yoyuz/my_site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改后台权限

Browse Source
This commit is contained in:
yoyuzh
2026-03-24 14:30:59 +08:00
parent 00f902f475
commit b2d9db7be9
9310 changed files with 1246063 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
node_modules/@noble/ciphers/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,22 @@
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

543
node_modules/@noble/ciphers/README.md generated vendored Normal file
View File

@@ -0,0 +1,543 @@
# noble-ciphers
Audited & minimal JS implementation of Salsa20, ChaCha and AES.
- 🔒 [**Audited**](#security) by an independent security firm
- 🔻 Tree-shakeable: unused code is excluded from your builds
- 🏎 Fast: hand-optimized for caveats of JS engines
- 🔍 Reliable: property-based / cross-library / wycheproof tests ensure correctness
- 💼 AES: ECB, CBC, CTR, CFB, GCM, SIV (nonce misuse-resistant), AESKW, AESKWP
- 💃 Salsa20, ChaCha, XSalsa20, XChaCha, ChaCha8, ChaCha12, Poly1305
- 🥈 Two AES implementations: pure JS or friendly wrapper around webcrypto
- 🪶 29KB (11KB gzipped) for everything, 7KB (3KB gzipped) for ChaCha build
Take a glance at [GitHub Discussions](https://github.com/paulmillr/noble-ciphers/discussions) for questions and support.
### This library belongs to _noble_ cryptography
> **noble cryptography** — high-security, easily auditable set of contained cryptographic libraries and tools.
- Zero or minimal dependencies
- Highly readable TypeScript / JS code
- PGP-signed releases and transparent NPM builds
- All libraries:
[ciphers](https://github.com/paulmillr/noble-ciphers),
[curves](https://github.com/paulmillr/noble-curves),
[hashes](https://github.com/paulmillr/noble-hashes),
[post-quantum](https://github.com/paulmillr/noble-post-quantum),
4kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
[ed25519](https://github.com/paulmillr/noble-ed25519)
- [Check out homepage](https://paulmillr.com/noble/)
for reading resources, documentation and apps built with noble
## Usage
> `npm install @noble/ciphers`
> `deno add jsr:@noble/ciphers`
> `deno doc jsr:@noble/ciphers` # command-line documentation
We support all major platforms and runtimes.
For React Native, you may need a
[polyfill for getRandomValues](https://github.com/LinusU/react-native-get-random-values).
A standalone file
[noble-ciphers.js](https://github.com/paulmillr/noble-ciphers/releases) is also available.
```ts
// import * from '@noble/ciphers'; // Error: use sub-imports, to ensure small app size
import { gcm, siv } from '@noble/ciphers/aes';
import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha';
import { xsalsa20poly1305, secretbox } from '@noble/ciphers/salsa';
// Unauthenticated encryption: make sure to use HMAC or similar
import { ctr, cfb, cbc, ecb } from '@noble/ciphers/aes';
import { salsa20, xsalsa20 } from '@noble/ciphers/salsa';
import { chacha20, xchacha20, chacha8, chacha12 } from '@noble/ciphers/chacha';
import { aeskw, aeskwp } from '@noble/ciphers/aes'; // KW
import { bytesToHex, hexToBytes, bytesToUtf8, utf8ToBytes } from '@noble/ciphers/utils';
import { managedNonce, randomBytes } from '@noble/ciphers/webcrypto';
```
- [Examples](#examples)
- [XChaCha20-Poly1305 encryption](#xchacha20-poly1305-encryption)
- [AES-256-GCM encryption](#aes-256-gcm-encryption)
- [AES: gcm, siv, ctr, cfb, cbc, ecb](#aes-gcm-siv-ctr-cfb-cbc-ecb)
- [Friendly WebCrypto AES](#friendly-webcrypto-aes)
- [AESKW and AESKWP](#aeskw-and-aeskwp)
- [Auto-handle nonces](#auto-handle-nonces)
- [Reuse array for input and output](#reuse-array-for-input-and-output)
- [Internals](#internals)
- [Implemented primitives](#implemented-primitives)
- [Which cipher should I pick?](#which-cipher-should-i-pick)
- [How to encrypt properly](#how-to-encrypt-properly)
- [Nonces](#nonces)
- [Encryption limits](#encryption-limits)
- [AES internals and block modes](#aes-internals-and-block-modes)
- [Security](#security)
- [Speed](#speed)
- [Upgrading](#upgrading)
- [Contributing & testing](#contributing--testing)
- [License](#license)
## Examples
> [!NOTE]
> Use different nonce every time `encrypt()` is done.
#### XChaCha20-Poly1305 encryption
```js
import { xchacha20poly1305 } from '@noble/ciphers/chacha';
import { utf8ToBytes } from '@noble/ciphers/utils';
import { randomBytes } from '@noble/ciphers/webcrypto';
const key = randomBytes(32); // random key
// const key = new Uint8Array([ // existing key
// 169, 88, 160, 139, 168, 29, 147, 196, 14, 88, 237, 76, 243, 177, 109, 140,
// 195, 140, 80, 10, 216, 134, 215, 71, 191, 48, 20, 104, 189, 37, 38, 55,
// ]);
// import { hexToBytes } from '@noble/ciphers/utils'; // hex key
// const key = hexToBytes('4b7f89bac90a1086fef73f5da2cbe93b2fae9dfbf7678ae1f3e75fd118ddf999');
const nonce = randomBytes(24);
const chacha = xchacha20poly1305(key, nonce);
const data = utf8ToBytes('hello, noble');
const ciphertext = chacha.encrypt(data);
const data_ = chacha.decrypt(ciphertext); // utils.bytesToUtf8(data_) === data
```
#### AES-256-GCM encryption
```js
import { gcm } from '@noble/ciphers/aes';
import { utf8ToBytes } from '@noble/ciphers/utils';
import { randomBytes } from '@noble/ciphers/webcrypto';
const key = randomBytes(32);
const nonce = randomBytes(24);
const data = utf8ToBytes('hello, noble');
const aes = gcm(key, nonce);
const ciphertext = aes.encrypt(data);
const data_ = aes.decrypt(ciphertext); // utils.bytesToUtf8(data_) === data
```
#### AES: gcm, siv, ctr, cfb, cbc, ecb
```js
import { gcm, siv, ctr, cfb, cbc, ecb } from '@noble/ciphers/aes';
import { randomBytes } from '@noble/ciphers/webcrypto';
const plaintext = new Uint8Array(32).fill(16);
for (let cipher of [gcm, siv]) {
const key = randomBytes(32); // 24 for AES-192, 16 for AES-128
const nonce = randomBytes(12);
const ciphertext_ = cipher(key, nonce).encrypt(plaintext);
const plaintext_ = cipher(key, nonce).decrypt(ciphertext_);
}
for (const cipher of [ctr, cbc, cfb]) {
const key = randomBytes(32); // 24 for AES-192, 16 for AES-128
const nonce = randomBytes(16);
const ciphertext_ = cipher(key, nonce).encrypt(plaintext);
const plaintext_ = cipher(key, nonce).decrypt(ciphertext_);
}
for (const cipher of [ecb]) {
const key = randomBytes(32); // 24 for AES-192, 16 for AES-128
const ciphertext_ = cipher(key).encrypt(plaintext);
const plaintext_ = cipher(key).decrypt(ciphertext_);
}
```
#### Friendly WebCrypto AES
Noble implements AES. Sometimes people want to use built-in `crypto.subtle` instead. However, it has terrible API. We simplify access to built-ins.
> [!NOTE]
> Webcrypto methods are always async.
```js
import { gcm, ctr, cbc, randomBytes } from '@noble/ciphers/webcrypto';
const plaintext = new Uint8Array(32).fill(16);
const key = randomBytes(32);
for (const cipher of [gcm]) {
const nonce = randomBytes(12);
const ciphertext_ = await cipher(key, nonce).encrypt(plaintext);
const plaintext_ = await cipher(key, nonce).decrypt(ciphertext_);
}
for (const cipher of [ctr, cbc]) {
const nonce = randomBytes(16);
const ciphertext_ = await cipher(key, nonce).encrypt(plaintext);
const plaintext_ = await cipher(key, nonce).decrypt(ciphertext_);
}
```
#### AESKW and AESKWP
```ts
import { aeskw, aeskwp } from '@noble/ciphers/aes';
import { hexToBytes } from '@noble/ciphers/utils';
const kek = hexToBytes('000102030405060708090A0B0C0D0E0F');
const keyData = hexToBytes('00112233445566778899AABBCCDDEEFF');
const ciphertext = aeskw(kek).encrypt(keyData);
```
#### Auto-handle nonces
We provide API that manages nonce internally instead of exposing them to library's user.
For `encrypt`, a `nonceBytes`-length buffer is fetched from CSPRNG and prenended to encrypted ciphertext.
For `decrypt`, first `nonceBytes` of ciphertext are treated as nonce.
```js
import { xchacha20poly1305 } from '@noble/ciphers/chacha';
import { managedNonce } from '@noble/ciphers/webcrypto';
import { hexToBytes, utf8ToBytes } from '@noble/ciphers/utils';
const key = hexToBytes('fa686bfdffd3758f6377abbc23bf3d9bdc1a0dda4a6e7f8dbdd579fa1ff6d7e1');
const chacha = managedNonce(xchacha20poly1305)(key); // manages nonces for you
const data = utf8ToBytes('hello, noble');
const ciphertext = chacha.encrypt(data);
const data_ = chacha.decrypt(ciphertext);
```
#### Reuse array for input and output
To avoid additional allocations, Uint8Array can be reused
between encryption and decryption calls.
> [!NOTE]
> Some ciphers don't support unaligned (`byteOffset % 4 !== 0`) Uint8Array as
> destination. It can decrease performance, making the optimization pointless.
```js
import { chacha20poly1305 } from '@noble/ciphers/chacha';
import { utf8ToBytes } from '@noble/ciphers/utils';
import { randomBytes } from '@noble/ciphers/webcrypto';
const key = randomBytes(32);
const nonce = randomBytes(12);
const chacha = chacha20poly1305(key, nonce);
const input = utf8ToBytes('hello, noble'); // length == 12
const inputLength = input.length;
const tagLength = 16;
const buf = new Uint8Array(inputLength + tagLength);
const start = buf.subarray(0, inputLength);
start.set(input); // copy input to buf
chacha.encrypt(start, buf); // encrypt into `buf`
chacha.decrypt(buf, start); // decrypt into `start`
```
xsalsa20poly1305 also supports this, but requires 32 additional bytes for encryption / decryption,
due to its inner workings.
## Internals
### Implemented primitives
- [Salsa20](https://cr.yp.to/snuffle.html) stream cipher, released in 2005.
Salsa's goal was to implement AES replacement that does not rely on S-Boxes,
which are hard to implement in a constant-time manner.
Salsa20 is usually faster than AES, a big deal on slow, budget mobile phones.
- [XSalsa20](https://cr.yp.to/snuffle/xsalsa-20110204.pdf), extended-nonce
variant was released in 2008. It switched nonces from 96-bit to 192-bit,
and became safe to be picked at random. - Nacl / Libsodium popularized term "secretbox", a simple black-box
authenticated encryption. Secretbox is just xsalsa20-poly1305. We provide the
alias and corresponding seal / open methods. We don't provide "box" or "sealedbox".
- Check out [PDF](https://cr.yp.to/snuffle/salsafamily-20071225.pdf) and
[wiki](https://en.wikipedia.org/wiki/Salsa20).
- [ChaCha20](https://cr.yp.to/chacha.html) stream cipher, released
in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
It was standardized in [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439)
and is now used in TLS 1.3.
- [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
randomly-generated nonces.
- Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and [wiki](https://en.wikipedia.org/wiki/Salsa20).
- [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
is a variant of Rijndael block cipher, standardized by NIST in 2001.
We provide the fastest available pure JS implementation.
- We support AES-128, AES-192 and AES-256: the mode is selected dynamically,
based on key length (16, 24, 32).
- [AES-GCM-SIV](https://en.wikipedia.org/wiki/AES-GCM-SIV)
nonce-misuse-resistant mode is also provided. It's recommended to use it,
to prevent catastrophic consequences of nonce reuse. Our implementation of SIV
has the same speed as GCM: there is no performance hit.
- We also have AESKW and AESKWP from
[RFC 3394](https://datatracker.ietf.org/doc/html/rfc3394) / [RFC 5649](https://datatracker.ietf.org/doc/html/rfc5649)
- Check out [AES internals and block modes](#aes-internals-and-block-modes).
- We expose polynomial-evaluation MACs: [Poly1305](https://cr.yp.to/mac.html), AES-GCM's [GHash](https://en.wikipedia.org/wiki/Galois/Counter_Mode) and
AES-SIV's [Polyval](https://en.wikipedia.org/wiki/AES-GCM-SIV).
- Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
[wiki](https://en.wikipedia.org/wiki/Poly1305))
is a fast and parallel secret-key message-authentication code suitable for
a wide variety of applications. It was standardized in
[RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
- Polynomial MACs are not perfect for every situation:
they lack Random Key Robustness: the MAC can be forged, and can't
be used in PAKE schemes. See
[invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
To combat invisible salamanders, `hash(key)` can be included in ciphertext,
however, this would violate ciphertext indistinguishability:
an attacker would know which key was used - so `HKDF(key, i)`
could be used instead.
- Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G.
[See more info](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf).
### Which cipher should I pick?
We suggest to use XChaCha20-Poly1305.
If you can't use it, prefer AES-GCM-SIV, or AES-GCM.
### How to encrypt properly
- Use unpredictable key with enough entropy
- Random key must be using cryptographically secure random number generator (CSPRNG), not `Math.random` etc.
- Non-random key generated from KDF is fine
- Re-using key is fine, but be aware of rules for cryptographic key wear-out and [encryption limits](#encryption-limits)
- Use new nonce every time and [don't repeat it](#nonces)
- chacha and salsa20 are fine for sequential counters that _never_ repeat: `01, 02...`
- xchacha and xsalsa20 should use random nonces instead
- AES-GCM should use 12-byte nonces: smaller nonces are security risk
- Prefer authenticated encryption (AEAD)
- chacha20poly1305 / aes-gcm / ChaCha + HMAC / AES + HMAC is good
- chacha20 / aes-ctr / aes-cbc without poly1305 or hmac is bad
- Flipping bits or ciphertext substitution won't be detected in unauthenticated ciphers
- Don't re-use keys between different protocols
- For example, using secp256k1 key in AES can be bad
- Use hkdf or, at least, a hash function to create sub-key instead
- If you need AES, only use AES-256 for new protocols
- For post-quantum security
### Nonces
Most ciphers need a key and a nonce (aka initialization vector / IV) to encrypt a data:
ciphertext = encrypt(plaintext, key, nonce)
Repeating (key, nonce) pair with different plaintexts would allow an attacker to decrypt it:
ciphertext_a = encrypt(plaintext_a, key, nonce)
ciphertext_b = encrypt(plaintext_b, key, nonce)
stream_diff = xor(ciphertext_a, ciphertext_b) # Break encryption
So, you can't repeat nonces. One way of doing so is using counters:
for i in 0..:
ciphertext[i] = encrypt(plaintexts[i], key, i)
Another is generating random nonce every time:
for i in 0..:
rand_nonces[i] = random()
ciphertext[i] = encrypt(plaintexts[i], key, rand_nonces[i])
Counters are OK, but it's not always possible to store current counter value:
e.g. in decentralized, unsyncable systems.
Randomness is OK, but there's a catch:
ChaCha20 and AES-GCM use 96-bit / 12-byte nonces, which implies higher chance of collision.
In the example above, `random()` can collide and produce repeating nonce.
Chance is even higher for 64-bit nonces, which GCM allows - don't use them.
To safely use random nonces, utilize XSalsa20 or XChaCha:
they increased nonce length to 192-bit, minimizing a chance of collision.
AES-SIV is also fine. In situations where you can't use eXtended-nonce
algorithms, key rotation is advised. hkdf would work great for this case.
### Encryption limits
A "protected message" would mean a probability of `2**-50` that a passive attacker
successfully distinguishes the ciphertext outputs of the AEAD scheme from the outputs
of a random function. See [draft-irtf-cfrg-aead-limits](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/) for details.
- Max message size:
- AES-GCM: ~68GB, `2**36-256`
- Salsa, ChaCha, XSalsa, XChaCha: ~256GB, `2**38-64`
- Max amount of protected messages, under same key:
- AES-GCM: `2**32.5`
- Salsa, ChaCha: `2**46`, but only integrity is affected, not confidentiality
- XSalsa, XChaCha: `2**72`
- Max amount of protected messages, across all keys:
- AES-GCM: `2**69/B` where B is max blocks encrypted by a key. Meaning
`2**59` for 1KB, `2**49` for 1MB, `2**39` for 1GB
- Salsa, ChaCha, XSalsa, XChaCha: `2**100`
##### AES internals and block modes
`cipher = encrypt(block, key)`. Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256bit). Every round does:
1. **S-box**, table substitution
2. **Shift rows**, cyclic shift left of all rows of data array
3. **Mix columns**, multiplying every column by fixed polynomial
4. **Add round key**, round_key xor i-th column of array
For non-deterministic (not ECB) schemes, initialization vector (IV) is mixed to block/key;
and each new round either depends on previous block's key, or on some counter.
- ECB (Electronic Codebook): Deterministic encryption; identical plaintext blocks yield identical ciphertexts. Insecure due to pattern leakage.
See [AES Penguin](https://words.filippo.io/the-ecb-penguin/)
- CBC (Cipher Block Chaining): Each plaintext block is XORed with the previous ciphertext block before encryption.
Hard to use: requires proper padding and an IV. Needs a separate MAC.
- CTR (Counter Mode): Turns a block cipher into a stream cipher using a counter and IV (nonce).
Efficient and parallelizable. Requires a unique nonce per encryption. Better, but still needs a separate MAC.
- GCM (Galois/Counter Mode): Combines CTR mode with polynomial MAC. Efficient and widely used.
- SIV (Synthetic IV): Nonce-misuse-resistant mode; repeating nonces reveal only if plaintexts are identical.
Maintains security even if nonces are reused.
- XTS: Designed for disk encryption.
Similar to ECB (deterministic), but has `[i][j]` tweak arguments corresponding to sector i and 16-byte block (part of sector) j.
Lacks MAC.
GCM / SIV are not ideal:
- Conservative key wear-out is `2**32` (4B) msgs
- MAC can be forged: see Poly1305 section above. Same for SIV
## Security
The library has been independently audited:
- at version 1.0.0, in Sep 2024, by [cure53](https://cure53.de)
- PDFs: [website](https://cure53.de/audit-report_noble-crypto-libs.pdf), [in-repo](./audit/2024-09-cure53-audit-nbl4.pdf)
- [Changes since audit](https://github.com/paulmillr/noble-ciphers/compare/1.0.0..main)
- Scope: everything
- The audit has been funded by [OpenSats](https://opensats.org)
It is tested against property-based, cross-library and Wycheproof vectors,
and is being fuzzed in [the separate repo](https://github.com/paulmillr/fuzzing).
If you see anything unusual: investigate and report.
### Constant-timeness
We're targetting algorithmic constant time. _JIT-compiler_ and _Garbage Collector_ make "constant time"
extremely hard to achieve [timing attack](https://en.wikipedia.org/wiki/Timing_attack) resistance
in a scripting language. Which means _any other JS library can't have
constant-timeness_. Even statically typed Rust, a language without GC,
[makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security)
for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
Use low-level libraries & languages.
The library uses T-tables for AES, which
[leak access timings](https://cr.yp.to/antiforgery/cachetiming-20050414.pdf).
This is also done in [OpenSSL](https://github.com/openssl/openssl/blob/2f33265039cdbd0e4589c80970e02e208f3f94d2/crypto/aes/aes_core.c#L706) and
[Go stdlib](https://cs.opensource.google/go/go/+/refs/tags/go1.22.6:src/crypto/aes/const.go;l=90) for performance reasons.
The analysis was mentioned in [hal-04652991](https://hal.science/hal-04652991/document).
### Supply chain security
- **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
- **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
- Use GitHub CLI to verify single-file builds:
`gh attestation verify --owner paulmillr noble-ciphers.js`
- **Rare releasing** is followed to ensure less re-audit need for end-users
- **Dependencies** are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
- We make sure to use as few dependencies as possible
- Automatic dep updates are prevented by locking-down version ranges; diffs are checked with `npm-diff`
- **Dev Dependencies** are disabled for end-users; they are only used to develop / build the source code
For this package, there are 0 dependencies; and a few dev dependencies:
- micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
- prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size
### Randomness
We're deferring to built-in
[crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again.
Implementing a userspace CSPRNG to get resilient to the weakness
is even worse: there is no reliable userspace source of quality entropy.
## Speed
To summarize, noble is the fastest JS implementation of Salsa, ChaCha and AES.
You can gain additional speed-up and
avoid memory allocations by passing `output`
uint8array into encrypt / decrypt methods.
Benchmark results on Apple M4:
```
64B
xsalsa20poly1305 x 675,675 ops/sec @ 1μs/op
chacha20poly1305 x 568,181 ops/sec @ 1μs/op
xchacha20poly1305 x 460,617 ops/sec @ 2μs/op
aes-256-gcm x 201,126 ops/sec @ 4μs/op
aes-256-gcm-siv x 162,284 ops/sec @ 6μs/op
# Unauthenticated encryption
salsa20 x 1,655,629 ops/sec @ 604ns/op
xsalsa20 x 1,400,560 ops/sec @ 714ns/op
chacha20 x 1,996,007 ops/sec @ 501ns/op
xchacha20 x 1,404,494 ops/sec @ 712ns/op
chacha8 x 2,145,922 ops/sec @ 466ns/op
chacha12 x 2,036,659 ops/sec @ 491ns/op
aes-ecb-256 x 1,019,367 ops/sec @ 981ns/op
aes-cbc-256 x 931,966 ops/sec @ 1μs/op
aes-ctr-256 x 954,198 ops/sec @ 1μs/op
1MB
xsalsa20poly1305 x 322 ops/sec @ 3ms/op
chacha20poly1305 x 327 ops/sec @ 3ms/op
xchacha20poly1305 x 331 ops/sec @ 3ms/op
aes-256-gcm x 94 ops/sec @ 10ms/op
aes-256-gcm-siv x 90 ops/sec @ 11ms/op
# Unauthenticated encryption
salsa20 x 791 ops/sec @ 1ms/op
xsalsa20 x 801 ops/sec @ 1ms/op
chacha20 x 787 ops/sec @ 1ms/op
xchacha20 x 781 ops/sec @ 1ms/op
chacha8 x 1,457 ops/sec @ 686μs/op
chacha12 x 1,130 ops/sec @ 884μs/op
aes-ecb-256 x 289 ops/sec @ 3ms/op
aes-cbc-256 x 114 ops/sec @ 8ms/op
aes-ctr-256 x 127 ops/sec @ 7ms/op
# Wrapper over built-in webcrypto
webcrypto ctr-256 x 6,508 ops/sec @ 153μs/op
webcrypto cbc-256 x 1,820 ops/sec @ 549μs/op
webcrypto gcm-256 x 5,106 ops/sec @ 195μs/op
```
Compare to other implementations:
```
xsalsa20poly1305 (encrypt, 1MB)
├─tweetnacl x 196 ops/sec
└─noble x 305 ops/sec
chacha20poly1305 (encrypt, 1MB)
├─node x 1,668 ops/sec
├─stablelib x 202 ops/sec
└─noble x 319 ops/sec
aes-ctr-256 (encrypt, 1MB)
├─stablelib x 123 ops/sec
├─aesjs x 42 ops/sec
├─noble-webcrypto x 5,965 ops/sec
└─noble x 124 ops/sec
```
## Contributing & testing
- `npm install && npm run build && npm test` will build the code and run tests.
- `npm run lint` / `npm run format` will run linter / fix linter issues.
- `npm run bench` will run benchmarks, which may need their deps first (`npm run bench:install`)
- `npm run build:release` will build single file
Check out [github.com/paulmillr/guidelines](https://github.com/paulmillr/guidelines)
for general coding practices and rules.
See [paulmillr.com/noble](https://paulmillr.com/noble/)
for useful resources, articles, documentation and demos
related to the library.
## License
The MIT License (MIT)
Copyright (c) 2023 Paul Miller [(https://paulmillr.com)](https://paulmillr.com)
Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
See LICENSE file.

59
node_modules/@noble/ciphers/_arx.d.ts generated vendored Normal file
View File

@@ -0,0 +1,59 @@
/**
* Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
RFC8439 requires multi-step cipher stream, where
authKey starts with counter: 0, actual msg with counter: 1.
For this, we need a way to re-use nonce / counter:
const counter = new Uint8Array(4);
chacha(..., counter, ...); // counter is now 1
chacha(..., counter, ...); // counter is now 2
This is complicated:
- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
- Original papers don't allow mutating counters
- Counter overflow is undefined [^1]
- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
- Caveat: Cannot be re-used through all cases:
- * chacha has (counter | nonce)
- * xchacha has (nonce16 | counter | nonce16)
- Idea B: separate nonce / counter and provide separate API for counter re-use
- Caveat: there are different counter sizes depending on an algorithm.
- salsa & chacha also differ in structures of key & sigma:
salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
chacha: s(4) | k(8) | ctr(1) | nonce(3)
chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
- Caveat: we can't re-use counter array
xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
* @module
*/
import { type XorStream } from './utils.ts';
export declare function rotl(a: number, b: number): number;
/** Ciphers must use u32 for efficiency. */
export type CipherCoreFn = (sigma: Uint32Array, key: Uint32Array, nonce: Uint32Array, output: Uint32Array, counter: number, rounds?: number) => void;
/** Method which extends key + short nonce into larger nonce / diff key. */
export type ExtendNonceFn = (sigma: Uint32Array, key: Uint32Array, input: Uint32Array, output: Uint32Array) => void;
/** ARX cipher options.
* * `allowShortKeys` for 16-byte keys
* * `counterLength` in bytes
* * `counterRight`: right: `nonce|counter`; left: `counter|nonce`
* */
export type CipherOpts = {
allowShortKeys?: boolean;
extendNonceFn?: ExtendNonceFn;
counterLength?: number;
counterRight?: boolean;
rounds?: number;
};
/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
export declare function createCipher(core: CipherCoreFn, opts: CipherOpts): XorStream;
//# sourceMappingURL=_arx.d.ts.map

1
node_modules/@noble/ciphers/_arx.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_arx.d.ts","sourceRoot":"","sources":["src/_arx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EACL,KAAK,SAAS,EACf,MAAM,YAAY,CAAC;AAUpB,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,2CAA2C;AAC3C,MAAM,MAAM,YAAY,GAAG,CACzB,KAAK,EAAE,WAAW,EAClB,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,KACZ,IAAI,CAAC;AAEV,2EAA2E;AAC3E,MAAM,MAAM,aAAa,GAAG,CAC1B,KAAK,EAAE,WAAW,EAClB,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,KAChB,IAAI,CAAC;AAEV;;;;KAIK;AACL,MAAM,MAAM,UAAU,GAAG;IACvB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAwDF,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,GAAG,SAAS,CAkF5E"}

175
node_modules/@noble/ciphers/_arx.js generated vendored Normal file
View File

@@ -0,0 +1,175 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.rotl = rotl;
exports.createCipher = createCipher;
/**
* Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
RFC8439 requires multi-step cipher stream, where
authKey starts with counter: 0, actual msg with counter: 1.
For this, we need a way to re-use nonce / counter:
const counter = new Uint8Array(4);
chacha(..., counter, ...); // counter is now 1
chacha(..., counter, ...); // counter is now 2
This is complicated:
- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
- Original papers don't allow mutating counters
- Counter overflow is undefined [^1]
- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
- Caveat: Cannot be re-used through all cases:
- * chacha has (counter | nonce)
- * xchacha has (nonce16 | counter | nonce16)
- Idea B: separate nonce / counter and provide separate API for counter re-use
- Caveat: there are different counter sizes depending on an algorithm.
- salsa & chacha also differ in structures of key & sigma:
salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
chacha: s(4) | k(8) | ctr(1) | nonce(3)
chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
- Caveat: we can't re-use counter array
xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
* @module
*/
// prettier-ignore
const utils_ts_1 = require("./utils.js");
// We can't make top-level var depend on utils.utf8ToBytes
// because it's not present in all envs. Creating a similar fn here
const _utf8ToBytes = (str) => Uint8Array.from(str.split('').map((c) => c.charCodeAt(0)));
const sigma16 = _utf8ToBytes('expand 16-byte k');
const sigma32 = _utf8ToBytes('expand 32-byte k');
const sigma16_32 = (0, utils_ts_1.u32)(sigma16);
const sigma32_32 = (0, utils_ts_1.u32)(sigma32);
function rotl(a, b) {
return (a << b) | (a >>> (32 - b));
}
// Is byte array aligned to 4 byte offset (u32)?
function isAligned32(b) {
return b.byteOffset % 4 === 0;
}
// Salsa and Chacha block length is always 512-bit
const BLOCK_LEN = 64;
const BLOCK_LEN32 = 16;
// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ]
// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
const MAX_COUNTER = 2 ** 32 - 1;
const U32_EMPTY = new Uint32Array();
function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
const len = data.length;
const block = new Uint8Array(BLOCK_LEN);
const b32 = (0, utils_ts_1.u32)(block);
// Make sure that buffers aligned to 4 bytes
const isAligned = isAligned32(data) && isAligned32(output);
const d32 = isAligned ? (0, utils_ts_1.u32)(data) : U32_EMPTY;
const o32 = isAligned ? (0, utils_ts_1.u32)(output) : U32_EMPTY;
for (let pos = 0; pos < len; counter++) {
core(sigma, key, nonce, b32, counter, rounds);
if (counter >= MAX_COUNTER)
throw new Error('arx: counter overflow');
const take = Math.min(BLOCK_LEN, len - pos);
// aligned to 4 bytes
if (isAligned && take === BLOCK_LEN) {
const pos32 = pos / 4;
if (pos % 4 !== 0)
throw new Error('arx: invalid block position');
for (let j = 0, posj; j < BLOCK_LEN32; j++) {
posj = pos32 + j;
o32[posj] = d32[posj] ^ b32[j];
}
pos += BLOCK_LEN;
continue;
}
for (let j = 0, posj; j < take; j++) {
posj = pos + j;
output[posj] = data[posj] ^ block[j];
}
pos += take;
}
}
/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
function createCipher(core, opts) {
const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0, utils_ts_1.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
if (typeof core !== 'function')
throw new Error('core must be a function');
(0, utils_ts_1.anumber)(counterLength);
(0, utils_ts_1.anumber)(rounds);
(0, utils_ts_1.abool)(counterRight);
(0, utils_ts_1.abool)(allowShortKeys);
return (key, nonce, data, output, counter = 0) => {
(0, utils_ts_1.abytes)(key);
(0, utils_ts_1.abytes)(nonce);
(0, utils_ts_1.abytes)(data);
const len = data.length;
if (output === undefined)
output = new Uint8Array(len);
(0, utils_ts_1.abytes)(output);
(0, utils_ts_1.anumber)(counter);
if (counter < 0 || counter >= MAX_COUNTER)
throw new Error('arx: counter overflow');
if (output.length < len)
throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
const toClean = [];
// Key & sigma
// key=16 -> sigma16, k=key|key
// key=32 -> sigma32, k=key
let l = key.length;
let k;
let sigma;
if (l === 32) {
toClean.push((k = (0, utils_ts_1.copyBytes)(key)));
sigma = sigma32_32;
}
else if (l === 16 && allowShortKeys) {
k = new Uint8Array(32);
k.set(key);
k.set(key, 16);
sigma = sigma16_32;
toClean.push(k);
}
else {
throw new Error(`arx: invalid 32-byte key, got length=${l}`);
}
// Nonce
// salsa20: 8 (8-byte counter)
// chacha20orig: 8 (8-byte counter)
// chacha20: 12 (4-byte counter)
// xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce)
// xchacha20: 24 (16 -> hchacha, 8 -> old nonce)
// Align nonce to 4 bytes
if (!isAligned32(nonce))
toClean.push((nonce = (0, utils_ts_1.copyBytes)(nonce)));
const k32 = (0, utils_ts_1.u32)(k);
// hsalsa & hchacha: handle extended nonce
if (extendNonceFn) {
if (nonce.length !== 24)
throw new Error(`arx: extended nonce must be 24 bytes`);
extendNonceFn(sigma, k32, (0, utils_ts_1.u32)(nonce.subarray(0, 16)), k32);
nonce = nonce.subarray(16);
}
// Handle nonce counter
const nonceNcLen = 16 - counterLength;
if (nonceNcLen !== nonce.length)
throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
// Pad counter when nonce is 64 bit
if (nonceNcLen !== 12) {
const nc = new Uint8Array(12);
nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
nonce = nc;
toClean.push(nonce);
}
const n32 = (0, utils_ts_1.u32)(nonce);
runCipher(core, sigma, k32, n32, data, output, counter, rounds);
(0, utils_ts_1.clean)(...toClean);
return output;
};
}
//# sourceMappingURL=_arx.js.map

1
node_modules/@noble/ciphers/_arx.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

19
node_modules/@noble/ciphers/_assert.d.ts generated vendored Normal file
View File

@@ -0,0 +1,19 @@
/**
* Internal assertion helpers.
* @module
* @deprecated
*/
import { abytes as ab, abool as abool_, aexists as ae, anumber as an, aoutput as ao, type IHash as H } from './utils.ts';
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const abool: typeof abool_;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const abytes: typeof ab;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const aexists: typeof ae;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const anumber: typeof an;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const aoutput: typeof ao;
/** @deprecated Use import from `noble/hashes/utils` module */
export type Hash = H;
//# sourceMappingURL=_assert.d.ts.map

1
node_modules/@noble/ciphers/_assert.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_assert.d.ts","sourceRoot":"","sources":["src/_assert.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,MAAM,IAAI,EAAE,EACZ,KAAK,IAAI,MAAM,EACf,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,EACb,KAAK,KAAK,IAAI,CAAC,EAChB,MAAM,YAAY,CAAC;AACpB,8DAA8D;AAC9D,eAAO,MAAM,KAAK,EAAE,OAAO,MAAe,CAAC;AAC3C,8DAA8D;AAC9D,eAAO,MAAM,MAAM,EAAE,OAAO,EAAO,CAAC;AACpC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC"}

20
node_modules/@noble/ciphers/_assert.js generated vendored Normal file
View File

@@ -0,0 +1,20 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.aoutput = exports.anumber = exports.aexists = exports.abytes = exports.abool = void 0;
/**
* Internal assertion helpers.
* @module
* @deprecated
*/
const utils_ts_1 = require("./utils.js");
/** @deprecated Use import from `noble/hashes/utils` module */
exports.abool = utils_ts_1.abool;
/** @deprecated Use import from `noble/hashes/utils` module */
exports.abytes = utils_ts_1.abytes;
/** @deprecated Use import from `noble/hashes/utils` module */
exports.aexists = utils_ts_1.aexists;
/** @deprecated Use import from `noble/hashes/utils` module */
exports.anumber = utils_ts_1.anumber;
/** @deprecated Use import from `noble/hashes/utils` module */
exports.aoutput = utils_ts_1.aoutput;
//# sourceMappingURL=_assert.js.map

1
node_modules/@noble/ciphers/_assert.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_assert.js","sourceRoot":"","sources":["src/_assert.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,yCAOoB;AACpB,8DAA8D;AACjD,QAAA,KAAK,GAAkB,gBAAM,CAAC;AAC3C,8DAA8D;AACjD,QAAA,MAAM,GAAc,iBAAE,CAAC;AACpC,8DAA8D;AACjD,QAAA,OAAO,GAAc,kBAAE,CAAC;AACrC,8DAA8D;AACjD,QAAA,OAAO,GAAc,kBAAE,CAAC;AACrC,8DAA8D;AACjD,QAAA,OAAO,GAAc,kBAAE,CAAC"}

41
node_modules/@noble/ciphers/_micro.d.ts generated vendored Normal file
View File

@@ -0,0 +1,41 @@
import { type Cipher, type XorStream } from './utils.ts';
export type ARXCipherN = ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
};
/** hsalsa hashes key and nonce into key' and nonce'. */
export declare function hsalsa(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/** hchacha hashes key and nonce into key' and nonce'. */
export declare function hchacha(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/** salsa20, 12-byte nonce. */
export declare const salsa20: XorStream;
/** xsalsa20, 24-byte nonce. */
export declare const xsalsa20: XorStream;
/** chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. */
export declare const chacha20orig: XorStream;
/** chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. */
export declare const chacha20: XorStream;
/** xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha */
export declare const xchacha20: XorStream;
/** 8-round chacha from the original paper. */
export declare const chacha8: XorStream;
/** 12-round chacha from the original paper. */
export declare const chacha12: XorStream;
/** Poly1305 polynomial MAC. Can be speed-up using BigUint64Array, at the cost of complexity. */
export declare function poly1305(msg: Uint8Array, key: Uint8Array): Uint8Array;
/** xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. */
export declare const xsalsa20poly1305: ARXCipherN;
/** Alias to `xsalsa20poly1305`. */
export declare function secretbox(key: Uint8Array, nonce: Uint8Array): {
seal: (plaintext: Uint8Array) => Uint8Array;
open: (ciphertext: Uint8Array) => Uint8Array;
};
export declare const _poly1305_aead: (fn: XorStream) => (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher;
/** chacha20-poly1305 12-byte-nonce chacha. */
export declare const chacha20poly1305: ARXCipherN;
/**
* XChaCha20-Poly1305 extended-nonce chacha. Can be safely used with random nonces (CSPRNG).
*/
export declare const xchacha20poly1305: ARXCipherN;
//# sourceMappingURL=_micro.d.ts.map

1
node_modules/@noble/ciphers/_micro.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_micro.d.ts","sourceRoot":"","sources":["src/_micro.ts"],"names":[],"mappings":"AASA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,SAAS,EASf,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IAC5F,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAuEF,wDAAwD;AAExD,wBAAgB,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAAG,IAAI,CAa7F;AAsBD,yDAAyD;AAEzD,wBAAgB,OAAO,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAAG,IAAI,CAa9F;AAED,8BAA8B;AAC9B,eAAO,MAAM,OAAO,EAAE,SAGpB,CAAC;AAEH,+BAA+B;AAC/B,eAAO,MAAM,QAAQ,EAAE,SAGrB,CAAC;AAEH,+EAA+E;AAC/E,eAAO,MAAM,YAAY,EAAE,SAIzB,CAAC;AAEH,qEAAqE;AACrE,eAAO,MAAM,QAAQ,EAAE,SAGrB,CAAC;AAEH,8FAA8F;AAC9F,eAAO,MAAM,SAAS,EAAE,SAItB,CAAC;AAEH,8CAA8C;AAC9C,eAAO,MAAM,OAAO,EAAE,SAIpB,CAAC;AAEH,+CAA+C;AAC/C,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AAQH,gGAAgG;AAChG,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,UAAU,CAcrE;AAuBD,yDAAyD;AACzD,eAAO,MAAM,gBAAgB,EAAE,UAsB9B,CAAC;AAEF,mCAAmC;AACnC,wBAAgB,SAAS,CACvB,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,GAChB;IACD,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,UAAU,CAAC;IAC5C,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,KAAK,UAAU,CAAC;CAC9C,CAGA;AAED,eAAO,MAAM,cAAc,GACxB,IAAI,SAAS,MACb,KAAK,UAAU,EAAE,OAAO,UAAU,EAAE,MAAM,UAAU,KAAG,MAgBvD,CAAC;AAEJ,8CAA8C;AAC9C,eAAO,MAAM,gBAAgB,EAAE,UAG9B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,UAG/B,CAAC"}

260
node_modules/@noble/ciphers/_micro.js generated vendored Normal file
View File

@@ -0,0 +1,260 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.xsalsa20poly1305 = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = exports.xsalsa20 = exports.salsa20 = void 0;
exports.hsalsa = hsalsa;
exports.hchacha = hchacha;
exports.poly1305 = poly1305;
exports.secretbox = secretbox;
/**
* noble-ciphers-micro: more auditable, but 4x slower version of salsa20, chacha & poly1305.
* Implements the same algorithms that are present in other files, but without
* unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling).
* @module
*/
/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
// prettier-ignore
const _arx_ts_1 = require("./_arx.js");
const utils_ts_1 = require("./utils.js");
function bytesToNumberLE(bytes) {
(0, utils_ts_1.abytes)(bytes);
return (0, utils_ts_1.hexToNumber)((0, utils_ts_1.bytesToHex)(Uint8Array.from(bytes).reverse()));
}
function numberToBytesLE(n, len) {
return (0, utils_ts_1.numberToBytesBE)(n, len).reverse();
}
function salsaQR(x, a, b, c, d) {
x[b] ^= (0, _arx_ts_1.rotl)((x[a] + x[d]) | 0, 7);
x[c] ^= (0, _arx_ts_1.rotl)((x[b] + x[a]) | 0, 9);
x[d] ^= (0, _arx_ts_1.rotl)((x[c] + x[b]) | 0, 13);
x[a] ^= (0, _arx_ts_1.rotl)((x[d] + x[c]) | 0, 18);
}
// prettier-ignore
function chachaQR(x, a, b, c, d) {
x[a] = (x[a] + x[b]) | 0;
x[d] = (0, _arx_ts_1.rotl)(x[d] ^ x[a], 16);
x[c] = (x[c] + x[d]) | 0;
x[b] = (0, _arx_ts_1.rotl)(x[b] ^ x[c], 12);
x[a] = (x[a] + x[b]) | 0;
x[d] = (0, _arx_ts_1.rotl)(x[d] ^ x[a], 8);
x[c] = (x[c] + x[d]) | 0;
x[b] = (0, _arx_ts_1.rotl)(x[b] ^ x[c], 7);
}
function salsaRound(x, rounds = 20) {
for (let r = 0; r < rounds; r += 2) {
salsaQR(x, 0, 4, 8, 12);
salsaQR(x, 5, 9, 13, 1);
salsaQR(x, 10, 14, 2, 6);
salsaQR(x, 15, 3, 7, 11);
salsaQR(x, 0, 1, 2, 3);
salsaQR(x, 5, 6, 7, 4);
salsaQR(x, 10, 11, 8, 9);
salsaQR(x, 15, 12, 13, 14);
}
}
function chachaRound(x, rounds = 20) {
for (let r = 0; r < rounds; r += 2) {
chachaQR(x, 0, 4, 8, 12);
chachaQR(x, 1, 5, 9, 13);
chachaQR(x, 2, 6, 10, 14);
chachaQR(x, 3, 7, 11, 15);
chachaQR(x, 0, 5, 10, 15);
chachaQR(x, 1, 6, 11, 12);
chachaQR(x, 2, 7, 8, 13);
chachaQR(x, 3, 4, 9, 14);
}
}
function salsaCore(s, k, n, out, cnt, rounds = 20) {
// prettier-ignore
const y = new Uint32Array([
s[0], k[0], k[1], k[2], // "expa" Key Key Key
k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce
cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key
k[5], k[6], k[7], s[3], // Key Key Key "te k"
]);
const x = y.slice();
salsaRound(x, rounds);
for (let i = 0; i < 16; i++)
out[i] = (y[i] + x[i]) | 0;
}
/** hsalsa hashes key and nonce into key' and nonce'. */
// prettier-ignore
function hsalsa(s, k, i, o32) {
const x = new Uint32Array([
s[0], k[0], k[1], k[2],
k[3], s[1], i[0], i[1],
i[2], i[3], s[2], k[4],
k[5], k[6], k[7], s[3]
]);
salsaRound(x, 20);
let oi = 0;
o32[oi++] = x[0];
o32[oi++] = x[5];
o32[oi++] = x[10];
o32[oi++] = x[15];
o32[oi++] = x[6];
o32[oi++] = x[7];
o32[oi++] = x[8];
o32[oi++] = x[9];
}
function chachaCore(s, k, n, out, cnt, rounds = 20) {
// prettier-ignore
const y = new Uint32Array([
s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k"
k[0], k[1], k[2], k[3], // Key Key Key Key
k[4], k[5], k[6], k[7], // Key Key Key Key
cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce
]);
const x = y.slice();
chachaRound(x, rounds);
for (let i = 0; i < 16; i++)
out[i] = (y[i] + x[i]) | 0;
}
/** hchacha hashes key and nonce into key' and nonce'. */
// prettier-ignore
function hchacha(s, k, i, o32) {
const x = new Uint32Array([
s[0], s[1], s[2], s[3],
k[0], k[1], k[2], k[3],
k[4], k[5], k[6], k[7],
i[0], i[1], i[2], i[3],
]);
chachaRound(x, 20);
let oi = 0;
o32[oi++] = x[0];
o32[oi++] = x[1];
o32[oi++] = x[2];
o32[oi++] = x[3];
o32[oi++] = x[12];
o32[oi++] = x[13];
o32[oi++] = x[14];
o32[oi++] = x[15];
}
/** salsa20, 12-byte nonce. */
exports.salsa20 = (0, _arx_ts_1.createCipher)(salsaCore, {
allowShortKeys: true,
counterRight: true,
});
/** xsalsa20, 24-byte nonce. */
exports.xsalsa20 = (0, _arx_ts_1.createCipher)(salsaCore, {
counterRight: true,
extendNonceFn: hsalsa,
});
/** chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. */
exports.chacha20orig = (0, _arx_ts_1.createCipher)(chachaCore, {
allowShortKeys: true,
counterRight: false,
counterLength: 8,
});
/** chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. */
exports.chacha20 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
});
/** xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha */
exports.xchacha20 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 8,
extendNonceFn: hchacha,
});
/** 8-round chacha from the original paper. */
exports.chacha8 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 8,
});
/** 12-round chacha from the original paper. */
exports.chacha12 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 12,
});
const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5);
const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1);
const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff');
const _0 = BigInt(0);
const _1 = BigInt(1);
/** Poly1305 polynomial MAC. Can be speed-up using BigUint64Array, at the cost of complexity. */
function poly1305(msg, key) {
(0, utils_ts_1.abytes)(msg);
(0, utils_ts_1.abytes)(key, 32);
let acc = _0;
const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R;
const s = bytesToNumberLE(key.subarray(16));
// Process by 16 byte chunks
for (let i = 0; i < msg.length; i += 16) {
const m = msg.subarray(i, i + 16);
const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length));
acc = ((acc + n) * r) % POW_2_130_5;
}
const res = (acc + s) & POW_2_128_1;
return numberToBytesLE(res, 16);
}
function computeTag(fn, key, nonce, ciphertext, AAD) {
const res = [];
if (AAD) {
res.push(AAD);
const leftover = AAD.length % 16;
if (leftover > 0)
res.push(new Uint8Array(16 - leftover));
}
res.push(ciphertext);
const leftover = ciphertext.length % 16;
if (leftover > 0)
res.push(new Uint8Array(16 - leftover));
res.push((0, utils_ts_1.u64Lengths)(ciphertext.length, AAD ? AAD.length : 0, true));
const authKey = fn(key, nonce, new Uint8Array(32));
return poly1305((0, utils_ts_1.concatBytes)(...res), authKey);
}
/** xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. */
exports.xsalsa20poly1305 = (0, utils_ts_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsapoly(key, nonce) {
return {
encrypt(plaintext) {
const m = (0, utils_ts_1.concatBytes)(new Uint8Array(32), plaintext);
const c = (0, exports.xsalsa20)(key, nonce, m);
const authKey = c.subarray(0, 32);
const data = c.subarray(32);
const tag = poly1305(data, authKey);
return (0, utils_ts_1.concatBytes)(tag, data);
},
decrypt(ciphertext) {
const c = (0, utils_ts_1.concatBytes)(new Uint8Array(16), ciphertext);
const passedTag = c.subarray(16, 32);
const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32));
const tag = poly1305(c.subarray(32), authKey);
if (!(0, utils_ts_1.equalBytes)(tag, passedTag))
throw new Error('invalid poly1305 tag');
return (0, exports.xsalsa20)(key, nonce, c).subarray(32);
},
};
});
/** Alias to `xsalsa20poly1305`. */
function secretbox(key, nonce) {
const xs = (0, exports.xsalsa20poly1305)(key, nonce);
return { seal: xs.encrypt, open: xs.decrypt };
}
const _poly1305_aead = (fn) => (key, nonce, AAD) => {
const tagLength = 16;
return {
encrypt(plaintext) {
const data = fn(key, nonce, plaintext, undefined, 1); // stream from i=1
const tag = computeTag(fn, key, nonce, data, AAD);
return (0, utils_ts_1.concatBytes)(data, tag);
},
decrypt(ciphertext) {
const passedTag = ciphertext.subarray(-tagLength);
const data = ciphertext.subarray(0, -tagLength);
const tag = computeTag(fn, key, nonce, data, AAD);
if (!(0, utils_ts_1.equalBytes)(tag, passedTag))
throw new Error('invalid poly1305 tag');
return fn(key, nonce, data, undefined, 1); // stream from i=1
},
};
};
exports._poly1305_aead = _poly1305_aead;
/** chacha20-poly1305 12-byte-nonce chacha. */
exports.chacha20poly1305 = (0, utils_ts_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20));
/**
* XChaCha20-Poly1305 extended-nonce chacha. Can be safely used with random nonces (CSPRNG).
*/
exports.xchacha20poly1305 = (0, utils_ts_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20));
//# sourceMappingURL=_micro.js.map

1
node_modules/@noble/ciphers/_micro.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

29
node_modules/@noble/ciphers/_poly1305.d.ts generated vendored Normal file
View File

@@ -0,0 +1,29 @@
/**
* Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
* [wiki](https://en.wikipedia.org/wiki/Poly1305))
* is a fast and parallel secret-key message-authentication code suitable for
* a wide variety of applications. It was standardized in
* [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
*
* Polynomial MACs are not perfect for every situation:
* they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
* See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
* To combat invisible salamanders, `hash(key)` can be included in ciphertext,
* however, this would violate ciphertext indistinguishability:
* an attacker would know which key was used - so `HKDF(key, i)`
* could be used instead.
*
* Check out [original website](https://cr.yp.to/mac.html).
* @module
*/
import { Hash, type Input } from './utils.ts';
export type CHash = ReturnType<typeof wrapConstructorWithKey>;
export declare function wrapConstructorWithKey<H extends Hash<H>>(hashCons: (key: Input) => Hash<H>): {
(msg: Input, key: Input): Uint8Array;
outputLen: number;
blockLen: number;
create(key: Input): Hash<H>;
};
/** Poly1305 MAC from RFC 8439. */
export declare const poly1305: CHash;
//# sourceMappingURL=_poly1305.d.ts.map

1
node_modules/@noble/ciphers/_poly1305.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_poly1305.d.ts","sourceRoot":"","sources":["src/_poly1305.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,IAAI,EAAE,KAAK,KAAK,EAA4C,MAAM,YAAY,CAAC;AA4QxF,MAAM,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC9D,wBAAgB,sBAAsB,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,EACtD,QAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,GAChC;IACD,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,GAAG,UAAU,CAAC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,GAAG,EAAE,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;CAC7B,CAOA;AAED,kCAAkC;AAClC,eAAO,MAAM,QAAQ,EAAE,KAA0D,CAAC"}

281
node_modules/@noble/ciphers/_poly1305.js generated vendored Normal file
View File

@@ -0,0 +1,281 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.poly1305 = void 0;
exports.wrapConstructorWithKey = wrapConstructorWithKey;
/**
* Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
* [wiki](https://en.wikipedia.org/wiki/Poly1305))
* is a fast and parallel secret-key message-authentication code suitable for
* a wide variety of applications. It was standardized in
* [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
*
* Polynomial MACs are not perfect for every situation:
* they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
* See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
* To combat invisible salamanders, `hash(key)` can be included in ciphertext,
* however, this would violate ciphertext indistinguishability:
* an attacker would know which key was used - so `HKDF(key, i)`
* could be used instead.
*
* Check out [original website](https://cr.yp.to/mac.html).
* @module
*/
const utils_ts_1 = require("./utils.js");
// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna
const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
class Poly1305 {
constructor(key) {
this.blockLen = 16;
this.outputLen = 16;
this.buffer = new Uint8Array(16);
this.r = new Uint16Array(10);
this.h = new Uint16Array(10);
this.pad = new Uint16Array(8);
this.pos = 0;
this.finished = false;
key = (0, utils_ts_1.toBytes)(key);
(0, utils_ts_1.abytes)(key, 32);
const t0 = u8to16(key, 0);
const t1 = u8to16(key, 2);
const t2 = u8to16(key, 4);
const t3 = u8to16(key, 6);
const t4 = u8to16(key, 8);
const t5 = u8to16(key, 10);
const t6 = u8to16(key, 12);
const t7 = u8to16(key, 14);
// https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
this.r[0] = t0 & 0x1fff;
this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
this.r[5] = (t4 >>> 1) & 0x1ffe;
this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
this.r[9] = (t7 >>> 5) & 0x007f;
for (let i = 0; i < 8; i++)
this.pad[i] = u8to16(key, 16 + 2 * i);
}
process(data, offset, isLast = false) {
const hibit = isLast ? 0 : 1 << 11;
const { h, r } = this;
const r0 = r[0];
const r1 = r[1];
const r2 = r[2];
const r3 = r[3];
const r4 = r[4];
const r5 = r[5];
const r6 = r[6];
const r7 = r[7];
const r8 = r[8];
const r9 = r[9];
const t0 = u8to16(data, offset + 0);
const t1 = u8to16(data, offset + 2);
const t2 = u8to16(data, offset + 4);
const t3 = u8to16(data, offset + 6);
const t4 = u8to16(data, offset + 8);
const t5 = u8to16(data, offset + 10);
const t6 = u8to16(data, offset + 12);
const t7 = u8to16(data, offset + 14);
let h0 = h[0] + (t0 & 0x1fff);
let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
let h9 = h[9] + ((t7 >>> 5) | hibit);
let c = 0;
let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
c = d0 >>> 13;
d0 &= 0x1fff;
d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
c += d0 >>> 13;
d0 &= 0x1fff;
let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
c = d1 >>> 13;
d1 &= 0x1fff;
d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
c += d1 >>> 13;
d1 &= 0x1fff;
let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
c = d2 >>> 13;
d2 &= 0x1fff;
d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
c += d2 >>> 13;
d2 &= 0x1fff;
let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
c = d3 >>> 13;
d3 &= 0x1fff;
d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
c += d3 >>> 13;
d3 &= 0x1fff;
let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
c = d4 >>> 13;
d4 &= 0x1fff;
d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
c += d4 >>> 13;
d4 &= 0x1fff;
let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
c = d5 >>> 13;
d5 &= 0x1fff;
d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
c += d5 >>> 13;
d5 &= 0x1fff;
let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
c = d6 >>> 13;
d6 &= 0x1fff;
d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
c += d6 >>> 13;
d6 &= 0x1fff;
let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
c = d7 >>> 13;
d7 &= 0x1fff;
d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
c += d7 >>> 13;
d7 &= 0x1fff;
let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
c = d8 >>> 13;
d8 &= 0x1fff;
d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
c += d8 >>> 13;
d8 &= 0x1fff;
let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
c = d9 >>> 13;
d9 &= 0x1fff;
d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
c += d9 >>> 13;
d9 &= 0x1fff;
c = ((c << 2) + c) | 0;
c = (c + d0) | 0;
d0 = c & 0x1fff;
c = c >>> 13;
d1 += c;
h[0] = d0;
h[1] = d1;
h[2] = d2;
h[3] = d3;
h[4] = d4;
h[5] = d5;
h[6] = d6;
h[7] = d7;
h[8] = d8;
h[9] = d9;
}
finalize() {
const { h, pad } = this;
const g = new Uint16Array(10);
let c = h[1] >>> 13;
h[1] &= 0x1fff;
for (let i = 2; i < 10; i++) {
h[i] += c;
c = h[i] >>> 13;
h[i] &= 0x1fff;
}
h[0] += c * 5;
c = h[0] >>> 13;
h[0] &= 0x1fff;
h[1] += c;
c = h[1] >>> 13;
h[1] &= 0x1fff;
h[2] += c;
g[0] = h[0] + 5;
c = g[0] >>> 13;
g[0] &= 0x1fff;
for (let i = 1; i < 10; i++) {
g[i] = h[i] + c;
c = g[i] >>> 13;
g[i] &= 0x1fff;
}
g[9] -= 1 << 13;
let mask = (c ^ 1) - 1;
for (let i = 0; i < 10; i++)
g[i] &= mask;
mask = ~mask;
for (let i = 0; i < 10; i++)
h[i] = (h[i] & mask) | g[i];
h[0] = (h[0] | (h[1] << 13)) & 0xffff;
h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
let f = h[0] + pad[0];
h[0] = f & 0xffff;
for (let i = 1; i < 8; i++) {
f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
h[i] = f & 0xffff;
}
(0, utils_ts_1.clean)(g);
}
update(data) {
(0, utils_ts_1.aexists)(this);
data = (0, utils_ts_1.toBytes)(data);
(0, utils_ts_1.abytes)(data);
const { buffer, blockLen } = this;
const len = data.length;
for (let pos = 0; pos < len;) {
const take = Math.min(blockLen - this.pos, len - pos);
// Fast path: we have at least one block in input
if (take === blockLen) {
for (; blockLen <= len - pos; pos += blockLen)
this.process(data, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(buffer, 0, false);
this.pos = 0;
}
}
return this;
}
destroy() {
(0, utils_ts_1.clean)(this.h, this.r, this.buffer, this.pad);
}
digestInto(out) {
(0, utils_ts_1.aexists)(this);
(0, utils_ts_1.aoutput)(out, this);
this.finished = true;
const { buffer, h } = this;
let { pos } = this;
if (pos) {
buffer[pos++] = 1;
for (; pos < 16; pos++)
buffer[pos] = 0;
this.process(buffer, 0, true);
}
this.finalize();
let opos = 0;
for (let i = 0; i < 8; i++) {
out[opos++] = h[i] >>> 0;
out[opos++] = h[i] >>> 8;
}
return out;
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
}
function wrapConstructorWithKey(hashCons) {
const hashC = (msg, key) => hashCons(key).update((0, utils_ts_1.toBytes)(msg)).digest();
const tmp = hashCons(new Uint8Array(32));
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (key) => hashCons(key);
return hashC;
}
/** Poly1305 MAC from RFC 8439. */
exports.poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
//# sourceMappingURL=_poly1305.js.map

1
node_modules/@noble/ciphers/_poly1305.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

33
node_modules/@noble/ciphers/_polyval.d.ts generated vendored Normal file
View File

@@ -0,0 +1,33 @@
/**
* GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
*
* Implemented in terms of GHash with conversion function for keys
* GCM GHASH from
* [NIST SP800-38d](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf),
* SIV from
* [RFC 8452](https://datatracker.ietf.org/doc/html/rfc8452).
*
* GHASH modulo: x^128 + x^7 + x^2 + x + 1
* POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
*
* @module
*/
import { Hash, type Input } from './utils.ts';
/**
* `mulX_POLYVAL(ByteReverse(H))` from spec
* @param k mutated in place
*/
export declare function _toGHASHKey(k: Uint8Array): Uint8Array;
export type CHashPV = ReturnType<typeof wrapConstructorWithKey>;
declare function wrapConstructorWithKey<H extends Hash<H>>(hashCons: (key: Input, expectedLength?: number) => Hash<H>): {
(msg: Input, key: Input): Uint8Array;
outputLen: number;
blockLen: number;
create(key: Input, expectedLength?: number): Hash<H>;
};
/** GHash MAC for AES-GCM. */
export declare const ghash: CHashPV;
/** Polyval MAC for AES-SIV. */
export declare const polyval: CHashPV;
export {};
//# sourceMappingURL=_polyval.d.ts.map

1
node_modules/@noble/ciphers/_polyval.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_polyval.d.ts","sourceRoot":"","sources":["src/_polyval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAEyB,IAAI,EAAE,KAAK,KAAK,EAC/C,MAAM,YAAY,CAAC;AA6BpB;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAYrD;AAiLD,MAAM,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAChE,iBAAS,sBAAsB,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,EAC/C,QAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,GACzD;IACD,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,GAAG,UAAU,CAAC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;CACtD,CAQA;AAED,6BAA6B;AAC7B,eAAO,MAAM,KAAK,EAAE,OAEnB,CAAC;AAEF,+BAA+B;AAC/B,eAAO,MAAM,OAAO,EAAE,OAErB,CAAC"}

233
node_modules/@noble/ciphers/_polyval.js generated vendored Normal file
View File

@@ -0,0 +1,233 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.polyval = exports.ghash = void 0;
exports._toGHASHKey = _toGHASHKey;
/**
* GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
*
* Implemented in terms of GHash with conversion function for keys
* GCM GHASH from
* [NIST SP800-38d](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf),
* SIV from
* [RFC 8452](https://datatracker.ietf.org/doc/html/rfc8452).
*
* GHASH modulo: x^128 + x^7 + x^2 + x + 1
* POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
*
* @module
*/
// prettier-ignore
const utils_ts_1 = require("./utils.js");
const BLOCK_SIZE = 16;
// TODO: rewrite
// temporary padding buffer
const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
const ZEROS32 = (0, utils_ts_1.u32)(ZEROS16);
const POLY = 0xe1; // v = 2*v % POLY
// v = 2*v % POLY
// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x
// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor)
const mul2 = (s0, s1, s2, s3) => {
const hiBit = s3 & 1;
return {
s3: (s2 << 31) | (s3 >>> 1),
s2: (s1 << 31) | (s2 >>> 1),
s1: (s0 << 31) | (s1 >>> 1),
s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly
};
};
const swapLE = (n) => (((n >>> 0) & 0xff) << 24) |
(((n >>> 8) & 0xff) << 16) |
(((n >>> 16) & 0xff) << 8) |
((n >>> 24) & 0xff) |
0;
/**
* `mulX_POLYVAL(ByteReverse(H))` from spec
* @param k mutated in place
*/
function _toGHASHKey(k) {
k.reverse();
const hiBit = k[15] & 1;
// k >>= 1
let carry = 0;
for (let i = 0; i < k.length; i++) {
const t = k[i];
k[i] = (t >>> 1) | carry;
carry = (t & 1) << 7;
}
k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000;
return k;
}
const estimateWindow = (bytes) => {
if (bytes > 64 * 1024)
return 8;
if (bytes > 1024)
return 4;
return 2;
};
class GHASH {
// We select bits per window adaptively based on expectedLength
constructor(key, expectedLength) {
this.blockLen = BLOCK_SIZE;
this.outputLen = BLOCK_SIZE;
this.s0 = 0;
this.s1 = 0;
this.s2 = 0;
this.s3 = 0;
this.finished = false;
key = (0, utils_ts_1.toBytes)(key);
(0, utils_ts_1.abytes)(key, 16);
const kView = (0, utils_ts_1.createView)(key);
let k0 = kView.getUint32(0, false);
let k1 = kView.getUint32(4, false);
let k2 = kView.getUint32(8, false);
let k3 = kView.getUint32(12, false);
// generate table of doubled keys (half of montgomery ladder)
const doubles = [];
for (let i = 0; i < 128; i++) {
doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3));
}
const W = estimateWindow(expectedLength || 1024);
if (![1, 2, 4, 8].includes(W))
throw new Error('ghash: invalid window size, expected 2, 4 or 8');
this.W = W;
const bits = 128; // always 128 bits;
const windows = bits / W;
const windowSize = (this.windowSize = 2 ** W);
const items = [];
// Create precompute table for window of W bits
for (let w = 0; w < windows; w++) {
// truth table: 00, 01, 10, 11
for (let byte = 0; byte < windowSize; byte++) {
// prettier-ignore
let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
for (let j = 0; j < W; j++) {
const bit = (byte >>> (W - j - 1)) & 1;
if (!bit)
continue;
const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
(s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3);
}
items.push({ s0, s1, s2, s3 });
}
}
this.t = items;
}
_updateBlock(s0, s1, s2, s3) {
(s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3);
const { W, t, windowSize } = this;
// prettier-ignore
let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
const mask = (1 << W) - 1; // 2**W will kill performance.
let w = 0;
for (const num of [s0, s1, s2, s3]) {
for (let bytePos = 0; bytePos < 4; bytePos++) {
const byte = (num >>> (8 * bytePos)) & 0xff;
for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
const bit = (byte >>> (W * bitPos)) & mask;
const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
(o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3);
w += 1;
}
}
}
this.s0 = o0;
this.s1 = o1;
this.s2 = o2;
this.s3 = o3;
}
update(data) {
(0, utils_ts_1.aexists)(this);
data = (0, utils_ts_1.toBytes)(data);
(0, utils_ts_1.abytes)(data);
const b32 = (0, utils_ts_1.u32)(data);
const blocks = Math.floor(data.length / BLOCK_SIZE);
const left = data.length % BLOCK_SIZE;
for (let i = 0; i < blocks; i++) {
this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
}
if (left) {
ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
(0, utils_ts_1.clean)(ZEROS32); // clean tmp buffer
}
return this;
}
destroy() {
const { t } = this;
// clean precompute table
for (const elm of t) {
(elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0);
}
}
digestInto(out) {
(0, utils_ts_1.aexists)(this);
(0, utils_ts_1.aoutput)(out, this);
this.finished = true;
const { s0, s1, s2, s3 } = this;
const o32 = (0, utils_ts_1.u32)(out);
o32[0] = s0;
o32[1] = s1;
o32[2] = s2;
o32[3] = s3;
return out;
}
digest() {
const res = new Uint8Array(BLOCK_SIZE);
this.digestInto(res);
this.destroy();
return res;
}
}
class Polyval extends GHASH {
constructor(key, expectedLength) {
key = (0, utils_ts_1.toBytes)(key);
(0, utils_ts_1.abytes)(key);
const ghKey = _toGHASHKey((0, utils_ts_1.copyBytes)(key));
super(ghKey, expectedLength);
(0, utils_ts_1.clean)(ghKey);
}
update(data) {
data = (0, utils_ts_1.toBytes)(data);
(0, utils_ts_1.aexists)(this);
const b32 = (0, utils_ts_1.u32)(data);
const left = data.length % BLOCK_SIZE;
const blocks = Math.floor(data.length / BLOCK_SIZE);
for (let i = 0; i < blocks; i++) {
this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
}
if (left) {
ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
(0, utils_ts_1.clean)(ZEROS32);
}
return this;
}
digestInto(out) {
(0, utils_ts_1.aexists)(this);
(0, utils_ts_1.aoutput)(out, this);
this.finished = true;
// tmp ugly hack
const { s0, s1, s2, s3 } = this;
const o32 = (0, utils_ts_1.u32)(out);
o32[0] = s0;
o32[1] = s1;
o32[2] = s2;
o32[3] = s3;
return out.reverse();
}
}
function wrapConstructorWithKey(hashCons) {
const hashC = (msg, key) => hashCons(key, msg.length).update((0, utils_ts_1.toBytes)(msg)).digest();
const tmp = hashCons(new Uint8Array(16), 0);
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
return hashC;
}
/** GHash MAC for AES-GCM. */
exports.ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
/** Polyval MAC for AES-SIV. */
exports.polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
//# sourceMappingURL=_polyval.js.map

1
node_modules/@noble/ciphers/_polyval.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

117
node_modules/@noble/ciphers/aes.d.ts generated vendored Normal file
View File

@@ -0,0 +1,117 @@
import { type Cipher, type CipherWithOutput } from './utils.ts';
/** Key expansion used in CTR. */
declare function expandKeyLE(key: Uint8Array): Uint32Array;
declare function expandKeyDecLE(key: Uint8Array): Uint32Array;
declare function encrypt(xk: Uint32Array, s0: number, s1: number, s2: number, s3: number): {
s0: number;
s1: number;
s2: number;
s3: number;
};
declare function decrypt(xk: Uint32Array, s0: number, s1: number, s2: number, s3: number): {
s0: number;
s1: number;
s2: number;
s3: number;
};
declare function ctrCounter(xk: Uint32Array, nonce: Uint8Array, src: Uint8Array, dst?: Uint8Array): Uint8Array;
declare function ctr32(xk: Uint32Array, isLE: boolean, nonce: Uint8Array, src: Uint8Array, dst?: Uint8Array): Uint8Array;
/**
* CTR: counter mode. Creates stream cipher.
* Requires good IV. Parallelizable. OK, but no MAC.
*/
export declare const ctr: ((key: Uint8Array, nonce: Uint8Array) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/** Options for ECB and CBC. */
export type BlockOpts = {
disablePadding?: boolean;
};
/**
* ECB: Electronic CodeBook. Simple deterministic replacement.
* Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
*/
export declare const ecb: ((key: Uint8Array, opts?: BlockOpts) => CipherWithOutput) & {
blockSize: number;
};
/**
* CBC: Cipher-Block-Chaining. Key is previous rounds block.
* Fragile: needs proper padding. Unauthenticated: needs MAC.
*/
export declare const cbc: ((key: Uint8Array, iv: Uint8Array, opts?: BlockOpts) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/**
* CFB: Cipher Feedback Mode. The input for the block cipher is the previous cipher output.
* Unauthenticated: needs MAC.
*/
export declare const cfb: ((key: Uint8Array, iv: Uint8Array) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/**
* GCM: Galois/Counter Mode.
* Modern, parallel version of CTR, with MAC.
* Be careful: MACs can be forged.
* Unsafe to use random nonces under the same key, due to collision chance.
* As for nonce size, prefer 12-byte, instead of 8-byte.
*/
export declare const gcm: ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
varSizeNonce: true;
};
/**
* AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
* Guarantees that, when a nonce is repeated, the only security loss is that identical
* plaintexts will produce identical ciphertexts.
* RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
*/
export declare const gcmsiv: ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
varSizeNonce: true;
};
/**
* AES-GCM-SIV, not AES-SIV.
* This is legace name, use `gcmsiv` export instead.
* @deprecated
*/
export declare const siv: typeof gcmsiv;
declare function encryptBlock(xk: Uint32Array, block: Uint8Array): Uint8Array;
declare function decryptBlock(xk: Uint32Array, block: Uint8Array): Uint8Array;
/**
* AES-KW (key-wrap). Injects static IV into plaintext, adds counter, encrypts 6 times.
* Reduces block size from 16 to 8 bytes.
* For padded version, use aeskwp.
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [NIST.SP.800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf).
*/
export declare const aeskw: ((kek: Uint8Array) => Cipher) & {
blockSize: number;
};
/**
* AES-KW, but with padding and allows random keys.
* Second u32 of IV is used as counter for length.
* [RFC 5649](https://www.rfc-editor.org/rfc/rfc5649)
*/
export declare const aeskwp: ((kek: Uint8Array) => Cipher) & {
blockSize: number;
};
/** Unsafe low-level internal methods. May change at any time. */
export declare const unsafe: {
expandKeyLE: typeof expandKeyLE;
expandKeyDecLE: typeof expandKeyDecLE;
encrypt: typeof encrypt;
decrypt: typeof decrypt;
encryptBlock: typeof encryptBlock;
decryptBlock: typeof decryptBlock;
ctrCounter: typeof ctrCounter;
ctr32: typeof ctr32;
};
export {};
//# sourceMappingURL=aes.d.ts.map

1
node_modules/@noble/ciphers/aes.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"aes.d.ts","sourceRoot":"","sources":["src/aes.ts"],"names":[],"mappings":"AAkBA,OAAO,EAIL,KAAK,MAAM,EAAE,KAAK,gBAAgB,EACnC,MAAM,YAAY,CAAC;AA0FpB,iCAAiC;AACjC,iBAAS,WAAW,CAAC,GAAG,EAAE,UAAU,GAAG,WAAW,CAsBjD;AAED,iBAAS,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,WAAW,CAkBpD;AAwBD,iBAAS,OAAO,CACd,EAAE,EAAE,WAAW,EACf,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAkBpD;AAGD,iBAAS,OAAO,CACd,EAAE,EAAE,WAAW,EACf,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IACD,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;CACZ,CAkBA;AAGD,iBAAS,UAAU,CACjB,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU,GACf,UAAU,CAqCZ;AAKD,iBAAS,KAAK,CACZ,EAAE,EAAE,WAAW,EACf,IAAI,EAAE,OAAO,EACb,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU,GACf,UAAU,CAiCZ;AAED;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,KAAK,gBAAgB,CAAC,GAAG;IAC7E,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CAuBrB,CAAC;AAmDF,+BAA+B;AAC/B,MAAM,MAAM,SAAS,GAAG;IAAE,cAAc,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,SAAS,KAAK,gBAAgB,CAAC,GAAG;IAC5E,SAAS,EAAE,MAAM,CAAC;CAwCnB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,SAAS,KAAK,gBAAgB,CAAC,GAAG;IAC5F,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CAwDrB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,KAAK,gBAAgB,CAAC,GAAG;IAC1E,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CA4CrB,CAAC;AAqBF;;;;;;GAMG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACrF,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,IAAI,CAAC;CA8DpB,CAAC;AASF;;;;;GAKG;AACH,eAAO,MAAM,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACxF,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,IAAI,CAAC;CAgGpB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,GAAG,EAAE,OAAO,MAAe,CAAC;AAQzC,iBAAS,YAAY,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,GAAG,UAAU,CAOpE;AAED,iBAAS,YAAY,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,GAAG,UAAU,CAOpE;AAsED;;;;;;GAMG;AACH,eAAO,MAAM,KAAK,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IAClD,SAAS,EAAE,MAAM,CAAC;CA0BnB,CAAC;AA0CF;;;;GAIG;AACH,eAAO,MAAM,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACnD,SAAS,EAAE,MAAM,CAAC;CA+BnB,CAAC;AAEF,iEAAiE;AACjE,eAAO,MAAM,MAAM,EAAE;IACnB,WAAW,EAAE,OAAO,WAAW,CAAC;IAChC,cAAc,EAAE,OAAO,cAAc,CAAC;IACtC,OAAO,EAAE,OAAO,OAAO,CAAC;IACxB,OAAO,EAAE,OAAO,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,YAAY,CAAC;IAClC,YAAY,EAAE,OAAO,YAAY,CAAC;IAClC,UAAU,EAAE,OAAO,UAAU,CAAC;IAC9B,KAAK,EAAE,OAAO,KAAK,CAAC;CAUrB,CAAC"}

906
node_modules/@noble/ciphers/aes.js generated vendored Normal file
View File

@@ -0,0 +1,906 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.unsafe = exports.aeskwp = exports.aeskw = exports.siv = exports.gcmsiv = exports.gcm = exports.cfb = exports.cbc = exports.ecb = exports.ctr = void 0;
/**
* [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
* a.k.a. Advanced Encryption Standard
* is a variant of Rijndael block cipher, standardized by NIST in 2001.
* We provide the fastest available pure JS implementation.
*
* Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round:
* 1. **S-box**, table substitution
* 2. **Shift rows**, cyclic shift left of all rows of data array
* 3. **Mix columns**, multiplying every column by fixed polynomial
* 4. **Add round key**, round_key xor i-th column of array
*
* Check out [FIPS-197](https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf)
* and [original proposal](https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf)
* @module
*/
const _polyval_ts_1 = require("./_polyval.js");
// prettier-ignore
const utils_ts_1 = require("./utils.js");
const BLOCK_SIZE = 16;
const BLOCK_SIZE32 = 4;
const EMPTY_BLOCK = /* @__PURE__ */ new Uint8Array(BLOCK_SIZE);
const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8
// TODO: remove multiplication, binary ops only
function mul2(n) {
return (n << 1) ^ (POLY & -(n >> 7));
}
function mul(a, b) {
let res = 0;
for (; b > 0; b >>= 1) {
// Montgomery ladder
res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time).
a = mul2(a); // a = 2*a
}
return res;
}
// AES S-box is generated using finite field inversion,
// an affine transform, and xor of a constant 0x63.
const sbox = /* @__PURE__ */ (() => {
const t = new Uint8Array(256);
for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))
t[i] = x;
const box = new Uint8Array(256);
box[0] = 0x63; // first elm
for (let i = 0; i < 255; i++) {
let x = t[255 - i];
x |= x << 8;
box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff;
}
(0, utils_ts_1.clean)(t);
return box;
})();
// Inverted S-box
const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j));
// Rotate u32 by 8
const rotr32_8 = (n) => (n << 24) | (n >>> 8);
const rotl32_8 = (n) => (n << 8) | (n >>> 24);
// The byte swap operation for uint32 (LE<->BE)
const byteSwap = (word) => ((word << 24) & 0xff000000) |
((word << 8) & 0xff0000) |
((word >>> 8) & 0xff00) |
((word >>> 24) & 0xff);
// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes:
// - LE instead of BE
// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23;
// so index is u16, instead of u8. This speeds up things, unexpectedly
function genTtable(sbox, fn) {
if (sbox.length !== 256)
throw new Error('Wrong sbox length');
const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j]));
const T1 = T0.map(rotl32_8);
const T2 = T1.map(rotl32_8);
const T3 = T2.map(rotl32_8);
const T01 = new Uint32Array(256 * 256);
const T23 = new Uint32Array(256 * 256);
const sbox2 = new Uint16Array(256 * 256);
for (let i = 0; i < 256; i++) {
for (let j = 0; j < 256; j++) {
const idx = i * 256 + j;
T01[idx] = T0[i] ^ T1[j];
T23[idx] = T2[i] ^ T3[j];
sbox2[idx] = (sbox[i] << 8) | sbox[j];
}
}
return { sbox, sbox2, T0, T1, T2, T3, T01, T23 };
}
const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2));
const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14));
const xPowers = /* @__PURE__ */ (() => {
const p = new Uint8Array(16);
for (let i = 0, x = 1; i < 16; i++, x = mul2(x))
p[i] = x;
return p;
})();
/** Key expansion used in CTR. */
function expandKeyLE(key) {
(0, utils_ts_1.abytes)(key);
const len = key.length;
if (![16, 24, 32].includes(len))
throw new Error('aes: invalid key size, should be 16, 24 or 32, got ' + len);
const { sbox2 } = tableEncoding;
const toClean = [];
if (!(0, utils_ts_1.isAligned32)(key))
toClean.push((key = (0, utils_ts_1.copyBytes)(key)));
const k32 = (0, utils_ts_1.u32)(key);
const Nk = k32.length;
const subByte = (n) => applySbox(sbox2, n, n, n, n);
const xk = new Uint32Array(len + 28); // expanded key
xk.set(k32);
// 4.3.1 Key expansion
for (let i = Nk; i < xk.length; i++) {
let t = xk[i - 1];
if (i % Nk === 0)
t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1];
else if (Nk > 6 && i % Nk === 4)
t = subByte(t);
xk[i] = xk[i - Nk] ^ t;
}
(0, utils_ts_1.clean)(...toClean);
return xk;
}
function expandKeyDecLE(key) {
const encKey = expandKeyLE(key);
const xk = encKey.slice();
const Nk = encKey.length;
const { sbox2 } = tableEncoding;
const { T0, T1, T2, T3 } = tableDecoding;
// Inverse key by chunks of 4 (rounds)
for (let i = 0; i < Nk; i += 4) {
for (let j = 0; j < 4; j++)
xk[i + j] = encKey[Nk - i - 4 + j];
}
(0, utils_ts_1.clean)(encKey);
// apply InvMixColumn except first & last round
for (let i = 4; i < Nk - 4; i++) {
const x = xk[i];
const w = applySbox(sbox2, x, x, x, x);
xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24];
}
return xk;
}
// Apply tables
function apply0123(T01, T23, s0, s1, s2, s3) {
return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^
T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]);
}
function applySbox(sbox2, s0, s1, s2, s3) {
return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
(sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
}
function encrypt(xk, s0, s1, s2, s3) {
const { sbox2, T01, T23 } = tableEncoding;
let k = 0;
(s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
const rounds = xk.length / 4 - 2;
for (let i = 0; i < rounds; i++) {
const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
(s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
}
// last round (without mixcolumns, so using SBOX2 table)
const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
return { s0: t0, s1: t1, s2: t2, s3: t3 };
}
// Can't be merged with encrypt: arg positions for apply0123 / applySbox are different
function decrypt(xk, s0, s1, s2, s3) {
const { sbox2, T01, T23 } = tableDecoding;
let k = 0;
(s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
const rounds = xk.length / 4 - 2;
for (let i = 0; i < rounds; i++) {
const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1);
const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2);
const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3);
const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0);
(s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
}
// Last round
const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1);
const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2);
const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3);
const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0);
return { s0: t0, s1: t1, s2: t2, s3: t3 };
}
// TODO: investigate merging with ctr32
function ctrCounter(xk, nonce, src, dst) {
(0, utils_ts_1.abytes)(nonce, BLOCK_SIZE);
(0, utils_ts_1.abytes)(src);
const srcLen = src.length;
dst = (0, utils_ts_1.getOutput)(srcLen, dst);
(0, utils_ts_1.complexOverlapBytes)(src, dst);
const ctr = nonce;
const c32 = (0, utils_ts_1.u32)(ctr);
// Fill block (empty, ctr=0)
let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
const src32 = (0, utils_ts_1.u32)(src);
const dst32 = (0, utils_ts_1.u32)(dst);
// process blocks
for (let i = 0; i + 4 <= src32.length; i += 4) {
dst32[i + 0] = src32[i + 0] ^ s0;
dst32[i + 1] = src32[i + 1] ^ s1;
dst32[i + 2] = src32[i + 2] ^ s2;
dst32[i + 3] = src32[i + 3] ^ s3;
// Full 128 bit counter with wrap around
let carry = 1;
for (let i = ctr.length - 1; i >= 0; i--) {
carry = (carry + (ctr[i] & 0xff)) | 0;
ctr[i] = carry & 0xff;
carry >>>= 8;
}
({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
}
// leftovers (less than block)
// It's possible to handle > u32 fast, but is it worth it?
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
const b32 = new Uint32Array([s0, s1, s2, s3]);
const buf = (0, utils_ts_1.u8)(b32);
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
(0, utils_ts_1.clean)(b32);
}
return dst;
}
// AES CTR with overflowing 32 bit counter
// It's possible to do 32le significantly simpler (and probably faster) by using u32.
// But, we need both, and perf bottleneck is in ghash anyway.
function ctr32(xk, isLE, nonce, src, dst) {
(0, utils_ts_1.abytes)(nonce, BLOCK_SIZE);
(0, utils_ts_1.abytes)(src);
dst = (0, utils_ts_1.getOutput)(src.length, dst);
const ctr = nonce; // write new value to nonce, so it can be re-used
const c32 = (0, utils_ts_1.u32)(ctr);
const view = (0, utils_ts_1.createView)(ctr);
const src32 = (0, utils_ts_1.u32)(src);
const dst32 = (0, utils_ts_1.u32)(dst);
const ctrPos = isLE ? 0 : 12;
const srcLen = src.length;
// Fill block (empty, ctr=0)
let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
// process blocks
for (let i = 0; i + 4 <= src32.length; i += 4) {
dst32[i + 0] = src32[i + 0] ^ s0;
dst32[i + 1] = src32[i + 1] ^ s1;
dst32[i + 2] = src32[i + 2] ^ s2;
dst32[i + 3] = src32[i + 3] ^ s3;
ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
view.setUint32(ctrPos, ctrNum, isLE);
({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
}
// leftovers (less than a block)
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
const b32 = new Uint32Array([s0, s1, s2, s3]);
const buf = (0, utils_ts_1.u8)(b32);
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
(0, utils_ts_1.clean)(b32);
}
return dst;
}
/**
* CTR: counter mode. Creates stream cipher.
* Requires good IV. Parallelizable. OK, but no MAC.
*/
exports.ctr = (0, utils_ts_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function aesctr(key, nonce) {
function processCtr(buf, dst) {
(0, utils_ts_1.abytes)(buf);
if (dst !== undefined) {
(0, utils_ts_1.abytes)(dst);
if (!(0, utils_ts_1.isAligned32)(dst))
throw new Error('unaligned destination');
}
const xk = expandKeyLE(key);
const n = (0, utils_ts_1.copyBytes)(nonce); // align + avoid changing
const toClean = [xk, n];
if (!(0, utils_ts_1.isAligned32)(buf))
toClean.push((buf = (0, utils_ts_1.copyBytes)(buf)));
const out = ctrCounter(xk, n, buf, dst);
(0, utils_ts_1.clean)(...toClean);
return out;
}
return {
encrypt: (plaintext, dst) => processCtr(plaintext, dst),
decrypt: (ciphertext, dst) => processCtr(ciphertext, dst),
};
});
function validateBlockDecrypt(data) {
(0, utils_ts_1.abytes)(data);
if (data.length % BLOCK_SIZE !== 0) {
throw new Error('aes-(cbc/ecb).decrypt ciphertext should consist of blocks with size ' + BLOCK_SIZE);
}
}
function validateBlockEncrypt(plaintext, pcks5, dst) {
(0, utils_ts_1.abytes)(plaintext);
let outLen = plaintext.length;
const remaining = outLen % BLOCK_SIZE;
if (!pcks5 && remaining !== 0)
throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding');
if (!(0, utils_ts_1.isAligned32)(plaintext))
plaintext = (0, utils_ts_1.copyBytes)(plaintext);
const b = (0, utils_ts_1.u32)(plaintext);
if (pcks5) {
let left = BLOCK_SIZE - remaining;
if (!left)
left = BLOCK_SIZE; // if no bytes left, create empty padding block
outLen = outLen + left;
}
dst = (0, utils_ts_1.getOutput)(outLen, dst);
(0, utils_ts_1.complexOverlapBytes)(plaintext, dst);
const o = (0, utils_ts_1.u32)(dst);
return { b, o, out: dst };
}
function validatePCKS(data, pcks5) {
if (!pcks5)
return data;
const len = data.length;
if (!len)
throw new Error('aes/pcks5: empty ciphertext not allowed');
const lastByte = data[len - 1];
if (lastByte <= 0 || lastByte > 16)
throw new Error('aes/pcks5: wrong padding');
const out = data.subarray(0, -lastByte);
for (let i = 0; i < lastByte; i++)
if (data[len - i - 1] !== lastByte)
throw new Error('aes/pcks5: wrong padding');
return out;
}
function padPCKS(left) {
const tmp = new Uint8Array(16);
const tmp32 = (0, utils_ts_1.u32)(tmp);
tmp.set(left);
const paddingByte = BLOCK_SIZE - left.length;
for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++)
tmp[i] = paddingByte;
return tmp32;
}
/**
* ECB: Electronic CodeBook. Simple deterministic replacement.
* Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
*/
exports.ecb = (0, utils_ts_1.wrapCipher)({ blockSize: 16 }, function aesecb(key, opts = {}) {
const pcks5 = !opts.disablePadding;
return {
encrypt(plaintext, dst) {
const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
const xk = expandKeyLE(key);
let i = 0;
for (; i + 4 <= b.length;) {
const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
if (pcks5) {
const tmp32 = padPCKS(plaintext.subarray(i * 4));
const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
(0, utils_ts_1.clean)(xk);
return _out;
},
decrypt(ciphertext, dst) {
validateBlockDecrypt(ciphertext);
const xk = expandKeyDecLE(key);
dst = (0, utils_ts_1.getOutput)(ciphertext.length, dst);
const toClean = [xk];
if (!(0, utils_ts_1.isAligned32)(ciphertext))
toClean.push((ciphertext = (0, utils_ts_1.copyBytes)(ciphertext)));
(0, utils_ts_1.complexOverlapBytes)(ciphertext, dst);
const b = (0, utils_ts_1.u32)(ciphertext);
const o = (0, utils_ts_1.u32)(dst);
for (let i = 0; i + 4 <= b.length;) {
const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
(0, utils_ts_1.clean)(...toClean);
return validatePCKS(dst, pcks5);
},
};
});
/**
* CBC: Cipher-Block-Chaining. Key is previous rounds block.
* Fragile: needs proper padding. Unauthenticated: needs MAC.
*/
exports.cbc = (0, utils_ts_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function aescbc(key, iv, opts = {}) {
const pcks5 = !opts.disablePadding;
return {
encrypt(plaintext, dst) {
const xk = expandKeyLE(key);
const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
let _iv = iv;
const toClean = [xk];
if (!(0, utils_ts_1.isAligned32)(_iv))
toClean.push((_iv = (0, utils_ts_1.copyBytes)(_iv)));
const n32 = (0, utils_ts_1.u32)(_iv);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
let i = 0;
for (; i + 4 <= b.length;) {
(s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
if (pcks5) {
const tmp32 = padPCKS(plaintext.subarray(i * 4));
(s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
(0, utils_ts_1.clean)(...toClean);
return _out;
},
decrypt(ciphertext, dst) {
validateBlockDecrypt(ciphertext);
const xk = expandKeyDecLE(key);
let _iv = iv;
const toClean = [xk];
if (!(0, utils_ts_1.isAligned32)(_iv))
toClean.push((_iv = (0, utils_ts_1.copyBytes)(_iv)));
const n32 = (0, utils_ts_1.u32)(_iv);
dst = (0, utils_ts_1.getOutput)(ciphertext.length, dst);
if (!(0, utils_ts_1.isAligned32)(ciphertext))
toClean.push((ciphertext = (0, utils_ts_1.copyBytes)(ciphertext)));
(0, utils_ts_1.complexOverlapBytes)(ciphertext, dst);
const b = (0, utils_ts_1.u32)(ciphertext);
const o = (0, utils_ts_1.u32)(dst);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
for (let i = 0; i + 4 <= b.length;) {
// prettier-ignore
const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
(s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3);
(o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
}
(0, utils_ts_1.clean)(...toClean);
return validatePCKS(dst, pcks5);
},
};
});
/**
* CFB: Cipher Feedback Mode. The input for the block cipher is the previous cipher output.
* Unauthenticated: needs MAC.
*/
exports.cfb = (0, utils_ts_1.wrapCipher)({ blockSize: 16, nonceLength: 16 }, function aescfb(key, iv) {
function processCfb(src, isEncrypt, dst) {
(0, utils_ts_1.abytes)(src);
const srcLen = src.length;
dst = (0, utils_ts_1.getOutput)(srcLen, dst);
if ((0, utils_ts_1.overlapBytes)(src, dst))
throw new Error('overlapping src and dst not supported.');
const xk = expandKeyLE(key);
let _iv = iv;
const toClean = [xk];
if (!(0, utils_ts_1.isAligned32)(_iv))
toClean.push((_iv = (0, utils_ts_1.copyBytes)(_iv)));
if (!(0, utils_ts_1.isAligned32)(src))
toClean.push((src = (0, utils_ts_1.copyBytes)(src)));
const src32 = (0, utils_ts_1.u32)(src);
const dst32 = (0, utils_ts_1.u32)(dst);
const next32 = isEncrypt ? dst32 : src32;
const n32 = (0, utils_ts_1.u32)(_iv);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
for (let i = 0; i + 4 <= src32.length;) {
const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt(xk, s0, s1, s2, s3);
dst32[i + 0] = src32[i + 0] ^ e0;
dst32[i + 1] = src32[i + 1] ^ e1;
dst32[i + 2] = src32[i + 2] ^ e2;
dst32[i + 3] = src32[i + 3] ^ e3;
(s0 = next32[i++]), (s1 = next32[i++]), (s2 = next32[i++]), (s3 = next32[i++]);
}
// leftovers (less than block)
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
const buf = (0, utils_ts_1.u8)(new Uint32Array([s0, s1, s2, s3]));
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
(0, utils_ts_1.clean)(buf);
}
(0, utils_ts_1.clean)(...toClean);
return dst;
}
return {
encrypt: (plaintext, dst) => processCfb(plaintext, true, dst),
decrypt: (ciphertext, dst) => processCfb(ciphertext, false, dst),
};
});
// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen
function computeTag(fn, isLE, key, data, AAD) {
const aadLength = AAD ? AAD.length : 0;
const h = fn.create(key, data.length + aadLength);
if (AAD)
h.update(AAD);
const num = (0, utils_ts_1.u64Lengths)(8 * data.length, 8 * aadLength, isLE);
h.update(data);
h.update(num);
const res = h.digest();
(0, utils_ts_1.clean)(num);
return res;
}
/**
* GCM: Galois/Counter Mode.
* Modern, parallel version of CTR, with MAC.
* Be careful: MACs can be forged.
* Unsafe to use random nonces under the same key, due to collision chance.
* As for nonce size, prefer 12-byte, instead of 8-byte.
*/
exports.gcm = (0, utils_ts_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16, varSizeNonce: true }, function aesgcm(key, nonce, AAD) {
// NIST 800-38d doesn't enforce minimum nonce length.
// We enforce 8 bytes for compat with openssl.
// 12 bytes are recommended. More than 12 bytes would be converted into 12.
if (nonce.length < 8)
throw new Error('aes/gcm: invalid nonce length');
const tagLength = 16;
function _computeTag(authKey, tagMask, data) {
const tag = computeTag(_polyval_ts_1.ghash, false, authKey, data, AAD);
for (let i = 0; i < tagMask.length; i++)
tag[i] ^= tagMask[i];
return tag;
}
function deriveKeys() {
const xk = expandKeyLE(key);
const authKey = EMPTY_BLOCK.slice();
const counter = EMPTY_BLOCK.slice();
ctr32(xk, false, counter, counter, authKey);
// NIST 800-38d, page 15: different behavior for 96-bit and non-96-bit nonces
if (nonce.length === 12) {
counter.set(nonce);
}
else {
const nonceLen = EMPTY_BLOCK.slice();
const view = (0, utils_ts_1.createView)(nonceLen);
(0, utils_ts_1.setBigUint64)(view, 8, BigInt(nonce.length * 8), false);
// ghash(nonce || u64be(0) || u64be(nonceLen*8))
const g = _polyval_ts_1.ghash.create(authKey).update(nonce).update(nonceLen);
g.digestInto(counter); // digestInto doesn't trigger '.destroy'
g.destroy();
}
const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
return { xk, authKey, counter, tagMask };
}
return {
encrypt(plaintext) {
const { xk, authKey, counter, tagMask } = deriveKeys();
const out = new Uint8Array(plaintext.length + tagLength);
const toClean = [xk, authKey, counter, tagMask];
if (!(0, utils_ts_1.isAligned32)(plaintext))
toClean.push((plaintext = (0, utils_ts_1.copyBytes)(plaintext)));
ctr32(xk, false, counter, plaintext, out.subarray(0, plaintext.length));
const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
toClean.push(tag);
out.set(tag, plaintext.length);
(0, utils_ts_1.clean)(...toClean);
return out;
},
decrypt(ciphertext) {
const { xk, authKey, counter, tagMask } = deriveKeys();
const toClean = [xk, authKey, tagMask, counter];
if (!(0, utils_ts_1.isAligned32)(ciphertext))
toClean.push((ciphertext = (0, utils_ts_1.copyBytes)(ciphertext)));
const data = ciphertext.subarray(0, -tagLength);
const passedTag = ciphertext.subarray(-tagLength);
const tag = _computeTag(authKey, tagMask, data);
toClean.push(tag);
if (!(0, utils_ts_1.equalBytes)(tag, passedTag))
throw new Error('aes/gcm: invalid ghash tag');
const out = ctr32(xk, false, counter, data);
(0, utils_ts_1.clean)(...toClean);
return out;
},
};
});
const limit = (name, min, max) => (value) => {
if (!Number.isSafeInteger(value) || min > value || value > max) {
const minmax = '[' + min + '..' + max + ']';
throw new Error('' + name + ': expected value in range ' + minmax + ', got ' + value);
}
};
/**
* AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
* Guarantees that, when a nonce is repeated, the only security loss is that identical
* plaintexts will produce identical ciphertexts.
* RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
*/
exports.gcmsiv = (0, utils_ts_1.wrapCipher)({ blockSize: 16, nonceLength: 12, tagLength: 16, varSizeNonce: true }, function aessiv(key, nonce, AAD) {
const tagLength = 16;
// From RFC 8452: Section 6
const AAD_LIMIT = limit('AAD', 0, 2 ** 36);
const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36);
const NONCE_LIMIT = limit('nonce', 12, 12);
const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16);
(0, utils_ts_1.abytes)(key, 16, 24, 32);
NONCE_LIMIT(nonce.length);
if (AAD !== undefined)
AAD_LIMIT(AAD.length);
function deriveKeys() {
const xk = expandKeyLE(key);
const encKey = new Uint8Array(key.length);
const authKey = new Uint8Array(16);
const toClean = [xk, encKey];
let _nonce = nonce;
if (!(0, utils_ts_1.isAligned32)(_nonce))
toClean.push((_nonce = (0, utils_ts_1.copyBytes)(_nonce)));
const n32 = (0, utils_ts_1.u32)(_nonce);
// prettier-ignore
let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2];
let counter = 0;
for (const derivedKey of [authKey, encKey].map(utils_ts_1.u32)) {
const d32 = (0, utils_ts_1.u32)(derivedKey);
for (let i = 0; i < d32.length; i += 2) {
// aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ...
const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3);
d32[i + 0] = o0;
d32[i + 1] = o1;
s0 = ++counter; // increment counter inside state
}
}
const res = { authKey, encKey: expandKeyLE(encKey) };
// Cleanup
(0, utils_ts_1.clean)(...toClean);
return res;
}
function _computeTag(encKey, authKey, data) {
const tag = computeTag(_polyval_ts_1.polyval, true, authKey, data, AAD);
// Compute the expected tag by XORing S_s and the nonce, clearing the
// most significant bit of the last byte and encrypting with the
// message-encryption key.
for (let i = 0; i < 12; i++)
tag[i] ^= nonce[i];
tag[15] &= 0x7f; // Clear the highest bit
// encrypt tag as block
const t32 = (0, utils_ts_1.u32)(tag);
// prettier-ignore
let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3];
({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3));
(t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3);
return tag;
}
// actual decrypt/encrypt of message.
function processSiv(encKey, tag, input) {
let block = (0, utils_ts_1.copyBytes)(tag);
block[15] |= 0x80; // Force highest bit
const res = ctr32(encKey, true, block, input);
// Cleanup
(0, utils_ts_1.clean)(block);
return res;
}
return {
encrypt(plaintext) {
PLAIN_LIMIT(plaintext.length);
const { encKey, authKey } = deriveKeys();
const tag = _computeTag(encKey, authKey, plaintext);
const toClean = [encKey, authKey, tag];
if (!(0, utils_ts_1.isAligned32)(plaintext))
toClean.push((plaintext = (0, utils_ts_1.copyBytes)(plaintext)));
const out = new Uint8Array(plaintext.length + tagLength);
out.set(tag, plaintext.length);
out.set(processSiv(encKey, tag, plaintext));
// Cleanup
(0, utils_ts_1.clean)(...toClean);
return out;
},
decrypt(ciphertext) {
CIPHER_LIMIT(ciphertext.length);
const tag = ciphertext.subarray(-tagLength);
const { encKey, authKey } = deriveKeys();
const toClean = [encKey, authKey];
if (!(0, utils_ts_1.isAligned32)(ciphertext))
toClean.push((ciphertext = (0, utils_ts_1.copyBytes)(ciphertext)));
const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength));
const expectedTag = _computeTag(encKey, authKey, plaintext);
toClean.push(expectedTag);
if (!(0, utils_ts_1.equalBytes)(tag, expectedTag)) {
(0, utils_ts_1.clean)(...toClean);
throw new Error('invalid polyval tag');
}
// Cleanup
(0, utils_ts_1.clean)(...toClean);
return plaintext;
},
};
});
/**
* AES-GCM-SIV, not AES-SIV.
* This is legace name, use `gcmsiv` export instead.
* @deprecated
*/
exports.siv = exports.gcmsiv;
function isBytes32(a) {
return (a instanceof Uint32Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint32Array'));
}
function encryptBlock(xk, block) {
(0, utils_ts_1.abytes)(block, 16);
if (!isBytes32(xk))
throw new Error('_encryptBlock accepts result of expandKeyLE');
const b32 = (0, utils_ts_1.u32)(block);
let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]);
(b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
return block;
}
function decryptBlock(xk, block) {
(0, utils_ts_1.abytes)(block, 16);
if (!isBytes32(xk))
throw new Error('_decryptBlock accepts result of expandKeyLE');
const b32 = (0, utils_ts_1.u32)(block);
let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]);
(b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
return block;
}
/**
* AES-W (base for AESKW/AESKWP).
* Specs: [SP800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf),
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [RFC 5649](https://datatracker.ietf.org/doc/rfc5649/).
*/
const AESW = {
/*
High-level pseudocode:
```
A: u64 = IV
out = []
for (let i=0, ctr = 0; i<6; i++) {
for (const chunk of chunks(plaintext, 8)) {
A ^= swapEndianess(ctr++)
[A, res] = chunks(encrypt(A || chunk), 8);
out ||= res
}
}
out = A || out
```
Decrypt is the same, but reversed.
*/
encrypt(kek, out) {
// Size is limited to 4GB, otherwise ctr will overflow and we'll need to switch to bigints.
// If you need it larger, open an issue.
if (out.length >= 2 ** 32)
throw new Error('plaintext should be less than 4gb');
const xk = expandKeyLE(kek);
if (out.length === 16)
encryptBlock(xk, out);
else {
const o32 = (0, utils_ts_1.u32)(out);
// prettier-ignore
let a0 = o32[0], a1 = o32[1]; // A
for (let j = 0, ctr = 1; j < 6; j++) {
for (let pos = 2; pos < o32.length; pos += 2, ctr++) {
const { s0, s1, s2, s3 } = encrypt(xk, a0, a1, o32[pos], o32[pos + 1]);
// A = MSB(64, B) ^ t where t = (n*j)+i
(a0 = s0), (a1 = s1 ^ byteSwap(ctr)), (o32[pos] = s2), (o32[pos + 1] = s3);
}
}
(o32[0] = a0), (o32[1] = a1); // out = A || out
}
xk.fill(0);
},
decrypt(kek, out) {
if (out.length - 8 >= 2 ** 32)
throw new Error('ciphertext should be less than 4gb');
const xk = expandKeyDecLE(kek);
const chunks = out.length / 8 - 1; // first chunk is IV
if (chunks === 1)
decryptBlock(xk, out);
else {
const o32 = (0, utils_ts_1.u32)(out);
// prettier-ignore
let a0 = o32[0], a1 = o32[1]; // A
for (let j = 0, ctr = chunks * 6; j < 6; j++) {
for (let pos = chunks * 2; pos >= 1; pos -= 2, ctr--) {
a1 ^= byteSwap(ctr);
const { s0, s1, s2, s3 } = decrypt(xk, a0, a1, o32[pos], o32[pos + 1]);
(a0 = s0), (a1 = s1), (o32[pos] = s2), (o32[pos + 1] = s3);
}
}
(o32[0] = a0), (o32[1] = a1);
}
xk.fill(0);
},
};
const AESKW_IV = /* @__PURE__ */ new Uint8Array(8).fill(0xa6); // A6A6A6A6A6A6A6A6
/**
* AES-KW (key-wrap). Injects static IV into plaintext, adds counter, encrypts 6 times.
* Reduces block size from 16 to 8 bytes.
* For padded version, use aeskwp.
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [NIST.SP.800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf).
*/
exports.aeskw = (0, utils_ts_1.wrapCipher)({ blockSize: 8 }, (kek) => ({
encrypt(plaintext) {
if (!plaintext.length || plaintext.length % 8 !== 0)
throw new Error('invalid plaintext length');
if (plaintext.length === 8)
throw new Error('8-byte keys not allowed in AESKW, use AESKWP instead');
const out = (0, utils_ts_1.concatBytes)(AESKW_IV, plaintext);
AESW.encrypt(kek, out);
return out;
},
decrypt(ciphertext) {
// ciphertext must be at least 24 bytes and a multiple of 8 bytes
// 24 because should have at least two block (1 iv + 2).
// Replace with 16 to enable '8-byte keys'
if (ciphertext.length % 8 !== 0 || ciphertext.length < 3 * 8)
throw new Error('invalid ciphertext length');
const out = (0, utils_ts_1.copyBytes)(ciphertext);
AESW.decrypt(kek, out);
if (!(0, utils_ts_1.equalBytes)(out.subarray(0, 8), AESKW_IV))
throw new Error('integrity check failed');
out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway
return out.subarray(8);
},
}));
/*
We don't support 8-byte keys. The rabbit hole:
- Wycheproof says: "NIST SP 800-38F does not define the wrapping of 8 byte keys.
RFC 3394 Section 2 on the other hand specifies that 8 byte keys are wrapped
by directly encrypting one block with AES."
- https://github.com/C2SP/wycheproof/blob/master/doc/key_wrap.md
- "RFC 3394 specifies in Section 2, that the input for the key wrap
algorithm must be at least two blocks and otherwise the constant
field and key are simply encrypted with ECB as a single block"
- What RFC 3394 actually says (in Section 2):
- "Before being wrapped, the key data is parsed into n blocks of 64 bits.
The only restriction the key wrap algorithm places on n is that n be
at least two"
- "For key data with length less than or equal to 64 bits, the constant
field used in this specification and the key data form a single
128-bit codebook input making this key wrap unnecessary."
- Which means "assert(n >= 2)" and "use something else for 8 byte keys"
- NIST SP800-38F actually prohibits 8-byte in "5.3.1 Mandatory Limits".
It states that plaintext for KW should be "2 to 2^54 -1 semiblocks".
- So, where does "directly encrypt single block with AES" come from?
- Not RFC 3394. Pseudocode of key wrap in 2.2 explicitly uses
loop of 6 for any code path
- There is a weird W3C spec:
https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#kw-aes128
- This spec is outdated, as admitted by Wycheproof authors
- There is RFC 5649 for padded key wrap, which is padding construction on
top of AESKW. In '4.1.2' it says: "If the padded plaintext contains exactly
eight octets, then prepend the AIV as defined in Section 3 above to P[1] and
encrypt the resulting 128-bit block using AES in ECB mode [Modes] with key
K (the KEK). In this case, the output is two 64-bit blocks C[0] and C[1]:"
- Browser subtle crypto is actually crashes on wrapping keys less than 16 bytes:
`Error: error:1C8000E6:Provider routines::invalid input length] { opensslErrorStack: [ 'error:030000BD:digital envelope routines::update error' ]`
In the end, seems like a bug in Wycheproof.
The 8-byte check can be easily disabled inside of AES_W.
*/
const AESKWP_IV = 0xa65959a6; // single u32le value
/**
* AES-KW, but with padding and allows random keys.
* Second u32 of IV is used as counter for length.
* [RFC 5649](https://www.rfc-editor.org/rfc/rfc5649)
*/
exports.aeskwp = (0, utils_ts_1.wrapCipher)({ blockSize: 8 }, (kek) => ({
encrypt(plaintext) {
if (!plaintext.length)
throw new Error('invalid plaintext length');
const padded = Math.ceil(plaintext.length / 8) * 8;
const out = new Uint8Array(8 + padded);
out.set(plaintext, 8);
const out32 = (0, utils_ts_1.u32)(out);
out32[0] = AESKWP_IV;
out32[1] = byteSwap(plaintext.length);
AESW.encrypt(kek, out);
return out;
},
decrypt(ciphertext) {
// 16 because should have at least one block
if (ciphertext.length < 16)
throw new Error('invalid ciphertext length');
const out = (0, utils_ts_1.copyBytes)(ciphertext);
const o32 = (0, utils_ts_1.u32)(out);
AESW.decrypt(kek, out);
const len = byteSwap(o32[1]) >>> 0;
const padded = Math.ceil(len / 8) * 8;
if (o32[0] !== AESKWP_IV || out.length - 8 !== padded)
throw new Error('integrity check failed');
for (let i = len; i < padded; i++)
if (out[8 + i] !== 0)
throw new Error('integrity check failed');
out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway
return out.subarray(8, 8 + len);
},
}));
/** Unsafe low-level internal methods. May change at any time. */
exports.unsafe = {
expandKeyLE,
expandKeyDecLE,
encrypt,
decrypt,
encryptBlock,
decryptBlock,
ctrCounter,
ctr32,
};
//# sourceMappingURL=aes.js.map

1
node_modules/@noble/ciphers/aes.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

56
node_modules/@noble/ciphers/chacha.d.ts generated vendored Normal file
View File

@@ -0,0 +1,56 @@
import { type ARXCipher, type CipherWithOutput, type XorStream } from './utils.ts';
/**
* hchacha helper method, used primarily in xchacha, to hash
* key and nonce into key' and nonce'.
* Same as chachaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
export declare function hchacha(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/**
* Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter.
*/
export declare const chacha20orig: XorStream;
/**
* ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
* With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
*/
export declare const chacha20: XorStream;
/**
* XChaCha eXtended-nonce ChaCha. 24-byte nonce.
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
* https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
*/
export declare const xchacha20: XorStream;
/**
* Reduced 8-round chacha, described in original paper.
*/
export declare const chacha8: XorStream;
/**
* Reduced 12-round chacha, described in original paper.
*/
export declare const chacha12: XorStream;
/**
* AEAD algorithm from RFC 8439.
* Salsa20 and chacha (RFC 8439) use poly1305 differently.
* We could have composed them similar to:
* https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
* But it's hard because of authKey:
* In salsa20, authKey changes position in salsa stream.
* In chacha, authKey can't be computed inside computeTag, it modifies the counter.
*/
export declare const _poly1305_aead: (xorStream: XorStream) => (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => CipherWithOutput;
/**
* ChaCha20-Poly1305 from RFC 8439.
*
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XChaCha instead.
*/
export declare const chacha20poly1305: ARXCipher;
/**
* XChaCha20-Poly1305 extended-nonce chacha.
*
* Can be safely used with random nonces (CSPRNG).
* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
*/
export declare const xchacha20poly1305: ARXCipher;
//# sourceMappingURL=chacha.d.ts.map

1
node_modules/@noble/ciphers/chacha.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"chacha.d.ts","sourceRoot":"","sources":["src/chacha.ts"],"names":[],"mappings":"AAgBA,OAAO,EACL,KAAK,SAAS,EACd,KAAK,gBAAgB,EACrB,KAAK,SAAS,EAMf,MAAM,YAAY,CAAC;AAsEpB;;;;;GAKG;AAEH,wBAAgB,OAAO,CACrB,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAC/D,IAAI,CAmDN;AACD;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,SAIzB,CAAC;AACH;;;GAGG;AACH,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,SAAS,EAAE,SAKtB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE,SAIpB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AA6BH;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,GACxB,WAAW,SAAS,MACpB,KAAK,UAAU,EAAE,OAAO,UAAU,EAAE,MAAM,UAAU,KAAG,gBA0BvD,CAAC;AAEJ;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAG9B,CAAC;AACF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,SAG/B,CAAC"}

320
node_modules/@noble/ciphers/chacha.js generated vendored Normal file
View File

@@ -0,0 +1,320 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.xchacha20poly1305 = exports.chacha20poly1305 = exports._poly1305_aead = exports.chacha12 = exports.chacha8 = exports.xchacha20 = exports.chacha20 = exports.chacha20orig = void 0;
exports.hchacha = hchacha;
/**
* [ChaCha20](https://cr.yp.to/chacha.html) stream cipher, released
* in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
* It was standardized in [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and
* is now used in TLS 1.3.
*
* [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
* extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
* randomly-generated nonces.
*
* Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
* [wiki](https://en.wikipedia.org/wiki/Salsa20).
* @module
*/
const _arx_ts_1 = require("./_arx.js");
const _poly1305_ts_1 = require("./_poly1305.js");
const utils_ts_1 = require("./utils.js");
/**
* ChaCha core function.
*/
// prettier-ignore
function chachaCore(s, k, n, out, cnt, rounds = 20) {
let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k"
y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key
y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key
y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce
// Save state to temporary variables
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
for (let r = 0; r < rounds; r += 2) {
x00 = (x00 + x04) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x00, 16);
x08 = (x08 + x12) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x08, 12);
x00 = (x00 + x04) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x00, 8);
x08 = (x08 + x12) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x08, 7);
x01 = (x01 + x05) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x01, 16);
x09 = (x09 + x13) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x09, 12);
x01 = (x01 + x05) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x01, 8);
x09 = (x09 + x13) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x09, 7);
x02 = (x02 + x06) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x02, 16);
x10 = (x10 + x14) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x10, 12);
x02 = (x02 + x06) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x02, 8);
x10 = (x10 + x14) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x10, 7);
x03 = (x03 + x07) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x03, 16);
x11 = (x11 + x15) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x11, 12);
x03 = (x03 + x07) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x03, 8);
x11 = (x11 + x15) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x11, 7);
x00 = (x00 + x05) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x00, 16);
x10 = (x10 + x15) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x10, 12);
x00 = (x00 + x05) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x00, 8);
x10 = (x10 + x15) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x10, 7);
x01 = (x01 + x06) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x01, 16);
x11 = (x11 + x12) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x11, 12);
x01 = (x01 + x06) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x01, 8);
x11 = (x11 + x12) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x11, 7);
x02 = (x02 + x07) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x02, 16);
x08 = (x08 + x13) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x08, 12);
x02 = (x02 + x07) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x02, 8);
x08 = (x08 + x13) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x08, 7);
x03 = (x03 + x04) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x03, 16);
x09 = (x09 + x14) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x09, 12);
x03 = (x03 + x04) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x03, 8);
x09 = (x09 + x14) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x09, 7);
}
// Write output
let oi = 0;
out[oi++] = (y00 + x00) | 0;
out[oi++] = (y01 + x01) | 0;
out[oi++] = (y02 + x02) | 0;
out[oi++] = (y03 + x03) | 0;
out[oi++] = (y04 + x04) | 0;
out[oi++] = (y05 + x05) | 0;
out[oi++] = (y06 + x06) | 0;
out[oi++] = (y07 + x07) | 0;
out[oi++] = (y08 + x08) | 0;
out[oi++] = (y09 + x09) | 0;
out[oi++] = (y10 + x10) | 0;
out[oi++] = (y11 + x11) | 0;
out[oi++] = (y12 + x12) | 0;
out[oi++] = (y13 + x13) | 0;
out[oi++] = (y14 + x14) | 0;
out[oi++] = (y15 + x15) | 0;
}
/**
* hchacha helper method, used primarily in xchacha, to hash
* key and nonce into key' and nonce'.
* Same as chachaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
// prettier-ignore
function hchacha(s, k, i, o32) {
let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
for (let r = 0; r < 20; r += 2) {
x00 = (x00 + x04) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x00, 16);
x08 = (x08 + x12) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x08, 12);
x00 = (x00 + x04) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x00, 8);
x08 = (x08 + x12) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x08, 7);
x01 = (x01 + x05) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x01, 16);
x09 = (x09 + x13) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x09, 12);
x01 = (x01 + x05) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x01, 8);
x09 = (x09 + x13) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x09, 7);
x02 = (x02 + x06) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x02, 16);
x10 = (x10 + x14) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x10, 12);
x02 = (x02 + x06) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x02, 8);
x10 = (x10 + x14) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x10, 7);
x03 = (x03 + x07) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x03, 16);
x11 = (x11 + x15) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x11, 12);
x03 = (x03 + x07) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x03, 8);
x11 = (x11 + x15) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x11, 7);
x00 = (x00 + x05) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x00, 16);
x10 = (x10 + x15) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x10, 12);
x00 = (x00 + x05) | 0;
x15 = (0, _arx_ts_1.rotl)(x15 ^ x00, 8);
x10 = (x10 + x15) | 0;
x05 = (0, _arx_ts_1.rotl)(x05 ^ x10, 7);
x01 = (x01 + x06) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x01, 16);
x11 = (x11 + x12) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x11, 12);
x01 = (x01 + x06) | 0;
x12 = (0, _arx_ts_1.rotl)(x12 ^ x01, 8);
x11 = (x11 + x12) | 0;
x06 = (0, _arx_ts_1.rotl)(x06 ^ x11, 7);
x02 = (x02 + x07) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x02, 16);
x08 = (x08 + x13) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x08, 12);
x02 = (x02 + x07) | 0;
x13 = (0, _arx_ts_1.rotl)(x13 ^ x02, 8);
x08 = (x08 + x13) | 0;
x07 = (0, _arx_ts_1.rotl)(x07 ^ x08, 7);
x03 = (x03 + x04) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x03, 16);
x09 = (x09 + x14) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x09, 12);
x03 = (x03 + x04) | 0;
x14 = (0, _arx_ts_1.rotl)(x14 ^ x03, 8);
x09 = (x09 + x14) | 0;
x04 = (0, _arx_ts_1.rotl)(x04 ^ x09, 7);
}
let oi = 0;
o32[oi++] = x00;
o32[oi++] = x01;
o32[oi++] = x02;
o32[oi++] = x03;
o32[oi++] = x12;
o32[oi++] = x13;
o32[oi++] = x14;
o32[oi++] = x15;
}
/**
* Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter.
*/
exports.chacha20orig = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 8,
allowShortKeys: true,
});
/**
* ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
* With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
*/
exports.chacha20 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
allowShortKeys: false,
});
/**
* XChaCha eXtended-nonce ChaCha. 24-byte nonce.
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
* https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
*/
exports.xchacha20 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 8,
extendNonceFn: hchacha,
allowShortKeys: false,
});
/**
* Reduced 8-round chacha, described in original paper.
*/
exports.chacha8 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 8,
});
/**
* Reduced 12-round chacha, described in original paper.
*/
exports.chacha12 = (0, _arx_ts_1.createCipher)(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 12,
});
const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
// Pad to digest size with zeros
const updatePadded = (h, msg) => {
h.update(msg);
const left = msg.length % 16;
if (left)
h.update(ZEROS16.subarray(left));
};
const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
function computeTag(fn, key, nonce, data, AAD) {
const authKey = fn(key, nonce, ZEROS32);
const h = _poly1305_ts_1.poly1305.create(authKey);
if (AAD)
updatePadded(h, AAD);
updatePadded(h, data);
const num = (0, utils_ts_1.u64Lengths)(data.length, AAD ? AAD.length : 0, true);
h.update(num);
const res = h.digest();
(0, utils_ts_1.clean)(authKey, num);
return res;
}
/**
* AEAD algorithm from RFC 8439.
* Salsa20 and chacha (RFC 8439) use poly1305 differently.
* We could have composed them similar to:
* https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
* But it's hard because of authKey:
* In salsa20, authKey changes position in salsa stream.
* In chacha, authKey can't be computed inside computeTag, it modifies the counter.
*/
const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
const tagLength = 16;
return {
encrypt(plaintext, output) {
const plength = plaintext.length;
output = (0, utils_ts_1.getOutput)(plength + tagLength, output, false);
output.set(plaintext);
const oPlain = output.subarray(0, -tagLength);
xorStream(key, nonce, oPlain, oPlain, 1);
const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
output.set(tag, plength); // append tag
(0, utils_ts_1.clean)(tag);
return output;
},
decrypt(ciphertext, output) {
output = (0, utils_ts_1.getOutput)(ciphertext.length - tagLength, output, false);
const data = ciphertext.subarray(0, -tagLength);
const passedTag = ciphertext.subarray(-tagLength);
const tag = computeTag(xorStream, key, nonce, data, AAD);
if (!(0, utils_ts_1.equalBytes)(passedTag, tag))
throw new Error('invalid tag');
output.set(ciphertext.subarray(0, -tagLength));
xorStream(key, nonce, output, output, 1); // start stream with i=1
(0, utils_ts_1.clean)(tag);
return output;
},
};
};
exports._poly1305_aead = _poly1305_aead;
/**
* ChaCha20-Poly1305 from RFC 8439.
*
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XChaCha instead.
*/
exports.chacha20poly1305 = (0, utils_ts_1.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, (0, exports._poly1305_aead)(exports.chacha20));
/**
* XChaCha20-Poly1305 extended-nonce chacha.
*
* Can be safely used with random nonces (CSPRNG).
* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
*/
exports.xchacha20poly1305 = (0, utils_ts_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (0, exports._poly1305_aead)(exports.xchacha20));
//# sourceMappingURL=chacha.js.map

1
node_modules/@noble/ciphers/chacha.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

2
node_modules/@noble/ciphers/crypto.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export declare const crypto: any;
//# sourceMappingURL=crypto.d.ts.map

1
node_modules/@noble/ciphers/crypto.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["src/crypto.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,MAAM,EAAE,GACqE,CAAC"}

5
node_modules/@noble/ciphers/crypto.js generated vendored Normal file
View File

@@ -0,0 +1,5 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.crypto = void 0;
exports.crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
//# sourceMappingURL=crypto.js.map

1
node_modules/@noble/ciphers/crypto.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["src/crypto.ts"],"names":[],"mappings":";;;AAOa,QAAA,MAAM,GACjB,OAAO,UAAU,KAAK,QAAQ,IAAI,QAAQ,IAAI,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC"}

2
node_modules/@noble/ciphers/cryptoNode.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export declare const crypto: any;
//# sourceMappingURL=cryptoNode.d.ts.map

1
node_modules/@noble/ciphers/cryptoNode.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"cryptoNode.d.ts","sourceRoot":"","sources":["src/cryptoNode.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,MAAM,EAAE,GAKJ,CAAC"}

18
node_modules/@noble/ciphers/cryptoNode.js generated vendored Normal file
View File

@@ -0,0 +1,18 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.crypto = void 0;
/**
* Internal webcrypto alias.
* We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.
* Falls back to Node.js built-in crypto for Node.js <=v14.
* See utils.ts for details.
* @module
*/
// @ts-ignore
const nc = require("node:crypto");
exports.crypto = nc && typeof nc === 'object' && 'webcrypto' in nc
? nc.webcrypto
: nc && typeof nc === 'object' && 'randomBytes' in nc
? nc
: undefined;
//# sourceMappingURL=cryptoNode.js.map

1
node_modules/@noble/ciphers/cryptoNode.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"cryptoNode.js","sourceRoot":"","sources":["src/cryptoNode.ts"],"names":[],"mappings":";;;AAAA;;;;;;GAMG;AACH,aAAa;AACb,kCAAkC;AACrB,QAAA,MAAM,GACjB,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,WAAW,IAAI,EAAE;IAC/C,CAAC,CAAE,EAAE,CAAC,SAAiB;IACvB,CAAC,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,aAAa,IAAI,EAAE;QACnD,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,SAAS,CAAC"}

59
node_modules/@noble/ciphers/esm/_arx.d.ts generated vendored Normal file
View File

@@ -0,0 +1,59 @@
/**
* Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
RFC8439 requires multi-step cipher stream, where
authKey starts with counter: 0, actual msg with counter: 1.
For this, we need a way to re-use nonce / counter:
const counter = new Uint8Array(4);
chacha(..., counter, ...); // counter is now 1
chacha(..., counter, ...); // counter is now 2
This is complicated:
- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
- Original papers don't allow mutating counters
- Counter overflow is undefined [^1]
- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
- Caveat: Cannot be re-used through all cases:
- * chacha has (counter | nonce)
- * xchacha has (nonce16 | counter | nonce16)
- Idea B: separate nonce / counter and provide separate API for counter re-use
- Caveat: there are different counter sizes depending on an algorithm.
- salsa & chacha also differ in structures of key & sigma:
salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
chacha: s(4) | k(8) | ctr(1) | nonce(3)
chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
- Caveat: we can't re-use counter array
xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
* @module
*/
import { type XorStream } from './utils.ts';
export declare function rotl(a: number, b: number): number;
/** Ciphers must use u32 for efficiency. */
export type CipherCoreFn = (sigma: Uint32Array, key: Uint32Array, nonce: Uint32Array, output: Uint32Array, counter: number, rounds?: number) => void;
/** Method which extends key + short nonce into larger nonce / diff key. */
export type ExtendNonceFn = (sigma: Uint32Array, key: Uint32Array, input: Uint32Array, output: Uint32Array) => void;
/** ARX cipher options.
* * `allowShortKeys` for 16-byte keys
* * `counterLength` in bytes
* * `counterRight`: right: `nonce|counter`; left: `counter|nonce`
* */
export type CipherOpts = {
allowShortKeys?: boolean;
extendNonceFn?: ExtendNonceFn;
counterLength?: number;
counterRight?: boolean;
rounds?: number;
};
/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
export declare function createCipher(core: CipherCoreFn, opts: CipherOpts): XorStream;
//# sourceMappingURL=_arx.d.ts.map

1
node_modules/@noble/ciphers/esm/_arx.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_arx.d.ts","sourceRoot":"","sources":["../src/_arx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EACL,KAAK,SAAS,EACf,MAAM,YAAY,CAAC;AAUpB,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED,2CAA2C;AAC3C,MAAM,MAAM,YAAY,GAAG,CACzB,KAAK,EAAE,WAAW,EAClB,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,KACZ,IAAI,CAAC;AAEV,2EAA2E;AAC3E,MAAM,MAAM,aAAa,GAAG,CAC1B,KAAK,EAAE,WAAW,EAClB,GAAG,EAAE,WAAW,EAChB,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,KAChB,IAAI,CAAC;AAEV;;;;KAIK;AACL,MAAM,MAAM,UAAU,GAAG;IACvB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAwDF,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,GAAG,SAAS,CAkF5E"}

171
node_modules/@noble/ciphers/esm/_arx.js generated vendored Normal file
View File

@@ -0,0 +1,171 @@
/**
* Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
RFC8439 requires multi-step cipher stream, where
authKey starts with counter: 0, actual msg with counter: 1.
For this, we need a way to re-use nonce / counter:
const counter = new Uint8Array(4);
chacha(..., counter, ...); // counter is now 1
chacha(..., counter, ...); // counter is now 2
This is complicated:
- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
- Original papers don't allow mutating counters
- Counter overflow is undefined [^1]
- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
- Caveat: Cannot be re-used through all cases:
- * chacha has (counter | nonce)
- * xchacha has (nonce16 | counter | nonce16)
- Idea B: separate nonce / counter and provide separate API for counter re-use
- Caveat: there are different counter sizes depending on an algorithm.
- salsa & chacha also differ in structures of key & sigma:
salsa20: s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
chacha: s(4) | k(8) | ctr(1) | nonce(3)
chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
- Caveat: we can't re-use counter array
xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
* @module
*/
// prettier-ignore
import { abool, abytes, anumber, checkOpts, clean, copyBytes, u32 } from "./utils.js";
// We can't make top-level var depend on utils.utf8ToBytes
// because it's not present in all envs. Creating a similar fn here
const _utf8ToBytes = (str) => Uint8Array.from(str.split('').map((c) => c.charCodeAt(0)));
const sigma16 = _utf8ToBytes('expand 16-byte k');
const sigma32 = _utf8ToBytes('expand 32-byte k');
const sigma16_32 = u32(sigma16);
const sigma32_32 = u32(sigma32);
export function rotl(a, b) {
return (a << b) | (a >>> (32 - b));
}
// Is byte array aligned to 4 byte offset (u32)?
function isAligned32(b) {
return b.byteOffset % 4 === 0;
}
// Salsa and Chacha block length is always 512-bit
const BLOCK_LEN = 64;
const BLOCK_LEN32 = 16;
// new Uint32Array([2**32]) // => Uint32Array(1) [ 0 ]
// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
const MAX_COUNTER = 2 ** 32 - 1;
const U32_EMPTY = new Uint32Array();
function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
const len = data.length;
const block = new Uint8Array(BLOCK_LEN);
const b32 = u32(block);
// Make sure that buffers aligned to 4 bytes
const isAligned = isAligned32(data) && isAligned32(output);
const d32 = isAligned ? u32(data) : U32_EMPTY;
const o32 = isAligned ? u32(output) : U32_EMPTY;
for (let pos = 0; pos < len; counter++) {
core(sigma, key, nonce, b32, counter, rounds);
if (counter >= MAX_COUNTER)
throw new Error('arx: counter overflow');
const take = Math.min(BLOCK_LEN, len - pos);
// aligned to 4 bytes
if (isAligned && take === BLOCK_LEN) {
const pos32 = pos / 4;
if (pos % 4 !== 0)
throw new Error('arx: invalid block position');
for (let j = 0, posj; j < BLOCK_LEN32; j++) {
posj = pos32 + j;
o32[posj] = d32[posj] ^ b32[j];
}
pos += BLOCK_LEN;
continue;
}
for (let j = 0, posj; j < take; j++) {
posj = pos + j;
output[posj] = data[posj] ^ block[j];
}
pos += take;
}
}
/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
export function createCipher(core, opts) {
const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
if (typeof core !== 'function')
throw new Error('core must be a function');
anumber(counterLength);
anumber(rounds);
abool(counterRight);
abool(allowShortKeys);
return (key, nonce, data, output, counter = 0) => {
abytes(key);
abytes(nonce);
abytes(data);
const len = data.length;
if (output === undefined)
output = new Uint8Array(len);
abytes(output);
anumber(counter);
if (counter < 0 || counter >= MAX_COUNTER)
throw new Error('arx: counter overflow');
if (output.length < len)
throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
const toClean = [];
// Key & sigma
// key=16 -> sigma16, k=key|key
// key=32 -> sigma32, k=key
let l = key.length;
let k;
let sigma;
if (l === 32) {
toClean.push((k = copyBytes(key)));
sigma = sigma32_32;
}
else if (l === 16 && allowShortKeys) {
k = new Uint8Array(32);
k.set(key);
k.set(key, 16);
sigma = sigma16_32;
toClean.push(k);
}
else {
throw new Error(`arx: invalid 32-byte key, got length=${l}`);
}
// Nonce
// salsa20: 8 (8-byte counter)
// chacha20orig: 8 (8-byte counter)
// chacha20: 12 (4-byte counter)
// xsalsa20: 24 (16 -> hsalsa, 8 -> old nonce)
// xchacha20: 24 (16 -> hchacha, 8 -> old nonce)
// Align nonce to 4 bytes
if (!isAligned32(nonce))
toClean.push((nonce = copyBytes(nonce)));
const k32 = u32(k);
// hsalsa & hchacha: handle extended nonce
if (extendNonceFn) {
if (nonce.length !== 24)
throw new Error(`arx: extended nonce must be 24 bytes`);
extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32);
nonce = nonce.subarray(16);
}
// Handle nonce counter
const nonceNcLen = 16 - counterLength;
if (nonceNcLen !== nonce.length)
throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
// Pad counter when nonce is 64 bit
if (nonceNcLen !== 12) {
const nc = new Uint8Array(12);
nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
nonce = nc;
toClean.push(nonce);
}
const n32 = u32(nonce);
runCipher(core, sigma, k32, n32, data, output, counter, rounds);
clean(...toClean);
return output;
};
}
//# sourceMappingURL=_arx.js.map

1
node_modules/@noble/ciphers/esm/_arx.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

19
node_modules/@noble/ciphers/esm/_assert.d.ts generated vendored Normal file
View File

@@ -0,0 +1,19 @@
/**
* Internal assertion helpers.
* @module
* @deprecated
*/
import { abytes as ab, abool as abool_, aexists as ae, anumber as an, aoutput as ao, type IHash as H } from './utils.ts';
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const abool: typeof abool_;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const abytes: typeof ab;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const aexists: typeof ae;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const anumber: typeof an;
/** @deprecated Use import from `noble/hashes/utils` module */
export declare const aoutput: typeof ao;
/** @deprecated Use import from `noble/hashes/utils` module */
export type Hash = H;
//# sourceMappingURL=_assert.d.ts.map

1
node_modules/@noble/ciphers/esm/_assert.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_assert.d.ts","sourceRoot":"","sources":["../src/_assert.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,MAAM,IAAI,EAAE,EACZ,KAAK,IAAI,MAAM,EACf,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,EACb,KAAK,KAAK,IAAI,CAAC,EAChB,MAAM,YAAY,CAAC;AACpB,8DAA8D;AAC9D,eAAO,MAAM,KAAK,EAAE,OAAO,MAAe,CAAC;AAC3C,8DAA8D;AAC9D,eAAO,MAAM,MAAM,EAAE,OAAO,EAAO,CAAC;AACpC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,eAAO,MAAM,OAAO,EAAE,OAAO,EAAO,CAAC;AACrC,8DAA8D;AAC9D,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC"}

17
node_modules/@noble/ciphers/esm/_assert.js generated vendored Normal file
View File

@@ -0,0 +1,17 @@
/**
* Internal assertion helpers.
* @module
* @deprecated
*/
import { abytes as ab, abool as abool_, aexists as ae, anumber as an, aoutput as ao, } from "./utils.js";
/** @deprecated Use import from `noble/hashes/utils` module */
export const abool = abool_;
/** @deprecated Use import from `noble/hashes/utils` module */
export const abytes = ab;
/** @deprecated Use import from `noble/hashes/utils` module */
export const aexists = ae;
/** @deprecated Use import from `noble/hashes/utils` module */
export const anumber = an;
/** @deprecated Use import from `noble/hashes/utils` module */
export const aoutput = ao;
//# sourceMappingURL=_assert.js.map

1
node_modules/@noble/ciphers/esm/_assert.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_assert.js","sourceRoot":"","sources":["../src/_assert.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,MAAM,IAAI,EAAE,EACZ,KAAK,IAAI,MAAM,EACf,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,EACb,OAAO,IAAI,EAAE,GAEd,MAAM,YAAY,CAAC;AACpB,8DAA8D;AAC9D,MAAM,CAAC,MAAM,KAAK,GAAkB,MAAM,CAAC;AAC3C,8DAA8D;AAC9D,MAAM,CAAC,MAAM,MAAM,GAAc,EAAE,CAAC;AACpC,8DAA8D;AAC9D,MAAM,CAAC,MAAM,OAAO,GAAc,EAAE,CAAC;AACrC,8DAA8D;AAC9D,MAAM,CAAC,MAAM,OAAO,GAAc,EAAE,CAAC;AACrC,8DAA8D;AAC9D,MAAM,CAAC,MAAM,OAAO,GAAc,EAAE,CAAC"}

41
node_modules/@noble/ciphers/esm/_micro.d.ts generated vendored Normal file
View File

@@ -0,0 +1,41 @@
import { type Cipher, type XorStream } from './utils.ts';
export type ARXCipherN = ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
};
/** hsalsa hashes key and nonce into key' and nonce'. */
export declare function hsalsa(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/** hchacha hashes key and nonce into key' and nonce'. */
export declare function hchacha(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/** salsa20, 12-byte nonce. */
export declare const salsa20: XorStream;
/** xsalsa20, 24-byte nonce. */
export declare const xsalsa20: XorStream;
/** chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. */
export declare const chacha20orig: XorStream;
/** chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. */
export declare const chacha20: XorStream;
/** xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha */
export declare const xchacha20: XorStream;
/** 8-round chacha from the original paper. */
export declare const chacha8: XorStream;
/** 12-round chacha from the original paper. */
export declare const chacha12: XorStream;
/** Poly1305 polynomial MAC. Can be speed-up using BigUint64Array, at the cost of complexity. */
export declare function poly1305(msg: Uint8Array, key: Uint8Array): Uint8Array;
/** xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. */
export declare const xsalsa20poly1305: ARXCipherN;
/** Alias to `xsalsa20poly1305`. */
export declare function secretbox(key: Uint8Array, nonce: Uint8Array): {
seal: (plaintext: Uint8Array) => Uint8Array;
open: (ciphertext: Uint8Array) => Uint8Array;
};
export declare const _poly1305_aead: (fn: XorStream) => (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher;
/** chacha20-poly1305 12-byte-nonce chacha. */
export declare const chacha20poly1305: ARXCipherN;
/**
* XChaCha20-Poly1305 extended-nonce chacha. Can be safely used with random nonces (CSPRNG).
*/
export declare const xchacha20poly1305: ARXCipherN;
//# sourceMappingURL=_micro.d.ts.map

1
node_modules/@noble/ciphers/esm/_micro.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_micro.d.ts","sourceRoot":"","sources":["../src/_micro.ts"],"names":[],"mappings":"AASA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,SAAS,EASf,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IAC5F,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAuEF,wDAAwD;AAExD,wBAAgB,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAAG,IAAI,CAa7F;AAsBD,yDAAyD;AAEzD,wBAAgB,OAAO,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAAG,IAAI,CAa9F;AAED,8BAA8B;AAC9B,eAAO,MAAM,OAAO,EAAE,SAGpB,CAAC;AAEH,+BAA+B;AAC/B,eAAO,MAAM,QAAQ,EAAE,SAGrB,CAAC;AAEH,+EAA+E;AAC/E,eAAO,MAAM,YAAY,EAAE,SAIzB,CAAC;AAEH,qEAAqE;AACrE,eAAO,MAAM,QAAQ,EAAE,SAGrB,CAAC;AAEH,8FAA8F;AAC9F,eAAO,MAAM,SAAS,EAAE,SAItB,CAAC;AAEH,8CAA8C;AAC9C,eAAO,MAAM,OAAO,EAAE,SAIpB,CAAC;AAEH,+CAA+C;AAC/C,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AAQH,gGAAgG;AAChG,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,UAAU,CAcrE;AAuBD,yDAAyD;AACzD,eAAO,MAAM,gBAAgB,EAAE,UAsB9B,CAAC;AAEF,mCAAmC;AACnC,wBAAgB,SAAS,CACvB,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,GAChB;IACD,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,UAAU,CAAC;IAC5C,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,KAAK,UAAU,CAAC;CAC9C,CAGA;AAED,eAAO,MAAM,cAAc,GACxB,IAAI,SAAS,MACb,KAAK,UAAU,EAAE,OAAO,UAAU,EAAE,MAAM,UAAU,KAAG,MAgBvD,CAAC;AAEJ,8CAA8C;AAC9C,eAAO,MAAM,gBAAgB,EAAE,UAG9B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,UAG/B,CAAC"}

252
node_modules/@noble/ciphers/esm/_micro.js generated vendored Normal file
View File

@@ -0,0 +1,252 @@
/**
* noble-ciphers-micro: more auditable, but 4x slower version of salsa20, chacha & poly1305.
* Implements the same algorithms that are present in other files, but without
* unrolled loops (https://en.wikipedia.org/wiki/Loop_unrolling).
* @module
*/
/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
// prettier-ignore
import { createCipher, rotl } from "./_arx.js";
import { abytes, bytesToHex, concatBytes, equalBytes, hexToNumber, numberToBytesBE, u64Lengths, wrapCipher, } from "./utils.js";
function bytesToNumberLE(bytes) {
abytes(bytes);
return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
}
function numberToBytesLE(n, len) {
return numberToBytesBE(n, len).reverse();
}
function salsaQR(x, a, b, c, d) {
x[b] ^= rotl((x[a] + x[d]) | 0, 7);
x[c] ^= rotl((x[b] + x[a]) | 0, 9);
x[d] ^= rotl((x[c] + x[b]) | 0, 13);
x[a] ^= rotl((x[d] + x[c]) | 0, 18);
}
// prettier-ignore
function chachaQR(x, a, b, c, d) {
x[a] = (x[a] + x[b]) | 0;
x[d] = rotl(x[d] ^ x[a], 16);
x[c] = (x[c] + x[d]) | 0;
x[b] = rotl(x[b] ^ x[c], 12);
x[a] = (x[a] + x[b]) | 0;
x[d] = rotl(x[d] ^ x[a], 8);
x[c] = (x[c] + x[d]) | 0;
x[b] = rotl(x[b] ^ x[c], 7);
}
function salsaRound(x, rounds = 20) {
for (let r = 0; r < rounds; r += 2) {
salsaQR(x, 0, 4, 8, 12);
salsaQR(x, 5, 9, 13, 1);
salsaQR(x, 10, 14, 2, 6);
salsaQR(x, 15, 3, 7, 11);
salsaQR(x, 0, 1, 2, 3);
salsaQR(x, 5, 6, 7, 4);
salsaQR(x, 10, 11, 8, 9);
salsaQR(x, 15, 12, 13, 14);
}
}
function chachaRound(x, rounds = 20) {
for (let r = 0; r < rounds; r += 2) {
chachaQR(x, 0, 4, 8, 12);
chachaQR(x, 1, 5, 9, 13);
chachaQR(x, 2, 6, 10, 14);
chachaQR(x, 3, 7, 11, 15);
chachaQR(x, 0, 5, 10, 15);
chachaQR(x, 1, 6, 11, 12);
chachaQR(x, 2, 7, 8, 13);
chachaQR(x, 3, 4, 9, 14);
}
}
function salsaCore(s, k, n, out, cnt, rounds = 20) {
// prettier-ignore
const y = new Uint32Array([
s[0], k[0], k[1], k[2], // "expa" Key Key Key
k[3], s[1], n[0], n[1], // Key "nd 3" Nonce Nonce
cnt, 0, s[2], k[4], // Pos. Pos. "2-by" Key
k[5], k[6], k[7], s[3], // Key Key Key "te k"
]);
const x = y.slice();
salsaRound(x, rounds);
for (let i = 0; i < 16; i++)
out[i] = (y[i] + x[i]) | 0;
}
/** hsalsa hashes key and nonce into key' and nonce'. */
// prettier-ignore
export function hsalsa(s, k, i, o32) {
const x = new Uint32Array([
s[0], k[0], k[1], k[2],
k[3], s[1], i[0], i[1],
i[2], i[3], s[2], k[4],
k[5], k[6], k[7], s[3]
]);
salsaRound(x, 20);
let oi = 0;
o32[oi++] = x[0];
o32[oi++] = x[5];
o32[oi++] = x[10];
o32[oi++] = x[15];
o32[oi++] = x[6];
o32[oi++] = x[7];
o32[oi++] = x[8];
o32[oi++] = x[9];
}
function chachaCore(s, k, n, out, cnt, rounds = 20) {
// prettier-ignore
const y = new Uint32Array([
s[0], s[1], s[2], s[3], // "expa" "nd 3" "2-by" "te k"
k[0], k[1], k[2], k[3], // Key Key Key Key
k[4], k[5], k[6], k[7], // Key Key Key Key
cnt, n[0], n[1], n[2], // Counter Counter Nonce Nonce
]);
const x = y.slice();
chachaRound(x, rounds);
for (let i = 0; i < 16; i++)
out[i] = (y[i] + x[i]) | 0;
}
/** hchacha hashes key and nonce into key' and nonce'. */
// prettier-ignore
export function hchacha(s, k, i, o32) {
const x = new Uint32Array([
s[0], s[1], s[2], s[3],
k[0], k[1], k[2], k[3],
k[4], k[5], k[6], k[7],
i[0], i[1], i[2], i[3],
]);
chachaRound(x, 20);
let oi = 0;
o32[oi++] = x[0];
o32[oi++] = x[1];
o32[oi++] = x[2];
o32[oi++] = x[3];
o32[oi++] = x[12];
o32[oi++] = x[13];
o32[oi++] = x[14];
o32[oi++] = x[15];
}
/** salsa20, 12-byte nonce. */
export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, {
allowShortKeys: true,
counterRight: true,
});
/** xsalsa20, 24-byte nonce. */
export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, {
counterRight: true,
extendNonceFn: hsalsa,
});
/** chacha20 non-RFC, original version by djb. 8-byte nonce, 8-byte counter. */
export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, {
allowShortKeys: true,
counterRight: false,
counterLength: 8,
});
/** chacha20 RFC 8439 (IETF / TLS). 12-byte nonce, 4-byte counter. */
export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
});
/** xchacha20 eXtended-nonce. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha */
export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 8,
extendNonceFn: hchacha,
});
/** 8-round chacha from the original paper. */
export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 8,
});
/** 12-round chacha from the original paper. */
export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 12,
});
const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5);
const POW_2_128_1 = BigInt(2) ** BigInt(16 * 8) - BigInt(1);
const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff');
const _0 = BigInt(0);
const _1 = BigInt(1);
/** Poly1305 polynomial MAC. Can be speed-up using BigUint64Array, at the cost of complexity. */
export function poly1305(msg, key) {
abytes(msg);
abytes(key, 32);
let acc = _0;
const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R;
const s = bytesToNumberLE(key.subarray(16));
// Process by 16 byte chunks
for (let i = 0; i < msg.length; i += 16) {
const m = msg.subarray(i, i + 16);
const n = bytesToNumberLE(m) | (_1 << BigInt(8 * m.length));
acc = ((acc + n) * r) % POW_2_130_5;
}
const res = (acc + s) & POW_2_128_1;
return numberToBytesLE(res, 16);
}
function computeTag(fn, key, nonce, ciphertext, AAD) {
const res = [];
if (AAD) {
res.push(AAD);
const leftover = AAD.length % 16;
if (leftover > 0)
res.push(new Uint8Array(16 - leftover));
}
res.push(ciphertext);
const leftover = ciphertext.length % 16;
if (leftover > 0)
res.push(new Uint8Array(16 - leftover));
res.push(u64Lengths(ciphertext.length, AAD ? AAD.length : 0, true));
const authKey = fn(key, nonce, new Uint8Array(32));
return poly1305(concatBytes(...res), authKey);
}
/** xsalsa20-poly1305 eXtended-nonce (24 bytes) salsa. */
export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, function xsalsapoly(key, nonce) {
return {
encrypt(plaintext) {
const m = concatBytes(new Uint8Array(32), plaintext);
const c = xsalsa20(key, nonce, m);
const authKey = c.subarray(0, 32);
const data = c.subarray(32);
const tag = poly1305(data, authKey);
return concatBytes(tag, data);
},
decrypt(ciphertext) {
const c = concatBytes(new Uint8Array(16), ciphertext);
const passedTag = c.subarray(16, 32);
const authKey = xsalsa20(key, nonce, new Uint8Array(32));
const tag = poly1305(c.subarray(32), authKey);
if (!equalBytes(tag, passedTag))
throw new Error('invalid poly1305 tag');
return xsalsa20(key, nonce, c).subarray(32);
},
};
});
/** Alias to `xsalsa20poly1305`. */
export function secretbox(key, nonce) {
const xs = xsalsa20poly1305(key, nonce);
return { seal: xs.encrypt, open: xs.decrypt };
}
export const _poly1305_aead = (fn) => (key, nonce, AAD) => {
const tagLength = 16;
return {
encrypt(plaintext) {
const data = fn(key, nonce, plaintext, undefined, 1); // stream from i=1
const tag = computeTag(fn, key, nonce, data, AAD);
return concatBytes(data, tag);
},
decrypt(ciphertext) {
const passedTag = ciphertext.subarray(-tagLength);
const data = ciphertext.subarray(0, -tagLength);
const tag = computeTag(fn, key, nonce, data, AAD);
if (!equalBytes(tag, passedTag))
throw new Error('invalid poly1305 tag');
return fn(key, nonce, data, undefined, 1); // stream from i=1
},
};
};
/** chacha20-poly1305 12-byte-nonce chacha. */
export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
/**
* XChaCha20-Poly1305 extended-nonce chacha. Can be safely used with random nonces (CSPRNG).
*/
export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
//# sourceMappingURL=_micro.js.map

1
node_modules/@noble/ciphers/esm/_micro.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

29
node_modules/@noble/ciphers/esm/_poly1305.d.ts generated vendored Normal file
View File

@@ -0,0 +1,29 @@
/**
* Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
* [wiki](https://en.wikipedia.org/wiki/Poly1305))
* is a fast and parallel secret-key message-authentication code suitable for
* a wide variety of applications. It was standardized in
* [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
*
* Polynomial MACs are not perfect for every situation:
* they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
* See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
* To combat invisible salamanders, `hash(key)` can be included in ciphertext,
* however, this would violate ciphertext indistinguishability:
* an attacker would know which key was used - so `HKDF(key, i)`
* could be used instead.
*
* Check out [original website](https://cr.yp.to/mac.html).
* @module
*/
import { Hash, type Input } from './utils.ts';
export type CHash = ReturnType<typeof wrapConstructorWithKey>;
export declare function wrapConstructorWithKey<H extends Hash<H>>(hashCons: (key: Input) => Hash<H>): {
(msg: Input, key: Input): Uint8Array;
outputLen: number;
blockLen: number;
create(key: Input): Hash<H>;
};
/** Poly1305 MAC from RFC 8439. */
export declare const poly1305: CHash;
//# sourceMappingURL=_poly1305.d.ts.map

1
node_modules/@noble/ciphers/esm/_poly1305.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_poly1305.d.ts","sourceRoot":"","sources":["../src/_poly1305.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,IAAI,EAAE,KAAK,KAAK,EAA4C,MAAM,YAAY,CAAC;AA4QxF,MAAM,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC9D,wBAAgB,sBAAsB,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,EACtD,QAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,GAChC;IACD,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,GAAG,UAAU,CAAC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,GAAG,EAAE,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;CAC7B,CAOA;AAED,kCAAkC;AAClC,eAAO,MAAM,QAAQ,EAAE,KAA0D,CAAC"}

277
node_modules/@noble/ciphers/esm/_poly1305.js generated vendored Normal file
View File

@@ -0,0 +1,277 @@
/**
* Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
* [wiki](https://en.wikipedia.org/wiki/Poly1305))
* is a fast and parallel secret-key message-authentication code suitable for
* a wide variety of applications. It was standardized in
* [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
*
* Polynomial MACs are not perfect for every situation:
* they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
* See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
* To combat invisible salamanders, `hash(key)` can be included in ciphertext,
* however, this would violate ciphertext indistinguishability:
* an attacker would know which key was used - so `HKDF(key, i)`
* could be used instead.
*
* Check out [original website](https://cr.yp.to/mac.html).
* @module
*/
import { Hash, abytes, aexists, aoutput, clean, toBytes } from "./utils.js";
// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna
const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
class Poly1305 {
constructor(key) {
this.blockLen = 16;
this.outputLen = 16;
this.buffer = new Uint8Array(16);
this.r = new Uint16Array(10);
this.h = new Uint16Array(10);
this.pad = new Uint16Array(8);
this.pos = 0;
this.finished = false;
key = toBytes(key);
abytes(key, 32);
const t0 = u8to16(key, 0);
const t1 = u8to16(key, 2);
const t2 = u8to16(key, 4);
const t3 = u8to16(key, 6);
const t4 = u8to16(key, 8);
const t5 = u8to16(key, 10);
const t6 = u8to16(key, 12);
const t7 = u8to16(key, 14);
// https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
this.r[0] = t0 & 0x1fff;
this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
this.r[5] = (t4 >>> 1) & 0x1ffe;
this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
this.r[9] = (t7 >>> 5) & 0x007f;
for (let i = 0; i < 8; i++)
this.pad[i] = u8to16(key, 16 + 2 * i);
}
process(data, offset, isLast = false) {
const hibit = isLast ? 0 : 1 << 11;
const { h, r } = this;
const r0 = r[0];
const r1 = r[1];
const r2 = r[2];
const r3 = r[3];
const r4 = r[4];
const r5 = r[5];
const r6 = r[6];
const r7 = r[7];
const r8 = r[8];
const r9 = r[9];
const t0 = u8to16(data, offset + 0);
const t1 = u8to16(data, offset + 2);
const t2 = u8to16(data, offset + 4);
const t3 = u8to16(data, offset + 6);
const t4 = u8to16(data, offset + 8);
const t5 = u8to16(data, offset + 10);
const t6 = u8to16(data, offset + 12);
const t7 = u8to16(data, offset + 14);
let h0 = h[0] + (t0 & 0x1fff);
let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
let h9 = h[9] + ((t7 >>> 5) | hibit);
let c = 0;
let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
c = d0 >>> 13;
d0 &= 0x1fff;
d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
c += d0 >>> 13;
d0 &= 0x1fff;
let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
c = d1 >>> 13;
d1 &= 0x1fff;
d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
c += d1 >>> 13;
d1 &= 0x1fff;
let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
c = d2 >>> 13;
d2 &= 0x1fff;
d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
c += d2 >>> 13;
d2 &= 0x1fff;
let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
c = d3 >>> 13;
d3 &= 0x1fff;
d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
c += d3 >>> 13;
d3 &= 0x1fff;
let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
c = d4 >>> 13;
d4 &= 0x1fff;
d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
c += d4 >>> 13;
d4 &= 0x1fff;
let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
c = d5 >>> 13;
d5 &= 0x1fff;
d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
c += d5 >>> 13;
d5 &= 0x1fff;
let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
c = d6 >>> 13;
d6 &= 0x1fff;
d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
c += d6 >>> 13;
d6 &= 0x1fff;
let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
c = d7 >>> 13;
d7 &= 0x1fff;
d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
c += d7 >>> 13;
d7 &= 0x1fff;
let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
c = d8 >>> 13;
d8 &= 0x1fff;
d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
c += d8 >>> 13;
d8 &= 0x1fff;
let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
c = d9 >>> 13;
d9 &= 0x1fff;
d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
c += d9 >>> 13;
d9 &= 0x1fff;
c = ((c << 2) + c) | 0;
c = (c + d0) | 0;
d0 = c & 0x1fff;
c = c >>> 13;
d1 += c;
h[0] = d0;
h[1] = d1;
h[2] = d2;
h[3] = d3;
h[4] = d4;
h[5] = d5;
h[6] = d6;
h[7] = d7;
h[8] = d8;
h[9] = d9;
}
finalize() {
const { h, pad } = this;
const g = new Uint16Array(10);
let c = h[1] >>> 13;
h[1] &= 0x1fff;
for (let i = 2; i < 10; i++) {
h[i] += c;
c = h[i] >>> 13;
h[i] &= 0x1fff;
}
h[0] += c * 5;
c = h[0] >>> 13;
h[0] &= 0x1fff;
h[1] += c;
c = h[1] >>> 13;
h[1] &= 0x1fff;
h[2] += c;
g[0] = h[0] + 5;
c = g[0] >>> 13;
g[0] &= 0x1fff;
for (let i = 1; i < 10; i++) {
g[i] = h[i] + c;
c = g[i] >>> 13;
g[i] &= 0x1fff;
}
g[9] -= 1 << 13;
let mask = (c ^ 1) - 1;
for (let i = 0; i < 10; i++)
g[i] &= mask;
mask = ~mask;
for (let i = 0; i < 10; i++)
h[i] = (h[i] & mask) | g[i];
h[0] = (h[0] | (h[1] << 13)) & 0xffff;
h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
let f = h[0] + pad[0];
h[0] = f & 0xffff;
for (let i = 1; i < 8; i++) {
f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
h[i] = f & 0xffff;
}
clean(g);
}
update(data) {
aexists(this);
data = toBytes(data);
abytes(data);
const { buffer, blockLen } = this;
const len = data.length;
for (let pos = 0; pos < len;) {
const take = Math.min(blockLen - this.pos, len - pos);
// Fast path: we have at least one block in input
if (take === blockLen) {
for (; blockLen <= len - pos; pos += blockLen)
this.process(data, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(buffer, 0, false);
this.pos = 0;
}
}
return this;
}
destroy() {
clean(this.h, this.r, this.buffer, this.pad);
}
digestInto(out) {
aexists(this);
aoutput(out, this);
this.finished = true;
const { buffer, h } = this;
let { pos } = this;
if (pos) {
buffer[pos++] = 1;
for (; pos < 16; pos++)
buffer[pos] = 0;
this.process(buffer, 0, true);
}
this.finalize();
let opos = 0;
for (let i = 0; i < 8; i++) {
out[opos++] = h[i] >>> 0;
out[opos++] = h[i] >>> 8;
}
return out;
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
}
export function wrapConstructorWithKey(hashCons) {
const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
const tmp = hashCons(new Uint8Array(32));
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (key) => hashCons(key);
return hashC;
}
/** Poly1305 MAC from RFC 8439. */
export const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
//# sourceMappingURL=_poly1305.js.map

1
node_modules/@noble/ciphers/esm/_poly1305.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

33
node_modules/@noble/ciphers/esm/_polyval.d.ts generated vendored Normal file
View File

@@ -0,0 +1,33 @@
/**
* GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
*
* Implemented in terms of GHash with conversion function for keys
* GCM GHASH from
* [NIST SP800-38d](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf),
* SIV from
* [RFC 8452](https://datatracker.ietf.org/doc/html/rfc8452).
*
* GHASH modulo: x^128 + x^7 + x^2 + x + 1
* POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
*
* @module
*/
import { Hash, type Input } from './utils.ts';
/**
* `mulX_POLYVAL(ByteReverse(H))` from spec
* @param k mutated in place
*/
export declare function _toGHASHKey(k: Uint8Array): Uint8Array;
export type CHashPV = ReturnType<typeof wrapConstructorWithKey>;
declare function wrapConstructorWithKey<H extends Hash<H>>(hashCons: (key: Input, expectedLength?: number) => Hash<H>): {
(msg: Input, key: Input): Uint8Array;
outputLen: number;
blockLen: number;
create(key: Input, expectedLength?: number): Hash<H>;
};
/** GHash MAC for AES-GCM. */
export declare const ghash: CHashPV;
/** Polyval MAC for AES-SIV. */
export declare const polyval: CHashPV;
export {};
//# sourceMappingURL=_polyval.d.ts.map

1
node_modules/@noble/ciphers/esm/_polyval.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_polyval.d.ts","sourceRoot":"","sources":["../src/_polyval.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAEyB,IAAI,EAAE,KAAK,KAAK,EAC/C,MAAM,YAAY,CAAC;AA6BpB;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAYrD;AAiLD,MAAM,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAChE,iBAAS,sBAAsB,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,EAC/C,QAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,GACzD;IACD,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,GAAG,UAAU,CAAC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;CACtD,CAQA;AAED,6BAA6B;AAC7B,eAAO,MAAM,KAAK,EAAE,OAEnB,CAAC;AAEF,+BAA+B;AAC/B,eAAO,MAAM,OAAO,EAAE,OAErB,CAAC"}

229
node_modules/@noble/ciphers/esm/_polyval.js generated vendored Normal file
View File

@@ -0,0 +1,229 @@
/**
* GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
*
* Implemented in terms of GHash with conversion function for keys
* GCM GHASH from
* [NIST SP800-38d](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf),
* SIV from
* [RFC 8452](https://datatracker.ietf.org/doc/html/rfc8452).
*
* GHASH modulo: x^128 + x^7 + x^2 + x + 1
* POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
*
* @module
*/
// prettier-ignore
import { abytes, aexists, aoutput, clean, copyBytes, createView, Hash, toBytes, u32, } from "./utils.js";
const BLOCK_SIZE = 16;
// TODO: rewrite
// temporary padding buffer
const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
const ZEROS32 = u32(ZEROS16);
const POLY = 0xe1; // v = 2*v % POLY
// v = 2*v % POLY
// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x
// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor)
const mul2 = (s0, s1, s2, s3) => {
const hiBit = s3 & 1;
return {
s3: (s2 << 31) | (s3 >>> 1),
s2: (s1 << 31) | (s2 >>> 1),
s1: (s0 << 31) | (s1 >>> 1),
s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly
};
};
const swapLE = (n) => (((n >>> 0) & 0xff) << 24) |
(((n >>> 8) & 0xff) << 16) |
(((n >>> 16) & 0xff) << 8) |
((n >>> 24) & 0xff) |
0;
/**
* `mulX_POLYVAL(ByteReverse(H))` from spec
* @param k mutated in place
*/
export function _toGHASHKey(k) {
k.reverse();
const hiBit = k[15] & 1;
// k >>= 1
let carry = 0;
for (let i = 0; i < k.length; i++) {
const t = k[i];
k[i] = (t >>> 1) | carry;
carry = (t & 1) << 7;
}
k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000;
return k;
}
const estimateWindow = (bytes) => {
if (bytes > 64 * 1024)
return 8;
if (bytes > 1024)
return 4;
return 2;
};
class GHASH {
// We select bits per window adaptively based on expectedLength
constructor(key, expectedLength) {
this.blockLen = BLOCK_SIZE;
this.outputLen = BLOCK_SIZE;
this.s0 = 0;
this.s1 = 0;
this.s2 = 0;
this.s3 = 0;
this.finished = false;
key = toBytes(key);
abytes(key, 16);
const kView = createView(key);
let k0 = kView.getUint32(0, false);
let k1 = kView.getUint32(4, false);
let k2 = kView.getUint32(8, false);
let k3 = kView.getUint32(12, false);
// generate table of doubled keys (half of montgomery ladder)
const doubles = [];
for (let i = 0; i < 128; i++) {
doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3));
}
const W = estimateWindow(expectedLength || 1024);
if (![1, 2, 4, 8].includes(W))
throw new Error('ghash: invalid window size, expected 2, 4 or 8');
this.W = W;
const bits = 128; // always 128 bits;
const windows = bits / W;
const windowSize = (this.windowSize = 2 ** W);
const items = [];
// Create precompute table for window of W bits
for (let w = 0; w < windows; w++) {
// truth table: 00, 01, 10, 11
for (let byte = 0; byte < windowSize; byte++) {
// prettier-ignore
let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
for (let j = 0; j < W; j++) {
const bit = (byte >>> (W - j - 1)) & 1;
if (!bit)
continue;
const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
(s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3);
}
items.push({ s0, s1, s2, s3 });
}
}
this.t = items;
}
_updateBlock(s0, s1, s2, s3) {
(s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3);
const { W, t, windowSize } = this;
// prettier-ignore
let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
const mask = (1 << W) - 1; // 2**W will kill performance.
let w = 0;
for (const num of [s0, s1, s2, s3]) {
for (let bytePos = 0; bytePos < 4; bytePos++) {
const byte = (num >>> (8 * bytePos)) & 0xff;
for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
const bit = (byte >>> (W * bitPos)) & mask;
const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
(o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3);
w += 1;
}
}
}
this.s0 = o0;
this.s1 = o1;
this.s2 = o2;
this.s3 = o3;
}
update(data) {
aexists(this);
data = toBytes(data);
abytes(data);
const b32 = u32(data);
const blocks = Math.floor(data.length / BLOCK_SIZE);
const left = data.length % BLOCK_SIZE;
for (let i = 0; i < blocks; i++) {
this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
}
if (left) {
ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
clean(ZEROS32); // clean tmp buffer
}
return this;
}
destroy() {
const { t } = this;
// clean precompute table
for (const elm of t) {
(elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0);
}
}
digestInto(out) {
aexists(this);
aoutput(out, this);
this.finished = true;
const { s0, s1, s2, s3 } = this;
const o32 = u32(out);
o32[0] = s0;
o32[1] = s1;
o32[2] = s2;
o32[3] = s3;
return out;
}
digest() {
const res = new Uint8Array(BLOCK_SIZE);
this.digestInto(res);
this.destroy();
return res;
}
}
class Polyval extends GHASH {
constructor(key, expectedLength) {
key = toBytes(key);
abytes(key);
const ghKey = _toGHASHKey(copyBytes(key));
super(ghKey, expectedLength);
clean(ghKey);
}
update(data) {
data = toBytes(data);
aexists(this);
const b32 = u32(data);
const left = data.length % BLOCK_SIZE;
const blocks = Math.floor(data.length / BLOCK_SIZE);
for (let i = 0; i < blocks; i++) {
this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
}
if (left) {
ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
clean(ZEROS32);
}
return this;
}
digestInto(out) {
aexists(this);
aoutput(out, this);
this.finished = true;
// tmp ugly hack
const { s0, s1, s2, s3 } = this;
const o32 = u32(out);
o32[0] = s0;
o32[1] = s1;
o32[2] = s2;
o32[3] = s3;
return out.reverse();
}
}
function wrapConstructorWithKey(hashCons) {
const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest();
const tmp = hashCons(new Uint8Array(16), 0);
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
return hashC;
}
/** GHash MAC for AES-GCM. */
export const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
/** Polyval MAC for AES-SIV. */
export const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
//# sourceMappingURL=_polyval.js.map

1
node_modules/@noble/ciphers/esm/_polyval.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

117
node_modules/@noble/ciphers/esm/aes.d.ts generated vendored Normal file
View File

@@ -0,0 +1,117 @@
import { type Cipher, type CipherWithOutput } from './utils.ts';
/** Key expansion used in CTR. */
declare function expandKeyLE(key: Uint8Array): Uint32Array;
declare function expandKeyDecLE(key: Uint8Array): Uint32Array;
declare function encrypt(xk: Uint32Array, s0: number, s1: number, s2: number, s3: number): {
s0: number;
s1: number;
s2: number;
s3: number;
};
declare function decrypt(xk: Uint32Array, s0: number, s1: number, s2: number, s3: number): {
s0: number;
s1: number;
s2: number;
s3: number;
};
declare function ctrCounter(xk: Uint32Array, nonce: Uint8Array, src: Uint8Array, dst?: Uint8Array): Uint8Array;
declare function ctr32(xk: Uint32Array, isLE: boolean, nonce: Uint8Array, src: Uint8Array, dst?: Uint8Array): Uint8Array;
/**
* CTR: counter mode. Creates stream cipher.
* Requires good IV. Parallelizable. OK, but no MAC.
*/
export declare const ctr: ((key: Uint8Array, nonce: Uint8Array) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/** Options for ECB and CBC. */
export type BlockOpts = {
disablePadding?: boolean;
};
/**
* ECB: Electronic CodeBook. Simple deterministic replacement.
* Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
*/
export declare const ecb: ((key: Uint8Array, opts?: BlockOpts) => CipherWithOutput) & {
blockSize: number;
};
/**
* CBC: Cipher-Block-Chaining. Key is previous rounds block.
* Fragile: needs proper padding. Unauthenticated: needs MAC.
*/
export declare const cbc: ((key: Uint8Array, iv: Uint8Array, opts?: BlockOpts) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/**
* CFB: Cipher Feedback Mode. The input for the block cipher is the previous cipher output.
* Unauthenticated: needs MAC.
*/
export declare const cfb: ((key: Uint8Array, iv: Uint8Array) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
};
/**
* GCM: Galois/Counter Mode.
* Modern, parallel version of CTR, with MAC.
* Be careful: MACs can be forged.
* Unsafe to use random nonces under the same key, due to collision chance.
* As for nonce size, prefer 12-byte, instead of 8-byte.
*/
export declare const gcm: ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
varSizeNonce: true;
};
/**
* AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
* Guarantees that, when a nonce is repeated, the only security loss is that identical
* plaintexts will produce identical ciphertexts.
* RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
*/
export declare const gcmsiv: ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => Cipher) & {
blockSize: number;
nonceLength: number;
tagLength: number;
varSizeNonce: true;
};
/**
* AES-GCM-SIV, not AES-SIV.
* This is legace name, use `gcmsiv` export instead.
* @deprecated
*/
export declare const siv: typeof gcmsiv;
declare function encryptBlock(xk: Uint32Array, block: Uint8Array): Uint8Array;
declare function decryptBlock(xk: Uint32Array, block: Uint8Array): Uint8Array;
/**
* AES-KW (key-wrap). Injects static IV into plaintext, adds counter, encrypts 6 times.
* Reduces block size from 16 to 8 bytes.
* For padded version, use aeskwp.
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [NIST.SP.800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf).
*/
export declare const aeskw: ((kek: Uint8Array) => Cipher) & {
blockSize: number;
};
/**
* AES-KW, but with padding and allows random keys.
* Second u32 of IV is used as counter for length.
* [RFC 5649](https://www.rfc-editor.org/rfc/rfc5649)
*/
export declare const aeskwp: ((kek: Uint8Array) => Cipher) & {
blockSize: number;
};
/** Unsafe low-level internal methods. May change at any time. */
export declare const unsafe: {
expandKeyLE: typeof expandKeyLE;
expandKeyDecLE: typeof expandKeyDecLE;
encrypt: typeof encrypt;
decrypt: typeof decrypt;
encryptBlock: typeof encryptBlock;
decryptBlock: typeof decryptBlock;
ctrCounter: typeof ctrCounter;
ctr32: typeof ctr32;
};
export {};
//# sourceMappingURL=aes.d.ts.map

1
node_modules/@noble/ciphers/esm/aes.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"aes.d.ts","sourceRoot":"","sources":["../src/aes.ts"],"names":[],"mappings":"AAkBA,OAAO,EAIL,KAAK,MAAM,EAAE,KAAK,gBAAgB,EACnC,MAAM,YAAY,CAAC;AA0FpB,iCAAiC;AACjC,iBAAS,WAAW,CAAC,GAAG,EAAE,UAAU,GAAG,WAAW,CAsBjD;AAED,iBAAS,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,WAAW,CAkBpD;AAwBD,iBAAS,OAAO,CACd,EAAE,EAAE,WAAW,EACf,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAkBpD;AAGD,iBAAS,OAAO,CACd,EAAE,EAAE,WAAW,EACf,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IACD,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;CACZ,CAkBA;AAGD,iBAAS,UAAU,CACjB,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU,GACf,UAAU,CAqCZ;AAKD,iBAAS,KAAK,CACZ,EAAE,EAAE,WAAW,EACf,IAAI,EAAE,OAAO,EACb,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU,GACf,UAAU,CAiCZ;AAED;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,KAAK,gBAAgB,CAAC,GAAG;IAC7E,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CAuBrB,CAAC;AAmDF,+BAA+B;AAC/B,MAAM,MAAM,SAAS,GAAG;IAAE,cAAc,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,SAAS,KAAK,gBAAgB,CAAC,GAAG;IAC5E,SAAS,EAAE,MAAM,CAAC;CAwCnB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,SAAS,KAAK,gBAAgB,CAAC,GAAG;IAC5F,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CAwDrB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,KAAK,gBAAgB,CAAC,GAAG;IAC1E,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CA4CrB,CAAC;AAqBF;;;;;;GAMG;AACH,eAAO,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACrF,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,IAAI,CAAC;CA8DpB,CAAC;AASF;;;;;GAKG;AACH,eAAO,MAAM,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACxF,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,IAAI,CAAC;CAgGpB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,GAAG,EAAE,OAAO,MAAe,CAAC;AAQzC,iBAAS,YAAY,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,GAAG,UAAU,CAOpE;AAED,iBAAS,YAAY,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,GAAG,UAAU,CAOpE;AAsED;;;;;;GAMG;AACH,eAAO,MAAM,KAAK,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IAClD,SAAS,EAAE,MAAM,CAAC;CA0BnB,CAAC;AA0CF;;;;GAIG;AACH,eAAO,MAAM,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,UAAU,KAAK,MAAM,CAAC,GAAG;IACnD,SAAS,EAAE,MAAM,CAAC;CA+BnB,CAAC;AAEF,iEAAiE;AACjE,eAAO,MAAM,MAAM,EAAE;IACnB,WAAW,EAAE,OAAO,WAAW,CAAC;IAChC,cAAc,EAAE,OAAO,cAAc,CAAC;IACtC,OAAO,EAAE,OAAO,OAAO,CAAC;IACxB,OAAO,EAAE,OAAO,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,YAAY,CAAC;IAClC,YAAY,EAAE,OAAO,YAAY,CAAC;IAClC,UAAU,EAAE,OAAO,UAAU,CAAC;IAC9B,KAAK,EAAE,OAAO,KAAK,CAAC;CAUrB,CAAC"}

903
node_modules/@noble/ciphers/esm/aes.js generated vendored Normal file
View File

@@ -0,0 +1,903 @@
/**
* [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
* a.k.a. Advanced Encryption Standard
* is a variant of Rijndael block cipher, standardized by NIST in 2001.
* We provide the fastest available pure JS implementation.
*
* Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round:
* 1. **S-box**, table substitution
* 2. **Shift rows**, cyclic shift left of all rows of data array
* 3. **Mix columns**, multiplying every column by fixed polynomial
* 4. **Add round key**, round_key xor i-th column of array
*
* Check out [FIPS-197](https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf)
* and [original proposal](https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf)
* @module
*/
import { ghash, polyval } from "./_polyval.js";
// prettier-ignore
import { abytes, clean, complexOverlapBytes, concatBytes, copyBytes, createView, equalBytes, getOutput, isAligned32, overlapBytes, setBigUint64, u32, u64Lengths, u8, wrapCipher, } from "./utils.js";
const BLOCK_SIZE = 16;
const BLOCK_SIZE32 = 4;
const EMPTY_BLOCK = /* @__PURE__ */ new Uint8Array(BLOCK_SIZE);
const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8
// TODO: remove multiplication, binary ops only
function mul2(n) {
return (n << 1) ^ (POLY & -(n >> 7));
}
function mul(a, b) {
let res = 0;
for (; b > 0; b >>= 1) {
// Montgomery ladder
res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time).
a = mul2(a); // a = 2*a
}
return res;
}
// AES S-box is generated using finite field inversion,
// an affine transform, and xor of a constant 0x63.
const sbox = /* @__PURE__ */ (() => {
const t = new Uint8Array(256);
for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))
t[i] = x;
const box = new Uint8Array(256);
box[0] = 0x63; // first elm
for (let i = 0; i < 255; i++) {
let x = t[255 - i];
x |= x << 8;
box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff;
}
clean(t);
return box;
})();
// Inverted S-box
const invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j));
// Rotate u32 by 8
const rotr32_8 = (n) => (n << 24) | (n >>> 8);
const rotl32_8 = (n) => (n << 8) | (n >>> 24);
// The byte swap operation for uint32 (LE<->BE)
const byteSwap = (word) => ((word << 24) & 0xff000000) |
((word << 8) & 0xff0000) |
((word >>> 8) & 0xff00) |
((word >>> 24) & 0xff);
// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes:
// - LE instead of BE
// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23;
// so index is u16, instead of u8. This speeds up things, unexpectedly
function genTtable(sbox, fn) {
if (sbox.length !== 256)
throw new Error('Wrong sbox length');
const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j]));
const T1 = T0.map(rotl32_8);
const T2 = T1.map(rotl32_8);
const T3 = T2.map(rotl32_8);
const T01 = new Uint32Array(256 * 256);
const T23 = new Uint32Array(256 * 256);
const sbox2 = new Uint16Array(256 * 256);
for (let i = 0; i < 256; i++) {
for (let j = 0; j < 256; j++) {
const idx = i * 256 + j;
T01[idx] = T0[i] ^ T1[j];
T23[idx] = T2[i] ^ T3[j];
sbox2[idx] = (sbox[i] << 8) | sbox[j];
}
}
return { sbox, sbox2, T0, T1, T2, T3, T01, T23 };
}
const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2));
const tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14));
const xPowers = /* @__PURE__ */ (() => {
const p = new Uint8Array(16);
for (let i = 0, x = 1; i < 16; i++, x = mul2(x))
p[i] = x;
return p;
})();
/** Key expansion used in CTR. */
function expandKeyLE(key) {
abytes(key);
const len = key.length;
if (![16, 24, 32].includes(len))
throw new Error('aes: invalid key size, should be 16, 24 or 32, got ' + len);
const { sbox2 } = tableEncoding;
const toClean = [];
if (!isAligned32(key))
toClean.push((key = copyBytes(key)));
const k32 = u32(key);
const Nk = k32.length;
const subByte = (n) => applySbox(sbox2, n, n, n, n);
const xk = new Uint32Array(len + 28); // expanded key
xk.set(k32);
// 4.3.1 Key expansion
for (let i = Nk; i < xk.length; i++) {
let t = xk[i - 1];
if (i % Nk === 0)
t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1];
else if (Nk > 6 && i % Nk === 4)
t = subByte(t);
xk[i] = xk[i - Nk] ^ t;
}
clean(...toClean);
return xk;
}
function expandKeyDecLE(key) {
const encKey = expandKeyLE(key);
const xk = encKey.slice();
const Nk = encKey.length;
const { sbox2 } = tableEncoding;
const { T0, T1, T2, T3 } = tableDecoding;
// Inverse key by chunks of 4 (rounds)
for (let i = 0; i < Nk; i += 4) {
for (let j = 0; j < 4; j++)
xk[i + j] = encKey[Nk - i - 4 + j];
}
clean(encKey);
// apply InvMixColumn except first & last round
for (let i = 4; i < Nk - 4; i++) {
const x = xk[i];
const w = applySbox(sbox2, x, x, x, x);
xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24];
}
return xk;
}
// Apply tables
function apply0123(T01, T23, s0, s1, s2, s3) {
return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^
T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]);
}
function applySbox(sbox2, s0, s1, s2, s3) {
return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
(sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
}
function encrypt(xk, s0, s1, s2, s3) {
const { sbox2, T01, T23 } = tableEncoding;
let k = 0;
(s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
const rounds = xk.length / 4 - 2;
for (let i = 0; i < rounds; i++) {
const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
(s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
}
// last round (without mixcolumns, so using SBOX2 table)
const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
return { s0: t0, s1: t1, s2: t2, s3: t3 };
}
// Can't be merged with encrypt: arg positions for apply0123 / applySbox are different
function decrypt(xk, s0, s1, s2, s3) {
const { sbox2, T01, T23 } = tableDecoding;
let k = 0;
(s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
const rounds = xk.length / 4 - 2;
for (let i = 0; i < rounds; i++) {
const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1);
const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2);
const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3);
const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0);
(s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
}
// Last round
const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1);
const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2);
const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3);
const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0);
return { s0: t0, s1: t1, s2: t2, s3: t3 };
}
// TODO: investigate merging with ctr32
function ctrCounter(xk, nonce, src, dst) {
abytes(nonce, BLOCK_SIZE);
abytes(src);
const srcLen = src.length;
dst = getOutput(srcLen, dst);
complexOverlapBytes(src, dst);
const ctr = nonce;
const c32 = u32(ctr);
// Fill block (empty, ctr=0)
let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
const src32 = u32(src);
const dst32 = u32(dst);
// process blocks
for (let i = 0; i + 4 <= src32.length; i += 4) {
dst32[i + 0] = src32[i + 0] ^ s0;
dst32[i + 1] = src32[i + 1] ^ s1;
dst32[i + 2] = src32[i + 2] ^ s2;
dst32[i + 3] = src32[i + 3] ^ s3;
// Full 128 bit counter with wrap around
let carry = 1;
for (let i = ctr.length - 1; i >= 0; i--) {
carry = (carry + (ctr[i] & 0xff)) | 0;
ctr[i] = carry & 0xff;
carry >>>= 8;
}
({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
}
// leftovers (less than block)
// It's possible to handle > u32 fast, but is it worth it?
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
const b32 = new Uint32Array([s0, s1, s2, s3]);
const buf = u8(b32);
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
clean(b32);
}
return dst;
}
// AES CTR with overflowing 32 bit counter
// It's possible to do 32le significantly simpler (and probably faster) by using u32.
// But, we need both, and perf bottleneck is in ghash anyway.
function ctr32(xk, isLE, nonce, src, dst) {
abytes(nonce, BLOCK_SIZE);
abytes(src);
dst = getOutput(src.length, dst);
const ctr = nonce; // write new value to nonce, so it can be re-used
const c32 = u32(ctr);
const view = createView(ctr);
const src32 = u32(src);
const dst32 = u32(dst);
const ctrPos = isLE ? 0 : 12;
const srcLen = src.length;
// Fill block (empty, ctr=0)
let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
// process blocks
for (let i = 0; i + 4 <= src32.length; i += 4) {
dst32[i + 0] = src32[i + 0] ^ s0;
dst32[i + 1] = src32[i + 1] ^ s1;
dst32[i + 2] = src32[i + 2] ^ s2;
dst32[i + 3] = src32[i + 3] ^ s3;
ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
view.setUint32(ctrPos, ctrNum, isLE);
({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
}
// leftovers (less than a block)
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
const b32 = new Uint32Array([s0, s1, s2, s3]);
const buf = u8(b32);
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
clean(b32);
}
return dst;
}
/**
* CTR: counter mode. Creates stream cipher.
* Requires good IV. Parallelizable. OK, but no MAC.
*/
export const ctr = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 16 }, function aesctr(key, nonce) {
function processCtr(buf, dst) {
abytes(buf);
if (dst !== undefined) {
abytes(dst);
if (!isAligned32(dst))
throw new Error('unaligned destination');
}
const xk = expandKeyLE(key);
const n = copyBytes(nonce); // align + avoid changing
const toClean = [xk, n];
if (!isAligned32(buf))
toClean.push((buf = copyBytes(buf)));
const out = ctrCounter(xk, n, buf, dst);
clean(...toClean);
return out;
}
return {
encrypt: (plaintext, dst) => processCtr(plaintext, dst),
decrypt: (ciphertext, dst) => processCtr(ciphertext, dst),
};
});
function validateBlockDecrypt(data) {
abytes(data);
if (data.length % BLOCK_SIZE !== 0) {
throw new Error('aes-(cbc/ecb).decrypt ciphertext should consist of blocks with size ' + BLOCK_SIZE);
}
}
function validateBlockEncrypt(plaintext, pcks5, dst) {
abytes(plaintext);
let outLen = plaintext.length;
const remaining = outLen % BLOCK_SIZE;
if (!pcks5 && remaining !== 0)
throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding');
if (!isAligned32(plaintext))
plaintext = copyBytes(plaintext);
const b = u32(plaintext);
if (pcks5) {
let left = BLOCK_SIZE - remaining;
if (!left)
left = BLOCK_SIZE; // if no bytes left, create empty padding block
outLen = outLen + left;
}
dst = getOutput(outLen, dst);
complexOverlapBytes(plaintext, dst);
const o = u32(dst);
return { b, o, out: dst };
}
function validatePCKS(data, pcks5) {
if (!pcks5)
return data;
const len = data.length;
if (!len)
throw new Error('aes/pcks5: empty ciphertext not allowed');
const lastByte = data[len - 1];
if (lastByte <= 0 || lastByte > 16)
throw new Error('aes/pcks5: wrong padding');
const out = data.subarray(0, -lastByte);
for (let i = 0; i < lastByte; i++)
if (data[len - i - 1] !== lastByte)
throw new Error('aes/pcks5: wrong padding');
return out;
}
function padPCKS(left) {
const tmp = new Uint8Array(16);
const tmp32 = u32(tmp);
tmp.set(left);
const paddingByte = BLOCK_SIZE - left.length;
for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++)
tmp[i] = paddingByte;
return tmp32;
}
/**
* ECB: Electronic CodeBook. Simple deterministic replacement.
* Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
*/
export const ecb = /* @__PURE__ */ wrapCipher({ blockSize: 16 }, function aesecb(key, opts = {}) {
const pcks5 = !opts.disablePadding;
return {
encrypt(plaintext, dst) {
const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
const xk = expandKeyLE(key);
let i = 0;
for (; i + 4 <= b.length;) {
const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
if (pcks5) {
const tmp32 = padPCKS(plaintext.subarray(i * 4));
const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
clean(xk);
return _out;
},
decrypt(ciphertext, dst) {
validateBlockDecrypt(ciphertext);
const xk = expandKeyDecLE(key);
dst = getOutput(ciphertext.length, dst);
const toClean = [xk];
if (!isAligned32(ciphertext))
toClean.push((ciphertext = copyBytes(ciphertext)));
complexOverlapBytes(ciphertext, dst);
const b = u32(ciphertext);
const o = u32(dst);
for (let i = 0; i + 4 <= b.length;) {
const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
clean(...toClean);
return validatePCKS(dst, pcks5);
},
};
});
/**
* CBC: Cipher-Block-Chaining. Key is previous rounds block.
* Fragile: needs proper padding. Unauthenticated: needs MAC.
*/
export const cbc = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 16 }, function aescbc(key, iv, opts = {}) {
const pcks5 = !opts.disablePadding;
return {
encrypt(plaintext, dst) {
const xk = expandKeyLE(key);
const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
let _iv = iv;
const toClean = [xk];
if (!isAligned32(_iv))
toClean.push((_iv = copyBytes(_iv)));
const n32 = u32(_iv);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
let i = 0;
for (; i + 4 <= b.length;) {
(s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
if (pcks5) {
const tmp32 = padPCKS(plaintext.subarray(i * 4));
(s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
(o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
}
clean(...toClean);
return _out;
},
decrypt(ciphertext, dst) {
validateBlockDecrypt(ciphertext);
const xk = expandKeyDecLE(key);
let _iv = iv;
const toClean = [xk];
if (!isAligned32(_iv))
toClean.push((_iv = copyBytes(_iv)));
const n32 = u32(_iv);
dst = getOutput(ciphertext.length, dst);
if (!isAligned32(ciphertext))
toClean.push((ciphertext = copyBytes(ciphertext)));
complexOverlapBytes(ciphertext, dst);
const b = u32(ciphertext);
const o = u32(dst);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
for (let i = 0; i + 4 <= b.length;) {
// prettier-ignore
const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
(s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3);
(o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
}
clean(...toClean);
return validatePCKS(dst, pcks5);
},
};
});
/**
* CFB: Cipher Feedback Mode. The input for the block cipher is the previous cipher output.
* Unauthenticated: needs MAC.
*/
export const cfb = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 16 }, function aescfb(key, iv) {
function processCfb(src, isEncrypt, dst) {
abytes(src);
const srcLen = src.length;
dst = getOutput(srcLen, dst);
if (overlapBytes(src, dst))
throw new Error('overlapping src and dst not supported.');
const xk = expandKeyLE(key);
let _iv = iv;
const toClean = [xk];
if (!isAligned32(_iv))
toClean.push((_iv = copyBytes(_iv)));
if (!isAligned32(src))
toClean.push((src = copyBytes(src)));
const src32 = u32(src);
const dst32 = u32(dst);
const next32 = isEncrypt ? dst32 : src32;
const n32 = u32(_iv);
// prettier-ignore
let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
for (let i = 0; i + 4 <= src32.length;) {
const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt(xk, s0, s1, s2, s3);
dst32[i + 0] = src32[i + 0] ^ e0;
dst32[i + 1] = src32[i + 1] ^ e1;
dst32[i + 2] = src32[i + 2] ^ e2;
dst32[i + 3] = src32[i + 3] ^ e3;
(s0 = next32[i++]), (s1 = next32[i++]), (s2 = next32[i++]), (s3 = next32[i++]);
}
// leftovers (less than block)
const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
if (start < srcLen) {
({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
const buf = u8(new Uint32Array([s0, s1, s2, s3]));
for (let i = start, pos = 0; i < srcLen; i++, pos++)
dst[i] = src[i] ^ buf[pos];
clean(buf);
}
clean(...toClean);
return dst;
}
return {
encrypt: (plaintext, dst) => processCfb(plaintext, true, dst),
decrypt: (ciphertext, dst) => processCfb(ciphertext, false, dst),
};
});
// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen
function computeTag(fn, isLE, key, data, AAD) {
const aadLength = AAD ? AAD.length : 0;
const h = fn.create(key, data.length + aadLength);
if (AAD)
h.update(AAD);
const num = u64Lengths(8 * data.length, 8 * aadLength, isLE);
h.update(data);
h.update(num);
const res = h.digest();
clean(num);
return res;
}
/**
* GCM: Galois/Counter Mode.
* Modern, parallel version of CTR, with MAC.
* Be careful: MACs can be forged.
* Unsafe to use random nonces under the same key, due to collision chance.
* As for nonce size, prefer 12-byte, instead of 8-byte.
*/
export const gcm = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16, varSizeNonce: true }, function aesgcm(key, nonce, AAD) {
// NIST 800-38d doesn't enforce minimum nonce length.
// We enforce 8 bytes for compat with openssl.
// 12 bytes are recommended. More than 12 bytes would be converted into 12.
if (nonce.length < 8)
throw new Error('aes/gcm: invalid nonce length');
const tagLength = 16;
function _computeTag(authKey, tagMask, data) {
const tag = computeTag(ghash, false, authKey, data, AAD);
for (let i = 0; i < tagMask.length; i++)
tag[i] ^= tagMask[i];
return tag;
}
function deriveKeys() {
const xk = expandKeyLE(key);
const authKey = EMPTY_BLOCK.slice();
const counter = EMPTY_BLOCK.slice();
ctr32(xk, false, counter, counter, authKey);
// NIST 800-38d, page 15: different behavior for 96-bit and non-96-bit nonces
if (nonce.length === 12) {
counter.set(nonce);
}
else {
const nonceLen = EMPTY_BLOCK.slice();
const view = createView(nonceLen);
setBigUint64(view, 8, BigInt(nonce.length * 8), false);
// ghash(nonce || u64be(0) || u64be(nonceLen*8))
const g = ghash.create(authKey).update(nonce).update(nonceLen);
g.digestInto(counter); // digestInto doesn't trigger '.destroy'
g.destroy();
}
const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
return { xk, authKey, counter, tagMask };
}
return {
encrypt(plaintext) {
const { xk, authKey, counter, tagMask } = deriveKeys();
const out = new Uint8Array(plaintext.length + tagLength);
const toClean = [xk, authKey, counter, tagMask];
if (!isAligned32(plaintext))
toClean.push((plaintext = copyBytes(plaintext)));
ctr32(xk, false, counter, plaintext, out.subarray(0, plaintext.length));
const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
toClean.push(tag);
out.set(tag, plaintext.length);
clean(...toClean);
return out;
},
decrypt(ciphertext) {
const { xk, authKey, counter, tagMask } = deriveKeys();
const toClean = [xk, authKey, tagMask, counter];
if (!isAligned32(ciphertext))
toClean.push((ciphertext = copyBytes(ciphertext)));
const data = ciphertext.subarray(0, -tagLength);
const passedTag = ciphertext.subarray(-tagLength);
const tag = _computeTag(authKey, tagMask, data);
toClean.push(tag);
if (!equalBytes(tag, passedTag))
throw new Error('aes/gcm: invalid ghash tag');
const out = ctr32(xk, false, counter, data);
clean(...toClean);
return out;
},
};
});
const limit = (name, min, max) => (value) => {
if (!Number.isSafeInteger(value) || min > value || value > max) {
const minmax = '[' + min + '..' + max + ']';
throw new Error('' + name + ': expected value in range ' + minmax + ', got ' + value);
}
};
/**
* AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
* Guarantees that, when a nonce is repeated, the only security loss is that identical
* plaintexts will produce identical ciphertexts.
* RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
*/
export const gcmsiv = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16, varSizeNonce: true }, function aessiv(key, nonce, AAD) {
const tagLength = 16;
// From RFC 8452: Section 6
const AAD_LIMIT = limit('AAD', 0, 2 ** 36);
const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36);
const NONCE_LIMIT = limit('nonce', 12, 12);
const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16);
abytes(key, 16, 24, 32);
NONCE_LIMIT(nonce.length);
if (AAD !== undefined)
AAD_LIMIT(AAD.length);
function deriveKeys() {
const xk = expandKeyLE(key);
const encKey = new Uint8Array(key.length);
const authKey = new Uint8Array(16);
const toClean = [xk, encKey];
let _nonce = nonce;
if (!isAligned32(_nonce))
toClean.push((_nonce = copyBytes(_nonce)));
const n32 = u32(_nonce);
// prettier-ignore
let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2];
let counter = 0;
for (const derivedKey of [authKey, encKey].map(u32)) {
const d32 = u32(derivedKey);
for (let i = 0; i < d32.length; i += 2) {
// aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ...
const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3);
d32[i + 0] = o0;
d32[i + 1] = o1;
s0 = ++counter; // increment counter inside state
}
}
const res = { authKey, encKey: expandKeyLE(encKey) };
// Cleanup
clean(...toClean);
return res;
}
function _computeTag(encKey, authKey, data) {
const tag = computeTag(polyval, true, authKey, data, AAD);
// Compute the expected tag by XORing S_s and the nonce, clearing the
// most significant bit of the last byte and encrypting with the
// message-encryption key.
for (let i = 0; i < 12; i++)
tag[i] ^= nonce[i];
tag[15] &= 0x7f; // Clear the highest bit
// encrypt tag as block
const t32 = u32(tag);
// prettier-ignore
let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3];
({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3));
(t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3);
return tag;
}
// actual decrypt/encrypt of message.
function processSiv(encKey, tag, input) {
let block = copyBytes(tag);
block[15] |= 0x80; // Force highest bit
const res = ctr32(encKey, true, block, input);
// Cleanup
clean(block);
return res;
}
return {
encrypt(plaintext) {
PLAIN_LIMIT(plaintext.length);
const { encKey, authKey } = deriveKeys();
const tag = _computeTag(encKey, authKey, plaintext);
const toClean = [encKey, authKey, tag];
if (!isAligned32(plaintext))
toClean.push((plaintext = copyBytes(plaintext)));
const out = new Uint8Array(plaintext.length + tagLength);
out.set(tag, plaintext.length);
out.set(processSiv(encKey, tag, plaintext));
// Cleanup
clean(...toClean);
return out;
},
decrypt(ciphertext) {
CIPHER_LIMIT(ciphertext.length);
const tag = ciphertext.subarray(-tagLength);
const { encKey, authKey } = deriveKeys();
const toClean = [encKey, authKey];
if (!isAligned32(ciphertext))
toClean.push((ciphertext = copyBytes(ciphertext)));
const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength));
const expectedTag = _computeTag(encKey, authKey, plaintext);
toClean.push(expectedTag);
if (!equalBytes(tag, expectedTag)) {
clean(...toClean);
throw new Error('invalid polyval tag');
}
// Cleanup
clean(...toClean);
return plaintext;
},
};
});
/**
* AES-GCM-SIV, not AES-SIV.
* This is legace name, use `gcmsiv` export instead.
* @deprecated
*/
export const siv = gcmsiv;
function isBytes32(a) {
return (a instanceof Uint32Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint32Array'));
}
function encryptBlock(xk, block) {
abytes(block, 16);
if (!isBytes32(xk))
throw new Error('_encryptBlock accepts result of expandKeyLE');
const b32 = u32(block);
let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]);
(b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
return block;
}
function decryptBlock(xk, block) {
abytes(block, 16);
if (!isBytes32(xk))
throw new Error('_decryptBlock accepts result of expandKeyLE');
const b32 = u32(block);
let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]);
(b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
return block;
}
/**
* AES-W (base for AESKW/AESKWP).
* Specs: [SP800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf),
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [RFC 5649](https://datatracker.ietf.org/doc/rfc5649/).
*/
const AESW = {
/*
High-level pseudocode:
```
A: u64 = IV
out = []
for (let i=0, ctr = 0; i<6; i++) {
for (const chunk of chunks(plaintext, 8)) {
A ^= swapEndianess(ctr++)
[A, res] = chunks(encrypt(A || chunk), 8);
out ||= res
}
}
out = A || out
```
Decrypt is the same, but reversed.
*/
encrypt(kek, out) {
// Size is limited to 4GB, otherwise ctr will overflow and we'll need to switch to bigints.
// If you need it larger, open an issue.
if (out.length >= 2 ** 32)
throw new Error('plaintext should be less than 4gb');
const xk = expandKeyLE(kek);
if (out.length === 16)
encryptBlock(xk, out);
else {
const o32 = u32(out);
// prettier-ignore
let a0 = o32[0], a1 = o32[1]; // A
for (let j = 0, ctr = 1; j < 6; j++) {
for (let pos = 2; pos < o32.length; pos += 2, ctr++) {
const { s0, s1, s2, s3 } = encrypt(xk, a0, a1, o32[pos], o32[pos + 1]);
// A = MSB(64, B) ^ t where t = (n*j)+i
(a0 = s0), (a1 = s1 ^ byteSwap(ctr)), (o32[pos] = s2), (o32[pos + 1] = s3);
}
}
(o32[0] = a0), (o32[1] = a1); // out = A || out
}
xk.fill(0);
},
decrypt(kek, out) {
if (out.length - 8 >= 2 ** 32)
throw new Error('ciphertext should be less than 4gb');
const xk = expandKeyDecLE(kek);
const chunks = out.length / 8 - 1; // first chunk is IV
if (chunks === 1)
decryptBlock(xk, out);
else {
const o32 = u32(out);
// prettier-ignore
let a0 = o32[0], a1 = o32[1]; // A
for (let j = 0, ctr = chunks * 6; j < 6; j++) {
for (let pos = chunks * 2; pos >= 1; pos -= 2, ctr--) {
a1 ^= byteSwap(ctr);
const { s0, s1, s2, s3 } = decrypt(xk, a0, a1, o32[pos], o32[pos + 1]);
(a0 = s0), (a1 = s1), (o32[pos] = s2), (o32[pos + 1] = s3);
}
}
(o32[0] = a0), (o32[1] = a1);
}
xk.fill(0);
},
};
const AESKW_IV = /* @__PURE__ */ new Uint8Array(8).fill(0xa6); // A6A6A6A6A6A6A6A6
/**
* AES-KW (key-wrap). Injects static IV into plaintext, adds counter, encrypts 6 times.
* Reduces block size from 16 to 8 bytes.
* For padded version, use aeskwp.
* [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),
* [NIST.SP.800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf).
*/
export const aeskw = /* @__PURE__ */ wrapCipher({ blockSize: 8 }, (kek) => ({
encrypt(plaintext) {
if (!plaintext.length || plaintext.length % 8 !== 0)
throw new Error('invalid plaintext length');
if (plaintext.length === 8)
throw new Error('8-byte keys not allowed in AESKW, use AESKWP instead');
const out = concatBytes(AESKW_IV, plaintext);
AESW.encrypt(kek, out);
return out;
},
decrypt(ciphertext) {
// ciphertext must be at least 24 bytes and a multiple of 8 bytes
// 24 because should have at least two block (1 iv + 2).
// Replace with 16 to enable '8-byte keys'
if (ciphertext.length % 8 !== 0 || ciphertext.length < 3 * 8)
throw new Error('invalid ciphertext length');
const out = copyBytes(ciphertext);
AESW.decrypt(kek, out);
if (!equalBytes(out.subarray(0, 8), AESKW_IV))
throw new Error('integrity check failed');
out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway
return out.subarray(8);
},
}));
/*
We don't support 8-byte keys. The rabbit hole:
- Wycheproof says: "NIST SP 800-38F does not define the wrapping of 8 byte keys.
RFC 3394 Section 2 on the other hand specifies that 8 byte keys are wrapped
by directly encrypting one block with AES."
- https://github.com/C2SP/wycheproof/blob/master/doc/key_wrap.md
- "RFC 3394 specifies in Section 2, that the input for the key wrap
algorithm must be at least two blocks and otherwise the constant
field and key are simply encrypted with ECB as a single block"
- What RFC 3394 actually says (in Section 2):
- "Before being wrapped, the key data is parsed into n blocks of 64 bits.
The only restriction the key wrap algorithm places on n is that n be
at least two"
- "For key data with length less than or equal to 64 bits, the constant
field used in this specification and the key data form a single
128-bit codebook input making this key wrap unnecessary."
- Which means "assert(n >= 2)" and "use something else for 8 byte keys"
- NIST SP800-38F actually prohibits 8-byte in "5.3.1 Mandatory Limits".
It states that plaintext for KW should be "2 to 2^54 -1 semiblocks".
- So, where does "directly encrypt single block with AES" come from?
- Not RFC 3394. Pseudocode of key wrap in 2.2 explicitly uses
loop of 6 for any code path
- There is a weird W3C spec:
https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#kw-aes128
- This spec is outdated, as admitted by Wycheproof authors
- There is RFC 5649 for padded key wrap, which is padding construction on
top of AESKW. In '4.1.2' it says: "If the padded plaintext contains exactly
eight octets, then prepend the AIV as defined in Section 3 above to P[1] and
encrypt the resulting 128-bit block using AES in ECB mode [Modes] with key
K (the KEK). In this case, the output is two 64-bit blocks C[0] and C[1]:"
- Browser subtle crypto is actually crashes on wrapping keys less than 16 bytes:
`Error: error:1C8000E6:Provider routines::invalid input length] { opensslErrorStack: [ 'error:030000BD:digital envelope routines::update error' ]`
In the end, seems like a bug in Wycheproof.
The 8-byte check can be easily disabled inside of AES_W.
*/
const AESKWP_IV = 0xa65959a6; // single u32le value
/**
* AES-KW, but with padding and allows random keys.
* Second u32 of IV is used as counter for length.
* [RFC 5649](https://www.rfc-editor.org/rfc/rfc5649)
*/
export const aeskwp = /* @__PURE__ */ wrapCipher({ blockSize: 8 }, (kek) => ({
encrypt(plaintext) {
if (!plaintext.length)
throw new Error('invalid plaintext length');
const padded = Math.ceil(plaintext.length / 8) * 8;
const out = new Uint8Array(8 + padded);
out.set(plaintext, 8);
const out32 = u32(out);
out32[0] = AESKWP_IV;
out32[1] = byteSwap(plaintext.length);
AESW.encrypt(kek, out);
return out;
},
decrypt(ciphertext) {
// 16 because should have at least one block
if (ciphertext.length < 16)
throw new Error('invalid ciphertext length');
const out = copyBytes(ciphertext);
const o32 = u32(out);
AESW.decrypt(kek, out);
const len = byteSwap(o32[1]) >>> 0;
const padded = Math.ceil(len / 8) * 8;
if (o32[0] !== AESKWP_IV || out.length - 8 !== padded)
throw new Error('integrity check failed');
for (let i = len; i < padded; i++)
if (out[8 + i] !== 0)
throw new Error('integrity check failed');
out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway
return out.subarray(8, 8 + len);
},
}));
/** Unsafe low-level internal methods. May change at any time. */
export const unsafe = {
expandKeyLE,
expandKeyDecLE,
encrypt,
decrypt,
encryptBlock,
decryptBlock,
ctrCounter,
ctr32,
};
//# sourceMappingURL=aes.js.map

1
node_modules/@noble/ciphers/esm/aes.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

56
node_modules/@noble/ciphers/esm/chacha.d.ts generated vendored Normal file
View File

@@ -0,0 +1,56 @@
import { type ARXCipher, type CipherWithOutput, type XorStream } from './utils.ts';
/**
* hchacha helper method, used primarily in xchacha, to hash
* key and nonce into key' and nonce'.
* Same as chachaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
export declare function hchacha(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/**
* Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter.
*/
export declare const chacha20orig: XorStream;
/**
* ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
* With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
*/
export declare const chacha20: XorStream;
/**
* XChaCha eXtended-nonce ChaCha. 24-byte nonce.
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
* https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
*/
export declare const xchacha20: XorStream;
/**
* Reduced 8-round chacha, described in original paper.
*/
export declare const chacha8: XorStream;
/**
* Reduced 12-round chacha, described in original paper.
*/
export declare const chacha12: XorStream;
/**
* AEAD algorithm from RFC 8439.
* Salsa20 and chacha (RFC 8439) use poly1305 differently.
* We could have composed them similar to:
* https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
* But it's hard because of authKey:
* In salsa20, authKey changes position in salsa stream.
* In chacha, authKey can't be computed inside computeTag, it modifies the counter.
*/
export declare const _poly1305_aead: (xorStream: XorStream) => (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => CipherWithOutput;
/**
* ChaCha20-Poly1305 from RFC 8439.
*
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XChaCha instead.
*/
export declare const chacha20poly1305: ARXCipher;
/**
* XChaCha20-Poly1305 extended-nonce chacha.
*
* Can be safely used with random nonces (CSPRNG).
* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
*/
export declare const xchacha20poly1305: ARXCipher;
//# sourceMappingURL=chacha.d.ts.map

1
node_modules/@noble/ciphers/esm/chacha.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"chacha.d.ts","sourceRoot":"","sources":["../src/chacha.ts"],"names":[],"mappings":"AAgBA,OAAO,EACL,KAAK,SAAS,EACd,KAAK,gBAAgB,EACrB,KAAK,SAAS,EAMf,MAAM,YAAY,CAAC;AAsEpB;;;;;GAKG;AAEH,wBAAgB,OAAO,CACrB,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAC/D,IAAI,CAmDN;AACD;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,SAIzB,CAAC;AACH;;;GAGG;AACH,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,SAAS,EAAE,SAKtB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE,SAIpB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,QAAQ,EAAE,SAIrB,CAAC;AA6BH;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,GACxB,WAAW,SAAS,MACpB,KAAK,UAAU,EAAE,OAAO,UAAU,EAAE,MAAM,UAAU,KAAG,gBA0BvD,CAAC;AAEJ;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAG9B,CAAC;AACF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,SAG/B,CAAC"}

315
node_modules/@noble/ciphers/esm/chacha.js generated vendored Normal file
View File

@@ -0,0 +1,315 @@
/**
* [ChaCha20](https://cr.yp.to/chacha.html) stream cipher, released
* in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
* It was standardized in [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and
* is now used in TLS 1.3.
*
* [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
* extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
* randomly-generated nonces.
*
* Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
* [wiki](https://en.wikipedia.org/wiki/Salsa20).
* @module
*/
import { createCipher, rotl } from "./_arx.js";
import { poly1305 } from "./_poly1305.js";
import { clean, equalBytes, getOutput, u64Lengths, wrapCipher, } from "./utils.js";
/**
* ChaCha core function.
*/
// prettier-ignore
function chachaCore(s, k, n, out, cnt, rounds = 20) {
let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa" "nd 3" "2-by" "te k"
y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key Key Key Key
y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key Key Key Key
y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter Counter Nonce Nonce
// Save state to temporary variables
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
for (let r = 0; r < rounds; r += 2) {
x00 = (x00 + x04) | 0;
x12 = rotl(x12 ^ x00, 16);
x08 = (x08 + x12) | 0;
x04 = rotl(x04 ^ x08, 12);
x00 = (x00 + x04) | 0;
x12 = rotl(x12 ^ x00, 8);
x08 = (x08 + x12) | 0;
x04 = rotl(x04 ^ x08, 7);
x01 = (x01 + x05) | 0;
x13 = rotl(x13 ^ x01, 16);
x09 = (x09 + x13) | 0;
x05 = rotl(x05 ^ x09, 12);
x01 = (x01 + x05) | 0;
x13 = rotl(x13 ^ x01, 8);
x09 = (x09 + x13) | 0;
x05 = rotl(x05 ^ x09, 7);
x02 = (x02 + x06) | 0;
x14 = rotl(x14 ^ x02, 16);
x10 = (x10 + x14) | 0;
x06 = rotl(x06 ^ x10, 12);
x02 = (x02 + x06) | 0;
x14 = rotl(x14 ^ x02, 8);
x10 = (x10 + x14) | 0;
x06 = rotl(x06 ^ x10, 7);
x03 = (x03 + x07) | 0;
x15 = rotl(x15 ^ x03, 16);
x11 = (x11 + x15) | 0;
x07 = rotl(x07 ^ x11, 12);
x03 = (x03 + x07) | 0;
x15 = rotl(x15 ^ x03, 8);
x11 = (x11 + x15) | 0;
x07 = rotl(x07 ^ x11, 7);
x00 = (x00 + x05) | 0;
x15 = rotl(x15 ^ x00, 16);
x10 = (x10 + x15) | 0;
x05 = rotl(x05 ^ x10, 12);
x00 = (x00 + x05) | 0;
x15 = rotl(x15 ^ x00, 8);
x10 = (x10 + x15) | 0;
x05 = rotl(x05 ^ x10, 7);
x01 = (x01 + x06) | 0;
x12 = rotl(x12 ^ x01, 16);
x11 = (x11 + x12) | 0;
x06 = rotl(x06 ^ x11, 12);
x01 = (x01 + x06) | 0;
x12 = rotl(x12 ^ x01, 8);
x11 = (x11 + x12) | 0;
x06 = rotl(x06 ^ x11, 7);
x02 = (x02 + x07) | 0;
x13 = rotl(x13 ^ x02, 16);
x08 = (x08 + x13) | 0;
x07 = rotl(x07 ^ x08, 12);
x02 = (x02 + x07) | 0;
x13 = rotl(x13 ^ x02, 8);
x08 = (x08 + x13) | 0;
x07 = rotl(x07 ^ x08, 7);
x03 = (x03 + x04) | 0;
x14 = rotl(x14 ^ x03, 16);
x09 = (x09 + x14) | 0;
x04 = rotl(x04 ^ x09, 12);
x03 = (x03 + x04) | 0;
x14 = rotl(x14 ^ x03, 8);
x09 = (x09 + x14) | 0;
x04 = rotl(x04 ^ x09, 7);
}
// Write output
let oi = 0;
out[oi++] = (y00 + x00) | 0;
out[oi++] = (y01 + x01) | 0;
out[oi++] = (y02 + x02) | 0;
out[oi++] = (y03 + x03) | 0;
out[oi++] = (y04 + x04) | 0;
out[oi++] = (y05 + x05) | 0;
out[oi++] = (y06 + x06) | 0;
out[oi++] = (y07 + x07) | 0;
out[oi++] = (y08 + x08) | 0;
out[oi++] = (y09 + x09) | 0;
out[oi++] = (y10 + x10) | 0;
out[oi++] = (y11 + x11) | 0;
out[oi++] = (y12 + x12) | 0;
out[oi++] = (y13 + x13) | 0;
out[oi++] = (y14 + x14) | 0;
out[oi++] = (y15 + x15) | 0;
}
/**
* hchacha helper method, used primarily in xchacha, to hash
* key and nonce into key' and nonce'.
* Same as chachaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
// prettier-ignore
export function hchacha(s, k, i, o32) {
let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
for (let r = 0; r < 20; r += 2) {
x00 = (x00 + x04) | 0;
x12 = rotl(x12 ^ x00, 16);
x08 = (x08 + x12) | 0;
x04 = rotl(x04 ^ x08, 12);
x00 = (x00 + x04) | 0;
x12 = rotl(x12 ^ x00, 8);
x08 = (x08 + x12) | 0;
x04 = rotl(x04 ^ x08, 7);
x01 = (x01 + x05) | 0;
x13 = rotl(x13 ^ x01, 16);
x09 = (x09 + x13) | 0;
x05 = rotl(x05 ^ x09, 12);
x01 = (x01 + x05) | 0;
x13 = rotl(x13 ^ x01, 8);
x09 = (x09 + x13) | 0;
x05 = rotl(x05 ^ x09, 7);
x02 = (x02 + x06) | 0;
x14 = rotl(x14 ^ x02, 16);
x10 = (x10 + x14) | 0;
x06 = rotl(x06 ^ x10, 12);
x02 = (x02 + x06) | 0;
x14 = rotl(x14 ^ x02, 8);
x10 = (x10 + x14) | 0;
x06 = rotl(x06 ^ x10, 7);
x03 = (x03 + x07) | 0;
x15 = rotl(x15 ^ x03, 16);
x11 = (x11 + x15) | 0;
x07 = rotl(x07 ^ x11, 12);
x03 = (x03 + x07) | 0;
x15 = rotl(x15 ^ x03, 8);
x11 = (x11 + x15) | 0;
x07 = rotl(x07 ^ x11, 7);
x00 = (x00 + x05) | 0;
x15 = rotl(x15 ^ x00, 16);
x10 = (x10 + x15) | 0;
x05 = rotl(x05 ^ x10, 12);
x00 = (x00 + x05) | 0;
x15 = rotl(x15 ^ x00, 8);
x10 = (x10 + x15) | 0;
x05 = rotl(x05 ^ x10, 7);
x01 = (x01 + x06) | 0;
x12 = rotl(x12 ^ x01, 16);
x11 = (x11 + x12) | 0;
x06 = rotl(x06 ^ x11, 12);
x01 = (x01 + x06) | 0;
x12 = rotl(x12 ^ x01, 8);
x11 = (x11 + x12) | 0;
x06 = rotl(x06 ^ x11, 7);
x02 = (x02 + x07) | 0;
x13 = rotl(x13 ^ x02, 16);
x08 = (x08 + x13) | 0;
x07 = rotl(x07 ^ x08, 12);
x02 = (x02 + x07) | 0;
x13 = rotl(x13 ^ x02, 8);
x08 = (x08 + x13) | 0;
x07 = rotl(x07 ^ x08, 7);
x03 = (x03 + x04) | 0;
x14 = rotl(x14 ^ x03, 16);
x09 = (x09 + x14) | 0;
x04 = rotl(x04 ^ x09, 12);
x03 = (x03 + x04) | 0;
x14 = rotl(x14 ^ x03, 8);
x09 = (x09 + x14) | 0;
x04 = rotl(x04 ^ x09, 7);
}
let oi = 0;
o32[oi++] = x00;
o32[oi++] = x01;
o32[oi++] = x02;
o32[oi++] = x03;
o32[oi++] = x12;
o32[oi++] = x13;
o32[oi++] = x14;
o32[oi++] = x15;
}
/**
* Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter.
*/
export const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 8,
allowShortKeys: true,
});
/**
* ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
* With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
*/
export const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
allowShortKeys: false,
});
/**
* XChaCha eXtended-nonce ChaCha. 24-byte nonce.
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
* https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
*/
export const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 8,
extendNonceFn: hchacha,
allowShortKeys: false,
});
/**
* Reduced 8-round chacha, described in original paper.
*/
export const chacha8 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 8,
});
/**
* Reduced 12-round chacha, described in original paper.
*/
export const chacha12 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
rounds: 12,
});
const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
// Pad to digest size with zeros
const updatePadded = (h, msg) => {
h.update(msg);
const left = msg.length % 16;
if (left)
h.update(ZEROS16.subarray(left));
};
const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
function computeTag(fn, key, nonce, data, AAD) {
const authKey = fn(key, nonce, ZEROS32);
const h = poly1305.create(authKey);
if (AAD)
updatePadded(h, AAD);
updatePadded(h, data);
const num = u64Lengths(data.length, AAD ? AAD.length : 0, true);
h.update(num);
const res = h.digest();
clean(authKey, num);
return res;
}
/**
* AEAD algorithm from RFC 8439.
* Salsa20 and chacha (RFC 8439) use poly1305 differently.
* We could have composed them similar to:
* https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
* But it's hard because of authKey:
* In salsa20, authKey changes position in salsa stream.
* In chacha, authKey can't be computed inside computeTag, it modifies the counter.
*/
export const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
const tagLength = 16;
return {
encrypt(plaintext, output) {
const plength = plaintext.length;
output = getOutput(plength + tagLength, output, false);
output.set(plaintext);
const oPlain = output.subarray(0, -tagLength);
xorStream(key, nonce, oPlain, oPlain, 1);
const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
output.set(tag, plength); // append tag
clean(tag);
return output;
},
decrypt(ciphertext, output) {
output = getOutput(ciphertext.length - tagLength, output, false);
const data = ciphertext.subarray(0, -tagLength);
const passedTag = ciphertext.subarray(-tagLength);
const tag = computeTag(xorStream, key, nonce, data, AAD);
if (!equalBytes(passedTag, tag))
throw new Error('invalid tag');
output.set(ciphertext.subarray(0, -tagLength));
xorStream(key, nonce, output, output, 1); // start stream with i=1
clean(tag);
return output;
},
};
};
/**
* ChaCha20-Poly1305 from RFC 8439.
*
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XChaCha instead.
*/
export const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
/**
* XChaCha20-Poly1305 extended-nonce chacha.
*
* Can be safely used with random nonces (CSPRNG).
* See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
*/
export const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
//# sourceMappingURL=chacha.js.map

1
node_modules/@noble/ciphers/esm/chacha.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

2
node_modules/@noble/ciphers/esm/crypto.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export declare const crypto: any;
//# sourceMappingURL=crypto.d.ts.map

1
node_modules/@noble/ciphers/esm/crypto.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,MAAM,EAAE,GACqE,CAAC"}

2
node_modules/@noble/ciphers/esm/crypto.js generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
//# sourceMappingURL=crypto.js.map

1
node_modules/@noble/ciphers/esm/crypto.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,MAAM,GACjB,OAAO,UAAU,KAAK,QAAQ,IAAI,QAAQ,IAAI,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC"}

2
node_modules/@noble/ciphers/esm/cryptoNode.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export declare const crypto: any;
//# sourceMappingURL=cryptoNode.d.ts.map

1
node_modules/@noble/ciphers/esm/cryptoNode.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"cryptoNode.d.ts","sourceRoot":"","sources":["../src/cryptoNode.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,MAAM,EAAE,GAKJ,CAAC"}

15
node_modules/@noble/ciphers/esm/cryptoNode.js generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* Internal webcrypto alias.
* We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.
* Falls back to Node.js built-in crypto for Node.js <=v14.
* See utils.ts for details.
* @module
*/
// @ts-ignore
import * as nc from 'node:crypto';
export const crypto = nc && typeof nc === 'object' && 'webcrypto' in nc
? nc.webcrypto
: nc && typeof nc === 'object' && 'randomBytes' in nc
? nc
: undefined;
//# sourceMappingURL=cryptoNode.js.map

1
node_modules/@noble/ciphers/esm/cryptoNode.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"cryptoNode.js","sourceRoot":"","sources":["../src/cryptoNode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,aAAa;AACb,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,MAAM,CAAC,MAAM,MAAM,GACjB,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,WAAW,IAAI,EAAE;IAC/C,CAAC,CAAE,EAAE,CAAC,SAAiB;IACvB,CAAC,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,aAAa,IAAI,EAAE;QACnD,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,SAAS,CAAC"}

9
node_modules/@noble/ciphers/esm/ff1.d.ts generated vendored Normal file
View File

@@ -0,0 +1,9 @@
import { type Cipher } from './utils.ts';
/** FPE-FF1 format-preserving encryption */
export declare function FF1(radix: number, key: Uint8Array, tweak?: Uint8Array): {
encrypt(x: number[]): number[];
decrypt(x: number[]): number[];
};
/** Binary version of FPE-FF1 format-preserving encryption. */
export declare function BinaryFF1(key: Uint8Array, tweak?: Uint8Array): Cipher;
//# sourceMappingURL=ff1.d.ts.map

1
node_modules/@noble/ciphers/esm/ff1.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"ff1.d.ts","sourceRoot":"","sources":["../src/ff1.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,MAAM,EAA4D,MAAM,YAAY,CAAC;AA0FnG,2CAA2C;AAC3C,wBAAgB,GAAG,CACjB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,UAAU,EACf,KAAK,GAAE,UAAsB,GAC5B;IAAE,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAAC,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAA;CAAE,CAgCpE;AAqBD,8DAA8D;AAC9D,wBAAgB,SAAS,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,GAAE,UAAsB,GAAG,MAAM,CAMhF"}

160
node_modules/@noble/ciphers/esm/ff1.js generated vendored Normal file
View File

@@ -0,0 +1,160 @@
/**
* FPE-FF1 (Format-preserving encryption algorithm) specified in
* [NIST 800-38G](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf).
* @module
*/
import { unsafe } from "./aes.js";
import { abytes, anumber, bytesToNumberBE, clean, numberToBytesBE } from "./utils.js";
// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow
const { expandKeyLE, encryptBlock } = unsafe;
// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G.
// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf
const BLOCK_LEN = 16;
function mod(a, b) {
const result = a % b;
return result >= 0 ? result : b + result;
}
function NUMradix(radix, data) {
let res = BigInt(0);
for (let i of data)
res = res * BigInt(radix) + BigInt(i);
return res;
}
function getRound(radix, key, tweak, x) {
if (radix > 2 ** 16 - 1)
throw new Error('invalid radix ' + radix);
// radix**minlen ≥ 100
const minLen = Math.ceil(Math.log(100) / Math.log(radix));
const maxLen = 2 ** 32 - 1;
// 2 ≤ minlen ≤ maxlen < 2**32
if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32)
throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32');
if (!Array.isArray(x))
throw new Error('invalid X');
if (x.length < minLen || x.length > maxLen)
throw new Error('X is outside minLen..maxLen bounds');
const u = Math.floor(x.length / 2);
const v = x.length - u;
const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8);
const d = 4 * Math.ceil(b / 4) + 4;
const padding = mod(-tweak.length - b - 1, 16);
// P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4.
const P = Uint8Array.from([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]);
const view = new DataView(P.buffer);
view.setUint16(4, radix, false);
view.setUint32(8, x.length, false);
view.setUint32(12, tweak.length, false);
// Q = T || [0](tb1) mod 16 || [i]1 || [NUMradix(B)]b.
const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b);
PQ.set(P);
clean(P);
PQ.set(tweak, P.length);
const xk = expandKeyLE(key);
const round = (A, B, i, decrypt = false) => {
// Q = ... || [i]1 || [NUMradix(B)]b.
PQ[PQ.length - b - 1] = i;
if (b)
PQ.set(numberToBytesBE(NUMradix(radix, B), b), PQ.length - b);
// PRF
let r = new Uint8Array(16);
for (let j = 0; j < PQ.length / BLOCK_LEN; j++) {
for (let i = 0; i < BLOCK_LEN; i++)
r[i] ^= PQ[j * BLOCK_LEN + i];
encryptBlock(xk, r);
}
// Let S be the first d bytes of the following string of ⎡d/16⎤ blocks:
// R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ 1]16).
let s = Array.from(r);
for (let j = 1; s.length < d; j++) {
const block = numberToBytesBE(BigInt(j), 16);
for (let k = 0; k < BLOCK_LEN; k++)
block[k] ^= r[k];
s.push(...Array.from(encryptBlock(xk, block)));
}
let y = bytesToNumberBE(Uint8Array.from(s.slice(0, d)));
s.fill(0);
if (decrypt)
y = -y;
const m = i % 2 === 0 ? u : v;
let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m));
// STR(radix, m, c)
const C = Array(m).fill(0);
for (let i = 0; i < m; i++, c /= BigInt(radix))
C[m - 1 - i] = Number(c % BigInt(radix));
A.fill(0);
A = B;
B = C;
return [A, B];
};
const destroy = () => {
clean(xk, PQ);
};
return { u, round, destroy };
}
const EMPTY_BUF = /* @__PURE__ */ Uint8Array.of();
/** FPE-FF1 format-preserving encryption */
export function FF1(radix, key, tweak = EMPTY_BUF) {
anumber(radix);
abytes(key);
abytes(tweak);
const PQ = getRound.bind(null, radix, key, tweak);
return {
encrypt(x) {
const { u, round, destroy } = PQ(x);
let [A, B] = [x.slice(0, u), x.slice(u)];
for (let i = 0; i < 10; i++)
[A, B] = round(A, B, i);
destroy();
const res = A.concat(B);
A.fill(0);
B.fill(0);
return res;
},
decrypt(x) {
const { u, round, destroy } = PQ(x);
// The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm;
// the differences are in Step 6, where:
// 1) the order of the indices is reversed,
// 2) the roles of A and B are swapped
// 3) modular addition is replaced by modular subtraction, in Step 6vi.
let [B, A] = [x.slice(0, u), x.slice(u)];
for (let i = 9; i >= 0; i--)
[A, B] = round(A, B, i, true);
destroy();
const res = B.concat(A);
A.fill(0);
B.fill(0);
return res;
},
};
}
// Binary string which encodes each byte in little-endian byte order
const binLE = {
encode(bytes) {
const x = [];
for (let i = 0; i < bytes.length; i++) {
for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1)
x.push(tmp & 1);
}
return x;
},
decode(b) {
if (!Array.isArray(b) || b.length % 8)
throw new Error('Invalid binary string');
const res = new Uint8Array(b.length / 8);
for (let i = 0, j = 0; i < res.length; i++) {
res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3);
res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7);
}
return res;
},
};
/** Binary version of FPE-FF1 format-preserving encryption. */
export function BinaryFF1(key, tweak = EMPTY_BUF) {
const ff1 = FF1(2, key, tweak);
return {
encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))),
decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))),
};
}
//# sourceMappingURL=ff1.js.map

1
node_modules/@noble/ciphers/esm/ff1.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

2
node_modules/@noble/ciphers/esm/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export {};
//# sourceMappingURL=index.d.ts.map

1
node_modules/@noble/ciphers/esm/index.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

28
node_modules/@noble/ciphers/esm/index.js generated vendored Normal file
View File

@@ -0,0 +1,28 @@
/**
* Audited & minimal JS implementation of Salsa20, ChaCha and AES. Check out individual modules.
* @example
```js
import { gcm, siv } from '@noble/ciphers/aes';
import { xsalsa20poly1305 } from '@noble/ciphers/salsa';
import { secretbox } from '@noble/ciphers/salsa'; // == xsalsa20poly1305
import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha';
// Unauthenticated encryption: make sure to use HMAC or similar
import { ctr, cfb, cbc, ecb } from '@noble/ciphers/aes';
import { salsa20, xsalsa20 } from '@noble/ciphers/salsa';
import { chacha20, xchacha20, chacha8, chacha12 } from '@noble/ciphers/chacha';
// KW
import { aeskw, aeskwp } from '@noble/ciphers/aes';
// Utilities
import { bytesToHex, hexToBytes, bytesToUtf8, utf8ToBytes } from '@noble/ciphers/utils';
import { managedNonce, randomBytes } from '@noble/ciphers/webcrypto';
import { poly1305 } from '@noble/ciphers/_poly1305';
import { ghash, polyval } from '@noble/ciphers/_polyval';
```
* @module
*/
throw new Error('root module cannot be imported: import submodules instead. Check out README');
export {};
//# sourceMappingURL=index.js.map

1
node_modules/@noble/ciphers/esm/index.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC"}

10
node_modules/@noble/ciphers/esm/package.json generated vendored Normal file
View File

@@ -0,0 +1,10 @@
{
"type": "module",
"sideEffects": false,
"browser": {
"node:crypto": false
},
"node": {
"./crypto": "./esm/cryptoNode.js"
}
}

33
node_modules/@noble/ciphers/esm/salsa.d.ts generated vendored Normal file
View File

@@ -0,0 +1,33 @@
import { type ARXCipher, type XorStream } from './utils.ts';
/**
* hsalsa hashing function, used primarily in xsalsa, to hash
* key and nonce into key' and nonce'.
* Same as salsaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
export declare function hsalsa(s: Uint32Array, k: Uint32Array, i: Uint32Array, o32: Uint32Array): void;
/**
* Salsa20 from original paper.
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XSalsa instead.
*/
export declare const salsa20: XorStream;
/**
* xsalsa20 eXtended-nonce salsa.
* Can be safely used with random 24-byte nonces (CSPRNG).
*/
export declare const xsalsa20: XorStream;
/**
* xsalsa20-poly1305 eXtended-nonce salsa.
* Can be safely used with random 24-byte nonces (CSPRNG).
* Also known as secretbox from libsodium / nacl.
*/
export declare const xsalsa20poly1305: ARXCipher;
/**
* Alias to `xsalsa20poly1305`, for compatibility with libsodium / nacl
*/
export declare function secretbox(key: Uint8Array, nonce: Uint8Array): {
seal: (plaintext: Uint8Array, output?: Uint8Array) => Uint8Array;
open: (ciphertext: Uint8Array, output?: Uint8Array) => Uint8Array;
};
//# sourceMappingURL=salsa.d.ts.map

1
node_modules/@noble/ciphers/esm/salsa.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"salsa.d.ts","sourceRoot":"","sources":["../src/salsa.ts"],"names":[],"mappings":"AAiBA,OAAO,EAEL,KAAK,SAAS,EAMd,KAAK,SAAS,EACf,MAAM,YAAY,CAAC;AA+CpB;;;;;GAKG;AAEH,wBAAgB,MAAM,CACpB,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,GAC/D,IAAI,CA4BN;AAED;;;;GAIG;AACH,eAAO,MAAM,OAAO,EAAE,SAGpB,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,QAAQ,EAAE,SAGrB,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAsC9B,CAAC;AAEF;;GAEG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,GAChB;IACD,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,UAAU,KAAK,UAAU,CAAC;IACjE,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,UAAU,KAAK,UAAU,CAAC;CACnE,CAGA"}

201
node_modules/@noble/ciphers/esm/salsa.js generated vendored Normal file
View File

@@ -0,0 +1,201 @@
/**
* [Salsa20](https://cr.yp.to/snuffle.html) stream cipher, released in 2005.
*
* Salsa's goal was to implement AES replacement that does not rely on S-Boxes,
* which are hard to implement in a constant-time manner.
* Salsa20 is usually faster than AES, a big deal on slow, budget mobile phones.
*
* [XSalsa20](https://cr.yp.to/snuffle/xsalsa-20110204.pdf), extended-nonce
* variant was released in 2008. It switched nonces from 96-bit to 192-bit,
* and became safe to be picked at random.
*
* Check out [PDF](https://cr.yp.to/snuffle/salsafamily-20071225.pdf) and
* [wiki](https://en.wikipedia.org/wiki/Salsa20).
* @module
*/
import { createCipher, rotl } from "./_arx.js";
import { poly1305 } from "./_poly1305.js";
import { abytes, clean, equalBytes, getOutput, wrapCipher, } from "./utils.js";
/** Salsa20 core function. */
// prettier-ignore
function salsaCore(s, k, n, out, cnt, rounds = 20) {
// Based on https://cr.yp.to/salsa20.html
let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key
y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce
y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key
y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k"
// Save state to temporary variables
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
for (let r = 0; r < rounds; r += 2) {
x04 ^= rotl(x00 + x12 | 0, 7);
x08 ^= rotl(x04 + x00 | 0, 9);
x12 ^= rotl(x08 + x04 | 0, 13);
x00 ^= rotl(x12 + x08 | 0, 18);
x09 ^= rotl(x05 + x01 | 0, 7);
x13 ^= rotl(x09 + x05 | 0, 9);
x01 ^= rotl(x13 + x09 | 0, 13);
x05 ^= rotl(x01 + x13 | 0, 18);
x14 ^= rotl(x10 + x06 | 0, 7);
x02 ^= rotl(x14 + x10 | 0, 9);
x06 ^= rotl(x02 + x14 | 0, 13);
x10 ^= rotl(x06 + x02 | 0, 18);
x03 ^= rotl(x15 + x11 | 0, 7);
x07 ^= rotl(x03 + x15 | 0, 9);
x11 ^= rotl(x07 + x03 | 0, 13);
x15 ^= rotl(x11 + x07 | 0, 18);
x01 ^= rotl(x00 + x03 | 0, 7);
x02 ^= rotl(x01 + x00 | 0, 9);
x03 ^= rotl(x02 + x01 | 0, 13);
x00 ^= rotl(x03 + x02 | 0, 18);
x06 ^= rotl(x05 + x04 | 0, 7);
x07 ^= rotl(x06 + x05 | 0, 9);
x04 ^= rotl(x07 + x06 | 0, 13);
x05 ^= rotl(x04 + x07 | 0, 18);
x11 ^= rotl(x10 + x09 | 0, 7);
x08 ^= rotl(x11 + x10 | 0, 9);
x09 ^= rotl(x08 + x11 | 0, 13);
x10 ^= rotl(x09 + x08 | 0, 18);
x12 ^= rotl(x15 + x14 | 0, 7);
x13 ^= rotl(x12 + x15 | 0, 9);
x14 ^= rotl(x13 + x12 | 0, 13);
x15 ^= rotl(x14 + x13 | 0, 18);
}
// Write output
let oi = 0;
out[oi++] = (y00 + x00) | 0;
out[oi++] = (y01 + x01) | 0;
out[oi++] = (y02 + x02) | 0;
out[oi++] = (y03 + x03) | 0;
out[oi++] = (y04 + x04) | 0;
out[oi++] = (y05 + x05) | 0;
out[oi++] = (y06 + x06) | 0;
out[oi++] = (y07 + x07) | 0;
out[oi++] = (y08 + x08) | 0;
out[oi++] = (y09 + x09) | 0;
out[oi++] = (y10 + x10) | 0;
out[oi++] = (y11 + x11) | 0;
out[oi++] = (y12 + x12) | 0;
out[oi++] = (y13 + x13) | 0;
out[oi++] = (y14 + x14) | 0;
out[oi++] = (y15 + x15) | 0;
}
/**
* hsalsa hashing function, used primarily in xsalsa, to hash
* key and nonce into key' and nonce'.
* Same as salsaCore, but there doesn't seem to be a way to move the block
* out without 25% performance hit.
*/
// prettier-ignore
export function hsalsa(s, k, i, o32) {
let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3];
for (let r = 0; r < 20; r += 2) {
x04 ^= rotl(x00 + x12 | 0, 7);
x08 ^= rotl(x04 + x00 | 0, 9);
x12 ^= rotl(x08 + x04 | 0, 13);
x00 ^= rotl(x12 + x08 | 0, 18);
x09 ^= rotl(x05 + x01 | 0, 7);
x13 ^= rotl(x09 + x05 | 0, 9);
x01 ^= rotl(x13 + x09 | 0, 13);
x05 ^= rotl(x01 + x13 | 0, 18);
x14 ^= rotl(x10 + x06 | 0, 7);
x02 ^= rotl(x14 + x10 | 0, 9);
x06 ^= rotl(x02 + x14 | 0, 13);
x10 ^= rotl(x06 + x02 | 0, 18);
x03 ^= rotl(x15 + x11 | 0, 7);
x07 ^= rotl(x03 + x15 | 0, 9);
x11 ^= rotl(x07 + x03 | 0, 13);
x15 ^= rotl(x11 + x07 | 0, 18);
x01 ^= rotl(x00 + x03 | 0, 7);
x02 ^= rotl(x01 + x00 | 0, 9);
x03 ^= rotl(x02 + x01 | 0, 13);
x00 ^= rotl(x03 + x02 | 0, 18);
x06 ^= rotl(x05 + x04 | 0, 7);
x07 ^= rotl(x06 + x05 | 0, 9);
x04 ^= rotl(x07 + x06 | 0, 13);
x05 ^= rotl(x04 + x07 | 0, 18);
x11 ^= rotl(x10 + x09 | 0, 7);
x08 ^= rotl(x11 + x10 | 0, 9);
x09 ^= rotl(x08 + x11 | 0, 13);
x10 ^= rotl(x09 + x08 | 0, 18);
x12 ^= rotl(x15 + x14 | 0, 7);
x13 ^= rotl(x12 + x15 | 0, 9);
x14 ^= rotl(x13 + x12 | 0, 13);
x15 ^= rotl(x14 + x13 | 0, 18);
}
let oi = 0;
o32[oi++] = x00;
o32[oi++] = x05;
o32[oi++] = x10;
o32[oi++] = x15;
o32[oi++] = x06;
o32[oi++] = x07;
o32[oi++] = x08;
o32[oi++] = x09;
}
/**
* Salsa20 from original paper.
* Unsafe to use random nonces under the same key, due to collision chance.
* Prefer XSalsa instead.
*/
export const salsa20 = /* @__PURE__ */ createCipher(salsaCore, {
allowShortKeys: true,
counterRight: true,
});
/**
* xsalsa20 eXtended-nonce salsa.
* Can be safely used with random 24-byte nonces (CSPRNG).
*/
export const xsalsa20 = /* @__PURE__ */ createCipher(salsaCore, {
counterRight: true,
extendNonceFn: hsalsa,
});
/**
* xsalsa20-poly1305 eXtended-nonce salsa.
* Can be safely used with random 24-byte nonces (CSPRNG).
* Also known as secretbox from libsodium / nacl.
*/
export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => {
return {
encrypt(plaintext, output) {
// xsalsa20poly1305 optimizes by calculating auth key during the same call as encryption.
// Unfortunately, makes it hard to separate tag calculation & encryption itself,
// because 32 bytes is half-block of 64-byte salsa.
output = getOutput(plaintext.length + 32, output, false); // need 32 additional bytes, see above
const authKey = output.subarray(0, 32); // output[0..32] = poly1305 auth key
const ciphPlaintext = output.subarray(32); // output[32..] = plaintext, then ciphertext
output.set(plaintext, 32);
clean(authKey); // authKey is produced by xoring with zeros
xsalsa20(key, nonce, output, output); // output = stream ^ output; authKey = stream ^ zeros(32)
const tag = poly1305(ciphPlaintext, authKey); // calculate tag over ciphertext
output.set(tag, 16); // output[16..32] = tag
clean(output.subarray(0, 16), tag); // clean-up authKey remnants & copy of tag
return output.subarray(16); // return output[16..]
},
decrypt(ciphertext, output) {
// tmp part passed tag ciphertext
// [0..32] [32..48] [48..]
abytes(ciphertext);
output = getOutput(ciphertext.length + 32, output, false);
const tmp = output.subarray(0, 32); // output[0..32] is used to calc authKey
const passedTag = output.subarray(32, 48); // output[32..48] = passed tag
const ciphPlaintext = output.subarray(48); // output[48..] = ciphertext, then plaintext
output.set(ciphertext, 32); // copy ciphertext into output
clean(tmp); // authKey is produced by xoring with zeros
const authKey = xsalsa20(key, nonce, tmp, tmp); // authKey = stream ^ zeros(32)
const tag = poly1305(ciphPlaintext, authKey); // calculate tag over ciphertext
if (!equalBytes(passedTag, tag))
throw new Error('invalid tag');
xsalsa20(key, nonce, output.subarray(16), output.subarray(16)); // output = stream ^ output[16..]
clean(tmp, passedTag, tag);
return ciphPlaintext; // return output[48..], skipping zeroized output[0..48]
},
};
});
/**
* Alias to `xsalsa20poly1305`, for compatibility with libsodium / nacl
*/
export function secretbox(key, nonce) {
const xs = xsalsa20poly1305(key, nonce);
return { seal: xs.encrypt, open: xs.decrypt };
}
//# sourceMappingURL=salsa.js.map

1
node_modules/@noble/ciphers/esm/salsa.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

155
node_modules/@noble/ciphers/esm/utils.d.ts generated vendored Normal file
View File

@@ -0,0 +1,155 @@
/**
* Utilities for hex, bytes, CSPRNG.
* @module
*/
/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
export declare function isBytes(a: unknown): a is Uint8Array;
/** Asserts something is boolean. */
export declare function abool(b: boolean): void;
/** Asserts something is positive integer. */
export declare function anumber(n: number): void;
/** Asserts something is Uint8Array. */
export declare function abytes(b: Uint8Array | undefined, ...lengths: number[]): void;
/**
* Asserts something is hash
* TODO: remove
* @deprecated
*/
export declare function ahash(h: IHash): void;
/** Asserts a hash instance has not been destroyed / finished */
export declare function aexists(instance: any, checkFinished?: boolean): void;
/** Asserts output is properly-sized byte array */
export declare function aoutput(out: any, instance: any): void;
export type IHash = {
(data: string | Uint8Array): Uint8Array;
blockLen: number;
outputLen: number;
create: any;
};
/** Generic type encompassing 8/16/32-byte arrays - but not 64-byte. */
export type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array | Uint16Array | Int16Array | Uint32Array | Int32Array;
/** Cast u8 / u16 / u32 to u8. */
export declare function u8(arr: TypedArray): Uint8Array;
/** Cast u8 / u16 / u32 to u32. */
export declare function u32(arr: TypedArray): Uint32Array;
/** Zeroize a byte array. Warning: JS provides no guarantees. */
export declare function clean(...arrays: TypedArray[]): void;
/** Create DataView of an array for easy byte-level manipulation. */
export declare function createView(arr: TypedArray): DataView;
/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
export declare const isLE: boolean;
/**
* Convert byte array to hex string. Uses built-in function, when available.
* @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
*/
export declare function bytesToHex(bytes: Uint8Array): string;
/**
* Convert hex string to byte array. Uses built-in function, when available.
* @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
*/
export declare function hexToBytes(hex: string): Uint8Array;
export declare function hexToNumber(hex: string): bigint;
export declare function bytesToNumberBE(bytes: Uint8Array): bigint;
export declare function numberToBytesBE(n: number | bigint, len: number): Uint8Array;
export declare const nextTick: () => Promise<void>;
/**
* Converts string to bytes using UTF8 encoding.
* @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
*/
export declare function utf8ToBytes(str: string): Uint8Array;
/**
* Converts bytes to string using UTF8 encoding.
* @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc'
*/
export declare function bytesToUtf8(bytes: Uint8Array): string;
export type Input = Uint8Array | string;
/**
* Normalizes (non-hex) string or Uint8Array to Uint8Array.
* Warning: when Uint8Array is passed, it would NOT get copied.
* Keep in mind for future mutable operations.
*/
export declare function toBytes(data: string | Uint8Array): Uint8Array;
/**
* Checks if two U8A use same underlying buffer and overlaps.
* This is invalid and can corrupt data.
*/
export declare function overlapBytes(a: Uint8Array, b: Uint8Array): boolean;
/**
* If input and output overlap and input starts before output, we will overwrite end of input before
* we start processing it, so this is not supported for most ciphers (except chacha/salse, which designed with this)
*/
export declare function complexOverlapBytes(input: Uint8Array, output: Uint8Array): void;
/**
* Copies several Uint8Arrays into one.
*/
export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
type EmptyObj = {};
export declare function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(defaults: T1, opts: T2): T1 & T2;
/** Compares 2 uint8array-s in kinda constant time. */
export declare function equalBytes(a: Uint8Array, b: Uint8Array): boolean;
/** For runtime check if class implements interface. */
export declare abstract class Hash<T extends Hash<T>> {
abstract blockLen: number;
abstract outputLen: number;
abstract update(buf: string | Uint8Array): this;
abstract digestInto(buf: Uint8Array): void;
abstract digest(): Uint8Array;
/**
* Resets internal state. Makes Hash instance unusable.
* Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed
* by user, they will need to manually call `destroy()` when zeroing is necessary.
*/
abstract destroy(): void;
}
/** Sync cipher: takes byte array and returns byte array. */
export type Cipher = {
encrypt(plaintext: Uint8Array): Uint8Array;
decrypt(ciphertext: Uint8Array): Uint8Array;
};
/** Async cipher e.g. from built-in WebCrypto. */
export type AsyncCipher = {
encrypt(plaintext: Uint8Array): Promise<Uint8Array>;
decrypt(ciphertext: Uint8Array): Promise<Uint8Array>;
};
/** Cipher with `output` argument which can optimize by doing 1 less allocation. */
export type CipherWithOutput = Cipher & {
encrypt(plaintext: Uint8Array, output?: Uint8Array): Uint8Array;
decrypt(ciphertext: Uint8Array, output?: Uint8Array): Uint8Array;
};
/**
* Params are outside of return type, so it is accessible before calling constructor.
* If function support multiple nonceLength's, we return the best one.
*/
export type CipherParams = {
blockSize: number;
nonceLength?: number;
tagLength?: number;
varSizeNonce?: boolean;
};
/** ARX cipher, like salsa or chacha. */
export type ARXCipher = ((key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => CipherWithOutput) & {
blockSize: number;
nonceLength: number;
tagLength: number;
};
export type CipherCons<T extends any[]> = (key: Uint8Array, ...args: T) => Cipher;
/**
* Wraps a cipher: validates args, ensures encrypt() can only be called once.
* @__NO_SIDE_EFFECTS__
*/
export declare const wrapCipher: <C extends CipherCons<any>, P extends CipherParams>(params: P, constructor: C) => C & P;
/** Represents salsa / chacha stream. */
export type XorStream = (key: Uint8Array, nonce: Uint8Array, data: Uint8Array, output?: Uint8Array, counter?: number) => Uint8Array;
/**
* By default, returns u8a of length.
* When out is available, it checks it for validity and uses it.
*/
export declare function getOutput(expectedLength: number, out?: Uint8Array, onlyAligned?: boolean): Uint8Array;
/** Polyfill for Safari 14. */
export declare function setBigUint64(view: DataView, byteOffset: number, value: bigint, isLE: boolean): void;
export declare function u64Lengths(dataLength: number, aadLength: number, isLE: boolean): Uint8Array;
export declare function isAligned32(bytes: Uint8Array): boolean;
export declare function copyBytes(bytes: Uint8Array): Uint8Array;
export {};
//# sourceMappingURL=utils.d.ts.map

1
node_modules/@noble/ciphers/esm/utils.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,uEAAuE;AAEvE,qFAAqF;AACrF,wBAAgB,OAAO,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,UAAU,CAEnD;AAED,oCAAoC;AACpC,wBAAgB,KAAK,CAAC,CAAC,EAAE,OAAO,GAAG,IAAI,CAEtC;AAED,6CAA6C;AAC7C,wBAAgB,OAAO,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI,CAEvC;AAED,uCAAuC;AACvC,wBAAgB,MAAM,CAAC,CAAC,EAAE,UAAU,GAAG,SAAS,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAI5E;AAED;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI,CAKpC;AAED,gEAAgE;AAChE,wBAAgB,OAAO,CAAC,QAAQ,EAAE,GAAG,EAAE,aAAa,UAAO,GAAG,IAAI,CAGjE;AAED,kDAAkD;AAClD,wBAAgB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,GAAG,IAAI,CAMrD;AAED,MAAM,MAAM,KAAK,GAAG;IAClB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAAC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,GAAG,CAAC;CACb,CAAC;AAEF,uEAAuE;AAEvE,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,iBAAiB,GAAG,UAAU,GACjE,WAAW,GAAG,UAAU,GAAG,WAAW,GAAG,UAAU,CAAC;AAEtD,iCAAiC;AACjC,wBAAgB,EAAE,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAE9C;AAED,kCAAkC;AAClC,wBAAgB,GAAG,CAAC,GAAG,EAAE,UAAU,GAAG,WAAW,CAEhD;AAED,gEAAgE;AAChE,wBAAgB,KAAK,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAInD;AAED,oEAAoE;AACpE,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,QAAQ,CAEpD;AAED,4EAA4E;AAC5E,eAAO,MAAM,IAAI,EAAE,OACkD,CAAC;AAYtE;;;GAGG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAUpD;AAWD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAkBlD;AAGD,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG/C;AAID,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEzD;AAGD,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU,CAE3E;AAMD,eAAO,MAAM,QAAQ,QAAa,OAAO,CAAC,IAAI,CAAO,CAAC;AAMtD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAGnD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAErD;AAGD,MAAM,MAAM,KAAK,GAAG,UAAU,GAAG,MAAM,CAAC;AACxC;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAK7D;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAMlE;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAK/E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAc/D;AAGD,KAAK,QAAQ,GAAG,EAAE,CAAC;AACnB,wBAAgB,SAAS,CAAC,EAAE,SAAS,QAAQ,EAAE,EAAE,SAAS,QAAQ,EAChE,QAAQ,EAAE,EAAE,EACZ,IAAI,EAAE,EAAE,GACP,EAAE,GAAG,EAAE,CAIT;AAED,sDAAsD;AACtD,wBAAgB,UAAU,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAKhE;AAGD,uDAAuD;AACvD,8BAAsB,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAE/C,QAAQ,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAC1C,QAAQ,CAAC,MAAM,IAAI,UAAU;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,OAAO,IAAI,IAAI;CACzB;AAKD,4DAA4D;AAC5D,MAAM,MAAM,MAAM,GAAG;IACnB,OAAO,CAAC,SAAS,EAAE,UAAU,GAAG,UAAU,CAAC;IAC3C,OAAO,CAAC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC;CAC7C,CAAC;AAEF,iDAAiD;AACjD,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACpD,OAAO,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACtD,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG;IACtC,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,UAAU,GAAG,UAAU,CAAC;IAChE,OAAO,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,UAAU,GAAG,UAAU,CAAC;CAClE,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB,CAAC;AACF,wCAAwC;AACxC,MAAM,MAAM,SAAS,GAAG,CAAC,CACvB,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,EACjB,GAAG,CAAC,EAAE,UAAU,KACb,gBAAgB,CAAC,GAAG;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AACF,MAAM,MAAM,UAAU,CAAC,CAAC,SAAS,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,CAAC,KAAK,MAAM,CAAC;AAClF;;;GAGG;AACH,eAAO,MAAM,UAAU,GAAI,CAAC,SAAS,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,YAAY,EAC1E,QAAQ,CAAC,EACT,aAAa,CAAC,KACb,CAAC,GAAG,CAqDN,CAAC;AAEF,wCAAwC;AACxC,MAAM,MAAM,SAAS,GAAG,CACtB,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,EACjB,IAAI,EAAE,UAAU,EAChB,MAAM,CAAC,EAAE,UAAU,EACnB,OAAO,CAAC,EAAE,MAAM,KACb,UAAU,CAAC;AAEhB;;;GAGG;AACH,wBAAgB,SAAS,CACvB,cAAc,EAAE,MAAM,EACtB,GAAG,CAAC,EAAE,UAAU,EAChB,WAAW,UAAO,GACjB,UAAU,CAMZ;AAED,8BAA8B;AAC9B,wBAAgB,YAAY,CAC1B,IAAI,EAAE,QAAQ,EACd,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,OAAO,GACZ,IAAI,CAUN;AAED,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAO3F;AAGD,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAEtD;AAGD,wBAAgB,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,CAEvD"}

339
node_modules/@noble/ciphers/esm/utils.js generated vendored Normal file
View File

@@ -0,0 +1,339 @@
/**
* Utilities for hex, bytes, CSPRNG.
* @module
*/
/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
export function isBytes(a) {
return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
}
/** Asserts something is boolean. */
export function abool(b) {
if (typeof b !== 'boolean')
throw new Error(`boolean expected, not ${b}`);
}
/** Asserts something is positive integer. */
export function anumber(n) {
if (!Number.isSafeInteger(n) || n < 0)
throw new Error('positive integer expected, got ' + n);
}
/** Asserts something is Uint8Array. */
export function abytes(b, ...lengths) {
if (!isBytes(b))
throw new Error('Uint8Array expected');
if (lengths.length > 0 && !lengths.includes(b.length))
throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
}
/**
* Asserts something is hash
* TODO: remove
* @deprecated
*/
export function ahash(h) {
if (typeof h !== 'function' || typeof h.create !== 'function')
throw new Error('Hash should be wrapped by utils.createHasher');
anumber(h.outputLen);
anumber(h.blockLen);
}
/** Asserts a hash instance has not been destroyed / finished */
export function aexists(instance, checkFinished = true) {
if (instance.destroyed)
throw new Error('Hash instance has been destroyed');
if (checkFinished && instance.finished)
throw new Error('Hash#digest() has already been called');
}
/** Asserts output is properly-sized byte array */
export function aoutput(out, instance) {
abytes(out);
const min = instance.outputLen;
if (out.length < min) {
throw new Error('digestInto() expects output buffer of length at least ' + min);
}
}
/** Cast u8 / u16 / u32 to u8. */
export function u8(arr) {
return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
}
/** Cast u8 / u16 / u32 to u32. */
export function u32(arr) {
return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
}
/** Zeroize a byte array. Warning: JS provides no guarantees. */
export function clean(...arrays) {
for (let i = 0; i < arrays.length; i++) {
arrays[i].fill(0);
}
}
/** Create DataView of an array for easy byte-level manipulation. */
export function createView(arr) {
return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
}
/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
export const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex
const hasHexBuiltin = /* @__PURE__ */ (() =>
// @ts-ignore
typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')();
// Array where index 0xf0 (240) is mapped to string 'f0'
const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
/**
* Convert byte array to hex string. Uses built-in function, when available.
* @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
*/
export function bytesToHex(bytes) {
abytes(bytes);
// @ts-ignore
if (hasHexBuiltin)
return bytes.toHex();
// pre-caching improves the speed 6x
let hex = '';
for (let i = 0; i < bytes.length; i++) {
hex += hexes[bytes[i]];
}
return hex;
}
// We use optimized technique to convert hex string to byte array
const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
function asciiToBase16(ch) {
if (ch >= asciis._0 && ch <= asciis._9)
return ch - asciis._0; // '2' => 50-48
if (ch >= asciis.A && ch <= asciis.F)
return ch - (asciis.A - 10); // 'B' => 66-(65-10)
if (ch >= asciis.a && ch <= asciis.f)
return ch - (asciis.a - 10); // 'b' => 98-(97-10)
return;
}
/**
* Convert hex string to byte array. Uses built-in function, when available.
* @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
*/
export function hexToBytes(hex) {
if (typeof hex !== 'string')
throw new Error('hex string expected, got ' + typeof hex);
// @ts-ignore
if (hasHexBuiltin)
return Uint8Array.fromHex(hex);
const hl = hex.length;
const al = hl / 2;
if (hl % 2)
throw new Error('hex string expected, got unpadded hex of length ' + hl);
const array = new Uint8Array(al);
for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
const n1 = asciiToBase16(hex.charCodeAt(hi));
const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
if (n1 === undefined || n2 === undefined) {
const char = hex[hi] + hex[hi + 1];
throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
}
array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
}
return array;
}
// Used in micro
export function hexToNumber(hex) {
if (typeof hex !== 'string')
throw new Error('hex string expected, got ' + typeof hex);
return BigInt(hex === '' ? '0' : '0x' + hex); // Big Endian
}
// Used in ff1
// BE: Big Endian, LE: Little Endian
export function bytesToNumberBE(bytes) {
return hexToNumber(bytesToHex(bytes));
}
// Used in micro, ff1
export function numberToBytesBE(n, len) {
return hexToBytes(n.toString(16).padStart(len * 2, '0'));
}
// TODO: remove
// There is no setImmediate in browser and setTimeout is slow.
// call of async fn will return Promise, which will be fullfiled only on
// next scheduler queue processing step and this is exactly what we need.
export const nextTick = async () => { };
/**
* Converts string to bytes using UTF8 encoding.
* @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
*/
export function utf8ToBytes(str) {
if (typeof str !== 'string')
throw new Error('string expected');
return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
}
/**
* Converts bytes to string using UTF8 encoding.
* @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc'
*/
export function bytesToUtf8(bytes) {
return new TextDecoder().decode(bytes);
}
/**
* Normalizes (non-hex) string or Uint8Array to Uint8Array.
* Warning: when Uint8Array is passed, it would NOT get copied.
* Keep in mind for future mutable operations.
*/
export function toBytes(data) {
if (typeof data === 'string')
data = utf8ToBytes(data);
else if (isBytes(data))
data = copyBytes(data);
else
throw new Error('Uint8Array expected, got ' + typeof data);
return data;
}
/**
* Checks if two U8A use same underlying buffer and overlaps.
* This is invalid and can corrupt data.
*/
export function overlapBytes(a, b) {
return (a.buffer === b.buffer && // best we can do, may fail with an obscure Proxy
a.byteOffset < b.byteOffset + b.byteLength && // a starts before b end
b.byteOffset < a.byteOffset + a.byteLength // b starts before a end
);
}
/**
* If input and output overlap and input starts before output, we will overwrite end of input before
* we start processing it, so this is not supported for most ciphers (except chacha/salse, which designed with this)
*/
export function complexOverlapBytes(input, output) {
// This is very cursed. It works somehow, but I'm completely unsure,
// reasoning about overlapping aligned windows is very hard.
if (overlapBytes(input, output) && input.byteOffset < output.byteOffset)
throw new Error('complex overlap of input and output is not supported');
}
/**
* Copies several Uint8Arrays into one.
*/
export function concatBytes(...arrays) {
let sum = 0;
for (let i = 0; i < arrays.length; i++) {
const a = arrays[i];
abytes(a);
sum += a.length;
}
const res = new Uint8Array(sum);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const a = arrays[i];
res.set(a, pad);
pad += a.length;
}
return res;
}
export function checkOpts(defaults, opts) {
if (opts == null || typeof opts !== 'object')
throw new Error('options must be defined');
const merged = Object.assign(defaults, opts);
return merged;
}
/** Compares 2 uint8array-s in kinda constant time. */
export function equalBytes(a, b) {
if (a.length !== b.length)
return false;
let diff = 0;
for (let i = 0; i < a.length; i++)
diff |= a[i] ^ b[i];
return diff === 0;
}
// TODO: remove
/** For runtime check if class implements interface. */
export class Hash {
}
/**
* Wraps a cipher: validates args, ensures encrypt() can only be called once.
* @__NO_SIDE_EFFECTS__
*/
export const wrapCipher = (params, constructor) => {
function wrappedCipher(key, ...args) {
// Validate key
abytes(key);
// Big-Endian hardware is rare. Just in case someone still decides to run ciphers:
if (!isLE)
throw new Error('Non little-endian hardware is not yet supported');
// Validate nonce if nonceLength is present
if (params.nonceLength !== undefined) {
const nonce = args[0];
if (!nonce)
throw new Error('nonce / iv required');
if (params.varSizeNonce)
abytes(nonce);
else
abytes(nonce, params.nonceLength);
}
// Validate AAD if tagLength present
const tagl = params.tagLength;
if (tagl && args[1] !== undefined) {
abytes(args[1]);
}
const cipher = constructor(key, ...args);
const checkOutput = (fnLength, output) => {
if (output !== undefined) {
if (fnLength !== 2)
throw new Error('cipher output not supported');
abytes(output);
}
};
// Create wrapped cipher with validation and single-use encryption
let called = false;
const wrCipher = {
encrypt(data, output) {
if (called)
throw new Error('cannot encrypt() twice with same key + nonce');
called = true;
abytes(data);
checkOutput(cipher.encrypt.length, output);
return cipher.encrypt(data, output);
},
decrypt(data, output) {
abytes(data);
if (tagl && data.length < tagl)
throw new Error('invalid ciphertext length: smaller than tagLength=' + tagl);
checkOutput(cipher.decrypt.length, output);
return cipher.decrypt(data, output);
},
};
return wrCipher;
}
Object.assign(wrappedCipher, params);
return wrappedCipher;
};
/**
* By default, returns u8a of length.
* When out is available, it checks it for validity and uses it.
*/
export function getOutput(expectedLength, out, onlyAligned = true) {
if (out === undefined)
return new Uint8Array(expectedLength);
if (out.length !== expectedLength)
throw new Error('invalid output length, expected ' + expectedLength + ', got: ' + out.length);
if (onlyAligned && !isAligned32(out))
throw new Error('invalid output, must be aligned');
return out;
}
/** Polyfill for Safari 14. */
export function setBigUint64(view, byteOffset, value, isLE) {
if (typeof view.setBigUint64 === 'function')
return view.setBigUint64(byteOffset, value, isLE);
const _32n = BigInt(32);
const _u32_max = BigInt(0xffffffff);
const wh = Number((value >> _32n) & _u32_max);
const wl = Number(value & _u32_max);
const h = isLE ? 4 : 0;
const l = isLE ? 0 : 4;
view.setUint32(byteOffset + h, wh, isLE);
view.setUint32(byteOffset + l, wl, isLE);
}
export function u64Lengths(dataLength, aadLength, isLE) {
abool(isLE);
const num = new Uint8Array(16);
const view = createView(num);
setBigUint64(view, 0, BigInt(aadLength), isLE);
setBigUint64(view, 8, BigInt(dataLength), isLE);
return num;
}
// Is byte array aligned to 4 byte offset (u32)?
export function isAligned32(bytes) {
return bytes.byteOffset % 4 === 0;
}
// copy bytes to new u8a (aligned). Because Buffer.slice is broken.
export function copyBytes(bytes) {
return Uint8Array.from(bytes);
}
//# sourceMappingURL=utils.js.map

1
node_modules/@noble/ciphers/esm/utils.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

31
node_modules/@noble/ciphers/esm/webcrypto.d.ts generated vendored Normal file
View File

@@ -0,0 +1,31 @@
import { type AsyncCipher, type Cipher } from './utils.ts';
/**
* Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.
*/
export declare function randomBytes(bytesLength?: number): Uint8Array;
export declare function getWebcryptoSubtle(): any;
type RemoveNonceInner<T extends any[], Ret> = ((...args: T) => Ret) extends (arg0: any, arg1: any, ...rest: infer R) => any ? (key: Uint8Array, ...args: R) => Ret : never;
type RemoveNonce<T extends (...args: any) => any> = RemoveNonceInner<Parameters<T>, ReturnType<T>>;
type CipherWithNonce = ((key: Uint8Array, nonce: Uint8Array, ...args: any[]) => Cipher) & {
nonceLength: number;
};
/**
* Uses CSPRG for nonce, nonce injected in ciphertext.
* @example
* const gcm = managedNonce(aes.gcm);
* const ciphr = gcm(key).encrypt(data);
* const plain = gcm(key).decrypt(ciph);
*/
export declare function managedNonce<T extends CipherWithNonce>(fn: T): RemoveNonce<T>;
export declare const utils: {
encrypt: (key: Uint8Array, ...all: any[]) => Promise<Uint8Array>;
decrypt: (key: Uint8Array, ...all: any[]) => Promise<Uint8Array>;
};
/** AES-CBC, native webcrypto version */
export declare const cbc: (key: Uint8Array, iv: Uint8Array) => AsyncCipher;
/** AES-CTR, native webcrypto version */
export declare const ctr: (key: Uint8Array, nonce: Uint8Array) => AsyncCipher;
/** AES-GCM, native webcrypto version */
export declare const gcm: (key: Uint8Array, nonce: Uint8Array, AAD?: Uint8Array) => AsyncCipher;
export {};
//# sourceMappingURL=webcrypto.d.ts.map

1
node_modules/@noble/ciphers/esm/webcrypto.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"webcrypto.d.ts","sourceRoot":"","sources":["../src/webcrypto.ts"],"names":[],"mappings":"AAYA,OAAO,EAAmB,KAAK,WAAW,EAAE,KAAK,MAAM,EAAe,MAAM,YAAY,CAAC;AAEzF;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,SAAK,GAAG,UAAU,CASxD;AAED,wBAAgB,kBAAkB,IAAI,GAAG,CAGxC;AAED,KAAK,gBAAgB,CAAC,CAAC,SAAS,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,GAAG,CAAC,SAAS,CAC1E,IAAI,EAAE,GAAG,EACT,IAAI,EAAE,GAAG,EACT,GAAG,IAAI,EAAE,MAAM,CAAC,KACb,GAAG,GACJ,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,CAAC,KAAK,GAAG,GACpC,KAAK,CAAC;AAEV,KAAK,WAAW,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,KAAK,GAAG,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACnG,KAAK,eAAe,GAAG,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,MAAM,CAAC,GAAG;IACxF,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,eAAe,EAAE,EAAE,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAiB7E;AAID,eAAO,MAAM,KAAK,EAAE;IAClB,OAAO,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IACjE,OAAO,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;CAwBlE,CAAC;AA2CF,wCAAwC;AACxC,eAAO,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,KAAK,WAChC,CAAC;AACxB,wCAAwC;AACxC,eAAO,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,KAAK,WACnC,CAAC;AACxB,wCAAwC;AACxC,eAAO,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU,KAAK,WAC9B,CAAC"}

135
node_modules/@noble/ciphers/esm/webcrypto.js generated vendored Normal file
View File

@@ -0,0 +1,135 @@
/**
* WebCrypto-based AES gcm/ctr/cbc, `managedNonce` and `randomBytes`.
* We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
* node.js versions earlier than v19 don't declare it in global scope.
* For node.js, package.js on#exports field mapping rewrites import
* from `crypto` to `cryptoNode`, which imports native module.
* Makes the utils un-importable in browsers without a bundler.
* Once node.js 18 is deprecated, we can just drop the import.
* @module
*/
// Use full path so that Node.js can rewrite it to `cryptoNode.js`.
import { crypto } from '@noble/ciphers/crypto';
import { abytes, anumber, concatBytes } from "./utils.js";
/**
* Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.
*/
export function randomBytes(bytesLength = 32) {
if (crypto && typeof crypto.getRandomValues === 'function') {
return crypto.getRandomValues(new Uint8Array(bytesLength));
}
// Legacy Node.js compatibility
if (crypto && typeof crypto.randomBytes === 'function') {
return Uint8Array.from(crypto.randomBytes(bytesLength));
}
throw new Error('crypto.getRandomValues must be defined');
}
export function getWebcryptoSubtle() {
if (crypto && typeof crypto.subtle === 'object' && crypto.subtle != null)
return crypto.subtle;
throw new Error('crypto.subtle must be defined');
}
/**
* Uses CSPRG for nonce, nonce injected in ciphertext.
* @example
* const gcm = managedNonce(aes.gcm);
* const ciphr = gcm(key).encrypt(data);
* const plain = gcm(key).decrypt(ciph);
*/
export function managedNonce(fn) {
const { nonceLength } = fn;
anumber(nonceLength);
return ((key, ...args) => ({
encrypt(plaintext, ...argsEnc) {
const nonce = randomBytes(nonceLength);
const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc);
const out = concatBytes(nonce, ciphertext);
ciphertext.fill(0);
return out;
},
decrypt(ciphertext, ...argsDec) {
const nonce = ciphertext.subarray(0, nonceLength);
const data = ciphertext.subarray(nonceLength);
return fn(key, nonce, ...args).decrypt(data, ...argsDec);
},
}));
}
// Overridable
// @TODO
export const utils = {
async encrypt(key, keyParams, cryptParams, plaintext) {
const cr = getWebcryptoSubtle();
const iKey = await cr.importKey('raw', key, keyParams, true, ['encrypt']);
const ciphertext = await cr.encrypt(cryptParams, iKey, plaintext);
return new Uint8Array(ciphertext);
},
async decrypt(key, keyParams, cryptParams, ciphertext) {
const cr = getWebcryptoSubtle();
const iKey = await cr.importKey('raw', key, keyParams, true, ['decrypt']);
const plaintext = await cr.decrypt(cryptParams, iKey, ciphertext);
return new Uint8Array(plaintext);
},
};
const mode = {
CBC: 'AES-CBC',
CTR: 'AES-CTR',
GCM: 'AES-GCM',
};
function getCryptParams(algo, nonce, AAD) {
if (algo === mode.CBC)
return { name: mode.CBC, iv: nonce };
if (algo === mode.CTR)
return { name: mode.CTR, counter: nonce, length: 64 };
if (algo === mode.GCM) {
if (AAD)
return { name: mode.GCM, iv: nonce, additionalData: AAD };
else
return { name: mode.GCM, iv: nonce };
}
throw new Error('unknown aes block mode');
}
function generate(algo) {
return (key, nonce, AAD) => {
abytes(key);
abytes(nonce);
const keyParams = { name: algo, length: key.length * 8 };
const cryptParams = getCryptParams(algo, nonce, AAD);
let consumed = false;
return {
// keyLength,
encrypt(plaintext) {
abytes(plaintext);
if (consumed)
throw new Error('Cannot encrypt() twice with same key / nonce');
consumed = true;
return utils.encrypt(key, keyParams, cryptParams, plaintext);
},
decrypt(ciphertext) {
abytes(ciphertext);
return utils.decrypt(key, keyParams, cryptParams, ciphertext);
},
};
};
}
/** AES-CBC, native webcrypto version */
export const cbc = /* @__PURE__ */ (() => generate(mode.CBC))();
/** AES-CTR, native webcrypto version */
export const ctr = /* @__PURE__ */ (() => generate(mode.CTR))();
/** AES-GCM, native webcrypto version */
export const gcm =
/* @__PURE__ */ (() => generate(mode.GCM))();
// // Type tests
// import { siv, gcm, ctr, ecb, cbc } from '../aes.ts';
// import { xsalsa20poly1305 } from '../salsa.ts';
// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.ts';
// const wsiv = managedNonce(siv);
// const wgcm = managedNonce(gcm);
// const wctr = managedNonce(ctr);
// const wcbc = managedNonce(cbc);
// const wsalsapoly = managedNonce(xsalsa20poly1305);
// const wchacha = managedNonce(chacha20poly1305);
// const wxchacha = managedNonce(xchacha20poly1305);
// // should fail
// const wcbc2 = managedNonce(managedNonce(cbc));
// const wctr = managedNonce(ctr);
//# sourceMappingURL=webcrypto.js.map

1
node_modules/@noble/ciphers/esm/webcrypto.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"webcrypto.js","sourceRoot":"","sources":["../src/webcrypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,mEAAmE;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAiC,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,WAAW,GAAG,EAAE;IAC1C,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,eAAe,KAAK,UAAU,EAAE,CAAC;QAC3D,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7D,CAAC;IACD,+BAA+B;IAC/B,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;QACvD,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,IAAI,IAAI;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC;IAC/F,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;AACnD,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAA4B,EAAK;IAC3D,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;IAC3B,OAAO,CAAC,WAAW,CAAC,CAAC;IACrB,OAAO,CAAC,CAAC,GAAe,EAAE,GAAG,IAAW,EAAO,EAAE,CAAC,CAAC;QACjD,OAAO,CAAC,SAAqB,EAAE,GAAG,OAAc;YAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;YACvC,MAAM,UAAU,GAAI,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,OAAe,CAAC,SAAS,EAAE,GAAG,OAAO,CAAC,CAAC;YACnF,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;YAC3C,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnB,OAAO,GAAG,CAAC;QACb,CAAC;QACD,OAAO,CAAC,UAAsB,EAAE,GAAG,OAAc;YAC/C,MAAM,KAAK,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;YAClD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC9C,OAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,OAAe,CAAC,IAAI,EAAE,GAAG,OAAO,CAAC,CAAC;QACpE,CAAC;KACF,CAAC,CAAmB,CAAC;AACxB,CAAC;AAED,cAAc;AACd,QAAQ;AACR,MAAM,CAAC,MAAM,KAAK,GAGd;IACF,KAAK,CAAC,OAAO,CACX,GAAe,EACf,SAAc,EACd,WAAgB,EAChB,SAAqB;QAErB,MAAM,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1E,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;QAClE,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IACD,KAAK,CAAC,OAAO,CACX,GAAe,EACf,SAAc,EACd,WAAgB,EAChB,UAAsB;QAEtB,MAAM,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;QAClE,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;CACF,CAAC;AAEF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE,SAAS;IACd,GAAG,EAAE,SAAS;IACd,GAAG,EAAE,SAAS;CACN,CAAC;AAGX,SAAS,cAAc,CAAC,IAAe,EAAE,KAAiB,EAAE,GAAgB;IAC1E,IAAI,IAAI,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IAC5D,IAAI,IAAI,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC7E,IAAI,IAAI,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QACtB,IAAI,GAAG;YAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC;;YAC9D,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,QAAQ,CAAC,IAAe;IAC/B,OAAO,CAAC,GAAe,EAAE,KAAiB,EAAE,GAAgB,EAAe,EAAE;QAC3E,MAAM,CAAC,GAAG,CAAC,CAAC;QACZ,MAAM,CAAC,KAAK,CAAC,CAAC;QACd,MAAM,SAAS,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzD,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACrD,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,OAAO;YACL,aAAa;YACb,OAAO,CAAC,SAAqB;gBAC3B,MAAM,CAAC,SAAS,CAAC,CAAC;gBAClB,IAAI,QAAQ;oBAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;gBAC9E,QAAQ,GAAG,IAAI,CAAC;gBAChB,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;YAC/D,CAAC;YACD,OAAO,CAAC,UAAsB;gBAC5B,MAAM,CAAC,UAAU,CAAC,CAAC;gBACnB,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;YAChE,CAAC;SACF,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,wCAAwC;AACxC,MAAM,CAAC,MAAM,GAAG,GAAqD,eAAe,CAAC,CAAC,GAAG,EAAE,CACzF,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;AACxB,wCAAwC;AACxC,MAAM,CAAC,MAAM,GAAG,GAAwD,eAAe,CAAC,CAAC,GAAG,EAAE,CAC5F,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;AACxB,wCAAwC;AACxC,MAAM,CAAC,MAAM,GAAG;AACd,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;AAE/C,gBAAgB;AAChB,uDAAuD;AACvD,kDAAkD;AAClD,sEAAsE;AAEtE,kCAAkC;AAClC,kCAAkC;AAClC,kCAAkC;AAClC,kCAAkC;AAClC,qDAAqD;AACrD,kDAAkD;AAClD,oDAAoD;AAEpD,iBAAiB;AACjB,iDAAiD;AACjD,kCAAkC"}

9
node_modules/@noble/ciphers/ff1.d.ts generated vendored Normal file
View File

@@ -0,0 +1,9 @@
import { type Cipher } from './utils.ts';
/** FPE-FF1 format-preserving encryption */
export declare function FF1(radix: number, key: Uint8Array, tweak?: Uint8Array): {
encrypt(x: number[]): number[];
decrypt(x: number[]): number[];
};
/** Binary version of FPE-FF1 format-preserving encryption. */
export declare function BinaryFF1(key: Uint8Array, tweak?: Uint8Array): Cipher;
//# sourceMappingURL=ff1.d.ts.map

1
node_modules/@noble/ciphers/ff1.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"ff1.d.ts","sourceRoot":"","sources":["src/ff1.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,MAAM,EAA4D,MAAM,YAAY,CAAC;AA0FnG,2CAA2C;AAC3C,wBAAgB,GAAG,CACjB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,UAAU,EACf,KAAK,GAAE,UAAsB,GAC5B;IAAE,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAAC,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAA;CAAE,CAgCpE;AAqBD,8DAA8D;AAC9D,wBAAgB,SAAS,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,GAAE,UAAsB,GAAG,MAAM,CAMhF"}

164
node_modules/@noble/ciphers/ff1.js generated vendored Normal file
View File

@@ -0,0 +1,164 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.FF1 = FF1;
exports.BinaryFF1 = BinaryFF1;
/**
* FPE-FF1 (Format-preserving encryption algorithm) specified in
* [NIST 800-38G](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf).
* @module
*/
const aes_ts_1 = require("./aes.js");
const utils_ts_1 = require("./utils.js");
// NOTE: no point in inlining encrypt instead of encryptBlock, since BigInt stuff will be slow
const { expandKeyLE, encryptBlock } = aes_ts_1.unsafe;
// Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publication 800-38G.
// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf
const BLOCK_LEN = 16;
function mod(a, b) {
const result = a % b;
return result >= 0 ? result : b + result;
}
function NUMradix(radix, data) {
let res = BigInt(0);
for (let i of data)
res = res * BigInt(radix) + BigInt(i);
return res;
}
function getRound(radix, key, tweak, x) {
if (radix > 2 ** 16 - 1)
throw new Error('invalid radix ' + radix);
// radix**minlen ≥ 100
const minLen = Math.ceil(Math.log(100) / Math.log(radix));
const maxLen = 2 ** 32 - 1;
// 2 ≤ minlen ≤ maxlen < 2**32
if (2 > minLen || minLen > maxLen || maxLen >= 2 ** 32)
throw new Error('Invalid radix: 2 ≤ minlen ≤ maxlen < 2**32');
if (!Array.isArray(x))
throw new Error('invalid X');
if (x.length < minLen || x.length > maxLen)
throw new Error('X is outside minLen..maxLen bounds');
const u = Math.floor(x.length / 2);
const v = x.length - u;
const b = Math.ceil(Math.ceil(v * Math.log2(radix)) / 8);
const d = 4 * Math.ceil(b / 4) + 4;
const padding = mod(-tweak.length - b - 1, 16);
// P = [1]1 || [2]1 || [1]1 || [radix]3 || [10]1 || [u mod 256]1 || [n]4 || [t]4.
const P = Uint8Array.from([1, 2, 1, 0, 0, 0, 10, u, 0, 0, 0, 0, 0, 0, 0, 0]);
const view = new DataView(P.buffer);
view.setUint16(4, radix, false);
view.setUint32(8, x.length, false);
view.setUint32(12, tweak.length, false);
// Q = T || [0](tb1) mod 16 || [i]1 || [NUMradix(B)]b.
const PQ = new Uint8Array(P.length + tweak.length + padding + 1 + b);
PQ.set(P);
(0, utils_ts_1.clean)(P);
PQ.set(tweak, P.length);
const xk = expandKeyLE(key);
const round = (A, B, i, decrypt = false) => {
// Q = ... || [i]1 || [NUMradix(B)]b.
PQ[PQ.length - b - 1] = i;
if (b)
PQ.set((0, utils_ts_1.numberToBytesBE)(NUMradix(radix, B), b), PQ.length - b);
// PRF
let r = new Uint8Array(16);
for (let j = 0; j < PQ.length / BLOCK_LEN; j++) {
for (let i = 0; i < BLOCK_LEN; i++)
r[i] ^= PQ[j * BLOCK_LEN + i];
encryptBlock(xk, r);
}
// Let S be the first d bytes of the following string of ⎡d/16⎤ blocks:
// R || CIPHK(R ⊕[1]16) || CIPHK(R ⊕[2]16) ...CIPHK(R ⊕[⎡d / 16⎤ 1]16).
let s = Array.from(r);
for (let j = 1; s.length < d; j++) {
const block = (0, utils_ts_1.numberToBytesBE)(BigInt(j), 16);
for (let k = 0; k < BLOCK_LEN; k++)
block[k] ^= r[k];
s.push(...Array.from(encryptBlock(xk, block)));
}
let y = (0, utils_ts_1.bytesToNumberBE)(Uint8Array.from(s.slice(0, d)));
s.fill(0);
if (decrypt)
y = -y;
const m = i % 2 === 0 ? u : v;
let c = mod(NUMradix(radix, A) + y, BigInt(radix) ** BigInt(m));
// STR(radix, m, c)
const C = Array(m).fill(0);
for (let i = 0; i < m; i++, c /= BigInt(radix))
C[m - 1 - i] = Number(c % BigInt(radix));
A.fill(0);
A = B;
B = C;
return [A, B];
};
const destroy = () => {
(0, utils_ts_1.clean)(xk, PQ);
};
return { u, round, destroy };
}
const EMPTY_BUF = /* @__PURE__ */ Uint8Array.of();
/** FPE-FF1 format-preserving encryption */
function FF1(radix, key, tweak = EMPTY_BUF) {
(0, utils_ts_1.anumber)(radix);
(0, utils_ts_1.abytes)(key);
(0, utils_ts_1.abytes)(tweak);
const PQ = getRound.bind(null, radix, key, tweak);
return {
encrypt(x) {
const { u, round, destroy } = PQ(x);
let [A, B] = [x.slice(0, u), x.slice(u)];
for (let i = 0; i < 10; i++)
[A, B] = round(A, B, i);
destroy();
const res = A.concat(B);
A.fill(0);
B.fill(0);
return res;
},
decrypt(x) {
const { u, round, destroy } = PQ(x);
// The FF1.Decrypt algorithm is similar to the FF1.Encrypt algorithm;
// the differences are in Step 6, where:
// 1) the order of the indices is reversed,
// 2) the roles of A and B are swapped
// 3) modular addition is replaced by modular subtraction, in Step 6vi.
let [B, A] = [x.slice(0, u), x.slice(u)];
for (let i = 9; i >= 0; i--)
[A, B] = round(A, B, i, true);
destroy();
const res = B.concat(A);
A.fill(0);
B.fill(0);
return res;
},
};
}
// Binary string which encodes each byte in little-endian byte order
const binLE = {
encode(bytes) {
const x = [];
for (let i = 0; i < bytes.length; i++) {
for (let j = 0, tmp = bytes[i]; j < 8; j++, tmp >>= 1)
x.push(tmp & 1);
}
return x;
},
decode(b) {
if (!Array.isArray(b) || b.length % 8)
throw new Error('Invalid binary string');
const res = new Uint8Array(b.length / 8);
for (let i = 0, j = 0; i < res.length; i++) {
res[i] = b[j++] | (b[j++] << 1) | (b[j++] << 2) | (b[j++] << 3);
res[i] |= (b[j++] << 4) | (b[j++] << 5) | (b[j++] << 6) | (b[j++] << 7);
}
return res;
},
};
/** Binary version of FPE-FF1 format-preserving encryption. */
function BinaryFF1(key, tweak = EMPTY_BUF) {
const ff1 = FF1(2, key, tweak);
return {
encrypt: (x) => binLE.decode(ff1.encrypt(binLE.encode(x))),
decrypt: (x) => binLE.decode(ff1.decrypt(binLE.encode(x))),
};
}
//# sourceMappingURL=ff1.js.map

1
node_modules/@noble/ciphers/ff1.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

1
node_modules/@noble/ciphers/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1 @@
//# sourceMappingURL=index.d.ts.map

Some files were not shown because too many files have changed in this diff Show More