├── package.json
├── LICENSE
├── README.md
├── test.js
├── sha1.js
├── sha256.js
├── tea-block.js
├── aes.js
└── aes-ctr.js


/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "crypto-libraries",
 3 |     "description": "Collection of cryptographic routines",
 4 |     "repository": { "type": "git", "url": "https://github.com/chrisveness/crypto" },
 5 |     "author": "Chris Veness",
 6 |     "version": "0.0.0",
 7 |     "devDependencies": {
 8 |         "browserify": "^4.0.0",
 9 |         "tap-spec": "^0.2.0",
10 |         "tape": "^2.12.0"
11 |     },
12 |     "testling": {
13 |         "files": "test.js",
14 |         "browsers": [
15 |             "iexplore/7..latest",
16 |             "chrome/26..latest",
17 |             "firefox/21..latest",
18 |             "safari/4..latest",
19 |             "opera/11.5..latest",
20 |             "iphone/6..latest",
21 |             "ipad/6..latest",
22 |             "android-browser/4.2..latest"
23 |         ]
24 |     },
25 |     "scripts": {
26 |         "test": "tape test.js | tap-spec"
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014 Chris Veness
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | crypto
 2 | ======
 3 | 
 4 | Libraries of cryptographic functions implemented in JavaScript.
 5 | 
 6 | aes.js
 7 | ------
 8 | 
 9 | This is a reference implementation of the algorithm described in the FIPS-197 standard. It implements
10 | the standard very closely, in order to aid in understanding the standard and the algorithm itself.
11 | 
12 | This comprises:
13 | 
14 | - `cipher`: takes a 128-bit input block and applies the cipher algorithm to produce a 128-bit output block
15 | - `keyExpansion`: applies a key expansion to a 128-/192-/256-bit cipher key to produce a 2D byte-array
16 |   key schedule for the cipher routine
17 | 
18 | More details are available at www.movable-type.co.uk/scripts/aes.html.
19 | 
20 | aes-ctr.js
21 | ----------
22 | 
23 | This is a counter-mode (CTR) wrapper for the AES function.
24 | 
25 | This comprises:
26 | 
27 | - `encrypt`: encrypt a plaintext using a supplied password
28 | - `decrypt`: decrypt an encrypted ciphertext using a supplied password
29 | 
30 | Note that there are no standards for data storage formats of AES encryption mode wrapper functions,
31 | so this is unlikely to inter-operate with standard library functions.
32 | 
33 | More details are available at www.movable-type.co.uk/scripts/aes.html.
34 | 
35 | sha1.js
36 | -------
37 | 
38 | This is a reference implementation of the algorithm described in the FIPS-180-2 standard. It implements
39 | the standard very closely, in order to aid in understanding the standard and the algorithm itself.
40 | 
41 | This comprises:
42 | 
43 | - `hash`: takes a (Unicode) string and generates a hash (of the UTF-8 encoded string)
44 | 
45 | More details are available at www.movable-type.co.uk/scripts/sha1.html.
46 | 
47 | sha256.js
48 | -------
49 | 
50 | This is a reference implementation of the algorithm described in the FIPS-180-2 standard. It implements
51 | the standard very closely, in order to aid in understanding the standard and the algorithm itself.
52 | 
53 | This comprises:
54 | 
55 | - `hash`: takes a (Unicode) string and generates a hash (of the UTF-8 encoded string)
56 | 
57 | More details are available at www.movable-type.co.uk/scripts/sha256.html.
58 | 
59 | 
60 | tea-block.js
61 | ------------
62 | 
63 | Wheeler & Needham’s *Tiny Encryption Algorithm* is a simple but powerful encryption algorithm which
64 | provides strong encryption in just a few lines of concise, clear code. This implements the (corrected)
65 | ‘Block TEA’ variant (xxtea).
66 | 
67 | The library includes:
68 | 
69 | - `encrypt` a text with a password
70 | - `decrypt` an encrypted text
71 | - `encode` an array of longs using a 128-bit key
72 | - `decode` an encoded array of longs
73 | 
74 | More details are available at www.movable-type.co.uk/scripts/tea-block.html.
75 | 
76 | Documentation
77 | -------------
78 | 
79 | Documentation for all these methods is available at www.movable-type.co.uk/scripts/js/crypto/docs.
80 | 
81 | Browser support
82 | ---------------
83 | 
84 | [![browser support](https://ci.testling.com/chrisveness/crypto.png)](https://ci.testling.com/chrisveness/crypto)
85 | 
86 | IE9- doesn’t have btoa()/atob(): if you need to support IE9-, you can use David Chambers’
87 | [Base64 polyfill](https://github.com/davidchambers/Base64.js).
88 | 


--------------------------------------------------------------------------------
/test.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | //  Crypto Test Harness                                                    (c) Chris Veness 2014  */
  3 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  4 | 'use strict'
  5 | 
  6 | var test = require('tape');
  7 | 
  8 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  9 | /* AES - test vectors: csrc.nist.gov/publications/fips/fips197/fips-197.pdf C.1                   */
 10 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 11 | 
 12 | test('aes', function(assert) {
 13 |     var Aes = require('./aes.js');
 14 | 
 15 |     var plaintext = vectorToBytes('00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff');
 16 | 
 17 |     var key128    = vectorToBytes('00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f');
 18 |     var cipher128 = vectorToBytes('69 c4 e0 d8 6a 7b 04 30 d8 cd b7 80 70 b4 c5 5a');
 19 | 
 20 |     var key192    = vectorToBytes('00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17');
 21 |     var cipher192 = vectorToBytes('dd a9 7c a4 86 4c df e0 6e af 70 a0 ec 0d 71 91');
 22 | 
 23 |     var key256    = vectorToBytes('00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f');
 24 |     var cipher256 = vectorToBytes('8e a2 b7 ca 51 67 45 bf ea fc 49 90 4b 49 60 89');
 25 | 
 26 |     assert.deepEqual(Aes.cipher(plaintext, Aes.keyExpansion(key128)), cipher128, 'Aes-128-bit test vector');
 27 |     assert.deepEqual(Aes.cipher(plaintext, Aes.keyExpansion(key192)), cipher192, 'Aes-192-bit test vector');
 28 |     assert.deepEqual(Aes.cipher(plaintext, Aes.keyExpansion(key256)), cipher256, 'Aes-256-bit test vector');
 29 |     assert.end();
 30 | 
 31 |     function vectorToBytes(v) {
 32 |         var a = v.split(/ /);
 33 |         for (var i=0; i<a.length; i++) a[i] = parseInt('0x'+a[i]);
 34 |         return a;
 35 |     }
 36 | 
 37 |     function bytesToVector(b) {
 38 |         var v = b.slice(); // clone b
 39 |         for (var i=0; i<v.length; i++) {
 40 |             v[i] = v[i]<0x10 ? '0'+v[i].toString(16) : v[i].toString(16);
 41 |         }
 42 |         return v.join(' ');
 43 |     }
 44 | });
 45 | 
 46 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 47 | /* Aes CTR: test Unicode text & password (ciphertext will be different on each invocation)        */
 48 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 49 | 
 50 | test('aes.ctr', function(assert) {
 51 |     var Aes = require('./aes.js');
 52 |     Aes.Ctr = require('./aes-ctr.js');
 53 | 
 54 |     var origtext = 'My big secret סוד קצת بت سرية  ความลับบิต 位的秘密';
 55 |     var ciphertext = Aes.Ctr.encrypt(origtext, 'pāšşŵōřđ', 256);
 56 |     var decrtext = Aes.Ctr.decrypt(ciphertext, 'pāšşŵōřđ', 256);
 57 | 
 58 |     assert.equal(decrtext, origtext, 'decrypted ciphertext matches original text');
 59 |     assert.end();
 60 | });
 61 | 
 62 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 63 | /* Block TEA: test decrypted encrypted text matches original text (with Unicode text & password)  */
 64 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 65 | 
 66 | test('tea-block', function(assert) {
 67 |     var Tea = require('./tea-block.js');
 68 | 
 69 |     var origtext = 'My big secret סוד קצת بت سرية  ความลับบิต 位的秘密';
 70 |     var ciphertext = Tea.encrypt(origtext, 'pāšşŵōřđ');
 71 |     var decrtext = Tea.decrypt(ciphertext, 'pāšşŵōřđ');
 72 | 
 73 |     assert.equal(decrtext, origtext, 'decrypted ciphertext matches original text');
 74 |     assert.end();
 75 | });
 76 | 
 77 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 78 | /* SHA-1: csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA1.pdf                             */
 79 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 80 | 
 81 | test('sha1', function(assert) {
 82 |     var Sha1 = require('./sha1.js');
 83 | 
 84 |     var msg1 = 'abc';
 85 |     assert.equal(Sha1.hash(msg1), 'a9993e364706816aba3e25717850c26c9cd0d89d', 'sha1 1 block msg');
 86 |     var msg2 = 'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq';
 87 |     assert.equal(Sha1.hash(msg2), '84983e441c3bd26ebaae4aa1f95129e5e54670f1', 'sha1 2 block msg');
 88 | 
 89 |     assert.end();
 90 | });
 91 | 
 92 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 93 | /* SHA-256: csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA256.pdf                         */
 94 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 95 | 
 96 | test('sha256', function(assert) {
 97 |     var Sha256 = require('./sha256.js');
 98 | 
 99 |     var msg1 = 'abc';
100 |     assert.equal(Sha256.hash(msg1), 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad', 'sha256 1 block msg');
101 |     var msg2 = 'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq';
102 |     assert.equal(Sha256.hash(msg2), '248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1', 'sha256 2 block msg');
103 | 
104 |     assert.end();
105 | });
106 | 
107 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
108 | 


--------------------------------------------------------------------------------
/sha1.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | /*  SHA-1 implementation in JavaScript                  (c) Chris Veness 2002-2014 / MIT Licence  */
  3 | /*                                                                                                */
  4 | /*  - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                              */
  5 | /*        http://csrc.nist.gov/groups/ST/toolkit/examples.html                                    */
  6 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  7 | 
  8 | /* jshint node:true *//* global define, escape, unescape */
  9 | 'use strict';
 10 | 
 11 | 
 12 | /**
 13 |  * SHA-1 hash function reference implementation.
 14 |  *
 15 |  * @namespace
 16 |  */
 17 | var Sha1 = {};
 18 | 
 19 | 
 20 | /**
 21 |  * Generates SHA-1 hash of string.
 22 |  *
 23 |  * @param   {string} msg - (Unicode) string to be hashed.
 24 |  * @returns {string} Hash of msg as hex character string.
 25 |  */
 26 | Sha1.hash = function(msg) {
 27 |     // convert string to UTF-8, as SHA only deals with byte-streams
 28 |     msg = msg.utf8Encode();
 29 | 
 30 |     // constants [§4.2.1]
 31 |     var K = [ 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6 ];
 32 | 
 33 |     // PREPROCESSING
 34 | 
 35 |     msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
 36 | 
 37 |     // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
 38 |     var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + ‘1’ + appended length
 39 |     var N = Math.ceil(l/16);  // number of 16-integer-blocks required to hold 'l' ints
 40 |     var M = new Array(N);
 41 | 
 42 |     for (var i=0; i<N; i++) {
 43 |         M[i] = new Array(16);
 44 |         for (var j=0; j<16; j++) {  // encode 4 chars per integer, big-endian encoding
 45 |             M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
 46 |                 (msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
 47 |         } // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
 48 |     }
 49 |     // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
 50 |     // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
 51 |     // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
 52 |     M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
 53 |     M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;
 54 | 
 55 |     // set initial hash value [§5.3.1]
 56 |     var H0 = 0x67452301;
 57 |     var H1 = 0xefcdab89;
 58 |     var H2 = 0x98badcfe;
 59 |     var H3 = 0x10325476;
 60 |     var H4 = 0xc3d2e1f0;
 61 | 
 62 |     // HASH COMPUTATION [§6.1.2]
 63 | 
 64 |     var W = new Array(80); var a, b, c, d, e;
 65 |     for (var i=0; i<N; i++) {
 66 | 
 67 |         // 1 - prepare message schedule 'W'
 68 |         for (var t=0;  t<16; t++) W[t] = M[i][t];
 69 |         for (var t=16; t<80; t++) W[t] = Sha1.ROTL(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16], 1);
 70 | 
 71 |         // 2 - initialise five working variables a, b, c, d, e with previous hash value
 72 |         a = H0; b = H1; c = H2; d = H3; e = H4;
 73 | 
 74 |         // 3 - main loop
 75 |         for (var t=0; t<80; t++) {
 76 |             var s = Math.floor(t/20); // seq for blocks of 'f' functions and 'K' constants
 77 |             var T = (Sha1.ROTL(a,5) + Sha1.f(s,b,c,d) + e + K[s] + W[t]) & 0xffffffff;
 78 |             e = d;
 79 |             d = c;
 80 |             c = Sha1.ROTL(b, 30);
 81 |             b = a;
 82 |             a = T;
 83 |         }
 84 | 
 85 |         // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
 86 |         H0 = (H0+a) & 0xffffffff;
 87 |         H1 = (H1+b) & 0xffffffff;
 88 |         H2 = (H2+c) & 0xffffffff;
 89 |         H3 = (H3+d) & 0xffffffff;
 90 |         H4 = (H4+e) & 0xffffffff;
 91 |     }
 92 | 
 93 |     return Sha1.toHexStr(H0) + Sha1.toHexStr(H1) + Sha1.toHexStr(H2) +
 94 |            Sha1.toHexStr(H3) + Sha1.toHexStr(H4);
 95 | };
 96 | 
 97 | 
 98 | /**
 99 |  * Function 'f' [§4.1.1].
100 |  * @private
101 |  */
102 | Sha1.f = function(s, x, y, z)  {
103 |     switch (s) {
104 |         case 0: return (x & y) ^ (~x & z);           // Ch()
105 |         case 1: return  x ^ y  ^  z;                 // Parity()
106 |         case 2: return (x & y) ^ (x & z) ^ (y & z);  // Maj()
107 |         case 3: return  x ^ y  ^  z;                 // Parity()
108 |     }
109 | };
110 | 
111 | /**
112 |  * Rotates left (circular left shift) value x by n positions [§3.2.5].
113 |  * @private
114 |  */
115 | Sha1.ROTL = function(x, n) {
116 |     return (x<<n) | (x>>>(32-n));
117 | };
118 | 
119 | 
120 | /**
121 |  * Hexadecimal representation of a number.
122 |  * @private
123 |  */
124 | Sha1.toHexStr = function(n) {
125 |     // note can't use toString(16) as it is implementation-dependant,
126 |     // and in IE returns signed numbers when used on full words
127 |     var s="", v;
128 |     for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
129 |     return s;
130 | };
131 | 
132 | 
133 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
134 | 
135 | 
136 | /** Extend String object with method to encode multi-byte string to utf8
137 |  *  - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
138 | if (typeof String.prototype.utf8Encode == 'undefined') {
139 |     String.prototype.utf8Encode = function() {
140 |         return unescape( encodeURIComponent( this ) );
141 |     };
142 | }
143 | 
144 | /** Extend String object with method to decode utf8 string to multi-byte */
145 | if (typeof String.prototype.utf8Decode == 'undefined') {
146 |     String.prototype.utf8Decode = function() {
147 |         try {
148 |             return decodeURIComponent( escape( this ) );
149 |         } catch (e) {
150 |             return this; // invalid UTF-8? return as-is
151 |         }
152 |     };
153 | }
154 | 
155 | 
156 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
157 | if (typeof module != 'undefined' && module.exports) module.exports = Sha1; // CommonJs export
158 | if (typeof define == 'function' && define.amd) define([], function() { return Sha1; }); // AMD
159 | 


--------------------------------------------------------------------------------
/sha256.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | /*  SHA-256 implementation in JavaScript                (c) Chris Veness 2002-2014 / MIT Licence  */
  3 | /*                                                                                                */
  4 | /*  - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                              */
  5 | /*        http://csrc.nist.gov/groups/ST/toolkit/examples.html                                    */
  6 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  7 | 
  8 | /* jshint node:true *//* global define, escape, unescape */
  9 | 'use strict';
 10 | 
 11 | 
 12 | /**
 13 |  * SHA-256 hash function reference implementation.
 14 |  *
 15 |  * @namespace
 16 |  */
 17 | var Sha256 = {};
 18 | 
 19 | 
 20 | /**
 21 |  * Generates SHA-256 hash of string.
 22 |  *
 23 |  * @param   {string} msg - String to be hashed
 24 |  * @returns {string} Hash of msg as hex character string
 25 |  */
 26 | Sha256.hash = function(msg) {
 27 |     // convert string to UTF-8, as SHA only deals with byte-streams
 28 |     msg = msg.utf8Encode();
 29 |     
 30 |     // constants [§4.2.2]
 31 |     var K = [
 32 |         0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
 33 |         0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
 34 |         0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
 35 |         0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
 36 |         0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 37 |         0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
 38 |         0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
 39 |         0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ];
 40 |     // initial hash value [§5.3.1]
 41 |     var H = [
 42 |         0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 ];
 43 | 
 44 |     // PREPROCESSING 
 45 |  
 46 |     msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
 47 | 
 48 |     // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
 49 |     var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + ‘1’ + appended length
 50 |     var N = Math.ceil(l/16);  // number of 16-integer-blocks required to hold 'l' ints
 51 |     var M = new Array(N);
 52 | 
 53 |     for (var i=0; i<N; i++) {
 54 |         M[i] = new Array(16);
 55 |         for (var j=0; j<16; j++) {  // encode 4 chars per integer, big-endian encoding
 56 |             M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) | 
 57 |                       (msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
 58 |         } // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
 59 |     }
 60 |     // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
 61 |     // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
 62 |     // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
 63 |     M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
 64 |     M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;
 65 | 
 66 | 
 67 |     // HASH COMPUTATION [§6.1.2]
 68 | 
 69 |     var W = new Array(64); var a, b, c, d, e, f, g, h;
 70 |     for (var i=0; i<N; i++) {
 71 | 
 72 |         // 1 - prepare message schedule 'W'
 73 |         for (var t=0;  t<16; t++) W[t] = M[i][t];
 74 |         for (var t=16; t<64; t++) W[t] = (Sha256.σ1(W[t-2]) + W[t-7] + Sha256.σ0(W[t-15]) + W[t-16]) & 0xffffffff;
 75 | 
 76 |         // 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
 77 |         a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];
 78 | 
 79 |         // 3 - main loop (note 'addition modulo 2^32')
 80 |         for (var t=0; t<64; t++) {
 81 |             var T1 = h + Sha256.Σ1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
 82 |             var T2 =     Sha256.Σ0(a) + Sha256.Maj(a, b, c);
 83 |             h = g;
 84 |             g = f;
 85 |             f = e;
 86 |             e = (d + T1) & 0xffffffff;
 87 |             d = c;
 88 |             c = b;
 89 |             b = a;
 90 |             a = (T1 + T2) & 0xffffffff;
 91 |         }
 92 |          // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
 93 |         H[0] = (H[0]+a) & 0xffffffff;
 94 |         H[1] = (H[1]+b) & 0xffffffff; 
 95 |         H[2] = (H[2]+c) & 0xffffffff; 
 96 |         H[3] = (H[3]+d) & 0xffffffff; 
 97 |         H[4] = (H[4]+e) & 0xffffffff;
 98 |         H[5] = (H[5]+f) & 0xffffffff;
 99 |         H[6] = (H[6]+g) & 0xffffffff; 
100 |         H[7] = (H[7]+h) & 0xffffffff; 
101 |     }
102 | 
103 |     return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) + 
104 |            Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
105 | };
106 | 
107 | 
108 | /**
109 |  * Rotates right (circular right shift) value x by n positions [§3.2.4].
110 |  * @private
111 |  */
112 | Sha256.ROTR = function(n, x) {
113 |     return (x >>> n) | (x << (32-n));
114 | };
115 | 
116 | /**
117 |  * Logical functions [§4.1.2].
118 |  * @private
119 |  */
120 | Sha256.Σ0  = function(x) { return Sha256.ROTR(2,  x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); };
121 | Sha256.Σ1  = function(x) { return Sha256.ROTR(6,  x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); };
122 | Sha256.σ0  = function(x) { return Sha256.ROTR(7,  x) ^ Sha256.ROTR(18, x) ^ (x>>>3);  };
123 | Sha256.σ1  = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); };
124 | Sha256.Ch  = function(x, y, z) { return (x & y) ^ (~x & z); };
125 | Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); };
126 | 
127 | 
128 | /**
129 |  * Hexadecimal representation of a number.
130 |  * @private
131 |  */
132 | Sha256.toHexStr = function(n) {
133 |     // note can't use toString(16) as it is implementation-dependant,
134 |     // and in IE returns signed numbers when used on full words
135 |     var s="", v;
136 |     for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
137 |     return s;
138 | };
139 | 
140 | 
141 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
142 | 
143 | 
144 | /** Extend String object with method to encode multi-byte string to utf8
145 |  *  - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
146 | if (typeof String.prototype.utf8Encode == 'undefined') {
147 |     String.prototype.utf8Encode = function() {
148 |         return unescape( encodeURIComponent( this ) );
149 |     };
150 | }
151 | 
152 | /** Extend String object with method to decode utf8 string to multi-byte */
153 | if (typeof String.prototype.utf8Decode == 'undefined') {
154 |     String.prototype.utf8Decode = function() {
155 |         try {
156 |             return decodeURIComponent( escape( this ) );
157 |         } catch (e) {
158 |             return this; // invalid UTF-8? return as-is
159 |         }
160 |     };
161 | }
162 | 
163 | 
164 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
165 | if (typeof module != 'undefined' && module.exports) module.exports = Sha256; // CommonJs export
166 | if (typeof define == 'function' && define.amd) define([], function() { return Sha256; }); // AMD
167 | 


--------------------------------------------------------------------------------
/tea-block.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | /*  Block TEA (xxtea) Tiny Encryption Algorithm         (c) Chris Veness 2002-2014 / MIT Licence  */
  3 | /*   - www.movable-type.co.uk/scripts/tea-block.html                                              */
  4 | /*                                                                                                */
  5 | /*  Algorithm: David Wheeler & Roger Needham, Cambridge University Computer Lab                   */
  6 | /*             http://www.cl.cam.ac.uk/ftp/papers/djw-rmn/djw-rmn-tea.html (1994)                 */
  7 | /*             http://www.cl.cam.ac.uk/ftp/users/djw3/xtea.ps (1997)                              */
  8 | /*             http://www.cl.cam.ac.uk/ftp/users/djw3/xxtea.ps (1998)                             */
  9 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
 10 | 
 11 | /* jshint node:true *//* global define, escape, unescape, btoa, atob */
 12 | 'use strict';
 13 | 
 14 | 
 15 | /**
 16 |  * Tiny Encryption Algorithm
 17 |  *
 18 |  * @namespace
 19 |  */
 20 | var Tea = {};
 21 | 
 22 | 
 23 | /**
 24 |  * Encrypts text using Corrected Block TEA (xxtea) algorithm.
 25 |  *
 26 |  * @param   {string} plaintext - String to be encrypted (multi-byte safe).
 27 |  * @param   {string} password - Password to be used for encryption (1st 16 chars).
 28 |  * @returns {string} Encrypted text (encoded as base64).
 29 |  */
 30 | Tea.encrypt = function(plaintext, password) {
 31 |     plaintext = String(plaintext);
 32 |     password = String(password);
 33 | 
 34 |     if (plaintext.length == 0) return('');  // nothing to encrypt
 35 | 
 36 |     //  v is n-word data vector; converted to array of longs from UTF-8 string
 37 |     var v = Tea.strToLongs(plaintext.utf8Encode());
 38 |     //  k is 4-word key; simply convert first 16 chars of password as key
 39 |     var k = Tea.strToLongs(password.utf8Encode().slice(0,16));
 40 |     var n = v.length;
 41 | 
 42 |     v = Tea.encode(v, k);
 43 | 
 44 |     // convert array of longs to string
 45 |     var ciphertext = Tea.longsToStr(v);
 46 | 
 47 |     // convert binary string to base64 ascii for safe transport
 48 |     return ciphertext.base64Encode();
 49 | };
 50 | 
 51 | 
 52 | /**
 53 |  * Decrypts text using Corrected Block TEA (xxtea) algorithm.
 54 |  *
 55 |  * @param   {string} ciphertext - String to be decrypted.
 56 |  * @param   {string} password - Password to be used for decryption (1st 16 chars).
 57 |  * @returns {string} Decrypted text.
 58 |  */
 59 | Tea.decrypt = function(ciphertext, password) {
 60 |     ciphertext = String(ciphertext);
 61 |     password = String(password);
 62 | 
 63 |     if (ciphertext.length == 0) return('');
 64 | 
 65 |     //  v is n-word data vector; converted to array of longs from base64 string
 66 |     var v = Tea.strToLongs(ciphertext.base64Decode());
 67 |     //  k is 4-word key; simply convert first 16 chars of password as key
 68 |     var k = Tea.strToLongs(password.utf8Encode().slice(0,16));
 69 |     var n = v.length;
 70 | 
 71 |     v = Tea.decode(v, k);
 72 | 
 73 |     var plaintext = Tea.longsToStr(v);
 74 | 
 75 |     // strip trailing null chars resulting from filling 4-char blocks:
 76 |     plaintext = plaintext.replace(/\0+$/,'');
 77 | 
 78 |     return plaintext.utf8Decode();
 79 | };
 80 | 
 81 | 
 82 | /**
 83 |  * XXTEA: encodes array of unsigned 32-bit integers using 128-bit key.
 84 |  *
 85 |  * @param   {number[]} v - Data vector.
 86 |  * @param   {number[]} k - Key.
 87 |  * @returns {number[]} Encoded vector.
 88 |  */
 89 | Tea.encode = function(v, k) {
 90 |     if (v.length < 2) v[1] = 0;  // algorithm doesn't work for n<2 so fudge by adding a null
 91 |     var n = v.length;
 92 | 
 93 |     var z = v[n-1], y = v[0], delta = 0x9E3779B9;
 94 |     var mx, e, q = Math.floor(6 + 52/n), sum = 0;
 95 | 
 96 |     while (q-- > 0) {  // 6 + 52/n operations gives between 6 & 32 mixes on each word
 97 |         sum += delta;
 98 |         e = sum>>>2 & 3;
 99 |         for (var p = 0; p < n; p++) {
100 |             y = v[(p+1)%n];
101 |             mx = (z>>>5 ^ y<<2) + (y>>>3 ^ z<<4) ^ (sum^y) + (k[p&3 ^ e] ^ z);
102 |             z = v[p] += mx;
103 |         }
104 |     }
105 | 
106 |     return v;
107 | };
108 | 
109 | 
110 | /**
111 |  * XXTEA: decodes array of unsigned 32-bit integers using 128-bit key.
112 |  *
113 |  * @param   {number[]} v - Data vector.
114 |  * @param   {number[]} k - Key.
115 |  * @returns {number[]} Decoded vector.
116 |  */
117 | Tea.decode = function(v, k) {
118 |     var n = v.length;
119 | 
120 |     var z = v[n-1], y = v[0], delta = 0x9E3779B9;
121 |     var mx, e, q = Math.floor(6 + 52/n), sum = q*delta;
122 | 
123 |     while (sum != 0) {
124 |         e = sum>>>2 & 3;
125 |         for (var p = n-1; p >= 0; p--) {
126 |             z = v[p>0 ? p-1 : n-1];
127 |             mx = (z>>>5 ^ y<<2) + (y>>>3 ^ z<<4) ^ (sum^y) + (k[p&3 ^ e] ^ z);
128 |             y = v[p] -= mx;
129 |         }
130 |         sum -= delta;
131 |     }
132 | 
133 |     return v;
134 | };
135 | 
136 | 
137 | /**
138 |  * Converts string to array of longs (each containing 4 chars).
139 |  * @private
140 |  */
141 | Tea.strToLongs = function(s) {
142 |     // note chars must be within ISO-8859-1 (Unicode code-point <= U+00FF) to fit 4/long
143 |     var l = new Array(Math.ceil(s.length/4));
144 |     for (var i=0; i<l.length; i++) {
145 |         // note little-endian encoding - endianness is irrelevant as long as it matches longsToStr()
146 |         l[i] = s.charCodeAt(i*4)        + (s.charCodeAt(i*4+1)<<8) +
147 |               (s.charCodeAt(i*4+2)<<16) + (s.charCodeAt(i*4+3)<<24);
148 |     }
149 |     return l; // note running off the end of the string generates nulls since bitwise operators
150 | };            // treat NaN as 0
151 | 
152 | 
153 | /**
154 |  * Converts array of longs to string.
155 |  * @private
156 |  */
157 | Tea.longsToStr = function(l) {
158 |     var a = new Array(l.length);
159 |     for (var i=0; i<l.length; i++) {
160 |         a[i] = String.fromCharCode(l[i] & 0xFF, l[i]>>>8 & 0xFF, l[i]>>>16 & 0xFF, l[i]>>>24 & 0xFF);
161 |     }
162 |     return a.join('');  // use Array.join() for better performance than repeated string appends
163 | };
164 | 
165 | 
166 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
167 | 
168 | 
169 | /** Extend String object with method to encode multi-byte string to utf8
170 |  *  - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
171 | if (typeof String.prototype.utf8Encode == 'undefined') {
172 |     String.prototype.utf8Encode = function() {
173 |         return unescape( encodeURIComponent( this ) );
174 |     };
175 | }
176 | 
177 | /** Extend String object with method to decode utf8 string to multi-byte */
178 | if (typeof String.prototype.utf8Decode == 'undefined') {
179 |     String.prototype.utf8Decode = function() {
180 |         try {
181 |             return decodeURIComponent( escape( this ) );
182 |         } catch (e) {
183 |             return this; // invalid UTF-8? return as-is
184 |         }
185 |     };
186 | }
187 | 
188 | 
189 | /** Extend String object with method to encode base64
190 |  *  - developer.mozilla.org/en-US/docs/Web/API/window.btoa, nodejs.org/api/buffer.html
191 |  *  note: if btoa()/atob() are not available (eg IE9-), try github.com/davidchambers/Base64.js */
192 | if (typeof String.prototype.base64Encode == 'undefined') {
193 |     String.prototype.base64Encode = function() {
194 |         if (typeof btoa != 'undefined') return btoa(this); // browser
195 |         if (typeof Buffer != 'undefined') return new Buffer(this, 'utf8').toString('base64'); // Node.js
196 |         throw new Error('No Base64 Encode');
197 |     };
198 | }
199 | 
200 | /** Extend String object with method to decode base64 */
201 | if (typeof String.prototype.base64Decode == 'undefined') {
202 |     String.prototype.base64Decode = function() {
203 |         if (typeof atob != 'undefined') return atob(this); // browser
204 |         if (typeof Buffer != 'undefined') return new Buffer(this, 'base64').toString('utf8'); // Node.js
205 |         throw new Error('No Base64 Decode');
206 |     };
207 | }
208 | 
209 | 
210 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
211 | if (typeof module != 'undefined' && module.exports) module.exports = Tea; // CommonJS export
212 | if (typeof define == 'function' && define.amd) define([''], function() { return Tea; }); // AMD
213 | 


--------------------------------------------------------------------------------
/aes.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | /*  AES implementation in JavaScript                     (c) Chris Veness 2005-2014 / MIT Licence */
  3 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  4 | 
  5 | /* jshint node:true *//* global define */
  6 | 'use strict';
  7 | 
  8 | 
  9 | /**
 10 |  * AES (Rijndael cipher) encryption routines,
 11 |  *
 12 |  * Reference implementation of FIPS-197 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
 13 |  *
 14 |  * @namespace
 15 |  */
 16 | var Aes = {};
 17 | 
 18 | 
 19 | /**
 20 |  * AES Cipher function: encrypt 'input' state with Rijndael algorithm [§5.1];
 21 |  *   applies Nr rounds (10/12/14) using key schedule w for 'add round key' stage.
 22 |  *
 23 |  * @param   {number[]}   input - 16-byte (128-bit) input state array.
 24 |  * @param   {number[][]} w - Key schedule as 2D byte-array (Nr+1 x Nb bytes).
 25 |  * @returns {number[]}   Encrypted output state array.
 26 |  */
 27 | Aes.cipher = function(input, w) {
 28 |     var Nb = 4;               // block size (in words): no of columns in state (fixed at 4 for AES)
 29 |     var Nr = w.length/Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys
 30 | 
 31 |     var state = [[],[],[],[]];  // initialise 4xNb byte-array 'state' with input [§3.4]
 32 |     for (var i=0; i<4*Nb; i++) state[i%4][Math.floor(i/4)] = input[i];
 33 | 
 34 |     state = Aes.addRoundKey(state, w, 0, Nb);
 35 | 
 36 |     for (var round=1; round<Nr; round++) {
 37 |         state = Aes.subBytes(state, Nb);
 38 |         state = Aes.shiftRows(state, Nb);
 39 |         state = Aes.mixColumns(state, Nb);
 40 |         state = Aes.addRoundKey(state, w, round, Nb);
 41 |     }
 42 | 
 43 |     state = Aes.subBytes(state, Nb);
 44 |     state = Aes.shiftRows(state, Nb);
 45 |     state = Aes.addRoundKey(state, w, Nr, Nb);
 46 | 
 47 |     var output = new Array(4*Nb);  // convert state to 1-d array before returning [§3.4]
 48 |     for (var i=0; i<4*Nb; i++) output[i] = state[i%4][Math.floor(i/4)];
 49 | 
 50 |     return output;
 51 | };
 52 | 
 53 | 
 54 | /**
 55 |  * Perform key expansion to generate a key schedule from a cipher key [§5.2].
 56 |  *
 57 |  * @param   {number[]}   key - Cipher key as 16/24/32-byte array.
 58 |  * @returns {number[][]} Expanded key schedule as 2D byte-array (Nr+1 x Nb bytes).
 59 |  */
 60 | Aes.keyExpansion = function(key) {
 61 |     var Nb = 4;            // block size (in words): no of columns in state (fixed at 4 for AES)
 62 |     var Nk = key.length/4; // key length (in words): 4/6/8 for 128/192/256-bit keys
 63 |     var Nr = Nk + 6;       // no of rounds: 10/12/14 for 128/192/256-bit keys
 64 | 
 65 |     var w = new Array(Nb*(Nr+1));
 66 |     var temp = new Array(4);
 67 | 
 68 |     // initialise first Nk words of expanded key with cipher key
 69 |     for (var i=0; i<Nk; i++) {
 70 |         var r = [key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]];
 71 |         w[i] = r;
 72 |     }
 73 | 
 74 |     // expand the key into the remainder of the schedule
 75 |     for (var i=Nk; i<(Nb*(Nr+1)); i++) {
 76 |         w[i] = new Array(4);
 77 |         for (var t=0; t<4; t++) temp[t] = w[i-1][t];
 78 |         // each Nk'th word has extra transformation
 79 |         if (i % Nk == 0) {
 80 |             temp = Aes.subWord(Aes.rotWord(temp));
 81 |             for (var t=0; t<4; t++) temp[t] ^= Aes.rCon[i/Nk][t];
 82 |         }
 83 |         // 256-bit key has subWord applied every 4th word
 84 |         else if (Nk > 6 && i%Nk == 4) {
 85 |             temp = Aes.subWord(temp);
 86 |         }
 87 |         // xor w[i] with w[i-1] and w[i-Nk]
 88 |         for (var t=0; t<4; t++) w[i][t] = w[i-Nk][t] ^ temp[t];
 89 |     }
 90 | 
 91 |     return w;
 92 | };
 93 | 
 94 | 
 95 | /**
 96 |  * Apply SBox to state S [§5.1.1]
 97 |  * @private
 98 |  */
 99 | Aes.subBytes = function(s, Nb) {
100 |     for (var r=0; r<4; r++) {
101 |         for (var c=0; c<Nb; c++) s[r][c] = Aes.sBox[s[r][c]];
102 |     }
103 |     return s;
104 | };
105 | 
106 | 
107 | /**
108 |  * Shift row r of state S left by r bytes [§5.1.2]
109 |  * @private
110 |  */
111 | Aes.shiftRows = function(s, Nb) {
112 |     var t = new Array(4);
113 |     for (var r=1; r<4; r++) {
114 |         for (var c=0; c<4; c++) t[c] = s[r][(c+r)%Nb];  // shift into temp copy
115 |         for (var c=0; c<4; c++) s[r][c] = t[c];         // and copy back
116 |     }          // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):
117 |     return s;  // see asmaes.sourceforge.net/rijndael/rijndaelImplementation.pdf
118 | };
119 | 
120 | 
121 | /**
122 |  * Combine bytes of each col of state S [§5.1.3]
123 |  * @private
124 |  */
125 | Aes.mixColumns = function(s, Nb) {
126 |     for (var c=0; c<4; c++) {
127 |         var a = new Array(4);  // 'a' is a copy of the current column from 's'
128 |         var b = new Array(4);  // 'b' is a•{02} in GF(2^8)
129 |         for (var i=0; i<4; i++) {
130 |             a[i] = s[i][c];
131 |             b[i] = s[i][c]&0x80 ? s[i][c]<<1 ^ 0x011b : s[i][c]<<1;
132 |         }
133 |         // a[n] ^ b[n] is a•{03} in GF(2^8)
134 |         s[0][c] = b[0] ^ a[1] ^ b[1] ^ a[2] ^ a[3]; // {02}•a0 + {03}•a1 + a2 + a3
135 |         s[1][c] = a[0] ^ b[1] ^ a[2] ^ b[2] ^ a[3]; // a0 • {02}•a1 + {03}•a2 + a3
136 |         s[2][c] = a[0] ^ a[1] ^ b[2] ^ a[3] ^ b[3]; // a0 + a1 + {02}•a2 + {03}•a3
137 |         s[3][c] = a[0] ^ b[0] ^ a[1] ^ a[2] ^ b[3]; // {03}•a0 + a1 + a2 + {02}•a3
138 |     }
139 |     return s;
140 | };
141 | 
142 | 
143 | /**
144 |  * Xor Round Key into state S [§5.1.4]
145 |  * @private
146 |  */
147 | Aes.addRoundKey = function(state, w, rnd, Nb) {
148 |     for (var r=0; r<4; r++) {
149 |         for (var c=0; c<Nb; c++) state[r][c] ^= w[rnd*4+c][r];
150 |     }
151 |     return state;
152 | };
153 | 
154 | 
155 | /**
156 |  * Apply SBox to 4-byte word w
157 |  * @private
158 |  */
159 | Aes.subWord = function(w) {
160 |     for (var i=0; i<4; i++) w[i] = Aes.sBox[w[i]];
161 |     return w;
162 | };
163 | 
164 | 
165 | /**
166 |  * Rotate 4-byte word w left by one byte
167 |  * @private
168 |  */
169 | Aes.rotWord = function(w) {
170 |     var tmp = w[0];
171 |     for (var i=0; i<3; i++) w[i] = w[i+1];
172 |     w[3] = tmp;
173 |     return w;
174 | };
175 | 
176 | 
177 | // sBox is pre-computed multiplicative inverse in GF(2^8) used in subBytes and keyExpansion [§5.1.1]
178 | Aes.sBox =  [0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
179 |              0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
180 |              0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
181 |              0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
182 |              0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
183 |              0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
184 |              0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
185 |              0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
186 |              0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
187 |              0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
188 |              0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
189 |              0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
190 |              0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
191 |              0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
192 |              0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
193 |              0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16];
194 | 
195 | 
196 | // rCon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2]
197 | Aes.rCon = [ [0x00, 0x00, 0x00, 0x00],
198 |              [0x01, 0x00, 0x00, 0x00],
199 |              [0x02, 0x00, 0x00, 0x00],
200 |              [0x04, 0x00, 0x00, 0x00],
201 |              [0x08, 0x00, 0x00, 0x00],
202 |              [0x10, 0x00, 0x00, 0x00],
203 |              [0x20, 0x00, 0x00, 0x00],
204 |              [0x40, 0x00, 0x00, 0x00],
205 |              [0x80, 0x00, 0x00, 0x00],
206 |              [0x1b, 0x00, 0x00, 0x00],
207 |              [0x36, 0x00, 0x00, 0x00] ]; 
208 | 
209 | 
210 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
211 | if (typeof module != 'undefined' && module.exports) module.exports = Aes; // CommonJs export
212 | if (typeof define == 'function' && define.amd) define([], function() { return Aes; }); // AMD
213 | 


--------------------------------------------------------------------------------
/aes-ctr.js:
--------------------------------------------------------------------------------
  1 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  2 | /*  AES Counter-mode implementation in JavaScript       (c) Chris Veness 2005-2014 / MIT Licence  */
  3 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
  4 | 
  5 | /* jshint node:true *//* global define, escape, unescape, btoa, atob */
  6 | 'use strict';
  7 | if (typeof module!='undefined' && module.exports) var Aes = require('./aes'); // CommonJS (Node.js)
  8 | 
  9 | 
 10 | /**
 11 |  * Aes.Ctr: Counter-mode (CTR) wrapper for AES.
 12 |  *
 13 |  * This encrypts a Unicode string to produces a base64 ciphertext using 128/192/256-bit AES,
 14 |  * and the converse to decrypt an encrypted ciphertext.
 15 |  *
 16 |  * See http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
 17 |  *
 18 |  * @augments Aes
 19 |  */
 20 | Aes.Ctr = {};
 21 | 
 22 | 
 23 | /**
 24 |  * Encrypt a text using AES encryption in Counter mode of operation.
 25 |  *
 26 |  * Unicode multi-byte character safe
 27 |  *
 28 |  * @param   {string} plaintext - Source text to be encrypted.
 29 |  * @param   {string} password - The password to use to generate a key.
 30 |  * @param   {number} nBits - Number of bits to be used in the key; 128 / 192 / 256.
 31 |  * @returns {string} Encrypted text.
 32 |  *
 33 |  * @example
 34 |  *   var encr = Aes.Ctr.encrypt('big secret', 'pāşšŵōřđ', 256); // encr: 'lwGl66VVwVObKIr6of8HVqJr'
 35 |  */
 36 | Aes.Ctr.encrypt = function(plaintext, password, nBits) {
 37 |     var blockSize = 16;  // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
 38 |     if (!(nBits==128 || nBits==192 || nBits==256)) return ''; // standard allows 128/192/256 bit keys
 39 |     plaintext = String(plaintext).utf8Encode();
 40 |     password = String(password).utf8Encode();
 41 | 
 42 |     // use AES itself to encrypt password to get cipher key (using plain password as source for key
 43 |     // expansion) - gives us well encrypted key (though hashed key might be preferred for prod'n use)
 44 |     var nBytes = nBits/8;  // no bytes in key (16/24/32)
 45 |     var pwBytes = new Array(nBytes);
 46 |     for (var i=0; i<nBytes; i++) {  // use 1st 16/24/32 chars of password for key
 47 |         pwBytes[i] = isNaN(password.charCodeAt(i)) ? 0 : password.charCodeAt(i);
 48 |     }
 49 |     var key = Aes.cipher(pwBytes, Aes.keyExpansion(pwBytes)); // gives us 16-byte key
 50 |     key = key.concat(key.slice(0, nBytes-16));  // expand key to 16/24/32 bytes long
 51 | 
 52 |     // initialise 1st 8 bytes of counter block with nonce (NIST SP800-38A §B.2): [0-1] = millisec,
 53 |     // [2-3] = random, [4-7] = seconds, together giving full sub-millisec uniqueness up to Feb 2106
 54 |     var counterBlock = new Array(blockSize);
 55 | 
 56 |     var nonce = (new Date()).getTime();  // timestamp: milliseconds since 1-Jan-1970
 57 |     var nonceMs = nonce%1000;
 58 |     var nonceSec = Math.floor(nonce/1000);
 59 |     var nonceRnd = Math.floor(Math.random()*0xffff);
 60 |     // for debugging: nonce = nonceMs = nonceSec = nonceRnd = 0;
 61 | 
 62 |     for (var i=0; i<2; i++) counterBlock[i]   = (nonceMs  >>> i*8) & 0xff;
 63 |     for (var i=0; i<2; i++) counterBlock[i+2] = (nonceRnd >>> i*8) & 0xff;
 64 |     for (var i=0; i<4; i++) counterBlock[i+4] = (nonceSec >>> i*8) & 0xff;
 65 | 
 66 |     // and convert it to a string to go on the front of the ciphertext
 67 |     var ctrTxt = '';
 68 |     for (var i=0; i<8; i++) ctrTxt += String.fromCharCode(counterBlock[i]);
 69 | 
 70 |     // generate key schedule - an expansion of the key into distinct Key Rounds for each round
 71 |     var keySchedule = Aes.keyExpansion(key);
 72 | 
 73 |     var blockCount = Math.ceil(plaintext.length/blockSize);
 74 |     var ciphertxt = new Array(blockCount);  // ciphertext as array of strings
 75 | 
 76 |     for (var b=0; b<blockCount; b++) {
 77 |         // set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
 78 |         // done in two stages for 32-bit ops: using two words allows us to go past 2^32 blocks (68GB)
 79 |         for (var c=0; c<4; c++) counterBlock[15-c] = (b >>> c*8) & 0xff;
 80 |         for (var c=0; c<4; c++) counterBlock[15-c-4] = (b/0x100000000 >>> c*8);
 81 | 
 82 |         var cipherCntr = Aes.cipher(counterBlock, keySchedule);  // -- encrypt counter block --
 83 | 
 84 |         // block size is reduced on final block
 85 |         var blockLength = b<blockCount-1 ? blockSize : (plaintext.length-1)%blockSize+1;
 86 |         var cipherChar = new Array(blockLength);
 87 | 
 88 |         for (var i=0; i<blockLength; i++) {  // -- xor plaintext with ciphered counter char-by-char --
 89 |             cipherChar[i] = cipherCntr[i] ^ plaintext.charCodeAt(b*blockSize+i);
 90 |             cipherChar[i] = String.fromCharCode(cipherChar[i]);
 91 |         }
 92 |         ciphertxt[b] = cipherChar.join('');
 93 |     }
 94 | 
 95 |     // use Array.join() for better performance than repeated string appends
 96 |     var ciphertext = ctrTxt + ciphertxt.join('');
 97 |     ciphertext = ciphertext.base64Encode();
 98 | 
 99 |     return ciphertext;
100 | };
101 | 
102 | 
103 | /**
104 |  * Decrypt a text encrypted by AES in counter mode of operation
105 |  *
106 |  * @param   {string} ciphertext - Source text to be encrypted.
107 |  * @param   {string} password - Password to use to generate a key.
108 |  * @param   {number} nBits - Number of bits to be used in the key; 128 / 192 / 256.
109 |  * @returns {string} Decrypted text
110 |  *
111 |  * @example
112 |  *   var decr = Aes.Ctr.encrypt('lwGl66VVwVObKIr6of8HVqJr', 'pāşšŵōřđ', 256); // decr: 'big secret'
113 |  */
114 | Aes.Ctr.decrypt = function(ciphertext, password, nBits) {
115 |     var blockSize = 16;  // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
116 |     if (!(nBits==128 || nBits==192 || nBits==256)) return ''; // standard allows 128/192/256 bit keys
117 |     ciphertext = String(ciphertext).base64Decode();
118 |     password = String(password).utf8Encode();
119 | 
120 |     // use AES to encrypt password (mirroring encrypt routine)
121 |     var nBytes = nBits/8;  // no bytes in key
122 |     var pwBytes = new Array(nBytes);
123 |     for (var i=0; i<nBytes; i++) {
124 |         pwBytes[i] = isNaN(password.charCodeAt(i)) ? 0 : password.charCodeAt(i);
125 |     }
126 |     var key = Aes.cipher(pwBytes, Aes.keyExpansion(pwBytes));
127 |     key = key.concat(key.slice(0, nBytes-16));  // expand key to 16/24/32 bytes long
128 | 
129 |     // recover nonce from 1st 8 bytes of ciphertext
130 |     var counterBlock = new Array(8);
131 |     var ctrTxt = ciphertext.slice(0, 8);
132 |     for (var i=0; i<8; i++) counterBlock[i] = ctrTxt.charCodeAt(i);
133 | 
134 |     // generate key schedule
135 |     var keySchedule = Aes.keyExpansion(key);
136 | 
137 |     // separate ciphertext into blocks (skipping past initial 8 bytes)
138 |     var nBlocks = Math.ceil((ciphertext.length-8) / blockSize);
139 |     var ct = new Array(nBlocks);
140 |     for (var b=0; b<nBlocks; b++) ct[b] = ciphertext.slice(8+b*blockSize, 8+b*blockSize+blockSize);
141 |     ciphertext = ct;  // ciphertext is now array of block-length strings
142 | 
143 |     // plaintext will get generated block-by-block into array of block-length strings
144 |     var plaintxt = new Array(ciphertext.length);
145 | 
146 |     for (var b=0; b<nBlocks; b++) {
147 |         // set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
148 |         for (var c=0; c<4; c++) counterBlock[15-c] = ((b) >>> c*8) & 0xff;
149 |         for (var c=0; c<4; c++) counterBlock[15-c-4] = (((b+1)/0x100000000-1) >>> c*8) & 0xff;
150 | 
151 |         var cipherCntr = Aes.cipher(counterBlock, keySchedule);  // encrypt counter block
152 | 
153 |         var plaintxtByte = new Array(ciphertext[b].length);
154 |         for (var i=0; i<ciphertext[b].length; i++) {
155 |             // -- xor plaintxt with ciphered counter byte-by-byte --
156 |             plaintxtByte[i] = cipherCntr[i] ^ ciphertext[b].charCodeAt(i);
157 |             plaintxtByte[i] = String.fromCharCode(plaintxtByte[i]);
158 |         }
159 |         plaintxt[b] = plaintxtByte.join('');
160 |     }
161 | 
162 |     // join array of blocks into single plaintext string
163 |     var plaintext = plaintxt.join('');
164 |     plaintext = plaintext.utf8Decode();  // decode from UTF8 back to Unicode multi-byte chars
165 | 
166 |     return plaintext;
167 | };
168 | 
169 | 
170 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
171 | 
172 | 
173 | /** Extend String object with method to encode multi-byte string to utf8
174 |  *  - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
175 | if (typeof String.prototype.utf8Encode == 'undefined') {
176 |     String.prototype.utf8Encode = function() {
177 |         return unescape( encodeURIComponent( this ) );
178 |     };
179 | }
180 | 
181 | /** Extend String object with method to decode utf8 string to multi-byte */
182 | if (typeof String.prototype.utf8Decode == 'undefined') {
183 |     String.prototype.utf8Decode = function() {
184 |         try {
185 |             return decodeURIComponent( escape( this ) );
186 |         } catch (e) {
187 |             return this; // invalid UTF-8? return as-is
188 |         }
189 |     };
190 | }
191 | 
192 | 
193 | /** Extend String object with method to encode base64
194 |  *  - developer.mozilla.org/en-US/docs/Web/API/window.btoa, nodejs.org/api/buffer.html
195 |  *  note: if btoa()/atob() are not available (eg IE9-), try github.com/davidchambers/Base64.js */
196 | if (typeof String.prototype.base64Encode == 'undefined') {
197 |     String.prototype.base64Encode = function() {
198 |         if (typeof btoa != 'undefined') return btoa(this); // browser
199 |         if (typeof Buffer != 'undefined') return new Buffer(this, 'utf8').toString('base64'); // Node.js
200 |         throw new Error('No Base64 Encode');
201 |     };
202 | }
203 | 
204 | /** Extend String object with method to decode base64 */
205 | if (typeof String.prototype.base64Decode == 'undefined') {
206 |     String.prototype.base64Decode = function() {
207 |         if (typeof atob != 'undefined') return atob(this); // browser
208 |         if (typeof Buffer != 'undefined') return new Buffer(this, 'base64').toString('utf8'); // Node.js
209 |         throw new Error('No Base64 Decode');
210 |     };
211 | }
212 | 
213 | 
214 | /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
215 | if (typeof module != 'undefined' && module.exports) module.exports = Aes.Ctr; // CommonJs export
216 | if (typeof define == 'function' && define.amd) define(['Aes'], function() { return Aes.Ctr; }); // AMD
217 | 


--------------------------------------------------------------------------------