Passed
Push — master ( 445067...6ce435 )
by Johan
02:18
created

node_modules/tweetnacl/nacl-fast.js   F

Complexity

Total Complexity 224
Complexity/F 2.7

Size

Lines of Code 2388
Function Count 83

Duplication

Duplicated Lines 831
Ratio 34.8 %

Importance

Changes 0
Metric Value
wmc 224
eloc 1925
mnd 141
bc 141
fnc 83
dl 831
loc 2388
rs 0.8
bpm 1.6987
cpm 2.6987
noi 5
c 0
b 0
f 0


Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

Complexity

 Tip:   Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like node_modules/tweetnacl/nacl-fast.js often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

(function(nacl) {
'use strict';
// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
// Public domain.
//
// Implementation derived from TweetNaCl version 20140427.
// See for details: http://tweetnacl.cr.yp.to/
// Allocates a field-element container: a zero-filled Float64Array of 16 limbs.
// When `init` is supplied its entries are copied into the leading limbs; the
// remaining limbs stay 0.
var gf = function(init) {
  var limbs = new Float64Array(16);
  var k = 0;
  if (init) {
    while (k < init.length) {
      limbs[k] = init[k];
      k++;
    }
  }
  return limbs;
};
// Pluggable random source, initialized in the high-level API below.
// Until a real generator is installed, every call throws, so code in this
// file cannot silently proceed without a PRNG.
var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };

// 16 zero bytes.
var _0 = new Uint8Array(16);

// 32 bytes: the first is 9, the rest are 0.
var _9 = new Uint8Array(32);
_9[0] = 9;

// Field-element constants built with gf(), 16 limbs each.
// NOTE(review): in upstream TweetNaCl D, D2, X, Y and I are presumably the
// Edwards-curve constant d, 2*d, the base-point coordinates and sqrt(-1);
// confirm against the reference before relying on that reading.
var gf0 = gf();
var gf1 = gf([1]);
// 0xdb41 + 1 * 65536 = 121665 when limbs are read in radix 2^16.
var _121665 = gf([0xdb41, 1]);
var D = gf([
  0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070,
  0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203
]);
var D2 = gf([
  0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0,
  0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406
]);
var X = gf([
  0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c,
  0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169
]);
var Y = gf([
  0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666,
  0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666
]);
var I = gf([
  0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43,
  0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83
]);
// Stores a 64-bit value, given as two 32-bit halves (h = high, l = low),
// into x[i..i+7] in big-endian byte order.
function ts64(x, i, h, l) {
  var shift;
  var pos = i;
  // High word first, most significant byte first.
  for (shift = 24; shift >= 0; shift -= 8) {
    x[pos++] = (h >> shift) & 0xff;
  }
  for (shift = 24; shift >= 0; shift -= 8) {
    x[pos++] = (l >> shift) & 0xff;
  }
}
// Compares n elements of x (starting at xi) with n elements of y (starting
// at yi). Returns 0 when every pair matches and -1 otherwise.
//
// Every position is always visited and the differences are OR-ed into one
// accumulator, so there is no data-dependent early exit. Keep it that way when
// editing: the authenticator check in this file is built on this routine.
//
// The closing expression maps an accumulator of 0 to 0 and of 1..256 to -1,
// so the result is only reliable for byte-valued elements (0..255).
// NOTE(review): there is no bounds check. An index past the end reads
// `undefined`, which XORs as 0, so callers have to validate lengths.
function vn(x, xi, y, yi, n) {
  var diff = 0;
  var pos = 0;
  while (pos < n) {
    diff |= x[xi + pos] ^ y[yi + pos];
    pos++;
  }
  return (1 & ((diff - 1) >>> 8)) - 1;
}
// 16-element comparison through vn(): 0 when x[xi..xi+15] equals
// y[yi..yi+15], -1 otherwise. Callers must test the result against 0.
function crypto_verify_16(x, xi, y, yi) {
  var length = 16;
  return vn(x, xi, y, yi, length);
}
// 32-element comparison through vn(): 0 when x[xi..xi+31] equals
// y[yi..yi+31], -1 otherwise. Callers must test the result against 0.
function crypto_verify_32(x, xi, y, yi) {
  var length = 32;
  return vn(x, xi, y, yi, length);
}
// Salsa20 core: 20 rounds (10 double rounds) over a 16-word state, followed by
// a word-wise addition of the initial state.
//   o - receives 64 output bytes (o[0..63])
//   p - 16 input bytes, k - 32 key bytes, c - 16 constant bytes
// Words are assembled and emitted little-endian. The state layout is
//   c0 k0 k1 k2 / k3 c1 p0 p1 / p2 p3 c2 k4 / k5 k6 k7 c3.
// All table indices below are fixed constants, so no memory access depends on
// key or input bytes.
function core_salsa20(o, p, k, c) {
  // Quarter-round operands for one double round: four column rounds, then
  // four row rounds. Each entry is [a, b, cIdx, d] with
  //   b ^= rotl(a + d, 7); cIdx ^= rotl(b + a, 9);
  //   d ^= rotl(cIdx + b, 13); a ^= rotl(d + cIdx, 18).
  var quarters = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];
  var load = function(src, at) {
    return src[at] & 0xff | (src[at + 1] & 0xff)<<8 | (src[at + 2] & 0xff)<<16 | (src[at + 3] & 0xff)<<24;
  };
  var start = new Int32Array(16), x = new Int32Array(16);
  var w, round, q, a, b, cIdx, d, u;

  for (w = 0; w < 4; w++) {
    start[5 * w] = load(c, 4 * w);        // words 0, 5, 10, 15
    start[1 + w] = load(k, 4 * w);        // words 1..4
    start[6 + w] = load(p, 4 * w);        // words 6..9
    start[11 + w] = load(k, 16 + 4 * w);  // words 11..14
  }
  for (w = 0; w < 16; w++) x[w] = start[w];

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      a = quarters[q][0];
      b = quarters[q][1];
      cIdx = quarters[q][2];
      d = quarters[q][3];
      u = x[a] + x[d] | 0;
      x[b] ^= u<<7 | u>>>(32-7);
      u = x[b] + x[a] | 0;
      x[cIdx] ^= u<<9 | u>>>(32-9);
      u = x[cIdx] + x[b] | 0;
      x[d] ^= u<<13 | u>>>(32-13);
      u = x[d] + x[cIdx] | 0;
      x[a] ^= u<<18 | u>>>(32-18);
    }
  }

  // Feed-forward, then serialize each word least significant byte first.
  for (w = 0; w < 16; w++) {
    u = x[w] + start[w] | 0;
    o[4 * w]     = u >>>  0 & 0xff;
    o[4 * w + 1] = u >>>  8 & 0xff;
    o[4 * w + 2] = u >>> 16 & 0xff;
    o[4 * w + 3] = u >>> 24 & 0xff;
  }
}
// HSalsa20 core: the same 20 rounds and state layout as core_salsa20, but
// without the final addition of the initial state, and only eight state words
// (0, 5, 10, 15, 6, 7, 8, 9) are written out.
//   o - receives 32 output bytes (o[0..31])
//   p - 16 input bytes, k - 32 key bytes, c - 16 constant bytes
// All table indices below are fixed constants, so no memory access depends on
// key or input bytes.
function core_hsalsa20(o,p,k,c) {
  // Quarter-round operands for one double round: columns first, then rows.
  // Each entry is [a, b, cIdx, d] with
  //   b ^= rotl(a + d, 7); cIdx ^= rotl(b + a, 9);
  //   d ^= rotl(cIdx + b, 13); a ^= rotl(d + cIdx, 18).
  var quarters = [
    [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
    [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]
  ];
  // State words emitted, in output order.
  var emitted = [0, 5, 10, 15, 6, 7, 8, 9];
  var load = function(src, at) {
    return src[at] & 0xff | (src[at + 1] & 0xff)<<8 | (src[at + 2] & 0xff)<<16 | (src[at + 3] & 0xff)<<24;
  };
  var x = new Int32Array(16);
  var w, round, q, a, b, cIdx, d, u;

  for (w = 0; w < 4; w++) {
    x[5 * w] = load(c, 4 * w);        // words 0, 5, 10, 15
    x[1 + w] = load(k, 4 * w);        // words 1..4
    x[6 + w] = load(p, 4 * w);        // words 6..9
    x[11 + w] = load(k, 16 + 4 * w);  // words 11..14
  }

  for (round = 0; round < 20; round += 2) {
    for (q = 0; q < 8; q++) {
      a = quarters[q][0];
      b = quarters[q][1];
      cIdx = quarters[q][2];
      d = quarters[q][3];
      u = x[a] + x[d] | 0;
      x[b] ^= u<<7 | u>>>(32-7);
      u = x[b] + x[a] | 0;
      x[cIdx] ^= u<<9 | u>>>(32-9);
      u = x[cIdx] + x[b] | 0;
      x[d] ^= u<<13 | u>>>(32-13);
      u = x[d] + x[cIdx] | 0;
      x[a] ^= u<<18 | u>>>(32-18);
    }
  }

  // Serialize the selected words least significant byte first.
  for (w = 0; w < 8; w++) {
    u = x[emitted[w]];
    o[4 * w]     = u >>>  0 & 0xff;
    o[4 * w + 1] = u >>>  8 & 0xff;
    o[4 * w + 2] = u >>> 16 & 0xff;
    o[4 * w + 3] = u >>> 24 & 0xff;
  }
}
// NaCl-style name for core_salsa20: fills `out` (64 bytes) from the input
// block `inp`, key `k` and constant `c`. Returns nothing.
function crypto_core_salsa20(out, inp, k, c) {
  core_salsa20(out, inp, k, c);
}
// NaCl-style name for core_hsalsa20: fills `out` (32 bytes) from the input
// block `inp`, key `k` and constant `c`. Returns nothing.
function crypto_core_hsalsa20(out, inp, k, c) {
  core_hsalsa20(out, inp, k, c);
}
// The 16 ASCII bytes of "expand 32-byte k", passed as the constant input to
// the Salsa20 / HSalsa20 cores.
var sigma = new Uint8Array([
  101, 120, 112, 97, 110, 100, 32, 51,   // "expand 3"
  50, 45, 98, 121, 116, 101, 32, 107     // "2-byte k"
]);
// XORs b bytes of m (from mpos) with the Salsa20 keystream and writes the
// result to c (from cpos). Always returns 0.
//   n - nonce, first 8 bytes are used; k - 32-byte key.
// The core input block is nonce (bytes 0..7) followed by a little-endian
// block counter (bytes 8..15) that starts at 0 and is bumped per 64 bytes.
// The keystream is therefore fully determined by (n, k): encrypting two
// messages under the same pair XORs both with identical bytes, so the caller
// must never reuse a nonce with a key.
function crypto_stream_salsa20_xor(c,cpos,m,mpos,b,n,k) {
  var block = new Uint8Array(16), stream = new Uint8Array(64);
  var carry, i, take;

  // A fresh Uint8Array is already zero-filled; only the nonce is copied in.
  for (i = 0; i < 8; i++) block[i] = n[i];

  while (b > 0) {
    crypto_core_salsa20(stream,block,k,sigma);
    take = b < 64 ? b : 64;
    for (i = 0; i < take; i++) c[cpos+i] = m[mpos+i] ^ stream[i];
    if (take < 64) break;  // trailing partial block, nothing follows

    // Increment the 64-bit little-endian counter in block[8..15].
    carry = 1;
    for (i = 8; i < 16; i++) {
      carry = carry + (block[i] & 0xff) | 0;
      block[i] = carry & 0xff;
      carry >>>= 8;
    }
    b -= 64;
    cpos += 64;
    mpos += 64;
  }
  return 0;
}
// Writes b bytes of raw Salsa20 keystream to c (from cpos). Always returns 0.
//   n - nonce, first 8 bytes are used; k - 32-byte key.
// The core input block is nonce (bytes 0..7) followed by a little-endian
// block counter (bytes 8..15) that starts at 0 and is bumped per 64 bytes.
// The output depends only on (n, k), so a repeated pair repeats the stream.
function crypto_stream_salsa20(c,cpos,b,n,k) {
  var block = new Uint8Array(16), stream = new Uint8Array(64);
  var carry, i, take;

  // A fresh Uint8Array is already zero-filled; only the nonce is copied in.
  for (i = 0; i < 8; i++) block[i] = n[i];

  while (b > 0) {
    crypto_core_salsa20(stream,block,k,sigma);
    take = b < 64 ? b : 64;
    for (i = 0; i < take; i++) c[cpos+i] = stream[i];
    if (take < 64) break;  // trailing partial block, nothing follows

    // Increment the 64-bit little-endian counter in block[8..15].
    carry = 1;
    for (i = 8; i < 16; i++) {
      carry = carry + (block[i] & 0xff) | 0;
      block[i] = carry & 0xff;
      carry >>>= 8;
    }
    b -= 64;
    cpos += 64;
  }
  return 0;
}
// Writes d keystream bytes to c (from cpos) for a 24-byte nonce n and key k.
// A 32-byte subkey is derived with HSalsa20 from k and n[0..15]; Salsa20 is
// then run under that subkey with n[16..23] as its 8-byte nonce.
// Returns the result of crypto_stream_salsa20.
// NOTE(review): the derived subkey buffer is not cleared before returning.
function crypto_stream(c,cpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  var j;
  crypto_core_hsalsa20(subkey,n,k,sigma);
  for (j = 0; j < 8; j++) {
    tailNonce[j] = n[16 + j];
  }
  return crypto_stream_salsa20(c,cpos,d,tailNonce,subkey);
}
// XORs d bytes of m (from mpos) with the keystream for the 24-byte nonce n and
// key k, writing to c (from cpos).
// A 32-byte subkey is derived with HSalsa20 from k and n[0..15]; Salsa20 is
// then run under that subkey with n[16..23] as its 8-byte nonce.
// Returns the result of crypto_stream_salsa20_xor.
// The stream depends only on (n, k), so a nonce must not be reused with a key.
// NOTE(review): the derived subkey buffer is not cleared before returning.
function crypto_stream_xor(c,cpos,m,mpos,d,n,k) {
  var subkey = new Uint8Array(32);
  var tailNonce = new Uint8Array(8);
  var j;
  crypto_core_hsalsa20(subkey,n,k,sigma);
  for (j = 0; j < 8; j++) {
    tailNonce[j] = n[16 + j];
  }
  return crypto_stream_salsa20_xor(c,cpos,m,mpos,d,tailNonce,subkey);
}
/*
* Port of Andrew Moon's Poly1305-donna-16. Public domain.
* https://github.com/floodyberry/poly1305-donna
*/
// Poly1305 state constructor (call with `new`).
//   key - 32 bytes: key[0..15] become the multiplier r, key[16..31] the pad
//         that finish() adds to the accumulator.
// State: buffer (16-byte staging area for partial blocks), r and h (ten
// 13-bit limbs each, h starts at 0), pad (eight 16-bit words), leftover
// (bytes waiting in buffer) and fin (set once the final block is processed).
// The masks applied while packing r force fixed bits of the key to zero.
var poly1305 = function(key) {
  this.buffer = new Uint8Array(16);
  this.r = new Uint16Array(10);
  this.h = new Uint16Array(10);
  this.pad = new Uint16Array(8);
  this.leftover = 0;
  this.fin = 0;

  // The key as sixteen little-endian 16-bit words.
  var w = [];
  var i;
  for (i = 0; i < 16; i++) {
    w[i] = key[2 * i] & 0xff | (key[2 * i + 1] & 0xff) << 8;
  }

  // Repack words 0..7 into 13-bit limbs, masking as we go.
  this.r[0] = ( w[0]                       ) & 0x1fff;
  this.r[1] = ((w[0] >>> 13) | (w[1] <<  3)) & 0x1fff;
  this.r[2] = ((w[1] >>> 10) | (w[2] <<  6)) & 0x1f03;
  this.r[3] = ((w[2] >>>  7) | (w[3] <<  9)) & 0x1fff;
  this.r[4] = ((w[3] >>>  4) | (w[4] << 12)) & 0x00ff;
  this.r[5] = ((w[4] >>>  1)) & 0x1ffe;
  this.r[6] = ((w[4] >>> 14) | (w[5] <<  2)) & 0x1fff;
  this.r[7] = ((w[5] >>> 11) | (w[6] <<  5)) & 0x1f81;
  this.r[8] = ((w[6] >>>  8) | (w[7] <<  8)) & 0x1fff;
  this.r[9] = ((w[7] >>>  5)) & 0x007f;

  // Words 8..15 are kept as-is.
  for (i = 0; i < 8; i++) {
    this.pad[i] = w[8 + i];
  }
};
// Absorbs whole 16-byte blocks of m, starting at mpos, into the accumulator
// this.h. Any trailing bytes short of a full block are ignored here (update()
// buffers them). For each block: h = (h + block) * r, reduced limb by limb.
// Unless this.fin is set, bit 11 of limb 9 (bit 128 overall) is added to
// every block.
poly1305.prototype.blocks = function(m, mpos, bytes) {
  var hibit = this.fin ? 0 : (1 << 11);
  var h = [], r = [], d = [], t = [];
  var i, j, acc, carry, coeff;

  // Work on plain-number copies; this.h is written back after the loop.
  for (i = 0; i < 10; i++) {
    h[i] = this.h[i];
    r[i] = this.r[i];
  }

  while (bytes >= 16) {
    // The block as eight little-endian 16-bit words ...
    for (i = 0; i < 8; i++) {
      t[i] = m[mpos + 2 * i] & 0xff | (m[mpos + 2 * i + 1] & 0xff) << 8;
    }
    // ... repacked into 13-bit limbs and added to h.
    h[0] += ( t[0]                       ) & 0x1fff;
    h[1] += ((t[0] >>> 13) | (t[1] <<  3)) & 0x1fff;
    h[2] += ((t[1] >>> 10) | (t[2] <<  6)) & 0x1fff;
    h[3] += ((t[2] >>>  7) | (t[3] <<  9)) & 0x1fff;
    h[4] += ((t[3] >>>  4) | (t[4] << 12)) & 0x1fff;
    h[5] += ((t[4] >>>  1)) & 0x1fff;
    h[6] += ((t[4] >>> 14) | (t[5] <<  2)) & 0x1fff;
    h[7] += ((t[5] >>> 11) | (t[6] <<  5)) & 0x1fff;
    h[8] += ((t[6] >>>  8) | (t[7] <<  8)) & 0x1fff;
    h[9] += ((t[7] >>> 5)) | hibit;

    // d = h * r. Product terms that wrap past limb 9 re-enter at the bottom
    // multiplied by 5. The partial sum is split into carry and 13 low bits
    // after the fifth term and again after the tenth.
    carry = 0;
    for (i = 0; i < 10; i++) {
      acc = carry;
      for (j = 0; j < 10; j++) {
        coeff = (j <= i) ? r[i - j] : (5 * r[i + 10 - j]);
        acc += h[j] * coeff;
        if (j === 4) {
          carry = (acc >>> 13);
          acc &= 0x1fff;
        }
      }
      carry += (acc >>> 13);
      acc &= 0x1fff;
      d[i] = acc;
    }

    // Fold the carry out of limb 9 back into limb 0, times 5.
    carry = (((carry << 2) + carry)) | 0;
    carry = (carry + d[0]) | 0;
    d[0] = carry & 0x1fff;
    carry = (carry >>> 13);
    d[1] += carry;

    for (i = 0; i < 10; i++) h[i] = d[i];

    mpos += 16;
    bytes -= 16;
  }

  for (i = 0; i < 10; i++) this.h[i] = h[i];
};
// Finalizes the authenticator and writes its 16 bytes to mac[macpos..+15].
// Steps: pad and absorb any buffered partial block (a 1 byte, then zeros,
// with fin set so blocks() adds no high bit), fully carry h, pick between h
// and h + 5 - 2^130 with a bit mask rather than a branch, repack the 13-bit
// limbs into 16-bit words, add pad, and emit the words little-endian.
// this.h is overwritten along the way, so the state is not reusable afterwards.
poly1305.prototype.finish = function(mac, macpos) {
  var h = this.h, pad = this.pad, buf = this.buffer;
  var g = new Uint16Array(10);
  var carry, keepG, keepH, sum, i;

  if (this.leftover) {
    i = this.leftover;
    buf[i++] = 1;
    while (i < 16) buf[i++] = 0;
    this.fin = 1;
    this.blocks(buf, 0, 16);
  }

  // Full carry propagation through the limbs.
  carry = h[1] >>> 13;
  h[1] &= 0x1fff;
  for (i = 2; i < 10; i++) {
    h[i] += carry;
    carry = h[i] >>> 13;
    h[i] &= 0x1fff;
  }
  h[0] += (carry * 5);
  carry = h[0] >>> 13;
  h[0] &= 0x1fff;
  h[1] += carry;
  carry = h[1] >>> 13;
  h[1] &= 0x1fff;
  h[2] += carry;

  // g = h + 5 - 2^130.
  g[0] = h[0] + 5;
  carry = g[0] >>> 13;
  g[0] &= 0x1fff;
  for (i = 1; i < 10; i++) {
    g[i] = h[i] + carry;
    carry = g[i] >>> 13;
    g[i] &= 0x1fff;
  }
  g[9] -= (1 << 13);

  // Mask-based select between h and g; no branch on the carry.
  keepG = (carry ^ 1) - 1;
  keepH = ~keepG;
  for (i = 0; i < 10; i++) {
    g[i] &= keepG;
    h[i] = (h[i] & keepH) | g[i];
  }

  // Ten 13-bit limbs -> eight 16-bit words. Order matters: each line reads
  // limbs that have not been overwritten yet.
  h[0] = ((h[0]       ) | (h[1] << 13)               ) & 0xffff;
  h[1] = ((h[1] >>>  3) | (h[2] << 10)               ) & 0xffff;
  h[2] = ((h[2] >>>  6) | (h[3] <<  7)               ) & 0xffff;
  h[3] = ((h[3] >>>  9) | (h[4] <<  4)               ) & 0xffff;
  h[4] = ((h[4] >>> 12) | (h[5] <<  1) | (h[6] << 14)) & 0xffff;
  h[5] = ((h[6] >>>  2) | (h[7] << 11)               ) & 0xffff;
  h[6] = ((h[7] >>>  5) | (h[8] <<  8)               ) & 0xffff;
  h[7] = ((h[8] >>>  8) | (h[9] <<  5)               ) & 0xffff;

  // mac = (h + pad) mod 2^128.
  sum = h[0] + pad[0];
  h[0] = sum & 0xffff;
  for (i = 1; i < 8; i++) {
    sum = (((h[i] + pad[i]) | 0) + (sum >>> 16)) | 0;
    h[i] = sum & 0xffff;
  }

  for (i = 0; i < 8; i++) {
    mac[macpos + 2 * i]     = (h[i] >>> 0) & 0xff;
    mac[macpos + 2 * i + 1] = (h[i] >>> 8) & 0xff;
  }
};
// Feeds `bytes` bytes of m, starting at mpos, into the MAC state.
// Bytes first top up a pending partial block in this.buffer; whole 16-byte
// blocks are then passed straight to blocks(); whatever is left (fewer than
// 16 bytes) is staged in this.buffer and counted in this.leftover.
poly1305.prototype.update = function(m, mpos, bytes) {
  var buf = this.buffer;
  var i, want;

  // Complete a previously buffered partial block first.
  if (this.leftover) {
    want = (16 - this.leftover > bytes) ? bytes : (16 - this.leftover);
    for (i = 0; i < want; i++) {
      buf[this.leftover + i] = m[mpos+i];
    }
    bytes -= want;
    mpos += want;
    this.leftover += want;
    if (this.leftover < 16) {
      return;  // still not a full block
    }
    this.blocks(buf, 0, 16);
    this.leftover = 0;
  }

  // Bulk-process every complete block directly from m.
  if (bytes >= 16) {
    want = bytes - (bytes % 16);
    this.blocks(m, mpos, want);
    mpos += want;
    bytes -= want;
  }

  // Stage the tail for the next update() or for finish().
  if (bytes) {
    for (i = 0; i < bytes; i++) {
      buf[this.leftover + i] = m[mpos+i];
    }
    this.leftover += bytes;
  }
};
// Computes the 16-byte Poly1305 authenticator of m[mpos..mpos+n-1] under the
// 32-byte key k and writes it to out[outpos..outpos+15]. Always returns 0.
// NOTE(review): as the name suggests, k is presumably meant to authenticate a
// single message only; confirm against the NaCl documentation.
function crypto_onetimeauth(out, outpos, m, mpos, n, k) {
  var state = new poly1305(k);
  state.update(m, mpos, n);
  state.finish(out, outpos);
  return 0;
}
// Recomputes the authenticator of m[mpos..mpos+n-1] under k and compares it
// with h[hpos..hpos+15]. Returns 0 on a match and -1 otherwise.
// The comparison goes through crypto_verify_16, which has no early exit, so
// do not replace it with a plain loop or ===.
function crypto_onetimeauth_verify(h, hpos, m, mpos, n, k) {
  var expected = new Uint8Array(16);
  crypto_onetimeauth(expected, 0, m, mpos, n, k);
  return crypto_verify_16(h, hpos, expected, 0);
}
// Encrypts and authenticates the d-byte buffer m into c under nonce n and
// key k. Returns -1 when d < 32, otherwise 0.
// Layout of c afterwards: c[0..15] zero, c[16..31] authenticator,
// c[32..d-1] ciphertext.
// The authenticator key is read from c[0..31] right after the stream XOR.
// NOTE(review): that only yields raw keystream if m[0..31] is zero on entry,
// which this function does not check; presumably the caller guarantees it
// (NaCl zero-padding convention). Verify in the wrapper.
function crypto_secretbox(c,m,d,n,k) {
  var pos = 0;
  if (d < 32) return -1;
  crypto_stream_xor(c,0,m,0,d,n,k);
  crypto_onetimeauth(c, 16, c, 32, d - 32, c);
  // Wipe the half of the one-time key that the tag did not overwrite.
  while (pos < 16) {
    c[pos] = 0;
    pos++;
  }
  return 0;
}
840
841
// Verifies and decrypts the d-byte buffer c into m under nonce n and key k.
// Returns -1 when d < 32 or when the authenticator in c[16..31] does not
// match c[32..d-1]; in both cases m is left untouched. Returns 0 on success,
// with m[0..31] zeroed and the plaintext in m[32..d-1].
// The check happens before any decryption, so callers must treat -1 as
// "discard" and never read m in that case.
function crypto_secretbox_open(m,c,d,n,k) {
  var macKey = new Uint8Array(32);
  var pos = 0;
  if (d < 32) return -1;
  // The first 32 keystream bytes serve as the one-time authenticator key.
  crypto_stream(macKey,0,32,n,k);
  if (crypto_onetimeauth_verify(c, 16, c, 32, d - 32, macKey) !== 0) {
    return -1;
  }
  crypto_stream_xor(m,0,c,0,d,n,k);
  while (pos < 32) {
    m[pos] = 0;
    pos++;
  }
  return 0;
}
// Copies the 16 limbs of a into r, coercing each to a 32-bit integer (|0).
function set25519(r, a) {
  var idx = 0;
  while (idx < 16) {
    r[idx] = a[idx]|0;
    idx++;
  }
}
// One carry pass over the 16 limbs of o, in place. Each limb is reduced to
// 0..65535 and the excess moves to the next limb; the carry out of limb 15 is
// added back to limb 0 multiplied by 38.
// `carry` is kept biased by +1 (it starts at 1 and 65535 is added per step),
// so the true carry is carry - 1; this keeps Math.floor correct for negative
// limbs.
function car25519(o) {
  var carry = 1;
  var limb, idx, wrap;
  for (idx = 0; idx < 16; idx++) {
    limb = o[idx] + carry + 65535;
    carry = Math.floor(limb / 65536);
    o[idx] = limb - carry * 65536;
  }
  wrap = carry - 1;
  o[0] += wrap + 37 * wrap;
}
// Conditionally swaps the 16 limbs of p and q: b = 1 swaps them, b = 0 leaves
// both unchanged. The decision is turned into an all-ones or all-zeros mask
// and applied with XOR, so the same operations run either way. Do not
// rewrite this with an `if`.
function sel25519(p, q, b) {
  var mask = ~(b-1);
  var delta, idx;
  for (idx = 0; idx < 16; idx++) {
    delta = mask & (p[idx] ^ q[idx]);
    p[idx] ^= delta;
    q[idx] ^= delta;
  }
}
// Serializes the field element n (16 limbs) into 32 little-endian bytes in o.
// A working copy is carried three times, then 2^255 - 19 (limbs 0xffed,
// 0xffff x 14, 0x7fff) is subtracted twice; each time sel25519 keeps the
// difference only when the subtraction did not borrow, so the choice is made
// without branching. n itself is not modified.
function pack25519(o, n) {
  var reduced = gf(), work = gf();
  var i, pass, borrow;

  for (i = 0; i < 16; i++) work[i] = n[i];
  for (pass = 0; pass < 3; pass++) car25519(work);

  for (pass = 0; pass < 2; pass++) {
    reduced[0] = work[0] - 0xffed;
    for (i = 1; i < 15; i++) {
      reduced[i] = work[i] - 0xffff - ((reduced[i-1]>>16) & 1);
      reduced[i-1] &= 0xffff;
    }
    reduced[15] = work[15] - 0x7fff - ((reduced[14]>>16) & 1);
    borrow = (reduced[15]>>16) & 1;
    reduced[14] &= 0xffff;
    sel25519(work, reduced, 1-borrow);
  }

  for (i = 0; i < 16; i++) {
    o[2*i] = work[i] & 0xff;
    o[2*i+1] = work[i]>>8;
  }
}
899
900
// Compares two field elements by their packed 32-byte encodings.
// Returns 0 when they are equal and -1 when they differ (the crypto_verify_32
// convention), so a truthy result means "not equal".
function neq25519(a, b) {
  var packedA = new Uint8Array(32);
  var packedB = new Uint8Array(32);
  pack25519(packedA, a);
  pack25519(packedB, b);
  return crypto_verify_32(packedA, 0, packedB, 0);
}
// Returns the lowest bit (0 or 1) of the packed 32-byte encoding of a.
function par25519(a) {
  var packed = new Uint8Array(32);
  pack25519(packed, a);
  var lowByte = packed[0];
  return lowByte & 1;
}
// Loads 32 little-endian bytes from n into the 16 limbs of o (two bytes per
// limb) and clears the top bit of the last limb, i.e. bit 255 of the input is
// ignored.
function unpack25519(o, n) {
  var limb = 0;
  while (limb < 16) {
    o[limb] = n[2*limb] + (n[2*limb+1] << 8);
    limb++;
  }
  o[15] &= 0x7fff;
}
// Limb-wise addition: o[i] = a[i] + b[i] for the 16 limbs. No carry is
// propagated here.
function A(o, a, b) {
  var idx = 0;
  while (idx < 16) {
    o[idx] = a[idx] + b[idx];
    idx++;
  }
}
// Limb-wise subtraction: o[i] = a[i] - b[i] for the 16 limbs. No borrow is
// propagated here, so limbs may come out negative.
function Z(o, a, b) {
  var idx = 0;
  while (idx < 16) {
    o[idx] = a[idx] - b[idx];
    idx++;
  }
}
926
927
// Field multiplication: o = a * b on 16-limb values, followed by two carry
// passes.
//
// The 31 partial-product columns are accumulated first (column i + j receives
// a[i] * b[j], in increasing i for each column), then columns 16..30 are
// folded into columns 0..14 with a factor of 38. Nothing is written to `o`
// until the very end, so `o` may alias `a` and/or `b`.
//
// The loop bounds are fixed and no branch depends on limb values.
function M(o, a, b) {
  var t = [];
  var i, j, v, c, pass;

  for (i = 0; i < 31; i++) t[i] = 0;

  // Schoolbook product.
  for (i = 0; i < 16; i++) {
    v = a[i];
    for (j = 0; j < 16; j++) {
      t[i + j] += v * b[j];
    }
  }

  // Fold the high columns down; t[15] has no partner and is left as is.
  for (i = 0; i < 15; i++) {
    t[i] += 38 * t[i + 16];
  }

  // Two carry passes, same arithmetic as car25519.
  for (pass = 0; pass < 2; pass++) {
    c = 1;
    for (i = 0; i < 16; i++) {
      v = t[i] + c + 65535;
      c = Math.floor(v / 65536);
      t[i] = v - c * 65536;
    }
    t[0] += c - 1 + 37 * (c - 1);
  }

  for (i = 0; i < 16; i++) o[i] = t[i];
}
// Field squaring: o = a * a, delegated to M with both operands equal.
function S(o, a) {
  M(o, a, a);
}
// Field inversion by exponentiation: o = i^(2^255 - 21).
//
// Square-and-multiply over a fixed schedule: 254 squarings, each followed by a
// multiplication by `i` except at steps 2 and 4. The schedule does not depend
// on the value being inverted. Works on a private copy, so `o` may alias `i`.
function inv25519(o, i) {
  var acc = gf();
  var k, step;

  for (k = 0; k < 16; k += 1) acc[k] = i[k];

  step = 253;
  while (step >= 0) {
    S(acc, acc);
    if (!(step === 2 || step === 4)) M(acc, acc, i);
    step -= 1;
  }

  for (k = 0; k < 16; k += 1) o[k] = acc[k];
}
// Fixed-exponent power: o = i^(2^252 - 3).
//
// 251 squarings, each followed by a multiplication by `i` except at step 1.
// Works on a private copy, so `o` may alias `i`.
function pow2523(o, i) {
  var acc = gf();
  var k, step;

  for (k = 0; k < 16; k += 1) acc[k] = i[k];

  step = 250;
  while (step >= 0) {
    S(acc, acc);
    if (step !== 1) M(acc, acc, i);
    step -= 1;
  }

  for (k = 0; k < 16; k += 1) o[k] = acc[k];
}
// Scalar multiplication on the 25519 Montgomery ladder: writes the 32-byte
// result for scalar `n` and point `p` into `q`.
//
// The scalar is copied and clamped (low 3 bits cleared, bit 255 cleared,
// bit 254 set) before use; `n` itself is not modified. Every ladder step runs
// the same sequence of field operations and selects operands through
// sel25519, so the work done does not branch on scalar bits.
//
// NOTE(review): this always returns 0 and performs no check on `p` or on the
// result. A caller that must reject an all-zero output has to compare `q`
// against zero itself.
function crypto_scalarmult(q, n, p) {
  var scalar = new Uint8Array(32);
  var x = new Float64Array(80);
  var a = gf(), b = gf(), c = gf(), d = gf(), e = gf(), f = gf();
  var bit, k, pos;

  for (k = 0; k < 31; k++) scalar[k] = n[k];
  scalar[31] = (n[31] & 127) | 64;
  scalar[0] &= 248;

  // x[0..15] holds the input coordinate for the whole ladder.
  unpack25519(x, p);
  for (k = 0; k < 16; k++) {
    b[k] = x[k];
    d[k] = a[k] = c[k] = 0;
  }
  a[0] = d[0] = 1;

  for (pos = 254; pos >= 0; --pos) {
    bit = (scalar[pos >>> 3] >>> (pos & 7)) & 1;
    sel25519(a, b, bit);
    sel25519(c, d, bit);
    A(e, a, c);
    Z(a, a, c);
    A(c, b, d);
    Z(b, b, d);
    S(d, e);
    S(f, a);
    M(a, c, a);
    M(c, b, e);
    A(e, a, c);
    Z(a, a, c);
    S(b, a);
    Z(c, d, f);
    M(a, c, _121665);
    A(a, a, d);
    M(c, c, a);
    M(a, d, f);
    M(d, b, x);
    S(b, e);
    sel25519(a, b, bit);
    sel25519(c, d, bit);
  }

  // Park the ladder state behind the input so the final steps can work on
  // sub-views of the same buffer.
  for (k = 0; k < 16; k++) {
    x[k + 16] = a[k];
    x[k + 32] = c[k];
    x[k + 48] = b[k];
    x[k + 64] = d[k];
  }
  var x32 = x.subarray(32);
  var x16 = x.subarray(16);
  inv25519(x32, x32);
  M(x16, x16, x32);
  pack25519(q, x16);
  return 0;
}
// Scalar multiplication with the fixed point `_9` (a 32-byte buffer whose
// first byte is 9): q = n * base. Returns crypto_scalarmult's result.
function crypto_scalarmult_base(q, n) {
  var status = crypto_scalarmult(q, n, _9);
  return status;
}
// Generates a box key pair: fills the secret key `x` with 32 bytes from
// `randombytes`, then derives the public key `y` from it.
//
// The strength of the key is entirely that of the installed `randombytes`;
// the placeholder defined at the top of the file throws until a real
// generator has been plugged in.
function crypto_box_keypair(y, x) {
  randombytes(x, 32);
  var status = crypto_scalarmult_base(y, x);
  return status;
}
// Precomputes the shared key `k` for public key `y` and secret key `x`: the
// raw scalar-multiplication output is passed through crypto_core_hsalsa20
// with a zero input block and the `sigma` constant.
//
// NOTE(review): the intermediate shared point is neither checked for the
// all-zero value nor wiped before the function returns; confirm that callers
// do not rely on either.
function crypto_box_beforenm(k, y, x) {
  var shared = new Uint8Array(32);
  crypto_scalarmult(shared, x, y);
  return crypto_core_hsalsa20(k, _0, shared, sigma);
}
// Once the shared key has been precomputed, sealing and opening a box are
// exactly the secretbox operations, so the names are plain aliases.
var crypto_box_afternm = crypto_secretbox,
    crypto_box_open_afternm = crypto_secretbox_open;
// Public-key authenticated encryption: derives the shared key for (y, x) and
// seals `d` bytes of `m` into `c` under nonce `n`.
//
// The nonce is taken as given. Reusing a nonce with the same key pair breaks
// the confidentiality and authenticity guarantees of the underlying
// secretbox, so uniqueness is the caller's responsibility.
function crypto_box(c, m, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  return crypto_box_afternm(c, m, d, n, sharedKey);
}
// Public-key authenticated decryption: derives the shared key for (y, x) and
// opens `d` bytes of `c` into `m` under nonce `n`.
//
// Returns the result of the secretbox open; callers must check it before
// using anything in `m`.
function crypto_box_open(m, c, d, n, y, x) {
  var sharedKey = new Uint8Array(32);
  crypto_box_beforenm(sharedKey, y, x);
  return crypto_box_open_afternm(m, c, d, n, sharedKey);
}
// SHA-512 round constants. Each of the 80 64-bit constants is stored as two
// 32-bit halves, high word first, one constant per line; round i uses
// K[2 * i] and K[2 * i + 1].
var K = [
  0x428a2f98, 0xd728ae22,
  0x71374491, 0x23ef65cd,
  0xb5c0fbcf, 0xec4d3b2f,
  0xe9b5dba5, 0x8189dbbc,
  0x3956c25b, 0xf348b538,
  0x59f111f1, 0xb605d019,
  0x923f82a4, 0xaf194f9b,
  0xab1c5ed5, 0xda6d8118,
  0xd807aa98, 0xa3030242,
  0x12835b01, 0x45706fbe,
  0x243185be, 0x4ee4b28c,
  0x550c7dc3, 0xd5ffb4e2,
  0x72be5d74, 0xf27b896f,
  0x80deb1fe, 0x3b1696b1,
  0x9bdc06a7, 0x25c71235,
  0xc19bf174, 0xcf692694,
  0xe49b69c1, 0x9ef14ad2,
  0xefbe4786, 0x384f25e3,
  0x0fc19dc6, 0x8b8cd5b5,
  0x240ca1cc, 0x77ac9c65,
  0x2de92c6f, 0x592b0275,
  0x4a7484aa, 0x6ea6e483,
  0x5cb0a9dc, 0xbd41fbd4,
  0x76f988da, 0x831153b5,
  0x983e5152, 0xee66dfab,
  0xa831c66d, 0x2db43210,
  0xb00327c8, 0x98fb213f,
  0xbf597fc7, 0xbeef0ee4,
  0xc6e00bf3, 0x3da88fc2,
  0xd5a79147, 0x930aa725,
  0x06ca6351, 0xe003826f,
  0x14292967, 0x0a0e6e70,
  0x27b70a85, 0x46d22ffc,
  0x2e1b2138, 0x5c26c926,
  0x4d2c6dfc, 0x5ac42aed,
  0x53380d13, 0x9d95b3df,
  0x650a7354, 0x8baf63de,
  0x766a0abb, 0x3c77b2a8,
  0x81c2c92e, 0x47edaee6,
  0x92722c85, 0x1482353b,
  0xa2bfe8a1, 0x4cf10364,
  0xa81a664b, 0xbc423001,
  0xc24b8b70, 0xd0f89791,
  0xc76c51a3, 0x0654be30,
  0xd192e819, 0xd6ef5218,
  0xd6990624, 0x5565a910,
  0xf40e3585, 0x5771202a,
  0x106aa070, 0x32bbd1b8,
  0x19a4c116, 0xb8d2d0c8,
  0x1e376c08, 0x5141ab53,
  0x2748774c, 0xdf8eeb99,
  0x34b0bcb5, 0xe19b48a8,
  0x391c0cb3, 0xc5c95a63,
  0x4ed8aa4a, 0xe3418acb,
  0x5b9cca4f, 0x7763e373,
  0x682e6ff3, 0xd6b2b8a3,
  0x748f82ee, 0x5defb2fc,
  0x78a5636f, 0x43172f60,
  0x84c87814, 0xa1f0ab72,
  0x8cc70208, 0x1a6439ec,
  0x90befffa, 0x23631e28,
  0xa4506ceb, 0xde82bde9,
  0xbef9a3f7, 0xb2c67915,
  0xc67178f2, 0xe372532b,
  0xca273ece, 0xea26619c,
  0xd186b8c7, 0x21c0c207,
  0xeada7dd6, 0xcde0eb1e,
  0xf57d4f7f, 0xee6ed178,
  0x06f067aa, 0x72176fba,
  0x0a637dc5, 0xa2c898a6,
  0x113f9804, 0xbef90dae,
  0x1b710b35, 0x131c471b,
  0x28db77f5, 0x23047d84,
  0x32caab7b, 0x40c72493,
  0x3c9ebe0a, 0x15c9bebc,
  0x431d67c4, 0x9c100d4c,
  0x4cc5d4be, 0xcb3e42b6,
  0x597f299c, 0xfc657e2a,
  0x5fcb6fab, 0x3ad6faec,
  0x6c44198c, 0x4a475817
];
// SHA-512 compression over every complete 128-byte block of `m`.
//
// 64-bit words are kept as two 32-bit halves: `hh`/`hl` hold the high/low
// halves of the eight chaining words and are updated in place after each
// block. 64-bit additions are carried out on four 16-bit limbs (a = lowest,
// d = highest) so that no intermediate sum leaves the exactly representable
// range. Returns the number of trailing bytes (n mod 128) left unprocessed.
function crypto_hashblocks_hl(hh, hl, m, n) {
  var wh = new Int32Array(16), wl = new Int32Array(16);
  // Working variables, index 0..7, high and low halves.
  var sh = [hh[0], hh[1], hh[2], hh[3], hh[4], hh[5], hh[6], hh[7]];
  var sl = [hl[0], hl[1], hl[2], hl[3], hl[4], hl[5], hl[6], hl[7]];
  var a, b, c, d;
  var t1h, t1l, newAh, newAl, newEh, newEl, xh, xl, i, j, k;
  var pos = 0;

  // Start a 64-bit sum from (h, l).
  function begin(h, l) {
    a = l & 0xffff; b = l >>> 16;
    c = h & 0xffff; d = h >>> 16;
  }

  // Add (h, l) to the running sum, limb by limb, without carrying yet.
  function plus(h, l) {
    a += l & 0xffff; b += l >>> 16;
    c += h & 0xffff; d += h >>> 16;
  }

  // Propagate carries from the lowest limb upwards.
  function settle() {
    b += a >>> 16;
    c += b >>> 16;
    d += c >>> 16;
  }

  function high() { return (c & 0xffff) | (d << 16); }
  function low() { return (a & 0xffff) | (b << 16); }

  while (n >= 128) {
    // Load the block as 16 big-endian 64-bit words.
    for (i = 0; i < 16; i++) {
      j = 8 * i + pos;
      wh[i] = (m[j + 0] << 24) | (m[j + 1] << 16) | (m[j + 2] << 8) | m[j + 3];
      wl[i] = (m[j + 4] << 24) | (m[j + 5] << 16) | (m[j + 6] << 8) | m[j + 7];
    }

    for (i = 0; i < 80; i++) {
      // T1 = word7 + Sigma1(word4) + Ch(word4, word5, word6) + K[i] + w[i]
      xh = sh[4]; xl = sl[4];
      begin(sh[7], sl[7]);
      plus(
        ((xh >>> 14) | (xl << 18)) ^ ((xh >>> 18) | (xl << 14)) ^ ((xl >>> 9) | (xh << 23)),
        ((xl >>> 14) | (xh << 18)) ^ ((xl >>> 18) | (xh << 14)) ^ ((xh >>> 9) | (xl << 23))
      );
      plus((xh & sh[5]) ^ (~xh & sh[6]), (xl & sl[5]) ^ (~xl & sl[6]));
      plus(K[i * 2], K[i * 2 + 1]);
      plus(wh[i % 16], wl[i % 16]);
      settle();
      t1h = high();
      t1l = low();

      // New word0 = T1 + Sigma0(word0) + Maj(word0, word1, word2)
      xh = sh[0]; xl = sl[0];
      begin(t1h, t1l);
      plus(
        ((xh >>> 28) | (xl << 4)) ^ ((xl >>> 2) | (xh << 30)) ^ ((xl >>> 7) | (xh << 25)),
        ((xl >>> 28) | (xh << 4)) ^ ((xh >>> 2) | (xl << 30)) ^ ((xh >>> 7) | (xl << 25))
      );
      plus(
        (xh & sh[1]) ^ (xh & sh[2]) ^ (sh[1] & sh[2]),
        (xl & sl[1]) ^ (xl & sl[2]) ^ (sl[1] & sl[2])
      );
      settle();
      newAh = high();
      newAl = low();

      // New word4 = word3 + T1
      begin(sh[3], sl[3]);
      plus(t1h, t1l);
      settle();
      newEh = high();
      newEl = low();

      // Rotate the working variables down by one position, then drop in the
      // two freshly computed words.
      for (k = 7; k > 0; k--) {
        sh[k] = sh[k - 1];
        sl[k] = sl[k - 1];
      }
      sh[0] = newAh; sl[0] = newAl;
      sh[4] = newEh; sl[4] = newEl;

      // Every 16 rounds, expand the message schedule in place for the next 16.
      if (i % 16 === 15) {
        for (j = 0; j < 16; j++) {
          begin(wh[j], wl[j]);
          plus(wh[(j + 9) % 16], wl[(j + 9) % 16]);

          // sigma0
          xh = wh[(j + 1) % 16];
          xl = wl[(j + 1) % 16];
          plus(
            ((xh >>> 1) | (xl << 31)) ^ ((xh >>> 8) | (xl << 24)) ^ (xh >>> 7),
            ((xl >>> 1) | (xh << 31)) ^ ((xl >>> 8) | (xh << 24)) ^ ((xl >>> 7) | (xh << 25))
          );

          // sigma1
          xh = wh[(j + 14) % 16];
          xl = wl[(j + 14) % 16];
          plus(
            ((xh >>> 19) | (xl << 13)) ^ ((xl >>> 29) | (xh << 3)) ^ (xh >>> 6),
            ((xl >>> 19) | (xh << 13)) ^ ((xh >>> 29) | (xl << 3)) ^ ((xl >>> 6) | (xh << 26))
          );

          settle();
          wh[j] = high();
          wl[j] = low();
        }
      }
    }

    // Feed-forward: add the block's result into the chaining value.
    for (k = 0; k < 8; k++) {
      begin(sh[k], sl[k]);
      plus(hh[k], hl[k]);
      settle();
      hh[k] = sh[k] = high();
      hl[k] = sl[k] = low();
    }

    pos += 128;
    n -= 128;
  }

  return n;
}
// SHA-512 of the first `n` bytes of `m`, written to `out` as 64 bytes.
// Always returns 0.
//
// Full blocks go straight to crypto_hashblocks_hl; the remaining tail is
// copied into a scratch buffer, terminated with 0x80 and padded to one or two
// blocks with the bit length in the last 8 bytes. Only a 64-bit length field
// is written (the scratch buffer starts zeroed, so the rest of the padding is
// zero).
function crypto_hash(out, m, n) {
  var hh = new Int32Array([
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
  ]);
  var hl = new Int32Array([
    0xf3bcc908, 0x84caa73b, 0xfe94f82b, 0x5f1d36f1,
    0xade682d1, 0x2b3e6c1f, 0xfb41bd6b, 0x137e2179
  ]);
  var x = new Uint8Array(256);
  var total = n;
  var tail, padded, i;

  crypto_hashblocks_hl(hh, hl, m, n);
  tail = n % 128;

  for (i = 0; i < tail; i++) x[i] = m[total - tail + i];
  x[tail] = 128;

  // One padding block is enough unless the tail leaves no room for the
  // terminator plus the length field.
  padded = tail < 112 ? 128 : 256;
  x[padded - 9] = 0;
  // Length in bits, split into high and low 32-bit halves.
  ts64(x, padded - 8, (total / 0x20000000) | 0, total << 3);
  crypto_hashblocks_hl(hh, hl, x, padded);

  for (i = 0; i < 8; i++) ts64(out, 8 * i, hh[i], hl[i]);

  return 0;
}
// Point addition in place: p = p + q, where each point is an array of four
// field elements. `q` is only read. The same formula is used when p and q are
// the same object (see the doubling call in scalarmult), because all inputs
// are consumed into temporaries before p is written.
function add(p, q) {
  var a = gf(), b = gf(), c = gf();
  var d = gf(), e = gf(), f = gf();
  var g = gf(), h = gf(), t = gf();

  // a = (p1 - p0) * (q1 - q0)
  Z(a, p[1], p[0]);
  Z(t, q[1], q[0]);
  M(a, a, t);

  // b = (p0 + p1) * (q0 + q1)
  A(b, p[0], p[1]);
  A(t, q[0], q[1]);
  M(b, b, t);

  // c = p3 * q3 * D2
  M(c, p[3], q[3]);
  M(c, c, D2);

  // d = 2 * p2 * q2
  M(d, p[2], q[2]);
  A(d, d, d);

  Z(e, b, a);
  Z(f, d, c);
  A(g, d, c);
  A(h, b, a);

  M(p[0], e, f);
  M(p[1], h, g);
  M(p[2], g, f);
  M(p[3], e, h);
}
// Conditionally swaps two points (four field elements each) by applying
// sel25519 to every coordinate pair; b = 1 swaps, b = 0 leaves both as is.
function cswap(p, q, b) {
  var k = 0;
  while (k < 4) {
    sel25519(p[k], q[k], b);
    k += 1;
  }
}
// Encodes point `p` into 32 bytes in `r`: divides the first two coordinates
// by the third, packs the second quotient, and stores the parity of the first
// quotient in the top bit of the last byte.
function pack(r, p) {
  var zInv = gf();
  var tx = gf();
  var ty = gf();

  inv25519(zInv, p[2]);
  M(tx, p[0], zInv);
  M(ty, p[1], zInv);
  pack25519(r, ty);
  r[31] ^= par25519(tx) << 7;
}
// Computes p = s * q for a 32-byte little-endian scalar `s`. `p` is
// initialised to (gf0, gf1, gf1, gf0) and `q` is modified as scratch space.
//
// All 256 bits are processed with the same swap / add / double / swap
// sequence, with the swaps driven by cswap, so the operations performed do
// not branch on scalar bits.
function scalarmult(p, q, s) {
  var bit, pos;

  set25519(p[0], gf0);
  set25519(p[1], gf1);
  set25519(p[2], gf1);
  set25519(p[3], gf0);

  for (pos = 255; pos >= 0; --pos) {
    bit = (s[pos >> 3] >> (pos & 7)) & 1;
    cswap(p, q, bit);
    add(q, p);
    add(p, p);
    cswap(p, q, bit);
  }
}
// Computes p = s * B, where B is the point built from the file-level
// constants X and Y as (X, Y, 1, X * Y).
function scalarbase(p, s) {
  var base = [gf(), gf(), gf(), gf()];

  set25519(base[0], X);
  set25519(base[1], Y);
  set25519(base[2], gf1);
  M(base[3], X, Y);
  scalarmult(p, base, s);
}
// Generates a signing key pair. Always returns 0.
//
// Unless `seeded` is truthy, the first 32 bytes of `sk` are filled from
// `randombytes`; with `seeded` set, the caller's existing 32-byte seed in
// `sk` is used as is. The seed is hashed, the first half of the hash is
// clamped into the secret scalar, and the public key derived from it is
// written to `pk` and also appended to `sk` (so `sk` ends up as
// seed || public key, 64 bytes).
//
// NOTE(review): the buffer holding the hashed seed is left for the garbage
// collector and not overwritten.
function crypto_sign_keypair(pk, sk, seeded) {
  var digest = new Uint8Array(64);
  var point = [gf(), gf(), gf(), gf()];
  var k;

  if (!seeded) randombytes(sk, 32);
  crypto_hash(digest, sk, 32);

  // Clamp: clear the low 3 bits and bit 255, set bit 254.
  digest[0] &= 248;
  digest[31] &= 127;
  digest[31] |= 64;

  scalarbase(point, digest);
  pack(pk, point);

  for (k = 0; k < 32; k++) sk[k + 32] = pk[k];
  return 0;
}
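// The group order used for signatures, as 32 little-endian bytes
// (bytes 16..30 are zero and the top byte is 0x10).
var L = new Float64Array([
  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
  0, 0, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0x10
]);

// Reduces the 64-entry little-endian digit array `x` modulo L and writes the
// 32 result bytes to `r`. `x` is used as scratch space and is destroyed.
//
// `x` is expected to hold exact integers (a Float64Array in this file); its
// entries do not have to be single bytes - crypto_sign passes sums of byte
// products.
//
// The carry in the first loop is computed with Math.floor and a division
// rather than `>> 8`: the shift would first convert the value to a signed
// 32-bit integer, and `16 * x[i] * L[...]` can push x[j] past that range when
// the digits are unreduced products, which would silently corrupt the
// reduction. For values inside the 32-bit range both forms give the same
// result. The later shifts only ever see small values.
function modL(r, x) {
  var carry, i, j, k;

  // Eliminate digits 63..32 one at a time by subtracting a shifted multiple
  // of L, renormalising the touched digits to [-128, 127] as we go.
  for (i = 63; i >= 32; --i) {
    carry = 0;
    for (j = i - 32, k = i - 12; j < k; ++j) {
      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
      carry = Math.floor((x[j] + 128) / 256);
      x[j] -= carry * 256;
    }
    x[j] += carry;
    x[i] = 0;
  }

  // Subtract the multiple of L estimated from the top digit.
  carry = 0;
  for (j = 0; j < 32; j++) {
    x[j] += carry - (x[31] >> 4) * L[j];
    carry = x[j] >> 8;
    x[j] &= 255;
  }

  // If that went negative (carry is -1), add L back once.
  for (j = 0; j < 32; j++) x[j] -= carry * L[j];

  // Final carry propagation into byte-sized output digits.
  for (i = 0; i < 32; i++) {
    x[i + 1] += x[i] >> 8;
    r[i] = x[i] & 255;
  }
}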
// Reduces the 64-byte value in `r` modulo L in place: the bytes are copied
// into a scratch digit array, `r` is cleared, and modL writes the 32-byte
// result back into the start of `r` (the upper 32 bytes stay zero).
function reduce(r) {
  var digits = new Float64Array(64);
  var k;

  for (k = 0; k < 64; k++) {
    digits[k] = r[k];
    r[k] = 0;
  }
  modL(r, digits);
}
// Note: difference from C - smlen returned, not passed as argument.
// Signs the first `n` bytes of `m` with the 64-byte secret key `sk` and
// writes signature || message into `sm`, which must have room for n + 64
// bytes. Returns the signed-message length, n + 64.
//
// The nonce is derived by hashing the second half of the hashed seed together
// with the message, so signing needs no random number generator. The second
// half of `sk` is used as the public key without being re-derived from the
// seed.
//
// NOTE(review): the temporaries holding the secret scalar and the nonce are
// not overwritten before returning.
function crypto_sign(sm, m, n, sk) {
  var d = new Uint8Array(64);
  var h = new Uint8Array(64);
  var r = new Uint8Array(64);
  var x = new Float64Array(64);
  var p = [gf(), gf(), gf(), gf()];
  var smlen = n + 64;
  var i, j;

  // Secret scalar: clamped first half of the hashed seed.
  crypto_hash(d, sk, 32);
  d[0] &= 248;
  d[31] &= 127;
  d[31] |= 64;

  // sm[32..] = prefix || message, hashed to get the nonce r.
  for (i = 0; i < n; i++) sm[64 + i] = m[i];
  for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];

  crypto_hash(r, sm.subarray(32), n + 32);
  reduce(r);
  scalarbase(p, r);
  pack(sm, p);

  // sm = R || public key || message, hashed to get h.
  for (i = 32; i < 64; i++) sm[i] = sk[i];
  crypto_hash(h, sm, n + 64);
  reduce(h);

  // x = r + h * d as unreduced digit sums, then reduced into sm[32..63].
  for (i = 0; i < 64; i++) x[i] = i < 32 ? r[i] : 0;
  for (i = 0; i < 32; i++) {
    for (j = 0; j < 32; j++) {
      x[i + j] += h[i] * d[j];
    }
  }

  modL(sm.subarray(32), x);
  return smlen;
}
// Decodes the 32-byte point encoding `p` into `r` (four field elements) with
// the first coordinate negated relative to the encoded sign bit. Returns 0 on
// success and -1 when no matching first coordinate exists.
//
// NOTE(review): the second coordinate goes through unpack25519, which masks
// the top bit and does not reject values at or above the field prime, so more
// than one byte string can decode to the same point.
function unpackneg(r, p) {
  var t = gf(), chk = gf(), num = gf();
  var den = gf(), den2 = gf(), den4 = gf(), den6 = gf();

  set25519(r[2], gf1);
  unpack25519(r[1], p);

  // num = y^2 - 1, den = D * y^2 + 1
  S(num, r[1]);
  M(den, num, D);
  Z(num, num, r[2]);
  A(den, r[2], den);

  // Candidate root via a single fixed exponentiation.
  S(den2, den);
  S(den4, den2);
  M(den6, den4, den2);
  M(t, den6, num);
  M(t, t, den);

  pow2523(t, t);
  M(t, t, num);
  M(t, t, den);
  M(t, t, den);
  M(r[0], t, den);

  // If the candidate does not satisfy the equation, try it times I.
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) M(r[0], r[0], I);

  // Still no match: the encoding is not a point.
  S(chk, r[0]);
  M(chk, chk, den);
  if (neq25519(chk, num)) return -1;

  // Pick the root whose parity is the opposite of the encoded sign bit.
  if (par25519(r[0]) === (p[31] >> 7)) Z(r[0], gf0, r[0]);

  M(r[3], r[0], r[1]);
  return 0;
}
// Verifies the signed message `sm` (n bytes: 64-byte signature followed by
// the message) against public key `pk`. On success the message is copied to
// the start of `m` and its length, n - 64, is returned; on failure -1 is
// returned and the first n - 64 bytes of `m` are zeroed.
//
// `m` is used as scratch space and must be at least n bytes long. The final
// comparison goes through crypto_verify_32 rather than a byte-by-byte loop
// with early exit.
//
// NOTE(review): the scalar half of the signature (sm[32..63]) is used as
// given; no range check against the group order is visible in this function.
// Callers that depend on each message having a unique valid signature
// encoding should confirm whether that check happens elsewhere.
function crypto_sign_open(m, sm, n, pk) {
  var t = new Uint8Array(32);
  var h = new Uint8Array(64);
  var p = [gf(), gf(), gf(), gf()];
  var q = [gf(), gf(), gf(), gf()];
  var msgLen, i;

  if (n < 64) return -1;

  if (unpackneg(q, pk)) return -1;

  // m = R || public key || message, hashed and reduced to get h.
  for (i = 0; i < n; i++) m[i] = sm[i];
  for (i = 0; i < 32; i++) m[i + 32] = pk[i];
  crypto_hash(h, m, n);
  reduce(h);
  scalarmult(p, q, h);

  // Recompute R from the scalar half and compare with the one in sm.
  scalarbase(q, sm.subarray(32));
  add(p, q);
  pack(t, p);

  msgLen = n - 64;
  if (crypto_verify_32(sm, 0, t, 0)) {
    for (i = 0; i < msgLen; i++) m[i] = 0;
    return -1;
  }

  for (i = 0; i < msgLen; i++) m[i] = sm[i + 64];
  return msgLen;
}
// Byte lengths of keys, nonces, padding and outputs. The high-level API
// below validates caller input against these values and re-exports them.

// secretbox
var crypto_secretbox_KEYBYTES = 32;
var crypto_secretbox_NONCEBYTES = 24;
var crypto_secretbox_ZEROBYTES = 32;
var crypto_secretbox_BOXZEROBYTES = 16;

// scalarmult
var crypto_scalarmult_BYTES = 32;
var crypto_scalarmult_SCALARBYTES = 32;

// box (nonce and padding sizes are shared with secretbox)
var crypto_box_PUBLICKEYBYTES = 32;
var crypto_box_SECRETKEYBYTES = 32;
var crypto_box_BEFORENMBYTES = 32;
var crypto_box_NONCEBYTES = crypto_secretbox_NONCEBYTES;
var crypto_box_ZEROBYTES = crypto_secretbox_ZEROBYTES;
var crypto_box_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES;

// sign
var crypto_sign_BYTES = 64;
var crypto_sign_PUBLICKEYBYTES = 32;
var crypto_sign_SECRETKEYBYTES = 64;
var crypto_sign_SEEDBYTES = 32;

// hash
var crypto_hash_BYTES = 64;
// Raw primitives and their size constants, exported unchanged.
//
// These entry points take caller-allocated buffers and explicit lengths. The
// argument type and length checks visible in this file (checkArrayTypes,
// checkLengths, checkBoxLengths) are called only from the high-level nacl.*
// wrappers below, so code calling nacl.lowlevel directly has to validate its
// own inputs and buffer sizes.
nacl.lowlevel = {};

// Stream cipher, one-time authenticator and comparison helpers.
nacl.lowlevel.crypto_core_hsalsa20 = crypto_core_hsalsa20;
nacl.lowlevel.crypto_stream_xor = crypto_stream_xor;
nacl.lowlevel.crypto_stream = crypto_stream;
nacl.lowlevel.crypto_stream_salsa20_xor = crypto_stream_salsa20_xor;
nacl.lowlevel.crypto_stream_salsa20 = crypto_stream_salsa20;
nacl.lowlevel.crypto_onetimeauth = crypto_onetimeauth;
nacl.lowlevel.crypto_onetimeauth_verify = crypto_onetimeauth_verify;
nacl.lowlevel.crypto_verify_16 = crypto_verify_16;
nacl.lowlevel.crypto_verify_32 = crypto_verify_32;

// Secret-key and public-key boxes.
nacl.lowlevel.crypto_secretbox = crypto_secretbox;
nacl.lowlevel.crypto_secretbox_open = crypto_secretbox_open;
nacl.lowlevel.crypto_scalarmult = crypto_scalarmult;
nacl.lowlevel.crypto_scalarmult_base = crypto_scalarmult_base;
nacl.lowlevel.crypto_box_beforenm = crypto_box_beforenm;
nacl.lowlevel.crypto_box_afternm = crypto_box_afternm;
nacl.lowlevel.crypto_box = crypto_box;
nacl.lowlevel.crypto_box_open = crypto_box_open;
nacl.lowlevel.crypto_box_keypair = crypto_box_keypair;

// Hashing and signatures.
nacl.lowlevel.crypto_hash = crypto_hash;
nacl.lowlevel.crypto_sign = crypto_sign;
nacl.lowlevel.crypto_sign_keypair = crypto_sign_keypair;
nacl.lowlevel.crypto_sign_open = crypto_sign_open;

// Size constants.
nacl.lowlevel.crypto_secretbox_KEYBYTES = crypto_secretbox_KEYBYTES;
nacl.lowlevel.crypto_secretbox_NONCEBYTES = crypto_secretbox_NONCEBYTES;
nacl.lowlevel.crypto_secretbox_ZEROBYTES = crypto_secretbox_ZEROBYTES;
nacl.lowlevel.crypto_secretbox_BOXZEROBYTES = crypto_secretbox_BOXZEROBYTES;
nacl.lowlevel.crypto_scalarmult_BYTES = crypto_scalarmult_BYTES;
nacl.lowlevel.crypto_scalarmult_SCALARBYTES = crypto_scalarmult_SCALARBYTES;
nacl.lowlevel.crypto_box_PUBLICKEYBYTES = crypto_box_PUBLICKEYBYTES;
nacl.lowlevel.crypto_box_SECRETKEYBYTES = crypto_box_SECRETKEYBYTES;
nacl.lowlevel.crypto_box_BEFORENMBYTES = crypto_box_BEFORENMBYTES;
nacl.lowlevel.crypto_box_NONCEBYTES = crypto_box_NONCEBYTES;
nacl.lowlevel.crypto_box_ZEROBYTES = crypto_box_ZEROBYTES;
nacl.lowlevel.crypto_box_BOXZEROBYTES = crypto_box_BOXZEROBYTES;
nacl.lowlevel.crypto_sign_BYTES = crypto_sign_BYTES;
nacl.lowlevel.crypto_sign_PUBLICKEYBYTES = crypto_sign_PUBLICKEYBYTES;
nacl.lowlevel.crypto_sign_SECRETKEYBYTES = crypto_sign_SECRETKEYBYTES;
nacl.lowlevel.crypto_sign_SEEDBYTES = crypto_sign_SEEDBYTES;
nacl.lowlevel.crypto_hash_BYTES = crypto_hash_BYTES;
/* High-level API */
// Rejects a secretbox key or nonce of the wrong length.
// Throws Error('bad key size') or Error('bad nonce size'); the key is
// checked first. Only `.length` is inspected here -- callers run
// checkArrayTypes beforehand to establish the argument types.
function checkLengths(k, n) {
  if (k.length !== crypto_secretbox_KEYBYTES) {
    throw new Error('bad key size');
  }
  if (n.length !== crypto_secretbox_NONCEBYTES) {
    throw new Error('bad nonce size');
  }
}
// Rejects a box public or secret key of the wrong length.
// Throws Error('bad public key size') or Error('bad secret key size'); the
// public key is checked first. Only the lengths are validated, not the key
// contents.
function checkBoxLengths(pk, sk) {
  if (pk.length !== crypto_box_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }
  if (sk.length !== crypto_box_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
}
// Throws a TypeError unless every argument reports the
// '[object Uint8Array]' tag through Object.prototype.toString.
//
// The check is tag-based rather than an `instanceof` test, so it also
// accepts Uint8Array subclasses that keep the tag (a Node.js Buffer does).
// It guards against API misuse such as passing strings or plain arrays; it
// is not a defence against a deliberately crafted object.
function checkArrayTypes() {
  var expectedTag = '[object Uint8Array]';
  var tagOf = Object.prototype.toString;
  for (var pos = 0; pos < arguments.length; pos++) {
    var tag = tagOf.call(arguments[pos]);
    if (tag !== expectedTag) {
      throw new TypeError('unexpected type ' + tag + ', use Uint8Array');
    }
  }
}
// Overwrites every element of `arr` with 0, in place.
// Used in this file to wipe temporary buffers of random bytes. This is
// best-effort hygiene: it clears this buffer only, not any copies the
// JavaScript engine or the caller may hold.
function cleanup(arr) {
  var pos = 0;
  while (pos < arr.length) {
    arr[pos] = 0;
    pos++;
  }
}
// TODO: Completely remove this in v0.15.
// Compatibility stub: when no nacl.util has been attached, install
// placeholders that throw and point at the separate package, so old callers
// fail loudly instead of getting `undefined`. All four names share one
// function object.
if (!nacl.util) {
  nacl.util = {};
  nacl.util.decodeBase64 = function() {
    throw new Error('nacl.util moved into separate package: https://github.com/dchest/tweetnacl-util-js');
  };
  nacl.util.encodeBase64 = nacl.util.decodeBase64;
  nacl.util.encodeUTF8 = nacl.util.decodeBase64;
  nacl.util.decodeUTF8 = nacl.util.decodeBase64;
}
// Returns a new Uint8Array of `n` bytes filled by the currently installed
// PRNG (`randombytes`). Until a generator is installed through nacl.setPRNG,
// the default `randombytes` throws Error('no PRNG'), so this call fails
// rather than returning weak randomness.
nacl.randomBytes = function(n) {
  var out = new Uint8Array(n);
  randombytes(out, n);
  return out;
};
// Encrypts and authenticates `msg` with `key` and `nonce`.
//
// All three arguments must be Uint8Arrays; key and nonce lengths are checked
// (throws on mismatch). Returns the box as a view that skips the first
// crypto_secretbox_BOXZEROBYTES bytes of the internal output buffer.
//
// The nonce is supplied by the caller; this function neither generates nor
// tracks nonces, so keeping them unique for a given key is the caller's
// responsibility.
nacl.secretbox = function(msg, nonce, key) {
  checkArrayTypes(msg, nonce, key);
  checkLengths(key, nonce);

  // The low-level call expects the message preceded by ZEROBYTES of zeros.
  var padded = new Uint8Array(crypto_secretbox_ZEROBYTES + msg.length);
  var boxed = new Uint8Array(padded.length);
  for (var pos = 0; pos < msg.length; pos++) {
    padded[pos + crypto_secretbox_ZEROBYTES] = msg[pos];
  }

  crypto_secretbox(boxed, padded, padded.length, nonce, key);
  return boxed.subarray(crypto_secretbox_BOXZEROBYTES);
};
// Authenticates and decrypts `box` with `key` and `nonce`.
//
// Returns the plaintext as a Uint8Array view, or the boolean `false` when
// the box is too short or crypto_secretbox_open reports failure. Callers
// must test the result against `false` before using it; type or length
// errors in the arguments throw instead.
nacl.secretbox.open = function(box, nonce, key) {
  checkArrayTypes(box, nonce, key);
  checkLengths(key, nonce);

  // The low-level call expects the box preceded by BOXZEROBYTES of zeros.
  var padded = new Uint8Array(crypto_secretbox_BOXZEROBYTES + box.length);
  var plain = new Uint8Array(padded.length);
  for (var pos = 0; pos < box.length; pos++) {
    padded[pos + crypto_secretbox_BOXZEROBYTES] = box[pos];
  }

  if (padded.length < 32) {
    return false;
  }

  var status = crypto_secretbox_open(plain, padded, padded.length, nonce, key);
  if (status !== 0) {
    return false;
  }
  return plain.subarray(crypto_secretbox_ZEROBYTES);
};
// Public size constants for secretbox, in bytes. overheadLength is how much
// longer a box returned by nacl.secretbox is than its message.
nacl.secretbox.keyLength = crypto_secretbox_KEYBYTES;
nacl.secretbox.nonceLength = crypto_secretbox_NONCEBYTES;
nacl.secretbox.overheadLength = crypto_secretbox_BOXZEROBYTES;
// Multiplies group element `p` by scalar `n` and returns the result as a new
// Uint8Array of crypto_scalarmult_BYTES bytes.
//
// Throws on wrong argument types or lengths. The result is returned as
// computed: this wrapper does not inspect it (for example for an all-zero
// output), so a protocol that needs that property has to check it itself.
nacl.scalarMult = function(n, p) {
  checkArrayTypes(n, p);
  if (n.length !== crypto_scalarmult_SCALARBYTES) {
    throw new Error('bad n size');
  }
  if (p.length !== crypto_scalarmult_BYTES) {
    throw new Error('bad p size');
  }
  var product = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult(product, n, p);
  return product;
};
// Multiplies the standard base point by scalar `n` and returns the result as
// a new Uint8Array of crypto_scalarmult_BYTES bytes.
// Throws on a non-Uint8Array argument or a scalar of the wrong length.
nacl.scalarMult.base = function(n) {
  checkArrayTypes(n);
  if (n.length !== crypto_scalarmult_SCALARBYTES) {
    throw new Error('bad n size');
  }
  var product = new Uint8Array(crypto_scalarmult_BYTES);
  crypto_scalarmult_base(product, n);
  return product;
};
// Public size constants for scalarMult, in bytes.
nacl.scalarMult.scalarLength = crypto_scalarmult_SCALARBYTES;
nacl.scalarMult.groupElementLength = crypto_scalarmult_BYTES;
// Public-key authenticated encryption: derives the shared key with
// nacl.box.before and encrypts `msg` with nacl.secretbox under it.
//
// Argument validation happens inside those two calls. The derived shared key
// is a local that is not wiped before returning; callers exchanging many
// messages with the same peer can call nacl.box.before once and use
// nacl.box.after so they control that key's lifetime. Nonce uniqueness per
// key pair is the caller's responsibility.
nacl.box = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  return nacl.secretbox(msg, nonce, sharedKey);
};
// Precomputes the shared key for a (publicKey, secretKey) pair and returns it
// as a new Uint8Array of crypto_box_BEFORENMBYTES bytes.
//
// Throws on wrong argument types or key lengths. The returned value is secret
// key material: it works directly as the key for nacl.box.after and
// nacl.box.open.after, so it needs the same protection as the secret key.
nacl.box.before = function(publicKey, secretKey) {
  checkArrayTypes(publicKey, secretKey);
  checkBoxLengths(publicKey, secretKey);
  var sharedKey = new Uint8Array(crypto_box_BEFORENMBYTES);
  crypto_box_beforenm(sharedKey, publicKey, secretKey);
  return sharedKey;
};
// box.after is the same function object as nacl.secretbox: call it as
// (msg, nonce, sharedKey) with a key obtained from nacl.box.before.
nacl.box.after = nacl.secretbox;
// Opens a box produced by nacl.box: derives the shared key with
// nacl.box.before and passes the box to nacl.secretbox.open.
//
// Returns the plaintext Uint8Array, or `false` when nacl.secretbox.open
// rejects the box; callers must check for `false` before using the result.
// Despite its name, `msg` is the received box, not a plaintext.
nacl.box.open = function(msg, nonce, publicKey, secretKey) {
  var sharedKey = nacl.box.before(publicKey, secretKey);
  return nacl.secretbox.open(msg, nonce, sharedKey);
};
// box.open.after is the same function object as nacl.secretbox.open: call it
// as (box, nonce, sharedKey); it returns `false` when the box is rejected.
nacl.box.open.after = nacl.secretbox.open;
// Generates a new box key pair and returns {publicKey, secretKey} as freshly
// allocated Uint8Arrays. Key generation is delegated to crypto_box_keypair,
// which presumably draws the secret key from the installed PRNG and
// therefore throws when none is available -- confirm against its definition
// earlier in the file.
nacl.box.keyPair = function() {
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_box_SECRETKEYBYTES);
  crypto_box_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
// Rebuilds a box key pair from an existing secret key: the public key is
// recomputed with crypto_scalarmult_base.
//
// Throws on a non-Uint8Array argument or a wrong length. The returned
// secretKey is a copy, so wiping the returned pair later does not clear the
// caller's original buffer (and vice versa).
nacl.box.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_box_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_box_PUBLICKEYBYTES);
  crypto_scalarmult_base(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: new Uint8Array(secretKey)};
};
// Public size constants for box, in bytes. overheadLength is taken from
// secretbox, which box uses for the actual encryption.
nacl.box.publicKeyLength = crypto_box_PUBLICKEYBYTES;
nacl.box.secretKeyLength = crypto_box_SECRETKEYBYTES;
nacl.box.sharedKeyLength = crypto_box_BEFORENMBYTES;
nacl.box.nonceLength = crypto_box_NONCEBYTES;
nacl.box.overheadLength = nacl.secretbox.overheadLength;
// Signs `msg` with the 64-byte `secretKey` and returns the signed message: a
// new Uint8Array of crypto_sign_BYTES + msg.length bytes, with the signature
// in the first crypto_sign_BYTES bytes (see nacl.sign.detached).
// Throws on wrong argument types or a secret key of the wrong length.
nacl.sign = function(msg, secretKey) {
  checkArrayTypes(msg, secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var out = new Uint8Array(crypto_sign_BYTES + msg.length);
  crypto_sign(out, msg, msg.length, secretKey);
  return out;
};
// Verifies a signed message produced by nacl.sign and returns the enclosed
// message as a new Uint8Array, or `null` when verification fails.
//
// Exactly two arguments are required: the arity check catches callers that
// pass (msg, sig, publicKey) and meant nacl.sign.detached.verify. Callers
// must check for `null` before using the result; argument type and length
// errors throw instead.
nacl.sign.open = function(signedMsg, publicKey) {
  if (arguments.length !== 2) {
    throw new Error('nacl.sign.open accepts 2 arguments; did you mean to use nacl.sign.detached.verify?');
  }
  checkArrayTypes(signedMsg, publicKey);
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }

  // crypto_sign_open needs a scratch buffer as large as the signed message.
  var scratch = new Uint8Array(signedMsg.length);
  var msgLen = crypto_sign_open(scratch, signedMsg, signedMsg.length, publicKey);
  if (msgLen < 0) {
    return null;
  }

  // Copy only the verified message out of the scratch buffer.
  var opened = new Uint8Array(msgLen);
  for (var pos = 0; pos < opened.length; pos++) {
    opened[pos] = scratch[pos];
  }
  return opened;
};
// Returns only the signature for `msg`: the first crypto_sign_BYTES bytes of
// the signed message built by nacl.sign, copied into a new Uint8Array.
// Argument validation (and any throw) comes from nacl.sign.
nacl.sign.detached = function(msg, secretKey) {
  var signed = nacl.sign(msg, secretKey);
  var signature = new Uint8Array(crypto_sign_BYTES);
  for (var pos = 0; pos < signature.length; pos++) {
    signature[pos] = signed[pos];
  }
  return signature;
};
// Verifies the detached signature `sig` over `msg` with `publicKey`.
// Returns true when crypto_sign_open accepts the signature, false otherwise;
// wrong argument types or lengths throw.
//
// The check is done by rebuilding the signed message (sig followed by msg)
// and running it through crypto_sign_open, so two buffers of
// crypto_sign_BYTES + msg.length bytes are allocated per call.
nacl.sign.detached.verify = function(msg, sig, publicKey) {
  checkArrayTypes(msg, sig, publicKey);
  if (sig.length !== crypto_sign_BYTES) {
    throw new Error('bad signature size');
  }
  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) {
    throw new Error('bad public key size');
  }

  var signed = new Uint8Array(crypto_sign_BYTES + msg.length);
  var scratch = new Uint8Array(crypto_sign_BYTES + msg.length);
  var pos;
  for (pos = 0; pos < crypto_sign_BYTES; pos++) {
    signed[pos] = sig[pos];
  }
  for (pos = 0; pos < msg.length; pos++) {
    signed[pos + crypto_sign_BYTES] = msg[pos];
  }

  var msgLen = crypto_sign_open(scratch, signed, signed.length, publicKey);
  return msgLen >= 0;
};
// Generates a new signing key pair and returns {publicKey, secretKey} as
// freshly allocated Uint8Arrays (32 and 64 bytes). Called without a seed
// flag, crypto_sign_keypair presumably draws the seed from the installed
// PRNG and therefore throws when none is available -- confirm against its
// definition earlier in the file.
nacl.sign.keyPair = function() {
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  crypto_sign_keypair(publicKey, secretKey);
  return {publicKey: publicKey, secretKey: secretKey};
};
// Rebuilds a signing key pair from a 64-byte secret key.
//
// The public key is copied from bytes 32..63 of `secretKey`; it is NOT
// recomputed from the first half. A secret key whose second half does not
// match its first half therefore yields an inconsistent pair, so only pass
// secret keys from a trusted source (or use fromSeed with the first 32
// bytes). The returned secretKey is a copy of the input.
nacl.sign.keyPair.fromSecretKey = function(secretKey) {
  checkArrayTypes(secretKey);
  if (secretKey.length !== crypto_sign_SECRETKEYBYTES) {
    throw new Error('bad secret key size');
  }
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  for (var pos = 0; pos < publicKey.length; pos++) {
    publicKey[pos] = secretKey[32 + pos];
  }
  return {publicKey: publicKey, secretKey: new Uint8Array(secretKey)};
};
// Derives a signing key pair from a 32-byte seed and returns
// {publicKey, secretKey} as new Uint8Arrays.
//
// The seed is copied into the first 32 bytes of the secret key before
// crypto_sign_keypair is called with a third argument of `true`, which
// presumably tells it to use that seed instead of drawing random bytes --
// confirm against its definition. The seed determines the key pair, so it
// has to be as unpredictable and as well protected as the secret key itself.
nacl.sign.keyPair.fromSeed = function(seed) {
  checkArrayTypes(seed);
  if (seed.length !== crypto_sign_SEEDBYTES) {
    throw new Error('bad seed size');
  }
  var publicKey = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
  var secretKey = new Uint8Array(crypto_sign_SECRETKEYBYTES);
  for (var pos = 0; pos < 32; pos++) {
    secretKey[pos] = seed[pos];
  }
  crypto_sign_keypair(publicKey, secretKey, true);
  return {publicKey: publicKey, secretKey: secretKey};
};
// Public size constants for sign, in bytes.
nacl.sign.publicKeyLength = crypto_sign_PUBLICKEYBYTES;
nacl.sign.secretKeyLength = crypto_sign_SECRETKEYBYTES;
nacl.sign.seedLength = crypto_sign_SEEDBYTES;
nacl.sign.signatureLength = crypto_sign_BYTES;
// Hashes `msg` with crypto_hash and returns the digest as a new Uint8Array
// of crypto_hash_BYTES bytes. Throws a TypeError when `msg` is not a
// Uint8Array. This is a plain unkeyed hash call: it takes no key or salt.
nacl.hash = function(msg) {
  checkArrayTypes(msg);
  var digest = new Uint8Array(crypto_hash_BYTES);
  crypto_hash(digest, msg, msg.length);
  return digest;
};
// Length in bytes of the digest returned by nacl.hash.
nacl.hash.hashLength = crypto_hash_BYTES;
// Compares two Uint8Arrays for equality and returns a boolean.
//
// Empty inputs and inputs of different lengths compare as not equal; those
// early returns depend only on the lengths. The byte comparison itself is
// delegated to vn (defined earlier in the file; presumably the comparison
// helper that does not exit on the first differing byte -- confirm). Use
// this instead of a hand-written loop or string comparison when checking
// MACs or other secret-dependent values.
nacl.verify = function(x, y) {
  checkArrayTypes(x, y);
  // Zero length arguments are considered not equal.
  if (x.length === 0 || y.length === 0) {
    return false;
  }
  if (x.length !== y.length) {
    return false;
  }
  return vn(x, 0, y, 0, x.length) === 0;
};
// Installs `fn` as the random byte source used by this module. It is called
// as fn(x, n) and is expected to fill x[0..n) with random bytes.
//
// `fn` is stored without any validation, and the generators installed by
// this file's own initialisation use the platform CSPRNG. Replacing them
// with a predictable source makes anything drawn from randombytes (such as
// nacl.randomBytes output) predictable, so call this only with a
// cryptographically secure generator.
nacl.setPRNG = function(fn) {
  randombytes = fn;
};
(function() {
  // Pick a CSPRNG from the environment and install it through nacl.setPRNG.
  // There is deliberately no fallback: when neither source below is found,
  // nothing is installed and methods calling randombytes will throw.
  var webCrypto = (typeof self === 'undefined') ? null : (self.crypto || self.msCrypto);

  if (webCrypto && webCrypto.getRandomValues) {
    // Browsers. getRandomValues accepts at most 65536 bytes per call, so the
    // request is filled in chunks.
    var QUOTA = 65536;
    nacl.setPRNG(function(x, n) {
      var scratch = new Uint8Array(n);
      var offset;
      for (offset = 0; offset < n; offset += QUOTA) {
        webCrypto.getRandomValues(scratch.subarray(offset, offset + Math.min(n - offset, QUOTA)));
      }
      for (offset = 0; offset < n; offset++) {
        x[offset] = scratch[offset];
      }
      // Wipe the temporary copy of the random bytes.
      cleanup(scratch);
    });
    return;
  }

  if (typeof require === 'undefined') {
    return;
  }

  // Node.js.
  var nodeCrypto = require('crypto');
  if (nodeCrypto && nodeCrypto.randomBytes) {
    nacl.setPRNG(function(x, n) {
      var scratch = nodeCrypto.randomBytes(n);
      for (var pos = 0; pos < n; pos++) {
        x[pos] = scratch[pos];
      }
      // Wipe the temporary copy of the random bytes.
      cleanup(scratch);
    });
  }
})();
})(typeof module !== 'undefined' && module.exports ? module.exports : (self.nacl = self.nacl || {}));