@pathscale/secure-local-storage-chacha20-poly1305 1.0.0 → 1.0.1

package/dist/index.mjs

@@ -1,178 +1,1220 @@
-import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
-import { randomBytes } from '@noble/ciphers/utils.js';
-import { pbkdf2 } from '@noble/hashes/pbkdf2.js';
-import { sha256 } from '@noble/hashes/sha2.js';
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
+/**
+ * Package binary provides functions for encoding and decoding numbers in byte arrays.
+ */
+/**
+ * Writes 4-byte little-endian representation of 32-bit unsigned
+ * value to array starting at offset.
+ *
+ * If byte array is not given, creates a new 4-byte one.
+ *
+ * Returns the output byte array.
+ */
+function writeUint32LE(value, out = new Uint8Array(4), offset = 0) {
+    out[offset + 0] = value >>> 0;
+    out[offset + 1] = value >>> 8;
+    out[offset + 2] = value >>> 16;
+    out[offset + 3] = value >>> 24;
+    return out;
+}
+/**
+ * Writes 8-byte little-endian representation of 64-bit unsigned
+ * value to byte array starting at offset.
+ *
+ * Due to JavaScript limitation, supports values up to 2^53-1.
+ *
+ * If byte array is not given, creates a new 8-byte one.
+ *
+ * Returns the output byte array.
+ */
+function writeUint64LE(value, out = new Uint8Array(8), offset = 0) {
+    writeUint32LE(value >>> 0, out, offset);
+    writeUint32LE(value / 0x100000000 >>> 0, out, offset + 4);
+    return out;
+}
 
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
 /**
- * Browser fingerprinting utility for generating unique browser identifiers
+ * Sets all values in the given array to zero and returns it.
+ *
+ * The fact that it sets bytes to zero can be relied on.
+ *
+ * There is no guarantee that this function makes data disappear from memory,
+ * as runtime implementation can, for example, have copying garbage collector
+ * that will make copies of sensitive data before we wipe it. Or that an
+ * operating system will write our data to swap or sleep image. Another thing
+ * is that an optimizing compiler can remove calls to this function or make it
+ * no-op. There's nothing we can do with it, so we just do our best and hope
+ * that everything will be okay and good will triumph over evil.
  */
-class BrowserFingerprinting {
-    constructor(disabledKeys = []) {
-        this.disabledKeys = new Set(disabledKeys);
+function wipe(array) {
+    // Right now it's similar to array.fill(0). If it turns
+    // out that runtimes optimize this call away, maybe
+    // we can try something else.
+    for (let i = 0; i < array.length; i++) {
+        array[i] = 0;
     }
-    /**
-     * Generate a comprehensive browser fingerprint
-     */
-    generateFingerprint() {
-        return {
-            userAgent: this.isEnabled('UserAgent') ? this.getUserAgent() : '',
-            screenPrint: this.isEnabled('ScreenPrint') ? this.getScreenPrint() : '',
-            plugins: this.isEnabled('Plugins') ? this.getPlugins() : '',
-            fonts: this.isEnabled('Fonts') ? this.getFonts() : '',
-            localStorage: this.isEnabled('LocalStorage') ? this.hasLocalStorage() : false,
-            sessionStorage: this.isEnabled('SessionStorage') ? this.hasSessionStorage() : false,
-            timeZone: this.isEnabled('TimeZone') ? this.getTimeZone() : '',
-            language: this.isEnabled('Language') ? this.getLanguage() : '',
-            systemLanguage: this.isEnabled('SystemLanguage') ? this.getSystemLanguage() : '',
-            cookie: this.isEnabled('Cookie') ? this.hasCookieSupport() : false,
-            canvas: this.isEnabled('Canvas') ? this.getCanvasFingerprint() : '',
-            hostname: this.isEnabled('Hostname') ? this.getHostname() : '',
-        };
+    return array;
+}
+
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
+/**
+ * Package chacha implements ChaCha stream cipher.
+ */
+// Number of ChaCha rounds (ChaCha20).
+const ROUNDS$1 = 20;
+// Applies the ChaCha core function to 16-byte input,
+// 32-byte key key, and puts the result into 64-byte array out.
+function core(out, input, key) {
+    let j0 = 0x61707865; // "expa"  -- ChaCha's "sigma" constant
+    let j1 = 0x3320646E; // "nd 3"     for 32-byte keys
+    let j2 = 0x79622D32; // "2-by"
+    let j3 = 0x6B206574; // "te k"
+    let j4 = (key[3] << 24) | (key[2] << 16) | (key[1] << 8) | key[0];
+    let j5 = (key[7] << 24) | (key[6] << 16) | (key[5] << 8) | key[4];
+    let j6 = (key[11] << 24) | (key[10] << 16) | (key[9] << 8) | key[8];
+    let j7 = (key[15] << 24) | (key[14] << 16) | (key[13] << 8) | key[12];
+    let j8 = (key[19] << 24) | (key[18] << 16) | (key[17] << 8) | key[16];
+    let j9 = (key[23] << 24) | (key[22] << 16) | (key[21] << 8) | key[20];
+    let j10 = (key[27] << 24) | (key[26] << 16) | (key[25] << 8) | key[24];
+    let j11 = (key[31] << 24) | (key[30] << 16) | (key[29] << 8) | key[28];
+    let j12 = (input[3] << 24) | (input[2] << 16) | (input[1] << 8) | input[0];
+    let j13 = (input[7] << 24) | (input[6] << 16) | (input[5] << 8) | input[4];
+    let j14 = (input[11] << 24) | (input[10] << 16) | (input[9] << 8) | input[8];
+    let j15 = (input[15] << 24) | (input[14] << 16) | (input[13] << 8) | input[12];
+    let x0 = j0;
+    let x1 = j1;
+    let x2 = j2;
+    let x3 = j3;
+    let x4 = j4;
+    let x5 = j5;
+    let x6 = j6;
+    let x7 = j7;
+    let x8 = j8;
+    let x9 = j9;
+    let x10 = j10;
+    let x11 = j11;
+    let x12 = j12;
+    let x13 = j13;
+    let x14 = j14;
+    let x15 = j15;
+    for (let i = 0; i < ROUNDS$1; i += 2) {
+        x0 = x0 + x4 | 0;
+        x12 ^= x0;
+        x12 = x12 >>> (32 - 16) | x12 << 16;
+        x8 = x8 + x12 | 0;
+        x4 ^= x8;
+        x4 = x4 >>> (32 - 12) | x4 << 12;
+        x1 = x1 + x5 | 0;
+        x13 ^= x1;
+        x13 = x13 >>> (32 - 16) | x13 << 16;
+        x9 = x9 + x13 | 0;
+        x5 ^= x9;
+        x5 = x5 >>> (32 - 12) | x5 << 12;
+        x2 = x2 + x6 | 0;
+        x14 ^= x2;
+        x14 = x14 >>> (32 - 16) | x14 << 16;
+        x10 = x10 + x14 | 0;
+        x6 ^= x10;
+        x6 = x6 >>> (32 - 12) | x6 << 12;
+        x3 = x3 + x7 | 0;
+        x15 ^= x3;
+        x15 = x15 >>> (32 - 16) | x15 << 16;
+        x11 = x11 + x15 | 0;
+        x7 ^= x11;
+        x7 = x7 >>> (32 - 12) | x7 << 12;
+        x2 = x2 + x6 | 0;
+        x14 ^= x2;
+        x14 = x14 >>> (32 - 8) | x14 << 8;
+        x10 = x10 + x14 | 0;
+        x6 ^= x10;
+        x6 = x6 >>> (32 - 7) | x6 << 7;
+        x3 = x3 + x7 | 0;
+        x15 ^= x3;
+        x15 = x15 >>> (32 - 8) | x15 << 8;
+        x11 = x11 + x15 | 0;
+        x7 ^= x11;
+        x7 = x7 >>> (32 - 7) | x7 << 7;
+        x1 = x1 + x5 | 0;
+        x13 ^= x1;
+        x13 = x13 >>> (32 - 8) | x13 << 8;
+        x9 = x9 + x13 | 0;
+        x5 ^= x9;
+        x5 = x5 >>> (32 - 7) | x5 << 7;
+        x0 = x0 + x4 | 0;
+        x12 ^= x0;
+        x12 = x12 >>> (32 - 8) | x12 << 8;
+        x8 = x8 + x12 | 0;
+        x4 ^= x8;
+        x4 = x4 >>> (32 - 7) | x4 << 7;
+        x0 = x0 + x5 | 0;
+        x15 ^= x0;
+        x15 = x15 >>> (32 - 16) | x15 << 16;
+        x10 = x10 + x15 | 0;
+        x5 ^= x10;
+        x5 = x5 >>> (32 - 12) | x5 << 12;
+        x1 = x1 + x6 | 0;
+        x12 ^= x1;
+        x12 = x12 >>> (32 - 16) | x12 << 16;
+        x11 = x11 + x12 | 0;
+        x6 ^= x11;
+        x6 = x6 >>> (32 - 12) | x6 << 12;
+        x2 = x2 + x7 | 0;
+        x13 ^= x2;
+        x13 = x13 >>> (32 - 16) | x13 << 16;
+        x8 = x8 + x13 | 0;
+        x7 ^= x8;
+        x7 = x7 >>> (32 - 12) | x7 << 12;
+        x3 = x3 + x4 | 0;
+        x14 ^= x3;
+        x14 = x14 >>> (32 - 16) | x14 << 16;
+        x9 = x9 + x14 | 0;
+        x4 ^= x9;
+        x4 = x4 >>> (32 - 12) | x4 << 12;
+        x2 = x2 + x7 | 0;
+        x13 ^= x2;
+        x13 = x13 >>> (32 - 8) | x13 << 8;
+        x8 = x8 + x13 | 0;
+        x7 ^= x8;
+        x7 = x7 >>> (32 - 7) | x7 << 7;
+        x3 = x3 + x4 | 0;
+        x14 ^= x3;
+        x14 = x14 >>> (32 - 8) | x14 << 8;
+        x9 = x9 + x14 | 0;
+        x4 ^= x9;
+        x4 = x4 >>> (32 - 7) | x4 << 7;
+        x1 = x1 + x6 | 0;
+        x12 ^= x1;
+        x12 = x12 >>> (32 - 8) | x12 << 8;
+        x11 = x11 + x12 | 0;
+        x6 ^= x11;
+        x6 = x6 >>> (32 - 7) | x6 << 7;
+        x0 = x0 + x5 | 0;
+        x15 ^= x0;
+        x15 = x15 >>> (32 - 8) | x15 << 8;
+        x10 = x10 + x15 | 0;
+        x5 ^= x10;
+        x5 = x5 >>> (32 - 7) | x5 << 7;
     }
-    /**
-     * Convert fingerprint to a hash string
-     */
-    fingerprintToString(fingerprint) {
-        return Object.values(fingerprint)
-            .map(value => String(value))
-            .join('|');
+    writeUint32LE(x0 + j0 | 0, out, 0);
+    writeUint32LE(x1 + j1 | 0, out, 4);
+    writeUint32LE(x2 + j2 | 0, out, 8);
+    writeUint32LE(x3 + j3 | 0, out, 12);
+    writeUint32LE(x4 + j4 | 0, out, 16);
+    writeUint32LE(x5 + j5 | 0, out, 20);
+    writeUint32LE(x6 + j6 | 0, out, 24);
+    writeUint32LE(x7 + j7 | 0, out, 28);
+    writeUint32LE(x8 + j8 | 0, out, 32);
+    writeUint32LE(x9 + j9 | 0, out, 36);
+    writeUint32LE(x10 + j10 | 0, out, 40);
+    writeUint32LE(x11 + j11 | 0, out, 44);
+    writeUint32LE(x12 + j12 | 0, out, 48);
+    writeUint32LE(x13 + j13 | 0, out, 52);
+    writeUint32LE(x14 + j14 | 0, out, 56);
+    writeUint32LE(x15 + j15 | 0, out, 60);
+}
+/**
+ * Encrypt src with ChaCha20 stream generated for the given 32-byte key and
+ * 8-byte (as in original implementation) or 12-byte (as in RFC7539) nonce and
+ * write the result into dst and return it.
+ *
+ * dst and src may be the same, but otherwise must not overlap.
+ *
+ * If nonce is 12 bytes, users should not encrypt more than 256 GiB with the
+ * same key and nonce, otherwise the stream will repeat. The function will
+ * throw error if counter overflows to prevent this.
+ *
+ * If nonce is 8 bytes, the output is practically unlimited (2^70 bytes, which
+ * is more than a million petabytes). However, it is not recommended to
+ * generate 8-byte nonces randomly, as the chance of collision is high.
+ *
+ * Never use the same key and nonce to encrypt more than one message.
+ *
+ * If nonceInplaceCounterLength is not 0, the nonce is assumed to be a 16-byte
+ * array with stream counter in first nonceInplaceCounterLength bytes and nonce
+ * in the last remaining bytes. The counter will be incremented inplace for
+ * each ChaCha block. This is useful if you need to encrypt one stream of data
+ * in chunks.
+ */
+function streamXOR(key, nonce, src, dst, nonceInplaceCounterLength = 0) {
+    // We only support 256-bit keys.
+    if (key.length !== 32) {
+        throw new Error("ChaCha: key size must be 32 bytes");
     }
-    isEnabled(property) {
-        return !this.disabledKeys.has(property);
+    if (dst.length < src.length) {
+        throw new Error("ChaCha: destination is shorter than source");
     }
-    getUserAgent() {
-        return typeof navigator !== 'undefined' ? navigator.userAgent : '';
+    let nc;
+    let counterLength;
+    if (nonceInplaceCounterLength === 0) {
+        if (nonce.length !== 8 && nonce.length !== 12) {
+            throw new Error("ChaCha nonce must be 8 or 12 bytes");
+        }
+        nc = new Uint8Array(16);
+        // First counterLength bytes of nc are counter, starting with zero.
+        counterLength = nc.length - nonce.length;
+        // Last bytes of nc after counterLength are nonce, set them.
+        nc.set(nonce, counterLength);
     }
-    getScreenPrint() {
-        if (typeof screen === 'undefined')
-            return '';
-        return `${screen.width}x${screen.height}x${screen.colorDepth}`;
+    else {
+        if (nonce.length !== 16) {
+            throw new Error("ChaCha nonce with counter must be 16 bytes");
+        }
+        // This will update passed nonce with counter inplace.
+        nc = nonce;
+        counterLength = nonceInplaceCounterLength;
     }
-    getPlugins() {
-        if (typeof navigator === 'undefined' || !navigator.plugins)
-            return '';
-        const plugins = Array.from(navigator.plugins)
-            .map(plugin => plugin.name)
-            .sort()
-            .join(',');
-        return plugins;
+    // Allocate temporary space for ChaCha block.
+    const block = new Uint8Array(64);
+    for (let i = 0; i < src.length; i += 64) {
+        // Generate a block.
+        core(block, nc, key);
+        // XOR block bytes with src into dst.
+        for (let j = i; j < i + 64 && j < src.length; j++) {
+            dst[j] = src[j] ^ block[j - i];
+        }
+        // Increment counter.
+        incrementCounter(nc, 0, counterLength);
     }
-    getFonts() {
-        // Basic font detection using canvas
-        if (typeof document === 'undefined')
-            return '';
-        const fonts = [
-            'Arial', 'Helvetica', 'Times New Roman', 'Times', 'Courier New', 'Courier',
-            'Verdana', 'Georgia', 'Palatino', 'Garamond', 'Bookman', 'Comic Sans MS',
-            'Trebuchet MS', 'Arial Black', 'Impact', 'Sans-serif', 'Serif', 'Monospace'
-        ];
-        const availableFonts = [];
-        const canvas = document.createElement('canvas');
-        const context = canvas.getContext('2d');
-        if (!context)
-            return '';
-        fonts.forEach(font => {
-            context.font = `12px ${font}, monospace`;
-            const width1 = context.measureText('mmmmmmmmmmlli').width;
-            context.font = `12px ${font}, sans-serif`;
-            const width2 = context.measureText('mmmmmmmmmmlli').width;
-            if (width1 !== width2) {
-                availableFonts.push(font);
+    // Cleanup temporary space.
+    wipe(block);
+    if (nonceInplaceCounterLength === 0) {
+        // Cleanup counter.
+        wipe(nc);
+    }
+    return dst;
+}
+/**
+ * Generate ChaCha20 stream for the given 32-byte key and 8-byte or 12-byte
+ * nonce and write it into dst and return it.
+ *
+ * Never use the same key and nonce to generate more than one stream.
+ *
+ * If nonceInplaceCounterLength is not 0, it behaves the same with respect to
+ * the nonce as described in the streamXOR documentation.
+ *
+ * stream is like streamXOR with all-zero src.
+ */
+function stream(key, nonce, dst, nonceInplaceCounterLength = 0) {
+    wipe(dst);
+    return streamXOR(key, nonce, dst, dst, nonceInplaceCounterLength);
+}
+function incrementCounter(counter, pos, len) {
+    let carry = 1;
+    while (len--) {
+        carry = carry + (counter[pos] & 0xff) | 0;
+        counter[pos] = carry & 0xff;
+        carry >>>= 8;
+        pos++;
+    }
+    if (carry > 0) {
+        throw new Error("ChaCha: counter overflow");
+    }
+}
+
+// Copyright (C) 2019 Kyle Den Hartog
+// MIT License. See LICENSE file for details.
+/**
+ * Package xchacha20 implements XChaCha20 stream cipher.
+ */
+// Number of ChaCha rounds (ChaCha20).
+const ROUNDS = 20;
+/**
+ * HChaCha is a one-way function used in XChaCha to extend nonce.
+ *
+ * It takes 32-byte key and 16-byte src and writes 32-byte result
+ * into dst and returns it.
+ */
+function hchacha(key, src, dst) {
+    let j0 = 0x61707865; // "expa"  -- ChaCha's "sigma" constant
+    let j1 = 0x3320646e; // "nd 3"     for 32-byte keys
+    let j2 = 0x79622d32; // "2-by"
+    let j3 = 0x6b206574; // "te k"
+    let j4 = (key[3] << 24) | (key[2] << 16) | (key[1] << 8) | key[0];
+    let j5 = (key[7] << 24) | (key[6] << 16) | (key[5] << 8) | key[4];
+    let j6 = (key[11] << 24) | (key[10] << 16) | (key[9] << 8) | key[8];
+    let j7 = (key[15] << 24) | (key[14] << 16) | (key[13] << 8) | key[12];
+    let j8 = (key[19] << 24) | (key[18] << 16) | (key[17] << 8) | key[16];
+    let j9 = (key[23] << 24) | (key[22] << 16) | (key[21] << 8) | key[20];
+    let j10 = (key[27] << 24) | (key[26] << 16) | (key[25] << 8) | key[24];
+    let j11 = (key[31] << 24) | (key[30] << 16) | (key[29] << 8) | key[28];
+    let j12 = (src[3] << 24) | (src[2] << 16) | (src[1] << 8) | src[0];
+    let j13 = (src[7] << 24) | (src[6] << 16) | (src[5] << 8) | src[4];
+    let j14 = (src[11] << 24) | (src[10] << 16) | (src[9] << 8) | src[8];
+    let j15 = (src[15] << 24) | (src[14] << 16) | (src[13] << 8) | src[12];
+    let x0 = j0;
+    let x1 = j1;
+    let x2 = j2;
+    let x3 = j3;
+    let x4 = j4;
+    let x5 = j5;
+    let x6 = j6;
+    let x7 = j7;
+    let x8 = j8;
+    let x9 = j9;
+    let x10 = j10;
+    let x11 = j11;
+    let x12 = j12;
+    let x13 = j13;
+    let x14 = j14;
+    let x15 = j15;
+    for (let i = 0; i < ROUNDS; i += 2) {
+        x0 = (x0 + x4) | 0;
+        x12 ^= x0;
+        x12 = (x12 >>> (32 - 16)) | (x12 << 16);
+        x8 = (x8 + x12) | 0;
+        x4 ^= x8;
+        x4 = (x4 >>> (32 - 12)) | (x4 << 12);
+        x1 = (x1 + x5) | 0;
+        x13 ^= x1;
+        x13 = (x13 >>> (32 - 16)) | (x13 << 16);
+        x9 = (x9 + x13) | 0;
+        x5 ^= x9;
+        x5 = (x5 >>> (32 - 12)) | (x5 << 12);
+        x2 = (x2 + x6) | 0;
+        x14 ^= x2;
+        x14 = (x14 >>> (32 - 16)) | (x14 << 16);
+        x10 = (x10 + x14) | 0;
+        x6 ^= x10;
+        x6 = (x6 >>> (32 - 12)) | (x6 << 12);
+        x3 = (x3 + x7) | 0;
+        x15 ^= x3;
+        x15 = (x15 >>> (32 - 16)) | (x15 << 16);
+        x11 = (x11 + x15) | 0;
+        x7 ^= x11;
+        x7 = (x7 >>> (32 - 12)) | (x7 << 12);
+        x2 = (x2 + x6) | 0;
+        x14 ^= x2;
+        x14 = (x14 >>> (32 - 8)) | (x14 << 8);
+        x10 = (x10 + x14) | 0;
+        x6 ^= x10;
+        x6 = (x6 >>> (32 - 7)) | (x6 << 7);
+        x3 = (x3 + x7) | 0;
+        x15 ^= x3;
+        x15 = (x15 >>> (32 - 8)) | (x15 << 8);
+        x11 = (x11 + x15) | 0;
+        x7 ^= x11;
+        x7 = (x7 >>> (32 - 7)) | (x7 << 7);
+        x1 = (x1 + x5) | 0;
+        x13 ^= x1;
+        x13 = (x13 >>> (32 - 8)) | (x13 << 8);
+        x9 = (x9 + x13) | 0;
+        x5 ^= x9;
+        x5 = (x5 >>> (32 - 7)) | (x5 << 7);
+        x0 = (x0 + x4) | 0;
+        x12 ^= x0;
+        x12 = (x12 >>> (32 - 8)) | (x12 << 8);
+        x8 = (x8 + x12) | 0;
+        x4 ^= x8;
+        x4 = (x4 >>> (32 - 7)) | (x4 << 7);
+        x0 = (x0 + x5) | 0;
+        x15 ^= x0;
+        x15 = (x15 >>> (32 - 16)) | (x15 << 16);
+        x10 = (x10 + x15) | 0;
+        x5 ^= x10;
+        x5 = (x5 >>> (32 - 12)) | (x5 << 12);
+        x1 = (x1 + x6) | 0;
+        x12 ^= x1;
+        x12 = (x12 >>> (32 - 16)) | (x12 << 16);
+        x11 = (x11 + x12) | 0;
+        x6 ^= x11;
+        x6 = (x6 >>> (32 - 12)) | (x6 << 12);
+        x2 = (x2 + x7) | 0;
+        x13 ^= x2;
+        x13 = (x13 >>> (32 - 16)) | (x13 << 16);
+        x8 = (x8 + x13) | 0;
+        x7 ^= x8;
+        x7 = (x7 >>> (32 - 12)) | (x7 << 12);
+        x3 = (x3 + x4) | 0;
+        x14 ^= x3;
+        x14 = (x14 >>> (32 - 16)) | (x14 << 16);
+        x9 = (x9 + x14) | 0;
+        x4 ^= x9;
+        x4 = (x4 >>> (32 - 12)) | (x4 << 12);
+        x2 = (x2 + x7) | 0;
+        x13 ^= x2;
+        x13 = (x13 >>> (32 - 8)) | (x13 << 8);
+        x8 = (x8 + x13) | 0;
+        x7 ^= x8;
+        x7 = (x7 >>> (32 - 7)) | (x7 << 7);
+        x3 = (x3 + x4) | 0;
+        x14 ^= x3;
+        x14 = (x14 >>> (32 - 8)) | (x14 << 8);
+        x9 = (x9 + x14) | 0;
+        x4 ^= x9;
+        x4 = (x4 >>> (32 - 7)) | (x4 << 7);
+        x1 = (x1 + x6) | 0;
+        x12 ^= x1;
+        x12 = (x12 >>> (32 - 8)) | (x12 << 8);
+        x11 = (x11 + x12) | 0;
+        x6 ^= x11;
+        x6 = (x6 >>> (32 - 7)) | (x6 << 7);
+        x0 = (x0 + x5) | 0;
+        x15 ^= x0;
+        x15 = (x15 >>> (32 - 8)) | (x15 << 8);
+        x10 = (x10 + x15) | 0;
+        x5 ^= x10;
+        x5 = (x5 >>> (32 - 7)) | (x5 << 7);
+    }
+    writeUint32LE(x0, dst, 0);
+    writeUint32LE(x1, dst, 4);
+    writeUint32LE(x2, dst, 8);
+    writeUint32LE(x3, dst, 12);
+    writeUint32LE(x12, dst, 16);
+    writeUint32LE(x13, dst, 20);
+    writeUint32LE(x14, dst, 24);
+    writeUint32LE(x15, dst, 28);
+    return dst;
+}
+
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
+/**
+ * Package constant-time provides functions for performing algorithmically constant-time operations.
+ */
+/**
+ * NOTE! Due to the inability to guarantee real constant time evaluation of
+ * anything in JavaScript VM, this is module is the best effort.
+ */
+/**
+ * Returns resultIfOne if subject is 1, or resultIfZero if subject is 0.
+ *
+ * Supports only 32-bit integers, so resultIfOne or resultIfZero are not
+ * integers, they'll be converted to them with bitwise operations.
+ */
+/**
+ * Returns 1 if a and b are of equal length and their contents
+ * are equal, or 0 otherwise.
+ *
+ * Note that unlike in equal(), zero-length inputs are considered
+ * the same, so this function will return 1.
+ */
+function compare(a, b) {
+    if (a.length !== b.length) {
+        return 0;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return (1 & ((result - 1) >>> 8));
+}
+/**
+ * Returns true if a and b are of equal non-zero length,
+ * and their contents are equal, or false otherwise.
+ *
+ * Note that unlike in compare() zero-length inputs are considered
+ * _not_ equal, so this function will return false.
+ */
+function equal(a, b) {
+    if (a.length === 0 || b.length === 0) {
+        return false;
+    }
+    return compare(a, b) !== 0;
+}
+
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
+/**
+ * Package poly1305 implements Poly1305 one-time message authentication algorithm.
+ */
+const DIGEST_LENGTH = 16;
+// Port of Andrew Moon's Poly1305-donna-16. Public domain.
+// https://github.com/floodyberry/poly1305-donna
+/**
+ * Poly1305 computes 16-byte authenticator of message using
+ * a one-time 32-byte key.
+ *
+ * Important: key should be used for only one message,
+ * it should never repeat.
+ */
+class Poly1305 {
+    digestLength = DIGEST_LENGTH;
+    _buffer = new Uint8Array(16);
+    _r = new Uint16Array(10);
+    _h = new Uint16Array(10);
+    _pad = new Uint16Array(8);
+    _leftover = 0;
+    _fin = 0;
+    _finished = false;
+    constructor(key) {
+        let t0 = key[0] | key[1] << 8;
+        this._r[0] = (t0) & 0x1fff;
+        let t1 = key[2] | key[3] << 8;
+        this._r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+        let t2 = key[4] | key[5] << 8;
+        this._r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
+        let t3 = key[6] | key[7] << 8;
+        this._r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+        let t4 = key[8] | key[9] << 8;
+        this._r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
+        this._r[5] = ((t4 >>> 1)) & 0x1ffe;
+        let t5 = key[10] | key[11] << 8;
+        this._r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+        let t6 = key[12] | key[13] << 8;
+        this._r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
+        let t7 = key[14] | key[15] << 8;
+        this._r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+        this._r[9] = ((t7 >>> 5)) & 0x007f;
+        this._pad[0] = key[16] | key[17] << 8;
+        this._pad[1] = key[18] | key[19] << 8;
+        this._pad[2] = key[20] | key[21] << 8;
+        this._pad[3] = key[22] | key[23] << 8;
+        this._pad[4] = key[24] | key[25] << 8;
+        this._pad[5] = key[26] | key[27] << 8;
+        this._pad[6] = key[28] | key[29] << 8;
+        this._pad[7] = key[30] | key[31] << 8;
+    }
+    _blocks(m, mpos, bytes) {
+        let hibit = this._fin ? 0 : 1 << 11;
+        let h0 = this._h[0], h1 = this._h[1], h2 = this._h[2], h3 = this._h[3], h4 = this._h[4], h5 = this._h[5], h6 = this._h[6], h7 = this._h[7], h8 = this._h[8], h9 = this._h[9];
+        let r0 = this._r[0], r1 = this._r[1], r2 = this._r[2], r3 = this._r[3], r4 = this._r[4], r5 = this._r[5], r6 = this._r[6], r7 = this._r[7], r8 = this._r[8], r9 = this._r[9];
+        while (bytes >= 16) {
+            let t0 = m[mpos + 0] | m[mpos + 1] << 8;
+            h0 += (t0) & 0x1fff;
+            let t1 = m[mpos + 2] | m[mpos + 3] << 8;
+            h1 += ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+            let t2 = m[mpos + 4] | m[mpos + 5] << 8;
+            h2 += ((t1 >>> 10) | (t2 << 6)) & 0x1fff;
+            let t3 = m[mpos + 6] | m[mpos + 7] << 8;
+            h3 += ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+            let t4 = m[mpos + 8] | m[mpos + 9] << 8;
+            h4 += ((t3 >>> 4) | (t4 << 12)) & 0x1fff;
+            h5 += ((t4 >>> 1)) & 0x1fff;
+            let t5 = m[mpos + 10] | m[mpos + 11] << 8;
+            h6 += ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+            let t6 = m[mpos + 12] | m[mpos + 13] << 8;
+            h7 += ((t5 >>> 11) | (t6 << 5)) & 0x1fff;
+            let t7 = m[mpos + 14] | m[mpos + 15] << 8;
+            h8 += ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+            h9 += ((t7 >>> 5)) | hibit;
+            let c = 0;
+            let d0 = c;
+            d0 += h0 * r0;
+            d0 += h1 * (5 * r9);
+            d0 += h2 * (5 * r8);
+            d0 += h3 * (5 * r7);
+            d0 += h4 * (5 * r6);
+            c = (d0 >>> 13);
+            d0 &= 0x1fff;
+            d0 += h5 * (5 * r5);
+            d0 += h6 * (5 * r4);
+            d0 += h7 * (5 * r3);
+            d0 += h8 * (5 * r2);
+            d0 += h9 * (5 * r1);
+            c += (d0 >>> 13);
+            d0 &= 0x1fff;
+            let d1 = c;
+            d1 += h0 * r1;
+            d1 += h1 * r0;
+            d1 += h2 * (5 * r9);
+            d1 += h3 * (5 * r8);
+            d1 += h4 * (5 * r7);
+            c = (d1 >>> 13);
+            d1 &= 0x1fff;
+            d1 += h5 * (5 * r6);
+            d1 += h6 * (5 * r5);
+            d1 += h7 * (5 * r4);
+            d1 += h8 * (5 * r3);
+            d1 += h9 * (5 * r2);
+            c += (d1 >>> 13);
+            d1 &= 0x1fff;
+            let d2 = c;
+            d2 += h0 * r2;
+            d2 += h1 * r1;
+            d2 += h2 * r0;
+            d2 += h3 * (5 * r9);
+            d2 += h4 * (5 * r8);
+            c = (d2 >>> 13);
+            d2 &= 0x1fff;
+            d2 += h5 * (5 * r7);
+            d2 += h6 * (5 * r6);
+            d2 += h7 * (5 * r5);
+            d2 += h8 * (5 * r4);
+            d2 += h9 * (5 * r3);
+            c += (d2 >>> 13);
+            d2 &= 0x1fff;
+            let d3 = c;
+            d3 += h0 * r3;
+            d3 += h1 * r2;
+            d3 += h2 * r1;
+            d3 += h3 * r0;
+            d3 += h4 * (5 * r9);
+            c = (d3 >>> 13);
+            d3 &= 0x1fff;
+            d3 += h5 * (5 * r8);
+            d3 += h6 * (5 * r7);
+            d3 += h7 * (5 * r6);
+            d3 += h8 * (5 * r5);
+            d3 += h9 * (5 * r4);
+            c += (d3 >>> 13);
+            d3 &= 0x1fff;
+            let d4 = c;
+            d4 += h0 * r4;
+            d4 += h1 * r3;
+            d4 += h2 * r2;
+            d4 += h3 * r1;
+            d4 += h4 * r0;
+            c = (d4 >>> 13);
+            d4 &= 0x1fff;
+            d4 += h5 * (5 * r9);
+            d4 += h6 * (5 * r8);
+            d4 += h7 * (5 * r7);
+            d4 += h8 * (5 * r6);
+            d4 += h9 * (5 * r5);
+            c += (d4 >>> 13);
+            d4 &= 0x1fff;
+            let d5 = c;
+            d5 += h0 * r5;
+            d5 += h1 * r4;
+            d5 += h2 * r3;
+            d5 += h3 * r2;
+            d5 += h4 * r1;
+            c = (d5 >>> 13);
+            d5 &= 0x1fff;
+            d5 += h5 * r0;
+            d5 += h6 * (5 * r9);
+            d5 += h7 * (5 * r8);
+            d5 += h8 * (5 * r7);
+            d5 += h9 * (5 * r6);
+            c += (d5 >>> 13);
+            d5 &= 0x1fff;
+            let d6 = c;
+            d6 += h0 * r6;
+            d6 += h1 * r5;
+            d6 += h2 * r4;
+            d6 += h3 * r3;
+            d6 += h4 * r2;
+            c = (d6 >>> 13);
+            d6 &= 0x1fff;
+            d6 += h5 * r1;
+            d6 += h6 * r0;
+            d6 += h7 * (5 * r9);
+            d6 += h8 * (5 * r8);
+            d6 += h9 * (5 * r7);
+            c += (d6 >>> 13);
+            d6 &= 0x1fff;
+            let d7 = c;
+            d7 += h0 * r7;
+            d7 += h1 * r6;
+            d7 += h2 * r5;
+            d7 += h3 * r4;
+            d7 += h4 * r3;
+            c = (d7 >>> 13);
+            d7 &= 0x1fff;
+            d7 += h5 * r2;
+            d7 += h6 * r1;
+            d7 += h7 * r0;
+            d7 += h8 * (5 * r9);
+            d7 += h9 * (5 * r8);
+            c += (d7 >>> 13);
+            d7 &= 0x1fff;
+            let d8 = c;
+            d8 += h0 * r8;
+            d8 += h1 * r7;
+            d8 += h2 * r6;
+            d8 += h3 * r5;
+            d8 += h4 * r4;
+            c = (d8 >>> 13);
+            d8 &= 0x1fff;
+            d8 += h5 * r3;
+            d8 += h6 * r2;
+            d8 += h7 * r1;
+            d8 += h8 * r0;
+            d8 += h9 * (5 * r9);
+            c += (d8 >>> 13);
+            d8 &= 0x1fff;
+            let d9 = c;
+            d9 += h0 * r9;
+            d9 += h1 * r8;
+            d9 += h2 * r7;
+            d9 += h3 * r6;
+            d9 += h4 * r5;
+            c = (d9 >>> 13);
+            d9 &= 0x1fff;
+            d9 += h5 * r4;
+            d9 += h6 * r3;
+            d9 += h7 * r2;
+            d9 += h8 * r1;
+            d9 += h9 * r0;
+            c += (d9 >>> 13);
+            d9 &= 0x1fff;
+            c = (((c << 2) + c)) | 0;
+            c = (c + d0) | 0;
+            d0 = c & 0x1fff;
+            c = (c >>> 13);
+            d1 += c;
+            h0 = d0;
+            h1 = d1;
+            h2 = d2;
+            h3 = d3;
+            h4 = d4;
+            h5 = d5;
+            h6 = d6;
+            h7 = d7;
+            h8 = d8;
+            h9 = d9;
+            mpos += 16;
+            bytes -= 16;
+        }
+        this._h[0] = h0;
+        this._h[1] = h1;
+        this._h[2] = h2;
+        this._h[3] = h3;
+        this._h[4] = h4;
+        this._h[5] = h5;
+        this._h[6] = h6;
+        this._h[7] = h7;
+        this._h[8] = h8;
+        this._h[9] = h9;
+    }
+    finish(mac, macpos = 0) {
+        const g = new Uint16Array(10);
+        let c;
+        let mask;
+        let f;
+        let i;
+        if (this._leftover) {
+            i = this._leftover;
+            this._buffer[i++] = 1;
+            for (; i < 16; i++) {
+                this._buffer[i] = 0;
             }
-        });
-        return availableFonts.join(',');
+            this._fin = 1;
+            this._blocks(this._buffer, 0, 16);
+        }
+        c = this._h[1] >>> 13;
+        this._h[1] &= 0x1fff;
+        for (i = 2; i < 10; i++) {
+            this._h[i] += c;
+            c = this._h[i] >>> 13;
+            this._h[i] &= 0x1fff;
+        }
+        this._h[0] += (c * 5);
+        c = this._h[0] >>> 13;
+        this._h[0] &= 0x1fff;
+        this._h[1] += c;
+        c = this._h[1] >>> 13;
+        this._h[1] &= 0x1fff;
+        this._h[2] += c;
+        g[0] = this._h[0] + 5;
+        c = g[0] >>> 13;
+        g[0] &= 0x1fff;
+        for (i = 1; i < 10; i++) {
+            g[i] = this._h[i] + c;
+            c = g[i] >>> 13;
+            g[i] &= 0x1fff;
+        }
+        g[9] -= (1 << 13);
+        mask = (c ^ 1) - 1;
+        for (i = 0; i < 10; i++) {
+            g[i] &= mask;
+        }
+        mask = ~mask;
+        for (i = 0; i < 10; i++) {
+            this._h[i] = (this._h[i] & mask) | g[i];
+        }
+        this._h[0] = ((this._h[0]) | (this._h[1] << 13)) & 0xffff;
+        this._h[1] = ((this._h[1] >>> 3) | (this._h[2] << 10)) & 0xffff;
+        this._h[2] = ((this._h[2] >>> 6) | (this._h[3] << 7)) & 0xffff;
+        this._h[3] = ((this._h[3] >>> 9) | (this._h[4] << 4)) & 0xffff;
+        this._h[4] = ((this._h[4] >>> 12) | (this._h[5] << 1) | (this._h[6] << 14)) & 0xffff;
+        this._h[5] = ((this._h[6] >>> 2) | (this._h[7] << 11)) & 0xffff;
+        this._h[6] = ((this._h[7] >>> 5) | (this._h[8] << 8)) & 0xffff;
+        this._h[7] = ((this._h[8] >>> 8) | (this._h[9] << 5)) & 0xffff;
+        f = this._h[0] + this._pad[0];
+        this._h[0] = f & 0xffff;
+        for (i = 1; i < 8; i++) {
+            f = (((this._h[i] + this._pad[i]) | 0) + (f >>> 16)) | 0;
+            this._h[i] = f & 0xffff;
+        }
+        mac[macpos + 0] = this._h[0] >>> 0;
+        mac[macpos + 1] = this._h[0] >>> 8;
+        mac[macpos + 2] = this._h[1] >>> 0;
+        mac[macpos + 3] = this._h[1] >>> 8;
+        mac[macpos + 4] = this._h[2] >>> 0;
+        mac[macpos + 5] = this._h[2] >>> 8;
+        mac[macpos + 6] = this._h[3] >>> 0;
+        mac[macpos + 7] = this._h[3] >>> 8;
+        mac[macpos + 8] = this._h[4] >>> 0;
+        mac[macpos + 9] = this._h[4] >>> 8;
+        mac[macpos + 10] = this._h[5] >>> 0;
+        mac[macpos + 11] = this._h[5] >>> 8;
+        mac[macpos + 12] = this._h[6] >>> 0;
+        mac[macpos + 13] = this._h[6] >>> 8;
+        mac[macpos + 14] = this._h[7] >>> 0;
+        mac[macpos + 15] = this._h[7] >>> 8;
+        this._finished = true;
+        return this;
     }
-    hasLocalStorage() {
-        try {
-            return typeof localStorage !== 'undefined';
+    update(m) {
+        let mpos = 0;
+        let bytes = m.length;
+        let want;
+        if (this._leftover) {
+            want = (16 - this._leftover);
+            if (want > bytes) {
+                want = bytes;
+            }
+            for (let i = 0; i < want; i++) {
+                this._buffer[this._leftover + i] = m[mpos + i];
+            }
+            bytes -= want;
+            mpos += want;
+            this._leftover += want;
+            if (this._leftover < 16) {
+                return this;
+            }
+            this._blocks(this._buffer, 0, 16);
+            this._leftover = 0;
         }
-        catch {
-            return false;
+        if (bytes >= 16) {
+            want = bytes - (bytes % 16);
+            this._blocks(m, mpos, want);
+            mpos += want;
+            bytes -= want;
         }
+        if (bytes) {
+            for (let i = 0; i < bytes; i++) {
+                this._buffer[this._leftover + i] = m[mpos + i];
+            }
+            this._leftover += bytes;
+        }
+        return this;
     }
-    hasSessionStorage() {
-        try {
-            return typeof sessionStorage !== 'undefined';
+    digest() {
+        // TODO(dchest): it behaves differently than other hashes/HMAC,
+        // because it throws when finished — others just return saved result.
+        if (this._finished) {
+            throw new Error("Poly1305 was finished");
         }
-        catch {
-            return false;
+        let mac = new Uint8Array(16);
+        this.finish(mac);
+        return mac;
+    }
+    clean() {
+        wipe(this._buffer);
+        wipe(this._r);
+        wipe(this._h);
+        wipe(this._pad);
+        this._leftover = 0;
+        this._fin = 0;
+        this._finished = true; // mark as finished even if not
+        return this;
+    }
+}
+
+// Copyright (C) 2016 Dmitry Chestnykh
+// MIT License. See LICENSE file for details.
+const KEY_LENGTH$1 = 32;
+const NONCE_LENGTH$1 = 12;
+const TAG_LENGTH$1 = 16;
+const ZEROS = new Uint8Array(16);
+/**
+ * ChaCha20-Poly1305 Authenticated Encryption with Associated Data.
+ *
+ * Defined in RFC7539.
+ */
+class ChaCha20Poly1305 {
+    nonceLength = NONCE_LENGTH$1;
+    tagLength = TAG_LENGTH$1;
+    _key;
+    /**
+     * Creates a new instance with the given 32-byte key.
+     */
+    constructor(key) {
+        if (key.length !== KEY_LENGTH$1) {
+            throw new Error("ChaCha20Poly1305 needs 32-byte key");
         }
+        // Copy key.
+        this._key = new Uint8Array(key);
     }
-    getTimeZone() {
-        try {
-            return Intl.DateTimeFormat().resolvedOptions().timeZone;
+    /**
+     * Encrypts and authenticates plaintext, authenticates associated data,
+     * and returns sealed ciphertext, which includes authentication tag.
+     *
+     * RFC7539 specifies 12 bytes for nonce. It may be this 12-byte nonce
+     * ("IV"), or full 16-byte counter (called "32-bit fixed-common part")
+     * and nonce.
+     *
+     * If dst is given (it must be the size of plaintext + the size of tag
+     * length) the result will be put into it. Dst and plaintext must not
+     * overlap.
+     */
+    seal(nonce, plaintext, associatedData, dst) {
+        if (nonce.length > 16) {
+            throw new Error("ChaCha20Poly1305: incorrect nonce length");
         }
-        catch {
-            return new Date().getTimezoneOffset().toString();
+        // Allocate space for counter, and set nonce as last bytes of it.
+        const counter = new Uint8Array(16);
+        counter.set(nonce, counter.length - nonce.length);
+        // Generate authentication key by taking first 32-bytes of stream.
+        // We pass full counter, which has 12-byte nonce and 4-byte block counter,
+        // and it will get incremented after generating the block, which is
+        // exactly what we need: we only use the first 32 bytes of 64-byte
+        // ChaCha block and discard the next 32 bytes.
+        const authKey = new Uint8Array(32);
+        stream(this._key, counter, authKey, 4);
+        // Allocate space for sealed ciphertext.
+        const resultLength = plaintext.length + this.tagLength;
+        let result;
+        if (dst) {
+            if (dst.length !== resultLength) {
+                throw new Error("ChaCha20Poly1305: incorrect destination length");
+            }
+            result = dst;
+        }
+        else {
+            result = new Uint8Array(resultLength);
         }
+        // Encrypt plaintext.
+        streamXOR(this._key, counter, plaintext, result, 4);
+        // Authenticate.
+        // XXX: can "simplify" here: pass full result (which is already padded
+        // due to zeroes prepared for tag), and ciphertext length instead of
+        // subarray of result.
+        this._authenticate(result.subarray(result.length - this.tagLength, result.length), authKey, result.subarray(0, result.length - this.tagLength), associatedData);
+        // Cleanup.
+        wipe(counter);
+        return result;
     }
-    getLanguage() {
-        if (typeof navigator === 'undefined')
-            return '';
-        return navigator.language || '';
+    /**
+     * Authenticates sealed ciphertext (which includes authentication tag) and
+     * associated data, decrypts ciphertext and returns decrypted plaintext.
+     *
+     * RFC7539 specifies 12 bytes for nonce. It may be this 12-byte nonce
+     * ("IV"), or full 16-byte counter (called "32-bit fixed-common part")
+     * and nonce.
+     *
+     * If authentication fails, it returns null.
+     *
+     * If dst is given (it must be of ciphertext length minus tag length),
+     * the result will be put into it. Dst and plaintext must not overlap.
+     */
+    open(nonce, sealed, associatedData, dst) {
+        if (nonce.length > 16) {
+            throw new Error("ChaCha20Poly1305: incorrect nonce length");
+        }
+        // Sealed ciphertext should at least contain tag.
+        if (sealed.length < this.tagLength) {
+            // TODO(dchest): should we throw here instead?
+            return null;
+        }
+        // Allocate space for counter, and set nonce as last bytes of it.
+        const counter = new Uint8Array(16);
+        counter.set(nonce, counter.length - nonce.length);
+        // Generate authentication key by taking first 32-bytes of stream.
+        const authKey = new Uint8Array(32);
+        stream(this._key, counter, authKey, 4);
+        // Authenticate.
+        // XXX: can simplify and avoid allocation: since authenticate()
+        // already allocates tag (from Poly1305.digest(), it can return)
+        // it instead of copying to calculatedTag. But then in seal()
+        // we'll need to copy it.
+        const calculatedTag = new Uint8Array(this.tagLength);
+        this._authenticate(calculatedTag, authKey, sealed.subarray(0, sealed.length - this.tagLength), associatedData);
+        // Constant-time compare tags and return null if they differ.
+        if (!equal(calculatedTag, sealed.subarray(sealed.length - this.tagLength, sealed.length))) {
+            return null;
+        }
+        // Allocate space for decrypted plaintext.
+        const resultLength = sealed.length - this.tagLength;
+        let result;
+        if (dst) {
+            if (dst.length !== resultLength) {
+                throw new Error("ChaCha20Poly1305: incorrect destination length");
+            }
+            result = dst;
+        }
+        else {
+            result = new Uint8Array(resultLength);
+        }
+        // Decrypt.
+        streamXOR(this._key, counter, sealed.subarray(0, sealed.length - this.tagLength), result, 4);
+        // Cleanup.
+        wipe(counter);
+        return result;
     }
-    getSystemLanguage() {
-        if (typeof navigator === 'undefined')
-            return '';
-        const extendedNavigator = navigator;
-        return extendedNavigator.systemLanguage || navigator.language || '';
+    clean() {
+        wipe(this._key);
+        return this;
     }
-    hasCookieSupport() {
-        if (typeof document === 'undefined')
-            return false;
-        return navigator.cookieEnabled;
+    _authenticate(tagOut, authKey, ciphertext, associatedData) {
+        // Initialize Poly1305 with authKey.
+        const h = new Poly1305(authKey);
+        // Authenticate padded associated data.
+        if (associatedData) {
+            h.update(associatedData);
+            if (associatedData.length % 16 > 0) {
+                h.update(ZEROS.subarray(associatedData.length % 16));
+            }
+        }
+        // Authenticate padded ciphertext.
+        h.update(ciphertext);
+        if (ciphertext.length % 16 > 0) {
+            h.update(ZEROS.subarray(ciphertext.length % 16));
+        }
+        // Authenticate length of associated data.
+        // XXX: can avoid allocation here?
+        const length = new Uint8Array(8);
+        if (associatedData) {
+            writeUint64LE(associatedData.length, length);
+        }
+        h.update(length);
+        // Authenticate length of ciphertext.
+        writeUint64LE(ciphertext.length, length);
+        h.update(length);
+        // Get tag and copy it into tagOut.
+        const tag = h.digest();
+        for (let i = 0; i < tag.length; i++) {
+            tagOut[i] = tag[i];
+        }
+        // Cleanup.
+        h.clean();
+        wipe(tag);
+        wipe(length);
     }
-    getCanvasFingerprint() {
-        if (typeof document === 'undefined')
-            return '';
-        try {
-            const canvas = document.createElement('canvas');
-            const ctx = canvas.getContext('2d');
-            if (!ctx)
-                return '';
-            // Draw some text and shapes to create a unique canvas fingerprint
-            ctx.textBaseline = 'top';
-            ctx.font = '14px Arial';
-            ctx.fillStyle = '#f60';
-            ctx.fillRect(125, 1, 62, 20);
-            ctx.fillStyle = '#069';
-            ctx.fillText('SecureStorage 🔒', 2, 15);
-            ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
-            ctx.fillText('SecureStorage 🔒', 4, 17);
-            return canvas.toDataURL();
+}
+
+// Copyright (C) 2019 Kyle Den Hartog
+// MIT License. See LICENSE file for details.
+const KEY_LENGTH = 32;
+const NONCE_LENGTH = 24;
+const TAG_LENGTH = 16;
+/**
+ * XChaCha20-Poly1305 Authenticated Encryption with Associated Data.
+ *
+ * Defined in draft-irtf-cfrg-xchacha-01.
+ * See https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-01
+ */
+class XChaCha20Poly1305 {
+    nonceLength = NONCE_LENGTH;
+    tagLength = TAG_LENGTH;
+    _key;
+    /**
+     * Creates a new instance with the given 32-byte key.
+     */
+    constructor(key) {
+        if (key.length !== KEY_LENGTH) {
+            throw new Error("ChaCha20Poly1305 needs 32-byte key");
         }
-        catch {
-            return '';
+        // Copy key.
+        this._key = new Uint8Array(key);
+    }
+    /**
+     * Encrypts and authenticates plaintext, authenticates associated data,
+     * and returns sealed ciphertext, which includes authentication tag.
+     *
+     * draft-irtf-cfrg-xchacha-01 defines a 24 byte nonce (192 bits) which
+     * uses the first 16 bytes of the nonce and the secret key with
+     * HChaCha to generate an initial subkey. The last 8 bytes of the nonce
+     * are then prefixed with 4 zero bytes and then provided with the subkey
+     * to the ChaCha20Poly1305 implementation.
+     *
+     * If dst is given (it must be the size of plaintext + the size of tag
+     * length) the result will be put into it. Dst and plaintext must not
+     * overlap.
+     */
+    seal(nonce, plaintext, associatedData, dst) {
+        if (nonce.length !== 24) {
+            throw new Error("XChaCha20Poly1305: incorrect nonce length");
         }
+        // Use HSalsa one-way function to transform first 16 bytes of
+        // 24-byte extended nonce and key into a new key for Salsa
+        // stream -- "subkey".
+        const subKey = hchacha(this._key, nonce.subarray(0, 16), new Uint8Array(32));
+        // Use last 8 bytes of 24-byte extended nonce as an actual nonce prefixed by 4 zero bytes,
+        // and a subkey derived in the previous step as key to encrypt.
+        const modifiedNonce = new Uint8Array(12);
+        modifiedNonce.set(nonce.subarray(16), 4);
+        const chaChaPoly = new ChaCha20Poly1305(subKey);
+        const result = chaChaPoly.seal(modifiedNonce, plaintext, associatedData, dst);
+        wipe(subKey);
+        wipe(modifiedNonce);
+        chaChaPoly.clean();
+        return result;
     }
-    getHostname() {
-        if (typeof location === 'undefined')
-            return '';
-        return location.hostname;
+    /**
+     * Authenticates sealed ciphertext (which includes authentication tag) and
+     * associated data, decrypts ciphertext and returns decrypted plaintext.
+     *
+     * draft-irtf-cfrg-xchacha-01 defines a 24 byte nonce (192 bits) which
+     * then uses the first 16 bytes of the nonce and the secret key with
+     * Hchacha to generate an initial subkey. The last 8 bytes of the nonce
+     * are then prefixed with 4 zero bytes and then provided with the subkey
+     * to the chacha20poly1305 implementation.
+     *
+     * If authentication fails, it returns null.
+     *
+     * If dst is given (it must be the size of plaintext + the size of tag
+     * length) the result will be put into it. Dst and plaintext must not
+     * overlap.
+     */
+    open(nonce, sealed, associatedData, dst) {
+        if (nonce.length !== 24) {
+            throw new Error("XChaCha20Poly1305: incorrect nonce length");
+        }
+        // Sealed ciphertext should at least contain tag.
+        if (sealed.length < this.tagLength) {
+            // TODO(dchest): should we throw here instead?
+            return null;
+        }
+        /**
+        * Generate subKey by using HChaCha20 function as defined
+        * in section 2 step 1 of draft-irtf-cfrg-xchacha-01
+        */
+        const subKey = hchacha(this._key, nonce.subarray(0, 16), new Uint8Array(32));
+        /**
+        * Generate Nonce as defined - remaining 8 bytes of the nonce prefixed with
+        * 4 zero bytes
+        */
+        const modifiedNonce = new Uint8Array(12);
+        modifiedNonce.set(nonce.subarray(16), 4);
+        /**
+         * Authenticate and decrypt by calling into chacha20poly1305.
+         */
+        const chaChaPoly = new ChaCha20Poly1305(subKey);
+        const result = chaChaPoly.open(modifiedNonce, sealed, associatedData, dst);
+        wipe(subKey);
+        wipe(modifiedNonce);
+        chaChaPoly.clean();
+        return result;
+    }
+    clean() {
+        wipe(this._key);
+        return this;
     }
 }
 
-const ALGORITHM = 'ChaCha20-Poly1305';
+const ALGORITHM = 'XChaCha20-Poly1305';
 const KEY_BYTES = 32;
-const NONCE_BYTES = 12;
-const PBKDF2_ITERATIONS = 1000;
-const PBKDF2_SALT = 'secure-local-storage-salt';
+const NONCE_BYTES = 24;
+const HEX_KEY_PATTERN = /^[0-9a-f]{64}$/i;
+const DEFAULT_SECRET_KEY = new Uint8Array([
+    0x70, 0x61, 0x74, 0x68, 0x73, 0x63, 0x61, 0x6c,
+    0x65, 0x2d, 0x73, 0x6c, 0x73, 0x2d, 0x63, 0x68,
+    0x61, 0x63, 0x68, 0x61, 0x32, 0x30, 0x70, 0x6f,
+    0x6c, 0x79, 0x31, 0x33, 0x30, 0x35, 0x6b, 0x31,
+]);
 /**
  * Encryption utility for secure data storage
  */
 class EncryptionManager {
-    constructor(secretKey) {
+    constructor(secretKey = '') {
         this.version = '2.0.0';
         this.textEncoder = new TextEncoder();
         this.textDecoder = new TextDecoder();
-        this.secretKey = this.deriveKey(secretKey);
+        this.secretKey = this.loadSecretKey(secretKey);
     }
     /**
      * Update the secret key
      */
     updateSecretKey(newSecretKey) {
         this.secretKey.fill(0);
-        this.secretKey = this.deriveKey(newSecretKey);
+        this.secretKey = this.loadSecretKey(newSecretKey);
     }
     /**
      * Encrypt data with type preservation
@@ -185,9 +1227,11 @@ class EncryptionManager {
             version: this.version,
         };
         const serialized = JSON.stringify(item);
-        const nonce = randomBytes(NONCE_BYTES);
+        const nonce = this.getRandomBytes(NONCE_BYTES);
         const plaintext = this.textEncoder.encode(serialized);
-        const ciphertext = chacha20poly1305(this.secretKey, nonce).encrypt(plaintext);
+        const cipher = new XChaCha20Poly1305(this.secretKey);
+        const ciphertext = cipher.seal(nonce, plaintext);
+        cipher.clean();
         const envelope = {
             algorithm: ALGORITHM,
             nonce: this.encodeBase64(nonce),
@@ -207,7 +1251,12 @@ class EncryptionManager {
             }
             const nonce = this.decodeBase64(envelope.nonce);
             const ciphertext = this.decodeBase64(envelope.ciphertext);
-            const plaintext = chacha20poly1305(this.secretKey, nonce).decrypt(ciphertext);
+            const cipher = new XChaCha20Poly1305(this.secretKey);
+            const plaintext = cipher.open(nonce, ciphertext);
+            cipher.clean();
+            if (!plaintext) {
+                throw new Error('Failed to authenticate encrypted data');
+            }
             const decryptedText = this.textDecoder.decode(plaintext);
             const item = JSON.parse(decryptedText);
             return this.deserializeData(item.data, item.type);
@@ -225,7 +1274,11 @@ class EncryptionManager {
             const envelope = JSON.parse(encryptedData);
             if (!this.isChachaEnvelope(envelope))
                 return false;
-            const plaintext = chacha20poly1305(this.secretKey, this.decodeBase64(envelope.nonce)).decrypt(this.decodeBase64(envelope.ciphertext));
+            const cipher = new XChaCha20Poly1305(this.secretKey);
+            const plaintext = cipher.open(this.decodeBase64(envelope.nonce), this.decodeBase64(envelope.ciphertext));
+            cipher.clean();
+            if (!plaintext)
+                return false;
             const item = JSON.parse(this.textDecoder.decode(plaintext));
             return item && typeof item.data !== 'undefined' && typeof item.type === 'string';
         }
@@ -233,11 +1286,29 @@ class EncryptionManager {
             return false;
         }
     }
-    deriveKey(key) {
-        return pbkdf2(sha256, key, PBKDF2_SALT, {
-            c: PBKDF2_ITERATIONS,
-            dkLen: KEY_BYTES,
-        });
+    loadSecretKey(key) {
+        return this.tryParseRawKey(key) || DEFAULT_SECRET_KEY.slice();
+    }
+    tryParseRawKey(key) {
+        if (!key)
+            return null;
+        if (HEX_KEY_PATTERN.test(key)) {
+            const bytes = new Uint8Array(KEY_BYTES);
+            for (let index = 0; index < KEY_BYTES; index += 1) {
+                bytes[index] = Number.parseInt(key.slice(index * 2, index * 2 + 2), 16);
+            }
+            return bytes;
+        }
+        try {
+            const decoded = this.decodeBase64(key);
+            if (decoded.length === KEY_BYTES)
+                return decoded;
+        }
+        catch {
+            // Not a base64 key; try raw UTF-8 below.
+        }
+        const raw = this.textEncoder.encode(key);
+        return raw.length === KEY_BYTES ? raw : null;
     }
     serializeData(data) {
         if (data === null || data === undefined) {
@@ -317,6 +1388,15 @@ class EncryptionManager {
     getGlobalBuffer() {
         return globalThis.Buffer;
     }
+    getRandomBytes(length) {
+        const crypto = globalThis.crypto;
+        if (!crypto?.getRandomValues) {
+            throw new Error('No cryptographically secure random source available');
+        }
+        const bytes = new Uint8Array(length);
+        crypto.getRandomValues(bytes);
+        return bytes;
+    }
 }
 
 /**
@@ -402,7 +1482,6 @@ class SecureLocalStorage {
             disabledKeys: config.disabledKeys || envConfig.disabledKeys || [],
             debug: config.debug || envConfig.debug || false,
         };
-        this.fingerprinting = new BrowserFingerprinting(this.config.disabledKeys);
         this.storageEngine = this.getStorageEngine();
         this.prefix = this.config.prefix || 'sls_';
         this.memoryCache = new Map();
@@ -560,10 +1639,6 @@ class SecureLocalStorage {
             const newSecretKey = this.generateSecretKey();
             this.encryption.updateSecretKey(newSecretKey);
         }
-        // Update fingerprinting if disabled keys changed
-        if (oldConfig.disabledKeys !== this.config.disabledKeys) {
-            this.fingerprinting = new BrowserFingerprinting(this.config.disabledKeys);
-        }
         if (this.config.debug) {
             console.log('Configuration updated:', this.config);
         }
@@ -582,9 +1657,7 @@ class SecureLocalStorage {
         return 'secure-local-storage-default-key';
     }
     generateSecretKey() {
-        const fingerprint = this.fingerprinting.generateFingerprint();
-        const fingerprintString = this.fingerprinting.fingerprintToString(fingerprint);
-        return `${this.config.hashKey}|${fingerprintString}`;
+        return this.config.hashKey || this.generateDefaultHashKey();
     }
     initializeFromStorage() {
         try {
@@ -638,6 +1711,155 @@ class MemoryStorage {
     }
 }
 
+/**
+ * Browser fingerprinting utility for generating unique browser identifiers
+ */
+class BrowserFingerprinting {
+    constructor(disabledKeys = []) {
+        this.disabledKeys = new Set(disabledKeys);
+    }
+    /**
+     * Generate a comprehensive browser fingerprint
+     */
+    generateFingerprint() {
+        return {
+            userAgent: this.isEnabled('UserAgent') ? this.getUserAgent() : '',
+            screenPrint: this.isEnabled('ScreenPrint') ? this.getScreenPrint() : '',
+            plugins: this.isEnabled('Plugins') ? this.getPlugins() : '',
+            fonts: this.isEnabled('Fonts') ? this.getFonts() : '',
+            localStorage: this.isEnabled('LocalStorage') ? this.hasLocalStorage() : false,
+            sessionStorage: this.isEnabled('SessionStorage') ? this.hasSessionStorage() : false,
+            timeZone: this.isEnabled('TimeZone') ? this.getTimeZone() : '',
+            language: this.isEnabled('Language') ? this.getLanguage() : '',
+            systemLanguage: this.isEnabled('SystemLanguage') ? this.getSystemLanguage() : '',
+            cookie: this.isEnabled('Cookie') ? this.hasCookieSupport() : false,
+            canvas: this.isEnabled('Canvas') ? this.getCanvasFingerprint() : '',
+            hostname: this.isEnabled('Hostname') ? this.getHostname() : '',
+        };
+    }
+    /**
+     * Convert fingerprint to a hash string
+     */
+    fingerprintToString(fingerprint) {
+        return Object.values(fingerprint)
+            .map(value => String(value))
+            .join('|');
+    }
+    isEnabled(property) {
+        return !this.disabledKeys.has(property);
+    }
+    getUserAgent() {
+        return typeof navigator !== 'undefined' ? navigator.userAgent : '';
+    }
+    getScreenPrint() {
+        if (typeof screen === 'undefined')
+            return '';
+        return `${screen.width}x${screen.height}x${screen.colorDepth}`;
+    }
+    getPlugins() {
+        if (typeof navigator === 'undefined' || !navigator.plugins)
+            return '';
+        const plugins = Array.from(navigator.plugins)
+            .map(plugin => plugin.name)
+            .sort()
+            .join(',');
+        return plugins;
+    }
+    getFonts() {
+        // Basic font detection using canvas
+        if (typeof document === 'undefined')
+            return '';
+        const fonts = [
+            'Arial', 'Helvetica', 'Times New Roman', 'Times', 'Courier New', 'Courier',
+            'Verdana', 'Georgia', 'Palatino', 'Garamond', 'Bookman', 'Comic Sans MS',
+            'Trebuchet MS', 'Arial Black', 'Impact', 'Sans-serif', 'Serif', 'Monospace'
+        ];
+        const availableFonts = [];
+        const canvas = document.createElement('canvas');
+        const context = canvas.getContext('2d');
+        if (!context)
+            return '';
+        fonts.forEach(font => {
+            context.font = `12px ${font}, monospace`;
+            const width1 = context.measureText('mmmmmmmmmmlli').width;
+            context.font = `12px ${font}, sans-serif`;
+            const width2 = context.measureText('mmmmmmmmmmlli').width;
+            if (width1 !== width2) {
+                availableFonts.push(font);
+            }
+        });
+        return availableFonts.join(',');
+    }
+    hasLocalStorage() {
+        try {
+            return typeof localStorage !== 'undefined';
+        }
+        catch {
+            return false;
+        }
+    }
+    hasSessionStorage() {
+        try {
+            return typeof sessionStorage !== 'undefined';
+        }
+        catch {
+            return false;
+        }
+    }
+    getTimeZone() {
+        try {
+            return Intl.DateTimeFormat().resolvedOptions().timeZone;
+        }
+        catch {
+            return new Date().getTimezoneOffset().toString();
+        }
+    }
+    getLanguage() {
+        if (typeof navigator === 'undefined')
+            return '';
+        return navigator.language || '';
+    }
+    getSystemLanguage() {
+        if (typeof navigator === 'undefined')
+            return '';
+        const extendedNavigator = navigator;
+        return extendedNavigator.systemLanguage || navigator.language || '';
+    }
+    hasCookieSupport() {
+        if (typeof document === 'undefined')
+            return false;
+        return navigator.cookieEnabled;
+    }
+    getCanvasFingerprint() {
+        if (typeof document === 'undefined')
+            return '';
+        try {
+            const canvas = document.createElement('canvas');
+            const ctx = canvas.getContext('2d');
+            if (!ctx)
+                return '';
+            // Draw some text and shapes to create a unique canvas fingerprint
+            ctx.textBaseline = 'top';
+            ctx.font = '14px Arial';
+            ctx.fillStyle = '#f60';
+            ctx.fillRect(125, 1, 62, 20);
+            ctx.fillStyle = '#069';
+            ctx.fillText('SecureStorage 🔒', 2, 15);
+            ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
+            ctx.fillText('SecureStorage 🔒', 4, 17);
+            return canvas.toDataURL();
+        }
+        catch {
+            return '';
+        }
+    }
+    getHostname() {
+        if (typeof location === 'undefined')
+            return '';
+        return location.hostname;
+    }
+}
+
 /**
  * Default secure local storage instance
  */