صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
seven
/
bot-28
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
درخت: bf7d625595
شاخه‌ها تگ‌ها
bot-28
/
node
/
node_modules
/
@noble
/
hashes
/
src
/
argon2.ts

argon2.ts 12 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374 
  1. import { number as assertNumber } from './_assert.js';
    2. 

  2. import { Input, toBytes, u8, u32 } from './utils.js';
    3. 

  3. import { blake2b } from './blake2b.js';
    4. 

  4. import { add3H, add3L, rotr32H, rotr32L, rotrBH, rotrBL, rotrSH, rotrSL } from './_u64.js';
    5. 

  5. 

  6. // Experimental Argon2 RFC 9106 implementation. It may be removed at any time.
    7. 

  7. const enum Types {
    8. 

  8.   Argond2d = 0,
    9. 

  9.   Argon2i = 1,
    10. 

  10.   Argon2id = 2,
    11. 

  11. }
    12. 

  12. 

  13. const ARGON2_SYNC_POINTS = 4;
    14. 

  14. 

  15. const toBytesOptional = (buf?: Input) => (buf !== undefined ? toBytes(buf) : new Uint8Array([]));
    16. 

  16. 

  17. function mul(a: number, b: number) {
    18. 

  18.   const aL = a & 0xffff;
    19. 

  19.   const aH = a >>> 16;
    20. 

  20.   const bL = b & 0xffff;
    21. 

  21.   const bH = b >>> 16;
    22. 

  22.   const ll = Math.imul(aL, bL);
    23. 

  23.   const hl = Math.imul(aH, bL);
    24. 

  24.   const lh = Math.imul(aL, bH);
    25. 

  25.   const hh = Math.imul(aH, bH);
    26. 

  26.   const BUF = ((ll >>> 16) + (hl & 0xffff) + lh) | 0;
    27. 

  27.   const h = ((hl >>> 16) + (BUF >>> 16) + hh) | 0;
    28. 

  28.   return { h, l: (BUF << 16) | (ll & 0xffff) };
    29. 

  29. }
    30. 

  30. 

  31. function relPos(areaSize: number, relativePos: number) {
    32. 

  32.   // areaSize - 1 - ((areaSize * ((relativePos ** 2) >>> 32)) >>> 32)
    33. 

  33.   return areaSize - 1 - mul(areaSize, mul(relativePos, relativePos).h).h;
    34. 

  34. }
    35. 

  35. 

  36. function mul2(a: number, b: number) {
    37. 

  37.   // 2 * a * b (via shifts)
    38. 

  38.   const { h, l } = mul(a, b);
    39. 

  39.   return { h: ((h << 1) | (l >>> 31)) & 0xffff_ffff, l: (l << 1) & 0xffff_ffff };
    40. 

  40. }
    41. 

  41. 

  42. function blamka(Ah: number, Al: number, Bh: number, Bl: number) {
    43. 

  43.   const { h: Ch, l: Cl } = mul2(Al, Bl);
    44. 

  44.   // A + B + (2 * A * B)
    45. 

  45.   const Rll = add3L(Al, Bl, Cl);
    46. 

  46.   return { h: add3H(Rll, Ah, Bh, Ch), l: Rll | 0 };
    47. 

  47. }
    48. 

  48. 

  49. // Temporary block buffer
    50. 

  50. const A2_BUF = new Uint32Array(256);
    51. 

  51. 

  52. function G(a: number, b: number, c: number, d: number) {
    53. 

  53.   let Al = A2_BUF[2*a], Ah = A2_BUF[2*a + 1]; // prettier-ignore
    54. 

  54.   let Bl = A2_BUF[2*b], Bh = A2_BUF[2*b + 1]; // prettier-ignore
    55. 

  55.   let Cl = A2_BUF[2*c], Ch = A2_BUF[2*c + 1]; // prettier-ignore
    56. 

  56.   let Dl = A2_BUF[2*d], Dh = A2_BUF[2*d + 1]; // prettier-ignore
    57. 

  57. 

  58.   ({ h: Ah, l: Al } = blamka(Ah, Al, Bh, Bl));
    59. 

  59.   ({ Dh, Dl } = { Dh: Dh ^ Ah, Dl: Dl ^ Al });
    60. 

  60.   ({ Dh, Dl } = { Dh: rotr32H(Dh, Dl), Dl: rotr32L(Dh, Dl) });
    61. 

  61. 

  62.   ({ h: Ch, l: Cl } = blamka(Ch, Cl, Dh, Dl));
    63. 

  63.   ({ Bh, Bl } = { Bh: Bh ^ Ch, Bl: Bl ^ Cl });
    64. 

  64.   ({ Bh, Bl } = { Bh: rotrSH(Bh, Bl, 24), Bl: rotrSL(Bh, Bl, 24) });
    65. 

  65. 

  66.   ({ h: Ah, l: Al } = blamka(Ah, Al, Bh, Bl));
    67. 

  67.   ({ Dh, Dl } = { Dh: Dh ^ Ah, Dl: Dl ^ Al });
    68. 

  68.   ({ Dh, Dl } = { Dh: rotrSH(Dh, Dl, 16), Dl: rotrSL(Dh, Dl, 16) });
    69. 

  69. 

  70.   ({ h: Ch, l: Cl } = blamka(Ch, Cl, Dh, Dl));
    71. 

  71.   ({ Bh, Bl } = { Bh: Bh ^ Ch, Bl: Bl ^ Cl });
    72. 

  72.   ({ Bh, Bl } = { Bh: rotrBH(Bh, Bl, 63), Bl: rotrBL(Bh, Bl, 63) });
    73. 

  73. 

  74.   (A2_BUF[2 * a] = Al), (A2_BUF[2 * a + 1] = Ah);
    75. 

  75.   (A2_BUF[2 * b] = Bl), (A2_BUF[2 * b + 1] = Bh);
    76. 

  76.   (A2_BUF[2 * c] = Cl), (A2_BUF[2 * c + 1] = Ch);
    77. 

  77.   (A2_BUF[2 * d] = Dl), (A2_BUF[2 * d + 1] = Dh);
    78. 

  78. }
    79. 

  79. 

  80. // prettier-ignore
    81. 

  81. function P(
    82. 

  82.   v00: number, v01: number, v02: number, v03: number, v04: number, v05: number, v06: number, v07: number,
    83. 

  83.   v08: number, v09: number, v10: number, v11: number, v12: number, v13: number, v14: number, v15: number,
    84. 

  84. ) {
    85. 

  85.   G(v00, v04, v08, v12);
    86. 

  86.   G(v01, v05, v09, v13);
    87. 

  87.   G(v02, v06, v10, v14);
    88. 

  88.   G(v03, v07, v11, v15);
    89. 

  89.   G(v00, v05, v10, v15);
    90. 

  90.   G(v01, v06, v11, v12);
    91. 

  91.   G(v02, v07, v08, v13);
    92. 

  92.   G(v03, v04, v09, v14);
    93. 

  93. }
    94. 

  94. 

  95. function block(x: Uint32Array, xPos: number, yPos: number, outPos: number, needXor: boolean) {
    96. 

  96.   for (let i = 0; i < 256; i++) A2_BUF[i] = x[xPos + i] ^ x[yPos + i];
    97. 

  97. 

  98.   // columns
    99. 

  99.   for (let i = 0; i < 128; i += 16) {
    100. 

  100.     // prettier-ignore
    101. 

  101.     P(
    102. 

  102.       i, i + 1, i + 2, i + 3, i + 4, i + 5, i + 6, i + 7,
    103. 

  103.       i + 8, i + 9, i + 10, i + 11, i + 12, i + 13, i + 14, i + 15
    104. 

  104.     );
    105. 

  105.   }
    106. 

  106.   // rows
    107. 

  107.   for (let i = 0; i < 16; i += 2) {
    108. 

  108.     // prettier-ignore
    109. 

  109.     P(
    110. 

  110.       i, i + 1, i + 16, i + 17, i + 32, i + 33, i + 48, i + 49,
    111. 

  111.       i + 64, i + 65, i + 80, i + 81, i + 96, i + 97, i + 112, i + 113
    112. 

  112.     );
    113. 

  113.   }
    114. 

  114. 

  115.   if (needXor) for (let i = 0; i < 256; i++) x[outPos + i] ^= A2_BUF[i] ^ x[xPos + i] ^ x[yPos + i];
    116. 

  116.   else for (let i = 0; i < 256; i++) x[outPos + i] = A2_BUF[i] ^ x[xPos + i] ^ x[yPos + i];
    117. 

  117. }
    118. 

  118. 

  119. // Variable-Length Hash Function H'
    120. 

  120. function Hp(A: Uint32Array, dkLen: number) {
    121. 

  121.   const A8 = u8(A);
    122. 

  122.   const T = new Uint32Array(1);
    123. 

  123.   const T8 = u8(T);
    124. 

  124.   T[0] = dkLen;
    125. 

  125.   // Fast path
    126. 

  126.   if (dkLen <= 64) return blake2b.create({ dkLen }).update(T8).update(A8).digest();
    127. 

  127.   const out = new Uint8Array(dkLen);
    128. 

  128.   let V = blake2b.create({}).update(T8).update(A8).digest();
    129. 

  129.   let pos = 0;
    130. 

  130.   // First block
    131. 

  131.   out.set(V.subarray(0, 32));
    132. 

  132.   pos += 32;
    133. 

  133.   // Rest blocks
    134. 

  134.   for (; dkLen - pos > 64; pos += 32) out.set((V = blake2b(V)).subarray(0, 32), pos);
    135. 

  135.   // Last block
    136. 

  136.   out.set(blake2b(V, { dkLen: dkLen - pos }), pos);
    137. 

  137.   return u32(out);
    138. 

  138. }
    139. 

  139. 

  140. function indexAlpha(
    141. 

  141.   r: number,
    142. 

  142.   s: number,
    143. 

  143.   laneLen: number,
    144. 

  144.   segmentLen: number,
    145. 

  145.   index: number,
    146. 

  146.   randL: number,
    147. 

  147.   sameLane: boolean = false
    148. 

  148. ) {
    149. 

  149.   let area;
    150. 

  150.   if (0 == r) {
    151. 

  151.     if (0 == s) area = index - 1;
    152. 

  152.     else if (sameLane) area = s * segmentLen + index - 1;
    153. 

  153.     else area = s * segmentLen + (index == 0 ? -1 : 0);
    154. 

  154.   } else if (sameLane) area = laneLen - segmentLen + index - 1;
    155. 

  155.   else area = laneLen - segmentLen + (index == 0 ? -1 : 0);
    156. 

  156.   const startPos = r !== 0 && s !== ARGON2_SYNC_POINTS - 1 ? (s + 1) * segmentLen : 0;
    157. 

  157.   const rel = relPos(area, randL);
    158. 

  158.   // NOTE: check about overflows here
    159. 

  159.   //     absPos = (startPos + relPos) % laneLength;
    160. 

  160.   return (startPos + rel) % laneLen;
    161. 

  161. }
    162. 

  162. 

  163. // RFC 9106
    164. 

  164. export type ArgonOpts = {
    165. 

  165.   t: number; // Time cost, iterations count
    166. 

  166.   m: number; // Memory cost (in KB)
    167. 

  167.   p: number; // Parallelization parameter
    168. 

  168.   version?: number; // Default: 0x13 (19)
    169. 

  169.   key?: Input; // Optional key
    170. 

  170.   personalization?: Input; // Optional arbitrary extra data
    171. 

  171.   dkLen?: number; // Desired number of returned bytes
    172. 

  172.   asyncTick?: number; // Maximum time in ms for which async function can block execution
    173. 

  173.   maxmem?: number;
    174. 

  174.   onProgress?: (progress: number) => void;
    175. 

  175. };
    176. 

  176. 

  177. function argon2Init(type: Types, password: Input, salt: Input, opts: ArgonOpts) {
    178. 

  178.   password = toBytes(password);
    179. 

  179.   salt = toBytes(salt);
    180. 

  180.   let { p, dkLen, m, t, version, key, personalization, maxmem, onProgress } = {
    181. 

  181.     ...opts,
    182. 

  182.     version: opts.version || 0x13,
    183. 

  183.     dkLen: opts.dkLen || 32,
    184. 

  184.     maxmem: 2 ** 32,
    185. 

  185.   };
    186. 

  186.   // Validation
    187. 

  187.   assertNumber(p);
    188. 

  188.   assertNumber(dkLen);
    189. 

  189.   assertNumber(m);
    190. 

  190.   assertNumber(t);
    191. 

  191.   assertNumber(version);
    192. 

  192.   if (dkLen < 4 || dkLen >= 2 ** 32) throw new Error('Argon2: dkLen should be at least 4 bytes');
    193. 

  193.   if (p < 1 || p >= 2 ** 32) throw new Error('Argon2: p (parallelism) should be at least 1');
    194. 

  194.   if (t < 1 || t >= 2 ** 32) throw new Error('Argon2: t (iterations) should be at least 1');
    195. 

  195.   if (m < 8 * p) throw new Error(`Argon2: memory should be at least 8*p bytes`);
    196. 

  196.   if (version !== 16 && version !== 19) throw new Error(`Argon2: unknown version=${version}`);
    197. 

  197.   password = toBytes(password);
    198. 

  198.   if (password.length < 0 || password.length >= 2 ** 32)
    199. 

  199.     throw new Error('Argon2: password should be less than 4 GB');
    200. 

  200.   salt = toBytes(salt);
    201. 

  201.   if (salt.length < 8) throw new Error('Argon2: salt should be at least 8 bytes');
    202. 

  202.   key = toBytesOptional(key);
    203. 

  203.   personalization = toBytesOptional(personalization);
    204. 

  204.   if (onProgress !== undefined && typeof onProgress !== 'function')
    205. 

  205.     throw new Error('progressCb should be function');
    206. 

  206.   // Params
    207. 

  207.   const lanes = p;
    208. 

  208.   // m' = 4 * p * floor (m / 4p)
    209. 

  209.   const mP = 4 * p * Math.floor(m / (ARGON2_SYNC_POINTS * p));
    210. 

  210.   //q = m' / p columns
    211. 

  211.   const laneLen = Math.floor(mP / p);
    212. 

  212.   const segmentLen = Math.floor(laneLen / ARGON2_SYNC_POINTS);
    213. 

  213.   // H0
    214. 

  214.   const h = blake2b.create({});
    215. 

  215.   const BUF = new Uint32Array(1);
    216. 

  216.   const BUF8 = u8(BUF);
    217. 

  217.   for (const i of [p, dkLen, m, t, version, type]) {
    218. 

  218.     if (i < 0 || i >= 2 ** 32) throw new Error(`Argon2: wrong parameter=${i}, expected uint32`);
    219. 

  219.     BUF[0] = i;
    220. 

  220.     h.update(BUF8);
    221. 

  221.   }
    222. 

  222.   for (let i of [password, salt, key, personalization]) {
    223. 

  223.     BUF[0] = i.length;
    224. 

  224.     h.update(BUF8).update(i);
    225. 

  225.   }
    226. 

  226.   const H0 = new Uint32Array(18);
    227. 

  227.   const H0_8 = u8(H0);
    228. 

  228.   h.digestInto(H0_8);
    229. 

  229. 

  230.   // 256 u32 = 1024 (BLOCK_SIZE)
    231. 

  231.   const memUsed = mP * 256;
    232. 

  232.   if (memUsed < 0 || memUsed >= 2 ** 32 || memUsed > maxmem) {
    233. 

  233.     throw new Error(
    234. 

  234.       `Argon2: wrong params (memUsed=${memUsed} maxmem=${maxmem}), should be less than 2**32`
    235. 

  235.     );
    236. 

  236.   }
    237. 

  237.   const B = new Uint32Array(memUsed);
    238. 

  238.   // Fill first blocks
    239. 

  239.   for (let l = 0; l < p; l++) {
    240. 

  240.     const i = 256 * laneLen * l;
    241. 

  241.     // B[i][0] = H'^(1024)(H_0 || LE32(0) || LE32(i))
    242. 

  242.     H0[17] = l;
    243. 

  243.     H0[16] = 0;
    244. 

  244.     B.set(Hp(H0, 1024), i);
    245. 

  245.     // B[i][1] = H'^(1024)(H_0 || LE32(1) || LE32(i))
    246. 

  246.     H0[16] = 1;
    247. 

  247.     B.set(Hp(H0, 1024), i + 256);
    248. 

  248.   }
    249. 

  249.   let perBlock = () => {};
    250. 

  250.   if (onProgress) {
    251. 

  251.     const totalBlock = t * ARGON2_SYNC_POINTS * p * segmentLen;
    252. 

  252.     // Invoke callback if progress changes from 10.01 to 10.02
    253. 

  253.     // Allows to draw smooth progress bar on up to 8K screen
    254. 

  254.     const callbackPer = Math.max(Math.floor(totalBlock / 10000), 1);
    255. 

  255.     let blockCnt = 0;
    256. 

  256.     perBlock = () => {
    257. 

  257.       blockCnt++;
    258. 

  258.       if (onProgress && (!(blockCnt % callbackPer) || blockCnt === totalBlock))
    259. 

  259.         onProgress(blockCnt / totalBlock);
    260. 

  260.     };
    261. 

  261.   }
    262. 

  262.   return { type, mP, p, t, version, B, laneLen, lanes, segmentLen, dkLen, perBlock };
    263. 

  263. }
    264. 

  264. 

  265. function argon2Output(B: Uint32Array, p: number, laneLen: number, dkLen: number) {
    266. 

  266.   const B_final = new Uint32Array(256);
    267. 

  267.   for (let l = 0; l < p; l++)
    268. 

  268.     for (let j = 0; j < 256; j++) B_final[j] ^= B[256 * (laneLen * l + laneLen - 1) + j];
    269. 

  269.   return u8(Hp(B_final, dkLen));
    270. 

  270. }
    271. 

  271. 

  272. function processBlock(
    273. 

  273.   B: Uint32Array,
    274. 

  274.   address: Uint32Array,
    275. 

  275.   l: number,
    276. 

  276.   r: number,
    277. 

  277.   s: number,
    278. 

  278.   index: number,
    279. 

  279.   laneLen: number,
    280. 

  280.   segmentLen: number,
    281. 

  281.   lanes: number,
    282. 

  282.   offset: number,
    283. 

  283.   prev: number,
    284. 

  284.   dataIndependent: boolean,
    285. 

  285.   needXor: boolean
    286. 

  286. ) {
    287. 

  287.   if (offset % laneLen) prev = offset - 1;
    288. 

  288.   let randL, randH;
    289. 

  289.   if (dataIndependent) {
    290. 

  290.     if (index % 128 === 0) {
    291. 

  291.       address[256 + 12]++;
    292. 

  292.       block(address, 256, 2 * 256, 0, false);
    293. 

  293.       block(address, 0, 2 * 256, 0, false);
    294. 

  294.     }
    295. 

  295.     randL = address[2 * (index % 128)];
    296. 

  296.     randH = address[2 * (index % 128) + 1];
    297. 

  297.   } else {
    298. 

  298.     const T = 256 * prev;
    299. 

  299.     randL = B[T];
    300. 

  300.     randH = B[T + 1];
    301. 

  301.   }
    302. 

  302.   // address block
    303. 

  303.   const refLane = r === 0 && s === 0 ? l : randH % lanes;
    304. 

  304.   const refPos = indexAlpha(r, s, laneLen, segmentLen, index, randL, refLane == l);
    305. 

  305.   const refBlock = laneLen * refLane + refPos;
    306. 

  306.   // B[i][j] = G(B[i][j-1], B[l][z])
    307. 

  307.   block(B, 256 * prev, 256 * refBlock, offset * 256, needXor);
    308. 

  308. }
    309. 

  309. 

  310. function argon2(type: Types, password: Input, salt: Input, opts: ArgonOpts) {
    311. 

  311.   const { mP, p, t, version, B, laneLen, lanes, segmentLen, dkLen, perBlock } = argon2Init(
    312. 

  312.     type,
    313. 

  313.     password,
    314. 

  314.     salt,
    315. 

  315.     opts
    316. 

  316.   );
    317. 

  317.   // Pre-loop setup
    318. 

  318.   // [address, input, zero_block] format so we can pass single U32 to block function
    319. 

  319.   const address = new Uint32Array(3 * 256);
    320. 

  320.   address[256 + 6] = mP;
    321. 

  321.   address[256 + 8] = t;
    322. 

  322.   address[256 + 10] = type;
    323. 

  323.   for (let r = 0; r < t; r++) {
    324. 

  324.     const needXor = r !== 0 && version === 0x13;
    325. 

  325.     address[256 + 0] = r;
    326. 

  326.     for (let s = 0; s < ARGON2_SYNC_POINTS; s++) {
    327. 

  327.       address[256 + 4] = s;
    328. 

  328.       const dataIndependent = type == Types.Argon2i || (type == Types.Argon2id && r === 0 && s < 2);
    329. 

  329.       for (let l = 0; l < p; l++) {
    330. 

  330.         address[256 + 2] = l;
    331. 

  331.         address[256 + 12] = 0;
    332. 

  332.         let startPos = 0;
    333. 

  333.         if (r === 0 && s === 0) {
    334. 

  334.           startPos = 2;
    335. 

  335.           if (dataIndependent) {
    336. 

  336.             address[256 + 12]++;
    337. 

  337.             block(address, 256, 2 * 256, 0, false);
    338. 

  338.             block(address, 0, 2 * 256, 0, false);
    339. 

  339.           }
    340. 

  340.         }
    341. 

  341.         // current block postion
    342. 

  342.         let offset = l * laneLen + s * segmentLen + startPos;
    343. 

  343.         // previous block position
    344. 

  344.         let prev = offset % laneLen ? offset - 1 : offset + laneLen - 1;
    345. 

  345.         for (let index = startPos; index < segmentLen; index++, offset++, prev++) {
    346. 

  346.           perBlock();
    347. 

  347.           processBlock(
    348. 

  348.             B,
    349. 

  349.             address,
    350. 

  350.             l,
    351. 

  351.             r,
    352. 

  352.             s,
    353. 

  353.             index,
    354. 

  354.             laneLen,
    355. 

  355.             segmentLen,
    356. 

  356.             lanes,
    357. 

  357.             offset,
    358. 

  358.             prev,
    359. 

  359.             dataIndependent,
    360. 

  360.             needXor
    361. 

  361.           );
    362. 

  362.         }
    363. 

  363.       }
    364. 

  364.     }
    365. 

  365.   }
    366. 

  366.   return argon2Output(B, p, laneLen, dkLen);
    367. 

  367. }
    368. 

  368. 

  369. export const argon2d = (password: Input, salt: Input, opts: ArgonOpts) =>
    370. 

  370.   argon2(Types.Argond2d, password, salt, opts);
    371. 

  371. export const argon2i = (password: Input, salt: Input, opts: ArgonOpts) =>
    372. 

  372.   argon2(Types.Argon2i, password, salt, opts);
    373. 

  373. export const argon2id = (password: Input, salt: Input, opts: ArgonOpts) =>
    374. 

  374.   argon2(Types.Argon2id, password, salt, opts);
    375.