123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222 |
- "use strict";
- /**
- * @fileOverview
- * Core operations on curve 25519 required for the higher level modules.
- */
- /*
- * Copyright (c) 2007, 2013, 2014 Michele Bini
- * Copyright (c) 2014 Mega Limited
- * under the MIT License.
- *
- * Authors: Guy K. Kloss, Michele Bini
- *
- * You should have received a copy of the license along with this program.
- */
- var core = require('./core');
- var utils = require('./utils');
- /**
- * @exports jodid25519/curve255
- * Legacy compatibility module for Michele Bini's previous curve255.js.
- *
- * @description
- * Legacy compatibility module for Michele Bini's previous curve255.js.
- *
- * <p>
- * This code presents an API with all key formats as previously available
- * from Michele Bini's curve255.js implementation.
- * </p>
- */
- var ns = {};
- function curve25519_raw(f, c) {
- var a, x_1, q;
- x_1 = c;
- a = core.dbl(x_1, core.ONE());
- q = [x_1, core.ONE()];
- var n = 255;
- while (core.getbit(f, n) == 0) {
- n--;
- // For correct constant-time operation, bit 255 should always be
- // set to 1 so the following 'while' loop is never entered.
- if (n < 0) {
- return core.ZERO();
- }
- }
- n--;
- var aq = [a, q];
- while (n >= 0) {
- var r, s;
- var b = core.getbit(f, n);
- r = core.sum(aq[0][0], aq[0][1], aq[1][0], aq[1][1], x_1);
- s = core.dbl(aq[1 - b][0], aq[1 - b][1]);
- aq[1 - b] = s;
- aq[b] = r;
- n--;
- }
- q = aq[1];
- q[1] = core.invmodp(q[1]);
- q[0] = core.mulmodp(q[0], q[1]);
- core.reduce(q[0]);
- return q[0];
- }
- function curve25519b32(a, b) {
- return _base32encode(curve25519(_base32decode(a),
- _base32decode(b)));
- }
- function curve25519(f, c) {
- if (!c) {
- c = core.BASE();
- }
- f[0] &= 0xFFF8;
- f[15] = (f[15] & 0x7FFF) | 0x4000;
- return curve25519_raw(f, c);
- }
- function _hexEncodeVector(k) {
- var hexKey = utils.hexEncode(k);
- // Pad with '0' at the front.
- hexKey = new Array(64 + 1 - hexKey.length).join('0') + hexKey;
- // Invert bytes.
- return hexKey.split(/(..)/).reverse().join('');
- }
- function _hexDecodeVector(v) {
- // assert(length(x) == 64);
- // Invert bytes.
- var hexKey = v.split(/(..)/).reverse().join('');
- return utils.hexDecode(hexKey);
- }
- // Expose some functions to the outside through this name space.
- /**
- * Computes the scalar product of a point on the curve 25519.
- *
- * This function is used for the DH key-exchange protocol.
- *
- * Before multiplication, some bit operations are applied to the
- * private key to ensure it is a valid Curve25519 secret key.
- * It is the user's responsibility to make sure that the private
- * key is a uniformly random, secret value.
- *
- * @function
- * @param f {array}
- * Private key.
- * @param c {array}
- * Public point on the curve. If not given, the curve's base point is used.
- * @returns {array}
- * Key point resulting from scalar product.
- */
- ns.curve25519 = curve25519;
- /**
- * Computes the scalar product of a point on the curve 25519.
- *
- * This variant does not make sure that the private key is valid.
- * The user has the responsibility to ensure the private key is
- * valid or that this results in a safe protocol. Unless you know
- * exactly what you are doing, you should not use this variant,
- * please use 'curve25519' instead.
- *
- * @function
- * @param f {array}
- * Private key.
- * @param c {array}
- * Public point on the curve. If not given, the curve's base point is used.
- * @returns {array}
- * Key point resulting from scalar product.
- */
- ns.curve25519_raw = curve25519_raw;
- /**
- * Encodes the internal representation of a key to a canonical hex
- * representation.
- *
- * This is the format commonly used in other libraries and for
- * test vectors, and is equivalent to the hex dump of the key in
- * little-endian binary format.
- *
- * @function
- * @param n {array}
- * Array representation of key.
- * @returns {string}
- * Hexadecimal string representation of key.
- */
- ns.hexEncodeVector = _hexEncodeVector;
- /**
- * Decodes a canonical hex representation of a key
- * to an internally compatible array representation.
- *
- * @function
- * @param n {string}
- * Hexadecimal string representation of key.
- * @returns {array}
- * Array representation of key.
- */
- ns.hexDecodeVector = _hexDecodeVector;
- /**
- * Encodes the internal representation of a key into a
- * hexadecimal representation.
- *
- * This is a strict positional notation, most significant digit first.
- *
- * @function
- * @param n {array}
- * Array representation of key.
- * @returns {string}
- * Hexadecimal string representation of key.
- */
- ns.hexencode = utils.hexEncode;
- /**
- * Decodes a hex representation of a key to an internally
- * compatible array representation.
- *
- * @function
- * @param n {string}
- * Hexadecimal string representation of key.
- * @returns {array}
- * Array representation of key.
- */
- ns.hexdecode = utils.hexDecode;
- /**
- * Encodes the internal representation of a key to a base32
- * representation.
- *
- * @function
- * @param n {array}
- * Array representation of key.
- * @returns {string}
- * Base32 string representation of key.
- */
- ns.base32encode = utils.base32encode;
- /**
- * Decodes a base32 representation of a key to an internally
- * compatible array representation.
- *
- * @function
- * @param n {string}
- * Base32 string representation of key.
- * @returns {array}
- * Array representation of key.
- */
- ns.base32decode = utils.base32decode;
- module.exports = ns;
|