ÿØÿà JFIF    ÿÛ „  ( %"1!%)+...383,7(-.+  -+++--++++---+-+-----+---------------+---+-++7-----ÿÀ  ß â" ÿÄ     ÿÄ H    !1AQaq"‘¡2B±ÁÑð#R“Ò Tbr‚²á3csƒ’ÂñDS¢³$CÿÄ   ÿÄ %  !1AQa"23‘ÿÚ   ? ôÿ ¨pŸªáÿ —åYõõ\?àÒü©ŠÄï¨pŸªáÿ —åYõõ\?àÓü©ŠÄá 0Ÿªáÿ Ÿå[úƒ ú®ði~TÁbqÐ8OÕpÿ ƒOò¤Oè`–RÂáœá™êi€ßÉ< FtŸI“öÌ8úDf´°å}“¾œ6  öFá°y¥jñÇh†ˆ¢ã/ÃÐ:ªcÈ "Y¡ðÑl>ÿ ”ÏËte:qž\oäŠe÷󲍷˜HT4&ÿ ÓÐü6ö®¿øþßèô Ÿ•7Ñi’•j|“ñì>b…þS?*Óôÿ ÓÐü*h¥£ír¶ü UãSç‚Ÿ[AÐaè[ûª•õ&õj?†Éö+EzP—WeÒírJFt ‘BŒ†Ï‡%#tE Øz ¥OÛ«!1›üä±Í™%ºÍãö]°î(–:@<‹ŒÊö×òÆt¦ãº+‡¦%ÌÁ²h´OƒJŒtMÜ>ÀÜÊw3Y´•牋4ǍýʏTì>œú=Íwhyë,¾Ôò×õ¿ßÊa»«þˆѪQ|%6ž™A õ%:øj<>É—ÿ Å_ˆCbõ¥š±ý¯Ýƒï…¶|RëócÍf溪“t.СøTÿ *Ä¿-{†çàczůŽ_–^XþŒ±miB[X±d 1,é”zEù»& î9gœf™9Ð'.;—™i}!ôšåîqêÛ٤ёý£½ÆA–àôe"A$˝Úsäÿ ÷Û #°xŸëí(l »ý3—¥5m! rt`†0~'j2(]S¦¦kv,ÚÇ l¦øJA£Šƒ J3E8ÙiŽ:cÉžúeZ°€¯\®kÖ(79«Ž:¯X”¾³Š&¡* ….‰Ž(ÜíŸ2¥ª‡×Hi²TF¤ò[¨íÈRëÉ䢍mgÑ.Ÿ<öäS0í„ǹÁU´f#Vß;Õ–…P@3ío<ä-±»Ž.L|kªÀê›fÂ6@»eu‚|ÓaÞÆŸ…¨ááå>åŠ?cKü6ùTÍÆ”†sĤÚ;H2RÚ†õ\Ö·Ÿn'¾ ñ#ºI¤Å´%çÁ­‚â7›‹qT3Iï¨ÖÚ5I7Ë!ÅOóŸ¶øÝñØôת¦$Tcö‘[«Ö³šÒ';Aþ ¸èíg A2Z"i¸vdÄ÷.iõ®§)¿]¤À†–‡É&ä{V¶iŽ”.Ó×Õÿ û?h¬Mt–íª[ÿ Ñÿ ÌV(í}=ibÔ¡›¥¢±b Lô¥‡piη_Z<‡z§èŒ)iÖwiÇ 2hÙ3·=’d÷8éŽ1¦¸c¤µ€7›7Ø ð\á)} ¹fËí›pAÃL%âc2 í§æQz¿;T8sæ°qø)QFMð‰XŒÂ±N¢aF¨…8¯!U  Z©RÊ ÖPVÄÀÍin™Ì-GˆªÅËŠ›•zË}º±ŽÍFò¹}Uw×#ä5B¤{î}Ð<ÙD é©¤&‡ïDbàÁôMÁ." ¤‡ú*õ'VŽ|¼´Úgllº¼klz[Æüï÷Aób‡Eÿ dÑ»Xx9ÃÜ£ÁT/`¼¸vI±Ýµ·Ë‚“G³þ*Ÿû´r|*}<¨îºœ @¦mÄ’M¹”.œ«Y–|6ÏU¤jç¥ÕÞqO ˜kDÆÁ¨5ÿ š;Њ¦¦€GÙk \ –Þ=â¼=SͧµªS°ÚÍpÜãQűÀõ¬?ÃÁ1Ñ•õZà?hóœ€ L¦l{Y*K˜Ù›zc˜–ˆâ ø+¾ ­-Ök¥%ùEÜA'}ˆ><ÊIè“bpÍ/qÞâvoX€w,\úªò6Z[XdÒæ­@Ö—€$òJí#é>'°Ú ôª˜<)4ryÙ£|óAÅn5žêŸyÒäMÝ2{"}‰–¤l÷ûWX\l¾Á¸góÉOÔ /óñB¤f¸çñ[.P˜ZsÊË*ßT܈§QN¢’¡¨§V¼(Üù*eÕ“”5T¨‹Âê¥FŒã½Dü[8'Ò¥a…Ú¶k7a *•›¼'Ò·\8¨ª\@\õ¢¦íq+DÙrmÎ…_ªæ»ŠÓœ¡¯’Ré9MÅ×D™lælffc+ŒÑ,ý™ÿ ¯þǤ=Å’Á7µ÷ÚÛ/“Ü€ñýã¼àí¾ÕÑ+ƒ,uµMâÀÄbm:ÒÎPæ{˜Gz[ƒ¯«® KHà`ßØŠéí¯P8Aq.C‰ à€kòpj´kN¶qô€…Õ,ÜNŠª-­{Zö’æû44‰sŽè‰îVíRœÕm" 6?³D9¡ÇTíÅꋇ`4«¸ÝÁô ï’ýorqКÇZ«x4Žâéþuïf¹µö[P ,Q£éaX±`PÉÍZ ¸äYúg üAx ’6Lê‚xÝÓ*äQ  Ï’¨hÍ =²,6ï#rÃ<¯–£»ƒ‹,–ê•€ aÛsñ'%Æ"®ÛüìBᝠHÚ3ß°©$“XnœÖ’î2ËTeûìxîß ¦å¿çÉ ðK§þ{‘t‚Ϋ¬jéîZ[ ”š7L¥4VÚCE×]m¤Øy”ä4-dz£œ§¸x.*ãÊÊ b÷•h:©‡¦s`BTÁRû¾g⻩‹jø sF¢àJøFl‘È•Xᓁà~*j¯ +(ÚÕ6-£¯÷GŠØy‚<Ç’.F‹Hœw(+)ÜÜâÈzÄäT§FߘãÏ;DmVœ3Àu@mÚüXÝü•3B¨òÌÁÛ<·ÃÜ z,Ì@õÅ·d2]ü8s÷IôÞ¯^Ç9¢u„~ëAŸï4«M? K]­ÅàPl@s_ p:°¬ZR”´›JC[CS.h‹ƒïËœ«Æ]–÷ó‚wR×k7X‰k›‘´ù¦=¡«‰¨¨Â')—71ó’c‡Ðúµ `é.{§p¹ój\Ž{1h{o±Ý=áUÊïGÖŒõ–-BÄm+AZX¶¡ ïHðæ¥JmÙ;…ä¡Ÿˆ¦ ° äšiÉg«$üMk5¤L“’çÊvïâï ,=f“"íἊ5ô¬x6{ɏžID0e¸vçmi'︧ºð9$ò¹÷*£’9ÿ ²TÔ…×>JV¥}Œ}$p[bÔ®*[jzS*8 ”·T›Í–ñUîƒwo$áè=LT™ç—~ô·¤ÈÚ$榍q‰„+´kFm)ž‹©i–ËqÞŠ‰à¶ü( ‚•§ •°ò·‡#5ª•µÊ﯅¡X¨šÁ*F#TXJÊ ušJVÍ&=iÄs1‚3•'fý§5Ñ<=[íÞ­ PÚ;ѱÌ_~Ä££8rÞ ²w;’hDT°>ÈG¬8Á²ÚzŽ®ò®qZcqJêäÞ-ö[ܘbň±çb“Š¶31²n×iƒðÕ;1¶þÉ ªX‰,ßqÏ$>•î íZ¥Z 1{ç൵+ƒÕµ¥°T$§K]á»Ûï*·¤tMI’ÂZbŽÕiÒ˜}bÓ0£ª5›¨ [5Ž^ÝœWøÂÝh° ¢OWun£¤5 a2Z.G2³YL]jåtì”ä ÁÓ‘%"©<ÔúÊ°sº UZvä‡ÄiÆÒM .÷V·™ø#kèýiíÌ–ª)µT[)BˆõÑ xB¾B€ÖT¨.¥~ð@VĶr#¸ü*åZNDŽH;âi ],©£öØpù(šºãö¼T.uCê•4@ÿ GÕÛ)Cx›®0ø#:ÏðFÒbR\(€€Ä®fã4Þ‰Fä¯HXƒÅ,†öEÑÔÜ]Öv²?tLÃvBY£ú6Êu5ÅAQ³1‘’¬x–HŒÐ‡ ^ ¸KwJôÖŽ5×CÚ¨vÜ«/B0$×k°=ðbÇ(Ï)w±A†Á† 11Í=èQšµ626ŒÜ/`G«µ<}—-Ö7KEHÈÉðóȤmݱû±·ø«Snmá=“ä«šmݱŸ¡¶~ó·“äUóJæúòB|E LêŽy´jDÔ$G¢þÐñ7óR8ýÒ…Ç› WVe#·Ÿ p·Fx~•ݤF÷0Èÿ K¯æS<6’¡WШ; ´ÿ ¥Êø\Òuî†åÝ–VNœkÒ7oòX¨Á­Ø÷FÎÑä±g÷ÿ M~Çî=p,X´ ÝÌÚÅ‹’ÃjÖ.ØöÏñ qïQ¤ÓZE†° =6·]܈ s¸>v•Ž^Ý\wq9r‰Î\¸¡kURÒ$­*‹Nq?Þª*!sŠÆ:TU_u±T+øX¡ ®¹¡,ÄâÃBTsÜ$Ø›4m椴zÜK]’’›Pƒ @€#â˜`é¹=I‡fiV•Ôî“nRm+µFPOhÍ0B£ €+¬5c v•:P'ÒyÎ ‰V~‚Ó†ÖuókDoh$å\*ö%Ю=£«…aȼ½÷Û.-½VŒŠ¼'lyî±1¬3ó#ÞE¿ÔS¤gV£m›=§\û"—WU¤ÚǼÿ ÂnÁGŒÃ ‚õN D³õNÚíŒÕ;HôyÄÈ©P¹Ä{:?R‘Ô¨âF÷ø£bÅó® JS|‚R÷ivýáâ€Æé¡è³´IئÑT!§˜•Øª‚¬â@q€wnïCWÄ@JU€ê¯m6]Ï:£âx'+ÒðXvÓ¦Úm=–´7œ $ì“B£~p%ÕŸUþ« N@¼üï~w˜ñø5®—'Ôe»¤5ã//€ž~‰Tþ›Å7•#¤× Íö pÄ$ùeåì*«ÓŠEØWEÈsßg ¦ûvžSsLpºÊW–âµEWöˬH; ™!CYõZ ÃÄf æ#1W. \uWâ\,\Çf j’<qTbên›Î[vxx£ë 'ö¨1›˜ÀM¼Pÿ H)ƒêêŒA7s,|F“ 꺸k³9Ìö*ç®;Ö!Ö$Eiž•¹ÒÚ†ýóéÝû¾ÕS®ó$’NÝäŸz¤5r¦ãÄÃD÷Üø!°ø‡Ô&@m™Ì^Ãä­d q5Lnÿ N;.6½·N|#ä"1Nƒx“ã<3('&ñßt  ~ªu”1Tb㫨9ê–›–bìd$ߣ=#ÕãÒmU¯eí$EFù5ýYô櫨æ왍Ǘ±ssM]·á¿0ÕåJRÓªîiƒ+O58ÖñªŠÒx" \µâá¨i’¤i —Ö ” M+M¤ë9‚‰A¦°Qõ¾ßøK~¼Ã‘g…Ö´~÷Ï[3GUœÒ½#…kàÔ®Ò”‰³·dWV‰IP‰Ú8u¹”E ÖqLj¾êÕCBš{A^Âß;–¨`¯¬ìö ˼ ×tìø.tƐm*n¨y4o&Àx¥n¦×î‡aupáÛj8¿m›è¶ã!o½;ß0y^ý×^EÑ¿ÒjzŒ­)vÚÑnÄL …^ªô× ‡—‚3k Îý­hï]içå–îÏ*÷ñþ»Ô CÒjøjÍznˆ´ ¹#b'Fô‹ ‰v¥'’à'T´ƒHýÍ%M‰ ƒ&ÆÇŒï1 ‘ –Þ ‰i¬s žR-Ÿ kŠ¬á¬7:þ 0ŒÅÒÕ/aÙ¬ÃÝ#Úøœ ©aiVc‰. ¹¦ãµ” ›Yg¦›ÆÎýº°f³7ƒhá·¸­}&D9¡ÂsÉÙÞèŠõØàC™¨ñbFC|´Ü(ŸƒÚÒ-%»'a Ì¿)ËÇn¿úÿ ÞŽX…4ÊÅH^ôΑí@ù¹Eh¶“L8Çjù ¼ÎåVªóR©Ï5uà V4lZß®=€xÖŸ–ÑÈ ÷”¨°¾__yM1tÉ?uÆþIkÄgæ@þ[¢†°XÃJ£j·:nkÅ¢u ‘}âGzö­/IµèŠ¬¼48q¦F°ŽR¼=ûì{´¯RýicS ÕÛ íNtÍÙï£,w4rêì®»~x(©Uñ§#Ñ&œÕ¤>ÎåÍÓ9’Ö{9eV­[Öjâ²ãu]˜å2›qÑšÕJç0€sÄ|Êëè0튔bÁ>“{×_F`Ø©ºê:µä,v¤ðfc1±"«ÔÍän1#=· Âøv~H½ÐßA¾¿Ü€Óš]Õ; I¾÷ç‚Qi†î¹9ywÔKG˜áñ zQY—§ÃÕZ07§X‚ Áh;ÁM)iÌCH-¯T‘ë|A0{Ò½LÚ–TâÖkÜ’dÀ“rmm»”جPF³ÖcbE§T€ÒxKºû’Ó®7±²(\4ŽÃ¸Uu@j™yĵ;³µ!Á¢b.W¤=mõ´êµK k ¸K^ÜÛ#p*Ü14qkZç5ïë †°5Ï%ÍÛ<Õ¤×Ô¥ê†C Õ´¼ú$ƒÖ“”]Ù¬qÞÚ[4©ý!ûÏ—Áb쳐XµA¬â~`›Çr¸8ìùÝ䫦<>ä÷«?xs´ÇÑ /á;¹øüÊÈÙà{"@Žïzâ¬[âß‚ U_<ÇŸ½4èN˜ú61®qŠu ¦þF£»äJ_ˆÙÎ~ ÞAã–Ý„Ï—rŠD;xTž‘ô`É«…suãO`?³à™ô Lý#Íc5öoæØ‚y´´÷«ZR§<&JÇ+éâô´€i!Àˆ0æAoàðLèÖ-2ŸõW.’t^–(KÁmHµV@xÜÇy®Ñø­â^:Ú3w· 7½¹°ñ¸â¹®:',«Mœ—n­Á+Ãbš LÈ‘ÄnRÓÅœ%¦²‰¨ùQ:¤f‚ "PÕtô¸…cæl…&˜Ú˜Ôkv‹ž+vŠ,=¢v­6—Xy*¥t£«<™:“aîϲ=¦6rO]XI¿Œ÷¤zÚ­›¶ 6÷”w\d ü~v®ˆÌk«^m<ÿ ¢‰Õ\)ùºŽ;… lîÙÅEŠ®cѾ@vnMÏ,¼“ñ•ŽBxðÃzãÇç%3ˆ"}Ù•Åî> BÉú;Ò]V+P˜F_´ßé> Øše|ï‡ÄOmFæÇ ãqÞ$/xÐx­z`ï9"œÜij‚!7.\Td…9M‡•iŽ‹¾‘50ÞŽn¥ß4ÉôO ¹*í^QêËÜÇÌ8=Ž§s‰'ÂëÙ«á%Pú[O †ÅP¯VsŽ°.‰,kc¶ ¬A9n˜XÎ-ÞšN["¹QÕ‰ƒMýÁߺXJæÍaLj¾×Ãmã¾ãÚ uñÒþåQô¦¥ /ÄUx:‚ÍÜ’ Đ©ØÝ3V¨‰ÕnÐ6ó*óúK­«…c ¯U òhsý­jóÔj#,ímŒRµ«lbïUTŒÑ8†Ä0œÏr`ð¡¬É Ї ë"À² ™ 6¥ f¶ ¢ÚoܱԷ-<Àî)†a¶ž'Ú»¨TXqØæ¶÷YÄHy˜9ÈIW­YÀuMFë ºÏ’AqÌ4·/Ú †ô'i$øä­=Ä Ý|öK×40è|È6p‘0§)o¥ctî§H+CA-“ xØ|ÐXŠç l8íºð3Ø:³¤¬KX¯UÿÙ /** * Supported cipher modes. * * @author Dave Longley * * Copyright (c) 2010-2014 Digital Bazaar, Inc. */ var forge = require('./forge'); require('./util'); forge.cipher = forge.cipher || {}; // supported cipher modes var modes = module.exports = forge.cipher.modes = forge.cipher.modes || {}; /** Electronic codebook (ECB) (Don't use this; it's not secure) **/ modes.ecb = function(options) { options = options || {}; this.name = 'ECB'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = new Array(this._ints); this._outBlock = new Array(this._ints); }; modes.ecb.prototype.start = function(options) {}; modes.ecb.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt if(input.length() < this.blockSize && !(finish && input.length() > 0)) { return true; } // get next block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = input.getInt32(); } // encrypt block this.cipher.encrypt(this._inBlock, this._outBlock); // write output for(var i = 0; i < this._ints; ++i) { output.putInt32(this._outBlock[i]); } }; modes.ecb.prototype.decrypt = function(input, output, finish) { // not enough input to decrypt if(input.length() < this.blockSize && !(finish && input.length() > 0)) { return true; } // get next block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = input.getInt32(); } // decrypt block this.cipher.decrypt(this._inBlock, this._outBlock); // write output for(var i = 0; i < this._ints; ++i) { output.putInt32(this._outBlock[i]); } }; modes.ecb.prototype.pad = function(input, options) { // add PKCS#7 padding to block (each pad byte is the // value of the number of pad bytes) var padding = (input.length() === this.blockSize ? this.blockSize : (this.blockSize - input.length())); input.fillWithByte(padding, padding); return true; }; modes.ecb.prototype.unpad = function(output, options) { // check for error: input data not a multiple of blockSize if(options.overflow > 0) { return false; } // ensure padding byte count is valid var len = output.length(); var count = output.at(len - 1); if(count > (this.blockSize << 2)) { return false; } // trim off padding bytes output.truncate(count); return true; }; /** Cipher-block Chaining (CBC) **/ modes.cbc = function(options) { options = options || {}; this.name = 'CBC'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = new Array(this._ints); this._outBlock = new Array(this._ints); }; modes.cbc.prototype.start = function(options) { // Note: legacy support for using IV residue (has security flaws) // if IV is null, reuse block from previous processing if(options.iv === null) { // must have a previous block if(!this._prev) { throw new Error('Invalid IV parameter.'); } this._iv = this._prev.slice(0); } else if(!('iv' in options)) { throw new Error('Invalid IV parameter.'); } else { // save IV as "previous" block this._iv = transformIV(options.iv); this._prev = this._iv.slice(0); } }; modes.cbc.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt if(input.length() < this.blockSize && !(finish && input.length() > 0)) { return true; } // get next block // CBC XOR's IV (or previous block) with plaintext for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = this._prev[i] ^ input.getInt32(); } // encrypt block this.cipher.encrypt(this._inBlock, this._outBlock); // write output, save previous block for(var i = 0; i < this._ints; ++i) { output.putInt32(this._outBlock[i]); } this._prev = this._outBlock; }; modes.cbc.prototype.decrypt = function(input, output, finish) { // not enough input to decrypt if(input.length() < this.blockSize && !(finish && input.length() > 0)) { return true; } // get next block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = input.getInt32(); } // decrypt block this.cipher.decrypt(this._inBlock, this._outBlock); // write output, save previous ciphered block // CBC XOR's IV (or previous block) with ciphertext for(var i = 0; i < this._ints; ++i) { output.putInt32(this._prev[i] ^ this._outBlock[i]); } this._prev = this._inBlock.slice(0); }; modes.cbc.prototype.pad = function(input, options) { // add PKCS#7 padding to block (each pad byte is the // value of the number of pad bytes) var padding = (input.length() === this.blockSize ? this.blockSize : (this.blockSize - input.length())); input.fillWithByte(padding, padding); return true; }; modes.cbc.prototype.unpad = function(output, options) { // check for error: input data not a multiple of blockSize if(options.overflow > 0) { return false; } // ensure padding byte count is valid var len = output.length(); var count = output.at(len - 1); if(count > (this.blockSize << 2)) { return false; } // trim off padding bytes output.truncate(count); return true; }; /** Cipher feedback (CFB) **/ modes.cfb = function(options) { options = options || {}; this.name = 'CFB'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = null; this._outBlock = new Array(this._ints); this._partialBlock = new Array(this._ints); this._partialOutput = forge.util.createBuffer(); this._partialBytes = 0; }; modes.cfb.prototype.start = function(options) { if(!('iv' in options)) { throw new Error('Invalid IV parameter.'); } // use IV as first input this._iv = transformIV(options.iv); this._inBlock = this._iv.slice(0); this._partialBytes = 0; }; modes.cfb.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt var inputLength = input.length(); if(inputLength === 0) { return true; } // encrypt block this.cipher.encrypt(this._inBlock, this._outBlock); // handle full block if(this._partialBytes === 0 && inputLength >= this.blockSize) { // XOR input with output, write input as output for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = input.getInt32() ^ this._outBlock[i]; output.putInt32(this._inBlock[i]); } return; } // handle partial block var partialBytes = (this.blockSize - inputLength) % this.blockSize; if(partialBytes > 0) { partialBytes = this.blockSize - partialBytes; } // XOR input with output, write input as partial output this._partialOutput.clear(); for(var i = 0; i < this._ints; ++i) { this._partialBlock[i] = input.getInt32() ^ this._outBlock[i]; this._partialOutput.putInt32(this._partialBlock[i]); } if(partialBytes > 0) { // block still incomplete, restore input buffer input.read -= this.blockSize; } else { // block complete, update input block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = this._partialBlock[i]; } } // skip any previous partial bytes if(this._partialBytes > 0) { this._partialOutput.getBytes(this._partialBytes); } if(partialBytes > 0 && !finish) { output.putBytes(this._partialOutput.getBytes( partialBytes - this._partialBytes)); this._partialBytes = partialBytes; return true; } output.putBytes(this._partialOutput.getBytes( inputLength - this._partialBytes)); this._partialBytes = 0; }; modes.cfb.prototype.decrypt = function(input, output, finish) { // not enough input to decrypt var inputLength = input.length(); if(inputLength === 0) { return true; } // encrypt block (CFB always uses encryption mode) this.cipher.encrypt(this._inBlock, this._outBlock); // handle full block if(this._partialBytes === 0 && inputLength >= this.blockSize) { // XOR input with output, write input as output for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = input.getInt32(); output.putInt32(this._inBlock[i] ^ this._outBlock[i]); } return; } // handle partial block var partialBytes = (this.blockSize - inputLength) % this.blockSize; if(partialBytes > 0) { partialBytes = this.blockSize - partialBytes; } // XOR input with output, write input as partial output this._partialOutput.clear(); for(var i = 0; i < this._ints; ++i) { this._partialBlock[i] = input.getInt32(); this._partialOutput.putInt32(this._partialBlock[i] ^ this._outBlock[i]); } if(partialBytes > 0) { // block still incomplete, restore input buffer input.read -= this.blockSize; } else { // block complete, update input block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = this._partialBlock[i]; } } // skip any previous partial bytes if(this._partialBytes > 0) { this._partialOutput.getBytes(this._partialBytes); } if(partialBytes > 0 && !finish) { output.putBytes(this._partialOutput.getBytes( partialBytes - this._partialBytes)); this._partialBytes = partialBytes; return true; } output.putBytes(this._partialOutput.getBytes( inputLength - this._partialBytes)); this._partialBytes = 0; }; /** Output feedback (OFB) **/ modes.ofb = function(options) { options = options || {}; this.name = 'OFB'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = null; this._outBlock = new Array(this._ints); this._partialOutput = forge.util.createBuffer(); this._partialBytes = 0; }; modes.ofb.prototype.start = function(options) { if(!('iv' in options)) { throw new Error('Invalid IV parameter.'); } // use IV as first input this._iv = transformIV(options.iv); this._inBlock = this._iv.slice(0); this._partialBytes = 0; }; modes.ofb.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt var inputLength = input.length(); if(input.length() === 0) { return true; } // encrypt block (OFB always uses encryption mode) this.cipher.encrypt(this._inBlock, this._outBlock); // handle full block if(this._partialBytes === 0 && inputLength >= this.blockSize) { // XOR input with output and update next input for(var i = 0; i < this._ints; ++i) { output.putInt32(input.getInt32() ^ this._outBlock[i]); this._inBlock[i] = this._outBlock[i]; } return; } // handle partial block var partialBytes = (this.blockSize - inputLength) % this.blockSize; if(partialBytes > 0) { partialBytes = this.blockSize - partialBytes; } // XOR input with output this._partialOutput.clear(); for(var i = 0; i < this._ints; ++i) { this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]); } if(partialBytes > 0) { // block still incomplete, restore input buffer input.read -= this.blockSize; } else { // block complete, update input block for(var i = 0; i < this._ints; ++i) { this._inBlock[i] = this._outBlock[i]; } } // skip any previous partial bytes if(this._partialBytes > 0) { this._partialOutput.getBytes(this._partialBytes); } if(partialBytes > 0 && !finish) { output.putBytes(this._partialOutput.getBytes( partialBytes - this._partialBytes)); this._partialBytes = partialBytes; return true; } output.putBytes(this._partialOutput.getBytes( inputLength - this._partialBytes)); this._partialBytes = 0; }; modes.ofb.prototype.decrypt = modes.ofb.prototype.encrypt; /** Counter (CTR) **/ modes.ctr = function(options) { options = options || {}; this.name = 'CTR'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = null; this._outBlock = new Array(this._ints); this._partialOutput = forge.util.createBuffer(); this._partialBytes = 0; }; modes.ctr.prototype.start = function(options) { if(!('iv' in options)) { throw new Error('Invalid IV parameter.'); } // use IV as first input this._iv = transformIV(options.iv); this._inBlock = this._iv.slice(0); this._partialBytes = 0; }; modes.ctr.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt var inputLength = input.length(); if(inputLength === 0) { return true; } // encrypt block (CTR always uses encryption mode) this.cipher.encrypt(this._inBlock, this._outBlock); // handle full block if(this._partialBytes === 0 && inputLength >= this.blockSize) { // XOR input with output for(var i = 0; i < this._ints; ++i) { output.putInt32(input.getInt32() ^ this._outBlock[i]); } } else { // handle partial block var partialBytes = (this.blockSize - inputLength) % this.blockSize; if(partialBytes > 0) { partialBytes = this.blockSize - partialBytes; } // XOR input with output this._partialOutput.clear(); for(var i = 0; i < this._ints; ++i) { this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]); } if(partialBytes > 0) { // block still incomplete, restore input buffer input.read -= this.blockSize; } // skip any previous partial bytes if(this._partialBytes > 0) { this._partialOutput.getBytes(this._partialBytes); } if(partialBytes > 0 && !finish) { output.putBytes(this._partialOutput.getBytes( partialBytes - this._partialBytes)); this._partialBytes = partialBytes; return true; } output.putBytes(this._partialOutput.getBytes( inputLength - this._partialBytes)); this._partialBytes = 0; } // block complete, increment counter (input block) inc32(this._inBlock); }; modes.ctr.prototype.decrypt = modes.ctr.prototype.encrypt; /** Galois/Counter Mode (GCM) **/ modes.gcm = function(options) { options = options || {}; this.name = 'GCM'; this.cipher = options.cipher; this.blockSize = options.blockSize || 16; this._ints = this.blockSize / 4; this._inBlock = new Array(this._ints); this._outBlock = new Array(this._ints); this._partialOutput = forge.util.createBuffer(); this._partialBytes = 0; // R is actually this value concatenated with 120 more zero bits, but // we only XOR against R so the other zeros have no effect -- we just // apply this value to the first integer in a block this._R = 0xE1000000; }; modes.gcm.prototype.start = function(options) { if(!('iv' in options)) { throw new Error('Invalid IV parameter.'); } // ensure IV is a byte buffer var iv = forge.util.createBuffer(options.iv); // no ciphered data processed yet this._cipherLength = 0; // default additional data is none var additionalData; if('additionalData' in options) { additionalData = forge.util.createBuffer(options.additionalData); } else { additionalData = forge.util.createBuffer(); } // default tag length is 128 bits if('tagLength' in options) { this._tagLength = options.tagLength; } else { this._tagLength = 128; } // if tag is given, ensure tag matches tag length this._tag = null; if(options.decrypt) { // save tag to check later this._tag = forge.util.createBuffer(options.tag).getBytes(); if(this._tag.length !== (this._tagLength / 8)) { throw new Error('Authentication tag does not match tag length.'); } } // create tmp storage for hash calculation this._hashBlock = new Array(this._ints); // no tag generated yet this.tag = null; // generate hash subkey // (apply block cipher to "zero" block) this._hashSubkey = new Array(this._ints); this.cipher.encrypt([0, 0, 0, 0], this._hashSubkey); // generate table M // use 4-bit tables (32 component decomposition of a 16 byte value) // 8-bit tables take more space and are known to have security // vulnerabilities (in native implementations) this.componentBits = 4; this._m = this.generateHashTable(this._hashSubkey, this.componentBits); // Note: support IV length different from 96 bits? (only supporting // 96 bits is recommended by NIST SP-800-38D) // generate J_0 var ivLength = iv.length(); if(ivLength === 12) { // 96-bit IV this._j0 = [iv.getInt32(), iv.getInt32(), iv.getInt32(), 1]; } else { // IV is NOT 96-bits this._j0 = [0, 0, 0, 0]; while(iv.length() > 0) { this._j0 = this.ghash( this._hashSubkey, this._j0, [iv.getInt32(), iv.getInt32(), iv.getInt32(), iv.getInt32()]); } this._j0 = this.ghash( this._hashSubkey, this._j0, [0, 0].concat(from64To32(ivLength * 8))); } // generate ICB (initial counter block) this._inBlock = this._j0.slice(0); inc32(this._inBlock); this._partialBytes = 0; // consume authentication data additionalData = forge.util.createBuffer(additionalData); // save additional data length as a BE 64-bit number this._aDataLength = from64To32(additionalData.length() * 8); // pad additional data to 128 bit (16 byte) block size var overflow = additionalData.length() % this.blockSize; if(overflow) { additionalData.fillWithByte(0, this.blockSize - overflow); } this._s = [0, 0, 0, 0]; while(additionalData.length() > 0) { this._s = this.ghash(this._hashSubkey, this._s, [ additionalData.getInt32(), additionalData.getInt32(), additionalData.getInt32(), additionalData.getInt32() ]); } }; modes.gcm.prototype.encrypt = function(input, output, finish) { // not enough input to encrypt var inputLength = input.length(); if(inputLength === 0) { return true; } // encrypt block this.cipher.encrypt(this._inBlock, this._outBlock); // handle full block if(this._partialBytes === 0 && inputLength >= this.blockSize) { // XOR input with output for(var i = 0; i < this._ints; ++i) { output.putInt32(this._outBlock[i] ^= input.getInt32()); } this._cipherLength += this.blockSize; } else { // handle partial block var partialBytes = (this.blockSize - inputLength) % this.blockSize; if(partialBytes > 0) { partialBytes = this.blockSize - partialBytes; } // XOR input with output this._partialOutput.clear(); for(var i = 0; i < this._ints; ++i) { this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]); } if(partialBytes <= 0 || finish) { // handle overflow prior to hashing if(finish) { // get block overflow var overflow = inputLength % this.blockSize; this._cipherLength += overflow; // truncate for hash function this._partialOutput.truncate(this.blockSize - overflow); } else { this._cipherLength += this.blockSize; } // get output block for hashing for(var i = 0; i < this._ints; ++i) { this._outBlock[i] = this._partialOutput.getInt32(); } this._partialOutput.read -= this.blockSize; } // skip any previous partial bytes if(this._partialBytes > 0) { this._partialOutput.getBytes(this._partialBytes); } if(partialBytes > 0 && !finish) { // block still incomplete, restore input buffer, get partial output, // and return early input.read -= this.blockSize; output.putBytes(this._partialOutput.getBytes( partialBytes - this._partialBytes)); this._partialBytes = partialBytes; return true; } output.putBytes(this._partialOutput.getBytes( inputLength - this._partialBytes)); this._partialBytes = 0; } // update hash block S this._s = this.ghash(this._hashSubkey, this._s, this._outBlock); // increment counter (input block) inc32(this._inBlock); }; modes.gcm.prototype.decrypt = function(input, output, finish) { // not enough input to decrypt var inputLength = input.length(); if(inputLength < this.blockSize && !(finish && inputLength > 0)) { return true; } // encrypt block (GCM always uses encryption mode) this.cipher.encrypt(this._inBlock, this._outBlock); // increment counter (input block) inc32(this._inBlock); // update hash block S this._hashBlock[0] = input.getInt32(); this._hashBlock[1] = input.getInt32(); this._hashBlock[2] = input.getInt32(); this._hashBlock[3] = input.getInt32(); this._s = this.ghash(this._hashSubkey, this._s, this._hashBlock); // XOR hash input with output for(var i = 0; i < this._ints; ++i) { output.putInt32(this._outBlock[i] ^ this._hashBlock[i]); } // increment cipher data length if(inputLength < this.blockSize) { this._cipherLength += inputLength % this.blockSize; } else { this._cipherLength += this.blockSize; } }; modes.gcm.prototype.afterFinish = function(output, options) { var rval = true; // handle overflow if(options.decrypt && options.overflow) { output.truncate(this.blockSize - options.overflow); } // handle authentication tag this.tag = forge.util.createBuffer(); // concatenate additional data length with cipher length var lengths = this._aDataLength.concat(from64To32(this._cipherLength * 8)); // include lengths in hash this._s = this.ghash(this._hashSubkey, this._s, lengths); // do GCTR(J_0, S) var tag = []; this.cipher.encrypt(this._j0, tag); for(var i = 0; i < this._ints; ++i) { this.tag.putInt32(this._s[i] ^ tag[i]); } // trim tag to length this.tag.truncate(this.tag.length() % (this._tagLength / 8)); // check authentication tag if(options.decrypt && this.tag.bytes() !== this._tag) { rval = false; } return rval; }; /** * See NIST SP-800-38D 6.3 (Algorithm 1). This function performs Galois * field multiplication. The field, GF(2^128), is defined by the polynomial: * * x^128 + x^7 + x^2 + x + 1 * * Which is represented in little-endian binary form as: 11100001 (0xe1). When * the value of a coefficient is 1, a bit is set. The value R, is the * concatenation of this value and 120 zero bits, yielding a 128-bit value * which matches the block size. * * This function will multiply two elements (vectors of bytes), X and Y, in * the field GF(2^128). The result is initialized to zero. For each bit of * X (out of 128), x_i, if x_i is set, then the result is multiplied (XOR'd) * by the current value of Y. For each bit, the value of Y will be raised by * a power of x (multiplied by the polynomial x). This can be achieved by * shifting Y once to the right. If the current value of Y, prior to being * multiplied by x, has 0 as its LSB, then it is a 127th degree polynomial. * Otherwise, we must divide by R after shifting to find the remainder. * * @param x the first block to multiply by the second. * @param y the second block to multiply by the first. * * @return the block result of the multiplication. */ modes.gcm.prototype.multiply = function(x, y) { var z_i = [0, 0, 0, 0]; var v_i = y.slice(0); // calculate Z_128 (block has 128 bits) for(var i = 0; i < 128; ++i) { // if x_i is 0, Z_{i+1} = Z_i (unchanged) // else Z_{i+1} = Z_i ^ V_i // get x_i by finding 32-bit int position, then left shift 1 by remainder var x_i = x[(i / 32) | 0] & (1 << (31 - i % 32)); if(x_i) { z_i[0] ^= v_i[0]; z_i[1] ^= v_i[1]; z_i[2] ^= v_i[2]; z_i[3] ^= v_i[3]; } // if LSB(V_i) is 1, V_i = V_i >> 1 // else V_i = (V_i >> 1) ^ R this.pow(v_i, v_i); } return z_i; }; modes.gcm.prototype.pow = function(x, out) { // if LSB(x) is 1, x = x >>> 1 // else x = (x >>> 1) ^ R var lsb = x[3] & 1; // always do x >>> 1: // starting with the rightmost integer, shift each integer to the right // one bit, pulling in the bit from the integer to the left as its top // most bit (do this for the last 3 integers) for(var i = 3; i > 0; --i) { out[i] = (x[i] >>> 1) | ((x[i - 1] & 1) << 31); } // shift the first integer normally out[0] = x[0] >>> 1; // if lsb was not set, then polynomial had a degree of 127 and doesn't // need to divided; otherwise, XOR with R to find the remainder; we only // need to XOR the first integer since R technically ends w/120 zero bits if(lsb) { out[0] ^= this._R; } }; modes.gcm.prototype.tableMultiply = function(x) { // assumes 4-bit tables are used var z = [0, 0, 0, 0]; for(var i = 0; i < 32; ++i) { var idx = (i / 8) | 0; var x_i = (x[idx] >>> ((7 - (i % 8)) * 4)) & 0xF; var ah = this._m[i][x_i]; z[0] ^= ah[0]; z[1] ^= ah[1]; z[2] ^= ah[2]; z[3] ^= ah[3]; } return z; }; /** * A continuing version of the GHASH algorithm that operates on a single * block. The hash block, last hash value (Ym) and the new block to hash * are given. * * @param h the hash block. * @param y the previous value for Ym, use [0, 0, 0, 0] for a new hash. * @param x the block to hash. * * @return the hashed value (Ym). */ modes.gcm.prototype.ghash = function(h, y, x) { y[0] ^= x[0]; y[1] ^= x[1]; y[2] ^= x[2]; y[3] ^= x[3]; return this.tableMultiply(y); //return this.multiply(y, h); }; /** * Precomputes a table for multiplying against the hash subkey. This * mechanism provides a substantial speed increase over multiplication * performed without a table. The table-based multiplication this table is * for solves X * H by multiplying each component of X by H and then * composing the results together using XOR. * * This function can be used to generate tables with different bit sizes * for the components, however, this implementation assumes there are * 32 components of X (which is a 16 byte vector), therefore each component * takes 4-bits (so the table is constructed with bits=4). * * @param h the hash subkey. * @param bits the bit size for a component. */ modes.gcm.prototype.generateHashTable = function(h, bits) { // TODO: There are further optimizations that would use only the // first table M_0 (or some variant) along with a remainder table; // this can be explored in the future var multiplier = 8 / bits; var perInt = 4 * multiplier; var size = 16 * multiplier; var m = new Array(size); for(var i = 0; i < size; ++i) { var tmp = [0, 0, 0, 0]; var idx = (i / perInt) | 0; var shft = ((perInt - 1 - (i % perInt)) * bits); tmp[idx] = (1 << (bits - 1)) << shft; m[i] = this.generateSubHashTable(this.multiply(tmp, h), bits); } return m; }; /** * Generates a table for multiplying against the hash subkey for one * particular component (out of all possible component values). * * @param mid the pre-multiplied value for the middle key of the table. * @param bits the bit size for a component. */ modes.gcm.prototype.generateSubHashTable = function(mid, bits) { // compute the table quickly by minimizing the number of // POW operations -- they only need to be performed for powers of 2, // all other entries can be composed from those powers using XOR var size = 1 << bits; var half = size >>> 1; var m = new Array(size); m[half] = mid.slice(0); var i = half >>> 1; while(i > 0) { // raise m0[2 * i] and store in m0[i] this.pow(m[2 * i], m[i] = []); i >>= 1; } i = 2; while(i < half) { for(var j = 1; j < i; ++j) { var m_i = m[i]; var m_j = m[j]; m[i + j] = [ m_i[0] ^ m_j[0], m_i[1] ^ m_j[1], m_i[2] ^ m_j[2], m_i[3] ^ m_j[3] ]; } i *= 2; } m[0] = [0, 0, 0, 0]; /* Note: We could avoid storing these by doing composition during multiply calculate top half using composition by speed is preferred. */ for(i = half + 1; i < size; ++i) { var c = m[i ^ half]; m[i] = [mid[0] ^ c[0], mid[1] ^ c[1], mid[2] ^ c[2], mid[3] ^ c[3]]; } return m; }; /** Utility functions */ function transformIV(iv) { if(typeof iv === 'string') { // convert iv string into byte buffer iv = forge.util.createBuffer(iv); } if(forge.util.isArray(iv) && iv.length > 4) { // convert iv byte array into byte buffer var tmp = iv; iv = forge.util.createBuffer(); for(var i = 0; i < tmp.length; ++i) { iv.putByte(tmp[i]); } } if(!forge.util.isArray(iv)) { // convert iv byte buffer into 32-bit integer array iv = [iv.getInt32(), iv.getInt32(), iv.getInt32(), iv.getInt32()]; } return iv; } function inc32(block) { // increment last 32 bits of block only block[block.length - 1] = (block[block.length - 1] + 1) & 0xFFFFFFFF; } function from64To32(num) { // convert 64-bit number to two BE Int32s return [(num / 0x100000000) | 0, num & 0xFFFFFFFF]; }