [version]: http://contributor-covenant.org/version/1/3/0/
50 | 


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
  1 | var sha256 = require('fast-sha256')
  2 | var scrypt = require('scrypt-async')
  3 | var nacl = require('tweetnacl')
  4 | var base64 = require('base64-js')
  5 | 
  6 | // Code inspired by:
  7 | // https://github.com/kaepora/miniLock/blob/master/src/js/miniLock.js
  8 | // https://github.com/jo/session25519
  9 | 
 10 | // Extracted from tweetnacl-util-js
 11 | // https://github.com/dchest/tweetnacl-util-js/blob/master/nacl-util.js#L16
 12 | function decodeUTF8 (s) {
 13 |   var i, d, b
 14 |   d = unescape(encodeURIComponent(s))
 15 |   b = new Uint8Array(d.length)
 16 | 
 17 |   for (i = 0; i < d.length; i++) b[i] = d.charCodeAt(i)
 18 |   return b
 19 | }
 20 | 
 21 | // Convert a decimal to hex with proper padding
 22 | // Input:
 23 | //   d                      // A decimal number between 0-255
 24 | //
 25 | // Result:
 26 | //   Returns a padded hex string representing the decimal arg
 27 | //
 28 | function decToHex (d) {
 29 |   var hex = Number(d).toString(16)
 30 |   while (hex.length < 2) {
 31 |     hex = '0' + hex
 32 |   }
 33 |   return hex
 34 | }
 35 | 
 36 | // Convert Uint8Array of bytes to hex
 37 | // Input:
 38 | //   arr                      // Uint8Array of bytes to convert to hex
 39 | //
 40 | // Result:
 41 | //   Returns a Base16 hex encoded version of arr
 42 | //
 43 | function byteArrayToHex (arr) {
 44 |   var hex, i
 45 |   hex = ''
 46 |   for (i = 0; i < arr.length; ++i) {
 47 |     hex += decToHex(arr[i])
 48 |   }
 49 |   return hex
 50 | }
 51 | 
 52 | // Input:
 53 | //   key                      // User key hash (Uint8Array)
 54 | //   salt                     // Salt (username or email) (Uint8Array)
 55 | //   callback function
 56 | //
 57 | // Result:
 58 | //   Returns 256 bytes of scrypt derived key material in a Uint8Array,
 59 | //   which is then passed to the callback.
 60 | //
 61 | function getScryptKey (key, salt, callback) {
 62 |   'use strict'
 63 | 
 64 |   scrypt(key, salt, {
 65 |     N: 16384,
 66 |     r: 8,
 67 |     p: 1,
 68 |     dkLen: 256,
 69 |     encoding: 'binary'
 70 |   }, function (derivedKey) {
 71 |     return callback(derivedKey)
 72 |   })
 73 | }
 74 | 
 75 | // Input:
 76 | //  id          // A UTF-8 username or email
 77 | //  password    // A UTF-8 passphrase
 78 | //  callback    // A callback function
 79 | //
 80 | // Result:
 81 | //   An object literal with all key material
 82 | //
 83 | exports.generate = function (id, password, callback) {
 84 |   'use strict'
 85 | 
 86 |   var idSha256Bbytes, idSha256Hex, scryptKey, scryptSalt, byteKeys,
 87 |     hexKeys, naclEncryptionKeyPairs, naclEncryptionKeyPairsBase64,
 88 |     naclSigningKeyPairs, naclSigningKeyPairsBase64, out
 89 | 
 90 |   idSha256Bbytes = sha256(decodeUTF8(id))
 91 |   idSha256Hex = byteArrayToHex(idSha256Bbytes)
 92 | 
 93 |   scryptKey = sha256(decodeUTF8(password))
 94 |   scryptSalt = sha256(decodeUTF8([idSha256Hex, idSha256Hex.length, 'session_keys'].join('')))
 95 | 
 96 |   getScryptKey(scryptKey, scryptSalt, function (scryptByteArray) {
 97 |     try {
 98 |       byteKeys = []
 99 |       hexKeys = []
100 |       naclEncryptionKeyPairs = []
101 |       naclEncryptionKeyPairsBase64 = []
102 |       naclSigningKeyPairs = []
103 |       naclSigningKeyPairsBase64 = []
104 | 
105 |       // Generate 8 pairs of all types of keys. The key types
106 |       // at each Array index are all derived from the same key
107 |       // bytes. Use different Array index values for each to ensure
108 |       // they don't share common key bytes. For example:
109 |       //
110 |       // uuid : output.hexKeys[0]
111 |       // encryption keypair : output.naclEncryptionKeyPairs[1]
112 |       // signing keypair : output.naclSigningKeyPairs[2]
113 |       //
114 |       var b = 0
115 |       for (var i = 0; i < 8; ++i) {
116 |         var byteArr = scryptByteArray.subarray(b, b + 32)
117 |         byteKeys.push(byteArr)
118 |         hexKeys.push(byteArrayToHex(byteArr))
119 | 
120 |         var naclEncryptionKeyPair = nacl.box.keyPair.fromSecretKey(byteArr)
121 |         var naclSigningKeyPair = nacl.sign.keyPair.fromSeed(byteArr)
122 | 
123 |         naclEncryptionKeyPairs.push(naclEncryptionKeyPair)
124 |         naclEncryptionKeyPairsBase64.push({
125 |           secretKey: base64.fromByteArray(naclEncryptionKeyPair.secretKey),
126 |           publicKey: base64.fromByteArray(naclEncryptionKeyPair.publicKey)
127 |         })
128 | 
129 |         naclSigningKeyPairs.push(naclSigningKeyPair)
130 |         naclSigningKeyPairsBase64.push({
131 |           secretKey: base64.fromByteArray(naclSigningKeyPair.secretKey),
132 |           publicKey: base64.fromByteArray(naclSigningKeyPair.publicKey)
133 |         })
134 | 
135 |         b += 32
136 |       }
137 | 
138 |       out = {}
139 |       out.id = idSha256Hex
140 |       out.byteKeys = byteKeys
141 |       out.hexKeys = hexKeys
142 |       out.naclEncryptionKeyPairs = naclEncryptionKeyPairs
143 |       out.naclEncryptionKeyPairsBase64 = naclEncryptionKeyPairsBase64
144 |       out.naclSigningKeyPairs = naclSigningKeyPairs
145 |       out.naclSigningKeyPairsBase64 = naclSigningKeyPairsBase64
146 | 
147 |       return callback(null, out)
148 |     } catch (err) {
149 |       return callback(err)
150 |     }
151 |   })
152 | }
153 | 


--------------------------------------------------------------------------------
/test/test.js:
--------------------------------------------------------------------------------
  1 | var sessionKeys = require('../')
  2 | var test = require('tape')
  3 | var base64 = require('base64-js')
  4 | 
  5 | // ##########################################################################
  6 | // # WARNING : WARNING : WARNING : WARNING : WARNING : WARNING : WARNING
  7 | // # DO NOT CHANGE THE RESULT VALUES. THEY ARE USED BY MORE THAN ONE LIBRARY
  8 | // # AND THE OUTPUTS MUST BE CONSTANT TO ENSURE INTEROPERABILITY!
  9 | // #
 10 | // # IF THESE TESTS NO LONGER PASS THEN INTEROPERABILITY IS BROKEN!
 11 | // ##########################################################################
 12 | 
 13 | // INTERACTIVE
 14 | 
 15 | test('interactive test', function (t) {
 16 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
 17 |     t.plan(7)
 18 | 
 19 |     t.notOk(err, 'interactive no error')
 20 | 
 21 |     t.equal(key.byteKeys.length, 8, 'interactive byteKeys length')
 22 |     t.equal(key.hexKeys.length, 8, 'interactive hexKeys length')
 23 |     t.equal(key.naclEncryptionKeyPairs.length, 8, 'interactive naclEncryptionKeyPairs length')
 24 |     t.equal(key.naclEncryptionKeyPairsBase64.length, 8, 'interactive naclEncryptionKeyPairsBase64 length')
 25 |     t.equal(key.naclSigningKeyPairs.length, 8, 'interactive naclSigningKeyPairs length')
 26 |     t.equal(key.naclSigningKeyPairsBase64.length, 8, 'interactive naclSigningKeyPairsBase64 length')
 27 |   })
 28 | })
 29 | 
 30 | test('interactive id test', function (t) {
 31 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
 32 |     t.plan(2)
 33 | 
 34 |     t.notOk(err, 'interactive id no error')
 35 | 
 36 |     t.equals(key.id, 'b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514', 'interactive id')
 37 |   })
 38 | })
 39 | 
 40 | test('interactive byteKeys test', function (t) {
 41 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
 42 |     t.plan(2)
 43 | 
 44 |     t.notOk(err, 'interactive byteKeys no error')
 45 | 
 46 |     t.deepEqual(key.byteKeys,
 47 |       [
 48 |         new Uint8Array([227, 213, 226, 155, 22, 212, 112, 32, 60, 247, 86, 101, 125, 154, 151, 234, 71, 59, 82, 79, 8, 52, 188, 100, 91, 28, 165, 216, 183, 137, 157, 17]),
 49 |         new Uint8Array([1, 37, 254, 86, 67, 74, 79, 174, 191, 132, 239, 255, 168, 102, 235, 106, 29, 219, 45, 47, 237, 108, 62, 205, 151, 27, 163, 160, 14, 0, 166, 54]),
 50 |         new Uint8Array([81, 64, 179, 222, 199, 221, 82, 29, 93, 162, 162, 48, 44, 38, 209, 199, 21, 244, 64, 92, 47, 201, 177, 111, 93, 89, 82, 130, 203, 120, 135, 187]),
 51 |         new Uint8Array([128, 57, 78, 134, 230, 191, 121, 88, 50, 177, 118, 75, 63, 231, 21, 168, 106, 103, 187, 78, 254, 58, 140, 198, 237, 3, 109, 126, 68, 60, 204, 216]),
 52 |         new Uint8Array([125, 57, 175, 89, 168, 203, 202, 97, 200, 211, 78, 174, 118, 117, 162, 77, 206, 120, 124, 239, 76, 158, 219, 104, 27, 72, 253, 129, 100, 216, 68, 122]),
 53 |         new Uint8Array([244, 123, 137, 212, 254, 81, 59, 36, 159, 247, 79, 163, 24, 189, 249, 58, 104, 13, 58, 174, 84, 236, 166, 53, 158, 251, 235, 160, 188, 44, 17, 35]),
 54 |         new Uint8Array([70, 41, 248, 98, 4, 156, 146, 253, 236, 23, 38, 177, 1, 91, 139, 123, 15, 96, 53, 41, 168, 60, 244, 52, 89, 16, 219, 60, 29, 183, 32, 110]),
 55 |         new Uint8Array([61, 52, 141, 115, 90, 229, 18, 231, 253, 192, 39, 20, 196, 222, 98, 126, 178, 56, 26, 30, 100, 75, 225, 191, 81, 74, 155, 41, 78, 19, 53, 97])
 56 |       ]
 57 |       , 'interactive byteKeys')
 58 |   })
 59 | })
 60 | 
 61 | test('interactive hexKeys test', function (t) {
 62 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
 63 |     t.plan(2)
 64 | 
 65 |     t.notOk(err, 'interactive hexKeys no error')
 66 | 
 67 |     t.deepEqual(key.hexKeys,
 68 |       [
 69 |         'e3d5e29b16d470203cf756657d9a97ea473b524f0834bc645b1ca5d8b7899d11',
 70 |         '0125fe56434a4faebf84efffa866eb6a1ddb2d2fed6c3ecd971ba3a00e00a636',
 71 |         '5140b3dec7dd521d5da2a2302c26d1c715f4405c2fc9b16f5d595282cb7887bb',
 72 |         '80394e86e6bf795832b1764b3fe715a86a67bb4efe3a8cc6ed036d7e443cccd8',
 73 |         '7d39af59a8cbca61c8d34eae7675a24dce787cef4c9edb681b48fd8164d8447a',
 74 |         'f47b89d4fe513b249ff74fa318bdf93a680d3aae54eca6359efbeba0bc2c1123',
 75 |         '4629f862049c92fdec1726b1015b8b7b0f603529a83cf4345910db3c1db7206e',
 76 |         '3d348d735ae512e7fdc02714c4de627eb2381a1e644be1bf514a9b294e133561'
 77 |       ]
 78 |       , 'interactive hexKeys')
 79 |   })
 80 | })
 81 | 
 82 | test('interactive naclEncryptionKeyPairsBase64 test', function (t) {
 83 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
 84 |     t.plan(2)
 85 | 
 86 |     t.notOk(err, 'interactive naclEncryptionKeyPairsBase64 no error')
 87 | 
 88 |     t.deepEqual(key.naclEncryptionKeyPairsBase64,
 89 |       [
 90 |         {secretKey: '49XimxbUcCA891ZlfZqX6kc7Uk8INLxkWxyl2LeJnRE=', publicKey: '9G8XJgiIXj32stQmxtUa8vmmvLGTssTrEwd9tIYpVkA='},
 91 |         {secretKey: 'ASX+VkNKT66/hO//qGbrah3bLS/tbD7NlxujoA4ApjY=', publicKey: 'JH73SmhYv43j25rpC8q797XHQi4hx/DrAcQCb5i143k='},
 92 |         {secretKey: 'UUCz3sfdUh1doqIwLCbRxxX0QFwvybFvXVlSgst4h7s=', publicKey: 'HmpoJqIjMnHYqvQheiCc8HXymyiGHX3ell8A+2WE330='},
 93 |         {secretKey: 'gDlOhua/eVgysXZLP+cVqGpnu07+OozG7QNtfkQ8zNg=', publicKey: 'otEJhqs+cpZ1x4OHva30k4T8ye7x5eUBc2UR5IcZkhc='},
 94 |         {secretKey: 'fTmvWajLymHI006udnWiTc54fO9MnttoG0j9gWTYRHo=', publicKey: 'AHHyBuknbD8/2sOe5fUWY7y9zVkOD1SrjaLdBRglVDM='},
 95 |         {secretKey: '9HuJ1P5ROySf90+jGL35OmgNOq5U7KY1nvvroLwsESM=', publicKey: 'uFKZeT1VgkltnczCmljitEQswPFjQT2mS6nRKAJ4YnE='},
 96 |         {secretKey: 'Rin4YgSckv3sFyaxAVuLew9gNSmoPPQ0WRDbPB23IG4=', publicKey: 'W/VA/NmgV4idPxVtzuGE8Uo5bs2fQU0L2cxhoZJFgyU='},
 97 |         {secretKey: 'PTSNc1rlEuf9wCcUxN5ifrI4Gh5kS+G/UUqbKU4TNWE=', publicKey: 'zyQcH+swlgDiBwzDAtFnTMKWR//DdNPyFYNLLMOLsjc='}
 98 |       ]
 99 |       , 'interactive naclEncryptionKeyPairsBase64')
100 |   })
101 | })
102 | 
103 | test('interactive naclSigningKeyPairsBase64 test', function (t) {
104 |   sessionKeys.generate('user@example.com', 'pet sprain our trial patch bg', function (err, key) {
105 |     t.plan(9)
106 | 
107 |     t.notOk(err, 'interactive naclSigningKeyPairsBase64 no error')
108 | 
109 |     // NOTE : Test only the public (verify) key against the Ruby gem output.
110 |     // RbNaCl and tweetnacl-js somehow have different private key values,
111 |     // but the same public key values. This is OK, since the private
112 |     // key is never shared.
113 |     t.equals(key.naclSigningKeyPairsBase64[0]['publicKey'], '9mc6TmR6fw+OfPZA+TI4pDMeensYo3vHjCAWwNJr5Sg=', 'public key 0')
114 |     t.equals(key.naclSigningKeyPairsBase64[1]['publicKey'], 'IA4yoeU/2xv2elvmJWFLP3Hiy2Hp5FdGpdrJjkf+5FU=', 'public key 1')
115 |     t.equals(key.naclSigningKeyPairsBase64[2]['publicKey'], '/orhEpXoWrbHQcWlg/IEnNiJvW+2j0lS7+/gvOFlppc=', 'public key 2')
116 |     t.equals(key.naclSigningKeyPairsBase64[3]['publicKey'], 'JAr8Pcij0HTvraNF9UeZ3vx0rvtixv4aIIMuDXrq+xc=', 'public key 3')
117 |     t.equals(key.naclSigningKeyPairsBase64[4]['publicKey'], 'j9v+uOiZ2iVYwIiSMEeh8LVtFVagKkQ0n8lM6g7NIEY=', 'public key 4')
118 |     t.equals(key.naclSigningKeyPairsBase64[5]['publicKey'], 'SJF1MvZ0Ggb1UQWHKkn9NHAkHU9A/ofV159fCsB6Pbo=', 'public key 5')
119 |     t.equals(key.naclSigningKeyPairsBase64[6]['publicKey'], 'KlYHO13rFU3vlWxHvMo0s7nILVH6rzsgDAblSz3yVaw=', 'public key 6')
120 |     t.equals(key.naclSigningKeyPairsBase64[7]['publicKey'], 'HllzWBHwzXC4XnQU0xSzGDYN5aUhD2lbSQJVF3f2mQA=', 'public key 7')
121 |   })
122 | })
123 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # sessionKeys (JavaScript)
  2 | 
  3 | [![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)
  4 | 
  5 | [![Build Status](https://travis-ci.org/grempe/session-keys-js.svg?branch=master)](https://travis-ci.org/grempe/session-keys-js)
  6 | 
  7 | `sessionKeys` is a cryptographic tool for the generation of unique user IDs,
  8 | and NaCl compatible [Curve25519](https://cr.yp.to/ecdh.html) encryption, and
  9 | [Ed25519](http://ed25519.cr.yp.to) digital signature keys using JavaScript.
 10 | 
 11 | It is compatible with [grempe/session-keys-rb](https://github.com/grempe/session-keys-rb)
 12 | which can generates identical IDs and crypto keys server-side using Ruby when given the
 13 | same username and passphrase values. Both libraries have extensive tests to
 14 | ensure they remain interoperable.
 15 | 
 16 | ## Security
 17 | 
 18 | The encryption and signing keys are created with
 19 | [TweetNaCl.js](https://github.com/dchest/tweetnacl-js), a port of
 20 | [TweetNaCl](http://tweetnacl.cr.yp.to/) / [NaCl](http://nacl.cr.yp.to/) to
 21 | JavaScript for modern browsers and Node.js. The encryption keys are for the
 22 | Public-key authenticated encryption `box` construction which
 23 | implements `curve25519-xsalsa20-poly1305`. The signing keys are for the `Ed25519`
 24 | digital signature system.
 25 | 
 26 | The strength of the system lies in the fact that the keypairs are derived from
 27 | passing an identifier such as a username or email address, and a high-entropy
 28 | passphrase through the `SHA256` cryptographic one-way hash function,
 29 | and then 'stretching' that username/password into strong key material using
 30 | the `scrypt` key derivation function.
 31 | 
 32 | The benefit of this approach are manifold:
 33 | 
 34 | - Cryptographically secure key generation, full 32 byte (256 bit) keys
 35 | - Risk of brute force attempts at key discovery likely eliminated
 36 | - A deterministic ID protects user privacy when used in place of stored username on server
 37 | - No need to manage or move keypairs around for use on different devices
 38 | - Users never need to store sensitive key material on disk
 39 | - Key material can't be stolen or copied without compromise of username/passphrase
 40 | - Key material is deterministic, same username/passphrase always results in same keys
 41 | - Multiple sets of key material are generated, allowing applications to secure different things with different keys
 42 | - Cross language, Javascript and Ruby currently supported.
 43 | 
 44 | The code is simple and easily auditable, and uses only the fast and secure `SHA256`
 45 | hash function, `scrypt` for strong key derivation, and the `NaCL` compatible
 46 | encryption and digital signature keys provided by `tweetnacl-js`.
 47 | 
 48 | This code was inspired by, but is **incompatible** with, the
 49 | [session25519](https://github.com/jo/session25519) library created by
 50 | [Johannes Jörg Schmidt (@jo)](https://github.com/jo).
 51 | 
 52 | It bears repeating that **the strength of this system is very strongly
 53 | tied to the strength of the passphrase chosen by the user**. Application
 54 | developers are **strongly encouraged** to enforce the use of
 55 | high-entropy passphrases by their users. Memorable high-entropy passphrases,
 56 | such as can be generated using [Diceware](https://www.rempe.us/diceware/),
 57 | and measured with password strength estimation tools like
 58 | [zxcvbn](https://github.com/dropbox/zxcvbn), are critically important to
 59 | the overall security of this system.
 60 | 
 61 | ## Usage
 62 | 
 63 | Simply pass in a user identifier, such as an email address and a high-entropy
 64 | passphrase. The callback will return an Object Literal with the key material.
 65 | 
 66 | A total of 256 bytes of key material is derived, and this is split into 8
 67 | 32 byte keys which are returned as an Array of [Uint8Array](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array)
 68 | objects with raw binary data.
 69 | 
 70 | Each of those keys are also returned as hex values, and derived encryption
 71 | and signing keypairs with Base64 encoded versions as well for convenience.
 72 | This gives you eight different secure keys to choose from with various
 73 | representations.
 74 | 
 75 | 
 76 | ```js
 77 | var sessionKeys = require('session-keys')
 78 | 
 79 | sessionKeys.generate('user@example.com', 'my secret password', function(err, keys) {
 80 |   // {
 81 |   //   id: "0123456789abcdef",
 82 |   //   byteKeys: [...],
 83 |   //   hexKeys: [...],
 84 |   //   naclEncryptionKeyPairs: [...],
 85 |   //   naclEncryptionKeyPairsBase64: [...],
 86 |   //   naclSigningKeyPairs: [...],
 87 |   //   naclSigningKeyPairsBase64: [...],
 88 |   // }
 89 | })
 90 | ```
 91 | 
 92 | ## Cryptographic Design
 93 | 
 94 | The following pseudo-code illustrates how `sessionKeys` derives keys
 95 | from a user ID and passphrase.
 96 | 
 97 | ```txt
 98 | // PSEUDOCODE
 99 | 
100 | // 32 Byte hash of the user name
101 | id = SHA256(username)
102 | 
103 | // 32 Byte hash of the password
104 | key = SHA256(password)
105 | 
106 | // 32 Byte hash of the ID, its length, and a library specific string
107 | salt = SHA256(id + idLength + 'session_keys')
108 | 
109 | // scrypt params
110 | // 256 bytes of scrypt output
111 | derivedBytes = scrypt(key, salt, N = 16384, r = 8, p = 1, dkLen = 256)
112 | 
113 | // Return all of the following
114 | //////////////////////////////
115 | 
116 | // The hex encoded sha256(username)
117 | idhex = hex(id)
118 | 
119 | // Split the 256 derived bytes into 8 * 32 byte Uint8Array keys
120 | byteKeys = []
121 | 
122 | // For each byteKey generate:
123 | 
124 |   // An Array of the hex values of each byteKey
125 |   hexKeys = []
126 | 
127 |   // An Array of NaCl Encryption keys seeded from each byteKey
128 |   naclEncryptionKeyPairs = []
129 | 
130 |   // An Array of NaCl Encryption keys seeded from each byteKey, Base 64 encoded
131 |   naclEncryptionKeyPairsBase64 = []
132 | 
133 |   // An Array of NaCl Signing keys seeded from each byteKey
134 |   naclSigningKeyPairs = []
135 | 
136 |   // An Array of NaCl Signing keys seeded from each byteKey, Base 64 encoded
137 |   naclSigningKeyPairsBase64 = []
138 | 
139 | ```
140 | 
141 | ## Performance
142 | 
143 | The author of [scrypt-async-js](https://github.com/dchest/scrypt-async-js),
144 | which is the strong key derivation mechanism used by `sessionKeys`, [recommends](https://github.com/dchest/scrypt-async-js/commit/ac57f235b505eb3f4fa8f2f95ae22d7eddd655d5)
145 | using `setImmediate`:
146 | 
147 | > Using `setImmediate` massively improves performance. Since
148 | > most browsers don't support it, you'll have to include a
149 | > shim for it.
150 | 
151 | - [YuzuJS/setImmediate](https://github.com/YuzuJS/setImmediate)
152 | - [setImmediate shim demo](http://jphpsf.github.io/setImmediate-shim-demo/)
153 | - [caniuse setImmediate](http://caniuse.com/#search=setImmediate)
154 | 
155 | Performance in this context is *not* about making the key derivation run faster, as
156 | that would kind of defeat the purpose. It is instead about ensuring your
157 | application remains responsive while this code is running.
158 | 
159 | ## Resources
160 | 
161 | ### fast-sha256-js
162 | - Origin: https://github.com/dchest/fast-sha256-js
163 | - License: Public Domain
164 | 
165 | ### scrypt-async-js
166 | - Origin: https://github.com/dchest/scrypt-async-js
167 | - License: BSD-like, see LICENSE file or MIT license at your choice.
168 | 
169 | ### TweetNaCl.js
170 | - Origin: https://github.com/dchest/tweetnacl-js
171 | - License: Public Domain
172 | 
173 | ### base64-js
174 | - Origin: https://github.com/beatgammit/base64-js
175 | - License: MIT
176 | 
177 | ## Development
178 | 
179 | ### Setup
180 | 
181 | This project now manages all dependencies with [yarn](https://yarnpkg.com) which
182 | you'll need to install first.
183 | 
184 | Make sure you are using v0.16.0 or higher.
185 | 
186 | ```
187 | $ yarn -V
188 | 0.16.0
189 | ```
190 | 
191 | Install all dependencies locally.
192 | 
193 | ```
194 | yarn
195 | ```
196 | 
197 | ### Build
198 | 
199 | You can build a `dist` version of `sessionKeys` using `browserify`. There is a
200 | pre-built version in the `dist` directory of this repository which includes
201 | all dependencies and can be used with a `<script>` tag in the browser.
202 | 
203 | ```sh
204 | yarn run build
205 | ```
206 | 
207 | ### Testing
208 | 
209 | ```sh
210 | # run all tests locally with node
211 | yarn test
212 | 
213 | # run all tests locally from test.html in your default browser
214 | # test output will be in your browser's console.
215 | yarn run test-browser
216 | ```
217 | 
218 | ### Installation Security : Signed Git Commits
219 | 
220 | Most, if not all, of the commits and tags in the repository for this code are
221 | signed with my PGP/GPG code signing key. I have uploaded my code signing public
222 | keys to GitHub and you can now verify those signatures with the GitHub UI.
223 | See [this list of commits](https://github.com/grempe/session-keys-js/commits/master)
224 | and look for the `Verified` tag next to each commit. You can click on that tag
225 | for additional information.
226 | 
227 | You can also clone the repository and verify the signatures locally using your
228 | own GnuPG installation. You can find my certificates and read about how to conduct
229 | this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
230 | 
231 | ### Contributing
232 | 
233 | Bug reports and pull requests are welcome on GitHub
234 | at [https://github.com/grempe/session-keys-js](https://github.com/grempe/session-keys-js). This
235 | project is intended to be a safe, welcoming space for collaboration, and contributors
236 | are expected to adhere to the
237 | [Contributor Covenant](http://contributor-covenant.org) code of conduct.
238 | 
239 | ## Legal
240 | 
241 | ### Copyright
242 | 
243 | (c) 2016 Glenn Rempe <[glenn@rempe.us](mailto:glenn@rempe.us)> ([https://www.rempe.us/](https://www.rempe.us/))
244 | 
245 | ### License
246 | 
247 | The gem is available as open source under the terms of
248 | the [MIT License](http://opensource.org/licenses/MIT).
249 | 
250 | ### Warranty
251 | 
252 | Unless required by applicable law or agreed to in writing,
253 | software distributed under the License is distributed on an
254 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
255 | either express or implied. See the LICENSE.txt file for the
256 | specific language governing permissions and limitations under
257 | the License.
258 | 
259 | ## Thank You!
260 | 
261 | Thanks to Dmitry Chestnykh ([@dchest](https://github.com/dchest)) and
262 | Tony Arcieri ([@bascule](https://github.com/bascule)) for all the great
263 | code and help, and [Johannes Jörg Schmidt (@jo)](https://github.com/jo)
264 | for the original implementation.
265 | 


--------------------------------------------------------------------------------
/dist/sessionKeys.js:
--------------------------------------------------------------------------------
   1 | (function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.sessionKeys = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
   2 | var sha256 = require('fast-sha256')
   3 | var scrypt = require('scrypt-async')
   4 | var nacl = require('tweetnacl')
   5 | var base64 = require('base64-js')
   6 | 
   7 | // Code inspired by:
   8 | // https://github.com/kaepora/miniLock/blob/master/src/js/miniLock.js
   9 | // https://github.com/jo/session25519
  10 | 
  11 | // Extracted from tweetnacl-util-js
  12 | // https://github.com/dchest/tweetnacl-util-js/blob/master/nacl-util.js#L16
  13 | function decodeUTF8 (s) {
  14 |   var i, d, b
  15 |   d = unescape(encodeURIComponent(s))
  16 |   b = new Uint8Array(d.length)
  17 | 
  18 |   for (i = 0; i < d.length; i++) b[i] = d.charCodeAt(i)
  19 |   return b
  20 | }
  21 | 
  22 | // Convert a decimal to hex with proper padding
  23 | // Input:
  24 | //   d                      // A decimal number between 0-255
  25 | //
  26 | // Result:
  27 | //   Returns a padded hex string representing the decimal arg
  28 | //
  29 | function decToHex (d) {
  30 |   var hex = Number(d).toString(16)
  31 |   while (hex.length < 2) {
  32 |     hex = '0' + hex
  33 |   }
  34 |   return hex
  35 | }
  36 | 
  37 | // Convert Uint8Array of bytes to hex
  38 | // Input:
  39 | //   arr                      // Uint8Array of bytes to convert to hex
  40 | //
  41 | // Result:
  42 | //   Returns a Base16 hex encoded version of arr
  43 | //
  44 | function byteArrayToHex (arr) {
  45 |   var hex, i
  46 |   hex = ''
  47 |   for (i = 0; i < arr.length; ++i) {
  48 |     hex += decToHex(arr[i])
  49 |   }
  50 |   return hex
  51 | }
  52 | 
  53 | // Input:
  54 | //   key                      // User key hash (Uint8Array)
  55 | //   salt                     // Salt (username or email) (Uint8Array)
  56 | //   callback function
  57 | //
  58 | // Result:
  59 | //   Returns 256 bytes of scrypt derived key material in a Uint8Array,
  60 | //   which is then passed to the callback.
  61 | //
  62 | function getScryptKey (key, salt, callback) {
  63 |   'use strict'
  64 | 
  65 |   scrypt(key, salt, {
  66 |     N: 16384,
  67 |     r: 8,
  68 |     p: 1,
  69 |     dkLen: 256,
  70 |     encoding: 'binary'
  71 |   }, function (derivedKey) {
  72 |     return callback(derivedKey)
  73 |   })
  74 | }
  75 | 
  76 | // Input:
  77 | //  id          // A UTF-8 username or email
  78 | //  password    // A UTF-8 passphrase
  79 | //  callback    // A callback function
  80 | //
  81 | // Result:
  82 | //   An object literal with all key material
  83 | //
  84 | exports.generate = function (id, password, callback) {
  85 |   'use strict'
  86 | 
  87 |   var idSha256Bbytes, idSha256Hex, scryptKey, scryptSalt, byteKeys,
  88 |     hexKeys, naclEncryptionKeyPairs, naclEncryptionKeyPairsBase64,
  89 |     naclSigningKeyPairs, naclSigningKeyPairsBase64, out
  90 | 
  91 |   idSha256Bbytes = sha256(decodeUTF8(id))
  92 |   idSha256Hex = byteArrayToHex(idSha256Bbytes)
  93 | 
  94 |   scryptKey = sha256(decodeUTF8(password))
  95 |   scryptSalt = sha256(decodeUTF8([idSha256Hex, idSha256Hex.length, 'session_keys'].join('')))
  96 | 
  97 |   getScryptKey(scryptKey, scryptSalt, function (scryptByteArray) {
  98 |     try {
  99 |       byteKeys = []
 100 |       hexKeys = []
 101 |       naclEncryptionKeyPairs = []
 102 |       naclEncryptionKeyPairsBase64 = []
 103 |       naclSigningKeyPairs = []
 104 |       naclSigningKeyPairsBase64 = []
 105 | 
 106 |       // Generate 8 pairs of all types of keys. The key types
 107 |       // at each Array index are all derived from the same key
 108 |       // bytes. Use different Array index values for each to ensure
 109 |       // they don't share common key bytes. For example:
 110 |       //
 111 |       // uuid : output.hexKeys[0]
 112 |       // encryption keypair : output.naclEncryptionKeyPairs[1]
 113 |       // signing keypair : output.naclSigningKeyPairs[2]
 114 |       //
 115 |       var b = 0
 116 |       for (var i = 0; i < 8; ++i) {
 117 |         var byteArr = scryptByteArray.subarray(b, b + 32)
 118 |         byteKeys.push(byteArr)
 119 |         hexKeys.push(byteArrayToHex(byteArr))
 120 | 
 121 |         var naclEncryptionKeyPair = nacl.box.keyPair.fromSecretKey(byteArr)
 122 |         var naclSigningKeyPair = nacl.sign.keyPair.fromSeed(byteArr)
 123 | 
 124 |         naclEncryptionKeyPairs.push(naclEncryptionKeyPair)
 125 |         naclEncryptionKeyPairsBase64.push({
 126 |           secretKey: base64.fromByteArray(naclEncryptionKeyPair.secretKey),
 127 |           publicKey: base64.fromByteArray(naclEncryptionKeyPair.publicKey)
 128 |         })
 129 | 
 130 |         naclSigningKeyPairs.push(naclSigningKeyPair)
 131 |         naclSigningKeyPairsBase64.push({
 132 |           secretKey: base64.fromByteArray(naclSigningKeyPair.secretKey),
 133 |           publicKey: base64.fromByteArray(naclSigningKeyPair.publicKey)
 134 |         })
 135 | 
 136 |         b += 32
 137 |       }
 138 | 
 139 |       out = {}
 140 |       out.id = idSha256Hex
 141 |       out.byteKeys = byteKeys
 142 |       out.hexKeys = hexKeys
 143 |       out.naclEncryptionKeyPairs = naclEncryptionKeyPairs
 144 |       out.naclEncryptionKeyPairsBase64 = naclEncryptionKeyPairsBase64
 145 |       out.naclSigningKeyPairs = naclSigningKeyPairs
 146 |       out.naclSigningKeyPairsBase64 = naclSigningKeyPairsBase64
 147 | 
 148 |       return callback(null, out)
 149 |     } catch (err) {
 150 |       return callback(err)
 151 |     }
 152 |   })
 153 | }
 154 | 
 155 | },{"base64-js":2,"fast-sha256":4,"scrypt-async":5,"tweetnacl":6}],2:[function(require,module,exports){
 156 | 'use strict'
 157 | 
 158 | exports.byteLength = byteLength
 159 | exports.toByteArray = toByteArray
 160 | exports.fromByteArray = fromByteArray
 161 | 
 162 | var lookup = []
 163 | var revLookup = []
 164 | var Arr = typeof Uint8Array !== 'undefined' ? Uint8Array : Array
 165 | 
 166 | var code = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
 167 | for (var i = 0, len = code.length; i < len; ++i) {
 168 |   lookup[i] = code[i]
 169 |   revLookup[code.charCodeAt(i)] = i
 170 | }
 171 | 
 172 | // Support decoding URL-safe base64 strings, as Node.js does.
 173 | // See: https://en.wikipedia.org/wiki/Base64#URL_applications
 174 | revLookup['-'.charCodeAt(0)] = 62
 175 | revLookup['_'.charCodeAt(0)] = 63
 176 | 
 177 | function getLens (b64) {
 178 |   var len = b64.length
 179 | 
 180 |   if (len % 4 > 0) {
 181 |     throw new Error('Invalid string. Length must be a multiple of 4')
 182 |   }
 183 | 
 184 |   // Trim off extra bytes after placeholder bytes are found
 185 |   // See: https://github.com/beatgammit/base64-js/issues/42
 186 |   var validLen = b64.indexOf('=')
 187 |   if (validLen === -1) validLen = len
 188 | 
 189 |   var placeHoldersLen = validLen === len
 190 |     ? 0
 191 |     : 4 - (validLen % 4)
 192 | 
 193 |   return [validLen, placeHoldersLen]
 194 | }
 195 | 
 196 | // base64 is 4/3 + up to two characters of the original data
 197 | function byteLength (b64) {
 198 |   var lens = getLens(b64)
 199 |   var validLen = lens[0]
 200 |   var placeHoldersLen = lens[1]
 201 |   return ((validLen + placeHoldersLen) * 3 / 4) - placeHoldersLen
 202 | }
 203 | 
 204 | function _byteLength (b64, validLen, placeHoldersLen) {
 205 |   return ((validLen + placeHoldersLen) * 3 / 4) - placeHoldersLen
 206 | }
 207 | 
 208 | function toByteArray (b64) {
 209 |   var tmp
 210 |   var lens = getLens(b64)
 211 |   var validLen = lens[0]
 212 |   var placeHoldersLen = lens[1]
 213 | 
 214 |   var arr = new Arr(_byteLength(b64, validLen, placeHoldersLen))
 215 | 
 216 |   var curByte = 0
 217 | 
 218 |   // if there are placeholders, only get up to the last complete 4 chars
 219 |   var len = placeHoldersLen > 0
 220 |     ? validLen - 4
 221 |     : validLen
 222 | 
 223 |   var i
 224 |   for (i = 0; i < len; i += 4) {
 225 |     tmp =
 226 |       (revLookup[b64.charCodeAt(i)] << 18) |
 227 |       (revLookup[b64.charCodeAt(i + 1)] << 12) |
 228 |       (revLookup[b64.charCodeAt(i + 2)] << 6) |
 229 |       revLookup[b64.charCodeAt(i + 3)]
 230 |     arr[curByte++] = (tmp >> 16) & 0xFF
 231 |     arr[curByte++] = (tmp >> 8) & 0xFF
 232 |     arr[curByte++] = tmp & 0xFF
 233 |   }
 234 | 
 235 |   if (placeHoldersLen === 2) {
 236 |     tmp =
 237 |       (revLookup[b64.charCodeAt(i)] << 2) |
 238 |       (revLookup[b64.charCodeAt(i + 1)] >> 4)
 239 |     arr[curByte++] = tmp & 0xFF
 240 |   }
 241 | 
 242 |   if (placeHoldersLen === 1) {
 243 |     tmp =
 244 |       (revLookup[b64.charCodeAt(i)] << 10) |
 245 |       (revLookup[b64.charCodeAt(i + 1)] << 4) |
 246 |       (revLookup[b64.charCodeAt(i + 2)] >> 2)
 247 |     arr[curByte++] = (tmp >> 8) & 0xFF
 248 |     arr[curByte++] = tmp & 0xFF
 249 |   }
 250 | 
 251 |   return arr
 252 | }
 253 | 
 254 | function tripletToBase64 (num) {
 255 |   return lookup[num >> 18 & 0x3F] +
 256 |     lookup[num >> 12 & 0x3F] +
 257 |     lookup[num >> 6 & 0x3F] +
 258 |     lookup[num & 0x3F]
 259 | }
 260 | 
 261 | function encodeChunk (uint8, start, end) {
 262 |   var tmp
 263 |   var output = []
 264 |   for (var i = start; i < end; i += 3) {
 265 |     tmp =
 266 |       ((uint8[i] << 16) & 0xFF0000) +
 267 |       ((uint8[i + 1] << 8) & 0xFF00) +
 268 |       (uint8[i + 2] & 0xFF)
 269 |     output.push(tripletToBase64(tmp))
 270 |   }
 271 |   return output.join('')
 272 | }
 273 | 
 274 | function fromByteArray (uint8) {
 275 |   var tmp
 276 |   var len = uint8.length
 277 |   var extraBytes = len % 3 // if we have 1 byte left, pad 2 bytes
 278 |   var parts = []
 279 |   var maxChunkLength = 16383 // must be multiple of 3
 280 | 
 281 |   // go through the array every three bytes, we'll deal with trailing stuff later
 282 |   for (var i = 0, len2 = len - extraBytes; i < len2; i += maxChunkLength) {
 283 |     parts.push(encodeChunk(
 284 |       uint8, i, (i + maxChunkLength) > len2 ? len2 : (i + maxChunkLength)
 285 |     ))
 286 |   }
 287 | 
 288 |   // pad the end with zeros, but make sure to not forget the extra bytes
 289 |   if (extraBytes === 1) {
 290 |     tmp = uint8[len - 1]
 291 |     parts.push(
 292 |       lookup[tmp >> 2] +
 293 |       lookup[(tmp << 4) & 0x3F] +
 294 |       '=='
 295 |     )
 296 |   } else if (extraBytes === 2) {
 297 |     tmp = (uint8[len - 2] << 8) + uint8[len - 1]
 298 |     parts.push(
 299 |       lookup[tmp >> 10] +
 300 |       lookup[(tmp >> 4) & 0x3F] +
 301 |       lookup[(tmp << 2) & 0x3F] +
 302 |       '='
 303 |     )
 304 |   }
 305 | 
 306 |   return parts.join('')
 307 | }
 308 | 
 309 | },{}],3:[function(require,module,exports){
 310 | 
 311 | },{}],4:[function(require,module,exports){
 312 | (function (root, factory) {
 313 |     // Hack to make all exports of this module sha256 function object properties.
 314 |     var exports = {};
 315 |     factory(exports);
 316 |     var sha256 = exports["default"];
 317 |     for (var k in exports) {
 318 |         sha256[k] = exports[k];
 319 |     }
 320 |         
 321 |     if (typeof module === 'object' && typeof module.exports === 'object') {
 322 |         module.exports = sha256;
 323 |     } else if (typeof define === 'function' && define.amd) {
 324 |         define(function() { return sha256; }); 
 325 |     } else {
 326 |         root.sha256 = sha256;
 327 |     }
 328 | })(this, function(exports) {
 329 | "use strict";
 330 | exports.__esModule = true;
 331 | // SHA-256 (+ HMAC and PBKDF2) for JavaScript.
 332 | //
 333 | // Written in 2014-2016 by Dmitry Chestnykh.
 334 | // Public domain, no warranty.
 335 | //
 336 | // Functions (accept and return Uint8Arrays):
 337 | //
 338 | //   sha256(message) -> hash
 339 | //   sha256.hmac(key, message) -> mac
 340 | //   sha256.pbkdf2(password, salt, rounds, dkLen) -> dk
 341 | //
 342 | //  Classes:
 343 | //
 344 | //   new sha256.Hash()
 345 | //   new sha256.HMAC(key)
 346 | //
 347 | exports.digestLength = 32;
 348 | exports.blockSize = 64;
 349 | // SHA-256 constants
 350 | var K = new Uint32Array([
 351 |     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
 352 |     0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
 353 |     0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
 354 |     0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
 355 |     0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
 356 |     0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
 357 |     0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
 358 |     0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 359 |     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
 360 |     0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
 361 |     0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
 362 |     0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
 363 |     0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
 364 | ]);
 365 | function hashBlocks(w, v, p, pos, len) {
 366 |     var a, b, c, d, e, f, g, h, u, i, j, t1, t2;
 367 |     while (len >= 64) {
 368 |         a = v[0];
 369 |         b = v[1];
 370 |         c = v[2];
 371 |         d = v[3];
 372 |         e = v[4];
 373 |         f = v[5];
 374 |         g = v[6];
 375 |         h = v[7];
 376 |         for (i = 0; i < 16; i++) {
 377 |             j = pos + i * 4;
 378 |             w[i] = (((p[j] & 0xff) << 24) | ((p[j + 1] & 0xff) << 16) |
 379 |                 ((p[j + 2] & 0xff) << 8) | (p[j + 3] & 0xff));
 380 |         }
 381 |         for (i = 16; i < 64; i++) {
 382 |             u = w[i - 2];
 383 |             t1 = (u >>> 17 | u << (32 - 17)) ^ (u >>> 19 | u << (32 - 19)) ^ (u >>> 10);
 384 |             u = w[i - 15];
 385 |             t2 = (u >>> 7 | u << (32 - 7)) ^ (u >>> 18 | u << (32 - 18)) ^ (u >>> 3);
 386 |             w[i] = (t1 + w[i - 7] | 0) + (t2 + w[i - 16] | 0);
 387 |         }
 388 |         for (i = 0; i < 64; i++) {
 389 |             t1 = (((((e >>> 6 | e << (32 - 6)) ^ (e >>> 11 | e << (32 - 11)) ^
 390 |                 (e >>> 25 | e << (32 - 25))) + ((e & f) ^ (~e & g))) | 0) +
 391 |                 ((h + ((K[i] + w[i]) | 0)) | 0)) | 0;
 392 |             t2 = (((a >>> 2 | a << (32 - 2)) ^ (a >>> 13 | a << (32 - 13)) ^
 393 |                 (a >>> 22 | a << (32 - 22))) + ((a & b) ^ (a & c) ^ (b & c))) | 0;
 394 |             h = g;
 395 |             g = f;
 396 |             f = e;
 397 |             e = (d + t1) | 0;
 398 |             d = c;
 399 |             c = b;
 400 |             b = a;
 401 |             a = (t1 + t2) | 0;
 402 |         }
 403 |         v[0] += a;
 404 |         v[1] += b;
 405 |         v[2] += c;
 406 |         v[3] += d;
 407 |         v[4] += e;
 408 |         v[5] += f;
 409 |         v[6] += g;
 410 |         v[7] += h;
 411 |         pos += 64;
 412 |         len -= 64;
 413 |     }
 414 |     return pos;
 415 | }
 416 | // Hash implements SHA256 hash algorithm.
 417 | var Hash = /** @class */ (function () {
 418 |     function Hash() {
 419 |         this.digestLength = exports.digestLength;
 420 |         this.blockSize = exports.blockSize;
 421 |         // Note: Int32Array is used instead of Uint32Array for performance reasons.
 422 |         this.state = new Int32Array(8); // hash state
 423 |         this.temp = new Int32Array(64); // temporary state
 424 |         this.buffer = new Uint8Array(128); // buffer for data to hash
 425 |         this.bufferLength = 0; // number of bytes in buffer
 426 |         this.bytesHashed = 0; // number of total bytes hashed
 427 |         this.finished = false; // indicates whether the hash was finalized
 428 |         this.reset();
 429 |     }
 430 |     // Resets hash state making it possible
 431 |     // to re-use this instance to hash other data.
 432 |     Hash.prototype.reset = function () {
 433 |         this.state[0] = 0x6a09e667;
 434 |         this.state[1] = 0xbb67ae85;
 435 |         this.state[2] = 0x3c6ef372;
 436 |         this.state[3] = 0xa54ff53a;
 437 |         this.state[4] = 0x510e527f;
 438 |         this.state[5] = 0x9b05688c;
 439 |         this.state[6] = 0x1f83d9ab;
 440 |         this.state[7] = 0x5be0cd19;
 441 |         this.bufferLength = 0;
 442 |         this.bytesHashed = 0;
 443 |         this.finished = false;
 444 |         return this;
 445 |     };
 446 |     // Cleans internal buffers and re-initializes hash state.
 447 |     Hash.prototype.clean = function () {
 448 |         for (var i = 0; i < this.buffer.length; i++) {
 449 |             this.buffer[i] = 0;
 450 |         }
 451 |         for (var i = 0; i < this.temp.length; i++) {
 452 |             this.temp[i] = 0;
 453 |         }
 454 |         this.reset();
 455 |     };
 456 |     // Updates hash state with the given data.
 457 |     //
 458 |     // Optionally, length of the data can be specified to hash
 459 |     // fewer bytes than data.length.
 460 |     //
 461 |     // Throws error when trying to update already finalized hash:
 462 |     // instance must be reset to use it again.
 463 |     Hash.prototype.update = function (data, dataLength) {
 464 |         if (dataLength === void 0) { dataLength = data.length; }
 465 |         if (this.finished) {
 466 |             throw new Error("SHA256: can't update because hash was finished.");
 467 |         }
 468 |         var dataPos = 0;
 469 |         this.bytesHashed += dataLength;
 470 |         if (this.bufferLength > 0) {
 471 |             while (this.bufferLength < 64 && dataLength > 0) {
 472 |                 this.buffer[this.bufferLength++] = data[dataPos++];
 473 |                 dataLength--;
 474 |             }
 475 |             if (this.bufferLength === 64) {
 476 |                 hashBlocks(this.temp, this.state, this.buffer, 0, 64);
 477 |                 this.bufferLength = 0;
 478 |             }
 479 |         }
 480 |         if (dataLength >= 64) {
 481 |             dataPos = hashBlocks(this.temp, this.state, data, dataPos, dataLength);
 482 |             dataLength %= 64;
 483 |         }
 484 |         while (dataLength > 0) {
 485 |             this.buffer[this.bufferLength++] = data[dataPos++];
 486 |             dataLength--;
 487 |         }
 488 |         return this;
 489 |     };
 490 |     // Finalizes hash state and puts hash into out.
 491 |     //
 492 |     // If hash was already finalized, puts the same value.
 493 |     Hash.prototype.finish = function (out) {
 494 |         if (!this.finished) {
 495 |             var bytesHashed = this.bytesHashed;
 496 |             var left = this.bufferLength;
 497 |             var bitLenHi = (bytesHashed / 0x20000000) | 0;
 498 |             var bitLenLo = bytesHashed << 3;
 499 |             var padLength = (bytesHashed % 64 < 56) ? 64 : 128;
 500 |             this.buffer[left] = 0x80;
 501 |             for (var i = left + 1; i < padLength - 8; i++) {
 502 |                 this.buffer[i] = 0;
 503 |             }
 504 |             this.buffer[padLength - 8] = (bitLenHi >>> 24) & 0xff;
 505 |             this.buffer[padLength - 7] = (bitLenHi >>> 16) & 0xff;
 506 |             this.buffer[padLength - 6] = (bitLenHi >>> 8) & 0xff;
 507 |             this.buffer[padLength - 5] = (bitLenHi >>> 0) & 0xff;
 508 |             this.buffer[padLength - 4] = (bitLenLo >>> 24) & 0xff;
 509 |             this.buffer[padLength - 3] = (bitLenLo >>> 16) & 0xff;
 510 |             this.buffer[padLength - 2] = (bitLenLo >>> 8) & 0xff;
 511 |             this.buffer[padLength - 1] = (bitLenLo >>> 0) & 0xff;
 512 |             hashBlocks(this.temp, this.state, this.buffer, 0, padLength);
 513 |             this.finished = true;
 514 |         }
 515 |         for (var i = 0; i < 8; i++) {
 516 |             out[i * 4 + 0] = (this.state[i] >>> 24) & 0xff;
 517 |             out[i * 4 + 1] = (this.state[i] >>> 16) & 0xff;
 518 |             out[i * 4 + 2] = (this.state[i] >>> 8) & 0xff;
 519 |             out[i * 4 + 3] = (this.state[i] >>> 0) & 0xff;
 520 |         }
 521 |         return this;
 522 |     };
 523 |     // Returns the final hash digest.
 524 |     Hash.prototype.digest = function () {
 525 |         var out = new Uint8Array(this.digestLength);
 526 |         this.finish(out);
 527 |         return out;
 528 |     };
 529 |     // Internal function for use in HMAC for optimization.
 530 |     Hash.prototype._saveState = function (out) {
 531 |         for (var i = 0; i < this.state.length; i++) {
 532 |             out[i] = this.state[i];
 533 |         }
 534 |     };
 535 |     // Internal function for use in HMAC for optimization.
 536 |     Hash.prototype._restoreState = function (from, bytesHashed) {
 537 |         for (var i = 0; i < this.state.length; i++) {
 538 |             this.state[i] = from[i];
 539 |         }
 540 |         this.bytesHashed = bytesHashed;
 541 |         this.finished = false;
 542 |         this.bufferLength = 0;
 543 |     };
 544 |     return Hash;
 545 | }());
 546 | exports.Hash = Hash;
 547 | // HMAC implements HMAC-SHA256 message authentication algorithm.
 548 | var HMAC = /** @class */ (function () {
 549 |     function HMAC(key) {
 550 |         this.inner = new Hash();
 551 |         this.outer = new Hash();
 552 |         this.blockSize = this.inner.blockSize;
 553 |         this.digestLength = this.inner.digestLength;
 554 |         var pad = new Uint8Array(this.blockSize);
 555 |         if (key.length > this.blockSize) {
 556 |             (new Hash()).update(key).finish(pad).clean();
 557 |         }
 558 |         else {
 559 |             for (var i = 0; i < key.length; i++) {
 560 |                 pad[i] = key[i];
 561 |             }
 562 |         }
 563 |         for (var i = 0; i < pad.length; i++) {
 564 |             pad[i] ^= 0x36;
 565 |         }
 566 |         this.inner.update(pad);
 567 |         for (var i = 0; i < pad.length; i++) {
 568 |             pad[i] ^= 0x36 ^ 0x5c;
 569 |         }
 570 |         this.outer.update(pad);
 571 |         this.istate = new Uint32Array(8);
 572 |         this.ostate = new Uint32Array(8);
 573 |         this.inner._saveState(this.istate);
 574 |         this.outer._saveState(this.ostate);
 575 |         for (var i = 0; i < pad.length; i++) {
 576 |             pad[i] = 0;
 577 |         }
 578 |     }
 579 |     // Returns HMAC state to the state initialized with key
 580 |     // to make it possible to run HMAC over the other data with the same
 581 |     // key without creating a new instance.
 582 |     HMAC.prototype.reset = function () {
 583 |         this.inner._restoreState(this.istate, this.inner.blockSize);
 584 |         this.outer._restoreState(this.ostate, this.outer.blockSize);
 585 |         return this;
 586 |     };
 587 |     // Cleans HMAC state.
 588 |     HMAC.prototype.clean = function () {
 589 |         for (var i = 0; i < this.istate.length; i++) {
 590 |             this.ostate[i] = this.istate[i] = 0;
 591 |         }
 592 |         this.inner.clean();
 593 |         this.outer.clean();
 594 |     };
 595 |     // Updates state with provided data.
 596 |     HMAC.prototype.update = function (data) {
 597 |         this.inner.update(data);
 598 |         return this;
 599 |     };
 600 |     // Finalizes HMAC and puts the result in out.
 601 |     HMAC.prototype.finish = function (out) {
 602 |         if (this.outer.finished) {
 603 |             this.outer.finish(out);
 604 |         }
 605 |         else {
 606 |             this.inner.finish(out);
 607 |             this.outer.update(out, this.digestLength).finish(out);
 608 |         }
 609 |         return this;
 610 |     };
 611 |     // Returns message authentication code.
 612 |     HMAC.prototype.digest = function () {
 613 |         var out = new Uint8Array(this.digestLength);
 614 |         this.finish(out);
 615 |         return out;
 616 |     };
 617 |     return HMAC;
 618 | }());
 619 | exports.HMAC = HMAC;
 620 | // Returns SHA256 hash of data.
 621 | function hash(data) {
 622 |     var h = (new Hash()).update(data);
 623 |     var digest = h.digest();
 624 |     h.clean();
 625 |     return digest;
 626 | }
 627 | exports.hash = hash;
 628 | // Function hash is both available as module.hash and as default export.
 629 | exports["default"] = hash;
 630 | // Returns HMAC-SHA256 of data under the key.
 631 | function hmac(key, data) {
 632 |     var h = (new HMAC(key)).update(data);
 633 |     var digest = h.digest();
 634 |     h.clean();
 635 |     return digest;
 636 | }
 637 | exports.hmac = hmac;
 638 | // Derives a key from password and salt using PBKDF2-HMAC-SHA256
 639 | // with the given number of iterations.
 640 | //
 641 | // The number of bytes returned is equal to dkLen.
 642 | //
 643 | // (For better security, avoid dkLen greater than hash length - 32 bytes).
 644 | function pbkdf2(password, salt, iterations, dkLen) {
 645 |     var prf = new HMAC(password);
 646 |     var len = prf.digestLength;
 647 |     var ctr = new Uint8Array(4);
 648 |     var t = new Uint8Array(len);
 649 |     var u = new Uint8Array(len);
 650 |     var dk = new Uint8Array(dkLen);
 651 |     for (var i = 0; i * len < dkLen; i++) {
 652 |         var c = i + 1;
 653 |         ctr[0] = (c >>> 24) & 0xff;
 654 |         ctr[1] = (c >>> 16) & 0xff;
 655 |         ctr[2] = (c >>> 8) & 0xff;
 656 |         ctr[3] = (c >>> 0) & 0xff;
 657 |         prf.reset();
 658 |         prf.update(salt);
 659 |         prf.update(ctr);
 660 |         prf.finish(u);
 661 |         for (var j = 0; j < len; j++) {
 662 |             t[j] = u[j];
 663 |         }
 664 |         for (var j = 2; j <= iterations; j++) {
 665 |             prf.reset();
 666 |             prf.update(u).finish(u);
 667 |             for (var k = 0; k < len; k++) {
 668 |                 t[k] ^= u[k];
 669 |             }
 670 |         }
 671 |         for (var j = 0; j < len && i * len + j < dkLen; j++) {
 672 |             dk[i * len + j] = t[j];
 673 |         }
 674 |     }
 675 |     for (var i = 0; i < len; i++) {
 676 |         t[i] = u[i] = 0;
 677 |     }
 678 |     for (var i = 0; i < 4; i++) {
 679 |         ctr[i] = 0;
 680 |     }
 681 |     prf.clean();
 682 |     return dk;
 683 | }
 684 | exports.pbkdf2 = pbkdf2;
 685 | });
 686 | 
 687 | },{}],5:[function(require,module,exports){
 688 | /*!
 689 |  * Fast "async" scrypt implementation in JavaScript.
 690 |  * Copyright (c) 2013-2016 Dmitry Chestnykh | BSD License
 691 |  * https://github.com/dchest/scrypt-async-js
 692 |  */
 693 | 
 694 | /**
 695 |  * scrypt(password, salt, options, callback)
 696 |  *
 697 |  * where
 698 |  *
 699 |  * password and salt are strings or arrays of bytes (Array of Uint8Array)
 700 |  * options is
 701 |  *
 702 |  * {
 703 |  *    N:      // CPU/memory cost parameter, must be power of two
 704 |  *            // (alternatively, you can specify logN)
 705 |  *    r:      // block size
 706 |  *    p:      // parallelization parameter
 707 |  *    dkLen:  // length of derived key, default = 32
 708 |  *    encoding: // optional encoding:
 709 |  *                    "base64" - standard Base64 encoding
 710 |  *                    "hex" — hex encoding,
 711 |  *                    "binary" — Uint8Array,
 712 |  *                    undefined/null - Array of bytes
 713 |  *    interruptStep: // optional, steps to split calculations (default is 0)
 714 |  * }
 715 |  *
 716 |  * Derives a key from password and salt and calls callback
 717 |  * with derived key as the only argument.
 718 |  *
 719 |  * Calculations are interrupted with setImmediate (or zero setTimeout) at the
 720 |  * given interruptSteps to avoid freezing the browser. If it's undefined or zero,
 721 |  * the callback is called immediately after the calculation, avoiding setImmediate.
 722 |  *
 723 |  * Legacy way (only supports p = 1) to call this function is:
 724 |  *
 725 |  * scrypt(password, salt, logN, r, dkLen, [interruptStep], callback, [encoding])
 726 |  *
 727 |  * In legacy API, if interruptStep is not given, it defaults to 1000.
 728 |  * Pass 0 to have callback called immediately.
 729 |  *
 730 |  */
 731 | function scrypt(password, salt, logN, r, dkLen, interruptStep, callback, encoding) {
 732 |   'use strict';
 733 | 
 734 |   function SHA256(m) {
 735 |     /** @const */ var K = [
 736 |       0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
 737 |       0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
 738 |       0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
 739 |       0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
 740 |       0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
 741 |       0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
 742 |       0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
 743 |       0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 744 |       0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
 745 |       0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
 746 |       0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
 747 |       0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
 748 |       0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
 749 |     ];
 750 | 
 751 |     var h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a,
 752 |         h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19,
 753 |         w = new Array(64);
 754 | 
 755 |     function blocks(p) {
 756 |       var off = 0, len = p.length;
 757 |       while (len >= 64) {
 758 |         var a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7,
 759 |             u, i, j, t1, t2;
 760 | 
 761 |         for (i = 0; i < 16; i++) {
 762 |           j = off + i*4;
 763 |           w[i] = ((p[j] & 0xff)<<24) | ((p[j+1] & 0xff)<<16) |
 764 |                  ((p[j+2] & 0xff)<<8) | (p[j+3] & 0xff);
 765 |         }
 766 | 
 767 |         for (i = 16; i < 64; i++) {
 768 |           u = w[i-2];
 769 |           t1 = ((u>>>17) | (u<<(32-17))) ^ ((u>>>19) | (u<<(32-19))) ^ (u>>>10);
 770 | 
 771 |           u = w[i-15];
 772 |           t2 = ((u>>>7) | (u<<(32-7))) ^ ((u>>>18) | (u<<(32-18))) ^ (u>>>3);
 773 | 
 774 |           w[i] = (((t1 + w[i-7]) | 0) + ((t2 + w[i-16]) | 0)) | 0;
 775 |         }
 776 | 
 777 |         for (i = 0; i < 64; i++) {
 778 |           t1 = ((((((e>>>6) | (e<<(32-6))) ^ ((e>>>11) | (e<<(32-11))) ^
 779 |                ((e>>>25) | (e<<(32-25)))) + ((e & f) ^ (~e & g))) | 0) +
 780 |                ((h + ((K[i] + w[i]) | 0)) | 0)) | 0;
 781 | 
 782 |           t2 = ((((a>>>2) | (a<<(32-2))) ^ ((a>>>13) | (a<<(32-13))) ^
 783 |                ((a>>>22) | (a<<(32-22)))) + ((a & b) ^ (a & c) ^ (b & c))) | 0;
 784 | 
 785 |           h = g;
 786 |           g = f;
 787 |           f = e;
 788 |           e = (d + t1) | 0;
 789 |           d = c;
 790 |           c = b;
 791 |           b = a;
 792 |           a = (t1 + t2) | 0;
 793 |         }
 794 | 
 795 |         h0 = (h0 + a) | 0;
 796 |         h1 = (h1 + b) | 0;
 797 |         h2 = (h2 + c) | 0;
 798 |         h3 = (h3 + d) | 0;
 799 |         h4 = (h4 + e) | 0;
 800 |         h5 = (h5 + f) | 0;
 801 |         h6 = (h6 + g) | 0;
 802 |         h7 = (h7 + h) | 0;
 803 | 
 804 |         off += 64;
 805 |         len -= 64;
 806 |       }
 807 |     }
 808 | 
 809 |     blocks(m);
 810 | 
 811 |     var i, bytesLeft = m.length % 64,
 812 |         bitLenHi = (m.length / 0x20000000) | 0,
 813 |         bitLenLo = m.length << 3,
 814 |         numZeros = (bytesLeft < 56) ? 56 : 120,
 815 |         p = m.slice(m.length - bytesLeft, m.length);
 816 | 
 817 |     p.push(0x80);
 818 |     for (i = bytesLeft + 1; i < numZeros; i++) p.push(0);
 819 |     p.push((bitLenHi>>>24) & 0xff);
 820 |     p.push((bitLenHi>>>16) & 0xff);
 821 |     p.push((bitLenHi>>>8)  & 0xff);
 822 |     p.push((bitLenHi>>>0)  & 0xff);
 823 |     p.push((bitLenLo>>>24) & 0xff);
 824 |     p.push((bitLenLo>>>16) & 0xff);
 825 |     p.push((bitLenLo>>>8)  & 0xff);
 826 |     p.push((bitLenLo>>>0)  & 0xff);
 827 | 
 828 |     blocks(p);
 829 | 
 830 |     return [
 831 |       (h0>>>24) & 0xff, (h0>>>16) & 0xff, (h0>>>8) & 0xff, (h0>>>0) & 0xff,
 832 |       (h1>>>24) & 0xff, (h1>>>16) & 0xff, (h1>>>8) & 0xff, (h1>>>0) & 0xff,
 833 |       (h2>>>24) & 0xff, (h2>>>16) & 0xff, (h2>>>8) & 0xff, (h2>>>0) & 0xff,
 834 |       (h3>>>24) & 0xff, (h3>>>16) & 0xff, (h3>>>8) & 0xff, (h3>>>0) & 0xff,
 835 |       (h4>>>24) & 0xff, (h4>>>16) & 0xff, (h4>>>8) & 0xff, (h4>>>0) & 0xff,
 836 |       (h5>>>24) & 0xff, (h5>>>16) & 0xff, (h5>>>8) & 0xff, (h5>>>0) & 0xff,
 837 |       (h6>>>24) & 0xff, (h6>>>16) & 0xff, (h6>>>8) & 0xff, (h6>>>0) & 0xff,
 838 |       (h7>>>24) & 0xff, (h7>>>16) & 0xff, (h7>>>8) & 0xff, (h7>>>0) & 0xff
 839 |     ];
 840 |   }
 841 | 
 842 |   function PBKDF2_HMAC_SHA256_OneIter(password, salt, dkLen) {
 843 |     // compress password if it's longer than hash block length
 844 |     if(password.length > 64) {
 845 |       // SHA256 expects password to be an Array. If it's not
 846 |       // (i.e. it doesn't have .push method), convert it to one.
 847 |       password = SHA256(password.push ? password : Array.prototype.slice.call(password, 0));
 848 |     }
 849 | 
 850 |     var i, innerLen = 64 + salt.length + 4,
 851 |         inner = new Array(innerLen),
 852 |         outerKey = new Array(64),
 853 |         dk = [];
 854 | 
 855 |     // inner = (password ^ ipad) || salt || counter
 856 |     for (i = 0; i < 64; i++) inner[i] = 0x36;
 857 |     for (i = 0; i < password.length; i++) inner[i] ^= password[i];
 858 |     for (i = 0; i < salt.length; i++) inner[64+i] = salt[i];
 859 |     for (i = innerLen - 4; i < innerLen; i++) inner[i] = 0;
 860 | 
 861 |     // outerKey = password ^ opad
 862 |     for (i = 0; i < 64; i++) outerKey[i] = 0x5c;
 863 |     for (i = 0; i < password.length; i++) outerKey[i] ^= password[i];
 864 | 
 865 |     // increments counter inside inner
 866 |     function incrementCounter() {
 867 |       for (var i = innerLen-1; i >= innerLen-4; i--) {
 868 |         inner[i]++;
 869 |         if (inner[i] <= 0xff) return;
 870 |         inner[i] = 0;
 871 |       }
 872 |     }
 873 | 
 874 |     // output blocks = SHA256(outerKey || SHA256(inner)) ...
 875 |     while (dkLen >= 32) {
 876 |       incrementCounter();
 877 |       dk = dk.concat(SHA256(outerKey.concat(SHA256(inner))));
 878 |       dkLen -= 32;
 879 |     }
 880 |     if (dkLen > 0) {
 881 |       incrementCounter();
 882 |       dk = dk.concat(SHA256(outerKey.concat(SHA256(inner))).slice(0, dkLen));
 883 |     }
 884 |     return dk;
 885 |   }
 886 | 
 887 |   function salsaXOR(tmp, B, bin, bout) {
 888 |     var j0  = tmp[0]  ^ B[bin++],
 889 |         j1  = tmp[1]  ^ B[bin++],
 890 |         j2  = tmp[2]  ^ B[bin++],
 891 |         j3  = tmp[3]  ^ B[bin++],
 892 |         j4  = tmp[4]  ^ B[bin++],
 893 |         j5  = tmp[5]  ^ B[bin++],
 894 |         j6  = tmp[6]  ^ B[bin++],
 895 |         j7  = tmp[7]  ^ B[bin++],
 896 |         j8  = tmp[8]  ^ B[bin++],
 897 |         j9  = tmp[9]  ^ B[bin++],
 898 |         j10 = tmp[10] ^ B[bin++],
 899 |         j11 = tmp[11] ^ B[bin++],
 900 |         j12 = tmp[12] ^ B[bin++],
 901 |         j13 = tmp[13] ^ B[bin++],
 902 |         j14 = tmp[14] ^ B[bin++],
 903 |         j15 = tmp[15] ^ B[bin++],
 904 |         u, i;
 905 | 
 906 |     var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
 907 |         x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
 908 |         x15 = j15;
 909 | 
 910 |     for (i = 0; i < 8; i += 2) {
 911 |       u =  x0 + x12;   x4 ^= u<<7  | u>>>(32-7);
 912 |       u =  x4 +  x0;   x8 ^= u<<9  | u>>>(32-9);
 913 |       u =  x8 +  x4;  x12 ^= u<<13 | u>>>(32-13);
 914 |       u = x12 +  x8;   x0 ^= u<<18 | u>>>(32-18);
 915 | 
 916 |       u =  x5 +  x1;   x9 ^= u<<7  | u>>>(32-7);
 917 |       u =  x9 +  x5;  x13 ^= u<<9  | u>>>(32-9);
 918 |       u = x13 +  x9;   x1 ^= u<<13 | u>>>(32-13);
 919 |       u =  x1 + x13;   x5 ^= u<<18 | u>>>(32-18);
 920 | 
 921 |       u = x10 +  x6;  x14 ^= u<<7  | u>>>(32-7);
 922 |       u = x14 + x10;   x2 ^= u<<9  | u>>>(32-9);
 923 |       u =  x2 + x14;   x6 ^= u<<13 | u>>>(32-13);
 924 |       u =  x6 +  x2;  x10 ^= u<<18 | u>>>(32-18);
 925 | 
 926 |       u = x15 + x11;   x3 ^= u<<7  | u>>>(32-7);
 927 |       u =  x3 + x15;   x7 ^= u<<9  | u>>>(32-9);
 928 |       u =  x7 +  x3;  x11 ^= u<<13 | u>>>(32-13);
 929 |       u = x11 +  x7;  x15 ^= u<<18 | u>>>(32-18);
 930 | 
 931 |       u =  x0 +  x3;   x1 ^= u<<7  | u>>>(32-7);
 932 |       u =  x1 +  x0;   x2 ^= u<<9  | u>>>(32-9);
 933 |       u =  x2 +  x1;   x3 ^= u<<13 | u>>>(32-13);
 934 |       u =  x3 +  x2;   x0 ^= u<<18 | u>>>(32-18);
 935 | 
 936 |       u =  x5 +  x4;   x6 ^= u<<7  | u>>>(32-7);
 937 |       u =  x6 +  x5;   x7 ^= u<<9  | u>>>(32-9);
 938 |       u =  x7 +  x6;   x4 ^= u<<13 | u>>>(32-13);
 939 |       u =  x4 +  x7;   x5 ^= u<<18 | u>>>(32-18);
 940 | 
 941 |       u = x10 +  x9;  x11 ^= u<<7  | u>>>(32-7);
 942 |       u = x11 + x10;   x8 ^= u<<9  | u>>>(32-9);
 943 |       u =  x8 + x11;   x9 ^= u<<13 | u>>>(32-13);
 944 |       u =  x9 +  x8;  x10 ^= u<<18 | u>>>(32-18);
 945 | 
 946 |       u = x15 + x14;  x12 ^= u<<7  | u>>>(32-7);
 947 |       u = x12 + x15;  x13 ^= u<<9  | u>>>(32-9);
 948 |       u = x13 + x12;  x14 ^= u<<13 | u>>>(32-13);
 949 |       u = x14 + x13;  x15 ^= u<<18 | u>>>(32-18);
 950 |     }
 951 | 
 952 |     B[bout++] = tmp[0]  = (x0  + j0)  | 0;
 953 |     B[bout++] = tmp[1]  = (x1  + j1)  | 0;
 954 |     B[bout++] = tmp[2]  = (x2  + j2)  | 0;
 955 |     B[bout++] = tmp[3]  = (x3  + j3)  | 0;
 956 |     B[bout++] = tmp[4]  = (x4  + j4)  | 0;
 957 |     B[bout++] = tmp[5]  = (x5  + j5)  | 0;
 958 |     B[bout++] = tmp[6]  = (x6  + j6)  | 0;
 959 |     B[bout++] = tmp[7]  = (x7  + j7)  | 0;
 960 |     B[bout++] = tmp[8]  = (x8  + j8)  | 0;
 961 |     B[bout++] = tmp[9]  = (x9  + j9)  | 0;
 962 |     B[bout++] = tmp[10] = (x10 + j10) | 0;
 963 |     B[bout++] = tmp[11] = (x11 + j11) | 0;
 964 |     B[bout++] = tmp[12] = (x12 + j12) | 0;
 965 |     B[bout++] = tmp[13] = (x13 + j13) | 0;
 966 |     B[bout++] = tmp[14] = (x14 + j14) | 0;
 967 |     B[bout++] = tmp[15] = (x15 + j15) | 0;
 968 |   }
 969 | 
 970 |   function blockCopy(dst, di, src, si, len) {
 971 |     while (len--) dst[di++] = src[si++];
 972 |   }
 973 | 
 974 |   function blockXOR(dst, di, src, si, len) {
 975 |     while (len--) dst[di++] ^= src[si++];
 976 |   }
 977 | 
 978 |   function blockMix(tmp, B, bin, bout, r) {
 979 |     blockCopy(tmp, 0, B, bin + (2*r-1)*16, 16);
 980 |     for (var i = 0; i < 2*r; i += 2) {
 981 |       salsaXOR(tmp, B, bin + i*16,      bout + i*8);
 982 |       salsaXOR(tmp, B, bin + i*16 + 16, bout + i*8 + r*16);
 983 |     }
 984 |   }
 985 | 
 986 |   function integerify(B, bi, r) {
 987 |     return B[bi+(2*r-1)*16];
 988 |   }
 989 | 
 990 |   function stringToUTF8Bytes(s) {
 991 |     var arr = [];
 992 |     for (var i = 0; i < s.length; i++) {
 993 |       var c = s.charCodeAt(i);
 994 |       if (c < 0x80) {
 995 |         arr.push(c);
 996 |       } else if (c < 0x800) {
 997 |         arr.push(0xc0 | c >> 6);
 998 |         arr.push(0x80 | c & 0x3f);
 999 |       } else if (c < 0xd800) {
1000 |         arr.push(0xe0 | c >> 12);
1001 |         arr.push(0x80 | (c >> 6) & 0x3f);
1002 |         arr.push(0x80 | c & 0x3f);
1003 |       } else {
1004 |         if (i >= s.length - 1) {
1005 |           throw new Error('invalid string');
1006 |         }
1007 |         i++; // get one more character
1008 |         c = (c & 0x3ff) << 10;
1009 |         c |= s.charCodeAt(i) & 0x3ff;
1010 |         c += 0x10000;
1011 | 
1012 |         arr.push(0xf0 | c >> 18);
1013 |         arr.push(0x80 | (c >> 12) & 0x3f);
1014 |         arr.push(0x80 | (c >> 6) & 0x3f);
1015 |         arr.push(0x80 | c & 0x3f);
1016 |       }
1017 |     }
1018 |     return arr;
1019 |   }
1020 | 
1021 |   function bytesToHex(p) {
1022 |     /** @const */
1023 |     var enc = '0123456789abcdef'.split('');
1024 | 
1025 |     var len = p.length,
1026 |         arr = [],
1027 |         i = 0;
1028 | 
1029 |     for (; i < len; i++) {
1030 |         arr.push(enc[(p[i]>>>4) & 15]);
1031 |         arr.push(enc[(p[i]>>>0) & 15]);
1032 |     }
1033 |     return arr.join('');
1034 |   }
1035 | 
1036 |   function bytesToBase64(p) {
1037 |     /** @const */
1038 |     var enc = ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' +
1039 |               '0123456789+/').split('');
1040 | 
1041 |     var len = p.length,
1042 |         arr = [],
1043 |         i = 0,
1044 |         a, b, c, t;
1045 | 
1046 |     while (i < len) {
1047 |       a = i < len ? p[i++] : 0;
1048 |       b = i < len ? p[i++] : 0;
1049 |       c = i < len ? p[i++] : 0;
1050 |       t = (a << 16) + (b << 8) + c;
1051 |       arr.push(enc[(t >>> 3 * 6) & 63]);
1052 |       arr.push(enc[(t >>> 2 * 6) & 63]);
1053 |       arr.push(enc[(t >>> 1 * 6) & 63]);
1054 |       arr.push(enc[(t >>> 0 * 6) & 63]);
1055 |     }
1056 |     if (len % 3 > 0) {
1057 |       arr[arr.length-1] = '=';
1058 |       if (len % 3 === 1) arr[arr.length-2] = '=';
1059 |     }
1060 |     return arr.join('');
1061 |   }
1062 | 
1063 | 
1064 |   // Generate key.
1065 | 
1066 |   var MAX_UINT = (-1)>>>0,
1067 |       p = 1;
1068 | 
1069 |   if (typeof logN === "object") {
1070 |     // Called as: scrypt(password, salt, opts, callback)
1071 |     if (arguments.length > 4) {
1072 |       throw new Error('scrypt: incorrect number of arguments');
1073 |     }
1074 | 
1075 |     var opts = logN;
1076 | 
1077 |     callback = r;
1078 |     logN = opts.logN;
1079 |     if (typeof logN === 'undefined') {
1080 |       if (typeof opts.N !== 'undefined') {
1081 |         if (opts.N < 2 || opts.N > MAX_UINT)
1082 |           throw new Error('scrypt: N is out of range');
1083 | 
1084 |         if ((opts.N & (opts.N - 1)) !== 0)
1085 |           throw new Error('scrypt: N is not a power of 2');
1086 | 
1087 |         logN = Math.log(opts.N) / Math.LN2;
1088 |       } else {
1089 |         throw new Error('scrypt: missing N parameter');
1090 |       }
1091 |     }
1092 | 
1093 |     // XXX: If opts.p or opts.dkLen is 0, it will be set to the default value
1094 |     // instead of throwing due to incorrect value. To avoid breaking
1095 |     // compatibility, this will only be changed in the next major version.
1096 |     p = opts.p || 1;
1097 |     r = opts.r;
1098 |     dkLen = opts.dkLen || 32;
1099 |     interruptStep = opts.interruptStep || 0;
1100 |     encoding = opts.encoding;
1101 |   }
1102 | 
1103 |   if (p < 1)
1104 |     throw new Error('scrypt: invalid p');
1105 | 
1106 |   if (r <= 0)
1107 |     throw new Error('scrypt: invalid r');
1108 | 
1109 |   if (logN < 1 || logN > 31)
1110 |     throw new Error('scrypt: logN must be between 1 and 31');
1111 | 
1112 | 
1113 |   var N = (1<<logN)>>>0,
1114 |       XY, V, B, tmp;
1115 | 
1116 |   if (r*p >= 1<<30 || r > MAX_UINT/128/p || r > MAX_UINT/256 || N > MAX_UINT/128/r)
1117 |     throw new Error('scrypt: parameters are too large');
1118 | 
1119 |   // Decode strings.
1120 |   if (typeof password === 'string')
1121 |     password = stringToUTF8Bytes(password);
1122 |   if (typeof salt === 'string')
1123 |     salt = stringToUTF8Bytes(salt);
1124 | 
1125 |   if (typeof Int32Array !== 'undefined') {
1126 |     //XXX We can use Uint32Array, but Int32Array is faster in Safari.
1127 |     XY = new Int32Array(64*r);
1128 |     V = new Int32Array(32*N*r);
1129 |     tmp = new Int32Array(16);
1130 |   } else {
1131 |     XY = [];
1132 |     V = [];
1133 |     tmp = new Array(16);
1134 |   }
1135 |   B = PBKDF2_HMAC_SHA256_OneIter(password, salt, p*128*r);
1136 | 
1137 |   var xi = 0, yi = 32 * r;
1138 | 
1139 |   function smixStart(pos) {
1140 |     for (var i = 0; i < 32*r; i++) {
1141 |       var j = pos + i*4;
1142 |       XY[xi+i] = ((B[j+3] & 0xff)<<24) | ((B[j+2] & 0xff)<<16) |
1143 |                  ((B[j+1] & 0xff)<<8)  | ((B[j+0] & 0xff)<<0);
1144 |     }
1145 |   }
1146 | 
1147 |   function smixStep1(start, end) {
1148 |     for (var i = start; i < end; i += 2) {
1149 |       blockCopy(V, i*(32*r), XY, xi, 32*r);
1150 |       blockMix(tmp, XY, xi, yi, r);
1151 | 
1152 |       blockCopy(V, (i+1)*(32*r), XY, yi, 32*r);
1153 |       blockMix(tmp, XY, yi, xi, r);
1154 |     }
1155 |   }
1156 | 
1157 |   function smixStep2(start, end) {
1158 |     for (var i = start; i < end; i += 2) {
1159 |       var j = integerify(XY, xi, r) & (N-1);
1160 |       blockXOR(XY, xi, V, j*(32*r), 32*r);
1161 |       blockMix(tmp, XY, xi, yi, r);
1162 | 
1163 |       j = integerify(XY, yi, r) & (N-1);
1164 |       blockXOR(XY, yi, V, j*(32*r), 32*r);
1165 |       blockMix(tmp, XY, yi, xi, r);
1166 |     }
1167 |   }
1168 | 
1169 |   function smixFinish(pos) {
1170 |     for (var i = 0; i < 32*r; i++) {
1171 |       var j = XY[xi+i];
1172 |       B[pos + i*4 + 0] = (j>>>0)  & 0xff;
1173 |       B[pos + i*4 + 1] = (j>>>8)  & 0xff;
1174 |       B[pos + i*4 + 2] = (j>>>16) & 0xff;
1175 |       B[pos + i*4 + 3] = (j>>>24) & 0xff;
1176 |     }
1177 |   }
1178 | 
1179 |   var nextTick = (typeof setImmediate !== 'undefined') ? setImmediate : setTimeout;
1180 | 
1181 |   function interruptedFor(start, end, step, fn, donefn) {
1182 |     (function performStep() {
1183 |       nextTick(function() {
1184 |         fn(start, start + step < end ? start + step : end);
1185 |         start += step;
1186 |         if (start < end)
1187 |           performStep();
1188 |         else
1189 |           donefn();
1190 |         });
1191 |     })();
1192 |   }
1193 | 
1194 |   function getResult(enc) {
1195 |       var result = PBKDF2_HMAC_SHA256_OneIter(password, B, dkLen);
1196 |       if (enc === 'base64')
1197 |         return bytesToBase64(result);
1198 |       else if (enc === 'hex')
1199 |         return bytesToHex(result);
1200 |       else if (enc === 'binary')
1201 |         return new Uint8Array(result);
1202 |       else
1203 |         return result;
1204 |   }
1205 | 
1206 |   // Blocking variant.
1207 |   function calculateSync() {
1208 |     for (var i = 0; i < p; i++) {
1209 |       smixStart(i*128*r);
1210 |       smixStep1(0, N);
1211 |       smixStep2(0, N);
1212 |       smixFinish(i*128*r);
1213 |     }
1214 |     callback(getResult(encoding));
1215 |   }
1216 | 
1217 |   // Async variant.
1218 |   function calculateAsync(i) {
1219 |       smixStart(i*128*r);
1220 |       interruptedFor(0, N, interruptStep*2, smixStep1, function() {
1221 |         interruptedFor(0, N, interruptStep*2, smixStep2, function () {
1222 |           smixFinish(i*128*r);
1223 |           if (i + 1 < p) {
1224 |             nextTick(function() { calculateAsync(i + 1); });
1225 |           } else {
1226 |             callback(getResult(encoding));
1227 |           }
1228 |         });
1229 |       });
1230 |   }
1231 | 
1232 |   if (typeof interruptStep === 'function') {
1233 |     // Called as: scrypt(...,      callback, [encoding])
1234 |     //  shifting: scrypt(..., interruptStep,  callback, [encoding])
1235 |     encoding = callback;
1236 |     callback = interruptStep;
1237 |     interruptStep = 1000;
1238 |   }
1239 | 
1240 |   if (interruptStep <= 0) {
1241 |     calculateSync();
1242 |   } else {
1243 |     calculateAsync(0);
1244 |   }
1245 | }
1246 | 
1247 | if (typeof module !== 'undefined') module.exports = scrypt;
1248 | 
1249 | },{}],6:[function(require,module,exports){
1250 | (function(nacl) {
1251 | 'use strict';
1252 | 
1253 | // Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
1254 | // Public domain.
1255 | //
1256 | // Implementation derived from TweetNaCl version 20140427.
1257 | // See for details: http://tweetnacl.cr.yp.to/
1258 | 
1259 | var gf = function(init) {
1260 |   var i, r = new Float64Array(16);
1261 |   if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
1262 |   return r;
1263 | };
1264 | 
1265 | //  Pluggable, initialized in high-level API below.
1266 | var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };
1267 | 
1268 | var _0 = new Uint8Array(16);
1269 | var _9 = new Uint8Array(32); _9[0] = 9;
1270 | 
1271 | var gf0 = gf(),
1272 |     gf1 = gf([1]),
1273 |     _121665 = gf([0xdb41, 1]),
1274 |     D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
1275 |     D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),
1276 |     X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),
1277 |     Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),
1278 |     I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
1279 | 
1280 | function ts64(x, i, h, l) {
1281 |   x[i]   = (h >> 24) & 0xff;
1282 |   x[i+1] = (h >> 16) & 0xff;
1283 |   x[i+2] = (h >>  8) & 0xff;
1284 |   x[i+3] = h & 0xff;
1285 |   x[i+4] = (l >> 24)  & 0xff;
1286 |   x[i+5] = (l >> 16)  & 0xff;
1287 |   x[i+6] = (l >>  8)  & 0xff;
1288 |   x[i+7] = l & 0xff;
1289 | }
1290 | 
1291 | function vn(x, xi, y, yi, n) {
1292 |   var i,d = 0;
1293 |   for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];
1294 |   return (1 & ((d - 1) >>> 8)) - 1;
1295 | }
1296 | 
1297 | function crypto_verify_16(x, xi, y, yi) {
1298 |   return vn(x,xi,y,yi,16);
1299 | }
1300 | 
1301 | function crypto_verify_32(x, xi, y, yi) {
1302 |   return vn(x,xi,y,yi,32);
1303 | }
1304 | 
1305 | function core_salsa20(o, p, k, c) {
1306 |   var j0  = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
1307 |       j1  = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
1308 |       j2  = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
1309 |       j3  = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
1310 |       j4  = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
1311 |       j5  = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
1312 |       j6  = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
1313 |       j7  = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
1314 |       j8  = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
1315 |       j9  = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
1316 |       j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
1317 |       j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
1318 |       j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
1319 |       j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
1320 |       j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
1321 |       j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
1322 | 
1323 |   var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
1324 |       x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
1325 |       x15 = j15, u;
1326 | 
1327 |   for (var i = 0; i < 20; i += 2) {
1328 |     u = x0 + x12 | 0;
1329 |     x4 ^= u<<7 | u>>>(32-7);
1330 |     u = x4 + x0 | 0;
1331 |     x8 ^= u<<9 | u>>>(32-9);
1332 |     u = x8 + x4 | 0;
1333 |     x12 ^= u<<13 | u>>>(32-13);
1334 |     u = x12 + x8 | 0;
1335 |     x0 ^= u<<18 | u>>>(32-18);
1336 | 
1337 |     u = x5 + x1 | 0;
1338 |     x9 ^= u<<7 | u>>>(32-7);
1339 |     u = x9 + x5 | 0;
1340 |     x13 ^= u<<9 | u>>>(32-9);
1341 |     u = x13 + x9 | 0;
1342 |     x1 ^= u<<13 | u>>>(32-13);
1343 |     u = x1 + x13 | 0;
1344 |     x5 ^= u<<18 | u>>>(32-18);
1345 | 
1346 |     u = x10 + x6 | 0;
1347 |     x14 ^= u<<7 | u>>>(32-7);
1348 |     u = x14 + x10 | 0;
1349 |     x2 ^= u<<9 | u>>>(32-9);
1350 |     u = x2 + x14 | 0;
1351 |     x6 ^= u<<13 | u>>>(32-13);
1352 |     u = x6 + x2 | 0;
1353 |     x10 ^= u<<18 | u>>>(32-18);
1354 | 
1355 |     u = x15 + x11 | 0;
1356 |     x3 ^= u<<7 | u>>>(32-7);
1357 |     u = x3 + x15 | 0;
1358 |     x7 ^= u<<9 | u>>>(32-9);
1359 |     u = x7 + x3 | 0;
1360 |     x11 ^= u<<13 | u>>>(32-13);
1361 |     u = x11 + x7 | 0;
1362 |     x15 ^= u<<18 | u>>>(32-18);
1363 | 
1364 |     u = x0 + x3 | 0;
1365 |     x1 ^= u<<7 | u>>>(32-7);
1366 |     u = x1 + x0 | 0;
1367 |     x2 ^= u<<9 | u>>>(32-9);
1368 |     u = x2 + x1 | 0;
1369 |     x3 ^= u<<13 | u>>>(32-13);
1370 |     u = x3 + x2 | 0;
1371 |     x0 ^= u<<18 | u>>>(32-18);
1372 | 
1373 |     u = x5 + x4 | 0;
1374 |     x6 ^= u<<7 | u>>>(32-7);
1375 |     u = x6 + x5 | 0;
1376 |     x7 ^= u<<9 | u>>>(32-9);
1377 |     u = x7 + x6 | 0;
1378 |     x4 ^= u<<13 | u>>>(32-13);
1379 |     u = x4 + x7 | 0;
1380 |     x5 ^= u<<18 | u>>>(32-18);
1381 | 
1382 |     u = x10 + x9 | 0;
1383 |     x11 ^= u<<7 | u>>>(32-7);
1384 |     u = x11 + x10 | 0;
1385 |     x8 ^= u<<9 | u>>>(32-9);
1386 |     u = x8 + x11 | 0;
1387 |     x9 ^= u<<13 | u>>>(32-13);
1388 |     u = x9 + x8 | 0;
1389 |     x10 ^= u<<18 | u>>>(32-18);
1390 | 
1391 |     u = x15 + x14 | 0;
1392 |     x12 ^= u<<7 | u>>>(32-7);
1393 |     u = x12 + x15 | 0;
1394 |     x13 ^= u<<9 | u>>>(32-9);
1395 |     u = x13 + x12 | 0;
1396 |     x14 ^= u<<13 | u>>>(32-13);
1397 |     u = x14 + x13 | 0;
1398 |     x15 ^= u<<18 | u>>>(32-18);
1399 |   }
1400 |    x0 =  x0 +  j0 | 0;
1401 |    x1 =  x1 +  j1 | 0;
1402 |    x2 =  x2 +  j2 | 0;
1403 |    x3 =  x3 +  j3 | 0;
1404 |    x4 =  x4 +  j4 | 0;
1405 |    x5 =  x5 +  j5 | 0;
1406 |    x6 =  x6 +  j6 | 0;
1407 |    x7 =  x7 +  j7 | 0;
1408 |    x8 =  x8 +  j8 | 0;
1409 |    x9 =  x9 +  j9 | 0;
1410 |   x10 = x10 + j10 | 0;
1411 |   x11 = x11 + j11 | 0;
1412 |   x12 = x12 + j12 | 0;
1413 |   x13 = x13 + j13 | 0;
1414 |   x14 = x14 + j14 | 0;
1415 |   x15 = x15 + j15 | 0;
1416 | 
1417 |   o[ 0] = x0 >>>  0 & 0xff;
1418 |   o[ 1] = x0 >>>  8 & 0xff;
1419 |   o[ 2] = x0 >>> 16 & 0xff;
1420 |   o[ 3] = x0 >>> 24 & 0xff;
1421 | 
1422 |   o[ 4] = x1 >>>  0 & 0xff;
1423 |   o[ 5] = x1 >>>  8 & 0xff;
1424 |   o[ 6] = x1 >>> 16 & 0xff;
1425 |   o[ 7] = x1 >>> 24 & 0xff;
1426 | 
1427 |   o[ 8] = x2 >>>  0 & 0xff;
1428 |   o[ 9] = x2 >>>  8 & 0xff;
1429 |   o[10] = x2 >>> 16 & 0xff;
1430 |   o[11] = x2 >>> 24 & 0xff;
1431 | 
1432 |   o[12] = x3 >>>  0 & 0xff;
1433 |   o[13] = x3 >>>  8 & 0xff;
1434 |   o[14] = x3 >>> 16 & 0xff;
1435 |   o[15] = x3 >>> 24 & 0xff;
1436 | 
1437 |   o[16] = x4 >>>  0 & 0xff;
1438 |   o[17] = x4 >>>  8 & 0xff;
1439 |   o[18] = x4 >>> 16 & 0xff;
1440 |   o[19] = x4 >>> 24 & 0xff;
1441 | 
1442 |   o[20] = x5 >>>  0 & 0xff;
1443 |   o[21] = x5 >>>  8 & 0xff;
1444 |   o[22] = x5 >>> 16 & 0xff;
1445 |   o[23] = x5 >>> 24 & 0xff;
1446 | 
1447 |   o[24] = x6 >>>  0 & 0xff;
1448 |   o[25] = x6 >>>  8 & 0xff;
1449 |   o[26] = x6 >>> 16 & 0xff;
1450 |   o[27] = x6 >>> 24 & 0xff;
1451 | 
1452 |   o[28] = x7 >>>  0 & 0xff;
1453 |   o[29] = x7 >>>  8 & 0xff;
1454 |   o[30] = x7 >>> 16 & 0xff;
1455 |   o[31] = x7 >>> 24 & 0xff;
1456 | 
1457 |   o[32] = x8 >>>  0 & 0xff;
1458 |   o[33] = x8 >>>  8 & 0xff;
1459 |   o[34] = x8 >>> 16 & 0xff;
1460 |   o[35] = x8 >>> 24 & 0xff;
1461 | 
1462 |   o[36] = x9 >>>  0 & 0xff;
1463 |   o[37] = x9 >>>  8 & 0xff;
1464 |   o[38] = x9 >>> 16 & 0xff;
1465 |   o[39] = x9 >>> 24 & 0xff;
1466 | 
1467 |   o[40] = x10 >>>  0 & 0xff;
1468 |   o[41] = x10 >>>  8 & 0xff;
1469 |   o[42] = x10 >>> 16 & 0xff;
1470 |   o[43] = x10 >>> 24 & 0xff;
1471 | 
1472 |   o[44] = x11 >>>  0 & 0xff;
1473 |   o[45] = x11 >>>  8 & 0xff;
1474 |   o[46] = x11 >>> 16 & 0xff;
1475 |   o[47] = x11 >>> 24 & 0xff;
1476 | 
1477 |   o[48] = x12 >>>  0 & 0xff;
1478 |   o[49] = x12 >>>  8 & 0xff;
1479 |   o[50] = x12 >>> 16 & 0xff;
1480 |   o[51] = x12 >>> 24 & 0xff;
1481 | 
1482 |   o[52] = x13 >>>  0 & 0xff;
1483 |   o[53] = x13 >>>  8 & 0xff;
1484 |   o[54] = x13 >>> 16 & 0xff;
1485 |   o[55] = x13 >>> 24 & 0xff;
1486 | 
1487 |   o[56] = x14 >>>  0 & 0xff;
1488 |   o[57] = x14 >>>  8 & 0xff;
1489 |   o[58] = x14 >>> 16 & 0xff;
1490 |   o[59] = x14 >>> 24 & 0xff;
1491 | 
1492 |   o[60] = x15 >>>  0 & 0xff;
1493 |   o[61] = x15 >>>  8 & 0xff;
1494 |   o[62] = x15 >>> 16 & 0xff;
1495 |   o[63] = x15 >>> 24 & 0xff;
1496 | }
1497 | 
1498 | function core_hsalsa20(o,p,k,c) {
1499 |   var j0  = c[ 0] & 0xff | (c[ 1] & 0xff)<<8 | (c[ 2] & 0xff)<<16 | (c[ 3] & 0xff)<<24,
1500 |       j1  = k[ 0] & 0xff | (k[ 1] & 0xff)<<8 | (k[ 2] & 0xff)<<16 | (k[ 3] & 0xff)<<24,
1501 |       j2  = k[ 4] & 0xff | (k[ 5] & 0xff)<<8 | (k[ 6] & 0xff)<<16 | (k[ 7] & 0xff)<<24,
1502 |       j3  = k[ 8] & 0xff | (k[ 9] & 0xff)<<8 | (k[10] & 0xff)<<16 | (k[11] & 0xff)<<24,
1503 |       j4  = k[12] & 0xff | (k[13] & 0xff)<<8 | (k[14] & 0xff)<<16 | (k[15] & 0xff)<<24,
1504 |       j5  = c[ 4] & 0xff | (c[ 5] & 0xff)<<8 | (c[ 6] & 0xff)<<16 | (c[ 7] & 0xff)<<24,
1505 |       j6  = p[ 0] & 0xff | (p[ 1] & 0xff)<<8 | (p[ 2] & 0xff)<<16 | (p[ 3] & 0xff)<<24,
1506 |       j7  = p[ 4] & 0xff | (p[ 5] & 0xff)<<8 | (p[ 6] & 0xff)<<16 | (p[ 7] & 0xff)<<24,
1507 |       j8  = p[ 8] & 0xff | (p[ 9] & 0xff)<<8 | (p[10] & 0xff)<<16 | (p[11] & 0xff)<<24,
1508 |       j9  = p[12] & 0xff | (p[13] & 0xff)<<8 | (p[14] & 0xff)<<16 | (p[15] & 0xff)<<24,
1509 |       j10 = c[ 8] & 0xff | (c[ 9] & 0xff)<<8 | (c[10] & 0xff)<<16 | (c[11] & 0xff)<<24,
1510 |       j11 = k[16] & 0xff | (k[17] & 0xff)<<8 | (k[18] & 0xff)<<16 | (k[19] & 0xff)<<24,
1511 |       j12 = k[20] & 0xff | (k[21] & 0xff)<<8 | (k[22] & 0xff)<<16 | (k[23] & 0xff)<<24,
1512 |       j13 = k[24] & 0xff | (k[25] & 0xff)<<8 | (k[26] & 0xff)<<16 | (k[27] & 0xff)<<24,
1513 |       j14 = k[28] & 0xff | (k[29] & 0xff)<<8 | (k[30] & 0xff)<<16 | (k[31] & 0xff)<<24,
1514 |       j15 = c[12] & 0xff | (c[13] & 0xff)<<8 | (c[14] & 0xff)<<16 | (c[15] & 0xff)<<24;
1515 | 
1516 |   var x0 = j0, x1 = j1, x2 = j2, x3 = j3, x4 = j4, x5 = j5, x6 = j6, x7 = j7,
1517 |       x8 = j8, x9 = j9, x10 = j10, x11 = j11, x12 = j12, x13 = j13, x14 = j14,
1518 |       x15 = j15, u;
1519 | 
1520 |   for (var i = 0; i < 20; i += 2) {
1521 |     u = x0 + x12 | 0;
1522 |     x4 ^= u<<7 | u>>>(32-7);
1523 |     u = x4 + x0 | 0;
1524 |     x8 ^= u<<9 | u>>>(32-9);
1525 |     u = x8 + x4 | 0;
1526 |     x12 ^= u<<13 | u>>>(32-13);
1527 |     u = x12 + x8 | 0;
1528 |     x0 ^= u<<18 | u>>>(32-18);
1529 | 
1530 |     u = x5 + x1 | 0;
1531 |     x9 ^= u<<7 | u>>>(32-7);
1532 |     u = x9 + x5 | 0;
1533 |     x13 ^= u<<9 | u>>>(32-9);
1534 |     u = x13 + x9 | 0;
1535 |     x1 ^= u<<13 | u>>>(32-13);
1536 |     u = x1 + x13 | 0;
1537 |     x5 ^= u<<18 | u>>>(32-18);
1538 | 
1539 |     u = x10 + x6 | 0;
1540 |     x14 ^= u<<7 | u>>>(32-7);
1541 |     u = x14 + x10 | 0;
1542 |     x2 ^= u<<9 | u>>>(32-9);
1543 |     u = x2 + x14 | 0;
1544 |     x6 ^= u<<13 | u>>>(32-13);
1545 |     u = x6 + x2 | 0;
1546 |     x10 ^= u<<18 | u>>>(32-18);
1547 | 
1548 |     u = x15 + x11 | 0;
1549 |     x3 ^= u<<7 | u>>>(32-7);
1550 |     u = x3 + x15 | 0;
1551 |     x7 ^= u<<9 | u>>>(32-9);
1552 |     u = x7 + x3 | 0;
1553 |     x11 ^= u<<13 | u>>>(32-13);
1554 |     u = x11 + x7 | 0;
1555 |     x15 ^= u<<18 | u>>>(32-18);
1556 | 
1557 |     u = x0 + x3 | 0;
1558 |     x1 ^= u<<7 | u>>>(32-7);
1559 |     u = x1 + x0 | 0;
1560 |     x2 ^= u<<9 | u>>>(32-9);
1561 |     u = x2 + x1 | 0;
1562 |     x3 ^= u<<13 | u>>>(32-13);
1563 |     u = x3 + x2 | 0;
1564 |     x0 ^= u<<18 | u>>>(32-18);
1565 | 
1566 |     u = x5 + x4 | 0;
1567 |     x6 ^= u<<7 | u>>>(32-7);
1568 |     u = x6 + x5 | 0;
1569 |     x7 ^= u<<9 | u>>>(32-9);
1570 |     u = x7 + x6 | 0;
1571 |     x4 ^= u<<13 | u>>>(32-13);
1572 |     u = x4 + x7 | 0;
1573 |     x5 ^= u<<18 | u>>>(32-18);
1574 | 
1575 |     u = x10 + x9 | 0;
1576 |     x11 ^= u<<7 | u>>>(32-7);
1577 |     u = x11 + x10 | 0;
1578 |     x8 ^= u<<9 | u>>>(32-9);
1579 |     u = x8 + x11 | 0;
1580 |     x9 ^= u<<13 | u>>>(32-13);
1581 |     u = x9 + x8 | 0;
1582 |     x10 ^= u<<18 | u>>>(32-18);
1583 | 
1584 |     u = x15 + x14 | 0;
1585 |     x12 ^= u<<7 | u>>>(32-7);
1586 |     u = x12 + x15 | 0;
1587 |     x13 ^= u<<9 | u>>>(32-9);
1588 |     u = x13 + x12 | 0;
1589 |     x14 ^= u<<13 | u>>>(32-13);
1590 |     u = x14 + x13 | 0;
1591 |     x15 ^= u<<18 | u>>>(32-18);
1592 |   }
1593 | 
1594 |   o[ 0] = x0 >>>  0 & 0xff;
1595 |   o[ 1] = x0 >>>  8 & 0xff;
1596 |   o[ 2] = x0 >>> 16 & 0xff;
1597 |   o[ 3] = x0 >>> 24 & 0xff;
1598 | 
1599 |   o[ 4] = x5 >>>  0 & 0xff;
1600 |   o[ 5] = x5 >>>  8 & 0xff;
1601 |   o[ 6] = x5 >>> 16 & 0xff;
1602 |   o[ 7] = x5 >>> 24 & 0xff;
1603 | 
1604 |   o[ 8] = x10 >>>  0 & 0xff;
1605 |   o[ 9] = x10 >>>  8 & 0xff;
1606 |   o[10] = x10 >>> 16 & 0xff;
1607 |   o[11] = x10 >>> 24 & 0xff;
1608 | 
1609 |   o[12] = x15 >>>  0 & 0xff;
1610 |   o[13] = x15 >>>  8 & 0xff;
1611 |   o[14] = x15 >>> 16 & 0xff;
1612 |   o[15] = x15 >>> 24 & 0xff;
1613 | 
1614 |   o[16] = x6 >>>  0 & 0xff;
1615 |   o[17] = x6 >>>  8 & 0xff;
1616 |   o[18] = x6 >>> 16 & 0xff;
1617 |   o[19] = x6 >>> 24 & 0xff;
1618 | 
1619 |   o[20] = x7 >>>  0 & 0xff;
1620 |   o[21] = x7 >>>  8 & 0xff;
1621 |   o[22] = x7 >>> 16 & 0xff;
1622 |   o[23] = x7 >>> 24 & 0xff;
1623 | 
1624 |   o[24] = x8 >>>  0 & 0xff;
1625 |   o[25] = x8 >>>  8 & 0xff;
1626 |   o[26] = x8 >>> 16 & 0xff;
1627 |   o[27] = x8 >>> 24 & 0xff;
1628 | 
1629 |   o[28] = x9 >>>  0 & 0xff;
1630 |   o[29] = x9 >>>  8 & 0xff;
1631 |   o[30] = x9 >>> 16 & 0xff;
1632 |   o[31] = x9 >>> 24 & 0xff;
1633 | }
1634 | 
1635 | function crypto_core_salsa20(out,inp,k,c) {
1636 |   core_salsa20(out,inp,k,c);
1637 | }
1638 | 
1639 | function crypto_core_hsalsa20(out,inp,k,c) {
1640 |   core_hsalsa20(out,inp,k,c);
1641 | }
1642 | 
1643 | var sigma = new Uint8Array([101, 120, 112, 97, 110, 100, 32, 51, 50, 45, 98, 121, 116, 101, 32, 107]);
1644 |             // "expand 32-byte k"
1645 | 
1646 | function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
1647 |   var z = new Uint8Array(16), x = new Uint8Array(64);
1648 |   var u, i;
1649 |   for (i = 0; i < 16; i++) z[i] = 0;
1650 |   for (i = 0; i < 8; i++) z[i] = n[i];
1651 |   while (b >= 64) {
1652 |     crypto_core_salsa20(x,z,k,sigma);
1653 |     for (i = 0; i < 64; i++) c[cpos+i] = m[mpos+i] ^ x[i];
1654 |     u = 1;
1655 |     for (i = 8; i < 16; i++) {
1656 |       u = u + (z[i] & 0xff) | 0;
1657 |       z[i] = u & 0xff;
1658 |       u >>>= 8;
1659 |     }
1660 |     b -= 64;
1661 |     cpos += 64;
1662 |     mpos += 64;
1663 |   }
1664 |   if (b > 0) {
1665 |     crypto_core_salsa20(x,z,k,sigma);
1666 |     for (i = 0; i < b; i++) c[cpos+i] = m[mpos+i] ^ x[i];
1667 |   }
1668 |   return 0;
1669 | }
1670 | 
1671 | function crypto_stream_salsa20(c,cpos,b,n,k) {
1672 |   var z = new Uint8Array(16), x = new Uint8Array(64);
1673 |   var u, i;
1674 |   for (i = 0; i < 16; i++) z[i] = 0;
1675 |   for (i = 0; i < 8; i++) z[i] = n[i];
1676 |   while (b >= 64) {
1677 |     crypto_core_salsa20(x,z,k,sigma);
1678 |     for (i = 0; i < 64; i++) c[cpos+i] = x[i];
1679 |     u = 1;
1680 |     for (i = 8; i < 16; i++) {
1681 |       u = u + (z[i] & 0xff) | 0;
1682 |       z[i] = u & 0xff;
1683 |       u >>>= 8;
1684 |     }
1685 |     b -= 64;
1686 |     cpos += 64;
1687 |   }
1688 |   if (b > 0) {
1689 |     crypto_core_salsa20(x,z,k,sigma);
1690 |     for (i = 0; i < b; i++) c[cpos+i] = x[i];
1691 |   }
1692 |   return 0;
1693 | }
1694 | 
1695 | function crypto_stream(c,cpos,d,n,k) {
1696 |   var s = new Uint8Array(32);
1697 |   crypto_core_hsalsa20(s,n,k,sigma);
1698 |   var sn = new Uint8Array(8);
1699 |   for (var i = 0; i < 8; i++) sn[i] = n[i+16];
1700 |   return crypto_stream_salsa20(c,cpos,d,sn,s);
1701 | }
1702 | 
1703 | function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
1704 |   var s = new Uint8Array(32);
1705 |   crypto_core_hsalsa20(s,n,k,sigma);
1706 |   var sn = new Uint8Array(8);
1707 |   for (var i = 0; i < 8; i++) sn[i] = n[i+16];
1708 |   return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,sn,s);
1709 | }
1710 | 
1711 | /*
1712 | * Port of Andrew Moon's Poly1305-donna-16. Public domain.
1713 | * https://github.com/floodyberry/poly1305-donna
1714 | */
1715 | 
1716 | var poly1305 = function(key) {
1717 |   this.buffer = new Uint8Array(16);
1718 |   this.r = new Uint16Array(10);
1719 |   this.h = new Uint16Array(10);
1720 |   this.pad = new Uint16Array(8);
1721 |   this.leftover = 0;
1722 |   this.fin = 0;
1723 | 
1724 |   var t0, t1, t2, t3, t4, t5, t6, t7;
1725 | 
1726 |   t0 = key[ 0] & 0xff | (key[ 1] & 0xff) << 8; this.r[0] = ( t0                     ) & 0x1fff;
1727 |   t1 = key[ 2] & 0xff | (key[ 3] & 0xff) << 8; this.r[1] = ((t0 >>> 13) | (t1 <<  3)) & 0x1fff;
1728 |   t2 = key[ 4] & 0xff | (key[ 5] & 0xff) << 8; this.r[2] = ((t1 >>> 10) | (t2 <<  6)) & 0x1f03;
1729 |   t3 = key[ 6] & 0xff | (key[ 7] & 0xff) << 8; this.r[3] = ((t2 >>>  7) | (t3 <<  9)) & 0x1fff;
1730 |   t4 = key[ 8] & 0xff | (key[ 9] & 0xff) << 8; this.r[4] = ((t3 >>>  4) | (t4 << 12)) & 0x00ff;
1731 |   this.r[5] = ((t4 >>>  1)) & 0x1ffe;
1732 |   t5 = key[10] & 0xff | (key[11] & 0xff) << 8; this.r[6] = ((t4 >>> 14) | (t5 <<  2)) & 0x1fff;
1733 |   t6 = key[12] & 0xff | (key[13] & 0xff) << 8; this.r[7] = ((t5 >>> 11) | (t6 <<  5)) & 0x1f81;
1734 |   t7 = key[14] & 0xff | (key[15] & 0xff) << 8; this.r[8] = ((t6 >>>  8) | (t7 <<  8)) & 0x1fff;
1735 |   this.r[9] = ((t7 >>>  5)) & 0x007f;
1736 | 
1737 |   this.pad[0] = key[16] & 0xff | (key[17] & 0xff) << 8;
1738 |   this.pad[1] = key[18] & 0xff | (key[19] & 0xff) << 8;
1739 |   this.pad[2] = key[20] & 0xff | (key[21] & 0xff) << 8;
1740 |   this.pad[3] = key[22] & 0xff | (key[23] & 0xff) << 8;
1741 |   this.pad[4] = key[24] & 0xff | (key[25] & 0xff) << 8;
1742 |   this.pad[5] = key[26] & 0xff | (key[27] & 0xff) << 8;
1743 |   this.pad[6] = key[28] & 0xff | (key[29] & 0xff) << 8;
1744 |   this.pad[7] = key[30] & 0xff | (key[31] & 0xff) << 8;
1745 | };
1746 | 
1747 | poly1305.prototype.blocks = function(m, mpos, bytes) {
1748 |   var hibit = this.fin ? 0 : (1 << 11);
1749 |   var t0, t1, t2, t3, t4, t5, t6, t7, c;
1750 |   var d0, d1, d2, d3, d4, d5, d6, d7, d8, d9;
1751 | 
1752 |   var h0 = this.h[0],
1753 |       h1 = this.h[1],
1754 |       h2 = this.h[2],
1755 |       h3 = this.h[3],
1756 |       h4 = this.h[4],
1757 |       h5 = this.h[5],
1758 |       h6 = this.h[6],
1759 |       h7 = this.h[7],
1760 |       h8 = this.h[8],
1761 |       h9 = this.h[9];
1762 | 
1763 |   var r0 = this.r[0],
1764 |       r1 = this.r[1],
1765 |       r2 = this.r[2],
1766 |       r3 = this.r[3],
1767 |       r4 = this.r[4],
1768 |       r5 = this.r[5],
1769 |       r6 = this.r[6],
1770 |       r7 = this.r[7],
1771 |       r8 = this.r[8],
1772 |       r9 = this.r[9];
1773 | 
1774 |   while (bytes >= 16) {
1775 |     t0 = m[mpos+ 0] & 0xff | (m[mpos+ 1] & 0xff) << 8; h0 += ( t0                     ) & 0x1fff;
1776 |     t1 = m[mpos+ 2] & 0xff | (m[mpos+ 3] & 0xff) << 8; h1 += ((t0 >>> 13) | (t1 <<  3)) & 0x1fff;
1777 |     t2 = m[mpos+ 4] & 0xff | (m[mpos+ 5] & 0xff) << 8; h2 += ((t1 >>> 10) | (t2 <<  6)) & 0x1fff;
1778 |     t3 = m[mpos+ 6] & 0xff | (m[mpos+ 7] & 0xff) << 8; h3 += ((t2 >>>  7) | (t3 <<  9)) & 0x1fff;
1779 |     t4 = m[mpos+ 8] & 0xff | (m[mpos+ 9] & 0xff) << 8; h4 += ((t3 >>>  4) | (t4 << 12)) & 0x1fff;
1780 |     h5 += ((t4 >>>  1)) & 0x1fff;
1781 |     t5 = m[mpos+10] & 0xff | (m[mpos+11] & 0xff) << 8; h6 += ((t4 >>> 14) | (t5 <<  2)) & 0x1fff;
1782 |     t6 = m[mpos+12] & 0xff | (m[mpos+13] & 0xff) << 8; h7 += ((t5 >>> 11) | (t6 <<  5)) & 0x1fff;
1783 |     t7 = m[mpos+14] & 0xff | (m[mpos+15] & 0xff) << 8; h8 += ((t6 >>>  8) | (t7 <<  8)) & 0x1fff;
1784 |     h9 += ((t7 >>> 5)) | hibit;
1785 | 
1786 |     c = 0;
1787 | 
1788 |     d0 = c;
1789 |     d0 += h0 * r0;
1790 |     d0 += h1 * (5 * r9);
1791 |     d0 += h2 * (5 * r8);
1792 |     d0 += h3 * (5 * r7);
1793 |     d0 += h4 * (5 * r6);
1794 |     c = (d0 >>> 13); d0 &= 0x1fff;
1795 |     d0 += h5 * (5 * r5);
1796 |     d0 += h6 * (5 * r4);
1797 |     d0 += h7 * (5 * r3);
1798 |     d0 += h8 * (5 * r2);
1799 |     d0 += h9 * (5 * r1);
1800 |     c += (d0 >>> 13); d0 &= 0x1fff;
1801 | 
1802 |     d1 = c;
1803 |     d1 += h0 * r1;
1804 |     d1 += h1 * r0;
1805 |     d1 += h2 * (5 * r9);
1806 |     d1 += h3 * (5 * r8);
1807 |     d1 += h4 * (5 * r7);
1808 |     c = (d1 >>> 13); d1 &= 0x1fff;
1809 |     d1 += h5 * (5 * r6);
1810 |     d1 += h6 * (5 * r5);
1811 |     d1 += h7 * (5 * r4);
1812 |     d1 += h8 * (5 * r3);
1813 |     d1 += h9 * (5 * r2);
1814 |     c += (d1 >>> 13); d1 &= 0x1fff;
1815 | 
1816 |     d2 = c;
1817 |     d2 += h0 * r2;
1818 |     d2 += h1 * r1;
1819 |     d2 += h2 * r0;
1820 |     d2 += h3 * (5 * r9);
1821 |     d2 += h4 * (5 * r8);
1822 |     c = (d2 >>> 13); d2 &= 0x1fff;
1823 |     d2 += h5 * (5 * r7);
1824 |     d2 += h6 * (5 * r6);
1825 |     d2 += h7 * (5 * r5);
1826 |     d2 += h8 * (5 * r4);
1827 |     d2 += h9 * (5 * r3);
1828 |     c += (d2 >>> 13); d2 &= 0x1fff;
1829 | 
1830 |     d3 = c;
1831 |     d3 += h0 * r3;
1832 |     d3 += h1 * r2;
1833 |     d3 += h2 * r1;
1834 |     d3 += h3 * r0;
1835 |     d3 += h4 * (5 * r9);
1836 |     c = (d3 >>> 13); d3 &= 0x1fff;
1837 |     d3 += h5 * (5 * r8);
1838 |     d3 += h6 * (5 * r7);
1839 |     d3 += h7 * (5 * r6);
1840 |     d3 += h8 * (5 * r5);
1841 |     d3 += h9 * (5 * r4);
1842 |     c += (d3 >>> 13); d3 &= 0x1fff;
1843 | 
1844 |     d4 = c;
1845 |     d4 += h0 * r4;
1846 |     d4 += h1 * r3;
1847 |     d4 += h2 * r2;
1848 |     d4 += h3 * r1;
1849 |     d4 += h4 * r0;
1850 |     c = (d4 >>> 13); d4 &= 0x1fff;
1851 |     d4 += h5 * (5 * r9);
1852 |     d4 += h6 * (5 * r8);
1853 |     d4 += h7 * (5 * r7);
1854 |     d4 += h8 * (5 * r6);
1855 |     d4 += h9 * (5 * r5);
1856 |     c += (d4 >>> 13); d4 &= 0x1fff;
1857 | 
1858 |     d5 = c;
1859 |     d5 += h0 * r5;
1860 |     d5 += h1 * r4;
1861 |     d5 += h2 * r3;
1862 |     d5 += h3 * r2;
1863 |     d5 += h4 * r1;
1864 |     c = (d5 >>> 13); d5 &= 0x1fff;
1865 |     d5 += h5 * r0;
1866 |     d5 += h6 * (5 * r9);
1867 |     d5 += h7 * (5 * r8);
1868 |     d5 += h8 * (5 * r7);
1869 |     d5 += h9 * (5 * r6);
1870 |     c += (d5 >>> 13); d5 &= 0x1fff;
1871 | 
1872 |     d6 = c;
1873 |     d6 += h0 * r6;
1874 |     d6 += h1 * r5;
1875 |     d6 += h2 * r4;
1876 |     d6 += h3 * r3;
1877 |     d6 += h4 * r2;
1878 |     c = (d6 >>> 13); d6 &= 0x1fff;
1879 |     d6 += h5 * r1;
1880 |     d6 += h6 * r0;
1881 |     d6 += h7 * (5 * r9);
1882 |     d6 += h8 * (5 * r8);
1883 |     d6 += h9 * (5 * r7);
1884 |     c += (d6 >>> 13); d6 &= 0x1fff;
1885 | 
1886 |     d7 = c;
1887 |     d7 += h0 * r7;
1888 |     d7 += h1 * r6;
1889 |     d7 += h2 * r5;
1890 |     d7 += h3 * r4;
1891 |     d7 += h4 * r3;
1892 |     c = (d7 >>> 13); d7 &= 0x1fff;
1893 |     d7 += h5 * r2;
1894 |     d7 += h6 * r1;
1895 |     d7 += h7 * r0;
1896 |     d7 += h8 * (5 * r9);
1897 |     d7 += h9 * (5 * r8);
1898 |     c += (d7 >>> 13); d7 &= 0x1fff;
1899 | 
1900 |     d8 = c;
1901 |     d8 += h0 * r8;
1902 |     d8 += h1 * r7;
1903 |     d8 += h2 * r6;
1904 |     d8 += h3 * r5;
1905 |     d8 += h4 * r4;
1906 |     c = (d8 >>> 13); d8 &= 0x1fff;
1907 |     d8 += h5 * r3;
1908 |     d8 += h6 * r2;
1909 |     d8 += h7 * r1;
1910 |     d8 += h8 * r0;
1911 |     d8 += h9 * (5 * r9);
1912 |     c += (d8 >>> 13); d8 &= 0x1fff;
1913 | 
1914 |     d9 = c;
1915 |     d9 += h0 * r9;
1916 |     d9 += h1 * r8;
1917 |     d9 += h2 * r7;
1918 |     d9 += h3 * r6;
1919 |     d9 += h4 * r5;
1920 |     c = (d9 >>> 13); d9 &= 0x1fff;
1921 |     d9 += h5 * r4;
1922 |     d9 += h6 * r3;
1923 |     d9 += h7 * r2;
1924 |     d9 += h8 * r1;
1925 |     d9 += h9 * r0;
1926 |     c += (d9 >>> 13); d9 &= 0x1fff;
1927 | 
1928 |     c = (((c << 2) + c)) | 0;
1929 |     c = (c + d0) | 0;
1930 |     d0 = c & 0x1fff;
1931 |     c = (c >>> 13);
1932 |     d1 += c;
1933 | 
1934 |     h0 = d0;
1935 |     h1 = d1;
1936 |     h2 = d2;
1937 |     h3 = d3;
1938 |     h4 = d4;
1939 |     h5 = d5;
1940 |     h6 = d6;
1941 |     h7 = d7;
1942 |     h8 = d8;
1943 |     h9 = d9;
1944 | 
1945 |     mpos += 16;
1946 |     bytes -= 16;
1947 |   }
1948 |   this.h[0] = h0;
1949 |   this.h[1] = h1;
1950 |   this.h[2] = h2;
1951 |   this.h[3] = h3;
1952 |   this.h[4] = h4;
1953 |   this.h[5] = h5;
1954 |   this.h[6] = h6;
1955 |   this.h[7] = h7;
1956 |   this.h[8] = h8;
1957 |   this.h[9] = h9;
1958 | };
1959 | 
1960 | poly1305.prototype.finish = function(mac, macpos) {
1961 |   var g = new Uint16Array(10);
1962 |   var c, mask, f, i;
1963 | 
1964 |   if (this.leftover) {
1965 |     i = this.leftover;
1966 |     this.buffer[i++] = 1;
1967 |     for (; i < 16; i++) this.buffer[i] = 0;
1968 |     this.fin = 1;
1969 |     this.blocks(this.buffer, 0, 16);
1970 |   }
1971 | 
1972 |   c = this.h[1] >>> 13;
1973 |   this.h[1] &= 0x1fff;
1974 |   for (i = 2; i < 10; i++) {
1975 |     this.h[i] += c;
1976 |     c = this.h[i] >>> 13;
1977 |     this.h[i] &= 0x1fff;
1978 |   }
1979 |   this.h[0] += (c * 5);
1980 |   c = this.h[0] >>> 13;
1981 |   this.h[0] &= 0x1fff;
1982 |   this.h[1] += c;
1983 |   c = this.h[1] >>> 13;
1984 |   this.h[1] &= 0x1fff;
1985 |   this.h[2] += c;
1986 | 
1987 |   g[0] = this.h[0] + 5;
1988 |   c = g[0] >>> 13;
1989 |   g[0] &= 0x1fff;
1990 |   for (i = 1; i < 10; i++) {
1991 |     g[i] = this.h[i] + c;
1992 |     c = g[i] >>> 13;
1993 |     g[i] &= 0x1fff;
1994 |   }
1995 |   g[9] -= (1 << 13);
1996 | 
1997 |   mask = (c ^ 1) - 1;
1998 |   for (i = 0; i < 10; i++) g[i] &= mask;
1999 |   mask = ~mask;
2000 |   for (i = 0; i < 10; i++) this.h[i] = (this.h[i] & mask) | g[i];
2001 | 
2002 |   this.h[0] = ((this.h[0]       ) | (this.h[1] << 13)                    ) & 0xffff;
2003 |   this.h[1] = ((this.h[1] >>>  3) | (this.h[2] << 10)                    ) & 0xffff;
2004 |   this.h[2] = ((this.h[2] >>>  6) | (this.h[3] <<  7)                    ) & 0xffff;
2005 |   this.h[3] = ((this.h[3] >>>  9) | (this.h[4] <<  4)                    ) & 0xffff;
2006 |   this.h[4] = ((this.h[4] >>> 12) | (this.h[5] <<  1) | (this.h[6] << 14)) & 0xffff;
2007 |   this.h[5] = ((this.h[6] >>>  2) | (this.h[7] << 11)                    ) & 0xffff;
2008 |   this.h[6] = ((this.h[7] >>>  5) | (this.h[8] <<  8)                    ) & 0xffff;
2009 |   this.h[7] = ((this.h[8] >>>  8) | (this.h[9] <<  5)                    ) & 0xffff;
2010 | 
2011 |   f = this.h[0] + this.pad[0];
2012 |   this.h[0] = f & 0xffff;
2013 |   for (i = 1; i < 8; i++) {
2014 |     f = (((this.h[i] + this.pad[i]) | 0) + (f >>> 16)) | 0;
2015 |     this.h[i] = f & 0xffff;
2016 |   }
2017 | 
2018 |   mac[macpos+ 0] = (this.h[0] >>> 0) & 0xff;
2019 |   mac[macpos+ 1] = (this.h[0] >>> 8) & 0xff;
2020 |   mac[macpos+ 2] = (this.h[1] >>> 0) & 0xff;
2021 |   mac[macpos+ 3] = (this.h[1] >>> 8) & 0xff;
2022 |   mac[macpos+ 4] = (this.h[2] >>> 0) & 0xff;
2023 |   mac[macpos+ 5] = (this.h[2] >>> 8) & 0xff;
2024 |   mac[macpos+ 6] = (this.h[3] >>> 0) & 0xff;
2025 |   mac[macpos+ 7] = (this.h[3] >>> 8) & 0xff;
2026 |   mac[macpos+ 8] = (this.h[4] >>> 0) & 0xff;
2027 |   mac[macpos+ 9] = (this.h[4] >>> 8) & 0xff;
2028 |   mac[macpos+10] = (this.h[5] >>> 0) & 0xff;
2029 |   mac[macpos+11] = (this.h[5] >>> 8) & 0xff;
2030 |   mac[macpos+12] = (this.h[6] >>> 0) & 0xff;
2031 |   mac[macpos+13] = (this.h[6] >>> 8) & 0xff;
2032 |   mac[macpos+14] = (this.h[7] >>> 0) & 0xff;
2033 |   mac[macpos+15] = (this.h[7] >>> 8) & 0xff;
2034 | };
2035 | 
2036 | poly1305.prototype.update = function(m, mpos, bytes) {
2037 |   var i, want;
2038 | 
2039 |   if (this.leftover) {
2040 |     want = (16 - this.leftover);
2041 |     if (want > bytes)
2042 |       want = bytes;
2043 |     for (i = 0; i < want; i++)
2044 |       this.buffer[this.leftover + i] = m[mpos+i];
2045 |     bytes -= want;
2046 |     mpos += want;
2047 |     this.leftover += want;
2048 |     if (this.leftover < 16)
2049 |       return;
2050 |     this.blocks(this.buffer, 0, 16);
2051 |     this.leftover = 0;
2052 |   }
2053 | 
2054 |   if (bytes >= 16) {
2055 |     want = bytes - (bytes % 16);
2056 |     this.blocks(m, mpos, want);
2057 |     mpos += want;
2058 |     bytes -= want;
2059 |   }
2060 | 
2061 |   if (bytes) {
2062 |     for (i = 0; i < bytes; i++)
2063 |       this.buffer[this.leftover + i] = m[mpos+i];
2064 |     this.leftover += bytes;
2065 |   }
2066 | };
2067 | 
2068 | function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
2069 |   var s = new poly1305(k);
2070 |   s.update(m, mpos, n);
2071 |   s.finish(out, outpos);
2072 |   return 0;
2073 | }
2074 | 
2075 | function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
2076 |   var x = new Uint8Array(16);
2077 |   crypto_onetimeauth(x,0,m,mpos,n,k);
2078 |   return crypto_verify_16(h,hpos,x,0);
2079 | }
2080 | 
2081 | function crypto_secretbox(c,m,d,n,k) {
2082 |   var i;
2083 |   if (d < 32) return -1;
2084 |   crypto_stream_xor(c,0,m,0,d,n,k);
2085 |   crypto_onetimeauth(c, 16, c, 32, d - 32, c);
2086 |   for (i = 0; i < 16; i++) c[i] = 0;
2087 |   return 0;
2088 | }
2089 | 
2090 | function crypto_secretbox_open(m,c,d,n,k) {
2091 |   var i;
2092 |   var x = new Uint8Array(32);
2093 |   if (d < 32) return -1;
2094 |   crypto_stream(x,0,32,n,k);
2095 |   if (crypto_onetimeauth_verify(c, 16,c, 32,d - 32,x) !== 0) return -1;
2096 |   crypto_stream_xor(m,0,c,0,d,n,k);
2097 |   for (i = 0; i < 32; i++) m[i] = 0;
2098 |   return 0;
2099 | }
2100 | 
2101 | function set25519(r, a) {
2102 |   var i;
2103 |   for (i = 0; i < 16; i++) r[i] = a[i]|0;
2104 | }
2105 | 
2106 | function car25519(o) {
2107 |   var i, v, c = 1;
2108 |   for (i = 0; i < 16; i++) {
2109 |     v = o[i] + c + 65535;
2110 |     c = Math.floor(v / 65536);
2111 |     o[i] = v - c * 65536;
2112 |   }
2113 |   o[0] += c-1 + 37 * (c-1);
2114 | }
2115 | 
2116 | function sel25519(p, q, b) {
2117 |   var t, c = ~(b-1);
2118 |   for (var i = 0; i < 16; i++) {
2119 |     t = c & (p[i] ^ q[i]);
2120 |     p[i] ^= t;
2121 |     q[i] ^= t;
2122 |   }
2123 | }
2124 | 
2125 | function pack25519(o, n) {
2126 |   var i, j, b;
2127 |   var m = gf(), t = gf();
2128 |   for (i = 0; i < 16; i++) t[i] = n[i];
2129 |   car25519(t);
2130 |   car25519(t);
2131 |   car25519(t);
2132 |   for (j = 0; j < 2; j++) {
2133 |     m[0] = t[0] - 0xffed;
2134 |     for (i = 1; i < 15; i++) {
2135 |       m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
2136 |       m[i-1] &= 0xffff;
2137 |     }
2138 |     m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
2139 |     b = (m[15]>>16) & 1;
2140 |     m[14] &= 0xffff;
2141 |     sel25519(t, m, 1-b);
2142 |   }
2143 |   for (i = 0; i < 16; i++) {
2144 |     o[2*i] = t[i] & 0xff;
2145 |     o[2*i+1] = t[i]>>8;
2146 |   }
2147 | }
2148 | 
2149 | function neq25519(a, b) {
2150 |   var c = new Uint8Array(32), d = new Uint8Array(32);
2151 |   pack25519(c, a);
2152 |   pack25519(d, b);
2153 |   return crypto_verify_32(c, 0, d, 0);
2154 | }
2155 | 
2156 | function par25519(a) {
2157 |   var d = new Uint8Array(32);
2158 |   pack25519(d, a);
2159 |   return d[0] & 1;
2160 | }
2161 | 
2162 | function unpack25519(o, n) {
2163 |   var i;
2164 |   for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
2165 |   o[15] &= 0x7fff;
2166 | }
2167 | 
2168 | function A(o, a, b) {
2169 |   for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];
2170 | }
2171 | 
2172 | function Z(o, a, b) {
2173 |   for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
2174 | }
2175 | 
2176 | function M(o, a, b) {
2177 |   var v, c,
2178 |      t0 = 0,  t1 = 0,  t2 = 0,  t3 = 0,  t4 = 0,  t5 = 0,  t6 = 0,  t7 = 0,
2179 |      t8 = 0,  t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
2180 |     t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
2181 |     t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
2182 |     b0 = b[0],
2183 |     b1 = b[1],
2184 |     b2 = b[2],
2185 |     b3 = b[3],
2186 |     b4 = b[4],
2187 |     b5 = b[5],
2188 |     b6 = b[6],
2189 |     b7 = b[7],
2190 |     b8 = b[8],
2191 |     b9 = b[9],
2192 |     b10 = b[10],
2193 |     b11 = b[11],
2194 |     b12 = b[12],
2195 |     b13 = b[13],
2196 |     b14 = b[14],
2197 |     b15 = b[15];
2198 | 
2199 |   v = a[0];
2200 |   t0 += v * b0;
2201 |   t1 += v * b1;
2202 |   t2 += v * b2;
2203 |   t3 += v * b3;
2204 |   t4 += v * b4;
2205 |   t5 += v * b5;
2206 |   t6 += v * b6;
2207 |   t7 += v * b7;
2208 |   t8 += v * b8;
2209 |   t9 += v * b9;
2210 |   t10 += v * b10;
2211 |   t11 += v * b11;
2212 |   t12 += v * b12;
2213 |   t13 += v * b13;
2214 |   t14 += v * b14;
2215 |   t15 += v * b15;
2216 |   v = a[1];
2217 |   t1 += v * b0;
2218 |   t2 += v * b1;
2219 |   t3 += v * b2;
2220 |   t4 += v * b3;
2221 |   t5 += v * b4;
2222 |   t6 += v * b5;
2223 |   t7 += v * b6;
2224 |   t8 += v * b7;
2225 |   t9 += v * b8;
2226 |   t10 += v * b9;
2227 |   t11 += v * b10;
2228 |   t12 += v * b11;
2229 |   t13 += v * b12;
2230 |   t14 += v * b13;
2231 |   t15 += v * b14;
2232 |   t16 += v * b15;
2233 |   v = a[2];
2234 |   t2 += v * b0;
2235 |   t3 += v * b1;
2236 |   t4 += v * b2;
2237 |   t5 += v * b3;
2238 |   t6 += v * b4;
2239 |   t7 += v * b5;
2240 |   t8 += v * b6;
2241 |   t9 += v * b7;
2242 |   t10 += v * b8;
2243 |   t11 += v * b9;
2244 |   t12 += v * b10;
2245 |   t13 += v * b11;
2246 |   t14 += v * b12;
2247 |   t15 += v * b13;
2248 |   t16 += v * b14;
2249 |   t17 += v * b15;
2250 |   v = a[3];
2251 |   t3 += v * b0;
2252 |   t4 += v * b1;
2253 |   t5 += v * b2;
2254 |   t6 += v * b3;
2255 |   t7 += v * b4;
2256 |   t8 += v * b5;
2257 |   t9 += v * b6;
2258 |   t10 += v * b7;
2259 |   t11 += v * b8;
2260 |   t12 += v * b9;
2261 |   t13 += v * b10;
2262 |   t14 += v * b11;
2263 |   t15 += v * b12;
2264 |   t16 += v * b13;
2265 |   t17 += v * b14;
2266 |   t18 += v * b15;
2267 |   v = a[4];
2268 |   t4 += v * b0;
2269 |   t5 += v * b1;
2270 |   t6 += v * b2;
2271 |   t7 += v * b3;
2272 |   t8 += v * b4;
2273 |   t9 += v * b5;
2274 |   t10 += v * b6;
2275 |   t11 += v * b7;
2276 |   t12 += v * b8;
2277 |   t13 += v * b9;
2278 |   t14 += v * b10;
2279 |   t15 += v * b11;
2280 |   t16 += v * b12;
2281 |   t17 += v * b13;
2282 |   t18 += v * b14;
2283 |   t19 += v * b15;
2284 |   v = a[5];
2285 |   t5 += v * b0;
2286 |   t6 += v * b1;
2287 |   t7 += v * b2;
2288 |   t8 += v * b3;
2289 |   t9 += v * b4;
2290 |   t10 += v * b5;
2291 |   t11 += v * b6;
2292 |   t12 += v * b7;
2293 |   t13 += v * b8;
2294 |   t14 += v * b9;
2295 |   t15 += v * b10;
2296 |   t16 += v * b11;
2297 |   t17 += v * b12;
2298 |   t18 += v * b13;
2299 |   t19 += v * b14;
2300 |   t20 += v * b15;
2301 |   v = a[6];
2302 |   t6 += v * b0;
2303 |   t7 += v * b1;
2304 |   t8 += v * b2;
2305 |   t9 += v * b3;
2306 |   t10 += v * b4;
2307 |   t11 += v * b5;
2308 |   t12 += v * b6;
2309 |   t13 += v * b7;
2310 |   t14 += v * b8;
2311 |   t15 += v * b9;
2312 |   t16 += v * b10;
2313 |   t17 += v * b11;
2314 |   t18 += v * b12;
2315 |   t19 += v * b13;
2316 |   t20 += v * b14;
2317 |   t21 += v * b15;
2318 |   v = a[7];
2319 |   t7 += v * b0;
2320 |   t8 += v * b1;
2321 |   t9 += v * b2;
2322 |   t10 += v * b3;
2323 |   t11 += v * b4;
2324 |   t12 += v * b5;
2325 |   t13 += v * b6;
2326 |   t14 += v * b7;
2327 |   t15 += v * b8;
2328 |   t16 += v * b9;
2329 |   t17 += v * b10;
2330 |   t18 += v * b11;
2331 |   t19 += v * b12;
2332 |   t20 += v * b13;
2333 |   t21 += v * b14;
2334 |   t22 += v * b15;
2335 |   v = a[8];
2336 |   t8 += v * b0;
2337 |   t9 += v * b1;
2338 |   t10 += v * b2;
2339 |   t11 += v * b3;
2340 |   t12 += v * b4;
2341 |   t13 += v * b5;
2342 |   t14 += v * b6;
2343 |   t15 += v * b7;
2344 |   t16 += v * b8;
2345 |   t17 += v * b9;
2346 |   t18 += v * b10;
2347 |   t19 += v * b11;
2348 |   t20 += v * b12;
2349 |   t21 += v * b13;
2350 |   t22 += v * b14;
2351 |   t23 += v * b15;
2352 |   v = a[9];
2353 |   t9 += v * b0;
2354 |   t10 += v * b1;
2355 |   t11 += v * b2;
2356 |   t12 += v * b3;
2357 |   t13 += v * b4;
2358 |   t14 += v * b5;
2359 |   t15 += v * b6;
2360 |   t16 += v * b7;
2361 |   t17 += v * b8;
2362 |   t18 += v * b9;
2363 |   t19 += v * b10;
2364 |   t20 += v * b11;
2365 |   t21 += v * b12;
2366 |   t22 += v * b13;
2367 |   t23 += v * b14;
2368 |   t24 += v * b15;
2369 |   v = a[10];
2370 |   t10 += v * b0;
2371 |   t11 += v * b1;
2372 |   t12 += v * b2;
2373 |   t13 += v * b3;
2374 |   t14 += v * b4;
2375 |   t15 += v * b5;
2376 |   t16 += v * b6;
2377 |   t17 += v * b7;
2378 |   t18 += v * b8;
2379 |   t19 += v * b9;
2380 |   t20 += v * b10;
2381 |   t21 += v * b11;
2382 |   t22 += v * b12;
2383 |   t23 += v * b13;
2384 |   t24 += v * b14;
2385 |   t25 += v * b15;
2386 |   v = a[11];
2387 |   t11 += v * b0;
2388 |   t12 += v * b1;
2389 |   t13 += v * b2;
2390 |   t14 += v * b3;
2391 |   t15 += v * b4;
2392 |   t16 += v * b5;
2393 |   t17 += v * b6;
2394 |   t18 += v * b7;
2395 |   t19 += v * b8;
2396 |   t20 += v * b9;
2397 |   t21 += v * b10;
2398 |   t22 += v * b11;
2399 |   t23 += v * b12;
2400 |   t24 += v * b13;
2401 |   t25 += v * b14;
2402 |   t26 += v * b15;
2403 |   v = a[12];
2404 |   t12 += v * b0;
2405 |   t13 += v * b1;
2406 |   t14 += v * b2;
2407 |   t15 += v * b3;
2408 |   t16 += v * b4;
2409 |   t17 += v * b5;
2410 |   t18 += v * b6;
2411 |   t19 += v * b7;
2412 |   t20 += v * b8;
2413 |   t21 += v * b9;
2414 |   t22 += v * b10;
2415 |   t23 += v * b11;
2416 |   t24 += v * b12;
2417 |   t25 += v * b13;
2418 |   t26 += v * b14;
2419 |   t27 += v * b15;
2420 |   v = a[13];
2421 |   t13 += v * b0;
2422 |   t14 += v * b1;
2423 |   t15 += v * b2;
2424 |   t16 += v * b3;
2425 |   t17 += v * b4;
2426 |   t18 += v * b5;
2427 |   t19 += v * b6;
2428 |   t20 += v * b7;
2429 |   t21 += v * b8;
2430 |   t22 += v * b9;
2431 |   t23 += v * b10;
2432 |   t24 += v * b11;
2433 |   t25 += v * b12;
2434 |   t26 += v * b13;
2435 |   t27 += v * b14;
2436 |   t28 += v * b15;
2437 |   v = a[14];
2438 |   t14 += v * b0;
2439 |   t15 += v * b1;
2440 |   t16 += v * b2;
2441 |   t17 += v * b3;
2442 |   t18 += v * b4;
2443 |   t19 += v * b5;
2444 |   t20 += v * b6;
2445 |   t21 += v * b7;
2446 |   t22 += v * b8;
2447 |   t23 += v * b9;
2448 |   t24 += v * b10;
2449 |   t25 += v * b11;
2450 |   t26 += v * b12;
2451 |   t27 += v * b13;
2452 |   t28 += v * b14;
2453 |   t29 += v * b15;
2454 |   v = a[15];
2455 |   t15 += v * b0;
2456 |   t16 += v * b1;
2457 |   t17 += v * b2;
2458 |   t18 += v * b3;
2459 |   t19 += v * b4;
2460 |   t20 += v * b5;
2461 |   t21 += v * b6;
2462 |   t22 += v * b7;
2463 |   t23 += v * b8;
2464 |   t24 += v * b9;
2465 |   t25 += v * b10;
2466 |   t26 += v * b11;
2467 |   t27 += v * b12;
2468 |   t28 += v * b13;
2469 |   t29 += v * b14;
2470 |   t30 += v * b15;
2471 | 
2472 |   t0  += 38 * t16;
2473 |   t1  += 38 * t17;
2474 |   t2  += 38 * t18;
2475 |   t3  += 38 * t19;
2476 |   t4  += 38 * t20;
2477 |   t5  += 38 * t21;
2478 |   t6  += 38 * t22;
2479 |   t7  += 38 * t23;
2480 |   t8  += 38 * t24;
2481 |   t9  += 38 * t25;
2482 |   t10 += 38 * t26;
2483 |   t11 += 38 * t27;
2484 |   t12 += 38 * t28;
2485 |   t13 += 38 * t29;
2486 |   t14 += 38 * t30;
2487 |   // t15 left as is
2488 | 
2489 |   // first car
2490 |   c = 1;
2491 |   v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;
2492 |   v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;
2493 |   v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;
2494 |   v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;
2495 |   v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;
2496 |   v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;
2497 |   v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;
2498 |   v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;
2499 |   v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;
2500 |   v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;
2501 |   v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
2502 |   v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
2503 |   v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
2504 |   v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
2505 |   v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
2506 |   v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
2507 |   t0 += c-1 + 37 * (c-1);
2508 | 
2509 |   // second car
2510 |   c = 1;
2511 |   v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;
2512 |   v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;
2513 |   v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;
2514 |   v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;
2515 |   v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;
2516 |   v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;
2517 |   v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;
2518 |   v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;
2519 |   v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;
2520 |   v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;
2521 |   v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
2522 |   v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
2523 |   v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
2524 |   v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
2525 |   v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
2526 |   v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
2527 |   t0 += c-1 + 37 * (c-1);
2528 | 
2529 |   o[ 0] = t0;
2530 |   o[ 1] = t1;
2531 |   o[ 2] = t2;
2532 |   o[ 3] = t3;
2533 |   o[ 4] = t4;
2534 |   o[ 5] = t5;
2535 |   o[ 6] = t6;
2536 |   o[ 7] = t7;
2537 |   o[ 8] = t8;
2538 |   o[ 9] = t9;
2539 |   o[10] = t10;
2540 |   o[11] = t11;
2541 |   o[12] = t12;
2542 |   o[13] = t13;
2543 |   o[14] = t14;
2544 |   o[15] = t15;
2545 | }
2546 | 
2547 | function S(o, a) {
2548 |   M(o, a, a);
2549 | }
2550 | 
2551 | function inv25519(o, i) {
2552 |   var c = gf();
2553 |   var a;
2554 |   for (a = 0; a < 16; a++) c[a] = i[a];
2555 |   for (a = 253; a >= 0; a--) {
2556 |     S(c, c);
2557 |     if(a !== 2 && a !== 4) M(c, c, i);
2558 |   }
2559 |   for (a = 0; a < 16; a++) o[a] = c[a];
2560 | }
2561 | 
2562 | function pow2523(o, i) {
2563 |   var c = gf();
2564 |   var a;
2565 |   for (a = 0; a < 16; a++) c[a] = i[a];
2566 |   for (a = 250; a >= 0; a--) {
2567 |       S(c, c);
2568 |       if(a !== 1) M(c, c, i);
2569 |   }
2570 |   for (a = 0; a < 16; a++) o[a] = c[a];
2571 | }
2572 | 
2573 | function crypto_scalarmult(q, n, p) {
2574 |   var z = new Uint8Array(32);
2575 |   var x = new Float64Array(80), r, i;
2576 |   var a = gf(), b = gf(), c = gf(),
2577 |       d = gf(), e = gf(), f = gf();
2578 |   for (i = 0; i < 31; i++) z[i] = n[i];
2579 |   z[31]=(n[31]&127)|64;
2580 |   z[0]&=248;
2581 |   unpack25519(x,p);
2582 |   for (i = 0; i < 16; i++) {
2583 |     b[i]=x[i];
2584 |     d[i]=a[i]=c[i]=0;
2585 |   }
2586 |   a[0]=d[0]=1;
2587 |   for (i=254; i>=0; --i) {
2588 |     r=(z[i>>>3]>>>(i&7))&1;
2589 |     sel25519(a,b,r);
2590 |     sel25519(c,d,r);
2591 |     A(e,a,c);
2592 |     Z(a,a,c);
2593 |     A(c,b,d);
2594 |     Z(b,b,d);
2595 |     S(d,e);
2596 |     S(f,a);
2597 |     M(a,c,a);
2598 |     M(c,b,e);
2599 |     A(e,a,c);
2600 |     Z(a,a,c);
2601 |     S(b,a);
2602 |     Z(c,d,f);
2603 |     M(a,c,_121665);
2604 |     A(a,a,d);
2605 |     M(c,c,a);
2606 |     M(a,d,f);
2607 |     M(d,b,x);
2608 |     S(b,e);
2609 |     sel25519(a,b,r);
2610 |     sel25519(c,d,r);
2611 |   }
2612 |   for (i = 0; i < 16; i++) {
2613 |     x[i+16]=a[i];
2614 |     x[i+32]=c[i];
2615 |     x[i+48]=b[i];
2616 |     x[i+64]=d[i];
2617 |   }
2618 |   var x32 = x.subarray(32);
2619 |   var x16 = x.subarray(16);
2620 |   inv25519(x32,x32);
2621 |   M(x16,x16,x32);
2622 |   pack25519(q,x16);
2623 |   return 0;
2624 | }
2625 | 
2626 | function crypto_scalarmult_base(q, n) {
2627 |   return crypto_scalarmult(q, n, _9);
2628 | }
2629 | 
2630 | function crypto_box_keypair(y, x) {
2631 |   randombytes(x, 32);
2632 |   return crypto_scalarmult_base(y, x);
2633 | }
2634 | 
2635 | function crypto_box_beforenm(k, y, x) {
2636 |   var s = new Uint8Array(32);
2637 |   crypto_scalarmult(s, x, y);
2638 |   return crypto_core_hsalsa20(k, _0, s, sigma);
2639 | }
2640 | 
2641 | var crypto_box_afternm = crypto_secretbox;
2642 | var crypto_box_open_afternm = crypto_secretbox_open;
2643 | 
2644 | function crypto_box(c, m, d, n, y, x) {
2645 |   var k = new Uint8Array(32);
2646 |   crypto_box_beforenm(k, y, x);
2647 |   return crypto_box_afternm(c, m, d, n, k);
2648 | }
2649 | 
2650 | function crypto_box_open(m, c, d, n, y, x) {
2651 |   var k = new Uint8Array(32);
2652 |   crypto_box_beforenm(k, y, x);
2653 |   return crypto_box_open_afternm(m, c, d, n, k);
2654 | }
2655 | 
2656 | var K = [
2657 |   0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
2658 |   0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
2659 |   0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
2660 |   0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
2661 |   0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
2662 |   0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
2663 |   0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
2664 |   0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
2665 |   0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
2666 |   0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
2667 |   0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
2668 |   0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
2669 |   0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
2670 |   0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
2671 |   0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
2672 |   0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
2673 |   0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
2674 |   0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
2675 |   0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
2676 |   0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
2677 |   0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
2678 |   0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
2679 |   0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
2680 |   0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
2681 |   0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
2682 |   0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
2683 |   0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
2684 |   0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
2685 |   0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
2686 |   0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
2687 |   0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
2688 |   0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
2689 |   0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
2690 |   0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
2691 |   0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
2692 |   0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
2693 |   0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
2694 |   0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
2695 |   0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
2696 |   0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
2697 | ];
2698 | 
2699 | function crypto_hashblocks_hl(hh, hl, m, n) {
2700 |   var wh = new Int32Array(16), wl = new Int32Array(16),
2701 |       bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,
2702 |       bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,
2703 |       th, tl, i, j, h, l, a, b, c, d;
2704 | 
2705 |   var ah0 = hh[0],
2706 |       ah1 = hh[1],
2707 |       ah2 = hh[2],
2708 |       ah3 = hh[3],
2709 |       ah4 = hh[4],
2710 |       ah5 = hh[5],
2711 |       ah6 = hh[6],
2712 |       ah7 = hh[7],
2713 | 
2714 |       al0 = hl[0],
2715 |       al1 = hl[1],
2716 |       al2 = hl[2],
2717 |       al3 = hl[3],
2718 |       al4 = hl[4],
2719 |       al5 = hl[5],
2720 |       al6 = hl[6],
2721 |       al7 = hl[7];
2722 | 
2723 |   var pos = 0;
2724 |   while (n >= 128) {
2725 |     for (i = 0; i < 16; i++) {
2726 |       j = 8 * i + pos;
2727 |       wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];
2728 |       wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];
2729 |     }
2730 |     for (i = 0; i < 80; i++) {
2731 |       bh0 = ah0;
2732 |       bh1 = ah1;
2733 |       bh2 = ah2;
2734 |       bh3 = ah3;
2735 |       bh4 = ah4;
2736 |       bh5 = ah5;
2737 |       bh6 = ah6;
2738 |       bh7 = ah7;
2739 | 
2740 |       bl0 = al0;
2741 |       bl1 = al1;
2742 |       bl2 = al2;
2743 |       bl3 = al3;
2744 |       bl4 = al4;
2745 |       bl5 = al5;
2746 |       bl6 = al6;
2747 |       bl7 = al7;
2748 | 
2749 |       // add
2750 |       h = ah7;
2751 |       l = al7;
2752 | 
2753 |       a = l & 0xffff; b = l >>> 16;
2754 |       c = h & 0xffff; d = h >>> 16;
2755 | 
2756 |       // Sigma1
2757 |       h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));
2758 |       l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));
2759 | 
2760 |       a += l & 0xffff; b += l >>> 16;
2761 |       c += h & 0xffff; d += h >>> 16;
2762 | 
2763 |       // Ch
2764 |       h = (ah4 & ah5) ^ (~ah4 & ah6);
2765 |       l = (al4 & al5) ^ (~al4 & al6);
2766 | 
2767 |       a += l & 0xffff; b += l >>> 16;
2768 |       c += h & 0xffff; d += h >>> 16;
2769 | 
2770 |       // K
2771 |       h = K[i*2];
2772 |       l = K[i*2+1];
2773 | 
2774 |       a += l & 0xffff; b += l >>> 16;
2775 |       c += h & 0xffff; d += h >>> 16;
2776 | 
2777 |       // w
2778 |       h = wh[i%16];
2779 |       l = wl[i%16];
2780 | 
2781 |       a += l & 0xffff; b += l >>> 16;
2782 |       c += h & 0xffff; d += h >>> 16;
2783 | 
2784 |       b += a >>> 16;
2785 |       c += b >>> 16;
2786 |       d += c >>> 16;
2787 | 
2788 |       th = c & 0xffff | d << 16;
2789 |       tl = a & 0xffff | b << 16;
2790 | 
2791 |       // add
2792 |       h = th;
2793 |       l = tl;
2794 | 
2795 |       a = l & 0xffff; b = l >>> 16;
2796 |       c = h & 0xffff; d = h >>> 16;
2797 | 
2798 |       // Sigma0
2799 |       h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));
2800 |       l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));
2801 | 
2802 |       a += l & 0xffff; b += l >>> 16;
2803 |       c += h & 0xffff; d += h >>> 16;
2804 | 
2805 |       // Maj
2806 |       h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);
2807 |       l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);
2808 | 
2809 |       a += l & 0xffff; b += l >>> 16;
2810 |       c += h & 0xffff; d += h >>> 16;
2811 | 
2812 |       b += a >>> 16;
2813 |       c += b >>> 16;
2814 |       d += c >>> 16;
2815 | 
2816 |       bh7 = (c & 0xffff) | (d << 16);
2817 |       bl7 = (a & 0xffff) | (b << 16);
2818 | 
2819 |       // add
2820 |       h = bh3;
2821 |       l = bl3;
2822 | 
2823 |       a = l & 0xffff; b = l >>> 16;
2824 |       c = h & 0xffff; d = h >>> 16;
2825 | 
2826 |       h = th;
2827 |       l = tl;
2828 | 
2829 |       a += l & 0xffff; b += l >>> 16;
2830 |       c += h & 0xffff; d += h >>> 16;
2831 | 
2832 |       b += a >>> 16;
2833 |       c += b >>> 16;
2834 |       d += c >>> 16;
2835 | 
2836 |       bh3 = (c & 0xffff) | (d << 16);
2837 |       bl3 = (a & 0xffff) | (b << 16);
2838 | 
2839 |       ah1 = bh0;
2840 |       ah2 = bh1;
2841 |       ah3 = bh2;
2842 |       ah4 = bh3;
2843 |       ah5 = bh4;
2844 |       ah6 = bh5;
2845 |       ah7 = bh6;
2846 |       ah0 = bh7;
2847 | 
2848 |       al1 = bl0;
2849 |       al2 = bl1;
2850 |       al3 = bl2;
2851 |       al4 = bl3;
2852 |       al5 = bl4;
2853 |       al6 = bl5;
2854 |       al7 = bl6;
2855 |       al0 = bl7;
2856 | 
2857 |       if (i%16 === 15) {
2858 |         for (j = 0; j < 16; j++) {
2859 |           // add
2860 |           h = wh[j];
2861 |           l = wl[j];
2862 | 
2863 |           a = l & 0xffff; b = l >>> 16;
2864 |           c = h & 0xffff; d = h >>> 16;
2865 | 
2866 |           h = wh[(j+9)%16];
2867 |           l = wl[(j+9)%16];
2868 | 
2869 |           a += l & 0xffff; b += l >>> 16;
2870 |           c += h & 0xffff; d += h >>> 16;
2871 | 
2872 |           // sigma0
2873 |           th = wh[(j+1)%16];
2874 |           tl = wl[(j+1)%16];
2875 |           h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);
2876 |           l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));
2877 | 
2878 |           a += l & 0xffff; b += l >>> 16;
2879 |           c += h & 0xffff; d += h >>> 16;
2880 | 
2881 |           // sigma1
2882 |           th = wh[(j+14)%16];
2883 |           tl = wl[(j+14)%16];
2884 |           h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);
2885 |           l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));
2886 | 
2887 |           a += l & 0xffff; b += l >>> 16;
2888 |           c += h & 0xffff; d += h >>> 16;
2889 | 
2890 |           b += a >>> 16;
2891 |           c += b >>> 16;
2892 |           d += c >>> 16;
2893 | 
2894 |           wh[j] = (c & 0xffff) | (d << 16);
2895 |           wl[j] = (a & 0xffff) | (b << 16);
2896 |         }
2897 |       }
2898 |     }
2899 | 
2900 |     // add
2901 |     h = ah0;
2902 |     l = al0;
2903 | 
2904 |     a = l & 0xffff; b = l >>> 16;
2905 |     c = h & 0xffff; d = h >>> 16;
2906 | 
2907 |     h = hh[0];
2908 |     l = hl[0];
2909 | 
2910 |     a += l & 0xffff; b += l >>> 16;
2911 |     c += h & 0xffff; d += h >>> 16;
2912 | 
2913 |     b += a >>> 16;
2914 |     c += b >>> 16;
2915 |     d += c >>> 16;
2916 | 
2917 |     hh[0] = ah0 = (c & 0xffff) | (d << 16);
2918 |     hl[0] = al0 = (a & 0xffff) | (b << 16);
2919 | 
2920 |     h = ah1;
2921 |     l = al1;
2922 | 
2923 |     a = l & 0xffff; b = l >>> 16;
2924 |     c = h & 0xffff; d = h >>> 16;
2925 | 
2926 |     h = hh[1];
2927 |     l = hl[1];
2928 | 
2929 |     a += l & 0xffff; b += l >>> 16;
2930 |     c += h & 0xffff; d += h >>> 16;
2931 | 
2932 |     b += a >>> 16;
2933 |     c += b >>> 16;
2934 |     d += c >>> 16;
2935 | 
2936 |     hh[1] = ah1 = (c & 0xffff) | (d << 16);
2937 |     hl[1] = al1 = (a & 0xffff) | (b << 16);
2938 | 
2939 |     h = ah2;
2940 |     l = al2;
2941 | 
2942 |     a = l & 0xffff; b = l >>> 16;
2943 |     c = h & 0xffff; d = h >>> 16;
2944 | 
2945 |     h = hh[2];
2946 |     l = hl[2];
2947 | 
2948 |     a += l & 0xffff; b += l >>> 16;
2949 |     c += h & 0xffff; d += h >>> 16;
2950 | 
2951 |     b += a >>> 16;
2952 |     c += b >>> 16;
2953 |     d += c >>> 16;
2954 | 
2955 |     hh[2] = ah2 = (c & 0xffff) | (d << 16);
2956 |     hl[2] = al2 = (a & 0xffff) | (b << 16);
2957 | 
2958 |     h = ah3;
2959 |     l = al3;
2960 | 
2961 |     a = l & 0xffff; b = l >>> 16;
2962 |     c = h & 0xffff; d = h >>> 16;
2963 | 
2964 |     h = hh[3];
2965 |     l = hl[3];
2966 | 
2967 |     a += l & 0xffff; b += l >>> 16;
2968 |     c += h & 0xffff; d += h >>> 16;
2969 | 
2970 |     b += a >>> 16;
2971 |     c += b >>> 16;
2972 |     d += c >>> 16;
2973 | 
2974 |     hh[3] = ah3 = (c & 0xffff) | (d << 16);
2975 |     hl[3] = al3 = (a & 0xffff) | (b << 16);
2976 | 
2977 |     h = ah4;
2978 |     l = al4;
2979 | 
2980 |     a = l & 0xffff; b = l >>> 16;
2981 |     c = h & 0xffff; d = h >>> 16;
2982 | 
2983 |     h = hh[4];
2984 |     l = hl[4];
2985 | 
2986 |     a += l & 0xffff; b += l >>> 16;
2987 |     c += h & 0xffff; d += h >>> 16;
2988 | 
2989 |     b += a >>> 16;
2990 |     c += b >>> 16;
2991 |     d += c >>> 16;
2992 | 
2993 |     hh[4] = ah4 = (c & 0xffff) | (d << 16);
2994 |     hl[4] = al4 = (a & 0xffff) | (b << 16);
2995 | 
2996 |     h = ah5;
2997 |     l = al5;
2998 | 
2999 |     a = l & 0xffff; b = l >>> 16;
3000 |     c = h & 0xffff; d = h >>> 16;
3001 | 
3002 |     h = hh[5];
3003 |     l = hl[5];
3004 | 
3005 |     a += l & 0xffff; b += l >>> 16;
3006 |     c += h & 0xffff; d += h >>> 16;
3007 | 
3008 |     b += a >>> 16;
3009 |     c += b >>> 16;
3010 |     d += c >>> 16;
3011 | 
3012 |     hh[5] = ah5 = (c & 0xffff) | (d << 16);
3013 |     hl[5] = al5 = (a & 0xffff) | (b << 16);
3014 | 
3015 |     h = ah6;
3016 |     l = al6;
3017 | 
3018 |     a = l & 0xffff; b = l >>> 16;
3019 |     c = h & 0xffff; d = h >>> 16;
3020 | 
3021 |     h = hh[6];
3022 |     l = hl[6];
3023 | 
3024 |     a += l & 0xffff; b += l >>> 16;
3025 |     c += h & 0xffff; d += h >>> 16;
3026 | 
3027 |     b += a >>> 16;
3028 |     c += b >>> 16;
3029 |     d += c >>> 16;
3030 | 
3031 |     hh[6] = ah6 = (c & 0xffff) | (d << 16);
3032 |     hl[6] = al6 = (a & 0xffff) | (b << 16);
3033 | 
3034 |     h = ah7;
3035 |     l = al7;
3036 | 
3037 |     a = l & 0xffff; b = l >>> 16;
3038 |     c = h & 0xffff; d = h >>> 16;
3039 | 
3040 |     h = hh[7];
3041 |     l = hl[7];
3042 | 
3043 |     a += l & 0xffff; b += l >>> 16;
3044 |     c += h & 0xffff; d += h >>> 16;
3045 | 
3046 |     b += a >>> 16;
3047 |     c += b >>> 16;
3048 |     d += c >>> 16;
3049 | 
3050 |     hh[7] = ah7 = (c & 0xffff) | (d << 16);
3051 |     hl[7] = al7 = (a & 0xffff) | (b << 16);
3052 | 
3053 |     pos += 128;
3054 |     n -= 128;
3055 |   }
3056 | 
3057 |   return n;
3058 | }
3059 | 
3060 | function crypto_hash(out, m, n) {
3061 |   var hh = new Int32Array(8),
3062 |       hl = new Int32Array(8),
3063 |       x = new Uint8Array(256),
3064 |       i, b = n;
3065 | 
3066 |   hh[0] = 0x6a09e667;
3067 |   hh[1] = 0xbb67ae85;
3068 |   hh[2] = 0x3c6ef372;
3069 |   hh[3] = 0xa54ff53a;
3070 |   hh[4] = 0x510e527f;
3071 |   hh[5] = 0x9b05688c;
3072 |   hh[6] = 0x1f83d9ab;
3073 |   hh[7] = 0x5be0cd19;
3074 | 
3075 |   hl[0] = 0xf3bcc908;
3076 |   hl[1] = 0x84caa73b;
3077 |   hl[2] = 0xfe94f82b;
3078 |   hl[3] = 0x5f1d36f1;
3079 |   hl[4] = 0xade682d1;
3080 |   hl[5] = 0x2b3e6c1f;
3081 |   hl[6] = 0xfb41bd6b;
3082 |   hl[7] = 0x137e2179;
3083 | 
3084 |   crypto_hashblocks_hl(hh, hl, m, n);
3085 |   n %= 128;
3086 | 
3087 |   for (i = 0; i < n; i++) x[i] = m[b-n+i];
3088 |   x[n] = 128;
3089 | 
3090 |   n = 256-128*(n<112?1:0);
3091 |   x[n-9] = 0;
3092 |   ts64(x, n-8,  (b / 0x20000000) | 0, b << 3);
3093 |   crypto_hashblocks_hl(hh, hl, x, n);
3094 | 
3095 |   for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]);
3096 | 
3097 |   return 0;
3098 | }
3099 | 
3100 | function add(p, q) {
3101 |   var a = gf(), b = gf(), c = gf(),
3102 |       d = gf(), e = gf(), f = gf(),
3103 |       g = gf(), h = gf(), t = gf();
3104 | 
3105 |   Z(a, p[1], p[0]);
3106 |   Z(t, q[1], q[0]);
3107 |   M(a, a, t);
3108 |   A(b, p[0], p[1]);
3109 |   A(t, q[0], q[1]);
3110 |   M(b, b, t);
3111 |   M(c, p[3], q[3]);
3112 |   M(c, c, D2);
3113 |   M(d, p[2], q[2]);
3114 |   A(d, d, d);
3115 |   Z(e, b, a);
3116 |   Z(f, d, c);
3117 |   A(g, d, c);
3118 |   A(h, b, a);
3119 | 
3120 |   M(p[0], e, f);
3121 |   M(p[1], h, g);
3122 |   M(p[2], g, f);
3123 |   M(p[3], e, h);
3124 | }
3125 | 
3126 | function cswap(p, q, b) {
3127 |   var i;
3128 |   for (i = 0; i < 4; i++) {
3129 |     sel25519(p[i], q[i], b);
3130 |   }
3131 | }
3132 | 
3133 | function pack(r, p) {
3134 |   var tx = gf(), ty = gf(), zi = gf();
3135 |   inv25519(zi, p[2]);
3136 |   M(tx, p[0], zi);
3137 |   M(ty, p[1], zi);
3138 |   pack25519(r, ty);
3139 |   r[31] ^= par25519(tx) << 7;
3140 | }
3141 | 
3142 | function scalarmult(p, q, s) {
3143 |   var b, i;
3144 |   set25519(p[0], gf0);
3145 |   set25519(p[1], gf1);
3146 |   set25519(p[2], gf1);
3147 |   set25519(p[3], gf0);
3148 |   for (i = 255; i >= 0; --i) {
3149 |     b = (s[(i/8)|0] >> (i&7)) & 1;
3150 |     cswap(p, q, b);
3151 |     add(q, p);
3152 |     add(p, p);
3153 |     cswap(p, q, b);
3154 |   }
3155 | }
3156 | 
3157 | function scalarbase(p, s) {
3158 |   var q = [gf(), gf(), gf(), gf()];
3159 |   set25519(q[0], X);
3160 |   set25519(q[1], Y);
3161 |   set25519(q[2], gf1);
3162 |   M(q[3], X, Y);
3163 |   scalarmult(p, q, s);
3164 | }
3165 | 
3166 | function crypto_sign_keypair(pk, sk, seeded) {
3167 |   var d = new Uint8Array(64);
3168 |   var p = [gf(), gf(), gf(), gf()];
3169 |   var i;
3170 | 
3171 |   if (!seeded) randombytes(sk, 32);
3172 |   crypto_hash(d, sk, 32);
3173 |   d[0] &= 248;
3174 |   d[31] &= 127;
3175 |   d[31] |= 64;
3176 | 
3177 |   scalarbase(p, d);
3178 |   pack(pk, p);
3179 | 
3180 |   for (i = 0; i < 32; i++) sk[i+32] = pk[i];
3181 |   return 0;
3182 | }
3183 | 
3184 | var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
3185 | 
3186 | function modL(r, x) {
3187 |   var carry, i, j, k;
3188 |   for (i = 63; i >= 32; --i) {
3189 |     carry = 0;
3190 |     for (j = i - 32, k = i - 12; j < k; ++j) {
3191 |       x[j] += carry - 16 * x[i] * L[j - (i - 32)];
3192 |       carry = (x[j] + 128) >> 8;
3193 |       x[j] -= carry * 256;
3194 |     }
3195 |     x[j] += carry;
3196 |     x[i] = 0;
3197 |   }
3198 |   carry = 0;
3199 |   for (j = 0; j < 32; j++) {
3200 |     x[j] += carry - (x[31] >> 4) * L[j];
3201 |     carry = x[j] >> 8;
3202 |     x[j] &= 255;
3203 |   }
3204 |   for (j = 0; j < 32; j++) x[j] -= carry * L[j];
3205 |   for (i = 0; i < 32; i++) {
3206 |     x[i+1] += x[i] >> 8;
3207 |     r[i] = x[i] & 255;
3208 |   }
3209 | }
3210 | 
3211 | function reduce(r) {
3212 |   var x = new Float64Array(64), i;
3213 |   for (i = 0; i < 64; i++) x[i] = r[i];
3214 |   for (i = 0; i < 64; i++) r[i] = 0;
3215 |   modL(r, x);
3216 | }
3217 | 
3218 | // Note: difference from C - smlen returned, not passed as argument.
3219 | function crypto_sign(sm, m, n, sk) {
3220 |   var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
3221 |   var i, j, x = new Float64Array(64);
3222 |   var p = [gf(), gf(), gf(), gf()];
3223 | 
3224 |   crypto_hash(d, sk, 32);
3225 |   d[0] &= 248;
3226 |   d[31] &= 127;
3227 |   d[31] |= 64;
3228 | 
3229 |   var smlen = n + 64;
3230 |   for (i = 0; i < n; i++) sm[64 + i] = m[i];
3231 |   for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
3232 | 
3233 |   crypto_hash(r, sm.subarray(32), n+32);
3234 |   reduce(r);
3235 |   scalarbase(p, r);
3236 |   pack(sm, p);
3237 | 
3238 |   for (i = 32; i < 64; i++) sm[i] = sk[i];
3239 |   crypto_hash(h, sm, n + 64);
3240 |   reduce(h);
3241 | 
3242 |   for (i = 0; i < 64; i++) x[i] = 0;
3243 |   for (i = 0; i < 32; i++) x[i] = r[i];
3244 |   for (i = 0; i < 32; i++) {
3245 |     for (j = 0; j < 32; j++) {
3246 |       x[i+j] += h[i] * d[j];
3247 |     }
3248 |   }
3249 | 
3250 |   modL(sm.subarray(32), x);
3251 |   return smlen;
3252 | }
3253 | 
3254 | function unpackneg(r, p) {
3255 |   var t = gf(), chk = gf(), num = gf(),
3256 |       den = gf(), den2 = gf(), den4 = gf(),
3257 |       den6 = gf();
3258 | 
3259 |   set25519(r[2], gf1);
3260 |   unpack25519(r[1], p);
3261 |   S(num, r[1]);
3262 |   M(den, num, D);
3263 |   Z(num, num, r[2]);
3264 |   A(den, r[2], den);
3265 | 
3266 |   S(den2, den);
3267 |   S(den4, den2);
3268 |   M(den6, den4, den2);
3269 |   M(t, den6, num);
3270 |   M(t, t, den);
3271 | 
3272 |   pow2523(t, t);
3273 |   M(t, t, num);
3274 |   M(t, t, den);
3275 |   M(t, t, den);
3276 |   M(r[0], t, den);
3277 | 
3278 |   S(chk, r[0]);
3279 |   M(chk, chk, den);
3280 |   if (neq25519(chk, num)) M(r[0], r[0], I);
3281 | 
3282 |   S(chk, r[0]);
3283 |   M(chk, chk, den);
3284 |   if (neq25519(chk, num)) return -1;
3285 | 
3286 |   if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
3287 | 
3288 |   M(r[3], r[0], r[1]);
3289 |   return 0;
3290 | }
3291 | 
3292 | function crypto_sign_open(m, sm, n, pk) {
3293 |   var i, mlen;
3294 |   var t = new Uint8Array(32), h = new Uint8Array(64);
3295 |   var p = [gf(), gf(), gf(), gf()],
3296 |       q = [gf(), gf(), gf(), gf()];
3297 | 
3298 |   mlen = -1;
3299 |   if (n < 64) return -1;
3300 | 
3301 |   if (unpackneg(q, pk)) return -1;
3302 | 
3303 |   for (i = 0; i < n; i++) m[i] = sm[i];
3304 |   for (i = 0; i < 32; i++) m[i+32] = pk[i];
3305 |   crypto_hash(h, m, n);
3306 |   reduce(h);
3307 |   scalarmult(p, q, h);
3308 | 
3309 |   scalarbase(q, sm.subarray(32));
3310 |   add(p, q);
3311 |   pack(t, p);
3312 | 
3313 |   n -= 64;
3314 |   if (crypto_verify_32(sm, 0, t, 0)) {
3315 |     for (i = 0; i < n; i++) m[i] = 0;
3316 |     return -1;
3317 |   }
3318 | 
3319 |   for (i = 0; i < n; i++) m[i] = sm[i + 64];
3320 |   mlen = n;
3321 |   return mlen;
3322 | }
3323 | 
3324 | var crypto_secretbox_KEYBYTES = 32,
3325 |     crypto_secretbox_NONCEBYTES = 24,
3326 |     crypto_secretbox_ZEROBYTES = 32,
3327 |     crypto_secretbox_BOXZEROBYTES = 16,
3328 |     crypto_scalarmult_BYTES = 32,
3329 |     crypto_scalarmult_SCALARBYTES = 32,
3330 |     crypto_box_PUBLICKEYBYTES = 32,
3331 |     crypto_box_SECRETKEYBYTES = 32,
3332 |     crypto_box_BEFORENMBYTES = 32,
3333 |     crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES,
3334 |     crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES,
3335 |     crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES,
3336 |     crypto_sign_BYTES = 64,
3337 |     crypto_sign_PUBLICKEYBYTES = 32,
3338 |     crypto_sign_SECRETKEYBYTES = 64,
3339 |     crypto_sign_SEEDBYTES = 32,
3340 |     crypto_hash_BYTES = 64;
3341 | 
3342 | nacl.lowlevel = {
3343 |   crypto_core_hsalsa20: crypto_core_hsalsa20,
3344 |   crypto_stream_xor: crypto_stream_xor,
3345 |   crypto_stream: crypto_stream,
3346 |   crypto_stream_salsa20_xor: crypto_stream_salsa20_xor,
3347 |   crypto_stream_salsa20: crypto_stream_salsa20,
3348 |   crypto_onetimeauth: crypto_onetimeauth,
3349 |   crypto_onetimeauth_verify: crypto_onetimeauth_verify,
3350 |   crypto_verify_16: crypto_verify_16,
3351 |   crypto_verify_32: crypto_verify_32,
3352 |   crypto_secretbox: crypto_secretbox,
3353 |   crypto_secretbox_open: crypto_secretbox_open,
3354 |   crypto_scalarmult: crypto_scalarmult,
3355 |   crypto_scalarmult_base: crypto_scalarmult_base,
3356 |   crypto_box_beforenm: crypto_box_beforenm,
3357 |   crypto_box_afternm: crypto_box_afternm,
3358 |   crypto_box: crypto_box,
3359 |   crypto_box_open: crypto_box_open,
3360 |   crypto_box_keypair: crypto_box_keypair,
3361 |   crypto_hash: crypto_hash,
3362 |   crypto_sign: crypto_sign,
3363 |   crypto_sign_keypair: crypto_sign_keypair,
3364 |   crypto_sign_open: crypto_sign_open,
3365 | 
3366 |   crypto_secretbox_KEYBYTES: crypto_secretbox_KEYBYTES,
3367 |   crypto_secretbox_NONCEBYTES: crypto_secretbox_NONCEBYTES,
3368 |   crypto_secretbox_ZEROBYTES: crypto_secretbox_ZEROBYTES,
3369 |   crypto_secretbox_BOXZEROBYTES: crypto_secretbox_BOXZEROBYTES,
3370 |   crypto_scalarmult_BYTES: crypto_scalarmult_BYTES,
3371 |   crypto_scalarmult_SCALARBYTES: crypto_scalarmult_SCALARBYTES,
3372 |   crypto_box_PUBLICKEYBYTES: crypto_box_PUBLICKEYBYTES,
3373 |   crypto_box_SECRETKEYBYTES: crypto_box_SECRETKEYBYTES,
3374 |   crypto_box_BEFORENMBYTES: crypto_box_BEFORENMBYTES,
3375 |   crypto_box_NONCEBYTES: crypto_box_NONCEBYTES,
3376 |   crypto_box_ZEROBYTES: crypto_box_ZEROBYTES,
3377 |   crypto_box_BOXZEROBYTES: crypto_box_BOXZEROBYTES,
3378 |   crypto_sign_BYTES: crypto_sign_BYTES,
3379 |   crypto_sign_PUBLICKEYBYTES: crypto_sign_PUBLICKEYBYTES,
3380 |   crypto_sign_SECRETKEYBYTES: crypto_sign_SECRETKEYBYTES,
3381 |   crypto_sign_SEEDBYTES: crypto_sign_SEEDBYTES,
3382 |   crypto_hash_BYTES: crypto_hash_BYTES
3383 | };
3384 | 
3385 | /* High-level API */
3386 | 
3387 | function checkLengths(k, n) {
3388 |   if (k.length !== crypto_secretbox_KEYBYTES) throw new Error('bad key size');
3389 |   if (n.length !== crypto_secretbox_NONCEBYTES) throw new Error('bad nonce size');
3390 | }
3391 | 
3392 | function checkBoxLengths(pk, sk) {
3393 |   if (pk.length !== crypto_box_PUBLICKEYBYTES) throw new Error('bad public key size');
3394 |   if (sk.length !== crypto_box_SECRETKEYBYTES) throw new Error('bad secret key size');
3395 | }
3396 | 
3397 | function checkArrayTypes() {
3398 |   for (var i = 0; i < arguments.length; i++) {
3399 |     if (!(arguments[i] instanceof Uint8Array))
3400 |       throw new TypeError('unexpected type, use Uint8Array');
3401 |   }
3402 | }
3403 | 
3404 | function cleanup(arr) {
3405 |   for (var i = 0; i < arr.length; i++) arr[i] = 0;
3406 | }
3407 | 
3408 | nacl.randomBytes = function(n) {
3409 |   var b = new Uint8Array(n);
3410 |   randombytes(b, n);
3411 |   return b;
3412 | };
3413 | 
3414 | nacl.secretbox = function(msg, nonce, key) {
3415 |   checkArrayTypes(msg, nonce, key);
3416 |   checkLengths(key, nonce);
3417 |   var m = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
3418 |   var c = new Uint8Array(m.length);
3419 |   for (var i = 0; i < msg.length; i++) m[i+crypto_secretbox_ZEROBYTES] = msg[i];
3420 |   crypto_secretbox(c, m, m.length, nonce, key);
3421 |   return c.subarray(crypto_secretbox_BOXZEROBYTES);
3422 | };
3423 | 
3424 | nacl.secretbox.open = function(box, nonce, key) {
3425 |   checkArrayTypes(box, nonce, key);
3426 |   checkLengths(key, nonce);
3427 |   var c = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
3428 |   var m = new Uint8Array(c.length);
3429 |   for (var i = 0; i < box.length; i++) c[i+crypto_secretbox_BOXZEROBYTES] = box[i];
3430 |   if (c.length < 32) return null;
3431 |   if (crypto_secretbox_open(m, c, c.length, nonce, key) !== 0) return null;
3432 |   return m.subarray(crypto_secretbox_ZEROBYTES);
3433 | };
3434 | 
3435 | nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
3436 | nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
3437 | nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
3438 | 
3439 | nacl.scalarMult = function(n, p) {
3440 |   checkArrayTypes(n, p);
3441 |   if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
3442 |   if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');
3443 |   var q = new Uint8Array(crypto_scalarmult_BYTES);
3444 |   crypto_scalarmult(q, n, p);
3445 |   return q;
3446 | };
3447 | 
3448 | nacl.scalarMult.base = function(n) {
3449 |   checkArrayTypes(n);
3450 |   if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
3451 |   var q = new Uint8Array(crypto_scalarmult_BYTES);
3452 |   crypto_scalarmult_base(q, n);
3453 |   return q;
3454 | };
3455 | 
3456 | nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
3457 | nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
3458 | 
3459 | nacl.box = function(msg, nonce, publicKey, secretKey) {
3460 |   var k = nacl.box.before(publicKey, secretKey);
3461 |   return nacl.secretbox(msg, nonce, k);
3462 | };
3463 | 
3464 | nacl.box.before = function(publicKey, secretKey) {
3465 |   checkArrayTypes(publicKey, secretKey);
3466 |   checkBoxLengths(publicKey, secretKey);
3467 |   var k = new Uint8Array(crypto_box_BEFORENMBYTES);
3468 |   crypto_box_beforenm(k, publicKey, secretKey);
3469 |   return k;
3470 | };
3471 | 
3472 | nacl.box.after = nacl.secretbox;
3473 | 
3474 | nacl.box.open = function(msg, nonce, publicKey, secretKey) {
3475 |   var k = nacl.box.before(publicKey, secretKey);
3476 |   return nacl.secretbox.open(msg, nonce, k);
3477 | };
3478 | 
3479 | nacl.box.open.after = nacl.secretbox.open;
3480 | 
3481 | nacl.box.keyPair = function() {
3482 |   var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
3483 |   var sk = new Uint8Array(crypto_box_SECRETKEYBYTES);
3484 |   crypto_box_keypair(pk, sk);
3485 |   return {publicKey: pk, secretKey: sk};
3486 | };
3487 | 
3488 | nacl.box.keyPair.fromSecretKey = function(secretKey) {
3489 |   checkArrayTypes(secretKey);
3490 |   if (secretKey.length !== crypto_box_SECRETKEYBYTES)
3491 |     throw new Error('bad secret key size');
3492 |   var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
3493 |   crypto_scalarmult_base(pk, secretKey);
3494 |   return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
3495 | };
3496 | 
3497 | nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
3498 | nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
3499 | nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
3500 | nacl.box.nonceLength = crypto_box_NONCEBYTES;
3501 | nacl.box.overheadLength = nacl.secretbox.overheadLength;
3502 | 
3503 | nacl.sign = function(msg, secretKey) {
3504 |   checkArrayTypes(msg, secretKey);
3505 |   if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
3506 |     throw new Error('bad secret key size');
3507 |   var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);
3508 |   crypto_sign(signedMsg, msg, msg.length, secretKey);
3509 |   return signedMsg;
3510 | };
3511 | 
3512 | nacl.sign.open = function(signedMsg, publicKey) {
3513 |   checkArrayTypes(signedMsg, publicKey);
3514 |   if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
3515 |     throw new Error('bad public key size');
3516 |   var tmp = new Uint8Array(signedMsg.length);
3517 |   var mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey);
3518 |   if (mlen < 0) return null;
3519 |   var m = new Uint8Array(mlen);
3520 |   for (var i = 0; i < m.length; i++) m[i] = tmp[i];
3521 |   return m;
3522 | };
3523 | 
3524 | nacl.sign.detached = function(msg, secretKey) {
3525 |   var signedMsg = nacl.sign(msg, secretKey);
3526 |   var sig = new Uint8Array(crypto_sign_BYTES);
3527 |   for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];
3528 |   return sig;
3529 | };
3530 | 
3531 | nacl.sign.detached.verify = function(msg, sig, publicKey) {
3532 |   checkArrayTypes(msg, sig, publicKey);
3533 |   if (sig.length !== crypto_sign_BYTES)
3534 |     throw new Error('bad signature size');
3535 |   if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
3536 |     throw new Error('bad public key size');
3537 |   var sm = new Uint8Array(crypto_sign_BYTES + msg.length);
3538 |   var m = new Uint8Array(crypto_sign_BYTES + msg.length);
3539 |   var i;
3540 |   for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i];
3541 |   for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i];
3542 |   return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0);
3543 | };
3544 | 
3545 | nacl.sign.keyPair = function() {
3546 |   var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
3547 |   var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
3548 |   crypto_sign_keypair(pk, sk);
3549 |   return {publicKey: pk, secretKey: sk};
3550 | };
3551 | 
3552 | nacl.sign.keyPair.fromSecretKey = function(secretKey) {
3553 |   checkArrayTypes(secretKey);
3554 |   if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
3555 |     throw new Error('bad secret key size');
3556 |   var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
3557 |   for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i];
3558 |   return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
3559 | };
3560 | 
3561 | nacl.sign.keyPair.fromSeed = function(seed) {
3562 |   checkArrayTypes(seed);
3563 |   if (seed.length !== crypto_sign_SEEDBYTES)
3564 |     throw new Error('bad seed size');
3565 |   var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
3566 |   var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
3567 |   for (var i = 0; i < 32; i++) sk[i] = seed[i];
3568 |   crypto_sign_keypair(pk, sk, true);
3569 |   return {publicKey: pk, secretKey: sk};
3570 | };
3571 | 
3572 | nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
3573 | nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
3574 | nacl.sign.seedLength = crypto_sign_SEEDBYTES;
3575 | nacl.sign.signatureLength = crypto_sign_BYTES;
3576 | 
3577 | nacl.hash = function(msg) {
3578 |   checkArrayTypes(msg);
3579 |   var h = new Uint8Array(crypto_hash_BYTES);
3580 |   crypto_hash(h, msg, msg.length);
3581 |   return h;
3582 | };
3583 | 
3584 | nacl.hash.hashLength = crypto_hash_BYTES;
3585 | 
3586 | nacl.verify = function(x, y) {
3587 |   checkArrayTypes(x, y);
3588 |   // Zero length arguments are considered not equal.
3589 |   if (x.length === 0 || y.length === 0) return false;
3590 |   if (x.length !== y.length) return false;
3591 |   return (vn(x, 0, y, 0, x.length) === 0) ? true : false;
3592 | };
3593 | 
3594 | nacl.setPRNG = function(fn) {
3595 |   randombytes = fn;
3596 | };
3597 | 
3598 | (function() {
3599 |   // Initialize PRNG if environment provides CSPRNG.
3600 |   // If not, methods calling randombytes will throw.
3601 |   var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
3602 |   if (crypto && crypto.getRandomValues) {
3603 |     // Browsers.
3604 |     var QUOTA = 65536;
3605 |     nacl.setPRNG(function(x, n) {
3606 |       var i, v = new Uint8Array(n);
3607 |       for (i = 0; i < n; i += QUOTA) {
3608 |         crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
3609 |       }
3610 |       for (i = 0; i < n; i++) x[i] = v[i];
3611 |       cleanup(v);
3612 |     });
3613 |   } else if (typeof require !== 'undefined') {
3614 |     // Node.js.
3615 |     crypto = require('crypto');
3616 |     if (crypto && crypto.randomBytes) {
3617 |       nacl.setPRNG(function(x, n) {
3618 |         var i, v = crypto.randomBytes(n);
3619 |         for (i = 0; i < n; i++) x[i] = v[i];
3620 |         cleanup(v);
3621 |       });
3622 |     }
3623 |   }
3624 | })();
3625 | 
3626 | })(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));
3627 | 
3628 | },{"crypto":3}]},{},[1])(1)
3629 | });


--------------------------------------------------------------------------------