salty-crypto 0.0.5 → 0.1.0

package/dist/salty-crypto.js

@@ -1 +1 @@
-!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof define&&define.amd?define(["exports"],e):e((t="undefined"!=typeof globalThis?globalThis:t||self).SaltyCrypto={})}(this,(function(t){"use strict";function e(t,e){return t<<e|t>>>32-e}function s(t,s,i,h,r){t[s]+=t[i],t[r]^=t[s],t[r]=e(t[r],16),t[h]+=t[r],t[i]^=t[h],t[i]=e(t[i],12),t[s]+=t[i],t[r]^=t[s],t[r]=e(t[r],8),t[h]+=t[r],t[i]^=t[h],t[i]=e(t[i],7)}function i(t,e,s,i){t[0]+=1634760805,t[1]+=857760878,t[2]+=2036477234,t[3]+=1797285236,t[4]+=e.getUint32(0,!0),t[5]+=e.getUint32(4,!0),t[6]+=e.getUint32(8,!0),t[7]+=e.getUint32(12,!0),t[8]+=e.getUint32(16,!0),t[9]+=e.getUint32(20,!0),t[10]+=e.getUint32(24,!0),t[11]+=e.getUint32(28,!0),t[12]+=s,t[13]+=i.getUint32(0,!0),t[14]+=i.getUint32(4,!0),t[15]+=i.getUint32(8,!0)}function h(t,e,h){const r=new Uint32Array(16);i(r,t,e,h);for(let t=0;t<20;t+=2)s(r,0,4,8,12),s(r,1,5,9,13),s(r,2,6,10,14),s(r,3,7,11,15),s(r,0,5,10,15),s(r,1,6,11,12),s(r,2,7,8,13),s(r,3,4,9,14);return i(r,t,e,h),r}function r(t,e,s,i,r=0,n=s.byteLength){const a=n>>6,o=63&n;for(let n=0;n<a;n++){const a=h(t,r+n,e);for(let t=0;t<64;t++)i[(n<<6)+t]=s[(n<<6)+t]^a[t>>2]>>((3&t)<<3)}if(0!==o){const n=h(t,r+a,e);for(let t=0;t<o;t++)i[(a<<6)+t]=s[(a<<6)+t]^n[t>>2]>>((3&t)<<3)}}var n=Object.freeze({__proto__:null,CHACHA20_BLOCKBYTES:64,CHACHA20_KEYBYTES:32,CHACHA20_NONCEBYTES:12,chacha20:r,chacha20_block:h,chacha20_quarter_round:s});class a{static digest(t,e){const s=new a(t);s.update(e,0,e.byteLength);const i=new Uint8Array(a.TAGBYTES);return s.finish(i,0),i}constructor(t){this.key=t,this.buffer=new Uint8Array(16),this.r=new Uint16Array(10),this.h=new Uint16Array(10),this.pad=new Uint16Array(8),this.leftover=0,this.fin=0;const e=255&t[0]|(255&t[1])<<8;this.r[0]=8191&e;const s=255&t[2]|(255&t[3])<<8;this.r[1]=8191&(e>>>13|s<<3);const i=255&t[4]|(255&t[5])<<8;this.r[2]=7939&(s>>>10|i<<6);const h=255&t[6]|(255&t[7])<<8;this.r[3]=8191&(i>>>7|h<<9);const r=255&t[8]|(255&t[9])<<8;this.r[4]=255&(h>>>4|r<<12),this.r[5]=r>>>1&8190;const n=255&t[10]|(255&t[11])<<8;this.r[6]=8191&(r>>>14|n<<2);const a=255&t[12]|(255&t[13])<<8;this.r[7]=8065&(n>>>11|a<<5);const o=255&t[14]|(255&t[15])<<8;this.r[8]=8191&(a>>>8|o<<8),this.r[9]=o>>>5&127,this.pad[0]=255&t[16]|(255&t[17])<<8,this.pad[1]=255&t[18]|(255&t[19])<<8,this.pad[2]=255&t[20]|(255&t[21])<<8,this.pad[3]=255&t[22]|(255&t[23])<<8,this.pad[4]=255&t[24]|(255&t[25])<<8,this.pad[5]=255&t[26]|(255&t[27])<<8,this.pad[6]=255&t[28]|(255&t[29])<<8,this.pad[7]=255&t[30]|(255&t[31])<<8}blocks(t,e,s){const i=this.fin?0:2048;let h=this.h[0],r=this.h[1],n=this.h[2],a=this.h[3],o=this.h[4],c=this.h[5],l=this.h[6],u=this.h[7],f=this.h[8],y=this.h[9],p=this.r[0],d=this.r[1],m=this.r[2],g=this.r[3],b=this.r[4],K=this.r[5],w=this.r[6],A=this.r[7],_=this.r[8],E=this.r[9];for(;s>=16;){const U=255&t[e+0]|(255&t[e+1])<<8;h+=8191&U;const v=255&t[e+2]|(255&t[e+3])<<8;r+=8191&(U>>>13|v<<3);const M=255&t[e+4]|(255&t[e+5])<<8;n+=8191&(v>>>10|M<<6);const S=255&t[e+6]|(255&t[e+7])<<8;a+=8191&(M>>>7|S<<9);const N=255&t[e+8]|(255&t[e+9])<<8;o+=8191&(S>>>4|N<<12),c+=N>>>1&8191;const L=255&t[e+10]|(255&t[e+11])<<8;l+=8191&(N>>>14|L<<2);const k=255&t[e+12]|(255&t[e+13])<<8;u+=8191&(L>>>11|k<<5);const x=255&t[e+14]|(255&t[e+15])<<8;f+=8191&(k>>>8|x<<8),y+=x>>>5|i;let H=0,P=H;P+=h*p,P+=r*(5*E),P+=n*(5*_),P+=a*(5*A),P+=o*(5*w),H=P>>>13,P&=8191,P+=c*(5*K),P+=l*(5*b),P+=u*(5*g),P+=f*(5*m),P+=y*(5*d),H+=P>>>13,P&=8191;let B=H;B+=h*d,B+=r*p,B+=n*(5*E),B+=a*(5*_),B+=o*(5*A),H=B>>>13,B&=8191,B+=c*(5*w),B+=l*(5*K),B+=u*(5*b),B+=f*(5*g),B+=y*(5*m),H+=B>>>13,B&=8191;let X=H;X+=h*m,X+=r*d,X+=n*p,X+=a*(5*E),X+=o*(5*_),H=X>>>13,X&=8191,X+=c*(5*A),X+=l*(5*w),X+=u*(5*K),X+=f*(5*b),X+=y*(5*g),H+=X>>>13,X&=8191;let C=H;C+=h*g,C+=r*m,C+=n*d,C+=a*p,C+=o*(5*E),H=C>>>13,C&=8191,C+=c*(5*_),C+=l*(5*A),C+=u*(5*w),C+=f*(5*K),C+=y*(5*b),H+=C>>>13,C&=8191;let T=H;T+=h*b,T+=r*g,T+=n*m,T+=a*d,T+=o*p,H=T>>>13,T&=8191,T+=c*(5*E),T+=l*(5*_),T+=u*(5*A),T+=f*(5*w),T+=y*(5*K),H+=T>>>13,T&=8191;let O=H;O+=h*K,O+=r*b,O+=n*g,O+=a*m,O+=o*d,H=O>>>13,O&=8191,O+=c*p,O+=l*(5*E),O+=u*(5*_),O+=f*(5*A),O+=y*(5*w),H+=O>>>13,O&=8191;let I=H;I+=h*w,I+=r*K,I+=n*b,I+=a*g,I+=o*m,H=I>>>13,I&=8191,I+=c*d,I+=l*p,I+=u*(5*E),I+=f*(5*_),I+=y*(5*A),H+=I>>>13,I&=8191;let Y=H;Y+=h*A,Y+=r*w,Y+=n*K,Y+=a*b,Y+=o*g,H=Y>>>13,Y&=8191,Y+=c*m,Y+=l*d,Y+=u*p,Y+=f*(5*E),Y+=y*(5*_),H+=Y>>>13,Y&=8191;let z=H;z+=h*_,z+=r*A,z+=n*w,z+=a*K,z+=o*b,H=z>>>13,z&=8191,z+=c*g,z+=l*m,z+=u*d,z+=f*p,z+=y*(5*E),H+=z>>>13,z&=8191;let j=H;j+=h*E,j+=r*_,j+=n*A,j+=a*w,j+=o*K,H=j>>>13,j&=8191,j+=c*b,j+=l*g,j+=u*m,j+=f*d,j+=y*p,H+=j>>>13,j&=8191,H=(H<<2)+H|0,H=H+P|0,P=8191&H,H>>>=13,B+=H,h=P,r=B,n=X,a=C,o=T,c=O,l=I,u=Y,f=z,y=j,e+=16,s-=16}this.h[0]=h,this.h[1]=r,this.h[2]=n,this.h[3]=a,this.h[4]=o,this.h[5]=c,this.h[6]=l,this.h[7]=u,this.h[8]=f,this.h[9]=y}finish(t,e){if(this.leftover){let t=this.leftover;for(this.buffer[t++]=1;t<16;t++)this.buffer[t]=0;this.fin=1,this.blocks(this.buffer,0,16)}let s=this.h[1]>>>13;this.h[1]&=8191;for(let t=2;t<10;t++)this.h[t]+=s,s=this.h[t]>>>13,this.h[t]&=8191;this.h[0]+=5*s,s=this.h[0]>>>13,this.h[0]&=8191,this.h[1]+=s,s=this.h[1]>>>13,this.h[1]&=8191,this.h[2]+=s;const i=new Uint16Array(10);i[0]=this.h[0]+5,s=i[0]>>>13,i[0]&=8191;for(let t=1;t<10;t++)i[t]=this.h[t]+s,s=i[t]>>>13,i[t]&=8191;i[9]-=8192;let h=(1^s)-1;for(let t=0;t<10;t++)i[t]&=h;h=~h;for(let t=0;t<10;t++)this.h[t]=this.h[t]&h|i[t];this.h[0]=65535&(this.h[0]|this.h[1]<<13),this.h[1]=65535&(this.h[1]>>>3|this.h[2]<<10),this.h[2]=65535&(this.h[2]>>>6|this.h[3]<<7),this.h[3]=65535&(this.h[3]>>>9|this.h[4]<<4),this.h[4]=65535&(this.h[4]>>>12|this.h[5]<<1|this.h[6]<<14),this.h[5]=65535&(this.h[6]>>>2|this.h[7]<<11),this.h[6]=65535&(this.h[7]>>>5|this.h[8]<<8),this.h[7]=65535&(this.h[8]>>>8|this.h[9]<<5);let r=this.h[0]+this.pad[0];this.h[0]=65535&r;for(let t=1;t<8;t++)r=(this.h[t]+this.pad[t]|0)+(r>>>16)|0,this.h[t]=65535&r;t[e+0]=this.h[0]>>>0&255,t[e+1]=this.h[0]>>>8&255,t[e+2]=this.h[1]>>>0&255,t[e+3]=this.h[1]>>>8&255,t[e+4]=this.h[2]>>>0&255,t[e+5]=this.h[2]>>>8&255,t[e+6]=this.h[3]>>>0&255,t[e+7]=this.h[3]>>>8&255,t[e+8]=this.h[4]>>>0&255,t[e+9]=this.h[4]>>>8&255,t[e+10]=this.h[5]>>>0&255,t[e+11]=this.h[5]>>>8&255,t[e+12]=this.h[6]>>>0&255,t[e+13]=this.h[6]>>>8&255,t[e+14]=this.h[7]>>>0&255,t[e+15]=this.h[7]>>>8&255}update(t,e,s){if(this.leftover){let i=16-this.leftover;i>s&&(i=s);for(let s=0;s<i;s++)this.buffer[this.leftover+s]=t[e+s];if(s-=i,e+=i,this.leftover+=i,this.leftover<16)return;this.blocks(this.buffer,0,16),this.leftover=0}if(s>=16){const i=s-s%16;this.blocks(t,e,i),e+=i,s-=i}if(s){for(let i=0;i<s;i++)this.buffer[this.leftover+i]=t[e+i];this.leftover+=s}}}a.KEYBYTES=32,a.TAGBYTES=16,a.BLOCKBYTES=16;var o=Object.freeze({__proto__:null,Poly1305:a});const c=new Uint8Array(16);function l(t,e){const s=15&e;0!==s&&t.update(c,0,16-s)}function u(t,e,s,i,h,n){const o=new Uint8Array(a.KEYBYTES);r(e,s,o,o,0);const c=new a(o);void 0!==n&&(c.update(n,0,n.byteLength),l(c,n.byteLength)),c.update(i,0,h),l(c,h);const u=new Uint8Array(16),f=new DataView(u.buffer);void 0!==n&&f.setUint32(0,n.byteLength,!0),f.setUint32(8,h,!0),c.update(u,0,u.byteLength),c.finish(t,0)}function f(t,e,s,i,h,n,a){r(h,n,t,e,1,s),u(i,h,n,e,s,a)}function y(t,e,s,i){const h=new Uint8Array(t.byteLength+16);return f(t,h,t.byteLength,h.subarray(t.byteLength),e,s,i),h}function p(t,e,s,i,h,n,a){const o=new Uint8Array(16);u(o,h,n,e,s,a);const c=0===function(t,e,s){let i=0;for(let h=0;h<s;h++)i|=t[h]^e[h];return(1&i-1>>>8)-1}(o,i,o.byteLength);return c&&r(h,n,e,t,1,s),c}class d extends Error{}function m(t,e,s,i){const h=new Uint8Array(t.byteLength-16);if(!p(h,t,h.byteLength,t.subarray(h.byteLength),e,s,i))throw new d("ChaCha20Poly1305 AEAD authentication failed");return h}var g=Object.freeze({__proto__:null,AEAD_CHACHA20_POLY1305_KEYBYTES:32,AEAD_CHACHA20_POLY1305_NONCEBYTES:12,AEAD_CHACHA20_POLY1305_TAGBYTES:16,AuthenticationFailure:d,aead_decrypt:m,aead_decrypt_detached:p,aead_encrypt:y,aead_encrypt_detached:f});function b(t,e){return t>>>e|t<<32-e}function K(t,e,s,i,h,r,n){t[e]=t[e]+t[s]+r,t[h]=b(t[h]^t[e],16),t[i]=t[i]+t[h],t[s]=b(t[s]^t[i],12),t[e]=t[e]+t[s]+n,t[h]=b(t[h]^t[e],8),t[i]=t[i]+t[h],t[s]=b(t[s]^t[i],7)}const w=Uint32Array.from([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),A=Uint8Array.from([0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,14,10,4,8,9,15,13,6,1,12,0,2,11,7,5,3,11,8,12,0,5,2,15,13,10,14,3,6,7,1,9,4,7,9,3,1,13,12,11,14,2,6,5,10,4,0,15,8,9,0,5,7,2,4,10,15,14,1,11,12,6,8,3,13,2,12,6,10,0,11,8,3,4,13,7,5,15,14,1,9,12,5,1,15,14,13,4,10,0,7,6,3,9,2,8,11,13,11,7,14,12,1,3,9,5,0,15,4,8,6,2,10,6,15,14,9,11,3,0,8,12,2,13,7,1,4,10,5,10,2,8,4,7,6,1,5,15,11,9,14,3,12,13,0]);function _(t,e){return A[(t<<4)+e]}class E{static digest(t,e,s){const i=new E(e,s);return i.update(t),i.final()}constructor(t=E.OUTBYTES,e){var s;this.outlen=t,this.b=new Uint8Array(64),this.bv=new DataView(this.b.buffer),this.h=Uint32Array.from(w),this.t=new Uint32Array(2),this.c=0;const i=null!==(s=null==e?void 0:e.byteLength)&&void 0!==s?s:0;if(0==t||t>32||i>32)throw new Error("illegal BLAKE2s parameter length(s)");this.h[0]^=16842752^i<<8^t,void 0!==e&&i>0&&(this.update(e),this.c=64)}update(t){for(let e=0;e<t.byteLength;e++)64==this.c&&(this.t[0]+=this.c,this.t[0]<this.c&&this.t[1]++,this.compress(!1),this.c=0),this.b[this.c++]=t[e]}final(t){for(this.t[0]+=this.c,this.t[0]<this.c&&this.t[1]++;this.c<64;)this.b[this.c++]=0;this.compress(!0),void 0===t&&(t=new Uint8Array(this.outlen));for(let e=0;e<this.outlen;e++)t[e]=this.h[e>>2]>>8*(3&e)&255;return t}compress(t){const e=new Uint32Array(16),s=new Uint32Array(16);for(let t=0;t<8;t++)e[t]=this.h[t],e[t+8]=w[t];e[12]^=this.t[0],e[13]^=this.t[1],t&&(e[14]=~e[14]);for(let t=0;t<16;t++)s[t]=this.bv.getUint32(t<<2,!0);for(let t=0;t<10;t++)K(e,0,4,8,12,s[_(t,0)],s[_(t,1)]),K(e,1,5,9,13,s[_(t,2)],s[_(t,3)]),K(e,2,6,10,14,s[_(t,4)],s[_(t,5)]),K(e,3,7,11,15,s[_(t,6)],s[_(t,7)]),K(e,0,5,10,15,s[_(t,8)],s[_(t,9)]),K(e,1,6,11,12,s[_(t,10)],s[_(t,11)]),K(e,2,7,8,13,s[_(t,12)],s[_(t,13)]),K(e,3,4,9,14,s[_(t,14)],s[_(t,15)]);for(let t=0;t<8;t++)this.h[t]^=e[t]^e[t+8]}}E.KEYBYTES=32,E.OUTBYTES=32,E.BLOCKLEN=64;var U=Object.freeze({__proto__:null,BLAKE2s:E});class v{constructor(t=0,e=0){this.lo=t,this.hi=e}increment(){const t=this.lo,e=t+1|0;this.lo=e,e<t&&(this.hi=this.hi+1|0)}reset(t=0,e=0){this.lo=t,this.hi=e}static get MAX(){return new v(4294967295,4294967295)}}function M(t,e){const s=Math.min(t.byteLength,e.byteLength),i=new Uint8Array(s);for(let h=0;h<s;h++)i[h]=t[h]^e[h];return i}function S(t,e){const s=new Uint8Array(t.byteLength+e.byteLength);return s.set(t,0),s.set(e,t.byteLength),s}const N=new Uint8Array(0);class L{constructor(t){const e=this.generateKeypair();this.dhlen=this.dh(e,e.public).byteLength,this.hmac=null!=t?t:function(t){const e=new Uint8Array(t.hashBlocklen());e.fill(54);const s=new Uint8Array(t.hashBlocklen());return s.fill(92),(i,h)=>{const r=t._padOrHash(i,t.hashBlocklen());return t.hash(S(M(r,s),t.hash(S(M(r,e),h))))}}(this)}rekey(t){return new DataView(this.encrypt(t,v.MAX,new Uint8Array(32)).buffer)}_padOrHash(t,e){const s=t.byteLength>e?this.hash(t):t;return S(s,new Uint8Array(e-s.byteLength))}hkdf(t,e,s){const i=this.hmac(t,e),h=this.hmac(i,Uint8Array.from([1])),r=this.hmac(i,S(h,Uint8Array.from([2])));switch(s){case 2:return[h,r];case 3:return[h,r,this.hmac(i,S(r,Uint8Array.from([3])))]}}matchingPattern(t){const e=new RegExp(`^Noise_([A-Za-z0-9+]+)_${this.dhName()}_${this.cipherName()}_${this.hashName()}$`).exec(t);return null===e?null:e[1]}}class k{constructor(t,e){this.algorithms=t,this.view=null,this.nonce=new v,void 0!==e&&(this.view=new DataView(e.buffer))}encrypt(t,e){if(null===this.view)return t;const s=this.algorithms.encrypt(this.view,this.nonce,t,e);return this.nonce.increment(),s}decrypt(t,e){if(null===this.view)return t;const s=this.algorithms.decrypt(this.view,this.nonce,t,e);return this.nonce.increment(),s}rekey(){null!==this.view&&(this.view=this.algorithms.rekey(this.view))}}var x=Object.freeze({__proto__:null,CipherState:k,NoiseHandshake:class{constructor(t,e,s,i={}){var h,r,n,a,o;this.algorithms=t,this.pattern=e,this.role=s,this.stepIndex=0,this.staticKeypair=null!==(h=i.staticKeypair)&&void 0!==h?h:this.algorithms.generateKeypair(),this.remoteStaticPublicKey=null!==(r=i.remoteStaticPublicKey)&&void 0!==r?r:null,this.ephemeralKeypair=null!==(n=i.pregeneratedEphemeralKeypair)&&void 0!==n?n:this.algorithms.generateKeypair(),this.remoteEphemeralPublicKey=null!==(a=i.remotePregeneratedEphemeralPublicKey)&&void 0!==a?a:null,this.preSharedKeys=i.preSharedKeys,this.preSharedKeys&&(this.preSharedKeys=this.preSharedKeys.slice(),0===this.preSharedKeys.length&&(this.preSharedKeys=void 0));const c=(new TextEncoder).encode("Noise_"+this.pattern.name+"_"+this.algorithms.dhName()+"_"+this.algorithms.cipherName()+"_"+this.algorithms.hashName());this.cipherState=new k(this.algorithms),this.chainingKey=this.algorithms._padOrHash(c,this.algorithms.hash(N).byteLength),this.handshakeHash=this.chainingKey,this.mixHash(null!==(o=i.prologue)&&void 0!==o?o:N),this.pattern.initiatorPreMessage.forEach((t=>this.mixHash("e"===t?this.isInitiator?this.ephemeralKeypair.public:this.remoteEphemeralPublicKey:this.isInitiator?this.staticKeypair.public:this.remoteStaticPublicKey))),this.pattern.responderPreMessage.forEach((t=>this.mixHash("e"===t?this.isInitiator?this.remoteEphemeralPublicKey:this.ephemeralKeypair.public:this.isInitiator?this.remoteStaticPublicKey:this.staticKeypair.public)))}get isInitiator(){return"initiator"===this.role}mixHash(t){this.handshakeHash=this.algorithms.hash(S(this.handshakeHash,t))}mixKey(t){const[e,s]=this.algorithms.hkdf(this.chainingKey,t,2);this.chainingKey=e,this.cipherState=new k(this.algorithms,s)}mixKeyAndHashNextPSK(){const t=this.preSharedKeys.shift(),[e,s,i]=this.algorithms.hkdf(this.chainingKey,t,3);this.chainingKey=e,this.mixHash(s),this.cipherState=new k(this.algorithms,i)}encryptAndHash(t){const e=this.cipherState.encrypt(t,this.handshakeHash);return this.mixHash(e),e}decryptAndHash(t){const e=this.cipherState.decrypt(t,this.handshakeHash);return this.mixHash(t),e}_split(){if(this.stepIndex<this.pattern.messages.length)return null;{let[t,e]=this.algorithms.hkdf(this.chainingKey,N,2).map((t=>new k(this.algorithms,t)));return this.isInitiator?{send:t,recv:e}:{send:e,recv:t}}}_nextStep(){if(this.stepIndex>=this.pattern.messages.length)throw new Error("Handshake already complete, cannot continue");return this.pattern.messages[this.stepIndex++]}_processKeyMixToken(t){switch(t){case"ee":this.mixKey(this.algorithms.dh(this.ephemeralKeypair,this.remoteEphemeralPublicKey));break;case"es":this.mixKey(this.isInitiator?this.algorithms.dh(this.ephemeralKeypair,this.remoteStaticPublicKey):this.algorithms.dh(this.staticKeypair,this.remoteEphemeralPublicKey));break;case"se":this.mixKey(this.isInitiator?this.algorithms.dh(this.staticKeypair,this.remoteEphemeralPublicKey):this.algorithms.dh(this.ephemeralKeypair,this.remoteStaticPublicKey));break;case"ss":this.mixKey(this.algorithms.dh(this.staticKeypair,this.remoteStaticPublicKey));break;case"psk":this.mixKeyAndHashNextPSK()}}writeMessage(t){const e=[];let s;if(this._nextStep().forEach((t=>{switch(t){case"e":e.push(this.ephemeralKeypair.public),this.mixHash(this.ephemeralKeypair.public),this.preSharedKeys&&this.mixKey(this.ephemeralKeypair.public);break;case"s":e.push(this.encryptAndHash(this.staticKeypair.public));break;default:this._processKeyMixToken(t)}})),e.push(this.encryptAndHash(t)),1===e.length)s=e[0];else{s=new Uint8Array(e.reduce(((t,e)=>t+e.byteLength),0));let t=0;e.forEach((e=>{s.set(e,t),t+=e.byteLength}))}return{packet:s,finished:this._split()}}readMessage(t){const e=e=>{const s=t.slice(0,e);return t=t.subarray(e),s};this._nextStep().forEach((t=>{switch(t){case"e":this.remoteEphemeralPublicKey=e(this.algorithms.dhlen),this.mixHash(this.remoteEphemeralPublicKey),this.preSharedKeys&&this.mixKey(this.remoteEphemeralPublicKey);break;case"s":this.remoteStaticPublicKey=this.decryptAndHash(e(this.algorithms.dhlen+(this.cipherState.view?16:0)));break;default:this._processKeyMixToken(t)}}));return{message:this.decryptAndHash(t),finished:this._split()}}async completeHandshake(t,e,s=(async t=>{}),i=(async()=>new Uint8Array(0))){const h=async()=>{const{packet:e,finished:s}=this.writeMessage(await i());return await t(e),s||r()},r=async()=>{const{message:t,finished:i}=this.readMessage(await e());return await s(t),i||h()};return this.isInitiator?h():r()}},NoiseProtocolAlgorithms:L,Nonce:v,bytesAppend:S,bytesXor:M});const H={};function P(t,e,s,i){const h={name:t,baseName:t,messages:e,initiatorPreMessage:s,responderPreMessage:i};H[h.name]=h}P("I1K1",[["e","s"],["e","ee","es"],["se"]],[],["s"]),P("I1K",[["e","es","s"],["e","ee"],["se"]],[],["s"]),P("I1N",[["e","s"],["e","ee"],["se"]],[],[]),P("I1X1",[["e","s"],["e","ee","s"],["se","es"]],[],[]),P("I1X",[["e","s"],["e","ee","s","es"],["se"]],[],[]),P("IK1",[["e","s"],["e","ee","se","es"]],[],["s"]),P("IK",[["e","es","s","ss"],["e","ee","se"]],[],["s"]),P("IN",[["e","s"],["e","ee","se"]],[],[]),P("IX1",[["e","s"],["e","ee","se","s"],["es"]],[],[]),P("IX",[["e","s"],["e","ee","se","s","es"]],[],[]),P("K1K1",[["e"],["e","ee","es"],["se"]],["s"],["s"]),P("K1K",[["e","es"],["e","ee"],["se"]],["s"],["s"]),P("K1N",[["e"],["e","ee"],["se"]],["s"],[]),P("K1X1",[["e"],["e","ee","s"],["se","es"]],["s"],[]),P("K1X",[["e"],["e","ee","s","es"],["se"]],["s"],[]),P("K",[["e","es","ss"]],["s"],["s"]),P("KK1",[["e"],["e","ee","se","es"]],["s"],["s"]),P("KK",[["e","es","ss"],["e","ee","se"]],["s"],["s"]),P("KN",[["e"],["e","ee","se"]],["s"],[]),P("KX1",[["e"],["e","ee","se","s"],["es"]],["s"],[]),P("KX",[["e"],["e","ee","se","s","es"]],["s"],[]),P("N",[["e","es"]],[],["s"]),P("NK1",[["e"],["e","ee","es"]],[],["s"]),P("NK",[["e","es"],["e","ee"]],[],["s"]),P("NN",[["e"],["e","ee"]],[],[]),P("NX1",[["e"],["e","ee","s"],["es"]],[],[]),P("NX",[["e"],["e","ee","s","es"]],[],[]),P("X1K1",[["e"],["e","ee","es"],["s"],["se"]],[],["s"]),P("X1K",[["e","es"],["e","ee"],["s"],["se"]],[],["s"]),P("X1N",[["e"],["e","ee"],["s"],["se"]],[],[]),P("X1X1",[["e"],["e","ee","s"],["es","s"],["se"]],[],[]),P("X1X",[["e"],["e","ee","s","es"],["s"],["se"]],[],[]),P("X",[["e","es","s","ss"]],[],["s"]),P("XK1",[["e"],["e","ee","es"],["s","se"]],[],["s"]),P("XK",[["e","es"],["e","ee"],["s","se"]],[],["s"]),P("XN",[["e"],["e","ee"],["s","se"]],[],[]),P("XX1",[["e"],["e","ee","s"],["es","s","se"]],[],[]),P("XX",[["e"],["e","ee","s","es"],["s","se"]],[],[]);const B=/^([NKX]|[NKXI]1?[NKX]1?)([a-z][a-z0-9]*(\+[a-z][a-z0-9]*)*)?$/,X=/^psk([0-9]+)$/;var C=Object.freeze({__proto__:null,PATTERNS:H,isOneWay:function(t){return 1===t.baseName.length},lookupPattern:function(t){var e,s,i;const h=B.exec(t);if(null===h)return null;const r=null!==(s=null===(e=h[2])||void 0===e?void 0:e.split("+"))&&void 0!==s?s:[];let n=null!==(i=H[h[1]])&&void 0!==i?i:null;return n?(r.forEach((t=>n=n&&function(t,e){const s=X.exec(e);if(null===s)return null;const i=parseInt(s[1],10),h=t.messages;return Object.assign(Object.assign({},t),{messages:0===i?[["psk",...h[0]],...h.slice(1)]:[...h.slice(0,i-1),[...h[i-1],"psk"],...h.slice(i)]})}(n,t))),n&&Object.assign(Object.assign({},n),{name:t})):null}});const T=(()=>{var t="undefined"!=typeof self?self.crypto||self.msCrypto:null;if(t&&t.getRandomValues){const e=65536;return(s,i)=>{for(let h=0;h<i;h+=e)t.getRandomValues(s.subarray(h,h+Math.min(i-h,e)))}}if("undefined"!=typeof require&&(t=require("crypto"))&&t.randomBytes)return(e,s)=>e.set(t.randomBytes(s));throw new Error("No usable randomness source found")})();function O(t){const e=new Uint8Array(t);return T(e,t),e}var I=Object.freeze({__proto__:null,_randomBytes:T,randomBytes:O});function Y(){return new Float64Array(16)}const z=new Uint8Array(32);z[0]=9;const j=Y();function D(t){let e=1;for(let s=0;s<16;s++){const i=t[s]+e+65535;e=Math.floor(i/65536),t[s]=i-65536*e}t[0]+=e-1+37*(e-1)}function V(t,e,s){const i=~(s-1);for(let s=0;s<16;s++){const h=i&(t[s]^e[s]);t[s]^=h,e[s]^=h}}function R(t,e,s){for(let i=0;i<16;i++)t[i]=e[i]+s[i]}function $(t,e,s){for(let i=0;i<16;i++)t[i]=e[i]-s[i]}function q(t,e,s){let i=0,h=0,r=0,n=0,a=0,o=0,c=0,l=0,u=0,f=0,y=0,p=0,d=0,m=0,g=0,b=0,K=0,w=0,A=0,_=0,E=0,U=0,v=0,M=0,S=0,N=0,L=0,k=0,x=0,H=0,P=0;const B=s[0],X=s[1],C=s[2],T=s[3],O=s[4],I=s[5],Y=s[6],z=s[7],j=s[8],D=s[9],V=s[10],R=s[11],$=s[12],q=s[13],F=s[14],G=s[15];let W=e[0];i+=W*B,h+=W*X,r+=W*C,n+=W*T,a+=W*O,o+=W*I,c+=W*Y,l+=W*z,u+=W*j,f+=W*D,y+=W*V,p+=W*R,d+=W*$,m+=W*q,g+=W*F,b+=W*G,W=e[1],h+=W*B,r+=W*X,n+=W*C,a+=W*T,o+=W*O,c+=W*I,l+=W*Y,u+=W*z,f+=W*j,y+=W*D,p+=W*V,d+=W*R,m+=W*$,g+=W*q,b+=W*F,K+=W*G,W=e[2],r+=W*B,n+=W*X,a+=W*C,o+=W*T,c+=W*O,l+=W*I,u+=W*Y,f+=W*z,y+=W*j,p+=W*D,d+=W*V,m+=W*R,g+=W*$,b+=W*q,K+=W*F,w+=W*G,W=e[3],n+=W*B,a+=W*X,o+=W*C,c+=W*T,l+=W*O,u+=W*I,f+=W*Y,y+=W*z,p+=W*j,d+=W*D,m+=W*V,g+=W*R,b+=W*$,K+=W*q,w+=W*F,A+=W*G,W=e[4],a+=W*B,o+=W*X,c+=W*C,l+=W*T,u+=W*O,f+=W*I,y+=W*Y,p+=W*z,d+=W*j,m+=W*D,g+=W*V,b+=W*R,K+=W*$,w+=W*q,A+=W*F,_+=W*G,W=e[5],o+=W*B,c+=W*X,l+=W*C,u+=W*T,f+=W*O,y+=W*I,p+=W*Y,d+=W*z,m+=W*j,g+=W*D,b+=W*V,K+=W*R,w+=W*$,A+=W*q,_+=W*F,E+=W*G,W=e[6],c+=W*B,l+=W*X,u+=W*C,f+=W*T,y+=W*O,p+=W*I,d+=W*Y,m+=W*z,g+=W*j,b+=W*D,K+=W*V,w+=W*R,A+=W*$,_+=W*q,E+=W*F,U+=W*G,W=e[7],l+=W*B,u+=W*X,f+=W*C,y+=W*T,p+=W*O,d+=W*I,m+=W*Y,g+=W*z,b+=W*j,K+=W*D,w+=W*V,A+=W*R,_+=W*$,E+=W*q,U+=W*F,v+=W*G,W=e[8],u+=W*B,f+=W*X,y+=W*C,p+=W*T,d+=W*O,m+=W*I,g+=W*Y,b+=W*z,K+=W*j,w+=W*D,A+=W*V,_+=W*R,E+=W*$,U+=W*q,v+=W*F,M+=W*G,W=e[9],f+=W*B,y+=W*X,p+=W*C,d+=W*T,m+=W*O,g+=W*I,b+=W*Y,K+=W*z,w+=W*j,A+=W*D,_+=W*V,E+=W*R,U+=W*$,v+=W*q,M+=W*F,S+=W*G,W=e[10],y+=W*B,p+=W*X,d+=W*C,m+=W*T,g+=W*O,b+=W*I,K+=W*Y,w+=W*z,A+=W*j,_+=W*D,E+=W*V,U+=W*R,v+=W*$,M+=W*q,S+=W*F,N+=W*G,W=e[11],p+=W*B,d+=W*X,m+=W*C,g+=W*T,b+=W*O,K+=W*I,w+=W*Y,A+=W*z,_+=W*j,E+=W*D,U+=W*V,v+=W*R,M+=W*$,S+=W*q,N+=W*F,L+=W*G,W=e[12],d+=W*B,m+=W*X,g+=W*C,b+=W*T,K+=W*O,w+=W*I,A+=W*Y,_+=W*z,E+=W*j,U+=W*D,v+=W*V,M+=W*R,S+=W*$,N+=W*q,L+=W*F,k+=W*G,W=e[13],m+=W*B,g+=W*X,b+=W*C,K+=W*T,w+=W*O,A+=W*I,_+=W*Y,E+=W*z,U+=W*j,v+=W*D,M+=W*V,S+=W*R,N+=W*$,L+=W*q,k+=W*F,x+=W*G,W=e[14],g+=W*B,b+=W*X,K+=W*C,w+=W*T,A+=W*O,_+=W*I,E+=W*Y,U+=W*z,v+=W*j,M+=W*D,S+=W*V,N+=W*R,L+=W*$,k+=W*q,x+=W*F,H+=W*G,W=e[15],b+=W*B,K+=W*X,w+=W*C,A+=W*T,_+=W*O,E+=W*I,U+=W*Y,v+=W*z,M+=W*j,S+=W*D,N+=W*V,L+=W*R,k+=W*$,x+=W*q,H+=W*F,P+=W*G,i+=38*K,h+=38*w,r+=38*A,n+=38*_,a+=38*E,o+=38*U,c+=38*v,l+=38*M,u+=38*S,f+=38*N,y+=38*L,p+=38*k,d+=38*x,m+=38*H,g+=38*P;let Z=1;W=i+Z+65535,Z=Math.floor(W/65536),i=W-65536*Z,W=h+Z+65535,Z=Math.floor(W/65536),h=W-65536*Z,W=r+Z+65535,Z=Math.floor(W/65536),r=W-65536*Z,W=n+Z+65535,Z=Math.floor(W/65536),n=W-65536*Z,W=a+Z+65535,Z=Math.floor(W/65536),a=W-65536*Z,W=o+Z+65535,Z=Math.floor(W/65536),o=W-65536*Z,W=c+Z+65535,Z=Math.floor(W/65536),c=W-65536*Z,W=l+Z+65535,Z=Math.floor(W/65536),l=W-65536*Z,W=u+Z+65535,Z=Math.floor(W/65536),u=W-65536*Z,W=f+Z+65535,Z=Math.floor(W/65536),f=W-65536*Z,W=y+Z+65535,Z=Math.floor(W/65536),y=W-65536*Z,W=p+Z+65535,Z=Math.floor(W/65536),p=W-65536*Z,W=d+Z+65535,Z=Math.floor(W/65536),d=W-65536*Z,W=m+Z+65535,Z=Math.floor(W/65536),m=W-65536*Z,W=g+Z+65535,Z=Math.floor(W/65536),g=W-65536*Z,W=b+Z+65535,Z=Math.floor(W/65536),b=W-65536*Z,i+=Z-1+37*(Z-1),Z=1,W=i+Z+65535,Z=Math.floor(W/65536),i=W-65536*Z,W=h+Z+65535,Z=Math.floor(W/65536),h=W-65536*Z,W=r+Z+65535,Z=Math.floor(W/65536),r=W-65536*Z,W=n+Z+65535,Z=Math.floor(W/65536),n=W-65536*Z,W=a+Z+65535,Z=Math.floor(W/65536),a=W-65536*Z,W=o+Z+65535,Z=Math.floor(W/65536),o=W-65536*Z,W=c+Z+65535,Z=Math.floor(W/65536),c=W-65536*Z,W=l+Z+65535,Z=Math.floor(W/65536),l=W-65536*Z,W=u+Z+65535,Z=Math.floor(W/65536),u=W-65536*Z,W=f+Z+65535,Z=Math.floor(W/65536),f=W-65536*Z,W=y+Z+65535,Z=Math.floor(W/65536),y=W-65536*Z,W=p+Z+65535,Z=Math.floor(W/65536),p=W-65536*Z,W=d+Z+65535,Z=Math.floor(W/65536),d=W-65536*Z,W=m+Z+65535,Z=Math.floor(W/65536),m=W-65536*Z,W=g+Z+65535,Z=Math.floor(W/65536),g=W-65536*Z,W=b+Z+65535,Z=Math.floor(W/65536),b=W-65536*Z,i+=Z-1+37*(Z-1),t[0]=i,t[1]=h,t[2]=r,t[3]=n,t[4]=a,t[5]=o,t[6]=c,t[7]=l,t[8]=u,t[9]=f,t[10]=y,t[11]=p,t[12]=d,t[13]=m,t[14]=g,t[15]=b}function F(t,e){q(t,e,e)}function G(t,e,s){const i=new Uint8Array(32),h=new Float64Array(80),r=Y(),n=Y(),a=Y(),o=Y(),c=Y(),l=Y();for(let t=0;t<31;t++)i[t]=e[t];i[31]=127&e[31]|64,i[0]&=248,function(t,e){for(let s=0;s<16;s++)t[s]=e[2*s]+(e[2*s+1]<<8);t[15]&=32767}(h,s);for(let t=0;t<16;t++)n[t]=h[t],o[t]=r[t]=a[t]=0;r[0]=o[0]=1;for(let t=254;t>=0;--t){const e=i[t>>>3]>>>(7&t)&1;V(r,n,e),V(a,o,e),R(c,r,a),$(r,r,a),R(a,n,o),$(n,n,o),F(o,c),F(l,r),q(r,a,r),q(a,n,c),R(c,r,a),$(r,r,a),F(n,r),$(a,o,l),q(r,a,j),R(r,r,o),q(a,a,r),q(r,o,l),q(o,n,h),F(n,c),V(r,n,e),V(a,o,e)}for(let t=0;t<16;t++)h[t+16]=r[t],h[t+32]=a[t],h[t+48]=n[t],h[t+64]=o[t];const u=h.subarray(32),f=h.subarray(16);!function(t,e){const s=Y();for(let t=0;t<16;t++)s[t]=e[t];for(let t=253;t>=0;t--)F(s,s),2!==t&&4!==t&&q(s,s,e);for(let e=0;e<16;e++)t[e]=s[e]}(u,u),q(f,f,u),function(t,e){const s=Y(),i=Y();for(let t=0;t<16;t++)i[t]=e[t];D(i),D(i),D(i);for(let t=0;t<2;t++){s[0]=i[0]-65517;for(let t=1;t<15;t++)s[t]=i[t]-65535-(s[t-1]>>16&1),s[t-1]&=65535;s[15]=i[15]-32767-(s[14]>>16&1);const t=s[15]>>16&1;s[14]&=65535,V(i,s,1-t)}for(let e=0;e<16;e++)t[2*e]=255&i[e],t[2*e+1]=i[e]>>8}(t,f)}function W(t,e){G(t,e,z)}function Z(t,e){if(32!==t.length)throw new Error("bad n size");if(32!==e.length)throw new Error("bad p size");const s=new Uint8Array(32);return G(s,t,e),s}function J(t){if(32!==t.length)throw new Error("bad n size");const e=new Uint8Array(32);return W(e,t),e}j[0]=56129,j[1]=1,Z.scalarLength=32,Z.groupElementLength=32;var Q=Object.freeze({__proto__:null,crypto_scalarmult:G,crypto_scalarmult_BYTES:32,crypto_scalarmult_SCALARBYTES:32,crypto_scalarmult_base:W,scalarMult:Z,scalarMultBase:J});function tt(t){const e=new DataView(new ArrayBuffer(12));return e.setUint32(4,t.lo,!0),e.setUint32(8,t.hi,!0),e}var et=Object.freeze({__proto__:null,Noise_25519_ChaChaPoly_BLAKE2s:class extends L{constructor(){super()}dhName(){return"25519"}generateKeypair(){const t=O(Z.scalarLength);return{public:J(t),secret:t}}dh(t,e){return Z(t.secret,e)}cipherName(){return"ChaChaPoly"}encrypt(t,e,s,i){return y(s,t,tt(e),i)}decrypt(t,e,s,i){return m(s,t,tt(e),i)}hashName(){return"BLAKE2s"}hash(t){return E.digest(t)}hashBlocklen(){return E.BLOCKLEN}}});t.AEAD=g,t.BLAKE2=U,t.ChaCha20=n,t.Noise=x,t.NoiseProfiles=et,t.Patterns=C,t.Poly1305=o,t.Random=I,t.X25519=Q}));
+!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof define&&define.amd?define(["exports"],e):e((t="undefined"!=typeof globalThis?globalThis:t||self).SaltyCrypto={})}(this,(function(t){"use strict";function e(t,e){return t<<e|t>>>32-e}function s(t,s,i,h,r){t[s]+=t[i],t[r]^=t[s],t[r]=e(t[r],16),t[h]+=t[r],t[i]^=t[h],t[i]=e(t[i],12),t[s]+=t[i],t[r]^=t[s],t[r]=e(t[r],8),t[h]+=t[r],t[i]^=t[h],t[i]=e(t[i],7)}function i(t,e,s,i){t[0]+=1634760805,t[1]+=857760878,t[2]+=2036477234,t[3]+=1797285236,t[4]+=e.getUint32(0,!0),t[5]+=e.getUint32(4,!0),t[6]+=e.getUint32(8,!0),t[7]+=e.getUint32(12,!0),t[8]+=e.getUint32(16,!0),t[9]+=e.getUint32(20,!0),t[10]+=e.getUint32(24,!0),t[11]+=e.getUint32(28,!0),t[12]+=s,t[13]+=i.getUint32(0,!0),t[14]+=i.getUint32(4,!0),t[15]+=i.getUint32(8,!0)}function h(t,e,h){const r=new Uint32Array(16);i(r,t,e,h);for(let t=0;t<20;t+=2)s(r,0,4,8,12),s(r,1,5,9,13),s(r,2,6,10,14),s(r,3,7,11,15),s(r,0,5,10,15),s(r,1,6,11,12),s(r,2,7,8,13),s(r,3,4,9,14);return i(r,t,e,h),r}const r={NAME:"chacha20",KEYBYTES:32,NONCEBYTES:12,BLOCKBYTES:64,stream_xor(t,e,s,i,n=0,a=s.byteLength){const o=function(t){const e=new DataView(new ArrayBuffer(r.NONCEBYTES));return e.setUint32(0,t.extra,!0),e.setUint32(4,t.lo,!0),e.setUint32(8,t.hi,!0),e}(e),l=a>>6,c=63&a;for(let e=0;e<l;e++){const r=h(t,n+e,o);for(let t=0;t<64;t++)i[(e<<6)+t]=s[(e<<6)+t]^r[t>>2]>>((3&t)<<3)}if(0!==c){const e=h(t,n+l,o);for(let t=0;t<c;t++)i[(l<<6)+t]=s[(l<<6)+t]^e[t>>2]>>((3&t)<<3)}}};var n,a=Object.freeze({__proto__:null,ChaCha20:r,chacha20_block:h,chacha20_quarter_round:s});const o=(n=class t{static digest(e,s,i){const h=new t(s,i);return h.update(e),h.final()}constructor(e,s){if(this.buffer=new Uint8Array(16),this.r=new Uint16Array(10),this.h=new Uint16Array(10),this.pad=new Uint16Array(8),this.leftover=0,this.fin=0,!e)throw new Error("Poly1305: key required");if((null!=s?s:t.OUTBYTES)!==t.OUTBYTES)throw new Error("Poly1305: outlen != OUTBYTES");const i=255&e[0]|(255&e[1])<<8;this.r[0]=8191&i;const h=255&e[2]|(255&e[3])<<8;this.r[1]=8191&(i>>>13|h<<3);const r=255&e[4]|(255&e[5])<<8;this.r[2]=7939&(h>>>10|r<<6);const n=255&e[6]|(255&e[7])<<8;this.r[3]=8191&(r>>>7|n<<9);const a=255&e[8]|(255&e[9])<<8;this.r[4]=255&(n>>>4|a<<12),this.r[5]=a>>>1&8190;const o=255&e[10]|(255&e[11])<<8;this.r[6]=8191&(a>>>14|o<<2);const l=255&e[12]|(255&e[13])<<8;this.r[7]=8065&(o>>>11|l<<5);const c=255&e[14]|(255&e[15])<<8;this.r[8]=8191&(l>>>8|c<<8),this.r[9]=c>>>5&127,this.pad[0]=255&e[16]|(255&e[17])<<8,this.pad[1]=255&e[18]|(255&e[19])<<8,this.pad[2]=255&e[20]|(255&e[21])<<8,this.pad[3]=255&e[22]|(255&e[23])<<8,this.pad[4]=255&e[24]|(255&e[25])<<8,this.pad[5]=255&e[26]|(255&e[27])<<8,this.pad[6]=255&e[28]|(255&e[29])<<8,this.pad[7]=255&e[30]|(255&e[31])<<8}blocks(t,e,s){const i=this.fin?0:2048;let h=this.h[0],r=this.h[1],n=this.h[2],a=this.h[3],o=this.h[4],l=this.h[5],c=this.h[6],u=this.h[7],f=this.h[8],y=this.h[9],p=this.r[0],d=this.r[1],m=this.r[2],g=this.r[3],K=this.r[4],b=this.r[5],w=this.r[6],E=this.r[7],_=this.r[8],A=this.r[9];for(;s>=16;){const M=255&t[e+0]|(255&t[e+1])<<8;h+=8191&M;const U=255&t[e+2]|(255&t[e+3])<<8;r+=8191&(M>>>13|U<<3);const v=255&t[e+4]|(255&t[e+5])<<8;n+=8191&(U>>>10|v<<6);const S=255&t[e+6]|(255&t[e+7])<<8;a+=8191&(v>>>7|S<<9);const N=255&t[e+8]|(255&t[e+9])<<8;o+=8191&(S>>>4|N<<12),l+=N>>>1&8191;const L=255&t[e+10]|(255&t[e+11])<<8;c+=8191&(N>>>14|L<<2);const k=255&t[e+12]|(255&t[e+13])<<8;u+=8191&(L>>>11|k<<5);const x=255&t[e+14]|(255&t[e+15])<<8;f+=8191&(k>>>8|x<<8),y+=x>>>5|i;let T=0,B=T;B+=h*p,B+=r*(5*A),B+=n*(5*_),B+=a*(5*E),B+=o*(5*w),T=B>>>13,B&=8191,B+=l*(5*b),B+=c*(5*K),B+=u*(5*g),B+=f*(5*m),B+=y*(5*d),T+=B>>>13,B&=8191;let P=T;P+=h*d,P+=r*p,P+=n*(5*A),P+=a*(5*_),P+=o*(5*E),T=P>>>13,P&=8191,P+=l*(5*w),P+=c*(5*b),P+=u*(5*K),P+=f*(5*g),P+=y*(5*m),T+=P>>>13,P&=8191;let O=T;O+=h*m,O+=r*d,O+=n*p,O+=a*(5*A),O+=o*(5*_),T=O>>>13,O&=8191,O+=l*(5*E),O+=c*(5*w),O+=u*(5*b),O+=f*(5*K),O+=y*(5*g),T+=O>>>13,O&=8191;let C=T;C+=h*g,C+=r*m,C+=n*d,C+=a*p,C+=o*(5*A),T=C>>>13,C&=8191,C+=l*(5*_),C+=c*(5*E),C+=u*(5*w),C+=f*(5*b),C+=y*(5*K),T+=C>>>13,C&=8191;let H=T;H+=h*K,H+=r*g,H+=n*m,H+=a*d,H+=o*p,T=H>>>13,H&=8191,H+=l*(5*A),H+=c*(5*_),H+=u*(5*E),H+=f*(5*w),H+=y*(5*b),T+=H>>>13,H&=8191;let X=T;X+=h*b,X+=r*K,X+=n*g,X+=a*m,X+=o*d,T=X>>>13,X&=8191,X+=l*p,X+=c*(5*A),X+=u*(5*_),X+=f*(5*E),X+=y*(5*w),T+=X>>>13,X&=8191;let Y=T;Y+=h*w,Y+=r*b,Y+=n*K,Y+=a*g,Y+=o*m,T=Y>>>13,Y&=8191,Y+=l*d,Y+=c*p,Y+=u*(5*A),Y+=f*(5*_),Y+=y*(5*E),T+=Y>>>13,Y&=8191;let I=T;I+=h*E,I+=r*w,I+=n*b,I+=a*K,I+=o*g,T=I>>>13,I&=8191,I+=l*m,I+=c*d,I+=u*p,I+=f*(5*A),I+=y*(5*_),T+=I>>>13,I&=8191;let z=T;z+=h*_,z+=r*E,z+=n*w,z+=a*b,z+=o*K,T=z>>>13,z&=8191,z+=l*g,z+=c*m,z+=u*d,z+=f*p,z+=y*(5*A),T+=z>>>13,z&=8191;let j=T;j+=h*A,j+=r*_,j+=n*E,j+=a*w,j+=o*b,T=j>>>13,j&=8191,j+=l*K,j+=c*g,j+=u*m,j+=f*d,j+=y*p,T+=j>>>13,j&=8191,T=(T<<2)+T|0,T=T+B|0,B=8191&T,T>>>=13,P+=T,h=B,r=P,n=O,a=C,o=H,l=X,c=Y,u=I,f=z,y=j,e+=16,s-=16}this.h[0]=h,this.h[1]=r,this.h[2]=n,this.h[3]=a,this.h[4]=o,this.h[5]=l,this.h[6]=c,this.h[7]=u,this.h[8]=f,this.h[9]=y}final(e){if(e||(e=new Uint8Array(t.OUTBYTES)),this.leftover){let t=this.leftover;for(this.buffer[t++]=1;t<16;t++)this.buffer[t]=0;this.fin=1,this.blocks(this.buffer,0,16)}let s=this.h[1]>>>13;this.h[1]&=8191;for(let t=2;t<10;t++)this.h[t]+=s,s=this.h[t]>>>13,this.h[t]&=8191;this.h[0]+=5*s,s=this.h[0]>>>13,this.h[0]&=8191,this.h[1]+=s,s=this.h[1]>>>13,this.h[1]&=8191,this.h[2]+=s;const i=new Uint16Array(10);i[0]=this.h[0]+5,s=i[0]>>>13,i[0]&=8191;for(let t=1;t<10;t++)i[t]=this.h[t]+s,s=i[t]>>>13,i[t]&=8191;i[9]-=8192;let h=(1^s)-1;for(let t=0;t<10;t++)i[t]&=h;h=~h;for(let t=0;t<10;t++)this.h[t]=this.h[t]&h|i[t];this.h[0]=65535&(this.h[0]|this.h[1]<<13),this.h[1]=65535&(this.h[1]>>>3|this.h[2]<<10),this.h[2]=65535&(this.h[2]>>>6|this.h[3]<<7),this.h[3]=65535&(this.h[3]>>>9|this.h[4]<<4),this.h[4]=65535&(this.h[4]>>>12|this.h[5]<<1|this.h[6]<<14),this.h[5]=65535&(this.h[6]>>>2|this.h[7]<<11),this.h[6]=65535&(this.h[7]>>>5|this.h[8]<<8),this.h[7]=65535&(this.h[8]>>>8|this.h[9]<<5);let r=this.h[0]+this.pad[0];this.h[0]=65535&r;for(let t=1;t<8;t++)r=(this.h[t]+this.pad[t]|0)+(r>>>16)|0,this.h[t]=65535&r;return e[0]=this.h[0]>>>0&255,e[1]=this.h[0]>>>8&255,e[2]=this.h[1]>>>0&255,e[3]=this.h[1]>>>8&255,e[4]=this.h[2]>>>0&255,e[5]=this.h[2]>>>8&255,e[6]=this.h[3]>>>0&255,e[7]=this.h[3]>>>8&255,e[8]=this.h[4]>>>0&255,e[9]=this.h[4]>>>8&255,e[10]=this.h[5]>>>0&255,e[11]=this.h[5]>>>8&255,e[12]=this.h[6]>>>0&255,e[13]=this.h[6]>>>8&255,e[14]=this.h[7]>>>0&255,e[15]=this.h[7]>>>8&255,e}update(t,e=0,s=t.byteLength){if(this.leftover){let i=16-this.leftover;i>s&&(i=s);for(let s=0;s<i;s++)this.buffer[this.leftover+s]=t[e+s];if(s-=i,e+=i,this.leftover+=i,this.leftover<16)return;this.blocks(this.buffer,0,16),this.leftover=0}if(s>=16){const i=s-s%16;this.blocks(t,e,i),e+=i,s-=i}if(s){for(let i=0;i<s;i++)this.buffer[this.leftover+i]=t[e+i];this.leftover+=s}}},n.NAME="Poly1305",n.KEYBYTES=32,n.OUTBYTES=16,n.BLOCKLEN=16,n);var l=Object.freeze({__proto__:null,Poly1305:o});function c(t,e,s){return 0===function(t,e,s){let i=0;for(let h=0;h<s;h++)i|=t[h]^e[h];return(1&i-1>>>8)-1}(t,e,s)}function u(t,e){const s=Math.min(t.byteLength,e.byteLength),i=new Uint8Array(s);for(let h=0;h<s;h++)i[h]=t[h]^e[h];return i}function f(t,e){const s=new Uint8Array(t.byteLength+e.byteLength);return s.set(t,0),s.set(e,t.byteLength),s}const y=new Uint8Array(0);var p=Object.freeze({__proto__:null,EMPTY:y,append:f,equal:c,xor:u});const d=new Uint8Array(16);function m(t,e){const s=15&e;0!==s&&t.update(d,0,16-s)}function g(t,e,s,i,h,n){const a=new Uint8Array(o.KEYBYTES);r.stream_xor(e,s,a,a,0);const l=new o(a);void 0!==n&&(l.update(n,0,n.byteLength),m(l,n.byteLength)),l.update(i,0,h),m(l,h);const c=new Uint8Array(16),u=new DataView(c.buffer);void 0!==n&&u.setUint32(0,n.byteLength,!0),u.setUint32(8,h,!0),l.update(c,0,c.byteLength),l.final(t)}const K={NAME:"ChaChaPoly",KEYBYTES:32,NONCEBYTES:12,TAGBYTES:16,encrypt_detached(t,e,s,i,h,n,a){r.stream_xor(h,n,t,e,1,s),g(i,h,n,e,s,a)},encrypt:E,decrypt_detached(t,e,s,i,h,n,a){const o=new Uint8Array(this.TAGBYTES);g(o,h,n,e,s,a);const l=c(o,i,o.byteLength);return l&&r.stream_xor(h,n,e,t,1,s),l},decrypt:_};var b=Object.freeze({__proto__:null,ChaCha20Poly1305_RFC8439:K});class w extends Error{}function E(t,e,s,i){const h=new Uint8Array(t.byteLength+this.TAGBYTES);return this.encrypt_detached(t,h,t.byteLength,h.subarray(t.byteLength),e,s,i),h}function _(t,e,s,i){const h=new Uint8Array(t.byteLength-this.TAGBYTES);if(!this.decrypt_detached(h,t,h.byteLength,t.subarray(h.byteLength),e,s,i))throw new w("AEAD authentication failed");return h}const A=(()=>{var t="undefined"!=typeof self?self.crypto||self.msCrypto:null;if(t&&t.getRandomValues){const e=65536;return(s,i)=>{for(let h=0;h<i;h+=e)t.getRandomValues(s.subarray(h,h+Math.min(i-h,e)))}}if("undefined"!=typeof require&&(t=require("crypto"))&&t.randomBytes)return(e,s)=>e.set(t.randomBytes(s));throw new Error("No usable randomness source found")})();function M(t){const e=new Uint8Array(t);return A(e,t),e}function U(){return new Float64Array(16)}const v=new Uint8Array(32);v[0]=9;const S=U();function N(t){let e=1;for(let s=0;s<16;s++){const i=t[s]+e+65535;e=Math.floor(i/65536),t[s]=i-65536*e}t[0]+=e-1+37*(e-1)}function L(t,e,s){const i=~(s-1);for(let s=0;s<16;s++){const h=i&(t[s]^e[s]);t[s]^=h,e[s]^=h}}function k(t,e,s){for(let i=0;i<16;i++)t[i]=e[i]+s[i]}function x(t,e,s){for(let i=0;i<16;i++)t[i]=e[i]-s[i]}function T(t,e,s){let i=0,h=0,r=0,n=0,a=0,o=0,l=0,c=0,u=0,f=0,y=0,p=0,d=0,m=0,g=0,K=0,b=0,w=0,E=0,_=0,A=0,M=0,U=0,v=0,S=0,N=0,L=0,k=0,x=0,T=0,B=0;const P=s[0],O=s[1],C=s[2],H=s[3],X=s[4],Y=s[5],I=s[6],z=s[7],j=s[8],D=s[9],R=s[10],V=s[11],F=s[12],$=s[13],q=s[14],G=s[15];let W=e[0];i+=W*P,h+=W*O,r+=W*C,n+=W*H,a+=W*X,o+=W*Y,l+=W*I,c+=W*z,u+=W*j,f+=W*D,y+=W*R,p+=W*V,d+=W*F,m+=W*$,g+=W*q,K+=W*G,W=e[1],h+=W*P,r+=W*O,n+=W*C,a+=W*H,o+=W*X,l+=W*Y,c+=W*I,u+=W*z,f+=W*j,y+=W*D,p+=W*R,d+=W*V,m+=W*F,g+=W*$,K+=W*q,b+=W*G,W=e[2],r+=W*P,n+=W*O,a+=W*C,o+=W*H,l+=W*X,c+=W*Y,u+=W*I,f+=W*z,y+=W*j,p+=W*D,d+=W*R,m+=W*V,g+=W*F,K+=W*$,b+=W*q,w+=W*G,W=e[3],n+=W*P,a+=W*O,o+=W*C,l+=W*H,c+=W*X,u+=W*Y,f+=W*I,y+=W*z,p+=W*j,d+=W*D,m+=W*R,g+=W*V,K+=W*F,b+=W*$,w+=W*q,E+=W*G,W=e[4],a+=W*P,o+=W*O,l+=W*C,c+=W*H,u+=W*X,f+=W*Y,y+=W*I,p+=W*z,d+=W*j,m+=W*D,g+=W*R,K+=W*V,b+=W*F,w+=W*$,E+=W*q,_+=W*G,W=e[5],o+=W*P,l+=W*O,c+=W*C,u+=W*H,f+=W*X,y+=W*Y,p+=W*I,d+=W*z,m+=W*j,g+=W*D,K+=W*R,b+=W*V,w+=W*F,E+=W*$,_+=W*q,A+=W*G,W=e[6],l+=W*P,c+=W*O,u+=W*C,f+=W*H,y+=W*X,p+=W*Y,d+=W*I,m+=W*z,g+=W*j,K+=W*D,b+=W*R,w+=W*V,E+=W*F,_+=W*$,A+=W*q,M+=W*G,W=e[7],c+=W*P,u+=W*O,f+=W*C,y+=W*H,p+=W*X,d+=W*Y,m+=W*I,g+=W*z,K+=W*j,b+=W*D,w+=W*R,E+=W*V,_+=W*F,A+=W*$,M+=W*q,U+=W*G,W=e[8],u+=W*P,f+=W*O,y+=W*C,p+=W*H,d+=W*X,m+=W*Y,g+=W*I,K+=W*z,b+=W*j,w+=W*D,E+=W*R,_+=W*V,A+=W*F,M+=W*$,U+=W*q,v+=W*G,W=e[9],f+=W*P,y+=W*O,p+=W*C,d+=W*H,m+=W*X,g+=W*Y,K+=W*I,b+=W*z,w+=W*j,E+=W*D,_+=W*R,A+=W*V,M+=W*F,U+=W*$,v+=W*q,S+=W*G,W=e[10],y+=W*P,p+=W*O,d+=W*C,m+=W*H,g+=W*X,K+=W*Y,b+=W*I,w+=W*z,E+=W*j,_+=W*D,A+=W*R,M+=W*V,U+=W*F,v+=W*$,S+=W*q,N+=W*G,W=e[11],p+=W*P,d+=W*O,m+=W*C,g+=W*H,K+=W*X,b+=W*Y,w+=W*I,E+=W*z,_+=W*j,A+=W*D,M+=W*R,U+=W*V,v+=W*F,S+=W*$,N+=W*q,L+=W*G,W=e[12],d+=W*P,m+=W*O,g+=W*C,K+=W*H,b+=W*X,w+=W*Y,E+=W*I,_+=W*z,A+=W*j,M+=W*D,U+=W*R,v+=W*V,S+=W*F,N+=W*$,L+=W*q,k+=W*G,W=e[13],m+=W*P,g+=W*O,K+=W*C,b+=W*H,w+=W*X,E+=W*Y,_+=W*I,A+=W*z,M+=W*j,U+=W*D,v+=W*R,S+=W*V,N+=W*F,L+=W*$,k+=W*q,x+=W*G,W=e[14],g+=W*P,K+=W*O,b+=W*C,w+=W*H,E+=W*X,_+=W*Y,A+=W*I,M+=W*z,U+=W*j,v+=W*D,S+=W*R,N+=W*V,L+=W*F,k+=W*$,x+=W*q,T+=W*G,W=e[15],K+=W*P,b+=W*O,w+=W*C,E+=W*H,_+=W*X,A+=W*Y,M+=W*I,U+=W*z,v+=W*j,S+=W*D,N+=W*R,L+=W*V,k+=W*F,x+=W*$,T+=W*q,B+=W*G,i+=38*b,h+=38*w,r+=38*E,n+=38*_,a+=38*A,o+=38*M,l+=38*U,c+=38*v,u+=38*S,f+=38*N,y+=38*L,p+=38*k,d+=38*x,m+=38*T,g+=38*B;let Z=1;W=i+Z+65535,Z=Math.floor(W/65536),i=W-65536*Z,W=h+Z+65535,Z=Math.floor(W/65536),h=W-65536*Z,W=r+Z+65535,Z=Math.floor(W/65536),r=W-65536*Z,W=n+Z+65535,Z=Math.floor(W/65536),n=W-65536*Z,W=a+Z+65535,Z=Math.floor(W/65536),a=W-65536*Z,W=o+Z+65535,Z=Math.floor(W/65536),o=W-65536*Z,W=l+Z+65535,Z=Math.floor(W/65536),l=W-65536*Z,W=c+Z+65535,Z=Math.floor(W/65536),c=W-65536*Z,W=u+Z+65535,Z=Math.floor(W/65536),u=W-65536*Z,W=f+Z+65535,Z=Math.floor(W/65536),f=W-65536*Z,W=y+Z+65535,Z=Math.floor(W/65536),y=W-65536*Z,W=p+Z+65535,Z=Math.floor(W/65536),p=W-65536*Z,W=d+Z+65535,Z=Math.floor(W/65536),d=W-65536*Z,W=m+Z+65535,Z=Math.floor(W/65536),m=W-65536*Z,W=g+Z+65535,Z=Math.floor(W/65536),g=W-65536*Z,W=K+Z+65535,Z=Math.floor(W/65536),K=W-65536*Z,i+=Z-1+37*(Z-1),Z=1,W=i+Z+65535,Z=Math.floor(W/65536),i=W-65536*Z,W=h+Z+65535,Z=Math.floor(W/65536),h=W-65536*Z,W=r+Z+65535,Z=Math.floor(W/65536),r=W-65536*Z,W=n+Z+65535,Z=Math.floor(W/65536),n=W-65536*Z,W=a+Z+65535,Z=Math.floor(W/65536),a=W-65536*Z,W=o+Z+65535,Z=Math.floor(W/65536),o=W-65536*Z,W=l+Z+65535,Z=Math.floor(W/65536),l=W-65536*Z,W=c+Z+65535,Z=Math.floor(W/65536),c=W-65536*Z,W=u+Z+65535,Z=Math.floor(W/65536),u=W-65536*Z,W=f+Z+65535,Z=Math.floor(W/65536),f=W-65536*Z,W=y+Z+65535,Z=Math.floor(W/65536),y=W-65536*Z,W=p+Z+65535,Z=Math.floor(W/65536),p=W-65536*Z,W=d+Z+65535,Z=Math.floor(W/65536),d=W-65536*Z,W=m+Z+65535,Z=Math.floor(W/65536),m=W-65536*Z,W=g+Z+65535,Z=Math.floor(W/65536),g=W-65536*Z,W=K+Z+65535,Z=Math.floor(W/65536),K=W-65536*Z,i+=Z-1+37*(Z-1),t[0]=i,t[1]=h,t[2]=r,t[3]=n,t[4]=a,t[5]=o,t[6]=l,t[7]=c,t[8]=u,t[9]=f,t[10]=y,t[11]=p,t[12]=d,t[13]=m,t[14]=g,t[15]=K}function B(t,e){T(t,e,e)}function P(t,e,s){const i=new Uint8Array(32),h=new Float64Array(80),r=U(),n=U(),a=U(),o=U(),l=U(),c=U();for(let t=0;t<31;t++)i[t]=e[t];i[31]=127&e[31]|64,i[0]&=248,function(t,e){for(let s=0;s<16;s++)t[s]=e[2*s]+(e[2*s+1]<<8);t[15]&=32767}(h,s);for(let t=0;t<16;t++)n[t]=h[t],o[t]=r[t]=a[t]=0;r[0]=o[0]=1;for(let t=254;t>=0;--t){const e=i[t>>>3]>>>(7&t)&1;L(r,n,e),L(a,o,e),k(l,r,a),x(r,r,a),k(a,n,o),x(n,n,o),B(o,l),B(c,r),T(r,a,r),T(a,n,l),k(l,r,a),x(r,r,a),B(n,r),x(a,o,c),T(r,a,S),k(r,r,o),T(a,a,r),T(r,o,c),T(o,n,h),B(n,l),L(r,n,e),L(a,o,e)}for(let t=0;t<16;t++)h[t+16]=r[t],h[t+32]=a[t],h[t+48]=n[t],h[t+64]=o[t];const u=h.subarray(32),f=h.subarray(16);!function(t,e){const s=U();for(let t=0;t<16;t++)s[t]=e[t];for(let t=253;t>=0;t--)B(s,s),2!==t&&4!==t&&T(s,s,e);for(let e=0;e<16;e++)t[e]=s[e]}(u,u),T(f,f,u),function(t,e){const s=U(),i=U();for(let t=0;t<16;t++)i[t]=e[t];N(i),N(i),N(i);for(let t=0;t<2;t++){s[0]=i[0]-65517;for(let t=1;t<15;t++)s[t]=i[t]-65535-(s[t-1]>>16&1),s[t-1]&=65535;s[15]=i[15]-32767-(s[14]>>16&1);const t=s[15]>>16&1;s[14]&=65535,L(i,s,1-t)}for(let e=0;e<16;e++)t[2*e]=255&i[e],t[2*e+1]=i[e]>>8}(t,f)}function O(t,e){P(t,e,v)}function C(t,e){if(32!==t.length)throw new Error("bad n size");if(32!==e.length)throw new Error("bad p size");const s=new Uint8Array(32);return P(s,t,e),s}function H(t){if(32!==t.length)throw new Error("bad n size");const e=new Uint8Array(32);return O(e,t),e}S[0]=56129,S[1]=1,C.scalarLength=32,C.groupElementLength=32;var X=Object.freeze({__proto__:null,crypto_scalarmult:P,crypto_scalarmult_BYTES:32,crypto_scalarmult_SCALARBYTES:32,crypto_scalarmult_base:O,scalarMult:C,scalarMultBase:H});const Y={NAME:"25519",DHLEN:C.groupElementLength,generateKeypair(){const t=M(C.scalarLength);return{public:H(t),secret:t}},dh:(t,e)=>C(t.secret,e)};var I;function z(t,e){return t>>>e|t<<32-e}function j(t,e,s,i,h,r,n){t[e]=t[e]+t[s]+r,t[h]=z(t[h]^t[e],16),t[i]=t[i]+t[h],t[s]=z(t[s]^t[i],12),t[e]=t[e]+t[s]+n,t[h]=z(t[h]^t[e],8),t[i]=t[i]+t[h],t[s]=z(t[s]^t[i],7)}const D=Uint32Array.from([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),R=Uint8Array.from([0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,14,10,4,8,9,15,13,6,1,12,0,2,11,7,5,3,11,8,12,0,5,2,15,13,10,14,3,6,7,1,9,4,7,9,3,1,13,12,11,14,2,6,5,10,4,0,15,8,9,0,5,7,2,4,10,15,14,1,11,12,6,8,3,13,2,12,6,10,0,11,8,3,4,13,7,5,15,14,1,9,12,5,1,15,14,13,4,10,0,7,6,3,9,2,8,11,13,11,7,14,12,1,3,9,5,0,15,4,8,6,2,10,6,15,14,9,11,3,0,8,12,2,13,7,1,4,10,5,10,2,8,4,7,6,1,5,15,11,9,14,3,12,13,0]);function V(t,e){return R[(t<<4)+e]}const F=(I=class t{static digest(e,s,i){const h=new t(s,i);return h.update(e),h.final()}constructor(e,s=t.OUTBYTES){var i;this.outlen=s,this.b=new Uint8Array(64),this.bv=new DataView(this.b.buffer),this.h=Uint32Array.from(D),this.t=new Uint32Array(2),this.c=0;const h=null!==(i=null==e?void 0:e.byteLength)&&void 0!==i?i:0;if(0==s||s>32||h>32)throw new Error("illegal BLAKE2s parameter length(s)");this.h[0]^=16842752^h<<8^s,e&&h>0&&(this.update(e),this.c=64)}update(t,e=0,s=t.byteLength){for(let i=e;i<e+s;i++)64==this.c&&(this.t[0]+=this.c,this.t[0]<this.c&&this.t[1]++,this.compress(!1),this.c=0),this.b[this.c++]=t[i]}final(t){for(this.t[0]+=this.c,this.t[0]<this.c&&this.t[1]++;this.c<64;)this.b[this.c++]=0;this.compress(!0),void 0===t&&(t=new Uint8Array(this.outlen));for(let e=0;e<this.outlen;e++)t[e]=this.h[e>>2]>>8*(3&e)&255;return t}compress(t){const e=new Uint32Array(16),s=new Uint32Array(16);for(let t=0;t<8;t++)e[t]=this.h[t],e[t+8]=D[t];e[12]^=this.t[0],e[13]^=this.t[1],t&&(e[14]=~e[14]);for(let t=0;t<16;t++)s[t]=this.bv.getUint32(t<<2,!0);for(let t=0;t<10;t++)j(e,0,4,8,12,s[V(t,0)],s[V(t,1)]),j(e,1,5,9,13,s[V(t,2)],s[V(t,3)]),j(e,2,6,10,14,s[V(t,4)],s[V(t,5)]),j(e,3,7,11,15,s[V(t,6)],s[V(t,7)]),j(e,0,5,10,15,s[V(t,8)],s[V(t,9)]),j(e,1,6,11,12,s[V(t,10)],s[V(t,11)]),j(e,2,7,8,13,s[V(t,12)],s[V(t,13)]),j(e,3,4,9,14,s[V(t,14)],s[V(t,15)]);for(let t=0;t<8;t++)this.h[t]^=e[t]^e[t+8]}},I.NAME="BLAKE2s",I.KEYBYTES=32,I.OUTBYTES=32,I.BLOCKLEN=64,I);var $=Object.freeze({__proto__:null,BLAKE2s:F});function q(t){return function(e,s,i){const h=t(e,s),r=t(h,Uint8Array.from([1])),n=t(h,f(r,Uint8Array.from([2])));switch(i){case 2:return[r,n];case 3:return[r,n,t(h,f(n,Uint8Array.from([3])))]}}}function G(t){const e=new Uint8Array(t.BLOCKLEN);e.fill(54);const s=new Uint8Array(t.BLOCKLEN);s.fill(92);const i=(i,h)=>{const r=i.byteLength>t.BLOCKLEN?t.digest(i):i,n=f(r,new Uint8Array(t.BLOCKLEN-r.byteLength));return t.digest(f(u(n,s),t.digest(f(u(n,e),h))))};return i.NAME="HMAC-"+t.NAME,i}function W(t,e){const s=new RegExp(`^Noise_([A-Za-z0-9+]+)_${t.dh.NAME}_${t.aead.NAME}_${t.hash.NAME}$`).exec(e);return null===s?null:s[1]}var Z=Object.freeze({__proto__:null,matchPattern:W});class J{constructor(t=0,e=0,s=0){this.lo=t,this.hi=e,this.extra=s}increment(){const t=this.lo,e=t+1|0;this.lo=e,e<t&&(this.hi=this.hi+1|0)}reset(t=0,e=0,s=0){this.lo=t,this.hi=e,this.extra=s}static get MAX(){return new J(4294967295,4294967295)}}function Q(t){return e=>new DataView(t.encrypt(new Uint8Array(32),e,J.MAX).buffer)}var tt=Object.freeze({__proto__:null,makeRekey:Q});class et{constructor(t,e){this.algorithms=t,this.view=null,this.nonce=new J,void 0!==e&&(this.view=new DataView(e.buffer))}encrypt(t,e){if(null===this.view)return t;const s=this.algorithms.aead.encrypt(t,this.view,this.nonce,e);return this.nonce.increment(),s}decrypt(t,e){if(null===this.view)return t;const s=this.algorithms.aead.decrypt(t,this.view,this.nonce,e);return this.nonce.increment(),s}rekey(){var t;null!==this.view&&(this.view=(null!==(t=this.algorithms.rekey)&&void 0!==t?t:Q(this.algorithms.aead))(this.view))}}var st=Object.freeze({__proto__:null,CipherState:et});class it{constructor(t,e,s,i={}){var h,r,n,a,o,l,c;this.algorithms=t,this.pattern=e,this.role=s,this.stepIndex=0,this.staticKeypair=null!==(h=i.staticKeypair)&&void 0!==h?h:this.algorithms.dh.generateKeypair(),this.remoteStaticPublicKey=null!==(r=i.remoteStaticPublicKey)&&void 0!==r?r:null,this.ephemeralKeypair=null!==(n=i.pregeneratedEphemeralKeypair)&&void 0!==n?n:this.algorithms.dh.generateKeypair(),this.remoteEphemeralPublicKey=null!==(a=i.remotePregeneratedEphemeralPublicKey)&&void 0!==a?a:null,this.preSharedKeys=i.preSharedKeys,this.preSharedKeys&&(this.preSharedKeys=this.preSharedKeys.slice(),0===this.preSharedKeys.length&&(this.preSharedKeys=void 0));const u=(new TextEncoder).encode("Noise_"+this.pattern.name+"_"+this.algorithms.dh.NAME+"_"+this.algorithms.aead.NAME+"_"+this.algorithms.hash.NAME);this.cipherState=new et(this.algorithms);{const t=this.algorithms.hash.OUTBYTES,e=u.byteLength>t?this.algorithms.hash.digest(u):u;this.chainingKey=f(e,new Uint8Array(t-e.byteLength))}this.handshakeHash=this.chainingKey,this.mixHash(null!==(o=i.prologue)&&void 0!==o?o:y),this.pattern.initiatorPreMessage.forEach((t=>this.mixHash("e"===t?this.isInitiator?this.ephemeralKeypair.public:this.remoteEphemeralPublicKey:this.isInitiator?this.staticKeypair.public:this.remoteStaticPublicKey))),this.pattern.responderPreMessage.forEach((t=>this.mixHash("e"===t?this.isInitiator?this.remoteEphemeralPublicKey:this.ephemeralKeypair.public:this.isInitiator?this.remoteStaticPublicKey:this.staticKeypair.public))),this.hkdf=null!==(l=this.algorithms.hkdf)&&void 0!==l?l:q(null!==(c=this.algorithms.hmac)&&void 0!==c?c:G(this.algorithms.hash))}get isInitiator(){return"initiator"===this.role}mixHash(t){this.handshakeHash=this.algorithms.hash.digest(f(this.handshakeHash,t))}mixKey(t){const[e,s]=this.hkdf(this.chainingKey,t,2);this.chainingKey=e,this.cipherState=new et(this.algorithms,s)}mixKeyAndHashNextPSK(){const t=this.preSharedKeys.shift(),[e,s,i]=this.hkdf(this.chainingKey,t,3);this.chainingKey=e,this.mixHash(s),this.cipherState=new et(this.algorithms,i)}encryptAndHash(t){const e=this.cipherState.encrypt(t,this.handshakeHash);return this.mixHash(e),e}decryptAndHash(t){const e=this.cipherState.decrypt(t,this.handshakeHash);return this.mixHash(t),e}_split(){if(this.stepIndex<this.pattern.messages.length)return null;{let[t,e]=this.hkdf(this.chainingKey,y,2).map((t=>new et(this.algorithms,t)));return this.isInitiator?{send:t,recv:e}:{send:e,recv:t}}}_nextStep(){if(this.stepIndex>=this.pattern.messages.length)throw new Error("Handshake already complete, cannot continue");return this.pattern.messages[this.stepIndex++]}_processKeyMixToken(t){switch(t){case"ee":this.mixKey(this.algorithms.dh.dh(this.ephemeralKeypair,this.remoteEphemeralPublicKey));break;case"es":this.mixKey(this.isInitiator?this.algorithms.dh.dh(this.ephemeralKeypair,this.remoteStaticPublicKey):this.algorithms.dh.dh(this.staticKeypair,this.remoteEphemeralPublicKey));break;case"se":this.mixKey(this.isInitiator?this.algorithms.dh.dh(this.staticKeypair,this.remoteEphemeralPublicKey):this.algorithms.dh.dh(this.ephemeralKeypair,this.remoteStaticPublicKey));break;case"ss":this.mixKey(this.algorithms.dh.dh(this.staticKeypair,this.remoteStaticPublicKey));break;case"psk":this.mixKeyAndHashNextPSK()}}writeMessage(t){const e=[];let s;if(this._nextStep().forEach((t=>{switch(t){case"e":e.push(this.ephemeralKeypair.public),this.mixHash(this.ephemeralKeypair.public),this.preSharedKeys&&this.mixKey(this.ephemeralKeypair.public);break;case"s":e.push(this.encryptAndHash(this.staticKeypair.public));break;default:this._processKeyMixToken(t)}})),e.push(this.encryptAndHash(t)),1===e.length)s=e[0];else{s=new Uint8Array(e.reduce(((t,e)=>t+e.byteLength),0));let t=0;e.forEach((e=>{s.set(e,t),t+=e.byteLength}))}return{packet:s,finished:this._split()}}readMessage(t){const e=e=>{const s=t.slice(0,e);return t=t.subarray(e),s};this._nextStep().forEach((t=>{switch(t){case"e":this.remoteEphemeralPublicKey=e(this.algorithms.dh.DHLEN),this.mixHash(this.remoteEphemeralPublicKey),this.preSharedKeys&&this.mixKey(this.remoteEphemeralPublicKey);break;case"s":this.remoteStaticPublicKey=this.decryptAndHash(e(this.algorithms.dh.DHLEN+(this.cipherState.view?16:0)));break;default:this._processKeyMixToken(t)}}));return{message:this.decryptAndHash(t),finished:this._split()}}async completeHandshake(t,e,s=(async t=>{}),i=(async()=>new Uint8Array(0))){const h=async()=>{const{packet:e,finished:s}=this.writeMessage(await i());return await t(e),s||r()},r=async()=>{const{message:t,finished:i}=this.readMessage(await e());return await s(t),i||h()};return this.isInitiator?h():r()}}var ht=Object.freeze({__proto__:null,Handshake:it});const rt={};function nt(t,e,s,i){const h={name:t,baseName:t,messages:e,initiatorPreMessage:s,responderPreMessage:i};rt[h.name]=h}function at(t){return 1===t.baseName.length}nt("I1K1",[["e","s"],["e","ee","es"],["se"]],[],["s"]),nt("I1K",[["e","es","s"],["e","ee"],["se"]],[],["s"]),nt("I1N",[["e","s"],["e","ee"],["se"]],[],[]),nt("I1X1",[["e","s"],["e","ee","s"],["se","es"]],[],[]),nt("I1X",[["e","s"],["e","ee","s","es"],["se"]],[],[]),nt("IK1",[["e","s"],["e","ee","se","es"]],[],["s"]),nt("IK",[["e","es","s","ss"],["e","ee","se"]],[],["s"]),nt("IN",[["e","s"],["e","ee","se"]],[],[]),nt("IX1",[["e","s"],["e","ee","se","s"],["es"]],[],[]),nt("IX",[["e","s"],["e","ee","se","s","es"]],[],[]),nt("K1K1",[["e"],["e","ee","es"],["se"]],["s"],["s"]),nt("K1K",[["e","es"],["e","ee"],["se"]],["s"],["s"]),nt("K1N",[["e"],["e","ee"],["se"]],["s"],[]),nt("K1X1",[["e"],["e","ee","s"],["se","es"]],["s"],[]),nt("K1X",[["e"],["e","ee","s","es"],["se"]],["s"],[]),nt("K",[["e","es","ss"]],["s"],["s"]),nt("KK1",[["e"],["e","ee","se","es"]],["s"],["s"]),nt("KK",[["e","es","ss"],["e","ee","se"]],["s"],["s"]),nt("KN",[["e"],["e","ee","se"]],["s"],[]),nt("KX1",[["e"],["e","ee","se","s"],["es"]],["s"],[]),nt("KX",[["e"],["e","ee","se","s","es"]],["s"],[]),nt("N",[["e","es"]],[],["s"]),nt("NK1",[["e"],["e","ee","es"]],[],["s"]),nt("NK",[["e","es"],["e","ee"]],[],["s"]),nt("NN",[["e"],["e","ee"]],[],[]),nt("NX1",[["e"],["e","ee","s"],["es"]],[],[]),nt("NX",[["e"],["e","ee","s","es"]],[],[]),nt("X1K1",[["e"],["e","ee","es"],["s"],["se"]],[],["s"]),nt("X1K",[["e","es"],["e","ee"],["s"],["se"]],[],["s"]),nt("X1N",[["e"],["e","ee"],["s"],["se"]],[],[]),nt("X1X1",[["e"],["e","ee","s"],["es","s"],["se"]],[],[]),nt("X1X",[["e"],["e","ee","s","es"],["s"],["se"]],[],[]),nt("X",[["e","es","s","ss"]],[],["s"]),nt("XK1",[["e"],["e","ee","es"],["s","se"]],[],["s"]),nt("XK",[["e","es"],["e","ee"],["s","se"]],[],["s"]),nt("XN",[["e"],["e","ee"],["s","se"]],[],[]),nt("XX1",[["e"],["e","ee","s"],["es","s","se"]],[],[]),nt("XX",[["e"],["e","ee","s","es"],["s","se"]],[],[]);const ot=/^([NKX]|[NKXI]1?[NKX]1?)([a-z][a-z0-9]*(\+[a-z][a-z0-9]*)*)?$/,lt=/^psk([0-9]+)$/;function ct(t){var e,s,i;const h=ot.exec(t);if(null===h)return null;const r=null!==(s=null===(e=h[2])||void 0===e?void 0:e.split("+"))&&void 0!==s?s:[];let n=null!==(i=rt[h[1]])&&void 0!==i?i:null;return n?(r.forEach((t=>n=n&&function(t,e){const s=lt.exec(e);if(null===s)return null;const i=parseInt(s[1],10),h=t.messages;return Object.assign(Object.assign({},t),{messages:0===i?[["psk",...h[0]],...h.slice(1)]:[...h.slice(0,i-1),[...h[i-1],"psk"],...h.slice(i)]})}(n,t))),n&&Object.assign(Object.assign({},n),{name:t})):null}const ut={dh:Y,aead:K,hash:F};const ft={aead:{chacha20poly1305:b},cipher:{chacha20:a},dh:{x25519:X},hash:{blake2s:$,poly1305:l},noise:{algorithms:Z,cipherstate:st,handshake:ht,patterns:Object.freeze({__proto__:null,PATTERNS:rt,isOneWay:at,lookupPattern:ct}),profiles:Object.freeze({__proto__:null,Noise_25519_ChaChaPoly_BLAKE2s:ut}),rekey:tt}};t.AuthenticationFailure=w,t.BLAKE2s=F,t.Bytes=p,t.ChaCha20=r,t.ChaCha20Poly1305_RFC8439=K,t.CipherState=et,t.Handshake=it,t.INTERNALS=ft,t.Noise_25519_ChaChaPoly_BLAKE2s=ut,t.Nonce=J,t.PATTERNS=rt,t.Poly1305=o,t.X25519=Y,t._decrypt=_,t._encrypt=E,t._randomBytes=A,t.isOneWay=at,t.lookupPattern=ct,t.makeHKDF=q,t.makeHMAC=G,t.matchPattern=W,t.randomBytes=M}));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "salty-crypto",
-  "version": "0.0.5",
+  "version": "0.1.0",
   "description": "Noise Protocol Framework, plus X25519/ChaCha20Poly1305/BLAKE2s code, for browser and node.js",
   "author": "Tony Garnock-Jones <tonyg@leastfixedpoint.com>",
   "homepage": "https://github.com/tonyg/typescript-salty-crypto",

package/speed.ts

@@ -0,0 +1,22 @@
+import { scalarMult } from './x25519';
+import { randomBytes } from './random';
+
+const N = 1000;
+const start = +new Date();
+
+let sum = 0;
+for (let i = 0; i < N; i++) {
+    const sk = randomBytes(32);
+    const pk = randomBytes(32);
+    const dh = scalarMult(sk, pk);
+    sum += dh[0];
+}
+
+const stop = +new Date();
+const delta = (stop - start) / 1000.0;
+
+console.log({
+    sum,
+    delta,
+    rate: N / delta,
+});

package/src/aead/chacha20poly1305.ts

@@ -0,0 +1,85 @@
+/// SPDX-License-Identifier: MIT
+/// SPDX-FileCopyrightText: Copyright © 2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
+
+// RFC-8439 AEAD construction.
+
+import { AEAD, _encrypt, _decrypt } from '../aead';
+import { Nonce } from '../nonce';
+
+import { ChaCha20 } from '../cipher/chacha20';
+import { Poly1305 } from '../hash/poly1305';
+import * as Bytes from '../bytes';
+import { HashAlgorithm } from '../hash';
+
+const PADDING = new Uint8Array(16);
+
+function pad16(p: HashAlgorithm, unpadded_length: number) {
+    const leftover = unpadded_length & 15;
+    if (leftover !== 0) p.update(PADDING, 0, 16 - leftover);
+}
+
+function aead_tag(tag: Uint8Array,
+                  key: DataView,
+                  nonce: Nonce,
+                  ciphertext: Uint8Array,
+                  cipherlength: number,
+                  associated_data?: Uint8Array)
+{
+    const mac_key = new Uint8Array(Poly1305.KEYBYTES);
+    ChaCha20.stream_xor(key, nonce, mac_key, mac_key, 0);
+    const p = new Poly1305(mac_key);
+
+    if (associated_data !== void 0) {
+        p.update(associated_data, 0, associated_data.byteLength);
+        pad16(p, associated_data.byteLength);
+    }
+
+    p.update(ciphertext, 0, cipherlength);
+    pad16(p, cipherlength);
+
+    const L = new Uint8Array(16);
+    const Lv = new DataView(L.buffer);
+    if (associated_data !== void 0) {
+        Lv.setUint32(0, associated_data.byteLength, true);
+    }
+    Lv.setUint32(8, cipherlength, true);
+    p.update(L, 0, L.byteLength);
+
+    p.final(tag);
+}
+
+export const ChaCha20Poly1305_RFC8439: AEAD = {
+    NAME: 'ChaChaPoly',
+    KEYBYTES: 32,
+    NONCEBYTES: 12,
+    TAGBYTES: 16,
+
+    encrypt_detached(plaintext: Uint8Array,
+                     ciphertext: Uint8Array,
+                     messagelength: number,
+                     tag: Uint8Array,
+                     key: DataView,
+                     nonce: Nonce,
+                     associated_data?: Uint8Array): void {
+        ChaCha20.stream_xor(key, nonce, plaintext, ciphertext, 1, messagelength);
+        aead_tag(tag, key, nonce, ciphertext, messagelength, associated_data);
+    },
+
+    encrypt: _encrypt,
+
+    decrypt_detached(plaintext: Uint8Array,
+                     ciphertext: Uint8Array,
+                     messagelength: number,
+                     expected_tag: Uint8Array,
+                     key: DataView,
+                     nonce: Nonce,
+                     associated_data?: Uint8Array): boolean {
+        const actual_tag = new Uint8Array(this.TAGBYTES);
+        aead_tag(actual_tag, key, nonce, ciphertext, messagelength, associated_data);
+        const ok = Bytes.equal(actual_tag, expected_tag, actual_tag.byteLength);
+        if (ok) ChaCha20.stream_xor(key, nonce, ciphertext, plaintext, 1, messagelength);
+        return ok;
+    },
+
+    decrypt: _decrypt,
+};

package/src/aead.ts

@@ -1,73 +1,51 @@
 /// SPDX-License-Identifier: MIT
 /// SPDX-FileCopyrightText: Copyright © 2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
 
-// RFC-8439 AEAD construction.
+import { Nonce } from './nonce';
 
-export const AEAD_CHACHA20_POLY1305_KEYBYTES = 32;
-export const AEAD_CHACHA20_POLY1305_NONCEBYTES = 12;
-export const AEAD_CHACHA20_POLY1305_TAGBYTES = 16;
-
-import { chacha20 } from './chacha20';
-import { Poly1305 } from './poly1305';
-
-const PADDING = new Uint8Array(16);
+export class AuthenticationFailure extends Error {}
 
-function pad16(p: Poly1305, unpadded_length: number) {
-    const leftover = unpadded_length & 15;
-    if (leftover !== 0) p.update(PADDING, 0, 16 - leftover);
+export interface AEAD {
+    readonly NAME: string;
+    readonly KEYBYTES: number;
+    readonly NONCEBYTES: number;
+    readonly TAGBYTES: number;
+
+    encrypt_detached(plaintext: Uint8Array,
+                     ciphertext: Uint8Array,
+                     messagelength: number,
+                     tag: Uint8Array,
+                     key: DataView,
+                     nonce: Nonce,
+                     associated_data?: Uint8Array): void;
+
+    encrypt(plaintext: Uint8Array,
+            key: DataView,
+            nonce: Nonce,
+            associated_data?: Uint8Array): Uint8Array;
+
+    decrypt_detached(plaintext: Uint8Array,
+                     ciphertext: Uint8Array,
+                     messagelength: number,
+                     expected_tag: Uint8Array,
+                     key: DataView,
+                     nonce: Nonce,
+                     associated_data?: Uint8Array): boolean;
+
+    decrypt(ciphertextAndTag: Uint8Array,
+            key: DataView,
+            nonce: Nonce,
+            associated_data?: Uint8Array): Uint8Array;
 }
 
-function aead_tag(tag: Uint8Array,
-                  key: DataView,
-                  nonce: DataView,
-                  ciphertext: Uint8Array,
-                  cipherlength: number,
-                  associated_data?: Uint8Array)
+export function _encrypt(this: AEAD,
+                         plaintext: Uint8Array,
+                         key: DataView,
+                         nonce: Nonce,
+                         associated_data?: Uint8Array): Uint8Array
 {
-    const mac_key = new Uint8Array(Poly1305.KEYBYTES);
-    chacha20(key, nonce, mac_key, mac_key, 0);
-    const p = new Poly1305(mac_key);
-
-    if (associated_data !== void 0) {
-        p.update(associated_data, 0, associated_data.byteLength);
-        pad16(p, associated_data.byteLength);
-    }
-
-    p.update(ciphertext, 0, cipherlength);
-    pad16(p, cipherlength);
-
-    const L = new Uint8Array(16);
-    const Lv = new DataView(L.buffer);
-    if (associated_data !== void 0) {
-        Lv.setUint32(0, associated_data.byteLength, true);
-    }
-    Lv.setUint32(8, cipherlength, true);
-    p.update(L, 0, L.byteLength);
-
-    p.finish(tag, 0);
-}
-
-export function aead_encrypt_detached(
-    plaintext: Uint8Array,
-    ciphertext: Uint8Array,
-    messagelength: number,
-    tag: Uint8Array,
-    key: DataView,
-    nonce: DataView,
-    associated_data?: Uint8Array,
-): void {
-    chacha20(key, nonce, plaintext, ciphertext, 1, messagelength);
-    aead_tag(tag, key, nonce, ciphertext, messagelength, associated_data);
-}
-
-export function aead_encrypt(
-    plaintext: Uint8Array,
-    key: DataView,
-    nonce: DataView,
-    associated_data?: Uint8Array,
-): Uint8Array {
-    const ciphertextAndTag = new Uint8Array(plaintext.byteLength + AEAD_CHACHA20_POLY1305_TAGBYTES);
-    aead_encrypt_detached(plaintext,
+    const ciphertextAndTag = new Uint8Array(plaintext.byteLength + this.TAGBYTES);
+    this.encrypt_detached(plaintext,
                           ciphertextAndTag,
                           plaintext.byteLength,
                           ciphertextAndTag.subarray(plaintext.byteLength),
@@ -77,45 +55,23 @@ export function aead_encrypt(
     return ciphertextAndTag;
 }
 
-// `verify` from nacl-fast.js
-function verify(x: Uint8Array, y: Uint8Array, n: number): number {
-    let d = 0;
-    for (let i = 0; i < n; i++) d |= x[i]^y[i];
-    return (1 & ((d - 1) >>> 8)) - 1;
-}
-
-export function aead_decrypt_detached(plaintext: Uint8Array,
-                                      ciphertext: Uint8Array,
-                                      messagelength: number,
-                                      expected_tag: Uint8Array,
-                                      key: DataView,
-                                      nonce: DataView,
-                                      associated_data?: Uint8Array): boolean
+export function _decrypt(this: AEAD,
+                         ciphertextAndTag: Uint8Array,
+                         key: DataView,
+                         nonce: Nonce,
+                         associated_data?: Uint8Array): Uint8Array
 {
-    const actual_tag = new Uint8Array(AEAD_CHACHA20_POLY1305_TAGBYTES);
-    aead_tag(actual_tag, key, nonce, ciphertext, messagelength, associated_data);
-    const ok = verify(actual_tag, expected_tag, actual_tag.byteLength) === 0;
-    if (ok) chacha20(key, nonce, ciphertext, plaintext, 1, messagelength);
-    return ok;
-}
-
-export class AuthenticationFailure extends Error {}
-
-export function aead_decrypt(
-    ciphertextAndTag: Uint8Array,
-    key: DataView,
-    nonce: DataView,
-    associated_data?: Uint8Array,
-): Uint8Array {
-    const plaintext = new Uint8Array(ciphertextAndTag.byteLength - AEAD_CHACHA20_POLY1305_TAGBYTES);
-    if (!aead_decrypt_detached(plaintext,
+    const plaintext = new Uint8Array(ciphertextAndTag.byteLength - this.TAGBYTES);
+    if (!this.decrypt_detached(plaintext,
                                ciphertextAndTag,
                                plaintext.byteLength,
                                ciphertextAndTag.subarray(plaintext.byteLength),
                                key,
                                nonce,
                                associated_data)) {
-        throw new AuthenticationFailure("ChaCha20Poly1305 AEAD authentication failed");
+        throw new AuthenticationFailure("AEAD authentication failed");
     }
     return plaintext;
 }
+
+export { ChaCha20Poly1305_RFC8439 } from './aead/chacha20poly1305';

package/src/bytes.ts

@@ -0,0 +1,29 @@
+/// SPDX-License-Identifier: MIT
+/// SPDX-FileCopyrightText: Copyright © 2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
+
+// `verify` from nacl-fast.js
+function verify(x: Uint8Array, y: Uint8Array, n: number): number {
+    let d = 0;
+    for (let i = 0; i < n; i++) d |= x[i]^y[i];
+    return (1 & ((d - 1) >>> 8)) - 1;
+}
+
+export function equal(x: Uint8Array, y: Uint8Array, n: number): boolean {
+    return verify(x, y, n) === 0;
+}
+
+export function xor(a: Uint8Array, b: Uint8Array): Uint8Array {
+    const len = Math.min(a.byteLength, b.byteLength);
+    const r = new Uint8Array(len);
+    for (let i = 0; i < len; i++) r[i] = a[i] ^ b[i];
+    return r;
+}
+
+export function append(a: Uint8Array, b: Uint8Array): Uint8Array {
+    const r = new Uint8Array(a.byteLength + b.byteLength);
+    r.set(a, 0);
+    r.set(b, a.byteLength);
+    return r;
+}
+
+export const EMPTY = new Uint8Array(0);

package/src/{chacha20.ts → cipher/chacha20.ts}

@@ -3,9 +3,8 @@
 
 // RFC-8439 ChaCha20.
 
-export const CHACHA20_KEYBYTES = 32;
-export const CHACHA20_NONCEBYTES = 12;
-export const CHACHA20_BLOCKBYTES = 64;
+import { StreamCipher } from '../cipher';
+import { Nonce } from '../nonce';
 
 function ROTATE(n: number, bits: number): number {
     return (n << bits) | (n >>> (32 - bits));
@@ -47,26 +46,41 @@ export function chacha20_block(key: DataView, block: number, nonce: DataView): U
     return state;
 }
 
-export function chacha20(
-    key: DataView,
-    nonce: DataView,
-    input: Uint8Array,
-    output: Uint8Array,
-    initial_counter = 0,
-    messagelength = input.byteLength,
-) {
-    const whole_blocks = messagelength >> 6;
-    const remaining_bytes = messagelength & 63;
-    for (let j = 0; j < whole_blocks; j++) {
-        const chunk = chacha20_block(key, initial_counter + j, nonce);
-        for (let i = 0; i < 64; i++) {
-            output[(j << 6) + i] = input[(j << 6) + i] ^ (chunk[i >> 2] >> ((i & 3) << 3));
+function serializeNonce(n: Nonce): DataView {
+    const view = new DataView(new ArrayBuffer(ChaCha20.NONCEBYTES));
+    view.setUint32(0, n.extra, true);
+    view.setUint32(4, n.lo, true);
+    view.setUint32(8, n.hi, true);
+    return view;
+}
+
+export const ChaCha20: StreamCipher = {
+    NAME: 'chacha20',
+    KEYBYTES: 32,
+    NONCEBYTES: 12,
+    BLOCKBYTES: 64,
+
+    stream_xor(key: DataView,
+               nonce0: Nonce,
+               input: Uint8Array,
+               output: Uint8Array,
+               initial_counter = 0,
+               messagelength = input.byteLength): void
+    {
+        const nonce = serializeNonce(nonce0);
+        const whole_blocks = messagelength >> 6;
+        const remaining_bytes = messagelength & 63;
+        for (let j = 0; j < whole_blocks; j++) {
+            const chunk = chacha20_block(key, initial_counter + j, nonce);
+            for (let i = 0; i < 64; i++) {
+                output[(j << 6) + i] = input[(j << 6) + i] ^ (chunk[i >> 2] >> ((i & 3) << 3));
+            }
         }
-    }
-    if (remaining_bytes !== 0) {
-        const chunk = chacha20_block(key, initial_counter + whole_blocks, nonce);
-        for (let i = 0; i < remaining_bytes; i++) {
-            output[(whole_blocks << 6) + i] = input[(whole_blocks << 6) + i] ^ (chunk[i >> 2] >> ((i & 3) << 3));
+        if (remaining_bytes !== 0) {
+            const chunk = chacha20_block(key, initial_counter + whole_blocks, nonce);
+            for (let i = 0; i < remaining_bytes; i++) {
+                output[(whole_blocks << 6) + i] = input[(whole_blocks << 6) + i] ^ (chunk[i >> 2] >> ((i & 3) << 3));
+            }
         }
     }
-}
+};

package/src/cipher.ts

@@ -0,0 +1,20 @@
+/// SPDX-License-Identifier: MIT
+/// SPDX-FileCopyrightText: Copyright © 2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
+
+import { Nonce } from './nonce';
+
+export interface StreamCipher {
+    readonly NAME: string;
+    readonly KEYBYTES: number;
+    readonly NONCEBYTES: number;
+    readonly BLOCKBYTES: number;
+
+    stream_xor(key: DataView,
+               nonce: Nonce,
+               input: Uint8Array,
+               output: Uint8Array,
+               initial_counter?: number,
+               messagelength?: number): void;
+}
+
+export { ChaCha20 } from './cipher/chacha20';

package/src/dh.ts

@@ -0,0 +1,30 @@
+/// SPDX-License-Identifier: MIT
+/// SPDX-FileCopyrightText: Copyright © 2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
+
+import { randomBytes } from "./random";
+import { scalarMult, scalarMultBase } from "./dh/x25519";
+
+export type DHKeyPair = { public: Uint8Array, secret: Uint8Array };
+
+export interface DH {
+    readonly NAME: string;
+    readonly DHLEN: number;
+
+    generateKeypair(): DHKeyPair;
+    dh(kp: DHKeyPair, pk: Uint8Array): Uint8Array;
+}
+
+export const X25519: DH = {
+    NAME: "25519",
+    DHLEN: scalarMult.groupElementLength,
+
+    generateKeypair(): DHKeyPair {
+        const sk = randomBytes(scalarMult.scalarLength);
+        const pk = scalarMultBase(sk);
+        return { public: pk, secret: sk };
+    },
+
+    dh(kp: DHKeyPair, pk: Uint8Array): Uint8Array {
+        return scalarMult(kp.secret, pk);
+    }
+};

package/src/{blake2.ts → hash/blake2s.ts}

@@ -3,6 +3,8 @@
 
 // RFC 7693 BLAKE2s, ported from the C code therein.
 
+import type { Hash, HashAlgorithm } from '../hash';
+
 function ROTR32(n: number, bits: number): number {
     return (n >>> bits) | (n << (32 - bits));
 }
@@ -40,7 +42,8 @@ function sigma(i: number, j: number): number {
     return _sigma[(i << 4) + j];
 }
 
-export class BLAKE2s {
+export const BLAKE2s = (class BLAKE2s implements HashAlgorithm {
+    static readonly NAME = "BLAKE2s";
     static readonly KEYBYTES = 32;
     static readonly OUTBYTES = 32;
     static readonly BLOCKLEN = 64;
@@ -52,13 +55,13 @@ export class BLAKE2s {
     t = new Uint32Array(2);
     c = 0;
 
-    static digest(input: Uint8Array, outlen?: number, key?: Uint8Array): Uint8Array {
-        const p = new BLAKE2s(outlen, key);
+    static digest(input: Uint8Array, key?: Uint8Array, outlen?: number, ): Uint8Array {
+        const p = new BLAKE2s(key, outlen);
         p.update(input);
         return p.final();
     }
 
-    constructor(public outlen: number = BLAKE2s.OUTBYTES, key?: Uint8Array)
+    constructor(key?: Uint8Array, public outlen: number = BLAKE2s.OUTBYTES)
     {
         const keylen = key?.byteLength ?? 0;
 
@@ -68,14 +71,14 @@ export class BLAKE2s {
 
         this.h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
 
-        if (key !== void 0 && keylen > 0) {
+        if (key && keylen > 0) {
             this.update(key);
             this.c = 64;
         }
     }
 
-    update(input: Uint8Array) {
-        for (let i = 0; i < input.byteLength; i++) {
+    update(input: Uint8Array, offset = 0, length = input.byteLength) {
+        for (let i = offset; i < offset + length; i++) {
             if (this.c == 64) {
                 this.t[0] += this.c;
                 if (this.t[0] < this.c) this.t[1]++;
@@ -132,4 +135,4 @@ export class BLAKE2s {
             this.h[i] ^= v[i] ^ v[i + 8];
         }
     }
-}
+}) satisfies Hash;