leviathan-crypto 1.4.0 → 2.0.0

package/dist/serpent/stream.d.ts

@@ -1,28 +0,0 @@
-import { SerpentCtr } from './index.js';
-import { HMAC_SHA256, HKDF_SHA256 } from '../sha2/index.js';
-export declare function u32be(n: number): Uint8Array;
-export declare function u64be(n: number): Uint8Array;
-export declare function chunkInfo(streamNonce: Uint8Array, chunkSize: number, chunkCount: number, index: number, isLast: boolean): Uint8Array;
-export declare function deriveChunkKeys(hkdf: HKDF_SHA256, masterKey: Uint8Array, streamNonce: Uint8Array, chunkSize: number, chunkCount: number, index: number, isLast: boolean): {
-    encKey: Uint8Array;
-    macKey: Uint8Array;
-};
-/**
- * Encrypt one chunk. Returns ciphertext || hmac_tag (32 bytes).
- * Does not generate keys -- caller provides encKey and macKey.
- */
-export declare function sealChunk(ctr: SerpentCtr, hmac: HMAC_SHA256, encKey: Uint8Array, macKey: Uint8Array, chunk: Uint8Array): Uint8Array;
-/**
- * Decrypt one chunk. Throws 'SerpentStream: authentication failed' on bad tag.
- * Returns plaintext.
- */
-export declare function openChunk(ctr: SerpentCtr, hmac: HMAC_SHA256, encKey: Uint8Array, macKey: Uint8Array, wire: Uint8Array): Uint8Array;
-export declare class SerpentStream {
-    private readonly _ctr;
-    private readonly _hmac;
-    private readonly _hkdf;
-    constructor();
-    seal(key: Uint8Array, plaintext: Uint8Array, chunkSize?: number, _nonce?: Uint8Array): Uint8Array;
-    open(key: Uint8Array, ciphertext: Uint8Array): Uint8Array;
-    dispose(): void;
-}

package/dist/serpent/stream.js

@@ -1,205 +0,0 @@
-//                  ▄▄▄▄▄▄▄▄▄▄
-//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
-//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
-//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
-//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
-//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
-//     ███████▌    ▀██▀         ███
-//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
-//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
-//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
-//            ▀████▄   ▄██▄
-//              ▐████   ▐███                  Author: xero (https://x-e.ro)
-//       ▄▄██████████    ▐███         ▄▄      License: MIT
-//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
-//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
-//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
-//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
-//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
-//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
-//                           ▀█████▀▀
-//
-// src/ts/serpent/stream.ts
-//
-// SerpentStream — chunked authenticated encryption for large payloads.
-// Tier 2 pure-TS composition: SerpentCtr + HMAC_SHA256 + HKDF_SHA256.
-import { SerpentCtr, _serpentReady } from './index.js';
-import { HMAC_SHA256, HKDF_SHA256, _sha2Ready } from '../sha2/index.js';
-import { constantTimeEqual } from '../utils.js';
-// ── Constants ─────────────────────────────────────────────────────────────────
-const DOMAIN = 'serpent-stream-v1'; // UTF-8, 17 bytes
-const ZERO_IV = new Uint8Array(16); // fixed zero IV for CTR
-const CHUNK_MIN = 1024; // 1 KB
-const CHUNK_MAX = 65536; // 64 KB
-const CHUNK_DEF = 65536; // default
-// ── Internal helpers ──────────────────────────────────────────────────────────
-export function u32be(n) {
-    const b = new Uint8Array(4);
-    b[0] = (n >>> 24) & 0xff;
-    b[1] = (n >>> 16) & 0xff;
-    b[2] = (n >>> 8) & 0xff;
-    b[3] = n & 0xff;
-    return b;
-}
-export function u64be(n) {
-    const b = new Uint8Array(8);
-    // high 32 bits (safe for n < 2^53)
-    const hi = Math.floor(n / 0x100000000);
-    const lo = n >>> 0;
-    b[0] = (hi >>> 24) & 0xff;
-    b[1] = (hi >>> 16) & 0xff;
-    b[2] = (hi >>> 8) & 0xff;
-    b[3] = hi & 0xff;
-    b[4] = (lo >>> 24) & 0xff;
-    b[5] = (lo >>> 16) & 0xff;
-    b[6] = (lo >>> 8) & 0xff;
-    b[7] = lo & 0xff;
-    return b;
-}
-const DOMAIN_BYTES = new TextEncoder().encode(DOMAIN);
-export function chunkInfo(streamNonce, chunkSize, chunkCount, index, isLast) {
-    // 17 + 16 + 4 + 8 + 8 + 1 = 54 bytes
-    const info = new Uint8Array(54);
-    let off = 0;
-    info.set(DOMAIN_BYTES, off);
-    off += 17;
-    info.set(streamNonce, off);
-    off += 16;
-    info.set(u32be(chunkSize), off);
-    off += 4;
-    info.set(u64be(chunkCount), off);
-    off += 8;
-    info.set(u64be(index), off);
-    off += 8;
-    info[off] = isLast ? 0x01 : 0x00;
-    return info;
-}
-export function deriveChunkKeys(hkdf, masterKey, streamNonce, chunkSize, chunkCount, index, isLast) {
-    const info = chunkInfo(streamNonce, chunkSize, chunkCount, index, isLast);
-    const derived = hkdf.derive(masterKey, streamNonce, info, 64);
-    return {
-        encKey: derived.subarray(0, 32),
-        macKey: derived.subarray(32, 64),
-    };
-}
-// ── Exported chunk-level ops (used by Part 2 pool worker) ─────────────────────
-/**
- * Encrypt one chunk. Returns ciphertext || hmac_tag (32 bytes).
- * Does not generate keys -- caller provides encKey and macKey.
- */
-export function sealChunk(ctr, hmac, encKey, macKey, chunk) {
-    ctr.beginEncrypt(encKey, ZERO_IV);
-    const ciphertext = ctr.encryptChunk(chunk);
-    const tag = hmac.hash(macKey, ciphertext);
-    const out = new Uint8Array(ciphertext.length + 32);
-    out.set(ciphertext, 0);
-    out.set(tag, ciphertext.length);
-    return out;
-}
-/**
- * Decrypt one chunk. Throws 'SerpentStream: authentication failed' on bad tag.
- * Returns plaintext.
- */
-export function openChunk(ctr, hmac, encKey, macKey, wire) {
-    if (wire.length < 32)
-        throw new RangeError('SerpentStream: chunk wire data too short');
-    const ciphertext = wire.subarray(0, wire.length - 32);
-    const tag = wire.subarray(wire.length - 32);
-    const expectedTag = hmac.hash(macKey, ciphertext);
-    if (!constantTimeEqual(tag, expectedTag))
-        throw new Error('SerpentStream: authentication failed');
-    ctr.beginEncrypt(encKey, ZERO_IV);
-    return ctr.encryptChunk(ciphertext);
-}
-// ── SerpentStream class ───────────────────────────────────────────────────────
-export class SerpentStream {
-    _ctr;
-    _hmac;
-    _hkdf;
-    constructor() {
-        if (!_serpentReady() || !_sha2Ready())
-            throw new Error('leviathan-crypto: call init([\'serpent\', \'sha2\']) before using SerpentStream');
-        this._ctr = new SerpentCtr({ dangerUnauthenticated: true });
-        this._hmac = new HMAC_SHA256();
-        this._hkdf = new HKDF_SHA256();
-    }
-    // _nonce: test seam only — inject a fixed nonce for deterministic KAT vectors
-    seal(key, plaintext, chunkSize, _nonce) {
-        if (key.length !== 32)
-            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
-        const cs = chunkSize ?? CHUNK_DEF;
-        if (cs < CHUNK_MIN || cs > CHUNK_MAX)
-            throw new RangeError(`SerpentStream chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
-        const streamNonce = (_nonce && _nonce.length === 16) ? _nonce : new Uint8Array(16);
-        if (!_nonce || _nonce.length !== 16)
-            crypto.getRandomValues(streamNonce);
-        const chunkCount = plaintext.length === 0 ? 1 : Math.ceil(plaintext.length / cs);
-        // Compute total output size
-        let totalWire = 28; // header
-        for (let i = 0; i < chunkCount; i++) {
-            const start = i * cs;
-            const end = Math.min(start + cs, plaintext.length);
-            totalWire += (end - start) + 32;
-        }
-        const out = new Uint8Array(totalWire);
-        // Write header
-        out.set(streamNonce, 0);
-        out.set(u32be(cs), 16);
-        out.set(u64be(chunkCount), 20);
-        let pos = 28;
-        for (let i = 0; i < chunkCount; i++) {
-            const start = i * cs;
-            const end = Math.min(start + cs, plaintext.length);
-            const slice = plaintext.subarray(start, end);
-            const isLast = i === chunkCount - 1;
-            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
-            const wire = sealChunk(this._ctr, this._hmac, encKey, macKey, slice);
-            out.set(wire, pos);
-            pos += wire.length;
-        }
-        return out;
-    }
-    open(key, ciphertext) {
-        if (key.length !== 32)
-            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
-        if (ciphertext.length < 28 + 32)
-            throw new RangeError('SerpentStream: ciphertext too short');
-        // Parse header
-        const streamNonce = ciphertext.subarray(0, 16);
-        const csView = ciphertext.subarray(16, 20);
-        const cs = (csView[0] << 24) | (csView[1] << 16) | (csView[2] << 8) | csView[3];
-        const ccView = ciphertext.subarray(20, 28);
-        let chunkCount = 0;
-        for (let i = 0; i < 8; i++)
-            chunkCount = chunkCount * 256 + ccView[i];
-        // Compute total plaintext size
-        let totalPt = 0;
-        let pos = 28;
-        for (let i = 0; i < chunkCount; i++) {
-            const isLast = i === chunkCount - 1;
-            const wireLen = isLast ? ciphertext.length - pos : cs + 32;
-            totalPt += wireLen - 32;
-            if (!isLast)
-                pos += wireLen;
-        }
-        const plaintext = new Uint8Array(totalPt);
-        pos = 28;
-        let ptPos = 0;
-        for (let i = 0; i < chunkCount; i++) {
-            const isLast = i === chunkCount - 1;
-            const wireLen = isLast ? ciphertext.length - pos : cs + 32;
-            const wireSlice = ciphertext.subarray(pos, pos + wireLen);
-            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
-            const pt = openChunk(this._ctr, this._hmac, encKey, macKey, wireSlice);
-            plaintext.set(pt, ptPos);
-            ptPos += pt.length;
-            pos += wireLen;
-        }
-        return plaintext;
-    }
-    dispose() {
-        this._ctr.dispose();
-        this._hmac.dispose();
-        this._hkdf.dispose();
-    }
-}

package/dist/serpent/stream.worker.d.ts

@@ -1,32 +0,0 @@
-interface SerpentExports {
-    memory: WebAssembly.Memory;
-    getKeyOffset: () => number;
-    getNonceOffset: () => number;
-    getChunkPtOffset: () => number;
-    getChunkCtOffset: () => number;
-    getChunkSize: () => number;
-    loadKey: (n: number) => number;
-    resetCounter: () => void;
-    encryptChunk: (n: number) => number;
-    wipeBuffers: () => void;
-}
-interface Sha2Exports {
-    memory: WebAssembly.Memory;
-    getSha256InputOffset: () => number;
-    getSha256OutOffset: () => number;
-    sha256Init: () => void;
-    sha256Update: (len: number) => void;
-    sha256Final: () => void;
-    hmac256Init: (keyLen: number) => void;
-    hmac256Update: (len: number) => void;
-    hmac256Final: () => void;
-    wipeBuffers: () => void;
-}
-declare let sx: SerpentExports | undefined;
-declare let hx: Sha2Exports | undefined;
-declare const ZERO_IV: Uint8Array<ArrayBuffer>;
-declare function hmacSha256(hx: Sha2Exports, key: Uint8Array, msg: Uint8Array): Uint8Array;
-declare function ctrEncrypt(sx: SerpentExports, key: Uint8Array, chunk: Uint8Array): Uint8Array;
-declare function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean;
-declare function workerSealChunk(encKey: Uint8Array, macKey: Uint8Array, chunk: Uint8Array): Uint8Array;
-declare function workerOpenChunk(encKey: Uint8Array, macKey: Uint8Array, wire: Uint8Array): Uint8Array;

package/dist/serpent/stream.worker.js

@@ -1,117 +0,0 @@
-"use strict";
-// / <reference lib="webworker" />
-// src/ts/serpent/stream.worker.ts
-//
-// Worker entry point for SerpentStreamPool. Runs in a Web Worker —
-// no access to the main thread's module cache. Owns its own
-// serpent.wasm and sha2.wasm instances with isolated linear memory.
-// Implements sealChunk/openChunk inline using raw WASM exports.
-let sx;
-let hx;
-const ZERO_IV = new Uint8Array(16);
-// ── Inline chunk ops ──────────────────────────────────────────────────────────
-function hmacSha256(hx, key, msg) {
-    // RFC 2104 §3: keys longer than block size (64 bytes) are pre-hashed.
-    // mac_key is always 32 bytes in normal usage (half of HKDF 64-byte output),
-    // but this guard must match the main-thread HMAC_SHA256.hash() behaviour
-    // exactly — any divergence would cause authentication failures if key sizes
-    // ever change.
-    let k = key;
-    if (k.length > 64) {
-        hx.sha256Init();
-        let pos = 0;
-        while (pos < k.length) {
-            const n = Math.min(k.length - pos, 64);
-            new Uint8Array(hx.memory.buffer).set(k.subarray(pos, pos + n), hx.getSha256InputOffset());
-            hx.sha256Update(n);
-            pos += n;
-        }
-        hx.sha256Final();
-        const out = new Uint8Array(hx.memory.buffer);
-        k = out.slice(hx.getSha256OutOffset(), hx.getSha256OutOffset() + 32);
-    }
-    const mem = new Uint8Array(hx.memory.buffer);
-    const inputOff = hx.getSha256InputOffset();
-    mem.set(k, inputOff);
-    hx.hmac256Init(k.length);
-    let pos = 0;
-    while (pos < msg.length) {
-        const n = Math.min(msg.length - pos, 64);
-        new Uint8Array(hx.memory.buffer).set(msg.subarray(pos, pos + n), inputOff);
-        hx.hmac256Update(n);
-        pos += n;
-    }
-    hx.hmac256Final();
-    const out = new Uint8Array(hx.memory.buffer);
-    return out.slice(hx.getSha256OutOffset(), hx.getSha256OutOffset() + 32);
-}
-function ctrEncrypt(sx, key, chunk) {
-    const mem = new Uint8Array(sx.memory.buffer);
-    mem.set(key, sx.getKeyOffset());
-    mem.set(ZERO_IV, sx.getNonceOffset());
-    sx.loadKey(key.length);
-    sx.resetCounter();
-    new Uint8Array(sx.memory.buffer).set(chunk, sx.getChunkPtOffset());
-    sx.encryptChunk(chunk.length);
-    const out = new Uint8Array(sx.memory.buffer);
-    return out.slice(sx.getChunkCtOffset(), sx.getChunkCtOffset() + chunk.length);
-}
-function constantTimeEqual(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
-}
-function workerSealChunk(encKey, macKey, chunk) {
-    const ciphertext = ctrEncrypt(sx, encKey, chunk);
-    const tag = hmacSha256(hx, macKey, ciphertext);
-    const out = new Uint8Array(ciphertext.length + 32);
-    out.set(ciphertext, 0);
-    out.set(tag, ciphertext.length);
-    return out;
-}
-function workerOpenChunk(encKey, macKey, wire) {
-    if (wire.length < 32)
-        throw new RangeError('SerpentStream: chunk wire data too short');
-    const ciphertext = wire.subarray(0, wire.length - 32);
-    const tag = wire.subarray(wire.length - 32);
-    const expectedTag = hmacSha256(hx, macKey, ciphertext);
-    if (!constantTimeEqual(tag, expectedTag))
-        throw new Error('SerpentStream: authentication failed');
-    return ctrEncrypt(sx, encKey, ciphertext);
-}
-// ── Message handler ───────────────────────────────────────────────────────────
-self.onmessage = async (e) => {
-    const msg = e.data;
-    if (msg.type === 'init') {
-        try {
-            const serpentMem = new WebAssembly.Memory({ initial: 3, maximum: 3 });
-            const sha2Mem = new WebAssembly.Memory({ initial: 3, maximum: 3 });
-            const serpentInst = await WebAssembly.instantiate(msg.serpentModule, { env: { memory: serpentMem } });
-            const sha2Inst = await WebAssembly.instantiate(msg.sha2Module, { env: { memory: sha2Mem } });
-            sx = serpentInst.exports;
-            hx = sha2Inst.exports;
-            self.postMessage({ type: 'ready' });
-        }
-        catch (err) {
-            self.postMessage({ type: 'error', id: -1, message: err.message });
-        }
-        return;
-    }
-    if (!sx || !hx) {
-        self.postMessage({ type: 'error', id: msg.id, message: 'worker not initialized' });
-        return;
-    }
-    try {
-        const { id, op, encKey, macKey, data } = msg;
-        const result = op === 'seal'
-            ? workerSealChunk(encKey, macKey, data)
-            : workerOpenChunk(encKey, macKey, data);
-        self.postMessage({ type: 'result', id, data: result }, [result.buffer]);
-    }
-    catch (err) {
-        self.postMessage({ type: 'error', id: msg.id, message: err.message });
-    }
-};