From 20bea94ab6b91c85b171dcf86baba0a64169d508 Mon Sep 17 00:00:00 2001 From: Giulio Cesare Solaroli Date: Fri, 30 Aug 2013 15:56:53 +0000 Subject: First release of /delta version --- (limited to 'frontend/delta/js/Clipperz/Crypto') diff --git a/frontend/delta/js/Clipperz/Crypto/AES.js b/frontend/delta/js/Clipperz/Crypto/AES.js new file mode 100644 index 0000000..cb56f11 --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/AES.js @@ -0,0 +1,859 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.AES depends on Clipperz.ByteArray!"; +} + +// Dependency commented to avoid a circular reference +//try { if (typeof(Clipperz.Crypto.PRNG) == 'undefined') { throw ""; }} catch (e) { +// throw "Clipperz.Crypto.AES depends on Clipperz.Crypto.PRNG!"; +//} + +if (typeof(Clipperz.Crypto.AES) == 'undefined') { Clipperz.Crypto.AES = {}; } + +//############################################################################# + +Clipperz.Crypto.AES.DeferredExecutionContext = function(args) { + args = args || {}; + + this._key = args.key; + this._message = args.message; + this._result = args.message.clone(); + this._nonce = args.nonce; + this._messageLength = this._message.length(); + + this._messageArray = this._message.arrayValues(); + this._resultArray = this._result.arrayValues(); + this._nonceArray = this._nonce.arrayValues(); + + this._executionStep = 0; + +// this._elaborationChunkSize = 1024; // 4096; // 16384; // 4096; + this._elaborationChunks = 10; + this._pauseTime = 0.02; // 0.02 // 0.2; + + return this; +} + +Clipperz.Crypto.AES.DeferredExecutionContext.prototype = MochiKit.Base.update(null, { + + 'key': function() { + return this._key; + }, + + 'message': function() { + return this._message; + }, + + 'messageLength': function() { + return this._messageLength; + }, + + 'result': function() { + return new Clipperz.ByteArray(this.resultArray()); + }, + + 'nonce': function() { + return this._nonce; + }, + + 'messageArray': function() { + return this._messageArray; + }, + + 'resultArray': function() { + return this._resultArray; + }, + + 'nonceArray': function() { + return this._nonceArray; + }, + + 'elaborationChunkSize': function() { +// return Clipperz.Crypto.AES.DeferredExecution.chunkSize; +// return this._elaborationChunkSize; + return (this._elaborationChunks * 1024); + }, + + 'executionStep': function() { + return this._executionStep; + }, + + 'setExecutionStep': function(aValue) { + this._executionStep = aValue; + }, + + 'tuneExecutionParameters': function (anElapsedTime) { +//var originalChunks = this._elaborationChunks; + if (anElapsedTime > 0) { + this._elaborationChunks = Math.round(this._elaborationChunks * ((anElapsedTime + 1000)/(anElapsedTime * 2))); + } +//Clipperz.log("tuneExecutionParameters - elapsedTime: " + anElapsedTime + /*originalChunks,*/ " chunks # " + this._elaborationChunks + " [" + this._executionStep + " / " + this._messageLength + "]"); + }, + + 'pause': function(aValue) { +// return MochiKit.Async.wait(Clipperz.Crypto.AES.DeferredExecution.pauseTime, aValue); + return MochiKit.Async.wait(this._pauseTime, aValue); + }, + + 'isDone': function () { + return (this._executionStep >= this._messageLength); + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# + +Clipperz.Crypto.AES.Key = function(args) { + args = args || {}; + + this._key = args.key; + this._keySize = args.keySize || this.key().length(); + + if (this.keySize() == 128/8) { + this._b = 176; + this._numberOfRounds = 10; + } else if (this.keySize() == 256/8) { + this._b = 240; + this._numberOfRounds = 14; + } else { + Clipperz.logError("AES unsupported key size: " + (this.keySize() * 8) + " bits"); + throw Clipperz.Crypto.AES.exception.UnsupportedKeySize; + } + + this._stretchedKey = null; + + return this; +} + +Clipperz.Crypto.AES.Key.prototype = MochiKit.Base.update(null, { + + 'asString': function() { + return "Clipperz.Crypto.AES.Key (" + this.key().toHexString() + ")"; + }, + + //----------------------------------------------------------------------------- + + 'key': function() { + return this._key; + }, + + 'keySize': function() { + return this._keySize; + }, + + 'b': function() { + return this._b; + }, + + 'numberOfRounds': function() { + return this._numberOfRounds; + }, + //========================================================================= + + 'keyScheduleCore': function(aWord, aRoundConstantsIndex) { + var result; + var sbox; + + sbox = Clipperz.Crypto.AES.sbox(); + + result = [ sbox[aWord[1]] ^ Clipperz.Crypto.AES.roundConstants()[aRoundConstantsIndex], + sbox[aWord[2]], + sbox[aWord[3]], + sbox[aWord[0]] ]; + + return result; + }, + + //----------------------------------------------------------------------------- + + 'xorWithPreviousStretchValues': function(aKey, aWord, aPreviousWordIndex) { + var result; + var i,c; + + result = []; + c = 4; + for (i=0; i 5 9 13 1 + // 2 6 10 14 10 14 2 6 + // 3 7 11 15 15 3 7 11 + // + '_shiftRowMapping': null, + 'shiftRowMapping': function() { + if (Clipperz.Crypto.AES._shiftRowMapping == null) { + Clipperz.Crypto.AES._shiftRowMapping = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]; + } + + return Clipperz.Crypto.AES._shiftRowMapping; + }, + + //----------------------------------------------------------------------------- + + '_mixColumnsMatrix': null, + 'mixColumnsMatrix': function() { + if (Clipperz.Crypto.AES._mixColumnsMatrix == null) { + Clipperz.Crypto.AES._mixColumnsMatrix = [ [2, 3, 1 ,1], + [1, 2, 3, 1], + [1, 1, 2, 3], + [3, 1, 1, 2] ]; + } + + return Clipperz.Crypto.AES._mixColumnsMatrix; + }, + + '_roundConstants': null, + 'roundConstants': function() { + if (Clipperz.Crypto.AES._roundConstants == null) { + Clipperz.Crypto.AES._roundConstants = [ , 1, 2, 4, 8, 16, 32, 64, 128, 27, 54, 108, 216, 171, 77, 154]; +// Clipperz.Crypto.AES._roundConstants = [ , 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a]; + } + + return Clipperz.Crypto.AES._roundConstants; + }, + + //============================================================================= + + 'incrementNonce': function(aNonce) { +//Clipperz.Profile.start("Clipperz.Crypto.AES.incrementNonce"); + var i; + var done; + + done = false; + i = aNonce.length - 1; + + while ((i>=0) && (done == false)) { + var currentByteValue; + + currentByteValue = aNonce[i]; + + if (currentByteValue == 0xff) { + aNonce[i] = 0; + if (i>= 0) { + i --; + } else { + done = true; + } + } else { + aNonce[i] = currentByteValue + 1; + done = true; + } + } +//Clipperz.Profile.stop("Clipperz.Crypto.AES.incrementNonce"); + }, + + //----------------------------------------------------------------------------- + + 'encryptBlock': function(aKey, aBlock) { + var result; + var state; + + state = new Clipperz.Crypto.AES.State({block:aBlock, key:aKey}); +//is(state.data(), 'before'); + state.encrypt(); + result = state.data(); + + return result; + }, + + //----------------------------------------------------------------------------- + + 'encryptBlocks': function(aKey, aMessage, aNonce) { + var result; + var nonce; + var self; + var messageIndex; + var messageLength; + var blockSize; + + self = Clipperz.Crypto.AES; + blockSize = 128/8; + messageLength = aMessage.length; + nonce = aNonce; + + result = aMessage; + messageIndex = 0; + while (messageIndex < messageLength) { + var encryptedBlock; + var i,c; + + self.incrementNonce(nonce); + encryptedBlock = self.encryptBlock(aKey, nonce); + + if ((messageLength - messageIndex) > blockSize) { + c = blockSize; + } else { + c = messageLength - messageIndex; + } + + for (i=0; i blockSize) { + c = blockSize; + } else { + c = executionLimit - messageIndex; + } + + for (i=0; i 0) { + this._elaborationChunks = Math.round(this._elaborationChunks * ((anElapsedTime + 1000)/(anElapsedTime * 2))); + } +//Clipperz.log("tuneExecutionParameters - elapsedTime: " + anElapsedTime + /*originalChunks,*/ " chunks # " + this._elaborationChunks + " [" + this._executionStep + " / " + this._messageLength + "]"); + }, + + 'pause': function(aValue) { +// return MochiKit.Async.wait(Clipperz.Crypto.AES_2.DeferredExecution.pauseTime, aValue); + return MochiKit.Async.wait(this._pauseTime, aValue); + }, + + 'isDone': function () { + return (this._executionStep >= this._messageLength); + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# + +Clipperz.Crypto.AES_2.Key = function(args) { + args = args || {}; + + this._key = args.key; + this._keySize = args.keySize || this.key().length(); + + if (this.keySize() == 128/8) { + this._b = 176; + this._numberOfRounds = 10; + } else if (this.keySize() == 256/8) { + this._b = 240; + this._numberOfRounds = 14; + } else { + Clipperz.logError("AES unsupported key size: " + (this.keySize() * 8) + " bits"); + throw Clipperz.Crypto.AES_2.exception.UnsupportedKeySize; + } + + this._stretchedKey = null; + + return this; +} + +Clipperz.Crypto.AES_2.Key.prototype = MochiKit.Base.update(null, { + + 'asString': function() { + return "Clipperz.Crypto.AES_2.Key (" + this.key().toHexString() + ")"; + }, + + //----------------------------------------------------------------------------- + + 'key': function() { + return this._key; + }, + + 'keySize': function() { + return this._keySize; + }, + + 'b': function() { + return this._b; + }, + + 'numberOfRounds': function() { + return this._numberOfRounds; + }, + //========================================================================= + + 'keyScheduleCore': function(aWord, aRoundConstantsIndex) { + var result; + var sbox; + + sbox = Clipperz.Crypto.AES_2.sbox(); + + result = [ sbox[aWord[1]] ^ Clipperz.Crypto.AES_2.roundConstants()[aRoundConstantsIndex], + sbox[aWord[2]], + sbox[aWord[3]], + sbox[aWord[0]] ]; + + return result; + }, + + //----------------------------------------------------------------------------- + + 'xorWithPreviousStretchValues': function(aKey, aWord, aPreviousWordIndex) { + var result; + var i,c; + + result = []; + c = 4; + for (i=0; i 5 9 13 1 + // 2 6 10 14 10 14 2 6 + // 3 7 11 15 15 3 7 11 + // + '_shiftRowMapping': null, + 'shiftRowMapping': function() { + if (Clipperz.Crypto.AES_2._shiftRowMapping == null) { + Clipperz.Crypto.AES_2._shiftRowMapping = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]; + } + + return Clipperz.Crypto.AES_2._shiftRowMapping; + }, + + //----------------------------------------------------------------------------- + + '_mixColumnsMatrix': null, + 'mixColumnsMatrix': function() { + if (Clipperz.Crypto.AES_2._mixColumnsMatrix == null) { + Clipperz.Crypto.AES_2._mixColumnsMatrix = [ [2, 3, 1 ,1], + [1, 2, 3, 1], + [1, 1, 2, 3], + [3, 1, 1, 2] ]; + } + + return Clipperz.Crypto.AES_2._mixColumnsMatrix; + }, + + '_roundConstants': null, + 'roundConstants': function() { + if (Clipperz.Crypto.AES_2._roundConstants == null) { + Clipperz.Crypto.AES_2._roundConstants = [ , 1, 2, 4, 8, 16, 32, 64, 128, 27, 54, 108, 216, 171, 77, 154]; +// Clipperz.Crypto.AES_2._roundConstants = [ , 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a]; + } + + return Clipperz.Crypto.AES_2._roundConstants; + }, + + //============================================================================= + + 'incrementNonce': function(nonce) { + var i; + var done; + + done = false; + i = nonce.length - 1; + + while ((i>=0) && (done == false)) { + var currentByteValue; + + currentByteValue = nonce[i]; + + if (currentByteValue == 0xff) { + nonce[i] = 0; + if (i>= 0) { + i --; + } else { + done = true; + } + } else { + nonce[i] = currentByteValue + 1; + done = true; + } + } + }, + + //----------------------------------------------------------------------------- + + 'encryptBlock': function(aKey, aBlock) { + var result; + var state; + + state = new Clipperz.Crypto.AES_2.State({block:aBlock, key:aKey}); +//is(state.data(), 'before'); + state.encrypt(); + result = state.data(); + + return result; + }, + + //----------------------------------------------------------------------------- + + 'encryptBlocks': function(aKey, aMessage, aNonce) { + var result; + var nonce; + var self; + var messageIndex; + var messageLength; + var blockSize; + + self = Clipperz.Crypto.AES_2; + blockSize = 128/8; + messageLength = aMessage.length; + nonce = aNonce; + + result = aMessage; + messageIndex = 0; + while (messageIndex < messageLength) { + var encryptedBlock; + var i,c; + + encryptedBlock = self.encryptBlock(aKey, nonce); + + if ((messageLength - messageIndex) > blockSize) { + c = blockSize; + } else { + c = messageLength - messageIndex; + } + + for (i=0; i blockSize) { + c = blockSize; + } else { + c = executionLimit - messageIndex; + } + + for (i=0; i> 16) + (y >> 16) + (lsw >> 16); + return (msw << 16) | (lsw & 0xFFFF); +} +function S (X, n) {return ( X >>> n ) | (X << (32 - n));} +function R (X, n) {return ( X >>> n );} +function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));} +function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));} +function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));} +function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));} +function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));} +function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));} +function core_sha256 (m, l) { + var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2); + var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19); + var W = new Array(64); + var a, b, c, d, e, f, g, h, i, j; + var T1, T2; + /* append padding */ + m[l >> 5] |= 0x80 << (24 - l % 32); + m[((l + 64 >> 9) << 4) + 15] = l; + for ( var i = 0; i>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32); + return bin; +} +function binb2hex (binarray) { + var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ + var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; + var str = ""; + for (var i = 0; i < binarray.length * 4; i++) { + str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF); + } + return str; +} +function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));} + + + +//############################################################################# +// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (entropy.js) +//############################################################################# + + // Entropy collection utilities + + /* Start by declaring static storage and initialise + the entropy vector from the time we come through + here. */ + + var entropyData = new Array(); // Collected entropy data + var edlen = 0; // Keyboard array data length + + addEntropyTime(); // Start entropy collection with page load time + ce(); // Roll milliseconds into initial entropy + + // Add a byte to the entropy vector + + function addEntropyByte(b) { + entropyData[edlen++] = b; + } + + /* Capture entropy. When the user presses a key or performs + various other events for which we can request + notification, add the time in 255ths of a second to the + entropyData array. The name of the function is short + so it doesn't bloat the form object declarations in + which it appears in various "onXXX" events. */ + + function ce() { + addEntropyByte(Math.floor((((new Date).getMilliseconds()) * 255) / 999)); + } + + // Add a 32 bit quantity to the entropy vector + + function addEntropy32(w) { + var i; + + for (i = 0; i < 4; i++) { + addEntropyByte(w & 0xFF); + w >>= 8; + } + } + + /* Add the current time and date (milliseconds since the epoch, + truncated to 32 bits) to the entropy vector. */ + + function addEntropyTime() { + addEntropy32((new Date()).getTime()); + } + + /* Start collection of entropy from mouse movements. The + argument specifies the number of entropy items to be + obtained from mouse motion, after which mouse motion + will be ignored. Note that you can re-enable mouse + motion collection at any time if not already underway. */ + + var mouseMotionCollect = 0; + var oldMoveHandler; // For saving and restoring mouse move handler in IE4 + + function mouseMotionEntropy(maxsamp) { + if (mouseMotionCollect <= 0) { + mouseMotionCollect = maxsamp; + if ((document.implementation.hasFeature("Events", "2.0")) && + document.addEventListener) { + // Browser supports Document Object Model (DOM) 2 events + document.addEventListener("mousemove", mouseMoveEntropy, false); + } else { + if (document.attachEvent) { + // Internet Explorer 5 and above event model + document.attachEvent("onmousemove", mouseMoveEntropy); + } else { + // Internet Explorer 4 event model + oldMoveHandler = document.onmousemove; + document.onmousemove = mouseMoveEntropy; + } + } +//dump("Mouse enable", mouseMotionCollect); + } + } + + /* Collect entropy from mouse motion events. Note that + this is craftily coded to work with either DOM2 or Internet + Explorer style events. Note that we don't use every successive + mouse movement event. Instead, we XOR the three bytes collected + from the mouse and use that to determine how many subsequent + mouse movements we ignore before capturing the next one. */ + + var mouseEntropyTime = 0; // Delay counter for mouse entropy collection + + function mouseMoveEntropy(e) { + if (!e) { + e = window.event; // Internet Explorer event model + } + if (mouseMotionCollect > 0) { + if (mouseEntropyTime-- <= 0) { + addEntropyByte(e.screenX & 0xFF); + addEntropyByte(e.screenY & 0xFF); + ce(); + mouseMotionCollect--; + mouseEntropyTime = (entropyData[edlen - 3] ^ entropyData[edlen - 2] ^ + entropyData[edlen - 1]) % 19; +//dump("Mouse Move", byteArrayToHex(entropyData.slice(-3))); + } + if (mouseMotionCollect <= 0) { + if (document.removeEventListener) { + document.removeEventListener("mousemove", mouseMoveEntropy, false); + } else if (document.detachEvent) { + document.detachEvent("onmousemove", mouseMoveEntropy); + } else { + document.onmousemove = oldMoveHandler; + } +//dump("Spung!", 0); + } + } + } + + /* Compute a 32 byte key value from the entropy vector. + We compute the value by taking the MD5 sum of the even + and odd bytes respectively of the entropy vector, then + concatenating the two MD5 sums. */ + + function keyFromEntropy() { + var i, k = new Array(32); + + if (edlen == 0) { + alert("Blooie! Entropy vector void at call to keyFromEntropy."); + } +//dump("Entropy bytes", edlen); + + md5_init(); + for (i = 0; i < edlen; i += 2) { + md5_update(entropyData[i]); + } + md5_finish(); + for (i = 0; i < 16; i++) { + k[i] = digestBits[i]; + } + + md5_init(); + for (i = 1; i < edlen; i += 2) { + md5_update(entropyData[i]); + } + md5_finish(); + for (i = 0; i < 16; i++) { + k[i + 16] = digestBits[i]; + } + +//dump("keyFromEntropy", byteArrayToHex(k)); + return k; + } + +//############################################################################# +// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (aesprng.js) +//############################################################################# + + + // AES based pseudorandom number generator + + /* Constructor. Called with an array of 32 byte (0-255) values + containing the initial seed. */ + + function AESprng(seed) { + this.key = new Array(); + this.key = seed; + this.itext = hexToByteArray("9F489613248148F9C27945C6AE62EECA3E3367BB14064E4E6DC67A9F28AB3BD1"); + this.nbytes = 0; // Bytes left in buffer + + this.next = AESprng_next; + this.nextbits = AESprng_nextbits; + this.nextInt = AESprng_nextInt; + this.round = AESprng_round; + + /* Encrypt the initial text with the seed key + three times, feeding the output of the encryption + back into the key for the next round. */ + + bsb = blockSizeInBits; + blockSizeInBits = 256; + var i, ct; + for (i = 0; i < 3; i++) { + this.key = rijndaelEncrypt(this.itext, this.key, "ECB"); + } + + /* Now make between one and four additional + key-feedback rounds, with the number determined + by bits from the result of the first three + rounds. */ + + var n = 1 + (this.key[3] & 2) + (this.key[9] & 1); + for (i = 0; i < n; i++) { + this.key = rijndaelEncrypt(this.itext, this.key, "ECB"); + } + blockSizeInBits = bsb; + } + + function AESprng_round() { + bsb = blockSizeInBits; + blockSizeInBits = 256; + this.key = rijndaelEncrypt(this.itext, this.key, "ECB"); + this.nbytes = 32; + blockSizeInBits = bsb; + } + + // Return next byte from the generator + + function AESprng_next() { + if (this.nbytes <= 0) { + this.round(); + } + return(this.key[--this.nbytes]); + } + + // Return n bit integer value (up to maximum integer size) + + function AESprng_nextbits(n) { + var i, w = 0, nbytes = Math.floor((n + 7) / 8); + + for (i = 0; i < nbytes; i++) { + w = (w << 8) | this.next(); + } + return w & ((1 << n) - 1); + } + + // Return integer between 0 and n inclusive + + function AESprng_nextInt(n) { + var p = 1, nb = 0; + + // Determine smallest p, 2^p > n + // nb = log_2 p + + while (n >= p) { + p <<= 1; + nb++; + } + p--; + + /* Generate values from 0 through n by first generating + values v from 0 to (2^p)-1, then discarding any results v > n. + For the rationale behind this (and why taking + values mod (n + 1) is biased toward smaller values, see + Ferguson and Schneier, "Practical Cryptography", + ISBN 0-471-22357-3, section 10.8). */ + + while (true) { + var v = this.nextbits(nb) & p; + + if (v <= n) { + return v; + } + } + } + +//############################################################################# +// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (md5.js) +//############################################################################# + +/* + * md5.jvs 1.0b 27/06/96 + * + * Javascript implementation of the RSA Data Security, Inc. MD5 + * Message-Digest Algorithm. + * + * Copyright (c) 1996 Henri Torgemane. All Rights Reserved. + * + * Permission to use, copy, modify, and distribute this software + * and its documentation for any purposes and without + * fee is hereby granted provided that this copyright notice + * appears in all copies. + * + * Of course, this soft is provided "as is" without express or implied + * warranty of any kind. + + This version contains some trivial reformatting modifications + by John Walker. + + */ + +function array(n) { + for (i = 0; i < n; i++) { + this[i] = 0; + } + this.length = n; +} + +/* Some basic logical functions had to be rewritten because of a bug in + * Javascript.. Just try to compute 0xffffffff >> 4 with it.. + * Of course, these functions are slower than the original would be, but + * at least, they work! + */ + +function integer(n) { + return n % (0xffffffff + 1); +} + +function shr(a, b) { + a = integer(a); + b = integer(b); + if (a - 0x80000000 >= 0) { + a = a % 0x80000000; + a >>= b; + a += 0x40000000 >> (b - 1); + } else { + a >>= b; + } + return a; +} + +function shl1(a) { + a = a % 0x80000000; + if (a & 0x40000000 == 0x40000000) { + a -= 0x40000000; + a *= 2; + a += 0x80000000; + } else { + a *= 2; + } + return a; +} + +function shl(a, b) { + a = integer(a); + b = integer(b); + for (var i = 0; i < b; i++) { + a = shl1(a); + } + return a; +} + +function and(a, b) { + a = integer(a); + b = integer(b); + var t1 = a - 0x80000000; + var t2 = b - 0x80000000; + if (t1 >= 0) { + if (t2 >= 0) { + return ((t1 & t2) + 0x80000000); + } else { + return (t1 & b); + } + } else { + if (t2 >= 0) { + return (a & t2); + } else { + return (a & b); + } + } +} + +function or(a, b) { + a = integer(a); + b = integer(b); + var t1 = a - 0x80000000; + var t2 = b - 0x80000000; + if (t1 >= 0) { + if (t2 >= 0) { + return ((t1 | t2) + 0x80000000); + } else { + return ((t1 | b) + 0x80000000); + } + } else { + if (t2 >= 0) { + return ((a | t2) + 0x80000000); + } else { + return (a | b); + } + } +} + +function xor(a, b) { + a = integer(a); + b = integer(b); + var t1 = a - 0x80000000; + var t2 = b - 0x80000000; + if (t1 >= 0) { + if (t2 >= 0) { + return (t1 ^ t2); + } else { + return ((t1 ^ b) + 0x80000000); + } + } else { + if (t2 >= 0) { + return ((a ^ t2) + 0x80000000); + } else { + return (a ^ b); + } + } +} + +function not(a) { + a = integer(a); + return 0xffffffff - a; +} + +/* Here begin the real algorithm */ + +var state = new array(4); +var count = new array(2); + count[0] = 0; + count[1] = 0; +var buffer = new array(64); +var transformBuffer = new array(16); +var digestBits = new array(16); + +var S11 = 7; +var S12 = 12; +var S13 = 17; +var S14 = 22; +var S21 = 5; +var S22 = 9; +var S23 = 14; +var S24 = 20; +var S31 = 4; +var S32 = 11; +var S33 = 16; +var S34 = 23; +var S41 = 6; +var S42 = 10; +var S43 = 15; +var S44 = 21; + +function F(x, y, z) { + return or(and(x, y), and(not(x), z)); +} + +function G(x, y, z) { + return or(and(x, z), and(y, not(z))); +} + +function H(x, y, z) { + return xor(xor(x, y), z); +} + +function I(x, y, z) { + return xor(y ,or(x , not(z))); +} + +function rotateLeft(a, n) { + return or(shl(a, n), (shr(a, (32 - n)))); +} + +function FF(a, b, c, d, x, s, ac) { + a = a + F(b, c, d) + x + ac; + a = rotateLeft(a, s); + a = a + b; + return a; +} + +function GG(a, b, c, d, x, s, ac) { + a = a + G(b, c, d) + x + ac; + a = rotateLeft(a, s); + a = a + b; + return a; +} + +function HH(a, b, c, d, x, s, ac) { + a = a + H(b, c, d) + x + ac; + a = rotateLeft(a, s); + a = a + b; + return a; +} + +function II(a, b, c, d, x, s, ac) { + a = a + I(b, c, d) + x + ac; + a = rotateLeft(a, s); + a = a + b; + return a; +} + +function transform(buf, offset) { + var a = 0, b = 0, c = 0, d = 0; + var x = transformBuffer; + + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + + for (i = 0; i < 16; i++) { + x[i] = and(buf[i * 4 + offset], 0xFF); + for (j = 1; j < 4; j++) { + x[i] += shl(and(buf[i * 4 + j + offset] ,0xFF), j * 8); + } + } + + /* Round 1 */ + a = FF( a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ + d = FF( d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ + c = FF( c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ + b = FF( b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ + a = FF( a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ + d = FF( d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ + c = FF( c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ + b = FF( b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ + a = FF( a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ + d = FF( d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ + c = FF( c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ + b = FF( b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ + a = FF( a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ + d = FF( d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ + c = FF( c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ + b = FF( b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ + + /* Round 2 */ + a = GG( a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ + d = GG( d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ + c = GG( c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ + b = GG( b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ + a = GG( a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ + d = GG( d, a, b, c, x[10], S22, 0x2441453); /* 22 */ + c = GG( c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ + b = GG( b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ + a = GG( a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ + d = GG( d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ + c = GG( c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ + b = GG( b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ + a = GG( a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ + d = GG( d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ + c = GG( c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ + b = GG( b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ + + /* Round 3 */ + a = HH( a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ + d = HH( d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ + c = HH( c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ + b = HH( b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ + a = HH( a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ + d = HH( d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ + c = HH( c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ + b = HH( b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ + a = HH( a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ + d = HH( d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ + c = HH( c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ + b = HH( b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ + a = HH( a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ + d = HH( d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ + c = HH( c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ + b = HH( b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ + + /* Round 4 */ + a = II( a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ + d = II( d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ + c = II( c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ + b = II( b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ + a = II( a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ + d = II( d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ + c = II( c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ + b = II( b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ + a = II( a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ + d = II( d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ + c = II( c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ + b = II( b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ + a = II( a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ + d = II( d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ + c = II( c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ + b = II( b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + +} + +function md5_init() { + count[0] = count[1] = 0; + state[0] = 0x67452301; + state[1] = 0xefcdab89; + state[2] = 0x98badcfe; + state[3] = 0x10325476; + for (i = 0; i < digestBits.length; i++) { + digestBits[i] = 0; + } +} + +function md5_update(b) { + var index, i; + + index = and(shr(count[0],3) , 0x3F); + if (count[0] < 0xFFFFFFFF - 7) { + count[0] += 8; + } else { + count[1]++; + count[0] -= 0xFFFFFFFF + 1; + count[0] += 8; + } + buffer[index] = and(b, 0xff); + if (index >= 63) { + transform(buffer, 0); + } +} + +function md5_finish() { + var bits = new array(8); + var padding; + var i = 0, index = 0, padLen = 0; + + for (i = 0; i < 4; i++) { + bits[i] = and(shr(count[0], (i * 8)), 0xFF); + } + for (i = 0; i < 4; i++) { + bits[i + 4] = and(shr(count[1], (i * 8)), 0xFF); + } + index = and(shr(count[0], 3), 0x3F); + padLen = (index < 56) ? (56 - index) : (120 - index); + padding = new array(64); + padding[0] = 0x80; + for (i = 0; i < padLen; i++) { + md5_update(padding[i]); + } + for (i = 0; i < 8; i++) { + md5_update(bits[i]); + } + + for (i = 0; i < 4; i++) { + for (j = 0; j < 4; j++) { + digestBits[i * 4 + j] = and(shr(state[i], (j * 8)) , 0xFF); + } + } +} + +/* End of the MD5 algorithm */ + +//############################################################################# +// Downloaded on March 30, 2006 from http://www.fourmilab.ch/javascrypt/javascrypt.zip (aes.js) +//############################################################################# + + +/* rijndael.js Rijndael Reference Implementation + + This is a modified version of the software described below, + produced in September 2003 by John Walker for use in the + JavsScrypt browser-based encryption package. The principal + changes are replacing the original getRandomBytes function with + one which calls our pseudorandom generator (which must + be instantiated and seeded before the first call on getRandomBytes), + and changing keySizeInBits to 256. Some code not required by the + JavsScrypt application has been commented out. Please see + http://www.fourmilab.ch/javascrypt/ for further information on + JavaScrypt. + + The following is the original copyright and application + information. + + Copyright (c) 2001 Fritz Schneider + + This software is provided as-is, without express or implied warranty. + Permission to use, copy, modify, distribute or sell this software, with or + without fee, for any purpose and by any individual or organization, is hereby + granted, provided that the above copyright notice and this paragraph appear + in all copies. Distribution as a part of an application or binary must + include the above copyright notice in the documentation and/or other materials + provided with the application or distribution. + + As the above disclaimer notes, you are free to use this code however you + want. However, I would request that you send me an email + (fritz /at/ cs /dot/ ucsd /dot/ edu) to say hi if you find this code useful + or instructional. Seeing that people are using the code acts as + encouragement for me to continue development. If you *really* want to thank + me you can buy the book I wrote with Thomas Powell, _JavaScript: + _The_Complete_Reference_ :) + + This code is an UNOPTIMIZED REFERENCE implementation of Rijndael. + If there is sufficient interest I can write an optimized (word-based, + table-driven) version, although you might want to consider using a + compiled language if speed is critical to your application. As it stands, + one run of the monte carlo test (10,000 encryptions) can take up to + several minutes, depending upon your processor. You shouldn't expect more + than a few kilobytes per second in throughput. + + Also note that there is very little error checking in these functions. + Doing proper error checking is always a good idea, but the ideal + implementation (using the instanceof operator and exceptions) requires + IE5+/NS6+, and I've chosen to implement this code so that it is compatible + with IE4/NS4. + + And finally, because JavaScript doesn't have an explicit byte/char data + type (although JavaScript 2.0 most likely will), when I refer to "byte" + in this code I generally mean "32 bit integer with value in the interval + [0,255]" which I treat as a byte. + + See http://www-cse.ucsd.edu/~fritz/rijndael.html for more documentation + of the (very simple) API provided by this code. + + Fritz Schneider + fritz at cs.ucsd.edu + +*/ + + +// Rijndael parameters -- Valid values are 128, 192, or 256 + +var keySizeInBits = 256; +var blockSizeInBits = 128; + +// +// Note: in the following code the two dimensional arrays are indexed as +// you would probably expect, as array[row][column]. The state arrays +// are 2d arrays of the form state[4][Nb]. + + +// The number of rounds for the cipher, indexed by [Nk][Nb] +var roundsArray = [ ,,,,[,,,,10,, 12,, 14],, + [,,,,12,, 12,, 14],, + [,,,,14,, 14,, 14] ]; + +// The number of bytes to shift by in shiftRow, indexed by [Nb][row] +var shiftOffsets = [ ,,,,[,1, 2, 3],,[,1, 2, 3],,[,1, 3, 4] ]; + +// The round constants used in subkey expansion +var Rcon = [ +0x01, 0x02, 0x04, 0x08, 0x10, 0x20, +0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, +0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, +0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, +0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ]; + +// Precomputed lookup table for the SBox +var SBox = [ + 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, +118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, +114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, +216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, +235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, +179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, +190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, +249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, +188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, +23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, +144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, + 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, +141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, + 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, +181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, +248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, +140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, + 22 ]; + +// Precomputed lookup table for the inverse SBox +var SBoxInverse = [ + 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, +251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, +233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, +250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, +109, 139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, +204, 93, 101, 182, 146, 108, 112, 72, 80, 253, 237, 185, 218, 94, 21, + 70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140, 188, 211, 10, 247, +228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2, +193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220, +234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116, 34, 231, 173, + 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29, + 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75, +198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168, + 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81, +127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160, +224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, + 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, +125 ]; + +// This method circularly shifts the array left by the number of elements +// given in its parameter. It returns the resulting array and is used for +// the ShiftRow step. Note that shift() and push() could be used for a more +// elegant solution, but they require IE5.5+, so I chose to do it manually. + +function cyclicShiftLeft(theArray, positions) { + var temp = theArray.slice(0, positions); + theArray = theArray.slice(positions).concat(temp); + return theArray; +} + +// Cipher parameters ... do not change these +var Nk = keySizeInBits / 32; +var Nb = blockSizeInBits / 32; +var Nr = roundsArray[Nk][Nb]; + +// Multiplies the element "poly" of GF(2^8) by x. See the Rijndael spec. + +function xtime(poly) { + poly <<= 1; + return ((poly & 0x100) ? (poly ^ 0x11B) : (poly)); +} + +// Multiplies the two elements of GF(2^8) together and returns the result. +// See the Rijndael spec, but should be straightforward: for each power of +// the indeterminant that has a 1 coefficient in x, add y times that power +// to the result. x and y should be bytes representing elements of GF(2^8) + +function mult_GF256(x, y) { + var bit, result = 0; + + for (bit = 1; bit < 256; bit *= 2, y = xtime(y)) { + if (x & bit) + result ^= y; + } + return result; +} + +// Performs the substitution step of the cipher. State is the 2d array of +// state information (see spec) and direction is string indicating whether +// we are performing the forward substitution ("encrypt") or inverse +// substitution (anything else) + +function byteSub(state, direction) { + var S; + if (direction == "encrypt") // Point S to the SBox we're using + S = SBox; + else + S = SBoxInverse; + for (var i = 0; i < 4; i++) // Substitute for every byte in state + for (var j = 0; j < Nb; j++) + state[i][j] = S[state[i][j]]; +} + +// Performs the row shifting step of the cipher. + +function shiftRow(state, direction) { + for (var i=1; i<4; i++) // Row 0 never shifts + if (direction == "encrypt") + state[i] = cyclicShiftLeft(state[i], shiftOffsets[Nb][i]); + else + state[i] = cyclicShiftLeft(state[i], Nb - shiftOffsets[Nb][i]); + +} + +// Performs the column mixing step of the cipher. Most of these steps can +// be combined into table lookups on 32bit values (at least for encryption) +// to greatly increase the speed. + +function mixColumn(state, direction) { + var b = []; // Result of matrix multiplications + for (var j = 0; j < Nb; j++) { // Go through each column... + for (var i = 0; i < 4; i++) { // and for each row in the column... + if (direction == "encrypt") + b[i] = mult_GF256(state[i][j], 2) ^ // perform mixing + mult_GF256(state[(i+1)%4][j], 3) ^ + state[(i+2)%4][j] ^ + state[(i+3)%4][j]; + else + b[i] = mult_GF256(state[i][j], 0xE) ^ + mult_GF256(state[(i+1)%4][j], 0xB) ^ + mult_GF256(state[(i+2)%4][j], 0xD) ^ + mult_GF256(state[(i+3)%4][j], 9); + } + for (var i = 0; i < 4; i++) // Place result back into column + state[i][j] = b[i]; + } +} + +// Adds the current round key to the state information. Straightforward. + +function addRoundKey(state, roundKey) { + for (var j = 0; j < Nb; j++) { // Step through columns... + state[0][j] ^= (roundKey[j] & 0xFF); // and XOR + state[1][j] ^= ((roundKey[j]>>8) & 0xFF); + state[2][j] ^= ((roundKey[j]>>16) & 0xFF); + state[3][j] ^= ((roundKey[j]>>24) & 0xFF); + } +} + +// This function creates the expanded key from the input (128/192/256-bit) +// key. The parameter key is an array of bytes holding the value of the key. +// The returned value is an array whose elements are the 32-bit words that +// make up the expanded key. + +function keyExpansion(key) { + var expandedKey = new Array(); + var temp; + + // in case the key size or parameters were changed... + Nk = keySizeInBits / 32; + Nb = blockSizeInBits / 32; + Nr = roundsArray[Nk][Nb]; + + for (var j=0; j < Nk; j++) // Fill in input key first + expandedKey[j] = + (key[4*j]) | (key[4*j+1]<<8) | (key[4*j+2]<<16) | (key[4*j+3]<<24); + + // Now walk down the rest of the array filling in expanded key bytes as + // per Rijndael's spec + for (j = Nk; j < Nb * (Nr + 1); j++) { // For each word of expanded key + temp = expandedKey[j - 1]; + if (j % Nk == 0) + temp = ( (SBox[(temp>>8) & 0xFF]) | + (SBox[(temp>>16) & 0xFF]<<8) | + (SBox[(temp>>24) & 0xFF]<<16) | + (SBox[temp & 0xFF]<<24) ) ^ Rcon[Math.floor(j / Nk) - 1]; + else if (Nk > 6 && j % Nk == 4) + temp = (SBox[(temp>>24) & 0xFF]<<24) | + (SBox[(temp>>16) & 0xFF]<<16) | + (SBox[(temp>>8) & 0xFF]<<8) | + (SBox[temp & 0xFF]); + expandedKey[j] = expandedKey[j-Nk] ^ temp; + } + return expandedKey; +} + +// Rijndael's round functions... + +function Round(state, roundKey) { + byteSub(state, "encrypt"); + shiftRow(state, "encrypt"); + mixColumn(state, "encrypt"); + addRoundKey(state, roundKey); +} + +function InverseRound(state, roundKey) { + addRoundKey(state, roundKey); + mixColumn(state, "decrypt"); + shiftRow(state, "decrypt"); + byteSub(state, "decrypt"); +} + +function FinalRound(state, roundKey) { + byteSub(state, "encrypt"); + shiftRow(state, "encrypt"); + addRoundKey(state, roundKey); +} + +function InverseFinalRound(state, roundKey){ + addRoundKey(state, roundKey); + shiftRow(state, "decrypt"); + byteSub(state, "decrypt"); +} + +// encrypt is the basic encryption function. It takes parameters +// block, an array of bytes representing a plaintext block, and expandedKey, +// an array of words representing the expanded key previously returned by +// keyExpansion(). The ciphertext block is returned as an array of bytes. + +function encrypt(block, expandedKey) { + var i; + if (!block || block.length*8 != blockSizeInBits) + return; + if (!expandedKey) + return; + + block = packBytes(block); + addRoundKey(block, expandedKey); + for (i=1; i0; i--) + InverseRound(block, expandedKey.slice(Nb*i, Nb*(i+1))); + addRoundKey(block, expandedKey); + return unpackBytes(block); +} + +/* !NEEDED +// This method takes a byte array (byteArray) and converts it to a string by +// applying String.fromCharCode() to each value and concatenating the result. +// The resulting string is returned. Note that this function SKIPS zero bytes +// under the assumption that they are padding added in formatPlaintext(). +// Obviously, do not invoke this method on raw data that can contain zero +// bytes. It is really only appropriate for printable ASCII/Latin-1 +// values. Roll your own function for more robust functionality :) + +function byteArrayToString(byteArray) { + var result = ""; + for(var i=0; i "10ff". The function returns a +// string. + +function byteArrayToHex(byteArray) { + var result = ""; + if (!byteArray) + return; + for (var i=0; i [16, 255]. This +// function returns an array. + +function hexToByteArray(hexString) { + var byteArray = []; + if (hexString.length % 2) // must have even length + return; + if (hexString.indexOf("0x") == 0 || hexString.indexOf("0X") == 0) + hexString = hexString.substring(2); + for (var i = 0; i 0) { +//alert("adding " + (bpb - 1) + " bytes"); +// plaintext = plaintext.concat(getRandomBytes(bpb - i)); + { + var paddingBytes; + var ii,cc; + + paddingBytes = new Array(); + cc = bpb - i; + for (ii=0; ii0; block--) { + aBlock = + decrypt(ciphertext.slice(block*bpb,(block+1)*bpb), expandedKey); + if (mode == "CBC") + for (var i=0; i= 0x80) && (c <= 0x7FF)) { + // 0x80 - 0x7FF: Output as two byte code, 0xC0 in first byte + // 0x80 in second byte + utf8 += String.fromCharCode((c >> 6) | 0xC0); + utf8 += String.fromCharCode((c & 0x3F) | 0x80); + } else { + // 0x800 - 0xFFFF: Output as three bytes, 0xE0 in first byte + // 0x80 in second byte + // 0x80 in third byte + utf8 += String.fromCharCode((c >> 12) | 0xE0); + utf8 += String.fromCharCode(((c >> 6) & 0x3F) | 0x80); + utf8 += String.fromCharCode((c & 0x3F) | 0x80); + } + } + return utf8; + } + + // UTF8_TO_UNICODE -- Decode UTF-8 argument into Unicode string return value + + function utf8_to_unicode(utf8) { + var s = "", i = 0, b1, b2, b2; + + while (i < utf8.length) { + b1 = utf8.charCodeAt(i); + if (b1 < 0x80) { // One byte code: 0x00 0x7F + s += String.fromCharCode(b1); + i++; + } else if((b1 >= 0xC0) && (b1 < 0xE0)) { // Two byte code: 0x80 - 0x7FF + b2 = utf8.charCodeAt(i + 1); + s += String.fromCharCode(((b1 & 0x1F) << 6) | (b2 & 0x3F)); + i += 2; + } else { // Three byte code: 0x800 - 0xFFFF + b2 = utf8.charCodeAt(i + 1); + b3 = utf8.charCodeAt(i + 2); + s += String.fromCharCode(((b1 & 0xF) << 12) | + ((b2 & 0x3F) << 6) | + (b3 & 0x3F)); + i += 3; + } + } + return s; + } + + /* ENCODE_UTF8 -- Encode string as UTF8 only if it contains + a character of 0x9D (Unicode OPERATING + SYSTEM COMMAND) or a character greater + than 0xFF. This permits all strings + consisting exclusively of 8 bit + graphic characters to be encoded as + themselves. We choose 0x9D as the sentinel + character as opposed to one of the more + logical PRIVATE USE characters because 0x9D + is not overloaded by the regrettable + "Windows-1252" character set. Now such characters + don't belong in JavaScript strings, but you never + know what somebody is going to paste into a + text box, so this choice keeps Windows-encoded + strings from bloating to UTF-8 encoding. */ + + function encode_utf8(s) { + var i, necessary = false; + + for (i = 0; i < s.length; i++) { + if ((s.charCodeAt(i) == 0x9D) || + (s.charCodeAt(i) > 0xFF)) { + necessary = true; + break; + } + } + if (!necessary) { + return s; + } + return String.fromCharCode(0x9D) + unicode_to_utf8(s); + } + + /* DECODE_UTF8 -- Decode a string encoded with encode_utf8 + above. If the string begins with the + sentinel character 0x9D (OPERATING + SYSTEM COMMAND), then we decode the + balance as a UTF-8 stream. Otherwise, + the string is output unchanged, as + it's guaranteed to contain only 8 bit + characters excluding 0x9D. */ + + function decode_utf8(s) { + if ((s.length > 0) && (s.charCodeAt(0) == 0x9D)) { + return utf8_to_unicode(s.substring(1)); + } + return s; + } + + +//############################################################################# +// Downloaded on April 26, 2006 from http://pajhome.org.uk/crypt/md5/md5.js +//############################################################################# + +/* + * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message + * Digest Algorithm, as defined in RFC 1321. + * Version 2.1 Copyright (C) Paul Johnston 1999 - 2002. + * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet + * Distributed under the BSD License + * See http://pajhome.org.uk/crypt/md5 for more info. + */ + +/* + * Configurable variables. You may need to tweak these to be compatible with + * the server-side, but the defaults work in most cases. + */ +var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ +var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */ +var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */ + +/* + * These are the functions you'll usually want to call + * They take string arguments and return either hex or base-64 encoded strings + */ +function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));} +function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));} +function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));} +function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); } +function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); } +function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); } + +/* + * Perform a simple self-test to see if the VM is working + */ +function md5_vm_test() +{ + return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; +} + +/* + * Calculate the MD5 of an array of little-endian words, and a bit length + */ +function core_md5(x, len) +{ + /* append padding */ + x[len >> 5] |= 0x80 << ((len) % 32); + x[(((len + 64) >>> 9) << 4) + 14] = len; + + var a = 1732584193; + var b = -271733879; + var c = -1732584194; + var d = 271733878; + + for(var i = 0; i < x.length; i += 16) + { + var olda = a; + var oldb = b; + var oldc = c; + var oldd = d; + + a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936); + d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586); + c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819); + b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330); + a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897); + d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426); + c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341); + b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983); + a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416); + d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417); + c = md5_ff(c, d, a, b, x[i+10], 17, -42063); + b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162); + a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682); + d = md5_ff(d, a, b, c, x[i+13], 12, -40341101); + c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290); + b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329); + + a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510); + d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632); + c = md5_gg(c, d, a, b, x[i+11], 14, 643717713); + b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302); + a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691); + d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083); + c = md5_gg(c, d, a, b, x[i+15], 14, -660478335); + b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848); + a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438); + d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690); + c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961); + b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501); + a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467); + d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784); + c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473); + b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734); + + a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558); + d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463); + c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562); + b = md5_hh(b, c, d, a, x[i+14], 23, -35309556); + a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060); + d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353); + c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632); + b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640); + a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174); + d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222); + c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979); + b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189); + a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487); + d = md5_hh(d, a, b, c, x[i+12], 11, -421815835); + c = md5_hh(c, d, a, b, x[i+15], 16, 530742520); + b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651); + + a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844); + d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415); + c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905); + b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055); + a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571); + d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606); + c = md5_ii(c, d, a, b, x[i+10], 15, -1051523); + b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799); + a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359); + d = md5_ii(d, a, b, c, x[i+15], 10, -30611744); + c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380); + b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649); + a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070); + d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379); + c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259); + b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551); + + a = safe_add(a, olda); + b = safe_add(b, oldb); + c = safe_add(c, oldc); + d = safe_add(d, oldd); + } + return Array(a, b, c, d); + +} + +/* + * These functions implement the four basic operations the algorithm uses. + */ +function md5_cmn(q, a, b, x, s, t) +{ + return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b); +} +function md5_ff(a, b, c, d, x, s, t) +{ + return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t); +} +function md5_gg(a, b, c, d, x, s, t) +{ + return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t); +} +function md5_hh(a, b, c, d, x, s, t) +{ + return md5_cmn(b ^ c ^ d, a, b, x, s, t); +} +function md5_ii(a, b, c, d, x, s, t) +{ + return md5_cmn(c ^ (b | (~d)), a, b, x, s, t); +} + +/* + * Calculate the HMAC-MD5, of a key and some data + */ +function core_hmac_md5(key, data) +{ + var bkey = str2binl(key); + if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz); + + var ipad = Array(16), opad = Array(16); + for(var i = 0; i < 16; i++) + { + ipad[i] = bkey[i] ^ 0x36363636; + opad[i] = bkey[i] ^ 0x5C5C5C5C; + } + + var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz); + return core_md5(opad.concat(hash), 512 + 128); +} + +/* + * Add integers, wrapping at 2^32. This uses 16-bit operations internally + * to work around bugs in some JS interpreters. + */ +function safe_add(x, y) +{ + var lsw = (x & 0xFFFF) + (y & 0xFFFF); + var msw = (x >> 16) + (y >> 16) + (lsw >> 16); + return (msw << 16) | (lsw & 0xFFFF); +} + +/* + * Bitwise rotate a 32-bit number to the left. + */ +function bit_rol(num, cnt) +{ + return (num << cnt) | (num >>> (32 - cnt)); +} + +/* + * Convert a string to an array of little-endian words + * If chrsz is ASCII, characters >255 have their hi-byte silently ignored. + */ +function str2binl(str) +{ + var bin = Array(); + var mask = (1 << chrsz) - 1; + for(var i = 0; i < str.length * chrsz; i += chrsz) + bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32); + return bin; +} + +/* + * Convert an array of little-endian words to a string + */ +function binl2str(bin) +{ + var str = ""; + var mask = (1 << chrsz) - 1; + for(var i = 0; i < bin.length * 32; i += chrsz) + str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask); + return str; +} + +/* + * Convert an array of little-endian words to a hex string. + */ +function binl2hex(binarray) +{ + var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; + var str = ""; + for(var i = 0; i < binarray.length * 4; i++) + { + str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + + hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF); + } + return str; +} + +/* + * Convert an array of little-endian words to a base-64 string + */ +function binl2b64(binarray) +{ + var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + var str = ""; + for(var i = 0; i < binarray.length * 4; i += 3) + { + var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16) + | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 ) + | ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF); + for(var j = 0; j < 4; j++) + { + if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; + else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); + } + } + return str; +} + + +//############################################################################# +//############################################################################# +//############################################################################# + + + +MochiKit.Base.update(Clipperz.Crypto.Base, { + + '__repr__': function () { + return "[" + this.NAME + " " + this.VERSION + "]"; + }, + + 'toString': function () { + return this.__repr__(); + }, + + //----------------------------------------------------------------------------- + + 'encryptUsingSecretKey': function (aKey, aMessage) { +//Clipperz.Profile.start("Clipperz.Crypto.Base.encryptUsingSecretKey"); + var result; + var plaintext; + var header; + var key; + + key = hexToByteArray(Clipperz.Crypto.Base.computeHashValue(aKey)); + + addEntropyTime(); + prng = new AESprng(keyFromEntropy()); + + plaintext = encode_utf8(aMessage); + + header = Clipperz.Base.byteArrayToString(hexToByteArray(Clipperz.Crypto.Base.computeMD5HashValue(plaintext))); + + // Add message length in bytes to header + i = plaintext.length; + header += String.fromCharCode(i >>> 24); + header += String.fromCharCode(i >>> 16); + header += String.fromCharCode(i >>> 8); + header += String.fromCharCode(i & 0xFF); + + // The format of the actual message passed to rijndaelEncrypt + // is: + // + // Bytes Content + // 0-15 MD5 signature of plaintext + // 16-19 Length of plaintext, big-endian order + // 20-end Plaintext + // + // Note that this message will be padded with zero bytes + // to an integral number of AES blocks (blockSizeInBits / 8). + // This does not include the initial vector for CBC + // encryption, which is added internally by rijndaelEncrypt. + result = byteArrayToHex(rijndaelEncrypt(header + plaintext, key, "CBC")); + + delete prng; + +//Clipperz.Profile.stop("Clipperz.Crypto.Base.encryptUsingSecretKey"); + return result; + }, + + //............................................................................. + + 'decryptUsingSecretKey': function (aKey, aMessage) { +//Clipperz.Profile.start("Clipperz.Crypto.Base.decryptUsingSecretKey"); + var key; + var decryptedText; + var textLength; + var header; + var headerDigest; + var plaintext; + var i; + + key = hexToByteArray(Clipperz.Crypto.Base.computeHashValue(aKey)); + + decryptedText = rijndaelDecrypt(hexToByteArray(aMessage), key, "CBC"); + + header = decryptedText.slice(0, 20); + decryptedText = decryptedText.slice(20); + + headerDigest = byteArrayToHex(header.slice(0,16)); + textLength = (header[16] << 24) | (header[17] << 16) | (header[18] << 8) | header[19]; + + if ((textLength < 0) || (textLength > decryptedText.length)) { +// jslog.warning("Message (length " + decryptedText.length + ") truncated. " + textLength + " characters expected."); + // Try to sauve qui peut by setting length to entire message + textLength = decryptedText.length; + } + + plainText = ""; + + for (i=0; iy? (x and y are nonnegative bigInts) +// function greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y? +// function isZero(x) //is the bigInt x equal to zero? +// function millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)? +// function modInt(x,n) //return x mod n for bigInt x and integer n. +// function negative(x) //is bigInt x negative? +// +// The following functions do not modify their inputs, but allocate memory and call functions with underscores +// +// function add(x,y) //return (x+y) for bigInts x and y. +// function addInt(x,n) //return (x+n) where x is a bigInt and n is an integer. +// function expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed +// function inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null +// function mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n. +// function mult(x,y) //return x*y for bigInts x and y. This is faster when y=1. +// function randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb. +// function squareMod_(x,n) //do x=x*x mod n for bigInts x,n +// function sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement. +// function subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement. +// +// The following functions are based on algorithms from the _Handbook of Applied Cryptography_ +// powMod_() = algorithm 14.94, Montgomery exponentiation +// eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_ +// GCD_() = algorothm 14.57, Lehmer's algorithm +// mont_() = algorithm 14.36, Montgomery multiplication +// divide_() = algorithm 14.20 Multiple-precision division +// squareMod_() = algorithm 14.16 Multiple-precision squaring +// randTruePrime_() = algorithm 4.62, Maurer's algorithm +// millerRabin() = algorithm 4.24, Miller-Rabin algorithm +// +// Profiling shows: +// randTruePrime_() spends: +// 10% of its time in calls to powMod_() +// 85% of its time in calls to millerRabin() +// millerRabin() spends: +// 99% of its time in calls to powMod_() (always with a base of 2) +// powMod_() spends: +// 94% of its time in calls to mont_() (almost always with x==y) +// +// This suggests there are several ways to speed up this library slightly: +// - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window) +// -- this should especially focus on being fast when raising 2 to a power mod n +// - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test +// - tune the parameters in randTruePrime_(), including c, m, and recLimit +// - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking +// within the loop when all the parameters are the same length. +// +// There are several ideas that look like they wouldn't help much at all: +// - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway) +// - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32) +// - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square +// followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that +// method would be slower. This is unfortunate because the code currently spends almost all of its time +// doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring +// would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded +// sentences that seem to imply it's faster to do a non-modular square followed by a single +// Montgomery reduction, but that's obviously wrong. +//////////////////////////////////////////////////////////////////////////////////////// + +//globals +bpe=0; //bits stored per array element +mask=0; //AND this with an array element to chop it down to bpe bits +radix=mask+1; //equals 2^bpe. A single 1 bit to the left of the last bit of mask. + +//the digits for converting to different bases +digitsStr='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-'; + +//initialize the global variables +for (bpe=0; (1<<(bpe+1)) > (1<>=1; //bpe=number of bits in one element of the array representing the bigInt +mask=(1<0); j--); + for (z=0,w=x[j]; w; (w>>=1),z++); + z+=bpe*j; + return z; +} + +//return a copy of x with at least n elements, adding leading zeros if needed +function expand(x,n) { + var ans=int2bigInt(0,(x.length>n ? x.length : n)*bpe,0); + copy_(ans,x); + return ans; +} + +//return a k-bit true random prime using Maurer's algorithm. +function randTruePrime(k) { + var ans=int2bigInt(0,k,0); + randTruePrime_(ans,k); + return trim(ans,1); +} + +//return a new bigInt equal to (x mod n) for bigInts x and n. +function mod(x,n) { + var ans=dup(x); + mod_(ans,n); + return trim(ans,1); +} + +//return (x+n) where x is a bigInt and n is an integer. +function addInt(x,n) { + var ans=expand(x,x.length+1); + addInt_(ans,n); + return trim(ans,1); +} + +//return x*y for bigInts x and y. This is faster when yy.length ? x.length+1 : y.length+1)); + sub_(ans,y); + return trim(ans,1); +} + +//return (x+y) for bigInts x and y. +function add(x,y) { + var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1)); + add_(ans,y); + return trim(ans,1); +} + +//return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null +function inverseMod(x,n) { + var ans=expand(x,n.length); + var s; + s=inverseMod_(ans,n); + return s ? trim(ans,1) : null; +} + +//return (x*y mod n) for bigInts x,y,n. For greater speed, let y>1))-1; //pm is binary number with all ones, just over sqrt(2^k) + copyInt_(ans,0); + for (dd=1;dd;) { + dd=0; + ans[0]= 1 | (1<<(k-1)) | Math.floor(Math.random()*(1<2*m) //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits + for (r=1; k-k*r<=m; ) + r=pows[Math.floor(Math.random()*512)]; //r=Math.pow(2,Math.random()-1); + else + r=.5; + + //simulation suggests the more complex algorithm using r=.333 is only slightly faster. + + recSize=Math.floor(r*k)+1; + + randTruePrime_(s_q,recSize); + copyInt_(s_i2,0); + s_i2[Math.floor((k-2)/bpe)] |= (1<<((k-2)%bpe)); //s_i2=2^(k-2) + divide_(s_i2,s_q,s_i,s_rm); //s_i=floor((2^(k-1))/(2q)) + + z=bitSize(s_i); + + for (;;) { + for (;;) { //generate z-bit numbers until one falls in the range [0,s_i-1] + randBigInt_(s_R,z,0); + if (greater(s_i,s_R)) + break; + } //now s_R is in the range [0,s_i-1] + addInt_(s_R,1); //now s_R is in the range [1,s_i] + add_(s_R,s_i); //now s_R is in the range [s_i+1,2*s_i] + + copy_(s_n,s_q); + mult_(s_n,s_R); + multInt_(s_n,2); + addInt_(s_n,1); //s_n=2*s_R*s_q+1 + + copy_(s_r2,s_R); + multInt_(s_r2,2); //s_r2=2*s_R + + //check s_n for divisibility by small primes up to B + for (divisible=0,j=0; (j0); j--); //strip leading zeros + for (zz=0,w=s_n[j]; w; (w>>=1),zz++); + zz+=bpe*j; //zz=number of bits in s_n, ignoring leading zeros + for (;;) { //generate z-bit numbers until one falls in the range [0,s_n-1] + randBigInt_(s_a,zz,0); + if (greater(s_n,s_a)) + break; + } //now s_a is in the range [0,s_n-1] + addInt_(s_n,3); //now s_a is in the range [0,s_n-4] + addInt_(s_a,2); //now s_a is in the range [2,s_n-2] + copy_(s_b,s_a); + copy_(s_n1,s_n); + addInt_(s_n1,-1); + powMod_(s_b,s_n1,s_n); //s_b=s_a^(s_n-1) modulo s_n + addInt_(s_b,-1); + if (isZero(s_b)) { + copy_(s_b,s_a); + powMod_(s_b,s_r2,s_n); + addInt_(s_b,-1); + copy_(s_aa,s_n); + copy_(s_d,s_b); + GCD_(s_d,s_n); //if s_b and s_n are relatively prime, then s_n is a prime + if (equalsInt(s_d,1)) { + copy_(ans,s_aa); + return; //if we've made it this far, then s_n is absolutely guaranteed to be prime + } + } + } + } +} + +//set b to an n-bit random BigInt. If s=1, then nth bit (most significant bit) is set to 1. +//array b must be big enough to hold the result. Must have n>=1 +function randBigInt_(b,n,s) { + var i,a; + for (i=0;i=0;i--); //find most significant element of x + xp=x[i]; + yp=y[i]; + A=1; B=0; C=0; D=1; + while ((yp+C) && (yp+D)) { + q =Math.floor((xp+A)/(yp+C)); + qp=Math.floor((xp+B)/(yp+D)); + if (q!=qp) + break; + t= A-q*C; A=C; C=t; // do (A,B,xp, C,D,yp) = (C,D,yp, A,B,xp) - q*(0,0,0, C,D,yp) + t= B-q*D; B=D; D=t; + t=xp-q*yp; xp=yp; yp=t; + } + if (B) { + copy_(T,x); + linComb_(x,y,A,B); //x=A*x+B*y + linComb_(y,T,D,C); //y=D*y+C*T + } else { + mod_(x,y); + copy_(T,x); + copy_(x,y); + copy_(y,T); + } + } + if (y[0]==0) + return; + t=modInt(x,y[0]); + copyInt_(x,y[0]); + y[0]=t; + while (y[0]) { + x[0]%=y[0]; + t=x[0]; x[0]=y[0]; y[0]=t; + } +} + +//do x=x**(-1) mod n, for bigInts x and n. +//If no inverse exists, it sets x to zero and returns 0, else it returns 1. +//The x array must be at least as large as the n array. +function inverseMod_(x,n) { + var k=1+2*Math.max(x.length,n.length); + + if(!(x[0]&1) && !(n[0]&1)) { //if both inputs are even, then inverse doesn't exist + copyInt_(x,0); + return 0; + } + + if (eg_u.length!=k) { + eg_u=new Array(k); + eg_v=new Array(k); + eg_A=new Array(k); + eg_B=new Array(k); + eg_C=new Array(k); + eg_D=new Array(k); + } + + copy_(eg_u,x); + copy_(eg_v,n); + copyInt_(eg_A,1); + copyInt_(eg_B,0); + copyInt_(eg_C,0); + copyInt_(eg_D,1); + for (;;) { + while(!(eg_u[0]&1)) { //while eg_u is even + halve_(eg_u); + if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if eg_A==eg_B==0 mod 2 + halve_(eg_A); + halve_(eg_B); + } else { + add_(eg_A,n); halve_(eg_A); + sub_(eg_B,x); halve_(eg_B); + } + } + + while (!(eg_v[0]&1)) { //while eg_v is even + halve_(eg_v); + if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if eg_C==eg_D==0 mod 2 + halve_(eg_C); + halve_(eg_D); + } else { + add_(eg_C,n); halve_(eg_C); + sub_(eg_D,x); halve_(eg_D); + } + } + + if (!greater(eg_v,eg_u)) { //eg_v <= eg_u + sub_(eg_u,eg_v); + sub_(eg_A,eg_C); + sub_(eg_B,eg_D); + } else { //eg_v > eg_u + sub_(eg_v,eg_u); + sub_(eg_C,eg_A); + sub_(eg_D,eg_B); + } + + if (equalsInt(eg_u,0)) { + if (negative(eg_C)) //make sure answer is nonnegative + add_(eg_C,n); + copy_(x,eg_C); + + if (!equalsInt(eg_v,1)) { //if GCD_(x,n)!=1, then there is no inverse + copyInt_(x,0); + return 0; + } + return 1; + } + } +} + +//return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse +function inverseModInt_(x,n) { + var a=1,b=0,t; + for (;;) { + if (x==1) return a; + if (x==0) return 0; + b-=a*Math.floor(n/x); + n%=x; + + if (n==1) return b; //to avoid negatives, change this b to n-b, and each -= to += + if (n==0) return 0; + a-=b*Math.floor(x/n); + x%=n; + } +} + +//Given positive bigInts x and y, change the bigints v, a, and b to positive bigInts such that: +// v = GCD_(x,y) = a*x-b*y +//The bigInts v, a, b, must have exactly as many elements as the larger of x and y. +function eGCD_(x,y,v,a,b) { + var g=0; + var k=Math.max(x.length,y.length); + if (eg_u.length!=k) { + eg_u=new Array(k); + eg_A=new Array(k); + eg_B=new Array(k); + eg_C=new Array(k); + eg_D=new Array(k); + } + while(!(x[0]&1) && !(y[0]&1)) { //while x and y both even + halve_(x); + halve_(y); + g++; + } + copy_(eg_u,x); + copy_(v,y); + copyInt_(eg_A,1); + copyInt_(eg_B,0); + copyInt_(eg_C,0); + copyInt_(eg_D,1); + for (;;) { + while(!(eg_u[0]&1)) { //while u is even + halve_(eg_u); + if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if A==B==0 mod 2 + halve_(eg_A); + halve_(eg_B); + } else { + add_(eg_A,y); halve_(eg_A); + sub_(eg_B,x); halve_(eg_B); + } + } + + while (!(v[0]&1)) { //while v is even + halve_(v); + if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if C==D==0 mod 2 + halve_(eg_C); + halve_(eg_D); + } else { + add_(eg_C,y); halve_(eg_C); + sub_(eg_D,x); halve_(eg_D); + } + } + + if (!greater(v,eg_u)) { //v<=u + sub_(eg_u,v); + sub_(eg_A,eg_C); + sub_(eg_B,eg_D); + } else { //v>u + sub_(v,eg_u); + sub_(eg_C,eg_A); + sub_(eg_D,eg_B); + } + if (equalsInt(eg_u,0)) { + if (negative(eg_C)) { //make sure a (C)is nonnegative + add_(eg_C,y); + sub_(eg_D,x); + } + multInt_(eg_D,-1); ///make sure b (D) is nonnegative + copy_(a,eg_C); + copy_(b,eg_D); + leftShift_(v,g); + return; + } + } +} + + +//is bigInt x negative? +function negative(x) { + return ((x[x.length-1]>>(bpe-1))&1); +} + + +//is (x << (shift*bpe)) > y? +//x and y are nonnegative bigInts +//shift is a nonnegative integer +function greaterShift(x,y,shift) { + var kx=x.length, ky=y.length; + k=((kx+shift)=0; i++) + if (x[i]>0) + return 1; //if there are nonzeros in x to the left of the first column of y, then x is bigger + for (i=kx-1+shift; i0) + return 0; //if there are nonzeros in y to the left of the first column of x, then x is not bigger + for (i=k-1; i>=shift; i--) + if (x[i-shift]>y[i]) return 1; + else if (x[i-shift] y? (x and y both nonnegative) +function greater(x,y) { + var i; + var k=(x.length=0;i--) + if (x[i]>y[i]) + return 1; + else if (x[i]ky;kx--); + + //normalize: ensure the most significant element of y has its highest bit set + b=y[ky-1]; + for (a=0; b; a++) + b>>=1; + a=bpe-a; //a is how many bits to shift so that the high order bit of y is leftmost in its array element + leftShift_(y,a); //multiply both by 1<=ky; i--) { + if (r[i]==y[ky-1]) + q[i-ky]=mask; + else + q[i-ky]=Math.floor((r[i]*radix+r[i-1])/y[ky-1]); + + //The following for(;;) loop is equivalent to the commented while loop, + //except that the uncommented version avoids overflow. + //The commented loop comes from HAC, which assumes r[-1]==y[-1]==0 + // while (q[i-ky]*(y[ky-1]*radix+y[ky-2]) > r[i]*radix*radix+r[i-1]*radix+r[i-2]) + // q[i-ky]--; + for (;;) { + y2=(ky>1 ? y[ky-2] : 0)*q[i-ky]; + c=y2>>bpe; + y2=y2 & mask; + y1=c+q[i-ky]*y[ky-1]; + c=y1>>bpe; + y1=y1 & mask; + + if (c==r[i] ? y1==r[i-1] ? y2>(i>1 ? r[i-2] : 0) : y1>r[i-1] : c>r[i]) + q[i-ky]--; + else + break; + } + + linCombShift_(r,y,-q[i-ky],i-ky); //r=r-q[i-ky]*leftShift_(y,i-ky) + if (negative(r)) { + addShift_(r,y,i-ky); //r=r+leftShift_(y,i-ky) + q[i-ky]--; + } + } + + rightShift_(y,a); //undo the normalization step + rightShift_(r,a); //undo the normalization step +} + +//do carries and borrows so each element of the bigInt x fits in bpe bits. +function carry_(x) { + var i,k,c,b; + k=x.length; + c=0; + for (i=0;i>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + } +} + +//return x mod n for bigInt x and integer n. +function modInt(x,n) { + var i,c=0; + for (i=x.length-1; i>=0; i--) + c=(c*radix+x[i])%n; + return c; +} + +//convert the integer t into a bigInt with at least the given number of bits. +//the returned array stores the bigInt in bpe-bit chunks, little endian (buff[0] is least significant word) +//Pad the array with leading zeros so that it has at least minSize elements. +//There will always be at least one leading 0 element. +function int2bigInt(t,bits,minSize) { + var i,k; + k=Math.ceil(bits/bpe)+1; + k=minSize>k ? minSize : k; + buff=new Array(k); + copyInt_(buff,t); + return buff; +} + +//return the bigInt given a string representation in a given base. +//Pad the array with leading zeros so that it has at least minSize elements. +//If base=-1, then it reads in a space-separated list of array elements in decimal. +//The array will always have at least one leading zero, unless base=-1. +function str2bigInt(s,base,minSize) { + var d, i, j, x, y, kk; + var k=s.length; + if (base==-1) { //comma-separated list of array elements in decimal + x=new Array(0); + for (;;) { + y=new Array(x.length+1); + for (i=0;i=36) //convert lowercase to uppercase if base<=36 + d-=26; + if (d=0) { //ignore illegal characters + multInt_(x,base); + addInt_(x,d); + } + } + + for (k=x.length;k>0 && !x[k-1];k--); //strip off leading zeros + k=minSize>k+1 ? minSize : k+1; + y=new Array(k); + kk=ky.length) { + for (;i0;i--) + s+=x[i]+','; + s+=x[0]; + } + else { //return it in the given base + while (!isZero(s6)) { + t=divInt_(s6,base); //t=s6 % base; s6=floor(s6/base); + s=digitsStr.substring(t,t+1)+s; + } + } + if (s.length==0) + s="0"; + return s; +} + +//returns a duplicate of bigInt x +function dup(x) { + var i; + buff=new Array(x.length); + copy_(buff,x); + return buff; +} + +//do x=y on bigInts x and y. x must be an array at least as big as y (not counting the leading zeros in y). +function copy_(x,y) { + var i; + var k=x.length>=bpe; + } +} + +//do x=x+n where x is a bigInt and n is an integer. +//x must be large enough to hold the result. +function addInt_(x,n) { + var i,k,c,b; + x[0]+=n; + k=x.length; + c=0; + for (i=0;i>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + if (!c) return; //stop carrying as soon as the carry_ is zero + } +} + +//right shift bigInt x by n bits. 0 <= n < bpe. +function rightShift_(x,n) { + var i; + var k=Math.floor(n/bpe); + if (k) { + for (i=0;i>n)); + } + x[i]>>=n; +} + +//do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement +function halve_(x) { + var i; + for (i=0;i>1)); + } + x[i]=(x[i]>>1) | (x[i] & (radix>>1)); //most significant bit stays the same +} + +//left shift bigInt x by n bits. +function leftShift_(x,n) { + var i; + var k=Math.floor(n/bpe); + if (k) { + for (i=x.length; i>=k; i--) //left shift x by k elements + x[i]=x[i-k]; + for (;i>=0;i--) + x[i]=0; + n%=bpe; + } + if (!n) + return; + for (i=x.length-1;i>0;i--) { + x[i]=mask & ((x[i]<>(bpe-n))); + } + x[i]=mask & (x[i]<>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + } +} + +//do x=floor(x/n) for bigInt x and integer n, and return the remainder +function divInt_(x,n) { + var i,r=0,s; + for (i=x.length-1;i>=0;i--) { + s=r*radix+x[i]; + x[i]=Math.floor(s/n); + r=s%n; + } + return r; +} + +//do the linear combination x=a*x+b*y for bigInts x and y, and integers a and b. +//x must be large enough to hold the answer. +function linComb_(x,y,a,b) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;i>=bpe; + } +} + +//do the linear combination x=a*x+b*(y<<(ys*bpe)) for bigInts x and y, and integers a, b and ys. +//x must be large enough to hold the answer. +function linCombShift_(x,y,b,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x+(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys. +//x must be large enough to hold the answer. +function addShift_(x,y,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x-(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys. +//x must be large enough to hold the answer. +function subShift_(x,y,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x-y for bigInts x and y. +//x must be large enough to hold the answer. +//negative answers will be 2s complement +function sub_(x,y) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x+y for bigInts x and y. +//x must be large enough to hold the answer. +function add_(x,y) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x*y for bigInts x and y. This is faster when y0 && !x[kx-1]; kx--); //ignore leading zeros in x + k=kx>n.length ? 2*kx : 2*n.length; //k=# elements in the product, which is twice the elements in the larger of x and n + if (s0.length!=k) + s0=new Array(k); + copyInt_(s0,0); + for (i=0;i>=bpe; + for (j=i+1;j>=bpe; + } + s0[i+kx]=c; + } + mod_(s0,n); + copy_(x,s0); +} + +//return x with exactly k leading zero elements +function trim(x,k) { + var i,y; + for (i=x.length; i>0 && !x[i-1]; i--); + y=new Array(i+k); + copy_(y,x); + return y; +} + +//do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation. 0**0=1. +//this is faster when n is odd. x usually needs to have as many elements as n. +function powMod_(x,y,n) { + var k1,k2,kn,np; + if(s7.length!=n.length) + s7=dup(n); + + //for even modulus, use a simple square-and-multiply algorithm, + //rather than using the more complex Montgomery algorithm. + if ((n[0]&1)==0) { + copy_(s7,x); + copyInt_(x,1); + while(!equalsInt(y,0)) { + if (y[0]&1) + multMod_(x,s7,n); + divInt_(y,2); + squareMod_(s7,n); + } + return; + } + + //calculate np from n for the Montgomery multiplications + copyInt_(s7,0); + for (kn=n.length;kn>0 && !n[kn-1];kn--); + np=radix-inverseModInt_(modInt(n,radix),radix); + s7[kn]=1; + multMod_(x ,s7,n); // x = x * 2**(kn*bp) mod n + + if (s3.length!=x.length) + s3=dup(x); + else + copy_(s3,x); + + for (k1=y.length-1;k1>0 & !y[k1]; k1--); //k1=first nonzero element of y + if (y[k1]==0) { //anything to the 0th power is 1 + copyInt_(x,1); + return; + } + for (k2=1<<(bpe-1);k2 && !(y[k1] & k2); k2>>=1); //k2=position of first 1 bit in y[k1] + for (;;) { + if (!(k2>>=1)) { //look at next bit of y + k1--; + if (k1<0) { + mont_(x,one,n,np); + return; + } + k2=1<<(bpe-1); + } + mont_(x,x,n,np); + + if (k2 & y[k1]) //if next bit is a 1 + mont_(x,s3,n,np); + } +} + +//do x=x*y*Ri mod n for bigInts x,y,n, +// where Ri = 2**(-kn*bpe) mod n, and kn is the +// number of elements in the n array, not +// counting leading zeros. +//x must be large enough to hold the answer. +//It's OK if x and y are the same variable. +//must have: +// x,y < n +// n is odd +// np = -(n^(-1)) mod radix +function mont_(x,y,n,np) { + var i,j,c,ui,t; + var kn=n.length; + var ky=y.length; + + if (sa.length!=kn) + sa=new Array(kn); + + for (;kn>0 && n[kn-1]==0;kn--); //ignore leading zeros of n + //this function sometimes gives wrong answers when the next line is uncommented + //for (;ky>0 && y[ky-1]==0;ky--); //ignore leading zeros of y + + copyInt_(sa,0); + + //the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large keys + for (i=0; i> bpe; + t=x[i]; + + //do sa=(sa+x[i]*y+ui*n)/b where b=2**bpe + for (j=1;j>=bpe; + } + for (;j>=bpe; + } + sa[j-1]=c & mask; + } + + if (!greater(n,sa)) + sub_(sa,n); + copy_(x,sa); +} + + + + +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# + + + + + +//############################################################################# + +Clipperz.Crypto.BigInt = function (aValue, aBase) { + var base; + var value; + + if (typeof(aValue) == 'object') { + this._internalValue = aValue; + } else { + if (typeof(aValue) == 'undefined') { + value = "0"; + } else { + value = aValue + ""; + } + + if (typeof(aBase) == 'undefined') { + base = 10; + } else { + base = aBase; + } + + this._internalValue = str2bigInt(value, base, 1, 1); + } + + return this; +} + +//============================================================================= + +MochiKit.Base.update(Clipperz.Crypto.BigInt.prototype, { + + 'clone': function() { + return new Clipperz.Crypto.BigInt(this.internalValue()); + }, + + //------------------------------------------------------------------------- + + 'internalValue': function () { + return this._internalValue; + }, + + //------------------------------------------------------------------------- + + 'isBigInt': true, + + //------------------------------------------------------------------------- + + 'toString': function(aBase) { + return this.asString(aBase); + }, + + //------------------------------------------------------------------------- + + 'asString': function (aBase, minimumLength) { + var result; + var base; + + if (typeof(aBase) == 'undefined') { + base = 10; + } else { + base = aBase; + } + + result = bigInt2str(this.internalValue(), base).toLowerCase(); + + if ((typeof(minimumLength) != 'undefined') && (result.length < minimumLength)) { + var i, c; + c = (minimumLength - result.length); + for (i=0; i 0) { + leftShift_(internalResult, bitsLeftToShift); + } + result = new Clipperz.Crypto.BigInt(internalResult); + + return result; + }, + + //------------------------------------------------------------------------- + + 'bitSize': function() { + return bitSize(this.internalValue()); + }, + + //------------------------------------------------------------------------- + + 'isBitSet': function(aBitPosition) { + var result; + + if (this.asByteArray().bitAtIndex(aBitPosition) == 0) { + result = false; + } else { + result = true; + }; + + return result; + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# + +Clipperz.Crypto.BigInt.randomPrime = function(aBitSize) { + return new Clipperz.Crypto.BigInt(randTruePrime(aBitSize)); +} + +//############################################################################# +//############################################################################# + +Clipperz.Crypto.BigInt.ZERO = new Clipperz.Crypto.BigInt(0); + +//############################################################################# + +Clipperz.Crypto.BigInt.equals = function(a, b) { + return a.equals(b); +} + +Clipperz.Crypto.BigInt.add = function(a, b) { + return a.add(b); +} + +Clipperz.Crypto.BigInt.subtract = function(a, b) { + return a.subtract(b); +} + +Clipperz.Crypto.BigInt.multiply = function(a, b, module) { + return a.multiply(b, module); +} + +Clipperz.Crypto.BigInt.module = function(a, module) { + return a.module(module); +} + +Clipperz.Crypto.BigInt.powerModule = function(a, b, module) { + return a.powerModule(b, module); +} + +Clipperz.Crypto.BigInt.exception = { + UnknownType: new MochiKit.Base.NamedError("Clipperz.Crypto.BigInt.exception.UnknownType") +} diff --git a/frontend/delta/js/Clipperz/Crypto/BigInt_scoped.js b/frontend/delta/js/Clipperz/Crypto/BigInt_scoped.js new file mode 100644 index 0000000..bc60330 --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/BigInt_scoped.js @@ -0,0 +1,1644 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +if (typeof(Clipperz) == 'undefined') { Clipperz = {}; } +if (typeof(Clipperz.Crypto) == 'undefined') { Clipperz.Crypto = {}; } + +if (typeof(Leemon) == 'undefined') { Leemon = {}; } +if (typeof(Baird.Crypto) == 'undefined') { Baird.Crypto = {}; } +if (typeof(Baird.Crypto.BigInt) == 'undefined') { Baird.Crypto.BigInt = {}; } + + +//############################################################################# +// Downloaded on March 05, 2007 from http://www.leemon.com/crypto/BigInt.js +//############################################################################# + +//////////////////////////////////////////////////////////////////////////////////////// +// Big Integer Library v. 5.0 +// Created 2000, last modified 2006 +// Leemon Baird +// www.leemon.com +// +// This file is public domain. You can use it for any purpose without restriction. +// I do not guarantee that it is correct, so use it at your own risk. If you use +// it for something interesting, I'd appreciate hearing about it. If you find +// any bugs or make any improvements, I'd appreciate hearing about those too. +// It would also be nice if my name and address were left in the comments. +// But none of that is required. +// +// This code defines a bigInt library for arbitrary-precision integers. +// A bigInt is an array of integers storing the value in chunks of bpe bits, +// little endian (buff[0] is the least significant word). +// Negative bigInts are stored two's complement. +// Some functions assume their parameters have at least one leading zero element. +// Functions with an underscore at the end of the name have unpredictable behavior in case of overflow, +// so the caller must make sure overflow won't happen. +// For each function where a parameter is modified, that same +// variable must not be used as another argument too. +// So, you cannot square x by doing multMod_(x,x,n). +// You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n). +// +// These functions are designed to avoid frequent dynamic memory allocation in the inner loop. +// For most functions, if it needs a BigInt as a local variable it will actually use +// a global, and will only allocate to it when it's not the right size. This ensures +// that when a function is called repeatedly with same-sized parameters, it only allocates +// memory on the first call. +// +// Note that for cryptographic purposes, the calls to Math.random() must +// be replaced with calls to a better pseudorandom number generator. +// +// In the following, "bigInt" means a bigInt with at least one leading zero element, +// and "integer" means a nonnegative integer less than radix. In some cases, integer +// can be negative. Negative bigInts are 2s complement. +// +// The following functions do not modify their inputs, but dynamically allocate memory every time they are called: +// +// function bigInt2str(x,base) //convert a bigInt into a string in a given base, from base 2 up to base 95 +// function dup(x) //returns a copy of bigInt x +// function findPrimes(n) //return array of all primes less than integer n +// function int2bigInt(t,n,m) //convert integer t to a bigInt with at least n bits and m array elements +// function str2bigInt(s,b,n,m) //convert string s in base b to a bigInt with at least n bits and m array elements +// function trim(x,k) //return a copy of x with exactly k leading zero elements +// +// The following functions do not modify their inputs, so there is never a problem with the result being too big: +// +// function bitSize(x) //returns how many bits long the bigInt x is, not counting leading zeros +// function equals(x,y) //is the bigInt x equal to the bigint y? +// function equalsInt(x,y) //is bigint x equal to integer y? +// function greater(x,y) //is x>y? (x and y are nonnegative bigInts) +// function greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y? +// function isZero(x) //is the bigInt x equal to zero? +// function millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)? +// function modInt(x,n) //return x mod n for bigInt x and integer n. +// function negative(x) //is bigInt x negative? +// +// The following functions do not modify their inputs, but allocate memory and call functions with underscores +// +// function add(x,y) //return (x+y) for bigInts x and y. +// function addInt(x,n) //return (x+n) where x is a bigInt and n is an integer. +// function expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed +// function inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null +// function mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n. +// function mult(x,y) //return x*y for bigInts x and y. This is faster when y=1. +// function randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb. +// function squareMod_(x,n) //do x=x*x mod n for bigInts x,n +// function sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement. +// function subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement. +// +// The following functions are based on algorithms from the _Handbook of Applied Cryptography_ +// powMod_() = algorithm 14.94, Montgomery exponentiation +// eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_ +// GCD_() = algorothm 14.57, Lehmer's algorithm +// mont_() = algorithm 14.36, Montgomery multiplication +// divide_() = algorithm 14.20 Multiple-precision division +// squareMod_() = algorithm 14.16 Multiple-precision squaring +// randTruePrime_() = algorithm 4.62, Maurer's algorithm +// millerRabin() = algorithm 4.24, Miller-Rabin algorithm +// +// Profiling shows: +// randTruePrime_() spends: +// 10% of its time in calls to powMod_() +// 85% of its time in calls to millerRabin() +// millerRabin() spends: +// 99% of its time in calls to powMod_() (always with a base of 2) +// powMod_() spends: +// 94% of its time in calls to mont_() (almost always with x==y) +// +// This suggests there are several ways to speed up this library slightly: +// - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window) +// -- this should especially focus on being fast when raising 2 to a power mod n +// - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test +// - tune the parameters in randTruePrime_(), including c, m, and recLimit +// - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking +// within the loop when all the parameters are the same length. +// +// There are several ideas that look like they wouldn't help much at all: +// - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway) +// - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32) +// - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square +// followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that +// method would be slower. This is unfortunate because the code currently spends almost all of its time +// doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring +// would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded +// sentences that seem to imply it's faster to do a non-modular square followed by a single +// Montgomery reduction, but that's obviously wrong. +//////////////////////////////////////////////////////////////////////////////////////// + +// +// The whole library has been moved into the Baird.Crypto.BigInt scope by Giulio Cesare Solaroli +// +Baird.Crypto.BigInt.VERSION = "5.0"; +Baird.Crypto.BigInt.NAME = "Baird.Crypto.BigInt"; + +MochiKit.Base.update(Baird.Crypto.BigInt, { + //globals + 'bpe': 0, //bits stored per array element + 'mask': 0, //AND this with an array element to chop it down to bpe bits + 'radix': Baird.Crypto.BigInt.mask + 1, //equals 2^bpe. A single 1 bit to the left of the last bit of mask. + + //the digits for converting to different bases + 'digitsStr': '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-', + +//initialize the global variables +for (bpe=0; (1<<(bpe+1)) > (1<>=1; //bpe=number of bits in one element of the array representing the bigInt +mask=(1<0); j--); + for (z=0,w=x[j]; w; (w>>=1),z++); + z+=bpe*j; + return z; + }, + + //return a copy of x with at least n elements, adding leading zeros if needed + 'expand': function(x,n) { + var ans=int2bigInt(0,(x.length>n ? x.length : n)*bpe,0); + copy_(ans,x); + return ans; + }, + + //return a k-bit true random prime using Maurer's algorithm. + 'randTruePrime': function(k) { + var ans=int2bigInt(0,k,0); + randTruePrime_(ans,k); + return trim(ans,1); + }, + + //return a new bigInt equal to (x mod n) for bigInts x and n. + 'mod': function(x,n) { + var ans=dup(x); + mod_(ans,n); + return trim(ans,1); + }, + + //return (x+n) where x is a bigInt and n is an integer. + 'addInt': function(x,n) { + var ans=expand(x,x.length+1); + addInt_(ans,n); + return trim(ans,1); + }, + + //return x*y for bigInts x and y. This is faster when yy.length ? x.length+1 : y.length+1)); + sub_(ans,y); + return trim(ans,1); + }, + + //return (x+y) for bigInts x and y. + 'add': function(x,y) { + var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1)); + add_(ans,y); + return trim(ans,1); + }, + + //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null + 'inverseMod': function(x,n) { + var ans=expand(x,n.length); + var s; + s=inverseMod_(ans,n); + return s ? trim(ans,1) : null; + }, + + //return (x*y mod n) for bigInts x,y,n. For greater speed, let y>1))-1; //pm is binary number with all ones, just over sqrt(2^k) + copyInt_(ans,0); + for (dd=1;dd;) { + dd=0; + ans[0]= 1 | (1<<(k-1)) | Math.floor(Math.random()*(1<2*m) //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits + for (r=1; k-k*r<=m; ) + r=pows[Math.floor(Math.random()*512)]; //r=Math.pow(2,Math.random()-1); + else + r=.5; + + //simulation suggests the more complex algorithm using r=.333 is only slightly faster. + + recSize=Math.floor(r*k)+1; + + randTruePrime_(s_q,recSize); + copyInt_(s_i2,0); + s_i2[Math.floor((k-2)/bpe)] |= (1<<((k-2)%bpe)); //s_i2=2^(k-2) + divide_(s_i2,s_q,s_i,s_rm); //s_i=floor((2^(k-1))/(2q)) + + z=bitSize(s_i); + + for (;;) { + for (;;) { //generate z-bit numbers until one falls in the range [0,s_i-1] + randBigInt_(s_R,z,0); + if (greater(s_i,s_R)) + break; + } //now s_R is in the range [0,s_i-1] + addInt_(s_R,1); //now s_R is in the range [1,s_i] + add_(s_R,s_i); //now s_R is in the range [s_i+1,2*s_i] + + copy_(s_n,s_q); + mult_(s_n,s_R); + multInt_(s_n,2); + addInt_(s_n,1); //s_n=2*s_R*s_q+1 + + copy_(s_r2,s_R); + multInt_(s_r2,2); //s_r2=2*s_R + + //check s_n for divisibility by small primes up to B + for (divisible=0,j=0; (j0); j--); //strip leading zeros + for (zz=0,w=s_n[j]; w; (w>>=1),zz++); + zz+=bpe*j; //zz=number of bits in s_n, ignoring leading zeros + for (;;) { //generate z-bit numbers until one falls in the range [0,s_n-1] + randBigInt_(s_a,zz,0); + if (greater(s_n,s_a)) + break; + } //now s_a is in the range [0,s_n-1] + addInt_(s_n,3); //now s_a is in the range [0,s_n-4] + addInt_(s_a,2); //now s_a is in the range [2,s_n-2] + copy_(s_b,s_a); + copy_(s_n1,s_n); + addInt_(s_n1,-1); + powMod_(s_b,s_n1,s_n); //s_b=s_a^(s_n-1) modulo s_n + addInt_(s_b,-1); + if (isZero(s_b)) { + copy_(s_b,s_a); + powMod_(s_b,s_r2,s_n); + addInt_(s_b,-1); + copy_(s_aa,s_n); + copy_(s_d,s_b); + GCD_(s_d,s_n); //if s_b and s_n are relatively prime, then s_n is a prime + if (equalsInt(s_d,1)) { + copy_(ans,s_aa); + return; //if we've made it this far, then s_n is absolutely guaranteed to be prime + } + } + } + } + }, + + //set b to an n-bit random BigInt. If s=1, then nth bit (most significant bit) is set to 1. + //array b must be big enough to hold the result. Must have n>=1 + 'randBigInt_': function(b,n,s) { + var i,a; + for (i=0;i=0;i--); //find most significant element of x + xp=x[i]; + yp=y[i]; + A=1; B=0; C=0; D=1; + while ((yp+C) && (yp+D)) { + q =Math.floor((xp+A)/(yp+C)); + qp=Math.floor((xp+B)/(yp+D)); + if (q!=qp) + break; + t= A-q*C; A=C; C=t; // do (A,B,xp, C,D,yp) = (C,D,yp, A,B,xp) - q*(0,0,0, C,D,yp) + t= B-q*D; B=D; D=t; + t=xp-q*yp; xp=yp; yp=t; + } + if (B) { + copy_(T,x); + linComb_(x,y,A,B); //x=A*x+B*y + linComb_(y,T,D,C); //y=D*y+C*T + } else { + mod_(x,y); + copy_(T,x); + copy_(x,y); + copy_(y,T); + } + } + if (y[0]==0) + return; + t=modInt(x,y[0]); + copyInt_(x,y[0]); + y[0]=t; + while (y[0]) { + x[0]%=y[0]; + t=x[0]; x[0]=y[0]; y[0]=t; + } + }, + +//do x=x**(-1) mod n, for bigInts x and n. +//If no inverse exists, it sets x to zero and returns 0, else it returns 1. +//The x array must be at least as large as the n array. +function inverseMod_(x,n) { + var k=1+2*Math.max(x.length,n.length); + + if(!(x[0]&1) && !(n[0]&1)) { //if both inputs are even, then inverse doesn't exist + copyInt_(x,0); + return 0; + } + + if (eg_u.length!=k) { + eg_u=new Array(k); + eg_v=new Array(k); + eg_A=new Array(k); + eg_B=new Array(k); + eg_C=new Array(k); + eg_D=new Array(k); + } + + copy_(eg_u,x); + copy_(eg_v,n); + copyInt_(eg_A,1); + copyInt_(eg_B,0); + copyInt_(eg_C,0); + copyInt_(eg_D,1); + for (;;) { + while(!(eg_u[0]&1)) { //while eg_u is even + halve_(eg_u); + if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if eg_A==eg_B==0 mod 2 + halve_(eg_A); + halve_(eg_B); + } else { + add_(eg_A,n); halve_(eg_A); + sub_(eg_B,x); halve_(eg_B); + } + } + + while (!(eg_v[0]&1)) { //while eg_v is even + halve_(eg_v); + if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if eg_C==eg_D==0 mod 2 + halve_(eg_C); + halve_(eg_D); + } else { + add_(eg_C,n); halve_(eg_C); + sub_(eg_D,x); halve_(eg_D); + } + } + + if (!greater(eg_v,eg_u)) { //eg_v <= eg_u + sub_(eg_u,eg_v); + sub_(eg_A,eg_C); + sub_(eg_B,eg_D); + } else { //eg_v > eg_u + sub_(eg_v,eg_u); + sub_(eg_C,eg_A); + sub_(eg_D,eg_B); + } + + if (equalsInt(eg_u,0)) { + if (negative(eg_C)) //make sure answer is nonnegative + add_(eg_C,n); + copy_(x,eg_C); + + if (!equalsInt(eg_v,1)) { //if GCD_(x,n)!=1, then there is no inverse + copyInt_(x,0); + return 0; + } + return 1; + } + } +} + +//return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse +function inverseModInt_(x,n) { + var a=1,b=0,t; + for (;;) { + if (x==1) return a; + if (x==0) return 0; + b-=a*Math.floor(n/x); + n%=x; + + if (n==1) return b; //to avoid negatives, change this b to n-b, and each -= to += + if (n==0) return 0; + a-=b*Math.floor(x/n); + x%=n; + } +} + +//Given positive bigInts x and y, change the bigints v, a, and b to positive bigInts such that: +// v = GCD_(x,y) = a*x-b*y +//The bigInts v, a, b, must have exactly as many elements as the larger of x and y. +function eGCD_(x,y,v,a,b) { + var g=0; + var k=Math.max(x.length,y.length); + if (eg_u.length!=k) { + eg_u=new Array(k); + eg_A=new Array(k); + eg_B=new Array(k); + eg_C=new Array(k); + eg_D=new Array(k); + } + while(!(x[0]&1) && !(y[0]&1)) { //while x and y both even + halve_(x); + halve_(y); + g++; + } + copy_(eg_u,x); + copy_(v,y); + copyInt_(eg_A,1); + copyInt_(eg_B,0); + copyInt_(eg_C,0); + copyInt_(eg_D,1); + for (;;) { + while(!(eg_u[0]&1)) { //while u is even + halve_(eg_u); + if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if A==B==0 mod 2 + halve_(eg_A); + halve_(eg_B); + } else { + add_(eg_A,y); halve_(eg_A); + sub_(eg_B,x); halve_(eg_B); + } + } + + while (!(v[0]&1)) { //while v is even + halve_(v); + if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if C==D==0 mod 2 + halve_(eg_C); + halve_(eg_D); + } else { + add_(eg_C,y); halve_(eg_C); + sub_(eg_D,x); halve_(eg_D); + } + } + + if (!greater(v,eg_u)) { //v<=u + sub_(eg_u,v); + sub_(eg_A,eg_C); + sub_(eg_B,eg_D); + } else { //v>u + sub_(v,eg_u); + sub_(eg_C,eg_A); + sub_(eg_D,eg_B); + } + if (equalsInt(eg_u,0)) { + if (negative(eg_C)) { //make sure a (C)is nonnegative + add_(eg_C,y); + sub_(eg_D,x); + } + multInt_(eg_D,-1); ///make sure b (D) is nonnegative + copy_(a,eg_C); + copy_(b,eg_D); + leftShift_(v,g); + return; + } + } +} + + +//is bigInt x negative? +function negative(x) { + return ((x[x.length-1]>>(bpe-1))&1); +} + + +//is (x << (shift*bpe)) > y? +//x and y are nonnegative bigInts +//shift is a nonnegative integer +function greaterShift(x,y,shift) { + var kx=x.length, ky=y.length; + k=((kx+shift)=0; i++) + if (x[i]>0) + return 1; //if there are nonzeros in x to the left of the first column of y, then x is bigger + for (i=kx-1+shift; i0) + return 0; //if there are nonzeros in y to the left of the first column of x, then x is not bigger + for (i=k-1; i>=shift; i--) + if (x[i-shift]>y[i]) return 1; + else if (x[i-shift] y? (x and y both nonnegative) +function greater(x,y) { + var i; + var k=(x.length=0;i--) + if (x[i]>y[i]) + return 1; + else if (x[i]ky;kx--); + + //normalize: ensure the most significant element of y has its highest bit set + b=y[ky-1]; + for (a=0; b; a++) + b>>=1; + a=bpe-a; //a is how many bits to shift so that the high order bit of y is leftmost in its array element + leftShift_(y,a); //multiply both by 1<=ky; i--) { + if (r[i]==y[ky-1]) + q[i-ky]=mask; + else + q[i-ky]=Math.floor((r[i]*radix+r[i-1])/y[ky-1]); + + //The following for(;;) loop is equivalent to the commented while loop, + //except that the uncommented version avoids overflow. + //The commented loop comes from HAC, which assumes r[-1]==y[-1]==0 + // while (q[i-ky]*(y[ky-1]*radix+y[ky-2]) > r[i]*radix*radix+r[i-1]*radix+r[i-2]) + // q[i-ky]--; + for (;;) { + y2=(ky>1 ? y[ky-2] : 0)*q[i-ky]; + c=y2>>bpe; + y2=y2 & mask; + y1=c+q[i-ky]*y[ky-1]; + c=y1>>bpe; + y1=y1 & mask; + + if (c==r[i] ? y1==r[i-1] ? y2>(i>1 ? r[i-2] : 0) : y1>r[i-1] : c>r[i]) + q[i-ky]--; + else + break; + } + + linCombShift_(r,y,-q[i-ky],i-ky); //r=r-q[i-ky]*leftShift_(y,i-ky) + if (negative(r)) { + addShift_(r,y,i-ky); //r=r+leftShift_(y,i-ky) + q[i-ky]--; + } + } + + rightShift_(y,a); //undo the normalization step + rightShift_(r,a); //undo the normalization step +} + +//do carries and borrows so each element of the bigInt x fits in bpe bits. +function carry_(x) { + var i,k,c,b; + k=x.length; + c=0; + for (i=0;i>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + } +} + +//return x mod n for bigInt x and integer n. +function modInt(x,n) { + var i,c=0; + for (i=x.length-1; i>=0; i--) + c=(c*radix+x[i])%n; + return c; +} + +//convert the integer t into a bigInt with at least the given number of bits. +//the returned array stores the bigInt in bpe-bit chunks, little endian (buff[0] is least significant word) +//Pad the array with leading zeros so that it has at least minSize elements. +//There will always be at least one leading 0 element. +function int2bigInt(t,bits,minSize) { + var i,k; + k=Math.ceil(bits/bpe)+1; + k=minSize>k ? minSize : k; + buff=new Array(k); + copyInt_(buff,t); + return buff; +} + +//return the bigInt given a string representation in a given base. +//Pad the array with leading zeros so that it has at least minSize elements. +//If base=-1, then it reads in a space-separated list of array elements in decimal. +//The array will always have at least one leading zero, unless base=-1. +function str2bigInt(s,base,minSize) { + var d, i, j, x, y, kk; + var k=s.length; + if (base==-1) { //comma-separated list of array elements in decimal + x=new Array(0); + for (;;) { + y=new Array(x.length+1); + for (i=0;i=36) //convert lowercase to uppercase if base<=36 + d-=26; + if (d=0) { //ignore illegal characters + multInt_(x,base); + addInt_(x,d); + } + } + + for (k=x.length;k>0 && !x[k-1];k--); //strip off leading zeros + k=minSize>k+1 ? minSize : k+1; + y=new Array(k); + kk=ky.length) { + for (;i0;i--) + s+=x[i]+','; + s+=x[0]; + } + else { //return it in the given base + while (!isZero(s6)) { + t=divInt_(s6,base); //t=s6 % base; s6=floor(s6/base); + s=digitsStr.substring(t,t+1)+s; + } + } + if (s.length==0) + s="0"; + return s; +} + +//returns a duplicate of bigInt x +function dup(x) { + var i; + buff=new Array(x.length); + copy_(buff,x); + return buff; +} + +//do x=y on bigInts x and y. x must be an array at least as big as y (not counting the leading zeros in y). +function copy_(x,y) { + var i; + var k=x.length>=bpe; + } +} + +//do x=x+n where x is a bigInt and n is an integer. +//x must be large enough to hold the result. +function addInt_(x,n) { + var i,k,c,b; + x[0]+=n; + k=x.length; + c=0; + for (i=0;i>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + if (!c) return; //stop carrying as soon as the carry_ is zero + } +} + +//right shift bigInt x by n bits. 0 <= n < bpe. +function rightShift_(x,n) { + var i; + var k=Math.floor(n/bpe); + if (k) { + for (i=0;i>n)); + } + x[i]>>=n; +} + +//do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement +function halve_(x) { + var i; + for (i=0;i>1)); + } + x[i]=(x[i]>>1) | (x[i] & (radix>>1)); //most significant bit stays the same +} + +//left shift bigInt x by n bits. +function leftShift_(x,n) { + var i; + var k=Math.floor(n/bpe); + if (k) { + for (i=x.length; i>=k; i--) //left shift x by k elements + x[i]=x[i-k]; + for (;i>=0;i--) + x[i]=0; + n%=bpe; + } + if (!n) + return; + for (i=x.length-1;i>0;i--) { + x[i]=mask & ((x[i]<>(bpe-n))); + } + x[i]=mask & (x[i]<>bpe); + c+=b*radix; + } + x[i]=c & mask; + c=(c>>bpe)-b; + } +} + +//do x=floor(x/n) for bigInt x and integer n, and return the remainder +function divInt_(x,n) { + var i,r=0,s; + for (i=x.length-1;i>=0;i--) { + s=r*radix+x[i]; + x[i]=Math.floor(s/n); + r=s%n; + } + return r; +} + +//do the linear combination x=a*x+b*y for bigInts x and y, and integers a and b. +//x must be large enough to hold the answer. +function linComb_(x,y,a,b) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;i>=bpe; + } +} + +//do the linear combination x=a*x+b*(y<<(ys*bpe)) for bigInts x and y, and integers a, b and ys. +//x must be large enough to hold the answer. +function linCombShift_(x,y,b,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x+(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys. +//x must be large enough to hold the answer. +function addShift_(x,y,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x-(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys. +//x must be large enough to hold the answer. +function subShift_(x,y,ys) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x-y for bigInts x and y. +//x must be large enough to hold the answer. +//negative answers will be 2s complement +function sub_(x,y) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x+y for bigInts x and y. +//x must be large enough to hold the answer. +function add_(x,y) { + var i,c,k,kk; + k=x.length>=bpe; + } + for (i=k;c && i>=bpe; + } +} + +//do x=x*y for bigInts x and y. This is faster when y0 && !x[kx-1]; kx--); //ignore leading zeros in x + k=kx>n.length ? 2*kx : 2*n.length; //k=# elements in the product, which is twice the elements in the larger of x and n + if (s0.length!=k) + s0=new Array(k); + copyInt_(s0,0); + for (i=0;i>=bpe; + for (j=i+1;j>=bpe; + } + s0[i+kx]=c; + } + mod_(s0,n); + copy_(x,s0); +} + +//return x with exactly k leading zero elements +function trim(x,k) { + var i,y; + for (i=x.length; i>0 && !x[i-1]; i--); + y=new Array(i+k); + copy_(y,x); + return y; +} + +//do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation. 0**0=1. +//this is faster when n is odd. x usually needs to have as many elements as n. +function powMod_(x,y,n) { + var k1,k2,kn,np; + if(s7.length!=n.length) + s7=dup(n); + + //for even modulus, use a simple square-and-multiply algorithm, + //rather than using the more complex Montgomery algorithm. + if ((n[0]&1)==0) { + copy_(s7,x); + copyInt_(x,1); + while(!equalsInt(y,0)) { + if (y[0]&1) + multMod_(x,s7,n); + divInt_(y,2); + squareMod_(s7,n); + } + return; + } + + //calculate np from n for the Montgomery multiplications + copyInt_(s7,0); + for (kn=n.length;kn>0 && !n[kn-1];kn--); + np=radix-inverseModInt_(modInt(n,radix),radix); + s7[kn]=1; + multMod_(x ,s7,n); // x = x * 2**(kn*bp) mod n + + if (s3.length!=x.length) + s3=dup(x); + else + copy_(s3,x); + + for (k1=y.length-1;k1>0 & !y[k1]; k1--); //k1=first nonzero element of y + if (y[k1]==0) { //anything to the 0th power is 1 + copyInt_(x,1); + return; + } + for (k2=1<<(bpe-1);k2 && !(y[k1] & k2); k2>>=1); //k2=position of first 1 bit in y[k1] + for (;;) { + if (!(k2>>=1)) { //look at next bit of y + k1--; + if (k1<0) { + mont_(x,one,n,np); + return; + } + k2=1<<(bpe-1); + } + mont_(x,x,n,np); + + if (k2 & y[k1]) //if next bit is a 1 + mont_(x,s3,n,np); + } +} + +//do x=x*y*Ri mod n for bigInts x,y,n, +// where Ri = 2**(-kn*bpe) mod n, and kn is the +// number of elements in the n array, not +// counting leading zeros. +//x must be large enough to hold the answer. +//It's OK if x and y are the same variable. +//must have: +// x,y < n +// n is odd +// np = -(n^(-1)) mod radix +function mont_(x,y,n,np) { + var i,j,c,ui,t; + var kn=n.length; + var ky=y.length; + + if (sa.length!=kn) + sa=new Array(kn); + + for (;kn>0 && n[kn-1]==0;kn--); //ignore leading zeros of n + //this function sometimes gives wrong answers when the next line is uncommented + //for (;ky>0 && y[ky-1]==0;ky--); //ignore leading zeros of y + + copyInt_(sa,0); + + //the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large keys + for (i=0; i> bpe; + t=x[i]; + + //do sa=(sa+x[i]*y+ui*n)/b where b=2**bpe + for (j=1;j>=bpe; + } + for (;j>=bpe; + } + sa[j-1]=c & mask; + } + + if (!greater(n,sa)) + sub_(sa,n); + copy_(x,sa); +} + + + + +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# +//############################################################################# + + + + + +//############################################################################# + +Clipperz.Crypto.BigInt = function (aValue, aBase) { + var base; + var value; + + if (typeof(aValue) == 'object') { + this._internalValue = aValue; + } else { + if (typeof(aValue) == 'undefined') { + value = "0"; + } else { + value = aValue + ""; + } + + if (typeof(aBase) == 'undefined') { + base = 10; + } else { + base = aBase; + } + + this._internalValue = str2bigInt(value, base, 1, 1); + } + + return this; +} + +//============================================================================= + +MochiKit.Base.update(Clipperz.Crypto.BigInt.prototype, { + + //------------------------------------------------------------------------- + + 'internalValue': function () { + return this._internalValue; + }, + + //------------------------------------------------------------------------- + + 'isBigInt': true, + + //------------------------------------------------------------------------- + + 'toString': function(aBase) { + return this.asString(aBase); + }, + + //------------------------------------------------------------------------- + + 'asString': function (aBase) { + var base; + + if (typeof(aBase) == 'undefined') { + base = 10; + } else { + base = aBase; + } + + return bigInt2str(this.internalValue(), base).toLowerCase(); + }, + + //------------------------------------------------------------------------- + + 'equals': function (aValue) { + var result; + + if (aValue.isBigInt) { + result = equals(this.internalValue(), aValue.internalValue()); + } else if (typeof(aValue) == "number") { + result = equalsInt(this.internalValue(), aValue); + } else { + throw Clipperz.Crypt.BigInt.exception.UnknownType; + } + + return result; + }, + + //------------------------------------------------------------------------- + + 'add': function (aValue) { + var result; + + if (aValue.isBigInt) { + result = add(this.internalValue(), aValue.internalValue()); + } else { + result = addInt(this.internalValue(), aValue); + } + + return new Clipperz.Crypto.BigInt(result); + }, + + //------------------------------------------------------------------------- + + 'subtract': function (aValue) { + var result; + var value; + + if (aValue.isBigInt) { + value = aValue; + } else { + value = new Clipperz.Crypto.BigInt(aValue); + } + + result = sub(this.internalValue(), value.internalValue()); + + return new Clipperz.Crypto.BigInt(result); + }, + + //------------------------------------------------------------------------- + + 'multiply': function (aValue, aModule) { + var result; + var value; + + if (aValue.isBigInt) { + value = aValue; + } else { + value = new Clipperz.Crypto.BigInt(aValue); + } + + if (typeof(aModule) == 'undefined') { + result = mult(this.internalValue(), value.internalValue()); + } else { + result = multMod(this.internalValue(), value.internalValue(), aModule); + } + + return new Clipperz.Crypto.BigInt(result); + }, + + //------------------------------------------------------------------------- + + 'module': function (aModule) { + var result; + var module; + + if (aModule.isBigInt) { + module = aModule; + } else { + module = new Clipperz.Crypto.BigInt(aModule); + } + + result = mod(this.internalValue(), module.internalValue()); + + return new Clipperz.Crypto.BigInt(result); + }, + + //------------------------------------------------------------------------- + + 'powerModule': function(aValue, aModule) { + var result; + var value; + var module; + + if (aValue.isBigInt) { + value = aValue; + } else { + value = new Clipperz.Crypto.BigInt(aValue); + } + + if (aModule.isBigInt) { + module = aModule; + } else { + module = new Clipperz.Crypto.BigInt(aModule); + } + + if (aValue == -1) { + result = inverseMod(this.internalValue(), module.internalValue()); + } else { + result = powMod(this.internalValue(), value.internalValue(), module.internalValue()); + } + + return new Clipperz.Crypto.BigInt(result); + }, + + //------------------------------------------------------------------------- + + 'bitSize': function() { + return bitSize(this.internalValue()); + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# + +Clipperz.Crypto.BigInt.randomPrime = function(aBitSize) { + return new Clipperz.Crypto.BigInt(randTruePrime(aBitSize)); +} + +//############################################################################# +//############################################################################# +//############################################################################# + +Clipperz.Crypto.BigInt.equals = function(a, b) { + return a.equals(b); +} + +Clipperz.Crypto.BigInt.add = function(a, b) { + return a.add(b); +} + +Clipperz.Crypto.BigInt.subtract = function(a, b) { + return a.subtract(b); +} + +Clipperz.Crypto.BigInt.multiply = function(a, b, module) { + return a.multiply(b, module); +} + +Clipperz.Crypto.BigInt.module = function(a, module) { + return a.module(module); +} + +Clipperz.Crypto.BigInt.powerModule = function(a, b, module) { + return a.powerModule(b, module); +} + +Clipperz.Crypto.BigInt.exception = { + UnknownType: new MochiKit.Base.NamedError("Clipperz.Crypto.BigInt.exception.UnknownType") +} diff --git a/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Curve.js b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Curve.js new file mode 100644 index 0000000..0d76b9c --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Curve.js @@ -0,0 +1,500 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +//try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { +// throw "Clipperz.Crypto.ECC depends on Clipperz.ByteArray!"; +//} +if (typeof(Clipperz.Crypto.ECC) == 'undefined') { Clipperz.Crypto.ECC = {}; } +if (typeof(Clipperz.Crypto.ECC.BinaryField) == 'undefined') { Clipperz.Crypto.ECC.BinaryField = {}; } + +Clipperz.Crypto.ECC.BinaryField.Curve = function(args) { + args = args || {}; + + this._modulus = args.modulus; + + this._a = args.a; + this._b = args.b; + this._G = args.G; + this._r = args.r; + this._h = args.h; + + this._finiteField = null; + + return this; +} + +Clipperz.Crypto.ECC.BinaryField.Curve.prototype = MochiKit.Base.update(null, { + + 'asString': function() { + return "Clipperz.Crypto.ECC.BinaryField.Curve"; + }, + + //----------------------------------------------------------------------------- + + 'modulus': function() { + return this._modulus; + }, + + 'a': function() { + return this._a; + }, + + 'b': function() { + return this._b; + }, + + 'G': function() { + return this._G; + }, + + 'r': function() { + return this._r; + }, + + 'h': function() { + return this._h; + }, + + //----------------------------------------------------------------------------- + + 'finiteField': function() { + if (this._finiteField == null) { + this._finiteField = new Clipperz.Crypto.ECC.BinaryField.FiniteField({modulus:this.modulus()}) + } + + return this._finiteField; + }, + + //----------------------------------------------------------------------------- + + 'negate': function(aPointA) { + var result; + + result = new Clipperz.Crypto.ECC.Point({x:aPointA.x(), y:this.finiteField().add(aPointA.y(), aPointA.x())}) + + return result; + }, + + //----------------------------------------------------------------------------- + + 'add': function(aPointA, aPointB) { + var result; + + if (aPointA.isZero()) { + result = aPointB; + } else if (aPointB.isZero()) { + result = aPointA; + } else if ( (aPointA.x().compare(aPointB.x()) == 0) && ((aPointA.y().compare(aPointB.y()) != 0) || aPointB.x().isZero())) { + result = new Clipperz.Crypto.ECC.BinaryField.Point({x:Clipperz.Crypto.ECC.BinaryField.Value.O, y:Clipperz.Crypto.ECC.BinaryField.Value.O}); + } else { + var f2m; + var x, y; + var lambda; + var aX, aY, bX, bY; + + aX = aPointA.x()._value; + aY = aPointA.y()._value; + bX = aPointB.x()._value; + bY = aPointB.y()._value; + + f2m = this.finiteField(); + + if (aPointA.x().compare(aPointB.x()) != 0) { + lambda = f2m._fastMultiply( + f2m._add(aY, bY), + f2m._inverse(f2m._add(aX, bX)) + ); + x = f2m._add(this.a()._value, f2m._square(lambda)); + f2m._overwriteAdd(x, lambda); + f2m._overwriteAdd(x, aX); + f2m._overwriteAdd(x, bX); + } else { + lambda = f2m._add(bX, f2m._fastMultiply(bY, f2m._inverse(bX))); + x = f2m._add(this.a()._value, f2m._square(lambda)); + f2m._overwriteAdd(x, lambda); + } + + y = f2m._fastMultiply(f2m._add(bX, x), lambda); + f2m._overwriteAdd(y, x); + f2m._overwriteAdd(y, bY); + + result = new Clipperz.Crypto.ECC.BinaryField.Point({x:new Clipperz.Crypto.ECC.BinaryField.Value(x), y:new Clipperz.Crypto.ECC.BinaryField.Value(y)}) + } + + return result; + }, + + //----------------------------------------------------------------------------- + + 'addTwice': function(aPointA) { + return this.add(aPointA, aPointA); + }, + + //----------------------------------------------------------------------------- + + 'overwriteAdd': function(aPointA, aPointB) { + if (aPointA.isZero()) { +// result = aPointB; + aPointA._x._value = aPointB._x._value; + aPointA._y._value = aPointB._y._value; + } else if (aPointB.isZero()) { +// result = aPointA; + } else if ( (aPointA.x().compare(aPointB.x()) == 0) && ((aPointA.y().compare(aPointB.y()) != 0) || aPointB.x().isZero())) { +// result = new Clipperz.Crypto.ECC.BinaryField.Point({x:Clipperz.Crypto.ECC.BinaryField.Value.O, y:Clipperz.Crypto.ECC.BinaryField.Value.O}); + aPointA._x = Clipperz.Crypto.ECC.BinaryField.Value.O; + aPointA._y = Clipperz.Crypto.ECC.BinaryField.Value.O; + } else { + var f2m; + var x, y; + var lambda; + var aX, aY, bX, bY; + + aX = aPointA.x()._value; + aY = aPointA.y()._value; + bX = aPointB.x()._value; + bY = aPointB.y()._value; + + f2m = this.finiteField(); + + if (aPointA.x().compare(aPointB.x()) != 0) { + lambda = f2m._fastMultiply( + f2m._add(aY, bY), + f2m._inverse(f2m._add(aX, bX)) + ); + x = f2m._add(this.a()._value, f2m._square(lambda)); + f2m._overwriteAdd(x, lambda); + f2m._overwriteAdd(x, aX); + f2m._overwriteAdd(x, bX); + } else { + lambda = f2m._add(bX, f2m._fastMultiply(bY, f2m._inverse(bX))); + x = f2m._add(this.a()._value, f2m._square(lambda)); + f2m._overwriteAdd(x, lambda); + } + + y = f2m._fastMultiply(f2m._add(bX, x), lambda); + f2m._overwriteAdd(y, x); + f2m._overwriteAdd(y, bY); + +// result = new Clipperz.Crypto.ECC.BinaryField.Point({x:new Clipperz.Crypto.ECC.BinaryField.Value(x), y:new Clipperz.Crypto.ECC.BinaryField.Value(y)}) + aPointA._x._value = x; + aPointA._y._value = y; + + } + + return result; + }, + + //----------------------------------------------------------------------------- + + 'multiply': function(aValue, aPoint) { + var result; + +//console.profile(); + result = new Clipperz.Crypto.ECC.BinaryField.Point({x:Clipperz.Crypto.ECC.BinaryField.Value.O, y:Clipperz.Crypto.ECC.BinaryField.Value.O}); + + if (aValue.isZero() == false) { + var k, Q; + var i; + var countIndex; countIndex = 0; + + if (aValue.compare(Clipperz.Crypto.ECC.BinaryField.Value.O) > 0) { + k = aValue; + Q = aPoint; + } else { + Clipperz.logError("The Clipperz.Crypto.ECC.BinaryFields.Value does not work with negative values!!!!"); + k = aValue.negate(); + Q = this.negate(aPoint); + } + + for (i=k.bitSize()-1; i>=0; i--) { + result = this.add(result, result); +// this.overwriteAdd(result, result); + if (k.isBitSet(i)) { + result = this.add(result, Q); +// this.overwriteAdd(result, Q); + } + +// if (countIndex==100) {Clipperz.log("multiply.break"); break;} else countIndex++; + } + } +//console.profileEnd(); + + return result; + }, + + //----------------------------------------------------------------------------- + + 'deferredMultiply': function(aValue, aPoint) { + var deferredResult; + var result; + +Clipperz.log(">>> deferredMultiply - value: " + aValue + ", point: " + aPoint); +//console.profile("ECC.Curve.multiply"); + deferredResult = new MochiKit.Async.Deferred(); +//deferredResult.addCallback(function(res) {console.profile("ECC.Curve.deferredMultiply"); return res;} ); +//deferredResult.addBoth(function(res) {Clipperz.logDebug("# 1: " + res); return res;}); + + result = new Clipperz.Crypto.ECC.BinaryField.Point({x:Clipperz.Crypto.ECC.BinaryField.Value.O, y:Clipperz.Crypto.ECC.BinaryField.Value.O}); +//deferredResult.addBoth(function(res) {Clipperz.logDebug("# 2: " + res); return res;}); + + if (aValue.isZero() == false) { + var k, Q; + var i; + var countIndex; countIndex = 0; + + if (aValue.compare(Clipperz.Crypto.ECC.BinaryField.Value.O) > 0) { + k = aValue; + Q = aPoint; + } else { + Clipperz.logError("The Clipperz.Crypto.ECC.BinaryFields.Value does not work with negative values!!!!"); + k = aValue.negate(); + Q = this.negate(aPoint); + } + + + for (i=k.bitSize()-1; i>=0; i--) { + deferredResult.addMethod(this, "addTwice"); +//# result = this.add(result, result); +// this.overwriteAdd(result, result); + if (k.isBitSet(i)) { + deferredResult.addMethod(this, "add", Q); +//# result = this.add(result, Q); +// this.overwriteAdd(result, Q); + } + if (i%20 == 0) {deferredResult.addCallback(MochiKit.Async.wait, 0.1);} + } + } +//#console.profileEnd(); +//deferredResult.addBoth(function(res) {console.profileEnd(); return res;}); + deferredResult.callback(result); + +//# return result; + return deferredResult; + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + + +//############################################################################# + +Clipperz.Crypto.ECC.StandardCurves = {}; + +MochiKit.Base.update(Clipperz.Crypto.ECC.StandardCurves, { +/* + '_K571': null, + 'K571': function() { + if (Clipperz.Crypto.ECC.StandardCurves._K571 == null) { + Clipperz.Crypto.ECC.StandardCurves._K571 = new Clipperz.Crypto.ECC.BinaryField.Curve({ + modulus: new Clipperz.Crypto.ECC.BinaryField.Value('08000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000425', 16), + a: new Clipperz.Crypto.ECC.BinaryField.Value('0', 16), + b: new Clipperz.Crypto.ECC.BinaryField.Value('1', 16), + G: new Clipperz.Crypto.ECC.BinaryField.Point({ + x: new Clipperz.Crypto.ECC.BinaryField.Value('026eb7a8 59923fbc 82189631 f8103fe4 ac9ca297 0012d5d4 60248048 01841ca4 43709584 93b205e6 47da304d b4ceb08c bbd1ba39 494776fb 988b4717 4dca88c7 e2945283 a01c8972', 16), + y: new Clipperz.Crypto.ECC.BinaryField.Value('0349dc80 7f4fbf37 4f4aeade 3bca9531 4dd58cec 9f307a54 ffc61efc 006d8a2c 9d4979c0 ac44aea7 4fbebbb9 f772aedc b620b01a 7ba7af1b 320430c8 591984f6 01cd4c14 3ef1c7a3', 16) + }), + r: new Clipperz.Crypto.ECC.BinaryField.Value('02000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 131850e1 f19a63e4 b391a8db 917f4138 b630d84b e5d63938 1e91deb4 5cfe778f 637c1001', 16), + h: new Clipperz.Crypto.ECC.BinaryField.Value('4', 16) + }); + } + + return Clipperz.Crypto.ECC.StandardCurves._K571; + }, + + + + '_K283': null, + 'K283': function() { // f(z) = z^283 + z^12 + z^7 + z^5 + 1 + if (Clipperz.Crypto.ECC.StandardCurves._K283 == null) { + Clipperz.Crypto.ECC.StandardCurves._K283 = new Clipperz.Crypto.ECC.BinaryField.Curve({ + modulus: new Clipperz.Crypto.ECC.BinaryField.Value('08000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000010a1', 16), + a: new Clipperz.Crypto.ECC.BinaryField.Value('0', 16), + b: new Clipperz.Crypto.ECC.BinaryField.Value('1', 16), + G: new Clipperz.Crypto.ECC.BinaryField.Point({ + x: new Clipperz.Crypto.ECC.BinaryField.Value('0503213f 78ca4488 3f1a3b81 62f188e5 53cd265f 23c1567a 16876913 b0c2ac24 58492836', 16), + y: new Clipperz.Crypto.ECC.BinaryField.Value('01ccda38 0f1c9e31 8d90f95d 07e5426f e87e45c0 e8184698 e4596236 4e341161 77dd2259', 16) + }), + r: new Clipperz.Crypto.ECC.BinaryField.Value('01ffffff ffffffff ffffffff ffffffff ffffe9ae 2ed07577 265dff7f 94451e06 1e163c61', 16), + h: new Clipperz.Crypto.ECC.BinaryField.Value('4', 16) + }); + } + + return Clipperz.Crypto.ECC.StandardCurves._K283; + }, +*/ + //----------------------------------------------------------------------------- + + '_B571': null, + 'B571': function() { // f(z) = z^571 + z^10 + z^5 + z^2 + 1 + if (Clipperz.Crypto.ECC.StandardCurves._B571 == null) { + Clipperz.Crypto.ECC.StandardCurves._B571 = new Clipperz.Crypto.ECC.BinaryField.Curve({ + modulus: new Clipperz.Crypto.ECC.BinaryField.Value('80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425', 16), + a: new Clipperz.Crypto.ECC.BinaryField.Value('1', 16), + b: new Clipperz.Crypto.ECC.BinaryField.Value('02f40e7e2221f295de297117b7f3d62f5c6a97ffcb8ceff1cd6ba8ce4a9a18ad84ffabbd8efa59332be7ad6756a66e294afd185a78ff12aa520e4de739baca0c7ffeff7f2955727a', 16), + G: new Clipperz.Crypto.ECC.BinaryField.Point({ + x: new Clipperz.Crypto.ECC.BinaryField.Value('0303001d 34b85629 6c16c0d4 0d3cd775 0a93d1d2 955fa80a a5f40fc8 db7b2abd bde53950 f4c0d293 cdd711a3 5b67fb14 99ae6003 8614f139 4abfa3b4 c850d927 e1e7769c 8eec2d19', 16), + y: new Clipperz.Crypto.ECC.BinaryField.Value('037bf273 42da639b 6dccfffe b73d69d7 8c6c27a6 009cbbca 1980f853 3921e8a6 84423e43 bab08a57 6291af8f 461bb2a8 b3531d2f 0485c19b 16e2f151 6e23dd3c 1a4827af 1b8ac15b', 16) + }), + r: new Clipperz.Crypto.ECC.BinaryField.Value('03ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff e661ce18 ff559873 08059b18 6823851e c7dd9ca1 161de93d 5174d66e 8382e9bb 2fe84e47', 16), + h: new Clipperz.Crypto.ECC.BinaryField.Value('2', 16) + +// S: new Clipperz.Crypto.ECC.BinaryField.Value('2aa058f73a0e33ab486b0f610410c53a7f132310', 10), +// n: new Clipperz.Crypto.ECC.BinaryField.Value('03ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe661ce18ff55987308059b186823851ec7dd9ca1161de93d5174d66e8382e9bb2fe84e47', 16) + }); + + //----------------------------------------------------------------------------- + // + // Guide to Elliptic Curve Cryptography + // Darrel Hankerson, Alfred Menezes, Scott Vanstone + // - Pag: 56, Alorithm 2.45 (with a typo!!!) + // + //----------------------------------------------------------------------------- + // + // http://www.milw0rm.com/papers/136 + // + // ------------------------------------------------------------------------- + // Polynomial Reduction Algorithm Modulo f571 + // ------------------------------------------------------------------------- + // + // Input: Polynomial p(x) of degree 1140 or less, stored as + // an array of 2T machinewords. + // Output: p(x) mod f571(x) + // + // FOR i = T-1, ..., 0 DO + // SET X := P[i+T] + // P[i] := P[i] ^ (X<<5) ^ (X<<7) ^ (X<<10) ^ (X<<15) + // P[i+1] := P[i+1] ^ (X>>17) ^ (X>>22) ^ (X>>25) ^ (X>>27) + // + // SET X := P[T-1] >> 27 + // P[0] := P[0] ^ X ^ (X<<2) ^ (X<<5) ^ (X<<10) + // P[T-1] := P[T-1] & 0x07ffffff + // + // RETURN P[T-1],...,P[0] + // + // ------------------------------------------------------------------------- + // + Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().slowModule = Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().module; + Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().module = function(aValue) { + var result; + + if (aValue.bitSize() > 1140) { + Clipperz.logWarning("ECC.StandarCurves.B571.finiteField().module: falling back to default implementation"); + result = Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().slowModule(aValue); + } else { + var C, T; + var i; + + C = aValue._value.slice(0); + for (i=35; i>=18; i--) { + T = C[i]; + C[i-18] = (((C[i-18] ^ (T<<5) ^ (T<<7) ^ (T<<10) ^ (T<<15)) & 0xffffffff) >>> 0); + C[i-17] = ((C[i-17] ^ (T>>>27) ^ (T>>>25) ^ (T>>>22) ^ (T>>>17)) >>> 0); + } + T = (C[17] >>> 27); + C[0] = ((C[0] ^ T ^ ((T<<2) ^ (T<<5) ^ (T<<10)) & 0xffffffff) >>> 0); + C[17] = (C[17] & 0x07ffffff); + + for(i=18; i<=35; i++) { + C[i] = 0; + } + + result = new Clipperz.Crypto.ECC.BinaryField.Value(C); + } + + return result; + }; + } + + return Clipperz.Crypto.ECC.StandardCurves._B571; + }, + + //----------------------------------------------------------------------------- + + '_B283': null, + 'B283': function() { // f(z) = z^283 + z^12 + z^7 + z^5 + 1 + if (Clipperz.Crypto.ECC.StandardCurves._B283 == null) { + Clipperz.Crypto.ECC.StandardCurves._B283 = new Clipperz.Crypto.ECC.BinaryField.Curve({ +// modulus: new Clipperz.Crypto.ECC.BinaryField.Value('10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000010a1', 16), + modulus: new Clipperz.Crypto.ECC.BinaryField.Value('08000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000010a1', 16), + a: new Clipperz.Crypto.ECC.BinaryField.Value('1', 16), + b: new Clipperz.Crypto.ECC.BinaryField.Value('027b680a c8b8596d a5a4af8a 19a0303f ca97fd76 45309fa2 a581485a f6263e31 3b79a2f5', 16), + G: new Clipperz.Crypto.ECC.BinaryField.Point({ + x: new Clipperz.Crypto.ECC.BinaryField.Value('05f93925 8db7dd90 e1934f8c 70b0dfec 2eed25b8 557eac9c 80e2e198 f8cdbecd 86b12053', 16), + y: new Clipperz.Crypto.ECC.BinaryField.Value('03676854 fe24141c b98fe6d4 b20d02b4 516ff702 350eddb0 826779c8 13f0df45 be8112f4', 16) + }), + r: new Clipperz.Crypto.ECC.BinaryField.Value('03ffffff ffffffff ffffffff ffffffff ffffef90 399660fc 938a9016 5b042a7c efadb307', 16), + h: new Clipperz.Crypto.ECC.BinaryField.Value('2', 16) + +// S: new Clipperz.Crypto.ECC.BinaryField.Value('2aa058f73a0e33ab486b0f610410c53a7f132310', 10), +// n: new Clipperz.Crypto.ECC.BinaryField.Value('03ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe661ce18ff55987308059b186823851ec7dd9ca1161de93d5174d66e8382e9bb2fe84e47', 16) + }); + + //----------------------------------------------------------------------------- + // + // Guide to Elliptic Curve Cryptography + // Darrel Hankerson, Alfred Menezes, Scott Vanstone + // - Pag: 56, Alorithm 2.43 + // + //----------------------------------------------------------------------------- + Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().slowModule = Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().module; + Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().module = function(aValue) { + var result; + + if (aValue.bitSize() > 564) { + Clipperz.logWarning("ECC.StandarCurves.B283.finiteField().module: falling back to default implementation"); + result = Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().slowModule(aValue); + } else { + var C, T; + var i; + + C = aValue._value.slice(0); + for (i=17; i>=9; i--) { + T = C[i]; + C[i-9] = (((C[i-9] ^ (T<<5) ^ (T<<10) ^ (T<<12) ^ (T<<17)) & 0xffffffff) >>> 0); + C[i-8] = ((C[i-8] ^ (T>>>27) ^ (T>>>22) ^ (T>>>20) ^ (T>>>15)) >>> 0); + } + T = (C[8] >>> 27); + C[0] = ((C[0] ^ T ^ ((T<<5) ^ (T<<7) ^ (T<<12)) & 0xffffffff) >>> 0); + C[8] = (C[8] & 0x07ffffff); + + for(i=9; i<=17; i++) { + C[i] = 0; + } + + result = new Clipperz.Crypto.ECC.BinaryField.Value(C); + } + + return result; + }; + } + + return Clipperz.Crypto.ECC.StandardCurves._B283; + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//############################################################################# + diff --git a/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/FiniteField.js b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/FiniteField.js new file mode 100644 index 0000000..7b7c2c6 --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/FiniteField.js @@ -0,0 +1,519 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +//try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { +// throw "Clipperz.Crypto.ECC depends on Clipperz.ByteArray!"; +//} +if (typeof(Clipperz.Crypto.ECC) == 'undefined') { Clipperz.Crypto.ECC = {}; } +if (typeof(Clipperz.Crypto.ECC.BinaryField) == 'undefined') { Clipperz.Crypto.ECC.BinaryField = {}; } + +Clipperz.Crypto.ECC.BinaryField.FiniteField = function(args) { + args = args || {}; + this._modulus = args.modulus; + + return this; +} + +Clipperz.Crypto.ECC.BinaryField.FiniteField.prototype = MochiKit.Base.update(null, { + + 'asString': function() { + return "Clipperz.Crypto.ECC.BinaryField.FiniteField (" + this.modulus().asString() + ")"; + }, + + //----------------------------------------------------------------------------- + + 'modulus': function() { + return this._modulus; + }, + + //----------------------------------------------------------------------------- + + '_module': function(aValue) { + var result; + var modulusComparison; + + modulusComparison = Clipperz.Crypto.ECC.BinaryField.Value._compare(aValue, this.modulus()._value); + + if (modulusComparison < 0) { + result = aValue; + } else if (modulusComparison == 0) { + result = [0]; + } else { + var modulusBitSize; + var resultBitSize; + + result = aValue; + + modulusBitSize = this.modulus().bitSize(); + resultBitSize = Clipperz.Crypto.ECC.BinaryField.Value._bitSize(result); + while (resultBitSize >= modulusBitSize) { + Clipperz.Crypto.ECC.BinaryField.Value._overwriteXor(result, Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft(this.modulus()._value, resultBitSize - modulusBitSize)); + resultBitSize = Clipperz.Crypto.ECC.BinaryField.Value._bitSize(result); + } + } + + return result; + }, + + 'module': function(aValue) { + return new Clipperz.Crypto.ECC.BinaryField.Value(this._module(aValue._value.slice(0))); + }, + + //----------------------------------------------------------------------------- + + '_add': function(a, b) { + return Clipperz.Crypto.ECC.BinaryField.Value._xor(a, b); + }, + + '_overwriteAdd': function(a, b) { + Clipperz.Crypto.ECC.BinaryField.Value._overwriteXor(a, b); + }, + + 'add': function(a, b) { + return new Clipperz.Crypto.ECC.BinaryField.Value(this._add(a._value, b._value)); + }, + + //----------------------------------------------------------------------------- + + 'negate': function(aValue) { + return aValue.clone(); + }, + + //----------------------------------------------------------------------------- + + '_multiply': function(a, b) { + var result; + var valueToXor; + var i,c; + + result = [0]; + valueToXor = b; + c = Clipperz.Crypto.ECC.BinaryField.Value._bitSize(a); + for (i=0; i>> i) & 0x01) == 1) { + Clipperz.Crypto.ECC.BinaryField.Value._overwriteXor(result, B, ii); + } + } + + if (i < (c-1)) { + B = Clipperz.Crypto.ECC.BinaryField.Value._overwriteShiftLeft(B, 1); + } + } + result = this._module(result); + + return result; + }, + + 'fastMultiply': function(a, b) { + return new Clipperz.Crypto.ECC.BinaryField.Value(this._fastMultiply(a._value, b._value)); + }, + + //----------------------------------------------------------------------------- + // + // Guide to Elliptic Curve Cryptography + // Darrel Hankerson, Alfred Menezes, Scott Vanstone + // - Pag: 49, Alorithm 2.34 + // + //----------------------------------------------------------------------------- + + '_square': function(aValue) { + var result; + var value; + var c,i; + var precomputedValues; + + value = aValue; + result = new Array(value.length * 2); + precomputedValues = Clipperz.Crypto.ECC.BinaryField.FiniteField.squarePrecomputedBytes; + + c = value.length; + for (i=0; i>> 8]) << 16); + + result[i*2 + 1] = precomputedValues[(value[i] & 0x00ff0000) >>> 16]; + result[i*2 + 1] |= ((precomputedValues[(value[i] & 0xff000000) >>> 24]) << 16); + } + + return this._module(result); + }, + + 'square': function(aValue) { + return new Clipperz.Crypto.ECC.BinaryField.Value(this._square(aValue._value)); + }, + + //----------------------------------------------------------------------------- + + '_inverse': function(aValue) { + var result; + var b, c; + var u, v; + +// b = Clipperz.Crypto.ECC.BinaryField.Value.I._value; + b = [1]; +// c = Clipperz.Crypto.ECC.BinaryField.Value.O._value; + c = [0]; + u = this._module(aValue); + v = this.modulus()._value.slice(0); + + while (Clipperz.Crypto.ECC.BinaryField.Value._bitSize(u) > 1) { + var bitDifferenceSize; + + bitDifferenceSize = Clipperz.Crypto.ECC.BinaryField.Value._bitSize(u) - Clipperz.Crypto.ECC.BinaryField.Value._bitSize(v); + if (bitDifferenceSize < 0) { + var swap; + + swap = u; + u = v; + v = swap; + + swap = c; + c = b; + b = swap; + + bitDifferenceSize = -bitDifferenceSize; + } + + u = this._add(u, Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft(v, bitDifferenceSize)); + b = this._add(b, Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft(c, bitDifferenceSize)); +// this._overwriteAdd(u, Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft(v, bitDifferenceSize)); +// this._overwriteAdd(b, Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft(c, bitDifferenceSize)); + } + + result = this._module(b); + + return result; + }, + + 'inverse': function(aValue) { + return new Clipperz.Crypto.ECC.BinaryField.Value(this._inverse(aValue._value)); + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + + +Clipperz.Crypto.ECC.BinaryField.FiniteField.squarePrecomputedBytes = [ + 0x0000, // 0 = 0000 0000 -> 0000 0000 0000 0000 + 0x0001, // 1 = 0000 0001 -> 0000 0000 0000 0001 + 0x0004, // 2 = 0000 0010 -> 0000 0000 0000 0100 + 0x0005, // 3 = 0000 0011 -> 0000 0000 0000 0101 + 0x0010, // 4 = 0000 0100 -> 0000 0000 0001 0000 + 0x0011, // 5 = 0000 0101 -> 0000 0000 0001 0001 + 0x0014, // 6 = 0000 0110 -> 0000 0000 0001 0100 + 0x0015, // 7 = 0000 0111 -> 0000 0000 0001 0101 + 0x0040, // 8 = 0000 1000 -> 0000 0000 0100 0000 + 0x0041, // 9 = 0000 1001 -> 0000 0000 0100 0001 + 0x0044, // 10 = 0000 1010 -> 0000 0000 0100 0100 + 0x0045, // 11 = 0000 1011 -> 0000 0000 0100 0101 + 0x0050, // 12 = 0000 1100 -> 0000 0000 0101 0000 + 0x0051, // 13 = 0000 1101 -> 0000 0000 0101 0001 + 0x0054, // 14 = 0000 1110 -> 0000 0000 0101 0100 + 0x0055, // 15 = 0000 1111 -> 0000 0000 0101 0101 + + 0x0100, // 16 = 0001 0000 -> 0000 0001 0000 0000 + 0x0101, // 17 = 0001 0001 -> 0000 0001 0000 0001 + 0x0104, // 18 = 0001 0010 -> 0000 0001 0000 0100 + 0x0105, // 19 = 0001 0011 -> 0000 0001 0000 0101 + 0x0110, // 20 = 0001 0100 -> 0000 0001 0001 0000 + 0x0111, // 21 = 0001 0101 -> 0000 0001 0001 0001 + 0x0114, // 22 = 0001 0110 -> 0000 0001 0001 0100 + 0x0115, // 23 = 0001 0111 -> 0000 0001 0001 0101 + 0x0140, // 24 = 0001 1000 -> 0000 0001 0100 0000 + 0x0141, // 25 = 0001 1001 -> 0000 0001 0100 0001 + 0x0144, // 26 = 0001 1010 -> 0000 0001 0100 0100 + 0x0145, // 27 = 0001 1011 -> 0000 0001 0100 0101 + 0x0150, // 28 = 0001 1100 -> 0000 0001 0101 0000 + 0x0151, // 28 = 0001 1101 -> 0000 0001 0101 0001 + 0x0154, // 30 = 0001 1110 -> 0000 0001 0101 0100 + 0x0155, // 31 = 0001 1111 -> 0000 0001 0101 0101 + + 0x0400, // 32 = 0010 0000 -> 0000 0100 0000 0000 + 0x0401, // 33 = 0010 0001 -> 0000 0100 0000 0001 + 0x0404, // 34 = 0010 0010 -> 0000 0100 0000 0100 + 0x0405, // 35 = 0010 0011 -> 0000 0100 0000 0101 + 0x0410, // 36 = 0010 0100 -> 0000 0100 0001 0000 + 0x0411, // 37 = 0010 0101 -> 0000 0100 0001 0001 + 0x0414, // 38 = 0010 0110 -> 0000 0100 0001 0100 + 0x0415, // 39 = 0010 0111 -> 0000 0100 0001 0101 + 0x0440, // 40 = 0010 1000 -> 0000 0100 0100 0000 + 0x0441, // 41 = 0010 1001 -> 0000 0100 0100 0001 + 0x0444, // 42 = 0010 1010 -> 0000 0100 0100 0100 + 0x0445, // 43 = 0010 1011 -> 0000 0100 0100 0101 + 0x0450, // 44 = 0010 1100 -> 0000 0100 0101 0000 + 0x0451, // 45 = 0010 1101 -> 0000 0100 0101 0001 + 0x0454, // 46 = 0010 1110 -> 0000 0100 0101 0100 + 0x0455, // 47 = 0010 1111 -> 0000 0100 0101 0101 + + 0x0500, // 48 = 0011 0000 -> 0000 0101 0000 0000 + 0x0501, // 49 = 0011 0001 -> 0000 0101 0000 0001 + 0x0504, // 50 = 0011 0010 -> 0000 0101 0000 0100 + 0x0505, // 51 = 0011 0011 -> 0000 0101 0000 0101 + 0x0510, // 52 = 0011 0100 -> 0000 0101 0001 0000 + 0x0511, // 53 = 0011 0101 -> 0000 0101 0001 0001 + 0x0514, // 54 = 0011 0110 -> 0000 0101 0001 0100 + 0x0515, // 55 = 0011 0111 -> 0000 0101 0001 0101 + 0x0540, // 56 = 0011 1000 -> 0000 0101 0100 0000 + 0x0541, // 57 = 0011 1001 -> 0000 0101 0100 0001 + 0x0544, // 58 = 0011 1010 -> 0000 0101 0100 0100 + 0x0545, // 59 = 0011 1011 -> 0000 0101 0100 0101 + 0x0550, // 60 = 0011 1100 -> 0000 0101 0101 0000 + 0x0551, // 61 = 0011 1101 -> 0000 0101 0101 0001 + 0x0554, // 62 = 0011 1110 -> 0000 0101 0101 0100 + 0x0555, // 63 = 0011 1111 -> 0000 0101 0101 0101 + + 0x1000, // 64 = 0100 0000 -> 0001 0000 0000 0000 + 0x1001, // 65 = 0100 0001 -> 0001 0000 0000 0001 + 0x1004, // 66 = 0100 0010 -> 0001 0000 0000 0100 + 0x1005, // 67 = 0100 0011 -> 0001 0000 0000 0101 + 0x1010, // 68 = 0100 0100 -> 0001 0000 0001 0000 + 0x1011, // 69 = 0100 0101 -> 0001 0000 0001 0001 + 0x1014, // 70 = 0100 0110 -> 0001 0000 0001 0100 + 0x1015, // 71 = 0100 0111 -> 0001 0000 0001 0101 + 0x1040, // 72 = 0100 1000 -> 0001 0000 0100 0000 + 0x1041, // 73 = 0100 1001 -> 0001 0000 0100 0001 + 0x1044, // 74 = 0100 1010 -> 0001 0000 0100 0100 + 0x1045, // 75 = 0100 1011 -> 0001 0000 0100 0101 + 0x1050, // 76 = 0100 1100 -> 0001 0000 0101 0000 + 0x1051, // 77 = 0100 1101 -> 0001 0000 0101 0001 + 0x1054, // 78 = 0100 1110 -> 0001 0000 0101 0100 + 0x1055, // 79 = 0100 1111 -> 0001 0000 0101 0101 + + 0x1100, // 80 = 0101 0000 -> 0001 0001 0000 0000 + 0x1101, // 81 = 0101 0001 -> 0001 0001 0000 0001 + 0x1104, // 82 = 0101 0010 -> 0001 0001 0000 0100 + 0x1105, // 83 = 0101 0011 -> 0001 0001 0000 0101 + 0x1110, // 84 = 0101 0100 -> 0001 0001 0001 0000 + 0x1111, // 85 = 0101 0101 -> 0001 0001 0001 0001 + 0x1114, // 86 = 0101 0110 -> 0001 0001 0001 0100 + 0x1115, // 87 = 0101 0111 -> 0001 0001 0001 0101 + 0x1140, // 88 = 0101 1000 -> 0001 0001 0100 0000 + 0x1141, // 89 = 0101 1001 -> 0001 0001 0100 0001 + 0x1144, // 90 = 0101 1010 -> 0001 0001 0100 0100 + 0x1145, // 91 = 0101 1011 -> 0001 0001 0100 0101 + 0x1150, // 92 = 0101 1100 -> 0001 0001 0101 0000 + 0x1151, // 93 = 0101 1101 -> 0001 0001 0101 0001 + 0x1154, // 94 = 0101 1110 -> 0001 0001 0101 0100 + 0x1155, // 95 = 0101 1111 -> 0001 0001 0101 0101 + + 0x1400, // 96 = 0110 0000 -> 0001 0100 0000 0000 + 0x1401, // 97 = 0110 0001 -> 0001 0100 0000 0001 + 0x1404, // 98 = 0110 0010 -> 0001 0100 0000 0100 + 0x1405, // 99 = 0110 0011 -> 0001 0100 0000 0101 + 0x1410, // 100 = 0110 0100 -> 0001 0100 0001 0000 + 0x1411, // 101 = 0110 0101 -> 0001 0100 0001 0001 + 0x1414, // 102 = 0110 0110 -> 0001 0100 0001 0100 + 0x1415, // 103 = 0110 0111 -> 0001 0100 0001 0101 + 0x1440, // 104 = 0110 1000 -> 0001 0100 0100 0000 + 0x1441, // 105 = 0110 1001 -> 0001 0100 0100 0001 + 0x1444, // 106 = 0110 1010 -> 0001 0100 0100 0100 + 0x1445, // 107 = 0110 1011 -> 0001 0100 0100 0101 + 0x1450, // 108 = 0110 1100 -> 0001 0100 0101 0000 + 0x1451, // 109 = 0110 1101 -> 0001 0100 0101 0001 + 0x1454, // 110 = 0110 1110 -> 0001 0100 0101 0100 + 0x1455, // 111 = 0110 1111 -> 0001 0100 0101 0101 + + 0x1500, // 112 = 0111 0000 -> 0001 0101 0000 0000 + 0x1501, // 113 = 0111 0001 -> 0001 0101 0000 0001 + 0x1504, // 114 = 0111 0010 -> 0001 0101 0000 0100 + 0x1505, // 115 = 0111 0011 -> 0001 0101 0000 0101 + 0x1510, // 116 = 0111 0100 -> 0001 0101 0001 0000 + 0x1511, // 117 = 0111 0101 -> 0001 0101 0001 0001 + 0x1514, // 118 = 0111 0110 -> 0001 0101 0001 0100 + 0x1515, // 119 = 0111 0111 -> 0001 0101 0001 0101 + 0x1540, // 120 = 0111 1000 -> 0001 0101 0100 0000 + 0x1541, // 121 = 0111 1001 -> 0001 0101 0100 0001 + 0x1544, // 122 = 0111 1010 -> 0001 0101 0100 0100 + 0x1545, // 123 = 0111 1011 -> 0001 0101 0100 0101 + 0x1550, // 124 = 0111 1100 -> 0001 0101 0101 0000 + 0x1551, // 125 = 0111 1101 -> 0001 0101 0101 0001 + 0x1554, // 126 = 0111 1110 -> 0001 0101 0101 0100 + 0x1555, // 127 = 0111 1111 -> 0001 0101 0101 0101 + + 0x4000, // 128 = 1000 0000 -> 0100 0000 0000 0000 + 0x4001, // 129 = 1000 0001 -> 0100 0000 0000 0001 + 0x4004, // 130 = 1000 0010 -> 0100 0000 0000 0100 + 0x4005, // 131 = 1000 0011 -> 0100 0000 0000 0101 + 0x4010, // 132 = 1000 0100 -> 0100 0000 0001 0000 + 0x4011, // 133 = 1000 0101 -> 0100 0000 0001 0001 + 0x4014, // 134 = 1000 0110 -> 0100 0000 0001 0100 + 0x4015, // 135 = 1000 0111 -> 0100 0000 0001 0101 + 0x4040, // 136 = 1000 1000 -> 0100 0000 0100 0000 + 0x4041, // 137 = 1000 1001 -> 0100 0000 0100 0001 + 0x4044, // 138 = 1000 1010 -> 0100 0000 0100 0100 + 0x4045, // 139 = 1000 1011 -> 0100 0000 0100 0101 + 0x4050, // 140 = 1000 1100 -> 0100 0000 0101 0000 + 0x4051, // 141 = 1000 1101 -> 0100 0000 0101 0001 + 0x4054, // 142 = 1000 1110 -> 0100 0000 0101 0100 + 0x4055, // 143 = 1000 1111 -> 0100 0000 0101 0101 + + 0x4100, // 144 = 1001 0000 -> 0100 0001 0000 0000 + 0x4101, // 145 = 1001 0001 -> 0100 0001 0000 0001 + 0x4104, // 146 = 1001 0010 -> 0100 0001 0000 0100 + 0x4105, // 147 = 1001 0011 -> 0100 0001 0000 0101 + 0x4110, // 148 = 1001 0100 -> 0100 0001 0001 0000 + 0x4111, // 149 = 1001 0101 -> 0100 0001 0001 0001 + 0x4114, // 150 = 1001 0110 -> 0100 0001 0001 0100 + 0x4115, // 151 = 1001 0111 -> 0100 0001 0001 0101 + 0x4140, // 152 = 1001 1000 -> 0100 0001 0100 0000 + 0x4141, // 153 = 1001 1001 -> 0100 0001 0100 0001 + 0x4144, // 154 = 1001 1010 -> 0100 0001 0100 0100 + 0x4145, // 155 = 1001 1011 -> 0100 0001 0100 0101 + 0x4150, // 156 = 1001 1100 -> 0100 0001 0101 0000 + 0x4151, // 157 = 1001 1101 -> 0100 0001 0101 0001 + 0x4154, // 158 = 1001 1110 -> 0100 0001 0101 0100 + 0x4155, // 159 = 1001 1111 -> 0100 0001 0101 0101 + + 0x4400, // 160 = 1010 0000 -> 0100 0100 0000 0000 + 0x4401, // 161 = 1010 0001 -> 0100 0100 0000 0001 + 0x4404, // 162 = 1010 0010 -> 0100 0100 0000 0100 + 0x4405, // 163 = 1010 0011 -> 0100 0100 0000 0101 + 0x4410, // 164 = 1010 0100 -> 0100 0100 0001 0000 + 0x4411, // 165 = 1010 0101 -> 0100 0100 0001 0001 + 0x4414, // 166 = 1010 0110 -> 0100 0100 0001 0100 + 0x4415, // 167 = 1010 0111 -> 0100 0100 0001 0101 + 0x4440, // 168 = 1010 1000 -> 0100 0100 0100 0000 + 0x4441, // 169 = 1010 1001 -> 0100 0100 0100 0001 + 0x4444, // 170 = 1010 1010 -> 0100 0100 0100 0100 + 0x4445, // 171 = 1010 1011 -> 0100 0100 0100 0101 + 0x4450, // 172 = 1010 1100 -> 0100 0100 0101 0000 + 0x4451, // 173 = 1010 1101 -> 0100 0100 0101 0001 + 0x4454, // 174 = 1010 1110 -> 0100 0100 0101 0100 + 0x4455, // 175 = 1010 1111 -> 0100 0100 0101 0101 + + 0x4500, // 176 = 1011 0000 -> 0100 0101 0000 0000 + 0x4501, // 177 = 1011 0001 -> 0100 0101 0000 0001 + 0x4504, // 178 = 1011 0010 -> 0100 0101 0000 0100 + 0x4505, // 179 = 1011 0011 -> 0100 0101 0000 0101 + 0x4510, // 180 = 1011 0100 -> 0100 0101 0001 0000 + 0x4511, // 181 = 1011 0101 -> 0100 0101 0001 0001 + 0x4514, // 182 = 1011 0110 -> 0100 0101 0001 0100 + 0x4515, // 183 = 1011 0111 -> 0100 0101 0001 0101 + 0x4540, // 184 = 1011 1000 -> 0100 0101 0100 0000 + 0x4541, // 185 = 1011 1001 -> 0100 0101 0100 0001 + 0x4544, // 186 = 1011 1010 -> 0100 0101 0100 0100 + 0x4545, // 187 = 1011 1011 -> 0100 0101 0100 0101 + 0x4550, // 188 = 1011 1100 -> 0100 0101 0101 0000 + 0x4551, // 189 = 1011 1101 -> 0100 0101 0101 0001 + 0x4554, // 190 = 1011 1110 -> 0100 0101 0101 0100 + 0x4555, // 191 = 1011 1111 -> 0100 0101 0101 0101 + + 0x5000, // 192 = 1100 0000 -> 0101 0000 0000 0000 + 0x5001, // 193 = 1100 0001 -> 0101 0000 0000 0001 + 0x5004, // 194 = 1100 0010 -> 0101 0000 0000 0100 + 0x5005, // 195 = 1100 0011 -> 0101 0000 0000 0101 + 0x5010, // 196 = 1100 0100 -> 0101 0000 0001 0000 + 0x5011, // 197 = 1100 0101 -> 0101 0000 0001 0001 + 0x5014, // 198 = 1100 0110 -> 0101 0000 0001 0100 + 0x5015, // 199 = 1100 0111 -> 0101 0000 0001 0101 + 0x5040, // 200 = 1100 1000 -> 0101 0000 0100 0000 + 0x5041, // 201 = 1100 1001 -> 0101 0000 0100 0001 + 0x5044, // 202 = 1100 1010 -> 0101 0000 0100 0100 + 0x5045, // 203 = 1100 1011 -> 0101 0000 0100 0101 + 0x5050, // 204 = 1100 1100 -> 0101 0000 0101 0000 + 0x5051, // 205 = 1100 1101 -> 0101 0000 0101 0001 + 0x5054, // 206 = 1100 1110 -> 0101 0000 0101 0100 + 0x5055, // 207 = 1100 1111 -> 0101 0000 0101 0101 + + 0x5100, // 208 = 1101 0000 -> 0101 0001 0000 0000 + 0x5101, // 209 = 1101 0001 -> 0101 0001 0000 0001 + 0x5104, // 210 = 1101 0010 -> 0101 0001 0000 0100 + 0x5105, // 211 = 1101 0011 -> 0101 0001 0000 0101 + 0x5110, // 212 = 1101 0100 -> 0101 0001 0001 0000 + 0x5111, // 213 = 1101 0101 -> 0101 0001 0001 0001 + 0x5114, // 214 = 1101 0110 -> 0101 0001 0001 0100 + 0x5115, // 215 = 1101 0111 -> 0101 0001 0001 0101 + 0x5140, // 216 = 1101 1000 -> 0101 0001 0100 0000 + 0x5141, // 217 = 1101 1001 -> 0101 0001 0100 0001 + 0x5144, // 218 = 1101 1010 -> 0101 0001 0100 0100 + 0x5145, // 219 = 1101 1011 -> 0101 0001 0100 0101 + 0x5150, // 220 = 1101 1100 -> 0101 0001 0101 0000 + 0x5151, // 221 = 1101 1101 -> 0101 0001 0101 0001 + 0x5154, // 222 = 1101 1110 -> 0101 0001 0101 0100 + 0x5155, // 223 = 1101 1111 -> 0101 0001 0101 0101 + + 0x5400, // 224 = 1110 0000 -> 0101 0100 0000 0000 + 0x5401, // 225 = 1110 0001 -> 0101 0100 0000 0001 + 0x5404, // 226 = 1110 0010 -> 0101 0100 0000 0100 + 0x5405, // 227 = 1110 0011 -> 0101 0100 0000 0101 + 0x5410, // 228 = 1110 0100 -> 0101 0100 0001 0000 + 0x5411, // 229 = 1110 0101 -> 0101 0100 0001 0001 + 0x5414, // 230 = 1110 0110 -> 0101 0100 0001 0100 + 0x5415, // 231 = 1110 0111 -> 0101 0100 0001 0101 + 0x5440, // 232 = 1110 1000 -> 0101 0100 0100 0000 + 0x5441, // 233 = 1110 1001 -> 0101 0100 0100 0001 + 0x5444, // 234 = 1110 1010 -> 0101 0100 0100 0100 + 0x5445, // 235 = 1110 1011 -> 0101 0100 0100 0101 + 0x5450, // 236 = 1110 1100 -> 0101 0100 0101 0000 + 0x5451, // 237 = 1110 1101 -> 0101 0100 0101 0001 + 0x5454, // 238 = 1110 1110 -> 0101 0100 0101 0100 + 0x5455, // 239 = 1110 1111 -> 0101 0100 0101 0101 + + 0x5500, // 240 = 1111 0000 -> 0101 0101 0000 0000 + 0x5501, // 241 = 1111 0001 -> 0101 0101 0000 0001 + 0x5504, // 242 = 1111 0010 -> 0101 0101 0000 0100 + 0x5505, // 243 = 1111 0011 -> 0101 0101 0000 0101 + 0x5510, // 244 = 1111 0100 -> 0101 0101 0001 0000 + 0x5511, // 245 = 1111 0101 -> 0101 0101 0001 0001 + 0x5514, // 246 = 1111 0110 -> 0101 0101 0001 0100 + 0x5515, // 247 = 1111 0111 -> 0101 0101 0001 0101 + 0x5540, // 248 = 1111 1000 -> 0101 0101 0100 0000 + 0x5541, // 249 = 1111 1001 -> 0101 0101 0100 0001 + 0x5544, // 250 = 1111 1010 -> 0101 0101 0100 0100 + 0x5545, // 251 = 1111 1011 -> 0101 0101 0100 0101 + 0x5550, // 252 = 1111 1100 -> 0101 0101 0101 0000 + 0x5551, // 253 = 1111 1101 -> 0101 0101 0101 0001 + 0x5554, // 254 = 1111 1110 -> 0101 0101 0101 0100 + 0x5555 // 255 = 1111 1111 -> 0101 0101 0101 0101 + +] diff --git a/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Point.js b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Point.js new file mode 100644 index 0000000..fef3220 --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Point.js @@ -0,0 +1,62 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +//try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { +// throw "Clipperz.Crypto.ECC depends on Clipperz.ByteArray!"; +//} +if (typeof(Clipperz.Crypto.ECC) == 'undefined') { Clipperz.Crypto.ECC = {}; } +if (typeof(Clipperz.Crypto.ECC.BinaryField) == 'undefined') { Clipperz.Crypto.ECC.BinaryField = {}; } + +Clipperz.Crypto.ECC.BinaryField.Point = function(args) { + args = args || {}; + this._x = args.x; + this._y = args.y; + + return this; +} + +Clipperz.Crypto.ECC.BinaryField.Point.prototype = MochiKit.Base.update(null, { + + 'asString': function() { + return "Clipperz.Crypto.ECC.BinaryField.Point (" + this.x() + ", " + this.y() + ")"; + }, + + //----------------------------------------------------------------------------- + + 'x': function() { + return this._x; + }, + + 'y': function() { + return this._y; + }, + + //----------------------------------------------------------------------------- + + 'isZero': function() { + return (this.x().isZero() && this.y().isZero()) + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); diff --git a/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Value.js b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Value.js new file mode 100644 index 0000000..634772a --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/ECC/BinaryField/Value.js @@ -0,0 +1,379 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +//try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { +// throw "Clipperz.Crypto.ECC depends on Clipperz.ByteArray!"; +//} +if (typeof(Clipperz) == 'undefined') { Clipperz = {}; } +if (typeof(Clipperz.Crypto) == 'undefined') { Clipperz.Crypto = {}; } +if (typeof(Clipperz.Crypto.ECC) == 'undefined') { Clipperz.Crypto.ECC = {}; } +if (typeof(Clipperz.Crypto.ECC.BinaryField) == 'undefined') { Clipperz.Crypto.ECC.BinaryField = {}; } + +Clipperz.Crypto.ECC.BinaryField.Value = function(aValue, aBase, aBitSize) { + if (aValue.constructor == String) { + var value; + var stringLength; + var numberOfWords; + var i,c; + + if (aBase != 16) { + throw Clipperz.Crypto.ECC.BinaryField.Value.exception.UnsupportedBase; + } + + value = aValue.replace(/ /g, ''); + stringLength = value.length; + numberOfWords = Math.ceil(stringLength / 8); + this._value = new Array(numberOfWords); + + c = numberOfWords; + for (i=0; i>> 0); + } + + return result; +}; + +Clipperz.Crypto.ECC.BinaryField.Value._overwriteXor = function(a, b, aFirstItemOffset) { + var i,c; + var firstItemOffset; + + firstItemOffset = aFirstItemOffset || 0; + + c = Math.max((a.length - firstItemOffset), b.length) + firstItemOffset; + for (i=firstItemOffset; i>> 0); + } +}; + +Clipperz.Crypto.ECC.BinaryField.Value._shiftLeft = function(aWordArray, aNumberOfBitsToShift) { + var numberOfWordsToShift; + var numberOfBitsToShift; + var result; + var overflowValue; + var nextOverflowValue; + var i,c; + + numberOfWordsToShift = Math.floor(aNumberOfBitsToShift / 32); + numberOfBitsToShift = aNumberOfBitsToShift % 32; + + result = new Array(aWordArray.length + numberOfWordsToShift); + + c = numberOfWordsToShift; + for (i=0; i 0) { + nextOverflowValue = (value >>> (32 - numberOfBitsToShift)); + value = value & (0xffffffff >>> numberOfBitsToShift); + resultWord = (((value << numberOfBitsToShift) | overflowValue) >>> 0); + } else { + resultWord = value; + } + + result[i+numberOfWordsToShift] = resultWord; + overflowValue = nextOverflowValue; + } + + if (overflowValue != 0) { + result[aWordArray.length + numberOfWordsToShift] = overflowValue; + } + + return result; +}; + +Clipperz.Crypto.ECC.BinaryField.Value._overwriteShiftLeft = function(aWordArray, aNumberOfBitsToShift) { + var numberOfWordsToShift; + var numberOfBitsToShift; + var result; + var overflowValue; + var i,c; + + numberOfWordsToShift = Math.floor(aNumberOfBitsToShift / 32); + numberOfBitsToShift = aNumberOfBitsToShift % 32; + + result = new Array(aWordArray.length + numberOfWordsToShift); + + c = numberOfWordsToShift; + for (i=0; i 0) { + var nextOverflowValue; + + nextOverflowValue = (value >>> (32 - numberOfBitsToShift)); + value = value & (0xffffffff >>> numberOfBitsToShift); + resultWord = (((value << numberOfBitsToShift) | overflowValue) >>> 0); + } else { + resultWord = value; + } + + result[i+numberOfWordsToShift] = resultWord; + overflowValue = nextOverflowValue; + } + + if (overflowValue != 0) { + result[aWordArray.length + numberOfWordsToShift] = overflowValue; + } + + return result; +}; + +Clipperz.Crypto.ECC.BinaryField.Value._bitSize = function(aWordArray) { + var result; + var notNullElements; + var mostValuableWord; + var matchingBitsInMostImportantWord; + var mask; + var i,c; + + notNullElements = aWordArray.length; + + if ((aWordArray.length == 1) && (aWordArray[0] == 0)) { + result = 0; + } else { + notNullElements --; + while((notNullElements > 0) && (aWordArray[notNullElements] == 0)) { + notNullElements --; + } + + result = notNullElements * 32; + mostValuableWord = aWordArray[notNullElements]; + + matchingBits = 32; + mask = 0x80000000; + + while ((matchingBits > 0) && ((mostValuableWord & mask) == 0)) { + matchingBits --; + mask >>>= 1; + } + + result += matchingBits; + } + + return result; +}; + +Clipperz.Crypto.ECC.BinaryField.Value._isBitSet = function(aWordArray, aBitPosition) { + var result; + var byteIndex; + var bitIndexInSelectedByte; + + byteIndex = Math.floor(aBitPosition / 32); + bitIndexInSelectedByte = aBitPosition % 32; + + if (byteIndex <= aWordArray.length) { + result = ((aWordArray[byteIndex] & (1 << bitIndexInSelectedByte)) != 0); + } else { + result = false; + } + + return result; +}; + +Clipperz.Crypto.ECC.BinaryField.Value._compare = function(a,b) { + var result; + var i,c; + + result = MochiKit.Base.compare(a.length, b.length); + + c = a.length; + for (i=0; (i>17) ^ (X>>22) ^ (X>>25) ^ (X>>27) + // + // SET X := P[T-1] >> 27 + // P[0] := P[0] ^ X ^ (X<<2) ^ (X<<5) ^ (X<<10) + // P[T-1] := P[T-1] & 0x07ffffff + // + // RETURN P[T-1],...,P[0] + // + // ------------------------------------------------------------------------- + // + Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().slowModule = Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().module; + Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().module = function(aValue) { + var result; + + if (aValue.bitSize() > 1140) { + Clipperz.logWarning("ECC.StandarCurves.B571.finiteField().module: falling back to default implementation"); + result = Clipperz.Crypto.ECC.StandardCurves._B571.finiteField().slowModule(aValue); + } else { + var C, T; + var i; + + C = aValue._value.slice(0); + for (i=35; i>=18; i--) { + T = C[i]; + C[i-18] = (((C[i-18] ^ (T<<5) ^ (T<<7) ^ (T<<10) ^ (T<<15)) & 0xffffffff) >>> 0); + C[i-17] = ((C[i-17] ^ (T>>>27) ^ (T>>>25) ^ (T>>>22) ^ (T>>>17)) >>> 0); + } + T = (C[17] >>> 27); + C[0] = ((C[0] ^ T ^ ((T<<2) ^ (T<<5) ^ (T<<10)) & 0xffffffff) >>> 0); + C[17] = (C[17] & 0x07ffffff); + + for(i=18; i<=35; i++) { + C[i] = 0; + } + + result = new Clipperz.Crypto.ECC.BinaryField.Value(C); + } + + return result; + }; + } + + return Clipperz.Crypto.ECC.StandardCurves._B571; + }, + + //----------------------------------------------------------------------------- + + '_B283': null, + 'B283': function() { // f(z) = z^283 + z^12 + z^7 + z^5 + 1 + if ((Clipperz.Crypto.ECC.StandardCurves._B283 == null) && (typeof(Clipperz.Crypto.ECC.BinaryField.Curve) != 'undefined')) { + Clipperz.Crypto.ECC.StandardCurves._B283 = new Clipperz.Crypto.ECC.BinaryField.Curve({ + modulus: new Clipperz.Crypto.ECC.BinaryField.Value('08000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000010a1', 16), + a: new Clipperz.Crypto.ECC.BinaryField.Value('1', 16), + b: new Clipperz.Crypto.ECC.BinaryField.Value('027b680a c8b8596d a5a4af8a 19a0303f ca97fd76 45309fa2 a581485a f6263e31 3b79a2f5', 16), + G: new Clipperz.Crypto.ECC.BinaryField.Point({ + x: new Clipperz.Crypto.ECC.BinaryField.Value('05f93925 8db7dd90 e1934f8c 70b0dfec 2eed25b8 557eac9c 80e2e198 f8cdbecd 86b12053', 16), + y: new Clipperz.Crypto.ECC.BinaryField.Value('03676854 fe24141c b98fe6d4 b20d02b4 516ff702 350eddb0 826779c8 13f0df45 be8112f4', 16) + }), + r: new Clipperz.Crypto.ECC.BinaryField.Value('03ffffff ffffffff ffffffff ffffffff ffffef90 399660fc 938a9016 5b042a7c efadb307', 16), + h: new Clipperz.Crypto.ECC.BinaryField.Value('2', 16) + }); + + //----------------------------------------------------------------------------- + // + // Guide to Elliptic Curve Cryptography + // Darrel Hankerson, Alfred Menezes, Scott Vanstone + // - Pag: 56, Alorithm 2.43 + // + //----------------------------------------------------------------------------- + Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().slowModule = Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().module; + Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().module = function(aValue) { + var result; + + if (aValue.bitSize() > 564) { + Clipperz.logWarning("ECC.StandarCurves.B283.finiteField().module: falling back to default implementation"); + result = Clipperz.Crypto.ECC.StandardCurves._B283.finiteField().slowModule(aValue); + } else { + var C, T; + var i; + + C = aValue._value.slice(0); + for (i=17; i>=9; i--) { + T = C[i]; + C[i-9] = (((C[i-9] ^ (T<<5) ^ (T<<10) ^ (T<<12) ^ (T<<17)) & 0xffffffff) >>> 0); + C[i-8] = ((C[i-8] ^ (T>>>27) ^ (T>>>22) ^ (T>>>20) ^ (T>>>15)) >>> 0); + } + T = (C[8] >>> 27); + C[0] = ((C[0] ^ T ^ ((T<<5) ^ (T<<7) ^ (T<<12)) & 0xffffffff) >>> 0); + C[8] = (C[8] & 0x07ffffff); + + for(i=9; i<=17; i++) { + C[i] = 0; + } + + result = new Clipperz.Crypto.ECC.BinaryField.Value(C); + } + + return result; + }; + } + + return Clipperz.Crypto.ECC.StandardCurves._B283; + }, + + //============================================================================== + __syntaxFix__: "syntax fix" +}); + + + diff --git a/frontend/delta/js/Clipperz/Crypto/PRNG.js b/frontend/delta/js/Clipperz/Crypto/PRNG.js new file mode 100644 index 0000000..c539f06 --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/PRNG.js @@ -0,0 +1,841 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.PRNG depends on Clipperz.ByteArray!"; +} + +try { if (typeof(Clipperz.Crypto.SHA) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.PRNG depends on Clipperz.Crypto.SHA!"; +} + +try { if (typeof(Clipperz.Crypto.AES) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.PRNG depends on Clipperz.Crypto.AES!"; +} + +if (typeof(Clipperz.Crypto.PRNG) == 'undefined') { Clipperz.Crypto.PRNG = {}; } + +//############################################################################# + +Clipperz.Crypto.PRNG.EntropyAccumulator = function(args) { + args = args || {}; +// MochiKit.Base.bindMethods(this); + + this._stack = new Clipperz.ByteArray(); + this._maxStackLengthBeforeHashing = args.maxStackLengthBeforeHashing || 256; + return this; +} + +Clipperz.Crypto.PRNG.EntropyAccumulator.prototype = MochiKit.Base.update(null, { + + 'toString': function() { + return "Clipperz.Crypto.PRNG.EntropyAccumulator"; + }, + + //------------------------------------------------------------------------- + + 'stack': function() { + return this._stack; + }, + + 'setStack': function(aValue) { + this._stack = aValue; + }, + + 'resetStack': function() { + this.stack().reset(); + }, + + 'maxStackLengthBeforeHashing': function() { + return this._maxStackLengthBeforeHashing; + }, + + //------------------------------------------------------------------------- + + 'addRandomByte': function(aValue) { + this.stack().appendByte(aValue); + + if (this.stack().length() > this.maxStackLengthBeforeHashing()) { + this.setStack(Clipperz.Crypto.SHA.sha_d256(this.stack())); + } + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//############################################################################# + +Clipperz.Crypto.PRNG.RandomnessSource = function(args) { + args = args || {}; + MochiKit.Base.bindMethods(this); + + this._generator = args.generator || null; + this._sourceId = args.sourceId || null; + this._boostMode = args.boostMode || false; + + this._nextPoolIndex = 0; + + return this; +} + +Clipperz.Crypto.PRNG.RandomnessSource.prototype = MochiKit.Base.update(null, { + + 'generator': function() { + return this._generator; + }, + + 'setGenerator': function(aValue) { + this._generator = aValue; + }, + + //------------------------------------------------------------------------- + + 'boostMode': function() { + return this._boostMode; + }, + + 'setBoostMode': function(aValue) { + this._boostMode = aValue; + }, + + //------------------------------------------------------------------------- + + 'sourceId': function() { + return this._sourceId; + }, + + 'setSourceId': function(aValue) { + this._sourceId = aValue; + }, + + //------------------------------------------------------------------------- + + 'nextPoolIndex': function() { + return this._nextPoolIndex; + }, + + 'incrementNextPoolIndex': function() { + this._nextPoolIndex = ((this._nextPoolIndex + 1) % this.generator().numberOfEntropyAccumulators()); + }, + + //------------------------------------------------------------------------- + + 'updateGeneratorWithValue': function(aRandomValue) { + if (this.generator() != null) { + this.generator().addRandomByte(this.sourceId(), this.nextPoolIndex(), aRandomValue); + this.incrementNextPoolIndex(); + } + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//############################################################################# + +Clipperz.Crypto.PRNG.TimeRandomnessSource = function(args) { + args = args || {}; +// MochiKit.Base.bindMethods(this); + + this._intervalTime = args.intervalTime || 1000; + + Clipperz.Crypto.PRNG.RandomnessSource.call(this, args); + + this.collectEntropy(); + return this; +} + +Clipperz.Crypto.PRNG.TimeRandomnessSource.prototype = MochiKit.Base.update(new Clipperz.Crypto.PRNG.RandomnessSource, { + + 'intervalTime': function() { + return this._intervalTime; + }, + + //------------------------------------------------------------------------- + + 'collectEntropy': function() { + var now; + var entropyByte; + var intervalTime; + now = new Date(); + entropyByte = (now.getTime() & 0xff); + + intervalTime = this.intervalTime(); + if (this.boostMode() == true) { + intervalTime = intervalTime / 9; + } + + this.updateGeneratorWithValue(entropyByte); + setTimeout(this.collectEntropy, intervalTime); + }, + + //------------------------------------------------------------------------- + + 'numberOfRandomBits': function() { + return 5; + }, + + //------------------------------------------------------------------------- + + 'pollingFrequency': function() { + return 10; + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//***************************************************************************** + +Clipperz.Crypto.PRNG.MouseRandomnessSource = function(args) { + args = args || {}; + + Clipperz.Crypto.PRNG.RandomnessSource.call(this, args); + + this._numberOfBitsToCollectAtEachEvent = 4; + this._randomBitsCollector = 0; + this._numberOfRandomBitsCollected = 0; + + MochiKit.Signal.connect(document, 'onmousemove', this, 'collectEntropy'); + + return this; +} + +Clipperz.Crypto.PRNG.MouseRandomnessSource.prototype = MochiKit.Base.update(new Clipperz.Crypto.PRNG.RandomnessSource, { + + //------------------------------------------------------------------------- + + 'numberOfBitsToCollectAtEachEvent': function() { + return this._numberOfBitsToCollectAtEachEvent; + }, + + //------------------------------------------------------------------------- + + 'randomBitsCollector': function() { + return this._randomBitsCollector; + }, + + 'setRandomBitsCollector': function(aValue) { + this._randomBitsCollector = aValue; + }, + + 'appendRandomBitsToRandomBitsCollector': function(aValue) { + var collectedBits; + var numberOfRandomBitsCollected; + + numberOfRandomBitsCollected = this.numberOfRandomBitsCollected(); + collectetBits = this.randomBitsCollector() | (aValue << numberOfRandomBitsCollected); + this.setRandomBitsCollector(collectetBits); + numberOfRandomBitsCollected += this.numberOfBitsToCollectAtEachEvent(); + + if (numberOfRandomBitsCollected == 8) { + this.updateGeneratorWithValue(collectetBits); + numberOfRandomBitsCollected = 0; + this.setRandomBitsCollector(0); + } + + this.setNumberOfRandomBitsCollected(numberOfRandomBitsCollected) + }, + + //------------------------------------------------------------------------- + + 'numberOfRandomBitsCollected': function() { + return this._numberOfRandomBitsCollected; + }, + + 'setNumberOfRandomBitsCollected': function(aValue) { + this._numberOfRandomBitsCollected = aValue; + }, + + //------------------------------------------------------------------------- + + 'collectEntropy': function(anEvent) { + var mouseLocation; + var randomBit; + var mask; + + mask = 0xffffffff >>> (32 - this.numberOfBitsToCollectAtEachEvent()); + + mouseLocation = anEvent.mouse().client; + randomBit = ((mouseLocation.x ^ mouseLocation.y) & mask); + this.appendRandomBitsToRandomBitsCollector(randomBit) + }, + + //------------------------------------------------------------------------- + + 'numberOfRandomBits': function() { + return 1; + }, + + //------------------------------------------------------------------------- + + 'pollingFrequency': function() { + return 10; + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//***************************************************************************** + +Clipperz.Crypto.PRNG.KeyboardRandomnessSource = function(args) { + args = args || {}; + Clipperz.Crypto.PRNG.RandomnessSource.call(this, args); + + this._randomBitsCollector = 0; + this._numberOfRandomBitsCollected = 0; + + MochiKit.Signal.connect(document, 'onkeypress', this, 'collectEntropy'); + + return this; +} + +Clipperz.Crypto.PRNG.KeyboardRandomnessSource.prototype = MochiKit.Base.update(new Clipperz.Crypto.PRNG.RandomnessSource, { + + //------------------------------------------------------------------------- + + 'randomBitsCollector': function() { + return this._randomBitsCollector; + }, + + 'setRandomBitsCollector': function(aValue) { + this._randomBitsCollector = aValue; + }, + + 'appendRandomBitToRandomBitsCollector': function(aValue) { + var collectedBits; + var numberOfRandomBitsCollected; + + numberOfRandomBitsCollected = this.numberOfRandomBitsCollected(); + collectetBits = this.randomBitsCollector() | (aValue << numberOfRandomBitsCollected); + this.setRandomBitsCollector(collectetBits); + numberOfRandomBitsCollected ++; + + if (numberOfRandomBitsCollected == 8) { + this.updateGeneratorWithValue(collectetBits); + numberOfRandomBitsCollected = 0; + this.setRandomBitsCollector(0); + } + + this.setNumberOfRandomBitsCollected(numberOfRandomBitsCollected) + }, + + //------------------------------------------------------------------------- + + 'numberOfRandomBitsCollected': function() { + return this._numberOfRandomBitsCollected; + }, + + 'setNumberOfRandomBitsCollected': function(aValue) { + this._numberOfRandomBitsCollected = aValue; + }, + + //------------------------------------------------------------------------- + + 'collectEntropy': function(anEvent) { +/* + var mouseLocation; + var randomBit; + + mouseLocation = anEvent.mouse().client; + + randomBit = ((mouseLocation.x ^ mouseLocation.y) & 0x1); + this.appendRandomBitToRandomBitsCollector(randomBit); +*/ + }, + + //------------------------------------------------------------------------- + + 'numberOfRandomBits': function() { + return 1; + }, + + //------------------------------------------------------------------------- + + 'pollingFrequency': function() { + return 10; + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" +}); + +//############################################################################# + +Clipperz.Crypto.PRNG.Fortuna = function(args) { + var i,c; + + args = args || {}; + + this._key = args.seed || null; + if (this._key == null) { + this._counter = 0; + this._key = new Clipperz.ByteArray(); + } else { + this._counter = 1; + } + + this._aesKey = null; + + this._firstPoolReseedLevel = args.firstPoolReseedLevel || 32 || 64; + this._numberOfEntropyAccumulators = args.numberOfEntropyAccumulators || 32; + + this._accumulators = []; + c = this.numberOfEntropyAccumulators(); + for (i=0; i>> (32 - c); + for (i=0; i>> (c - i))) == 0)) { + newKeySeed.appendBlock(this.accumulators()[i].stack()); + this.accumulators()[i].resetStack(); + } + } + + if (reseedCounter == 1) { + c = this.randomnessSources().length; + for (i=0; i this.firstPoolReseedLevel()) { + this.reseed(); + } + } + }, + + //------------------------------------------------------------------------- + + 'numberOfEntropyAccumulators': function() { + return this._numberOfEntropyAccumulators; + }, + + //------------------------------------------------------------------------- + + 'randomnessSources': function() { + return this._randomnessSources; + }, + + 'addRandomnessSource': function(aRandomnessSource) { + aRandomnessSource.setGenerator(this); + aRandomnessSource.setSourceId(this.randomnessSources().length); + this.randomnessSources().push(aRandomnessSource); + + if (this.isReadyToGenerateRandomValues() == false) { + aRandomnessSource.setBoostMode(true); + } + }, + + //------------------------------------------------------------------------- + + 'deferredEntropyCollection': function(aValue) { + var result; + + + if (this.isReadyToGenerateRandomValues()) { + result = aValue; + } else { + var deferredResult; + + deferredResult = new Clipperz.Async.Deferred("PRNG.deferredEntropyCollection"); + deferredResult.addCallback(MochiKit.Base.partial(MochiKit.Async.succeed, aValue)); + MochiKit.Signal.connect(this, + 'readyToGenerateRandomBytes', + deferredResult, + 'callback'); + + result = deferredResult; + } + + return result; + }, + + //------------------------------------------------------------------------- + + 'fastEntropyAccumulationForTestingPurpose': function() { + while (! this.isReadyToGenerateRandomValues()) { + this.addRandomByte(Math.floor(Math.random() * 32), Math.floor(Math.random() * 32), Math.floor(Math.random() * 256)); + } + }, + + //------------------------------------------------------------------------- + + 'dump': function(appendToDoc) { + var tbl; + var i,c; + + tbl = document.createElement("table"); + tbl.border = 0; + with (tbl.style) { + border = "1px solid lightgrey"; + fontFamily = 'Helvetica, Arial, sans-serif'; + fontSize = '8pt'; + //borderCollapse = "collapse"; + } + var hdr = tbl.createTHead(); + var hdrtr = hdr.insertRow(0); + // document.createElement("tr"); + { + var ntd; + + ntd = hdrtr.insertCell(0); + ntd.style.borderBottom = "1px solid lightgrey"; + ntd.style.borderRight = "1px solid lightgrey"; + ntd.appendChild(document.createTextNode("#")); + + ntd = hdrtr.insertCell(1); + ntd.style.borderBottom = "1px solid lightgrey"; + ntd.style.borderRight = "1px solid lightgrey"; + ntd.appendChild(document.createTextNode("s")); + + ntd = hdrtr.insertCell(2); + ntd.colSpan = this.firstPoolReseedLevel(); + ntd.style.borderBottom = "1px solid lightgrey"; + ntd.style.borderRight = "1px solid lightgrey"; + ntd.appendChild(document.createTextNode("base values")); + + ntd = hdrtr.insertCell(3); + ntd.colSpan = 20; + ntd.style.borderBottom = "1px solid lightgrey"; + ntd.appendChild(document.createTextNode("extra values")); + + } + + c = this.accumulators().length; + for (i=0; i>> aNumberOfBits) | (aValue << (32 - aNumberOfBits)); + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.rotateRight"); + return result; + }, + + 'shiftRight': function(aValue, aNumberOfBits) { +//Clipperz.Profile.start("Clipperz.Crypto.SHA.shiftRight"); + var result; + + result = aValue >>> aNumberOfBits; + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.shiftRight"); + return result; + }, + + //----------------------------------------------------------------------------- + + 'safeAdd': function() { +//Clipperz.Profile.start("Clipperz.Crypto.SHA.safeAdd"); + var result; + var i, c; + + result = arguments[0]; + c = arguments.length; + for (i=1; i> 16) + (arguments[i] >> 16) + (lowerBytesSum >> 16)) << 16) | (lowerBytesSum & 0xffff); + } + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.safeAdd"); + return result; + }, + + //----------------------------------------------------------------------------- + + 'sha256_array': function(aValue) { +//Clipperz.Profile.start("Clipperz.Crypto.SHA.sha256_array"); + var result; + var message; + var h0, h1, h2, h3, h4, h5, h6, h7; + var k; + var messageLength; + var messageLengthInBits; + var _i, _c; + var charBits; + var rotateRight; + var shiftRight; + var safeAdd; + var bytesPerBlock; + var currentMessageIndex; + + bytesPerBlock = 512/8; + rotateRight = Clipperz.Crypto.SHA.rotateRight; + shiftRight = Clipperz.Crypto.SHA.shiftRight; + safeAdd = Clipperz.Crypto.SHA.safeAdd; + + charBits = 8; + + h0 = 0x6a09e667; + h1 = 0xbb67ae85; + h2 = 0x3c6ef372; + h3 = 0xa54ff53a; + h4 = 0x510e527f; + h5 = 0x9b05688c; + h6 = 0x1f83d9ab; + h7 = 0x5be0cd19; + + k = [ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]; + + message = aValue; + messageLength = message.length; + + //Pre-processing: + message.push(0x80); // append a single "1" bit to message + + _c = (512 - (((messageLength + 1) * charBits) % 512) - 64) / charBits; + if (_c < 0) { + _c = _c + (512 / charBits); + } + + for (_i=0; _i<_c; _i++) { + message.push(0x00); // append "0" bits until message length ≡ 448 ≡ -64 (mod 512) + } + + messageLengthInBits = messageLength * charBits; + message.push(0x00); // the 4 most high byte are alway 0 as message length is represented with a 32bit value; + message.push(0x00); + message.push(0x00); + message.push(0x00); + message.push((messageLengthInBits >> 24) & 0xff); + message.push((messageLengthInBits >> 16) & 0xff); + message.push((messageLengthInBits >> 8) & 0xff); + message.push( messageLengthInBits & 0xff); + + currentMessageIndex = 0; + while(currentMessageIndex < message.length) { + var w; + var a, b, c, d, e, f, g, h; + + w = Array(64); + + _c = 16; + for (_i=0; _i<_c; _i++) { + var _j; + + _j = currentMessageIndex + _i*4; + w[_i] = (message[_j] << 24) | (message[_j + 1] << 16) | (message[_j + 2] << 8) | (message[_j + 3] << 0); + } + + _c = 64; + for (_i=16; _i<_c; _i++) { + var s0, s1; + + s0 = (rotateRight(w[_i-15], 7)) ^ (rotateRight(w[_i-15], 18)) ^ (shiftRight(w[_i-15], 3)); + s1 = (rotateRight(w[_i-2], 17)) ^ (rotateRight(w[_i-2], 19)) ^ (shiftRight(w[_i-2], 10)); + w[_i] = safeAdd(w[_i-16], s0, w[_i-7], s1); + } + + a=h0; b=h1; c=h2; d=h3; e=h4; f=h5; g=h6; h=h7; + + _c = 64; + for (_i=0; _i<_c; _i++) { + var s0, s1, ch, maj, t1, t2; + + s0 = (rotateRight(a, 2)) ^ (rotateRight(a, 13)) ^ (rotateRight(a, 22)); + maj = (a & b) ^ (a & c) ^ (b & c); + t2 = safeAdd(s0, maj); + s1 = (rotateRight(e, 6)) ^ (rotateRight(e, 11)) ^ (rotateRight(e, 25)); + ch = (e & f) ^ ((~e) & g); + t1 = safeAdd(h, s1, ch, k[_i], w[_i]); + + h = g; + g = f; + f = e; + e = safeAdd(d, t1); + d = c; + c = b; + b = a; + a = safeAdd(t1, t2); + } + + h0 = safeAdd(h0, a); + h1 = safeAdd(h1, b); + h2 = safeAdd(h2, c); + h3 = safeAdd(h3, d); + h4 = safeAdd(h4, e); + h5 = safeAdd(h5, f); + h6 = safeAdd(h6, g); + h7 = safeAdd(h7, h); + + currentMessageIndex += bytesPerBlock; + } + + result = new Array(256/8); + result[0] = (h0 >> 24) & 0xff; + result[1] = (h0 >> 16) & 0xff; + result[2] = (h0 >> 8) & 0xff; + result[3] = h0 & 0xff; + + result[4] = (h1 >> 24) & 0xff; + result[5] = (h1 >> 16) & 0xff; + result[6] = (h1 >> 8) & 0xff; + result[7] = h1 & 0xff; + + result[8] = (h2 >> 24) & 0xff; + result[9] = (h2 >> 16) & 0xff; + result[10] = (h2 >> 8) & 0xff; + result[11] = h2 & 0xff; + + result[12] = (h3 >> 24) & 0xff; + result[13] = (h3 >> 16) & 0xff; + result[14] = (h3 >> 8) & 0xff; + result[15] = h3 & 0xff; + + result[16] = (h4 >> 24) & 0xff; + result[17] = (h4 >> 16) & 0xff; + result[18] = (h4 >> 8) & 0xff; + result[19] = h4 & 0xff; + + result[20] = (h5 >> 24) & 0xff; + result[21] = (h5 >> 16) & 0xff; + result[22] = (h5 >> 8) & 0xff; + result[23] = h5 & 0xff; + + result[24] = (h6 >> 24) & 0xff; + result[25] = (h6 >> 16) & 0xff; + result[26] = (h6 >> 8) & 0xff; + result[27] = h6 & 0xff; + + result[28] = (h7 >> 24) & 0xff; + result[29] = (h7 >> 16) & 0xff; + result[30] = (h7 >> 8) & 0xff; + result[31] = h7 & 0xff; + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.sha256_array"); + return result; + }, + + //----------------------------------------------------------------------------- + + 'sha256': function(aValue) { +//Clipperz.Profile.start("Clipperz.Crypto.SHA.sha256"); + var result; + var resultArray; + var valueArray; + + valueArray = aValue.arrayValues(); + resultArray = Clipperz.Crypto.SHA.sha256_array(valueArray); + + result = new Clipperz.ByteArray(resultArray); + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.sha256"); + return result; + }, + + //----------------------------------------------------------------------------- + + 'sha_d256': function(aValue) { +//Clipperz.Profile.start("Clipperz.Crypto.SHA.sha_d256"); + var result; + var resultArray; + var valueArray; + + valueArray = aValue.arrayValues(); + resultArray = Clipperz.Crypto.SHA.sha256_array(valueArray); + resultArray = Clipperz.Crypto.SHA.sha256_array(resultArray); + + result = new Clipperz.ByteArray(resultArray); + +//Clipperz.Profile.stop("Clipperz.Crypto.SHA.sha256"); + return result; + }, + + //----------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); diff --git a/frontend/delta/js/Clipperz/Crypto/SRP.js b/frontend/delta/js/Clipperz/Crypto/SRP.js new file mode 100644 index 0000000..597e72d --- a/dev/null +++ b/frontend/delta/js/Clipperz/Crypto/SRP.js @@ -0,0 +1,316 @@ +/* + +Copyright 2008-2013 Clipperz Srl + +This file is part of Clipperz, the online password manager. +For further information about its features and functionalities please +refer to http://www.clipperz.com. + +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU Affero General Public License for more details. + +* You should have received a copy of the GNU Affero General Public + License along with Clipperz. If not, see http://www.gnu.org/licenses/. + +*/ + +try { if (typeof(Clipperz.ByteArray) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.PRNG depends on Clipperz.ByteArray!"; +} + +try { if (typeof(Clipperz.Crypto.BigInt) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.SRP depends on Clipperz.Crypto.BigInt!"; +} + +try { if (typeof(Clipperz.Crypto.PRNG) == 'undefined') { throw ""; }} catch (e) { + throw "Clipperz.Crypto.SRP depends on Clipperz.Crypto.PRNG!"; +} + +if (typeof(Clipperz.Crypto.SRP) == 'undefined') { Clipperz.Crypto.SRP = {}; } + +Clipperz.Crypto.SRP.VERSION = "0.1"; +Clipperz.Crypto.SRP.NAME = "Clipperz.Crypto.SRP"; + +//############################################################################# + +MochiKit.Base.update(Clipperz.Crypto.SRP, { + + '_n': null, + '_g': null, + //------------------------------------------------------------------------- + + 'n': function() { + if (Clipperz.Crypto.SRP._n == null) { + Clipperz.Crypto.SRP._n = new Clipperz.Crypto.BigInt("115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3", 16); + } + + return Clipperz.Crypto.SRP._n; + }, + + //------------------------------------------------------------------------- + + 'g': function() { + if (Clipperz.Crypto.SRP._g == null) { + Clipperz.Crypto.SRP._g = new Clipperz.Crypto.BigInt(2); // eventually 5 (as suggested on the Diffi-Helmann documentation) + } + + return Clipperz.Crypto.SRP._g; + }, + + //----------------------------------------------------------------------------- + + 'exception': { + 'InvalidValue': new MochiKit.Base.NamedError("Clipperz.Crypto.SRP.exception.InvalidValue") + }, + + //------------------------------------------------------------------------- + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# +// +// S R P C o n n e c t i o n version 1.0 +// +//============================================================================= +Clipperz.Crypto.SRP.Connection = function (args) { + args = args || {}; + + this._C = args.C; + this._P = args.P; + this.hash = args.hash; + + this._a = null; + this._A = null; + + this._s = null; + this._B = null; + + this._x = null; + + this._u = null; + this._K = null; + this._M1 = null; + this._M2 = null; + + this._sessionKey = null; + + return this; +} + +Clipperz.Crypto.SRP.Connection.prototype = MochiKit.Base.update(null, { + + 'toString': function () { + return "Clipperz.Crypto.SRP.Connection (username: " + this.username() + "). Status: " + this.statusDescription(); + }, + + //------------------------------------------------------------------------- + + 'C': function () { + return this._C; + }, + + //------------------------------------------------------------------------- + + 'P': function () { + return this._P; + }, + + //------------------------------------------------------------------------- + + 'a': function () { + if (this._a == null) { + this._a = new Clipperz.Crypto.BigInt(Clipperz.Crypto.PRNG.defaultRandomGenerator().getRandomBytes(32).toHexString().substring(2), 16); +// this._a = new Clipperz.Crypto.BigInt("37532428169486597638072888476611365392249575518156687476805936694442691012367", 10); + } + + return this._a; + }, + + //------------------------------------------------------------------------- + + 'A': function () { + if (this._A == null) { + // Warning: this value should be strictly greater than zero: how should we perform this check? + this._A = Clipperz.Crypto.SRP.g().powerModule(this.a(), Clipperz.Crypto.SRP.n()); + + if (this._A.equals(0)) { + Clipperz.logError("Clipperz.Crypto.SRP.Connection: trying to set 'A' to 0."); + throw Clipperz.Crypto.SRP.exception.InvalidValue; + } + } + + return this._A; + }, + + //------------------------------------------------------------------------- + + 's': function () { + return this._s; + }, + + 'set_s': function(aValue) { + this._s = aValue; + }, + + //------------------------------------------------------------------------- + + 'B': function () { + return this._B; + }, + + 'set_B': function(aValue) { + // Warning: this value should be strictly greater than zero: how should we perform this check? + if (! aValue.equals(0)) { + this._B = aValue; + } else { + Clipperz.logError("Clipperz.Crypto.SRP.Connection: trying to set 'B' to 0."); + throw Clipperz.Crypto.SRP.exception.InvalidValue; + } + }, + + //------------------------------------------------------------------------- + + 'x': function () { + if (this._x == null) { + this._x = new Clipperz.Crypto.BigInt(this.stringHash(this.s().asString(16, 64) + this.P()), 16); + } + + return this._x; + }, + + //------------------------------------------------------------------------- + + 'u': function () { + if (this._u == null) { + this._u = new Clipperz.Crypto.BigInt(this.stringHash(this.B().asString()), 16); + } + + return this._u; + }, + + //------------------------------------------------------------------------- + + 'S': function () { + if (this._S == null) { + var bigint; + var srp; + + bigint = Clipperz.Crypto.BigInt; + srp = Clipperz.Crypto.SRP; + + this._S = bigint.powerModule( + bigint.subtract(this.B(), bigint.powerModule(srp.g(), this.x(), srp.n())), + bigint.add(this.a(), bigint.multiply(this.u(), this.x())), + srp.n() + ) + } + + return this._S; + }, + + //------------------------------------------------------------------------- + + 'K': function () { + if (this._K == null) { + this._K = this.stringHash(this.S().asString()); + } + + return this._K; + }, + + //------------------------------------------------------------------------- + + 'M1': function () { + if (this._M1 == null) { + this._M1 = this.stringHash(this.A().asString(10) + this.B().asString(10) + this.K()); + } + + return this._M1; + }, + + //------------------------------------------------------------------------- + + 'M2': function () { + if (this._M2 == null) { + this._M2 = this.stringHash(this.A().asString(10) + this.M1() + this.K()); + } + + return this._M2; + }, + + //========================================================================= + + 'serverSideCredentialsWithSalt': function(aSalt) { + var result; + var s, x, v; + + s = aSalt; + x = this.stringHash(s + this.P()); + v = Clipperz.Crypto.SRP.g().powerModule(new Clipperz.Crypto.BigInt(x, 16), Clipperz.Crypto.SRP.n()); + + result = {}; + result['C'] = this.C(); + result['s'] = s; + result['v'] = v.asString(16); + + return result; + }, + + 'serverSideCredentials': function() { + var result; + var s; + + s = Clipperz.Crypto.PRNG.defaultRandomGenerator().getRandomBytes(32).toHexString().substring(2); + + result = this.serverSideCredentialsWithSalt(s); + + return result; + }, + + //========================================================================= +/* + 'computeServerSide_S': function(b) { + var result; + var v; + var bigint; + var srp; + + bigint = Clipperz.Crypto.BigInt; + srp = Clipperz.Crypto.SRP; + + v = new Clipperz.Crypto.BigInt(srpConnection.serverSideCredentialsWithSalt(this.s().asString(16, 64)).v, 16); +// _S = (this.A().multiply(this.v().modPow(this.u(), this.n()))).modPow(this.b(), this.n()); + result = bigint.powerModule( + bigint.multiply( + this.A(), + bigint.powerModule(v, this.u(), srp.n()) + ), new Clipperz.Crypto.BigInt(b, 10), srp.n() + ); + + return result; + }, +*/ + //========================================================================= + + 'stringHash': function(aValue) { + var result; + + result = this.hash(new Clipperz.ByteArray(aValue)).toHexString().substring(2); + + return result; + }, + + //========================================================================= + __syntaxFix__: "syntax fix" + +}); + +//############################################################################# -- cgit v0.9.0.2