leviathan-crypto 2.0.1 → 2.1.0

package/dist/serpent/serpent-cbc.js

@@ -24,53 +24,42 @@
 // SerpentCbc — Serpent-256 CBC + PKCS7, internal module.
 // Extracted to break the cipher-suite.ts ↔ index.ts circular dependency.
 // Import from here directly; index.ts re-exports for the public API surface.
-import { getInstance } from '../init.js';
+import { getInstance, _acquireModule, _releaseModule } from '../init.js';
+import { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from './shared-ops.js';
+/** Returns the raw serpent WASM export object. @internal */
 function getExports() {
     return getInstance('serpent').exports;
 }
-// ── PKCS7 helpers ────────────────────────────────────────────────────────────
-function pkcs7Pad(data) {
-    const padLen = 16 - (data.length % 16); // 1..16
-    const out = new Uint8Array(data.length + padLen);
-    out.set(data);
-    out.fill(padLen, data.length);
-    return out;
-}
-// pkcs7Strip is only called after HMAC authentication succeeds (verify-then-decrypt).
-// The early throw on invalid padLen is not a padding oracle in this context —
-// the HMAC check is the oracle gate and runs in constant time before this point.
-// If you move this call to a pre-auth site, revisit the timing properties.
-function pkcs7Strip(data) {
-    if (data.length === 0)
-        throw new RangeError('empty ciphertext');
-    const padLen = data[data.length - 1];
-    if (padLen === 0 || padLen > 16)
-        throw new RangeError(`invalid PKCS7 padding byte: ${padLen}`);
-    if (padLen > data.length)
-        throw new RangeError(`invalid PKCS7 padding: pad length ${padLen} exceeds data length ${data.length}`);
-    let bad = 0;
-    for (let i = data.length - padLen; i < data.length; i++)
-        bad |= data[i] ^ padLen;
-    if (bad !== 0)
-        throw new RangeError('invalid PKCS7 padding');
-    return data.subarray(0, data.length - padLen);
-}
-// ── SerpentCbc ───────────────────────────────────────────────────────────────
+// ── PKCS7 helpers ───────────────────────────────────────────────────────────
+//
+// The canonical `pkcs7Pad` / `pkcs7Strip` live in `./shared-ops.ts`; this
+// file re-uses them so the main-thread class and the pool worker share one
+// implementation. See `shared-ops.ts` for the branch-free, Vaudenay-2002-
+// closed padding check.
+// ── SerpentCbc ──────────────────────────────────────────────────────────────
 /**
  * Serpent-256 in CBC mode with PKCS7 padding.
  *
  * **WARNING: CBC mode is unauthenticated.** Always authenticate the output
  * with HMAC-SHA256 (Encrypt-then-MAC) or use `XChaCha20Poly1305` instead.
+ *
+ * Holds exclusive access to the `serpent` WASM module from construction
+ * until `dispose()`. Constructing a second SerpentCbc/SerpentCtr/
+ * SerpentCipher or any other serpent user while this instance is live
+ * throws. Call `dispose()` when done.
  */
 export class SerpentCbc {
     x;
+    _tok;
     constructor(opts) {
         if (!opts?.dangerUnauthenticated) {
             throw new Error('leviathan-crypto: SerpentCbc is unauthenticated — use Seal with SerpentCipher instead. ' +
                 'To use SerpentCbc directly, pass { dangerUnauthenticated: true }.');
         }
         this.x = getExports();
+        this._tok = _acquireModule('serpent');
     }
+    /** View over WASM linear memory. Rebind on every access — memory can be detached after grow. @internal */
     get mem() {
         return new Uint8Array(this.x.memory.buffer);
     }
@@ -83,6 +72,8 @@ export class SerpentCbc {
    * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
    */
     encrypt(key, iv, plaintext) {
+        if (this._tok === undefined)
+            throw new Error('SerpentCbc: instance has been disposed');
         this._loadKey(key);
         this._setIv(iv);
         const padded = pkcs7Pad(plaintext);
@@ -103,11 +94,19 @@ export class SerpentCbc {
     }
     /**
    * Decrypt Serpent-256 CBC + PKCS7.
-   * Throws if ciphertext length is not a non-zero multiple of 16 or PKCS7 is invalid.
+   *
+   * All failure modes — empty input, non-multiple-of-16 length, and any
+   * PKCS7 validation failure — throw the same generic `RangeError` with
+   * message `'invalid ciphertext'`. Padding validation runs branch-free
+   * over the last 16 bytes regardless of where the mismatch is, closing
+   * the Vaudenay 2002 padding-oracle surface for callers using
+   * `{ dangerUnauthenticated: true }` without an outer HMAC.
    */
     decrypt(key, iv, ciphertext) {
+        if (this._tok === undefined)
+            throw new Error('SerpentCbc: instance has been disposed');
         if (ciphertext.length === 0 || ciphertext.length % 16 !== 0)
-            throw new RangeError('ciphertext length must be a non-zero multiple of 16');
+            throw new RangeError(PKCS7_INVALID);
         this._loadKey(key);
         this._setIv(iv);
         const output = new Uint8Array(ciphertext.length);
@@ -125,15 +124,34 @@ export class SerpentCbc {
         }
         return pkcs7Strip(output);
     }
+    /** Wipe WASM state and release exclusive module access. Idempotent. */
     dispose() {
-        this.x.wipeBuffers();
+        if (this._tok === undefined)
+            return;
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('serpent', this._tok);
+            this._tok = undefined;
+        }
     }
+    /**
+     * Validate and load `key` into the WASM key schedule.
+     * @param key  16, 24, or 32 bytes
+     * @internal
+     */
     _loadKey(key) {
         if (key.length !== 16 && key.length !== 24 && key.length !== 32)
             throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
         this.mem.set(key, this.x.getKeyOffset());
         this.x.loadKey(key.length);
     }
+    /**
+     * Write `iv` into the WASM CBC IV buffer.
+     * @param iv  16 bytes
+     * @internal
+     */
     _setIv(iv) {
         if (iv.length !== 16)
             throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);

package/dist/serpent/shared-ops.d.ts

@@ -0,0 +1,83 @@
+/** Subset of the sha2 WASM exports used by `hmacSha256`. */
+export interface Sha2OpsExports {
+    memory: WebAssembly.Memory;
+    getSha256InputOffset: () => number;
+    getSha256OutOffset: () => number;
+    sha256Init: () => void;
+    sha256Update: (len: number) => void;
+    sha256Final: () => void;
+    hmac256Init: (keyLen: number) => void;
+    hmac256Update: (len: number) => void;
+    hmac256Final: () => void;
+}
+/** Subset of the serpent WASM exports used by `cbcEncryptChunk`/`cbcDecryptChunk`. */
+export interface SerpentOpsExports {
+    memory: WebAssembly.Memory;
+    getKeyOffset: () => number;
+    getChunkPtOffset: () => number;
+    getChunkCtOffset: () => number;
+    getChunkSize: () => number;
+    getCbcIvOffset: () => number;
+    loadKey: (n: number) => number;
+    cbcEncryptChunk: (n: number) => number;
+    cbcDecryptChunk_simd: (n: number) => number;
+}
+export declare const PKCS7_INVALID = "invalid ciphertext";
+/**
+ * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
+ * Padding length is always 1–16 bytes so a full pad block is appended when
+ * `data.length` is already block-aligned.
+ * @param data  Input bytes of any length
+ * @returns     New Uint8Array padded to the next 16-byte boundary
+ */
+export declare function pkcs7Pad(data: Uint8Array): Uint8Array;
+/**
+ * Remove PKCS7 padding from a block-aligned buffer in constant time.
+ *
+ * Branch-free over all secret bits — padding length and per-byte comparisons
+ * are accumulated into a single `bad` flag with no early exit. Closes the
+ * Vaudenay 2002 padding-oracle surface. Throws a single generic
+ * `RangeError('invalid ciphertext')` for every failure mode: empty input,
+ * non-block-aligned length, padding byte out of range 1–16, and any per-byte
+ * mismatch in the padding region.
+ * @param data  Block-aligned ciphertext (length must be a multiple of 16)
+ * @returns     Plaintext with padding removed
+ */
+export declare function pkcs7Strip(data: Uint8Array): Uint8Array;
+/**
+ * Compute HMAC-SHA-256 using raw WASM sha2 exports.
+ *
+ * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
+ * input buffer is fed in 64-byte chunks to match the WASM block size.
+ * Does not call `_acquireModule` — callers must ensure no stateful instance
+ * owns the sha2 module before calling.
+ * @param sx   sha2 WASM exports
+ * @param key  HMAC key of any length
+ * @param msg  Message to authenticate
+ * @returns    32-byte HMAC-SHA-256 tag
+ */
+export declare function hmacSha256(sx: Sha2OpsExports, key: Uint8Array, msg: Uint8Array): Uint8Array;
+/**
+ * Encrypt one plaintext chunk with Serpent-256 CBC + PKCS7 padding.
+ *
+ * The padded chunk must fit within the WASM CHUNK_SIZE. Callers are
+ * responsible for splitting larger payloads before calling.
+ * @param kx     Serpent WASM exports
+ * @param key    16, 24, or 32-byte key
+ * @param iv     16-byte CBC initialisation vector
+ * @param chunk  Plaintext chunk (padded length must be ≤ WASM CHUNK_SIZE)
+ * @returns      Ciphertext with PKCS7 padding applied
+ */
+export declare function cbcEncryptChunk(kx: SerpentOpsExports, key: Uint8Array, iv: Uint8Array, chunk: Uint8Array): Uint8Array;
+/**
+ * Decrypt one Serpent-256 CBC chunk using the SIMD path and strip PKCS7 padding.
+ *
+ * Output matches `SerpentCbc.decrypt` byte-for-byte. Throws
+ * `RangeError('invalid ciphertext')` on any length or padding failure.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte key
+ * @param iv   16-byte CBC initialisation vector
+ * @param ct   Ciphertext (must be non-empty and a multiple of 16 bytes)
+ * @returns    Plaintext with PKCS7 padding removed
+ */
+export declare function cbcDecryptChunk(kx: SerpentOpsExports, key: Uint8Array, iv: Uint8Array, ct: Uint8Array): Uint8Array;

package/dist/serpent/shared-ops.js

@@ -0,0 +1,213 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/serpent/shared-ops.ts
+//
+// Pure-function primitives shared between the main-thread `SerpentCipher`
+// (cipher-suite.ts) and the `SealStreamPool` worker (pool-worker.ts). Both
+// call sites hold their own WASM exports — pool workers instantiate modules
+// locally, the main thread fetches via `getInstance()` — so every function
+// here takes the sha2/serpent exports as parameters. No dependency on
+// `init.ts`, no module-level state, no instance wrappers.
+//
+// These helpers are strictly single-chunk: the caller already divided the
+// payload into chunks ≤ WASM CHUNK_SIZE. For multi-chunk use, see
+// `SerpentCbc.encrypt`/`decrypt`, which loop over the same WASM exports.
+//
+// This file owns the canonical `pkcs7Pad` / `pkcs7Strip`; `serpent-cbc.ts`
+// re-exports them. A single source of truth keeps the branch-free,
+// Vaudenay-2002-closed padding check identical on the main-thread and
+// pool-worker paths — divergence between the two would reintroduce an
+// oracle.
+// ── PKCS7 ───────────────────────────────────────────────────────────────────
+// Generic error string used by every failure mode of `pkcs7Strip` and the
+// length/alignment gate in `SerpentCbc.decrypt`. No numeric leaks, no
+// structural disclosure — a caller cannot distinguish "bad length" from
+// "bad padding" by message or by timing.
+export const PKCS7_INVALID = 'invalid ciphertext';
+/**
+ * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
+ * Padding length is always 1–16 bytes so a full pad block is appended when
+ * `data.length` is already block-aligned.
+ * @param data  Input bytes of any length
+ * @returns     New Uint8Array padded to the next 16-byte boundary
+ */
+export function pkcs7Pad(data) {
+    const padLen = 16 - (data.length % 16); // 1..16
+    const out = new Uint8Array(data.length + padLen);
+    out.set(data);
+    out.fill(padLen, data.length);
+    return out;
+}
+/**
+ * Remove PKCS7 padding from a block-aligned buffer in constant time.
+ *
+ * Branch-free over all secret bits — padding length and per-byte comparisons
+ * are accumulated into a single `bad` flag with no early exit. Closes the
+ * Vaudenay 2002 padding-oracle surface. Throws a single generic
+ * `RangeError('invalid ciphertext')` for every failure mode: empty input,
+ * non-block-aligned length, padding byte out of range 1–16, and any per-byte
+ * mismatch in the padding region.
+ * @param data  Block-aligned ciphertext (length must be a multiple of 16)
+ * @returns     Plaintext with padding removed
+ */
+export function pkcs7Strip(data) {
+    if (data.length === 0 || data.length % 16 !== 0)
+        throw new RangeError(PKCS7_INVALID);
+    const padLen = data[data.length - 1];
+    let bad = 0;
+    bad |= ((padLen - 1) >>> 31); // 1 if padLen == 0
+    bad |= ((16 - padLen) >>> 31); // 1 if padLen > 16
+    // Per-byte pad-region mask without branches on secret bits.
+    //   inPadRegion = 0xff when i >= 16 - padLen
+    //               = 0x00 otherwise
+    //
+    // (16 - padLen - i - 1) is negative iff i >= 16 - padLen. A signed
+    // arithmetic shift by 31 yields -1 for negative, 0 for non-negative;
+    // ANDing with 0xff collapses those to 0xff and 0x00.
+    for (let i = 0; i < 16; i++) {
+        const idx = data.length - 16 + i;
+        const mask = ((16 - padLen - i - 1) >> 31) & 0xff;
+        bad |= (data[idx] ^ padLen) & mask;
+    }
+    const invalid = ((bad - 1) >>> 31) ^ 1;
+    if (invalid)
+        throw new RangeError(PKCS7_INVALID);
+    return data.subarray(0, data.length - padLen);
+}
+// ── HMAC-SHA-256 ────────────────────────────────────────────────────────────
+/**
+ * Compute HMAC-SHA-256 using raw WASM sha2 exports.
+ *
+ * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
+ * input buffer is fed in 64-byte chunks to match the WASM block size.
+ * Does not call `_acquireModule` — callers must ensure no stateful instance
+ * owns the sha2 module before calling.
+ * @param sx   sha2 WASM exports
+ * @param key  HMAC key of any length
+ * @param msg  Message to authenticate
+ * @returns    32-byte HMAC-SHA-256 tag
+ */
+export function hmacSha256(sx, key, msg) {
+    const inOff = sx.getSha256InputOffset();
+    const outOff = sx.getSha256OutOffset();
+    let k = key;
+    if (k.length > 64) {
+        sx.sha256Init();
+        feedMemory(sx.memory, inOff, k, 64, sx.sha256Update);
+        sx.sha256Final();
+        k = new Uint8Array(sx.memory.buffer).slice(outOff, outOff + 32);
+    }
+    const mem = new Uint8Array(sx.memory.buffer);
+    mem.set(k, inOff);
+    sx.hmac256Init(k.length);
+    feedMemory(sx.memory, inOff, msg, 64, sx.hmac256Update);
+    sx.hmac256Final();
+    return new Uint8Array(sx.memory.buffer).slice(outOff, outOff + 32);
+}
+/**
+ * Copy `msg` into WASM linear memory at `inputOff` in `chunkSize`-byte
+ * increments, calling `update(n)` after each write.
+ * @param memory     WASM memory object
+ * @param inputOff   Byte offset of the WASM input buffer
+ * @param msg        Data to feed
+ * @param chunkSize  Maximum bytes per write (must match WASM buffer size)
+ * @param update     WASM update function to call after each write
+ * @internal
+ */
+function feedMemory(memory, inputOff, msg, chunkSize, update) {
+    const mem = new Uint8Array(memory.buffer);
+    let pos = 0;
+    while (pos < msg.length) {
+        const n = Math.min(msg.length - pos, chunkSize);
+        mem.set(msg.subarray(pos, pos + n), inputOff);
+        update(n);
+        pos += n;
+    }
+}
+// ── Serpent-CBC (single chunk) ──────────────────────────────────────────────
+/**
+ * Encrypt one plaintext chunk with Serpent-256 CBC + PKCS7 padding.
+ *
+ * The padded chunk must fit within the WASM CHUNK_SIZE. Callers are
+ * responsible for splitting larger payloads before calling.
+ * @param kx     Serpent WASM exports
+ * @param key    16, 24, or 32-byte key
+ * @param iv     16-byte CBC initialisation vector
+ * @param chunk  Plaintext chunk (padded length must be ≤ WASM CHUNK_SIZE)
+ * @returns      Ciphertext with PKCS7 padding applied
+ */
+export function cbcEncryptChunk(kx, key, iv, chunk) {
+    loadKeyAndIv(kx, key, iv);
+    const padded = pkcs7Pad(chunk);
+    const ptOff = kx.getChunkPtOffset();
+    const ctOff = kx.getChunkCtOffset();
+    const mem = new Uint8Array(kx.memory.buffer);
+    mem.set(padded, ptOff);
+    const ret = kx.cbcEncryptChunk(padded.length);
+    if (ret < 0)
+        throw new RangeError(`cbcEncryptChunk rejected len=${padded.length}` +
+            ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+    return new Uint8Array(kx.memory.buffer).slice(ctOff, ctOff + padded.length);
+}
+/**
+ * Decrypt one Serpent-256 CBC chunk using the SIMD path and strip PKCS7 padding.
+ *
+ * Output matches `SerpentCbc.decrypt` byte-for-byte. Throws
+ * `RangeError('invalid ciphertext')` on any length or padding failure.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte key
+ * @param iv   16-byte CBC initialisation vector
+ * @param ct   Ciphertext (must be non-empty and a multiple of 16 bytes)
+ * @returns    Plaintext with PKCS7 padding removed
+ */
+export function cbcDecryptChunk(kx, key, iv, ct) {
+    if (ct.length === 0 || ct.length % 16 !== 0)
+        throw new RangeError(PKCS7_INVALID);
+    loadKeyAndIv(kx, key, iv);
+    const ctOff = kx.getChunkCtOffset();
+    const ptOff = kx.getChunkPtOffset();
+    const mem = new Uint8Array(kx.memory.buffer);
+    mem.set(ct, ctOff);
+    const ret = kx.cbcDecryptChunk_simd(ct.length);
+    if (ret < 0)
+        throw new RangeError(`cbcDecryptChunk_simd rejected len=${ct.length}` +
+            ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+    const raw = new Uint8Array(kx.memory.buffer).slice(ptOff, ptOff + ct.length);
+    return pkcs7Strip(raw);
+}
+/**
+ * Validate, then write `key` and `iv` into the WASM buffers and expand the key schedule.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte Serpent key
+ * @param iv   16-byte CBC initialisation vector
+ * @internal
+ */
+function loadKeyAndIv(kx, key, iv) {
+    if (key.length !== 16 && key.length !== 24 && key.length !== 32)
+        throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
+    if (iv.length !== 16)
+        throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);
+    const mem = new Uint8Array(kx.memory.buffer);
+    mem.set(key, kx.getKeyOffset());
+    kx.loadKey(key.length);
+    mem.set(iv, kx.getCbcIvOffset());
+}

package/dist/serpent/types.d.ts

@@ -1,5 +1 @@
-/** WASM exports for the serpent module */
-export interface SerpentExports {
-    memory: WebAssembly.Memory;
-    getModuleId(): number;
-}
+export {};

package/dist/sha2/hash.d.ts

@@ -0,0 +1,2 @@
+import type { HashFn } from '../types.js';
+export declare const SHA256Hash: HashFn;

package/dist/sha2/hash.js

@@ -0,0 +1,53 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sha2/hash.ts
+//
+// Stateless SHA-256 HashFn for Fortuna's accumulator and reseed slots.
+import { _assertNotOwned, getInstance } from '../init.js';
+export const SHA256Hash = {
+    outputSize: 32,
+    wasmModules: ['sha2'],
+    digest(msg) {
+        _assertNotOwned('sha2');
+        const x = getInstance('sha2').exports;
+        const mem = new Uint8Array(x.memory.buffer);
+        try {
+            x.sha256Init();
+            const inOff = x.getSha256InputOffset();
+            let pos = 0;
+            while (pos < msg.length) {
+                const n = Math.min(msg.length - pos, 64);
+                mem.set(msg.subarray(pos, pos + n), inOff);
+                x.sha256Update(n);
+                pos += n;
+            }
+            x.sha256Final();
+            const outOff = x.getSha256OutOffset();
+            return mem.slice(outOff, outOff + 32);
+        }
+        finally {
+            // Wipe the SHA-256 input/output/state scratch so secret-derived
+            // inputs (e.g. Fortuna pool entropy) do not outlive this call.
+            x.wipeBuffers();
+        }
+    },
+};

package/dist/sha2/index.d.ts

@@ -39,3 +39,4 @@ export declare class HMAC_SHA384 {
     dispose(): void;
 }
 export { HKDF_SHA256, HKDF_SHA512 } from './hkdf.js';
+export { SHA256Hash } from './hash.js';

package/dist/sha2/index.js

@@ -23,7 +23,7 @@
 //
 // Public API classes for the SHA-2 WASM module.
 // Uses the init() module cache — call sha2Init(source) before constructing.
-import { getInstance, initModule } from '../init.js';
+import { getInstance, initModule, _assertNotOwned } from '../init.js';
 export async function sha2Init(source) {
     return initModule('sha2', source);
 }
@@ -57,6 +57,7 @@ export class SHA256 {
         this.x = getExports();
     }
     hash(msg) {
+        _assertNotOwned('sha2');
         this.x.sha256Init();
         feedHash(this.x, msg, this.x.getSha256InputOffset(), 64, this.x.sha256Update);
         this.x.sha256Final();
@@ -64,6 +65,7 @@ export class SHA256 {
         return mem.slice(this.x.getSha256OutOffset(), this.x.getSha256OutOffset() + 32);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
@@ -74,6 +76,7 @@ export class SHA512 {
         this.x = getExports();
     }
     hash(msg) {
+        _assertNotOwned('sha2');
         this.x.sha512Init();
         feedHash(this.x, msg, this.x.getSha512InputOffset(), 128, this.x.sha512Update);
         this.x.sha512Final();
@@ -81,6 +84,7 @@ export class SHA512 {
         return mem.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 64);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
@@ -91,6 +95,7 @@ export class SHA384 {
         this.x = getExports();
     }
     hash(msg) {
+        _assertNotOwned('sha2');
         this.x.sha384Init();
         feedHash(this.x, msg, this.x.getSha512InputOffset(), 128, this.x.sha512Update);
         this.x.sha384Final();
@@ -98,6 +103,7 @@ export class SHA384 {
         return mem.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 48);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
@@ -108,6 +114,7 @@ export class HMAC_SHA256 {
         this.x = getExports();
     }
     hash(key, msg) {
+        _assertNotOwned('sha2');
         let k = key;
         // RFC 2104 §3: keys longer than block size are pre-hashed
         if (k.length > 64) {
@@ -126,6 +133,7 @@ export class HMAC_SHA256 {
         return out.slice(this.x.getSha256OutOffset(), this.x.getSha256OutOffset() + 32);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
@@ -136,6 +144,7 @@ export class HMAC_SHA512 {
         this.x = getExports();
     }
     hash(key, msg) {
+        _assertNotOwned('sha2');
         let k = key;
         // RFC 2104 §3: keys longer than block size (128) are pre-hashed
         if (k.length > 128) {
@@ -154,6 +163,7 @@ export class HMAC_SHA512 {
         return out.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 64);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
@@ -164,6 +174,7 @@ export class HMAC_SHA384 {
         this.x = getExports();
     }
     hash(key, msg) {
+        _assertNotOwned('sha2');
         let k = key;
         // RFC 2104 §3: keys longer than block size (128) are pre-hashed with SHA-384
         if (k.length > 128) {
@@ -182,8 +193,11 @@ export class HMAC_SHA384 {
         return out.slice(this.x.getSha512OutOffset(), this.x.getSha512OutOffset() + 48);
     }
     dispose() {
+        _assertNotOwned('sha2');
         this.x.wipeBuffers();
     }
 }
 // ── HKDF ────────────────────────────────────────────────────────────────────
 export { HKDF_SHA256, HKDF_SHA512 } from './hkdf.js';
+// ── SHA256Hash ──────────────────────────────────────────────────────────────
+export { SHA256Hash } from './hash.js';

package/dist/sha3/hash.d.ts

@@ -0,0 +1,2 @@
+import type { HashFn } from '../types.js';
+export declare const SHA3_256Hash: HashFn;

package/dist/sha3/hash.js

@@ -0,0 +1,53 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sha3/hash.ts
+//
+// Stateless SHA3-256 HashFn for Fortuna's accumulator and reseed slots.
+import { _assertNotOwned, getInstance } from '../init.js';
+export const SHA3_256Hash = {
+    outputSize: 32,
+    wasmModules: ['sha3'],
+    digest(msg) {
+        _assertNotOwned('sha3');
+        const x = getInstance('sha3').exports;
+        const mem = new Uint8Array(x.memory.buffer);
+        try {
+            x.sha3_256Init();
+            const inOff = x.getInputOffset();
+            let pos = 0;
+            while (pos < msg.length) {
+                const n = Math.min(msg.length - pos, 168);
+                mem.set(msg.subarray(pos, pos + n), inOff);
+                x.keccakAbsorb(n);
+                pos += n;
+            }
+            x.sha3_256Final();
+            const outOff = x.getOutOffset();
+            return mem.slice(outOff, outOff + 32);
+        }
+        finally {
+            // Wipe the keccak input/output/sponge state so secret-derived
+            // inputs (e.g. Fortuna pool entropy) do not outlive this call.
+            x.wipeBuffers();
+        }
+    },
+};