@ray-js/wechat-tycrypto 0.0.1-beta-1

package/index..js

@@ -0,0 +1,1751 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+class IllegalStateError extends Error {
+  constructor(...args) {
+    super(...args);
+  }
+
+}
+class IllegalArgumentError extends Error {
+  constructor(...args) {
+    super(...args);
+  }
+
+}
+class SecurityError extends Error {
+  constructor(...args) {
+    super(...args);
+  }
+
+}
+
+function is_bytes(a) {
+  return a instanceof Uint8Array;
+}
+function _heap_init(heap, heapSize) {
+  const size = heap ? heap.byteLength : heapSize || 65536;
+  if (size & 0xfff || size <= 0) throw new Error('heap size must be a positive integer and a multiple of 4096');
+  heap = heap || new Uint8Array(new ArrayBuffer(size));
+  return heap;
+}
+function _heap_write(heap, hpos, data, dpos, dlen) {
+  const hlen = heap.length - hpos;
+  const wlen = hlen < dlen ? hlen : dlen;
+  heap.set(data.subarray(dpos, dpos + wlen), hpos);
+  return wlen;
+}
+function joinBytes(...arg) {
+  const totalLenght = arg.reduce((sum, curr) => sum + curr.length, 0);
+  const ret = new Uint8Array(totalLenght);
+  let cursor = 0;
+
+  for (let i = 0; i < arg.length; i++) {
+    ret.set(arg[i], cursor);
+    cursor += arg[i].length;
+  }
+
+  return ret;
+}
+
+/**
+ * @file {@link http://asmjs.org Asm.js} implementation of the {@link https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard}.
+ * @author Artem S Vybornov <vybornov@gmail.com>
+ * @license MIT
+ */
+
+/**
+ * Galois Field stuff init flag
+ */
+let ginit_done = false;
+/**
+ * Galois Field exponentiation and logarithm tables for 3 (the generator)
+ */
+
+let gexp3;
+let glog3;
+/**
+ * Init Galois Field tables
+ */
+
+function ginit() {
+  gexp3 = [];
+  glog3 = [];
+  let a = 1,
+      c,
+      d;
+
+  for (c = 0; c < 255; c++) {
+    gexp3[c] = a; // Multiply by three
+
+    d = a & 0x80, a <<= 1, a &= 255;
+    if (d === 0x80) a ^= 0x1b;
+    a ^= gexp3[c]; // Set the log table value
+
+    glog3[gexp3[c]] = c;
+  }
+
+  gexp3[255] = gexp3[0];
+  glog3[0] = 0;
+  ginit_done = true;
+}
+/**
+ * Galois Field multiplication
+ * @param {number} a
+ * @param {number} b
+ * @return {number}
+ */
+
+
+function gmul(a, b) {
+  let c = gexp3[(glog3[a] + glog3[b]) % 255];
+  if (a === 0 || b === 0) c = 0;
+  return c;
+}
+/**
+ * Galois Field reciprocal
+ * @param {number} a
+ * @return {number}
+ */
+
+
+function ginv(a) {
+  let i = gexp3[255 - glog3[a]];
+  if (a === 0) i = 0;
+  return i;
+}
+/**
+ * AES stuff init flag
+ */
+
+
+let aes_init_done = false;
+/**
+ * Encryption, Decryption, S-Box and KeyTransform tables
+ *
+ * @type {number[]}
+ */
+
+let aes_sbox;
+/**
+ * @type {number[]}
+ */
+
+let aes_sinv;
+/**
+ * @type {number[][]}
+ */
+
+let aes_enc;
+/**
+ * @type {number[][]}
+ */
+
+let aes_dec;
+/**
+ * Init AES tables
+ */
+
+function aes_init() {
+  if (!ginit_done) ginit(); // Calculates AES S-Box value
+
+  function _s(a) {
+    let c, s, x;
+    s = x = ginv(a);
+
+    for (c = 0; c < 4; c++) {
+      s = (s << 1 | s >>> 7) & 255;
+      x ^= s;
+    }
+
+    x ^= 99;
+    return x;
+  } // Tables
+
+
+  aes_sbox = [], aes_sinv = [], aes_enc = [[], [], [], []], aes_dec = [[], [], [], []];
+
+  for (let i = 0; i < 256; i++) {
+    const s = _s(i); // S-Box and its inverse
+
+
+    aes_sbox[i] = s;
+    aes_sinv[s] = i; // Ecryption and Decryption tables
+
+    aes_enc[0][i] = gmul(2, s) << 24 | s << 16 | s << 8 | gmul(3, s);
+    aes_dec[0][s] = gmul(14, i) << 24 | gmul(9, i) << 16 | gmul(13, i) << 8 | gmul(11, i); // Rotate tables
+
+    for (let t = 1; t < 4; t++) {
+      aes_enc[t][i] = aes_enc[t - 1][i] >>> 8 | aes_enc[t - 1][i] << 24;
+      aes_dec[t][s] = aes_dec[t - 1][s] >>> 8 | aes_dec[t - 1][s] << 24;
+    }
+  }
+
+  aes_init_done = true;
+}
+/**
+ * Asm.js module constructor.
+ *
+ * <p>
+ * Heap buffer layout by offset:
+ * <pre>
+ * 0x0000   encryption key schedule
+ * 0x0400   decryption key schedule
+ * 0x0800   sbox
+ * 0x0c00   inv sbox
+ * 0x1000   encryption tables
+ * 0x2000   decryption tables
+ * 0x3000   reserved (future GCM multiplication lookup table)
+ * 0x4000   data
+ * </pre>
+ * Don't touch anything before <code>0x400</code>.
+ * </p>
+ *
+ * @alias AES_asm
+ * @class
+ * @param foreign - <i>ignored</i>
+ * @param buffer - heap buffer to link with
+ */
+
+
+const wrapper = function wrapper(foreign, buffer) {
+  // Init AES stuff for the first time
+  if (!aes_init_done) aes_init(); // Fill up AES tables
+
+  const heap = new Uint32Array(buffer);
+  heap.set(aes_sbox, 0x0800 >> 2);
+  heap.set(aes_sinv, 0x0c00 >> 2);
+
+  for (let i = 0; i < 4; i++) {
+    heap.set(aes_enc[i], 0x1000 + 0x400 * i >> 2);
+    heap.set(aes_dec[i], 0x2000 + 0x400 * i >> 2);
+  }
+  /**
+   * Calculate AES key schedules.
+   * @instance
+   * @memberof AES_asm
+   * @param {number} ks - key size, 4/6/8 (for 128/192/256-bit key correspondingly)
+   * @param {number} k0 - key vector components
+   * @param {number} k1 - key vector components
+   * @param {number} k2 - key vector components
+   * @param {number} k3 - key vector components
+   * @param {number} k4 - key vector components
+   * @param {number} k5 - key vector components
+   * @param {number} k6 - key vector components
+   * @param {number} k7 - key vector components
+   */
+
+
+  function set_key(ks, k0, k1, k2, k3, k4, k5, k6, k7) {
+    const ekeys = heap.subarray(0x000, 60),
+          dkeys = heap.subarray(0x100, 0x100 + 60); // Encryption key schedule
+
+    ekeys.set([k0, k1, k2, k3, k4, k5, k6, k7]);
+    let i = ks;
+
+    for (let rcon = 1; i < 4 * ks + 28; i++) {
+      let k = ekeys[i - 1];
+
+      if (i % ks === 0 || ks === 8 && i % ks === 4) {
+        k = aes_sbox[k >>> 24] << 24 ^ aes_sbox[k >>> 16 & 255] << 16 ^ aes_sbox[k >>> 8 & 255] << 8 ^ aes_sbox[k & 255];
+      }
+
+      if (i % ks === 0) {
+        k = k << 8 ^ k >>> 24 ^ rcon << 24;
+        rcon = rcon << 1 ^ (rcon & 0x80 ? 0x1b : 0);
+      }
+
+      ekeys[i] = ekeys[i - ks] ^ k;
+    } // Decryption key schedule
+
+
+    for (let j = 0; j < i; j += 4) {
+      for (let jj = 0; jj < 4; jj++) {
+        const kk = ekeys[i - (4 + j) + (4 - jj) % 4];
+
+        if (j < 4 || j >= i - 4) {
+          dkeys[j + jj] = kk;
+        } else {
+          dkeys[j + jj] = aes_dec[0][aes_sbox[kk >>> 24]] ^ aes_dec[1][aes_sbox[kk >>> 16 & 255]] ^ aes_dec[2][aes_sbox[kk >>> 8 & 255]] ^ aes_dec[3][aes_sbox[kk & 255]];
+        }
+      }
+    } // Set rounds number
+
+
+    asm.set_rounds(ks + 5);
+  }
+
+  const asm = function (foreign, buffer) {
+    'use asm';
+
+    let S0 = 0,
+        S1 = 0,
+        S2 = 0,
+        S3 = 0,
+        I0 = 0,
+        I1 = 0,
+        I2 = 0,
+        I3 = 0,
+        N0 = 0,
+        N1 = 0,
+        N2 = 0,
+        N3 = 0,
+        M0 = 0,
+        M1 = 0,
+        M2 = 0,
+        M3 = 0,
+        H0 = 0,
+        H1 = 0,
+        H2 = 0,
+        H3 = 0,
+        R = 0;
+    const HEAP = new Uint32Array(buffer),
+          DATA = new Uint8Array(buffer);
+    /**
+     * AES core
+     * @param {number} k - precomputed key schedule offset
+     * @param {number} s - precomputed sbox table offset
+     * @param {number} t - precomputed round table offset
+     * @param {number} r - number of inner rounds to perform
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+    function _core(k, s, t, r, x0, x1, x2, x3) {
+      k = k | 0;
+      s = s | 0;
+      t = t | 0;
+      r = r | 0;
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+      let t1 = 0,
+          t2 = 0,
+          t3 = 0,
+          y0 = 0,
+          y1 = 0,
+          y2 = 0,
+          y3 = 0,
+          i = 0;
+      t1 = t | 0x400, t2 = t | 0x800, t3 = t | 0xc00; // round 0
+
+      x0 = x0 ^ HEAP[(k | 0) >> 2], x1 = x1 ^ HEAP[(k | 4) >> 2], x2 = x2 ^ HEAP[(k | 8) >> 2], x3 = x3 ^ HEAP[(k | 12) >> 2]; // round 1..r
+
+      for (i = 16; (i | 0) <= r << 4; i = i + 16 | 0) {
+        y0 = HEAP[(t | x0 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x1 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x2 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x3 << 2 & 1020) >> 2] ^ HEAP[(k | i | 0) >> 2], y1 = HEAP[(t | x1 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x2 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x3 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x0 << 2 & 1020) >> 2] ^ HEAP[(k | i | 4) >> 2], y2 = HEAP[(t | x2 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x3 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x0 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x1 << 2 & 1020) >> 2] ^ HEAP[(k | i | 8) >> 2], y3 = HEAP[(t | x3 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x0 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x1 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x2 << 2 & 1020) >> 2] ^ HEAP[(k | i | 12) >> 2];
+        x0 = y0, x1 = y1, x2 = y2, x3 = y3;
+      } // final round
+
+
+      S0 = HEAP[(s | x0 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x1 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x2 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x3 << 2 & 1020) >> 2] ^ HEAP[(k | i | 0) >> 2], S1 = HEAP[(s | x1 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x2 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x3 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x0 << 2 & 1020) >> 2] ^ HEAP[(k | i | 4) >> 2], S2 = HEAP[(s | x2 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x3 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x0 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x1 << 2 & 1020) >> 2] ^ HEAP[(k | i | 8) >> 2], S3 = HEAP[(s | x3 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x0 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x1 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x2 << 2 & 1020) >> 2] ^ HEAP[(k | i | 12) >> 2];
+    }
+    /**
+     * ECB mode encryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _ecb_enc(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, x0, x1, x2, x3);
+    }
+    /**
+     * ECB mode decryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _ecb_dec(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+      let t = 0;
+
+      _core(0x0400, 0x0c00, 0x2000, R, x0, x3, x2, x1);
+
+      t = S1, S1 = S3, S3 = t;
+    }
+    /**
+     * CBC mode encryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _cbc_enc(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, I0 ^ x0, I1 ^ x1, I2 ^ x2, I3 ^ x3);
+
+      I0 = S0, I1 = S1, I2 = S2, I3 = S3;
+    }
+    /**
+     * CBC mode decryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _cbc_dec(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+      let t = 0;
+
+      _core(0x0400, 0x0c00, 0x2000, R, x0, x3, x2, x1);
+
+      t = S1, S1 = S3, S3 = t;
+      S0 = S0 ^ I0, S1 = S1 ^ I1, S2 = S2 ^ I2, S3 = S3 ^ I3;
+      I0 = x0, I1 = x1, I2 = x2, I3 = x3;
+    }
+    /**
+     * CFB mode encryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _cfb_enc(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, I0, I1, I2, I3);
+
+      I0 = S0 = S0 ^ x0, I1 = S1 = S1 ^ x1, I2 = S2 = S2 ^ x2, I3 = S3 = S3 ^ x3;
+    }
+    /**
+     * CFB mode decryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _cfb_dec(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, I0, I1, I2, I3);
+
+      S0 = S0 ^ x0, S1 = S1 ^ x1, S2 = S2 ^ x2, S3 = S3 ^ x3;
+      I0 = x0, I1 = x1, I2 = x2, I3 = x3;
+    }
+    /**
+     * OFB mode encryption / decryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _ofb(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, I0, I1, I2, I3);
+
+      I0 = S0, I1 = S1, I2 = S2, I3 = S3;
+      S0 = S0 ^ x0, S1 = S1 ^ x1, S2 = S2 ^ x2, S3 = S3 ^ x3;
+    }
+    /**
+     * CTR mode encryption / decryption
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _ctr(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+
+      _core(0x0000, 0x0800, 0x1000, R, N0, N1, N2, N3);
+
+      N3 = ~M3 & N3 | M3 & N3 + 1;
+      N2 = ~M2 & N2 | M2 & N2 + Number((N3 | 0) === 0);
+      N1 = ~M1 & N1 | M1 & N1 + Number((N2 | 0) === 0);
+      N0 = ~M0 & N0 | M0 & N0 + Number((N1 | 0) === 0);
+      S0 = S0 ^ x0;
+      S1 = S1 ^ x1;
+      S2 = S2 ^ x2;
+      S3 = S3 ^ x3;
+    }
+    /**
+     * GCM mode MAC calculation
+     * @param {number} x0 - 128-bit input block vector
+     * @param {number} x1 - 128-bit input block vector
+     * @param {number} x2 - 128-bit input block vector
+     * @param {number} x3 - 128-bit input block vector
+     */
+
+
+    function _gcm_mac(x0, x1, x2, x3) {
+      x0 = x0 | 0;
+      x1 = x1 | 0;
+      x2 = x2 | 0;
+      x3 = x3 | 0;
+      let y0 = 0,
+          y1 = 0,
+          y2 = 0,
+          y3 = 0,
+          z0 = 0,
+          z1 = 0,
+          z2 = 0,
+          z3 = 0,
+          i = 0,
+          c = 0;
+      x0 = x0 ^ I0, x1 = x1 ^ I1, x2 = x2 ^ I2, x3 = x3 ^ I3;
+      y0 = H0 | 0, y1 = H1 | 0, y2 = H2 | 0, y3 = H3 | 0;
+
+      for (; (i | 0) < 128; i = i + 1 | 0) {
+        if (y0 >>> 31) {
+          z0 = z0 ^ x0, z1 = z1 ^ x1, z2 = z2 ^ x2, z3 = z3 ^ x3;
+        }
+
+        y0 = y0 << 1 | y1 >>> 31, y1 = y1 << 1 | y2 >>> 31, y2 = y2 << 1 | y3 >>> 31, y3 = y3 << 1;
+        c = x3 & 1;
+        x3 = x3 >>> 1 | x2 << 31, x2 = x2 >>> 1 | x1 << 31, x1 = x1 >>> 1 | x0 << 31, x0 = x0 >>> 1;
+        if (c) x0 = x0 ^ 0xe1000000;
+      }
+
+      I0 = z0, I1 = z1, I2 = z2, I3 = z3;
+    }
+    /**
+     * Set the internal rounds number.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} r - number if inner AES rounds
+     */
+
+
+    function set_rounds(r) {
+      r = r | 0;
+      R = r;
+    }
+    /**
+     * Populate the internal state of the module.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} s0 - state vector
+     * @param {number} s1 - state vector
+     * @param {number} s2 - state vector
+     * @param {number} s3 - state vector
+     */
+
+
+    function set_state(s0, s1, s2, s3) {
+      s0 = s0 | 0;
+      s1 = s1 | 0;
+      s2 = s2 | 0;
+      s3 = s3 | 0;
+      S0 = s0, S1 = s1, S2 = s2, S3 = s3;
+    }
+    /**
+     * Populate the internal iv of the module.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} i0 - iv vector
+     * @param {number} i1 - iv vector
+     * @param {number} i2 - iv vector
+     * @param {number} i3 - iv vector
+     */
+
+
+    function set_iv(i0, i1, i2, i3) {
+      i0 = i0 | 0;
+      i1 = i1 | 0;
+      i2 = i2 | 0;
+      i3 = i3 | 0;
+      I0 = i0, I1 = i1, I2 = i2, I3 = i3;
+    }
+    /**
+     * Set nonce for CTR-family modes.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} n0 - nonce vector
+     * @param {number} n1 - nonce vector
+     * @param {number} n2 - nonce vector
+     * @param {number} n3 - nonce vector
+     */
+
+
+    function set_nonce(n0, n1, n2, n3) {
+      n0 = n0 | 0;
+      n1 = n1 | 0;
+      n2 = n2 | 0;
+      n3 = n3 | 0;
+      N0 = n0, N1 = n1, N2 = n2, N3 = n3;
+    }
+    /**
+     * Set counter mask for CTR-family modes.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} m0 - counter mask vector
+     * @param {number} m1 - counter mask vector
+     * @param {number} m2 - counter mask vector
+     * @param {number} m3 - counter mask vector
+     */
+
+
+    function set_mask(m0, m1, m2, m3) {
+      m0 = m0 | 0;
+      m1 = m1 | 0;
+      m2 = m2 | 0;
+      m3 = m3 | 0;
+      M0 = m0, M1 = m1, M2 = m2, M3 = m3;
+    }
+    /**
+     * Set counter for CTR-family modes.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} c0 - counter vector
+     * @param {number} c1 - counter vector
+     * @param {number} c2 - counter vector
+     * @param {number} c3 - counter vector
+     */
+
+
+    function set_counter(c0, c1, c2, c3) {
+      c0 = c0 | 0;
+      c1 = c1 | 0;
+      c2 = c2 | 0;
+      c3 = c3 | 0;
+      N3 = ~M3 & N3 | M3 & c3, N2 = ~M2 & N2 | M2 & c2, N1 = ~M1 & N1 | M1 & c1, N0 = ~M0 & N0 | M0 & c0;
+    }
+    /**
+     * Store the internal state vector into the heap.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} pos - offset where to put the data
+     * @return {number} The number of bytes have been written into the heap, always 16.
+     */
+
+
+    function get_state(pos) {
+      pos = pos | 0;
+      if (pos & 15) return -1;
+      DATA[pos | 0] = S0 >>> 24, DATA[pos | 1] = S0 >>> 16 & 255, DATA[pos | 2] = S0 >>> 8 & 255, DATA[pos | 3] = S0 & 255, DATA[pos | 4] = S1 >>> 24, DATA[pos | 5] = S1 >>> 16 & 255, DATA[pos | 6] = S1 >>> 8 & 255, DATA[pos | 7] = S1 & 255, DATA[pos | 8] = S2 >>> 24, DATA[pos | 9] = S2 >>> 16 & 255, DATA[pos | 10] = S2 >>> 8 & 255, DATA[pos | 11] = S2 & 255, DATA[pos | 12] = S3 >>> 24, DATA[pos | 13] = S3 >>> 16 & 255, DATA[pos | 14] = S3 >>> 8 & 255, DATA[pos | 15] = S3 & 255;
+      return 16;
+    }
+    /**
+     * Store the internal iv vector into the heap.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} pos - offset where to put the data
+     * @return {number} The number of bytes have been written into the heap, always 16.
+     */
+
+
+    function get_iv(pos) {
+      pos = pos | 0;
+      if (pos & 15) return -1;
+      DATA[pos | 0] = I0 >>> 24, DATA[pos | 1] = I0 >>> 16 & 255, DATA[pos | 2] = I0 >>> 8 & 255, DATA[pos | 3] = I0 & 255, DATA[pos | 4] = I1 >>> 24, DATA[pos | 5] = I1 >>> 16 & 255, DATA[pos | 6] = I1 >>> 8 & 255, DATA[pos | 7] = I1 & 255, DATA[pos | 8] = I2 >>> 24, DATA[pos | 9] = I2 >>> 16 & 255, DATA[pos | 10] = I2 >>> 8 & 255, DATA[pos | 11] = I2 & 255, DATA[pos | 12] = I3 >>> 24, DATA[pos | 13] = I3 >>> 16 & 255, DATA[pos | 14] = I3 >>> 8 & 255, DATA[pos | 15] = I3 & 255;
+      return 16;
+    }
+    /**
+     * GCM initialization.
+     * @instance
+     * @memberof AES_asm
+     */
+
+
+    function gcm_init() {
+      _ecb_enc(0, 0, 0, 0);
+
+      H0 = S0, H1 = S1, H2 = S2, H3 = S3;
+    }
+    /**
+     * Perform ciphering operation on the supplied data.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} mode - block cipher mode (see {@link AES_asm} mode constants)
+     * @param {number} pos - offset of the data being processed
+     * @param {number} len - length of the data being processed
+     * @return {number} Actual amount of data have been processed.
+     */
+
+
+    function cipher(mode, pos, len) {
+      mode = mode | 0;
+      pos = pos | 0;
+      len = len | 0;
+      let ret = 0;
+      if (pos & 15) return -1;
+
+      while ((len | 0) >= 16) {
+        _cipher_modes[mode & 7](DATA[pos | 0] << 24 | DATA[pos | 1] << 16 | DATA[pos | 2] << 8 | DATA[pos | 3], DATA[pos | 4] << 24 | DATA[pos | 5] << 16 | DATA[pos | 6] << 8 | DATA[pos | 7], DATA[pos | 8] << 24 | DATA[pos | 9] << 16 | DATA[pos | 10] << 8 | DATA[pos | 11], DATA[pos | 12] << 24 | DATA[pos | 13] << 16 | DATA[pos | 14] << 8 | DATA[pos | 15]);
+
+        DATA[pos | 0] = S0 >>> 24, DATA[pos | 1] = S0 >>> 16 & 255, DATA[pos | 2] = S0 >>> 8 & 255, DATA[pos | 3] = S0 & 255, DATA[pos | 4] = S1 >>> 24, DATA[pos | 5] = S1 >>> 16 & 255, DATA[pos | 6] = S1 >>> 8 & 255, DATA[pos | 7] = S1 & 255, DATA[pos | 8] = S2 >>> 24, DATA[pos | 9] = S2 >>> 16 & 255, DATA[pos | 10] = S2 >>> 8 & 255, DATA[pos | 11] = S2 & 255, DATA[pos | 12] = S3 >>> 24, DATA[pos | 13] = S3 >>> 16 & 255, DATA[pos | 14] = S3 >>> 8 & 255, DATA[pos | 15] = S3 & 255;
+        ret = ret + 16 | 0, pos = pos + 16 | 0, len = len - 16 | 0;
+      }
+
+      return ret | 0;
+    }
+    /**
+     * Calculates MAC of the supplied data.
+     * @instance
+     * @memberof AES_asm
+     * @param {number} mode - block cipher mode (see {@link AES_asm} mode constants)
+     * @param {number} pos - offset of the data being processed
+     * @param {number} len - length of the data being processed
+     * @return {number} Actual amount of data have been processed.
+     */
+
+
+    function mac(mode, pos, len) {
+      mode = mode | 0;
+      pos = pos | 0;
+      len = len | 0;
+      let ret = 0;
+      if (pos & 15) return -1;
+
+      while ((len | 0) >= 16) {
+        _mac_modes[mode & 1](DATA[pos | 0] << 24 | DATA[pos | 1] << 16 | DATA[pos | 2] << 8 | DATA[pos | 3], DATA[pos | 4] << 24 | DATA[pos | 5] << 16 | DATA[pos | 6] << 8 | DATA[pos | 7], DATA[pos | 8] << 24 | DATA[pos | 9] << 16 | DATA[pos | 10] << 8 | DATA[pos | 11], DATA[pos | 12] << 24 | DATA[pos | 13] << 16 | DATA[pos | 14] << 8 | DATA[pos | 15]);
+
+        ret = ret + 16 | 0, pos = pos + 16 | 0, len = len - 16 | 0;
+      }
+
+      return ret | 0;
+    }
+    /**
+     * AES cipher modes table (virual methods)
+     */
+
+
+    const _cipher_modes = [_ecb_enc, _ecb_dec, _cbc_enc, _cbc_dec, _cfb_enc, _cfb_dec, _ofb, _ctr];
+    /**
+     * AES MAC modes table (virual methods)
+     */
+
+    const _mac_modes = [_cbc_enc, _gcm_mac];
+    /**
+     * Asm.js module exports
+     */
+
+    return {
+      set_rounds: set_rounds,
+      set_state: set_state,
+      set_iv: set_iv,
+      set_nonce: set_nonce,
+      set_mask: set_mask,
+      set_counter: set_counter,
+      get_state: get_state,
+      get_iv: get_iv,
+      gcm_init: gcm_init,
+      cipher: cipher,
+      mac: mac,
+      set_key
+    };
+  }(foreign, buffer);
+
+  return asm;
+};
+
+class AES_asm {
+  constructor(foreign, heap) {
+    return wrapper(foreign, heap);
+  }
+  /**
+   * @param ks - key size, 4/6/8 (for 128/192/256-bit key correspondingly)
+   * @param k0 - key vector components
+   * @param k1 - key vector components
+   * @param k2 - key vector components
+   * @param k3 - key vector components
+   * @param k4 - key vector components
+   * @param k5 - key vector components
+   * @param k6 - key vector components
+   * @param k7 - key vector components
+   */
+
+
+  set_key(ks, k0, k1, k2, k3, k4, k5, k6, k7) {// 此处不需要实现
+  }
+
+  /**
+   * Populate the internal iv of the module
+   */
+  set_iv(i0, i1, i2, i3) {// 此处不需要实现
+  }
+  /**
+   * Set counter mask for CTR-family modes
+   */
+
+
+  set_mask(m0, m1, m2, m3) {// 此处不需要实现
+  }
+  /**
+   * Set nonce for CTR-family modes
+   */
+
+
+  set_nonce(n0, n1, n2, n3) {// 此处不需要实现
+  }
+
+  /**
+   * Set counter for CTR-family modes
+   */
+  set_counter(c0, c1, c2, c3) {// 此处不需要实现
+  }
+
+  /**
+   * Perform ciphering operation on the supplied data
+   *
+   * @param mode - block cipher mode (see {@link AES_asm} mode constants)
+   * @param pos - offset of the data being processed
+   * @param len - length of the data being processed
+   * @return Actual amount of data have been processed
+   */
+  cipher(mode, pos, len) {
+    // 此处实现忽略
+    return 0;
+  }
+  /**
+   * GCM initialization
+   */
+
+
+  gcm_init() {// 此处不需要实现
+  }
+  /**
+   * Store the internal iv vector into the heap
+   *
+   * @returns The number of bytes have been written into the heap, always 16
+   */
+
+
+  get_iv(pos) {
+    // 此处实现忽略
+    return 16;
+  }
+  /**
+   * Calculates MAC of the supplied data
+   *
+   * @param mode - block cipher mode (see {@link AES_asm} mode constants)
+   * @param pos - offset of the data being processed
+   * @param len - length of the data being processed
+   * @return Actual amount of data have been processed
+   */
+
+
+  mac(mode, pos, len) {
+    // 此处实现忽略
+    return 0;
+  }
+  /**
+   * Store the internal state vector into the heap.
+   *
+   * @param pos - offset where to put the data
+   * @return The number of bytes have been written into the heap, always 16.
+   */
+
+
+  get_state(pos) {
+    // 此处实现忽略
+    return 16;
+  }
+
+}
+/**
+ * AES enciphering mode constants
+ * @enum {number}
+ * @const
+ */
+
+AES_asm.ENC = {
+  ECB: 0,
+  CBC: 2,
+  CFB: 4,
+  OFB: 6,
+  CTR: 7
+};
+/**
+ * AES deciphering mode constants
+ * @enum {number}
+ * @const
+ */
+
+AES_asm.DEC = {
+  ECB: 1,
+  CBC: 3,
+  CFB: 5,
+  OFB: 6,
+  CTR: 7
+};
+/**
+ * AES MAC mode constants
+ * @enum {number}
+ * @const
+ */
+
+AES_asm.MAC = {
+  CBC: 0,
+  GCM: 1
+};
+/**
+ * Heap data offset
+ * @type {number}
+ * @const
+ */
+
+AES_asm.HEAP_DATA = 0x4000;
+
+class AES {
+  constructor(key, iv, padding = true, mode, heap, asm) {
+    this.pos = 0;
+    this.len = 0;
+    this.mode = mode; // The AES "worker"
+
+    this.heap = heap ? heap : _heap_init().subarray(AES_asm.HEAP_DATA);
+    this.asm = asm ? asm : new AES_asm(null, this.heap.buffer); // The AES object state
+
+    this.pos = 0;
+    this.len = 0; // Key
+
+    const keylen = key.length;
+    if (keylen !== 16 && keylen !== 24 && keylen !== 32) throw new IllegalArgumentError('illegal key size');
+    const keyview = new DataView(key.buffer, key.byteOffset, key.byteLength);
+    this.asm.set_key(keylen >> 2, keyview.getUint32(0), keyview.getUint32(4), keyview.getUint32(8), keyview.getUint32(12), keylen > 16 ? keyview.getUint32(16) : 0, keylen > 16 ? keyview.getUint32(20) : 0, keylen > 24 ? keyview.getUint32(24) : 0, keylen > 24 ? keyview.getUint32(28) : 0); // IV
+
+    if (iv !== undefined) {
+      if (iv.length !== 16) throw new IllegalArgumentError('illegal iv size');
+      const ivview = new DataView(iv.buffer, iv.byteOffset, iv.byteLength);
+      this.asm.set_iv(ivview.getUint32(0), ivview.getUint32(4), ivview.getUint32(8), ivview.getUint32(12));
+    } else {
+      this.asm.set_iv(0, 0, 0, 0);
+    }
+
+    this.padding = padding;
+  }
+
+  AES_Encrypt_process(data) {
+    if (!is_bytes(data)) throw new TypeError("data isn't of expected type");
+    const asm = this.asm;
+    const heap = this.heap;
+    const amode = AES_asm.ENC[this.mode];
+    const hpos = AES_asm.HEAP_DATA;
+    let pos = this.pos;
+    let len = this.len;
+    let dpos = 0;
+    let dlen = data.length || 0;
+    let rpos = 0;
+    const rlen = len + dlen & -16;
+    let wlen = 0;
+    const result = new Uint8Array(rlen);
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.cipher(amode, hpos + pos, len);
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      rpos += wlen;
+
+      if (wlen < len) {
+        pos += wlen;
+        len -= wlen;
+      } else {
+        pos = 0;
+        len = 0;
+      }
+    }
+
+    this.pos = pos;
+    this.len = len;
+    return result;
+  }
+
+  AES_Encrypt_finish() {
+    const asm = this.asm;
+    const heap = this.heap;
+    const amode = AES_asm.ENC[this.mode];
+    const hpos = AES_asm.HEAP_DATA;
+    const pos = this.pos;
+    let len = this.len;
+    const plen = 16 - len % 16;
+    let rlen = len; // eslint-disable-next-line no-prototype-builtins
+
+    if (this.hasOwnProperty('padding')) {
+      if (this.padding) {
+        for (let p = 0; p < plen; ++p) {
+          heap[pos + len + p] = plen;
+        }
+
+        len += plen;
+        rlen = len;
+      } else if (len % 16) {
+        throw new IllegalArgumentError('data length must be a multiple of the block size');
+      }
+    } else {
+      len += plen;
+    }
+
+    const result = new Uint8Array(rlen);
+    if (len) asm.cipher(amode, hpos + pos, len);
+    if (rlen) result.set(heap.subarray(pos, pos + rlen));
+    this.pos = 0;
+    this.len = 0;
+    return result;
+  }
+
+  AES_Decrypt_process(data) {
+    if (!is_bytes(data)) throw new TypeError("data isn't of expected type");
+    const asm = this.asm;
+    const heap = this.heap;
+    const amode = AES_asm.DEC[this.mode];
+    const hpos = AES_asm.HEAP_DATA;
+    let pos = this.pos;
+    let len = this.len;
+    let dpos = 0;
+    let dlen = data.length || 0;
+    let rpos = 0;
+    let rlen = len + dlen & -16;
+    let plen = 0;
+    let wlen = 0;
+
+    if (this.padding) {
+      plen = len + dlen - rlen || 16;
+      rlen -= plen;
+    }
+
+    const result = new Uint8Array(rlen);
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.cipher(amode, hpos + pos, len - (!dlen ? plen : 0));
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      rpos += wlen;
+
+      if (wlen < len) {
+        pos += wlen;
+        len -= wlen;
+      } else {
+        pos = 0;
+        len = 0;
+      }
+    }
+
+    this.pos = pos;
+    this.len = len;
+    return result;
+  }
+
+  AES_Decrypt_finish() {
+    const asm = this.asm;
+    const heap = this.heap;
+    const amode = AES_asm.DEC[this.mode];
+    const hpos = AES_asm.HEAP_DATA;
+    const pos = this.pos;
+    let len = this.len;
+    let rlen = len;
+
+    if (len > 0) {
+      if (len % 16) {
+        // eslint-disable-next-line no-prototype-builtins
+        if (this.hasOwnProperty('padding')) {
+          throw new IllegalArgumentError('data length must be a multiple of the block size');
+        } else {
+          len += 16 - len % 16;
+        }
+      }
+
+      asm.cipher(amode, hpos + pos, len); // eslint-disable-next-line no-prototype-builtins
+
+      if (this.hasOwnProperty('padding') && this.padding) {
+        const pad = heap[pos + rlen - 1];
+        if (pad < 1 || pad > 16 || pad > rlen) throw new SecurityError('bad padding');
+        let pcheck = 0;
+
+        for (let i = pad; i > 1; i--) pcheck |= pad ^ heap[pos + rlen - i];
+
+        if (pcheck) throw new SecurityError('bad padding');
+        rlen -= pad;
+      }
+    }
+
+    const result = new Uint8Array(rlen);
+
+    if (rlen > 0) {
+      result.set(heap.subarray(pos, pos + rlen));
+    }
+
+    this.pos = 0;
+    this.len = 0;
+    return result;
+  }
+
+}
+
+const _AES_GCM_data_maxLength = 68719476704; // 2^36 - 2^5
+
+class AES_GCM {
+  constructor(key, nonce, adata, tagSize = 16, aes) {
+    this.tagSize = tagSize;
+    this.gamma0 = 0;
+    this.counter = 1;
+    this.aes = aes ? aes : new AES(key, undefined, false, 'CTR'); // Init GCM
+
+    this.aes.asm.gcm_init(); // Tag size
+
+    if (this.tagSize < 4 || this.tagSize > 16) throw new IllegalArgumentError('illegal tagSize value'); // Nonce
+
+    const noncelen = nonce.length || 0;
+    const noncebuf = new Uint8Array(16);
+
+    if (noncelen !== 12) {
+      this._gcm_mac_process(nonce);
+
+      this.aes.heap[0] = 0;
+      this.aes.heap[1] = 0;
+      this.aes.heap[2] = 0;
+      this.aes.heap[3] = 0;
+      this.aes.heap[4] = 0;
+      this.aes.heap[5] = 0;
+      this.aes.heap[6] = 0;
+      this.aes.heap[7] = 0;
+      this.aes.heap[8] = 0;
+      this.aes.heap[9] = 0;
+      this.aes.heap[10] = 0;
+      this.aes.heap[11] = noncelen >>> 29;
+      this.aes.heap[12] = noncelen >>> 21 & 255;
+      this.aes.heap[13] = noncelen >>> 13 & 255;
+      this.aes.heap[14] = noncelen >>> 5 & 255;
+      this.aes.heap[15] = noncelen << 3 & 255;
+      this.aes.asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
+      this.aes.asm.get_iv(AES_asm.HEAP_DATA);
+      this.aes.asm.set_iv(0, 0, 0, 0);
+      noncebuf.set(this.aes.heap.subarray(0, 16));
+    } else {
+      noncebuf.set(nonce);
+      noncebuf[15] = 1;
+    }
+
+    const nonceview = new DataView(noncebuf.buffer);
+    this.gamma0 = nonceview.getUint32(12);
+    this.aes.asm.set_nonce(nonceview.getUint32(0), nonceview.getUint32(4), nonceview.getUint32(8), 0);
+    this.aes.asm.set_mask(0, 0, 0, 0xffffffff); // Associated data
+
+    if (adata !== undefined) {
+      if (adata.length > _AES_GCM_data_maxLength) throw new IllegalArgumentError('illegal adata length');
+
+      if (adata.length) {
+        this.adata = adata;
+
+        this._gcm_mac_process(adata);
+      } else {
+        this.adata = undefined;
+      }
+    } else {
+      this.adata = undefined;
+    } // Counter
+
+
+    if (this.counter < 1 || this.counter > 0xffffffff) throw new RangeError('counter must be a positive 32-bit integer');
+    this.aes.asm.set_counter(0, 0, 0, this.gamma0 + this.counter | 0);
+  }
+
+  static encrypt(cleartext, key, nonce, adata, tagsize) {
+    return new AES_GCM(key, nonce, adata, tagsize).encrypt(cleartext);
+  }
+
+  static decrypt(ciphertext, key, nonce, adata, tagsize) {
+    return new AES_GCM(key, nonce, adata, tagsize).decrypt(ciphertext);
+  }
+
+  encrypt(data) {
+    return this.AES_GCM_encrypt(data);
+  }
+
+  decrypt(data) {
+    return this.AES_GCM_decrypt(data);
+  }
+
+  AES_GCM_Encrypt_process(data) {
+    let dpos = 0;
+    let dlen = data.length || 0;
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    let counter = this.counter;
+    let pos = this.aes.pos;
+    let len = this.aes.len;
+    let rpos = 0;
+    const rlen = len + dlen & -16;
+    let wlen = 0;
+    if ((counter - 1 << 4) + len + dlen > _AES_GCM_data_maxLength) throw new RangeError('counter overflow');
+    const result = new Uint8Array(rlen);
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, len);
+      wlen = asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, wlen);
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      counter += wlen >>> 4;
+      rpos += wlen;
+
+      if (wlen < len) {
+        pos += wlen;
+        len -= wlen;
+      } else {
+        pos = 0;
+        len = 0;
+      }
+    }
+
+    this.counter = counter;
+    this.aes.pos = pos;
+    this.aes.len = len;
+    return result;
+  }
+
+  AES_GCM_Encrypt_finish() {
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    const counter = this.counter;
+    const tagSize = this.tagSize;
+    const adata = this.adata;
+    const pos = this.aes.pos;
+    const len = this.aes.len;
+    const result = new Uint8Array(len + tagSize);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, len + 15 & -16);
+    if (len) result.set(heap.subarray(pos, pos + len));
+    let i = len;
+
+    for (; i & 15; i++) heap[pos + i] = 0;
+
+    asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, i);
+    const alen = adata !== undefined ? adata.length : 0;
+    const clen = (counter - 1 << 4) + len;
+    heap[0] = 0;
+    heap[1] = 0;
+    heap[2] = 0;
+    heap[3] = alen >>> 29;
+    heap[4] = alen >>> 21;
+    heap[5] = alen >>> 13 & 255;
+    heap[6] = alen >>> 5 & 255;
+    heap[7] = alen << 3 & 255;
+    heap[8] = heap[9] = heap[10] = 0;
+    heap[11] = clen >>> 29;
+    heap[12] = clen >>> 21 & 255;
+    heap[13] = clen >>> 13 & 255;
+    heap[14] = clen >>> 5 & 255;
+    heap[15] = clen << 3 & 255;
+    asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
+    asm.get_iv(AES_asm.HEAP_DATA);
+    asm.set_counter(0, 0, 0, this.gamma0);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
+    result.set(heap.subarray(0, tagSize), len);
+    this.counter = 1;
+    this.aes.pos = 0;
+    this.aes.len = 0;
+    return result;
+  }
+
+  AES_GCM_Decrypt_process(data) {
+    let dpos = 0;
+    let dlen = data.length || 0;
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    let counter = this.counter;
+    const tagSize = this.tagSize;
+    let pos = this.aes.pos;
+    let len = this.aes.len;
+    let rpos = 0;
+    const rlen = len + dlen > tagSize ? len + dlen - tagSize & -16 : 0;
+    const tlen = len + dlen - rlen;
+    let wlen = 0;
+    if ((counter - 1 << 4) + len + dlen > _AES_GCM_data_maxLength) throw new RangeError('counter overflow');
+    const result = new Uint8Array(rlen);
+
+    while (dlen > tlen) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen - tlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, wlen);
+      wlen = asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, wlen);
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      counter += wlen >>> 4;
+      rpos += wlen;
+      pos = 0;
+      len = 0;
+    }
+
+    if (dlen > 0) {
+      len += _heap_write(heap, 0, data, dpos, dlen);
+    }
+
+    this.counter = counter;
+    this.aes.pos = pos;
+    this.aes.len = len;
+    return result;
+  }
+
+  AES_GCM_Decrypt_finish() {
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    const tagSize = this.tagSize;
+    const adata = this.adata;
+    const counter = this.counter;
+    const pos = this.aes.pos;
+    const len = this.aes.len;
+    const rlen = len - tagSize;
+    if (len < tagSize) throw new IllegalStateError('authentication tag not found');
+    const result = new Uint8Array(rlen);
+    const atag = new Uint8Array(heap.subarray(pos + rlen, pos + len));
+    let i = rlen;
+
+    for (; i & 15; i++) heap[pos + i] = 0;
+
+    asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, i);
+    asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, i);
+    if (rlen) result.set(heap.subarray(pos, pos + rlen));
+    const alen = adata !== undefined ? adata.length : 0;
+    const clen = (counter - 1 << 4) + len - tagSize;
+    heap[0] = 0;
+    heap[1] = 0;
+    heap[2] = 0;
+    heap[3] = alen >>> 29;
+    heap[4] = alen >>> 21;
+    heap[5] = alen >>> 13 & 255;
+    heap[6] = alen >>> 5 & 255;
+    heap[7] = alen << 3 & 255;
+    heap[8] = heap[9] = heap[10] = 0;
+    heap[11] = clen >>> 29;
+    heap[12] = clen >>> 21 & 255;
+    heap[13] = clen >>> 13 & 255;
+    heap[14] = clen >>> 5 & 255;
+    heap[15] = clen << 3 & 255;
+    asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
+    asm.get_iv(AES_asm.HEAP_DATA);
+    asm.set_counter(0, 0, 0, this.gamma0);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
+    let acheck = 0;
+
+    for (let _i = 0; _i < tagSize; ++_i) acheck |= atag[_i] ^ heap[_i];
+
+    if (acheck) throw new SecurityError('data integrity check failed');
+    this.counter = 1;
+    this.aes.pos = 0;
+    this.aes.len = 0;
+    return result;
+  }
+
+  AES_GCM_decrypt(data) {
+    const result1 = this.AES_GCM_Decrypt_process(data);
+    const result2 = this.AES_GCM_Decrypt_finish();
+    const result = new Uint8Array(result1.length + result2.length);
+    if (result1.length) result.set(result1);
+    if (result2.length) result.set(result2, result1.length);
+    return result;
+  }
+
+  AES_GCM_encrypt(data) {
+    const result1 = this.AES_GCM_Encrypt_process(data);
+    const result2 = this.AES_GCM_Encrypt_finish();
+    const result = new Uint8Array(result1.length + result2.length);
+    if (result1.length) result.set(result1);
+    if (result2.length) result.set(result2, result1.length);
+    return result;
+  }
+
+  _gcm_mac_process(data) {
+    const heap = this.aes.heap;
+    const asm = this.aes.asm;
+    let dpos = 0;
+    let dlen = data.length || 0;
+    let wlen = 0;
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, 0, data, dpos, dlen);
+      dpos += wlen;
+      dlen -= wlen;
+
+      while (wlen & 15) heap[wlen++] = 0;
+
+      asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, wlen);
+    }
+  }
+
+}
+
+class AES_ECB {
+  constructor(key, padding = false, aes) {
+    this.aes = aes ? aes : new AES(key, undefined, padding, 'ECB');
+  }
+
+  static encrypt(data, key, padding = false) {
+    return new AES_ECB(key, padding).encrypt(data);
+  }
+
+  static decrypt(data, key, padding = false) {
+    return new AES_ECB(key, padding).decrypt(data);
+  }
+
+  encrypt(data) {
+    const r1 = this.aes.AES_Encrypt_process(data);
+    const r2 = this.aes.AES_Encrypt_finish();
+    return joinBytes(r1, r2);
+  }
+
+  decrypt(data) {
+    const r1 = this.aes.AES_Decrypt_process(data);
+    const r2 = this.aes.AES_Decrypt_finish();
+    return joinBytes(r1, r2);
+  }
+
+}
+
+class AES_CBC {
+  constructor(key, iv, padding = true, aes) {
+    this.aes = aes ? aes : new AES(key, iv, padding, 'CBC');
+  }
+
+  static encrypt(data, key, padding = true, iv) {
+    return new AES_CBC(key, iv, padding).encrypt(data);
+  }
+
+  static decrypt(data, key, padding = true, iv) {
+    return new AES_CBC(key, iv, padding).decrypt(data);
+  }
+
+  encrypt(data) {
+    const r1 = this.aes.AES_Encrypt_process(data);
+    const r2 = this.aes.AES_Encrypt_finish();
+    return joinBytes(r1, r2);
+  }
+
+  decrypt(data) {
+    const r1 = this.aes.AES_Decrypt_process(data);
+    const r2 = this.aes.AES_Decrypt_finish();
+    return joinBytes(r1, r2);
+  }
+
+}
+
+/**
+ * Counter with CBC-MAC (CCM)
+ *
+ * Due to JS limitations (52 bits of Number precision) maximum encrypted message length
+ * is limited to ~4 PiB ( 2^52 - 16 ) per `nonce`-`key` pair.
+ * That also limits `lengthSize` parameter maximum value to 7 (not 8 as described in RFC3610).
+ *
+ * Additional authenticated data `adata` maximum length is chosen to be no more than 65279 bytes ( 2^16 - 2^8 ),
+ * which is considered enough for the most of use-cases.
+ *
+ * And one more important thing: in case of progressive ciphering of a data stream (in other
+ * words when data can't be held in-memory at a whole and are ciphered chunk-by-chunk)
+ * you have to know the `dataLength` in advance and pass that value to the cipher options.
+ */
+const _AES_CCM_adata_maxLength = 65279; // 2^16 - 2^8
+
+const _AES_CCM_data_maxLength = 4503599627370480; // 2^52 - 2^4
+
+class AES_CCM {
+  constructor(key, nonce, adata, tagSize = 16, dataLength, aes) {
+    this.counter = 1;
+    this.dataLength = -1;
+    this.aes = aes ? aes : new AES(key, undefined, undefined, 'CCM'); // Tag size
+
+    if (tagSize < 4 || tagSize > 16 || tagSize & 1) throw new IllegalArgumentError('illegal tagSize value');
+    this.tagSize = tagSize; // Nonce
+
+    this.nonce = nonce;
+    if (nonce.length < 8 || nonce.length > 13) throw new IllegalArgumentError('illegal nonce length');
+    this.lengthSize = 15 - nonce.length;
+    nonce = new Uint8Array(nonce.length + 1);
+    nonce[0] = this.lengthSize - 1;
+    nonce.set(this.nonce, 1);
+    if (dataLength < 0 || dataLength > _AES_CCM_data_maxLength || dataLength > Math.pow(2, 8 * this.lengthSize) - 16) throw new IllegalArgumentError('illegal dataLength value');
+
+    if (adata !== undefined) {
+      if (adata.length > _AES_CCM_adata_maxLength) throw new IllegalArgumentError('illegal adata length');
+      this.adata = adata.length ? adata : undefined;
+    }
+
+    this.dataLength = dataLength;
+    this.counter = 1;
+    this.AES_CCM_calculate_iv();
+    this.AES_CTR_set_options(nonce, this.counter, 8 * this.lengthSize);
+  }
+
+  static encrypt(clear, key, nonce, adata, tagsize = 16) {
+    return new AES_CCM(key, nonce, adata, tagsize, clear.length).encrypt(clear);
+  }
+
+  static decrypt(cipher, key, nonce, adata, tagsize = 16) {
+    return new AES_CCM(key, nonce, adata, tagsize, cipher.length - tagsize).decrypt(cipher);
+  }
+
+  encrypt(data) {
+    this.dataLength = data.length || 0;
+    const result1 = this.AES_CCM_Encrypt_process(data);
+    const result2 = this.AES_CCM_Encrypt_finish();
+    const result = new Uint8Array(result1.length + result2.length);
+    if (result1.length) result.set(result1);
+    if (result2.length) result.set(result2, result1.length);
+    return result;
+  }
+
+  decrypt(data) {
+    this.dataLength = data.length || 0;
+    const result1 = this.AES_CCM_Decrypt_process(data);
+    const result2 = this.AES_CCM_Decrypt_finish();
+    const result = new Uint8Array(result1.length + result2.length);
+    if (result1.length) result.set(result1);
+    if (result2.length) result.set(result2, result1.length);
+    return result;
+  }
+
+  AES_CCM_calculate_iv() {
+    const nonce = this.nonce;
+    const adata = this.adata;
+    const tagSize = this.tagSize;
+    const lengthSize = this.lengthSize;
+    const dataLength = this.dataLength;
+    const data = new Uint8Array(16 + (adata ? 2 + adata.length : 0)); // B0: flags(adata?, M', L'), nonce, len(data)
+
+    data[0] = (adata ? 64 : 0) | tagSize - 2 << 2 | lengthSize - 1;
+    data.set(nonce, 1);
+    if (lengthSize > 6) data[9] = dataLength / 0x100000000 >>> 16 & 15;
+    if (lengthSize > 5) data[10] = dataLength / 0x100000000 >>> 8 & 255;
+    if (lengthSize > 4) data[11] = dataLength / 0x100000000 & 255;
+    if (lengthSize > 3) data[12] = dataLength >>> 24;
+    if (lengthSize > 2) data[13] = dataLength >>> 16 & 255;
+    data[14] = dataLength >>> 8 & 255;
+    data[15] = dataLength & 255; // B*: len(adata), adata
+
+    if (adata) {
+      data[16] = adata.length >>> 8 & 255;
+      data[17] = adata.length & 255;
+      data.set(adata, 18);
+    }
+
+    this._cbc_mac_process(data);
+
+    this.aes.asm.get_state(AES_asm.HEAP_DATA);
+    const iv = new Uint8Array(this.aes.heap.subarray(0, 16));
+    const ivview = new DataView(iv.buffer, iv.byteOffset, iv.byteLength);
+    this.aes.asm.set_iv(ivview.getUint32(0), ivview.getUint32(4), ivview.getUint32(8), ivview.getUint32(12));
+  }
+
+  _cbc_mac_process(data) {
+    const heap = this.aes.heap;
+    const asm = this.aes.asm;
+    let dpos = 0;
+    let dlen = data.length || 0;
+    let wlen = 0;
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, 0, data, dpos, dlen);
+
+      while (wlen & 15) heap[wlen++] = 0;
+
+      dpos += wlen;
+      dlen -= wlen;
+      asm.mac(AES_asm.MAC.CBC, AES_asm.HEAP_DATA, wlen);
+    }
+  }
+
+  AES_CCM_Encrypt_process(data) {
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    let dpos = 0;
+    let dlen = data.length || 0;
+    let counter = this.counter;
+    let pos = this.aes.pos;
+    let len = this.aes.len;
+    const rlen = len + dlen & -16;
+    let rpos = 0;
+    let wlen = 0;
+    if ((counter - 1 << 4) + len + dlen > _AES_CCM_data_maxLength) // ??? should check against lengthSize
+      throw new RangeError('counter overflow');
+    const result = new Uint8Array(rlen);
+
+    while (dlen > 0) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.mac(AES_asm.MAC.CBC, AES_asm.HEAP_DATA + pos, len);
+      wlen = asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, wlen);
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      counter += wlen >>> 4;
+      rpos += wlen;
+
+      if (wlen < len) {
+        pos += wlen;
+        len -= wlen;
+      } else {
+        pos = 0;
+        len = 0;
+      }
+    }
+
+    this.counter = counter;
+    this.aes.pos = pos;
+    this.aes.len = len;
+    return result;
+  }
+
+  AES_CCM_Encrypt_finish() {
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    const tagSize = this.tagSize;
+    const pos = this.aes.pos;
+    const len = this.aes.len;
+    const result = new Uint8Array(len + tagSize);
+    let i = len;
+
+    for (; i & 15; i++) heap[pos + i] = 0;
+
+    asm.mac(AES_asm.MAC.CBC, AES_asm.HEAP_DATA + pos, i);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, i);
+    if (len) result.set(heap.subarray(pos, pos + len));
+    asm.set_counter(0, 0, 0, 0);
+    asm.get_iv(AES_asm.HEAP_DATA);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
+    result.set(heap.subarray(0, tagSize), len);
+    this.counter = 1;
+    this.aes.pos = 0;
+    this.aes.len = 0;
+    return result;
+  }
+
+  AES_CCM_Decrypt_process(data) {
+    let dpos = 0;
+    let dlen = data.length || 0;
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    let counter = this.counter;
+    const tagSize = this.tagSize;
+    let pos = this.aes.pos;
+    let len = this.aes.len;
+    let rpos = 0;
+    const rlen = len + dlen > tagSize ? len + dlen - tagSize & -16 : 0;
+    const tlen = len + dlen - rlen;
+    let wlen = 0;
+    if ((counter - 1 << 4) + len + dlen > _AES_CCM_data_maxLength) throw new RangeError('counter overflow');
+    const result = new Uint8Array(rlen);
+
+    while (dlen > tlen) {
+      wlen = _heap_write(heap, pos + len, data, dpos, dlen - tlen);
+      len += wlen;
+      dpos += wlen;
+      dlen -= wlen;
+      wlen = asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, wlen);
+      wlen = asm.mac(AES_asm.MAC.CBC, AES_asm.HEAP_DATA + pos, wlen);
+      if (wlen) result.set(heap.subarray(pos, pos + wlen), rpos);
+      counter += wlen >>> 4;
+      rpos += wlen;
+      pos = 0;
+      len = 0;
+    }
+
+    if (dlen > 0) {
+      len += _heap_write(heap, 0, data, dpos, dlen);
+    }
+
+    this.counter = counter;
+    this.aes.pos = pos;
+    this.aes.len = len;
+    return result;
+  }
+
+  AES_CCM_Decrypt_finish() {
+    const asm = this.aes.asm;
+    const heap = this.aes.heap;
+    const tagSize = this.tagSize;
+    const pos = this.aes.pos;
+    const len = this.aes.len;
+    const rlen = len - tagSize;
+    if (len < tagSize) throw new IllegalStateError('authentication tag not found');
+    const result = new Uint8Array(rlen);
+    const atag = new Uint8Array(heap.subarray(pos + rlen, pos + len));
+    asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, rlen + 15 & -16);
+    result.set(heap.subarray(pos, pos + rlen));
+    let i = rlen;
+
+    for (; i & 15; i++) heap[pos + i] = 0;
+
+    asm.mac(AES_asm.MAC.CBC, AES_asm.HEAP_DATA + pos, i);
+    asm.set_counter(0, 0, 0, 0);
+    asm.get_iv(AES_asm.HEAP_DATA);
+    asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
+    let acheck = 0;
+
+    for (let j = 0; j < tagSize; ++j) acheck |= atag[j] ^ heap[j];
+
+    if (acheck) throw new SecurityError('data integrity check failed');
+    this.counter = 1;
+    this.aes.pos = 0;
+    this.aes.len = 0;
+    return result;
+  }
+
+  AES_CTR_set_options(nonce, counter, size) {
+    if (size < 8 || size > 48) throw new IllegalArgumentError('illegal counter size');
+    const mask = Math.pow(2, size) - 1;
+    this.aes.asm.set_mask(0, 0, mask / 0x100000000 | 0, mask | 0);
+    const len = nonce.length;
+    if (!len || len > 16) throw new IllegalArgumentError('illegal nonce size');
+    this.nonce = nonce;
+    const view = new DataView(new ArrayBuffer(16));
+    new Uint8Array(view.buffer).set(nonce);
+    this.aes.asm.set_nonce(view.getUint32(0), view.getUint32(4), view.getUint32(8), view.getUint32(12));
+    if (counter < 0 || counter >= Math.pow(2, size)) throw new IllegalArgumentError('illegal counter value');
+    this.counter = counter;
+    this.aes.asm.set_counter(0, 0, counter / 0x100000000 | 0, counter | 0);
+  }
+
+}
+
+exports.AES = AES;
+exports.AES_CBC = AES_CBC;
+exports.AES_CCM = AES_CCM;
+exports.AES_ECB = AES_ECB;
+exports.AES_GCM = AES_GCM;
+exports.IllegalArgumentError = IllegalArgumentError;
+exports.IllegalStateError = IllegalStateError;
+exports.SecurityError = SecurityError;