leviathan-crypto 2.0.1 → 3.0.0

package/dist/serpent/serpent-cbc.js

@@ -21,56 +21,45 @@
 //
 // src/ts/serpent/serpent-cbc.ts
 //
-// SerpentCbc — Serpent-256 CBC + PKCS7, internal module.
+// SerpentCbc, Serpent-256 CBC + PKCS7, internal module.
 // Extracted to break the cipher-suite.ts ↔ index.ts circular dependency.
 // Import from here directly; index.ts re-exports for the public API surface.
-import { getInstance } from '../init.js';
+import { getInstance, _acquireModule, _releaseModule } from '../init.js';
+import { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from './shared-ops.js';
+/** Returns the raw serpent WASM export object. @internal */
 function getExports() {
     return getInstance('serpent').exports;
 }
-// ── PKCS7 helpers ────────────────────────────────────────────────────────────
-function pkcs7Pad(data) {
-    const padLen = 16 - (data.length % 16); // 1..16
-    const out = new Uint8Array(data.length + padLen);
-    out.set(data);
-    out.fill(padLen, data.length);
-    return out;
-}
-// pkcs7Strip is only called after HMAC authentication succeeds (verify-then-decrypt).
-// The early throw on invalid padLen is not a padding oracle in this context —
-// the HMAC check is the oracle gate and runs in constant time before this point.
-// If you move this call to a pre-auth site, revisit the timing properties.
-function pkcs7Strip(data) {
-    if (data.length === 0)
-        throw new RangeError('empty ciphertext');
-    const padLen = data[data.length - 1];
-    if (padLen === 0 || padLen > 16)
-        throw new RangeError(`invalid PKCS7 padding byte: ${padLen}`);
-    if (padLen > data.length)
-        throw new RangeError(`invalid PKCS7 padding: pad length ${padLen} exceeds data length ${data.length}`);
-    let bad = 0;
-    for (let i = data.length - padLen; i < data.length; i++)
-        bad |= data[i] ^ padLen;
-    if (bad !== 0)
-        throw new RangeError('invalid PKCS7 padding');
-    return data.subarray(0, data.length - padLen);
-}
-// ── SerpentCbc ───────────────────────────────────────────────────────────────
+// ── PKCS7 helpers ───────────────────────────────────────────────────────────
+//
+// The canonical `pkcs7Pad` / `pkcs7Strip` live in `./shared-ops.ts`; this
+// file re-uses them so the main-thread class and the pool worker share one
+// implementation. See `shared-ops.ts` for the branch-free, Vaudenay-2002-
+// closed padding check.
+// ── SerpentCbc ──────────────────────────────────────────────────────────────
 /**
  * Serpent-256 in CBC mode with PKCS7 padding.
  *
  * **WARNING: CBC mode is unauthenticated.** Always authenticate the output
  * with HMAC-SHA256 (Encrypt-then-MAC) or use `XChaCha20Poly1305` instead.
+ *
+ * Holds exclusive access to the `serpent` WASM module from construction
+ * until `dispose()`. Constructing a second SerpentCbc/SerpentCtr/
+ * SerpentCipher or any other serpent user while this instance is live
+ * throws. Call `dispose()` when done.
  */
 export class SerpentCbc {
     x;
+    _tok;
     constructor(opts) {
         if (!opts?.dangerUnauthenticated) {
-            throw new Error('leviathan-crypto: SerpentCbc is unauthenticated — use Seal with SerpentCipher instead. ' +
+            throw new Error('leviathan-crypto: SerpentCbc is unauthenticated, use Seal with SerpentCipher instead. ' +
                 'To use SerpentCbc directly, pass { dangerUnauthenticated: true }.');
         }
         this.x = getExports();
+        this._tok = _acquireModule('serpent');
     }
+    /** View over WASM linear memory. Rebind on every access, memory can be detached after grow. @internal */
     get mem() {
         return new Uint8Array(this.x.memory.buffer);
     }
@@ -78,11 +67,13 @@ export class SerpentCbc {
    * Encrypt plaintext with Serpent-256 CBC + PKCS7 padding.
    *
    * @param key       16, 24, or 32 bytes
-   * @param iv        16 bytes — must be random and unique per (key, message)
-   * @param plaintext any length — PKCS7 padding applied automatically
+   * @param iv        16 bytes, must be random and unique per (key, message)
+   * @param plaintext any length, PKCS7 padding applied automatically
    * @returns         ciphertext (length = ceil((plaintext.length + 1) / 16) * 16)
    */
     encrypt(key, iv, plaintext) {
+        if (this._tok === undefined)
+            throw new Error('SerpentCbc: instance has been disposed');
         this._loadKey(key);
         this._setIv(iv);
         const padded = pkcs7Pad(plaintext);
@@ -103,11 +94,19 @@ export class SerpentCbc {
     }
     /**
    * Decrypt Serpent-256 CBC + PKCS7.
-   * Throws if ciphertext length is not a non-zero multiple of 16 or PKCS7 is invalid.
+   *
+   * All failure modes, empty input, non-multiple-of-16 length, and any
+   * PKCS7 validation failure, throw the same generic `RangeError` with
+   * message `'invalid ciphertext'`. Padding validation runs branch-free
+   * over the last 16 bytes regardless of where the mismatch is, closing
+   * the Vaudenay 2002 padding-oracle surface for callers using
+   * `{ dangerUnauthenticated: true }` without an outer HMAC.
    */
     decrypt(key, iv, ciphertext) {
+        if (this._tok === undefined)
+            throw new Error('SerpentCbc: instance has been disposed');
         if (ciphertext.length === 0 || ciphertext.length % 16 !== 0)
-            throw new RangeError('ciphertext length must be a non-zero multiple of 16');
+            throw new RangeError(PKCS7_INVALID);
         this._loadKey(key);
         this._setIv(iv);
         const output = new Uint8Array(ciphertext.length);
@@ -125,15 +124,37 @@ export class SerpentCbc {
         }
         return pkcs7Strip(output);
     }
+    /** Wipe WASM state and release exclusive module access. Idempotent. */
     dispose() {
-        this.x.wipeBuffers();
+        if (this._tok === undefined)
+            return;
+        try {
+            this.x.wipeBuffers();
+        }
+        finally {
+            _releaseModule('serpent', this._tok);
+            this._tok = undefined;
+        }
     }
+    /**
+     * Validate and load `key` into the WASM key schedule.
+     * @param key  16, 24, or 32 bytes
+     * @internal
+     */
     _loadKey(key) {
         if (key.length !== 16 && key.length !== 24 && key.length !== 32)
             throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
         this.mem.set(key, this.x.getKeyOffset());
-        this.x.loadKey(key.length);
+        if (this.x.loadKey(key.length) !== 0) {
+            this.x.wipeBuffers();
+            throw new Error('SerpentCbc: loadKey failed');
+        }
     }
+    /**
+     * Write `iv` into the WASM CBC IV buffer.
+     * @param iv  16 bytes
+     * @internal
+     */
     _setIv(iv) {
         if (iv.length !== 16)
             throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);

package/dist/serpent/shared-ops.d.ts

@@ -0,0 +1,63 @@
+export { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
+/** Subset of the sha2 WASM exports used by `hmacSha256`. */
+export interface Sha2OpsExports {
+    memory: WebAssembly.Memory;
+    getSha256InputOffset: () => number;
+    getSha256OutOffset: () => number;
+    sha256Init: () => void;
+    sha256Update: (len: number) => void;
+    sha256Final: () => void;
+    hmac256Init: (keyLen: number) => void;
+    hmac256Update: (len: number) => void;
+    hmac256Final: () => void;
+}
+/** Subset of the serpent WASM exports used by `cbcEncryptChunk`/`cbcDecryptChunk`. */
+export interface SerpentOpsExports {
+    memory: WebAssembly.Memory;
+    getKeyOffset: () => number;
+    getChunkPtOffset: () => number;
+    getChunkCtOffset: () => number;
+    getChunkSize: () => number;
+    getCbcIvOffset: () => number;
+    loadKey: (n: number) => number;
+    cbcEncryptChunk: (n: number) => number;
+    cbcDecryptChunk_simd: (n: number) => number;
+    wipeBuffers: () => void;
+}
+/**
+ * Compute HMAC-SHA-256 using raw WASM sha2 exports.
+ *
+ * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
+ * input buffer is fed in 64-byte chunks to match the WASM block size.
+ * Does not call `_acquireModule`, callers must ensure no stateful instance
+ * owns the sha2 module before calling.
+ * @param sx   sha2 WASM exports
+ * @param key  HMAC key of any length
+ * @param msg  Message to authenticate
+ * @returns    32-byte HMAC-SHA-256 tag
+ */
+export declare function hmacSha256(sx: Sha2OpsExports, key: Uint8Array, msg: Uint8Array): Uint8Array;
+/**
+ * Encrypt one plaintext chunk with Serpent-256 CBC + PKCS7 padding.
+ *
+ * The padded chunk must fit within the WASM CHUNK_SIZE. Callers are
+ * responsible for splitting larger payloads before calling.
+ * @param kx     Serpent WASM exports
+ * @param key    16, 24, or 32-byte key
+ * @param iv     16-byte CBC initialisation vector
+ * @param chunk  Plaintext chunk (padded length must be ≤ WASM CHUNK_SIZE)
+ * @returns      Ciphertext with PKCS7 padding applied
+ */
+export declare function cbcEncryptChunk(kx: SerpentOpsExports, key: Uint8Array, iv: Uint8Array, chunk: Uint8Array): Uint8Array;
+/**
+ * Decrypt one Serpent-256 CBC chunk using the SIMD path and strip PKCS7 padding.
+ *
+ * Output matches `SerpentCbc.decrypt` byte-for-byte. Throws
+ * `RangeError('invalid ciphertext')` on any length or padding failure.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte key
+ * @param iv   16-byte CBC initialisation vector
+ * @param ct   Ciphertext (must be non-empty and a multiple of 16 bytes)
+ * @returns    Plaintext with PKCS7 padding removed
+ */
+export declare function cbcDecryptChunk(kx: SerpentOpsExports, key: Uint8Array, iv: Uint8Array, ct: Uint8Array): Uint8Array;

package/dist/serpent/shared-ops.js

@@ -0,0 +1,178 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/serpent/shared-ops.ts
+//
+// Pure-function primitives shared between the main-thread `SerpentCipher`
+// (cipher-suite.ts) and the `SealStreamPool` worker (pool-worker.ts). Both
+// call sites hold their own WASM exports, pool workers instantiate modules
+// locally, the main thread fetches via `getInstance()`, so every function
+// here takes the sha2/serpent exports as parameters. No dependency on
+// `init.ts`, no module-level state, no instance wrappers.
+//
+// These helpers are strictly single-chunk: the caller already divided the
+// payload into chunks ≤ WASM CHUNK_SIZE. For multi-chunk use, see
+// `SerpentCbc.encrypt`/`decrypt`, which loop over the same WASM exports.
+//
+// `pkcs7Pad` / `pkcs7Strip` / `PKCS7_INVALID` live in `../shared/pkcs7.js`
+// and are re-exported here so existing serpent-side imports keep working.
+// A single source of truth keeps the branch-free, Vaudenay-2002-closed
+// padding check identical across all CBC paths.
+export { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
+import { pkcs7Pad, pkcs7Strip, PKCS7_INVALID } from '../shared/pkcs7.js';
+// ── HMAC-SHA-256 ────────────────────────────────────────────────────────────
+/**
+ * Compute HMAC-SHA-256 using raw WASM sha2 exports.
+ *
+ * Keys longer than 64 bytes are pre-hashed per RFC 2104 §3. The SHA-256
+ * input buffer is fed in 64-byte chunks to match the WASM block size.
+ * Does not call `_acquireModule`, callers must ensure no stateful instance
+ * owns the sha2 module before calling.
+ * @param sx   sha2 WASM exports
+ * @param key  HMAC key of any length
+ * @param msg  Message to authenticate
+ * @returns    32-byte HMAC-SHA-256 tag
+ */
+export function hmacSha256(sx, key, msg) {
+    const inOff = sx.getSha256InputOffset();
+    const outOff = sx.getSha256OutOffset();
+    let k = key;
+    if (k.length > 64) {
+        sx.sha256Init();
+        feedMemory(sx.memory, inOff, k, 64, sx.sha256Update);
+        sx.sha256Final();
+        k = new Uint8Array(sx.memory.buffer).slice(outOff, outOff + 32);
+    }
+    const mem = new Uint8Array(sx.memory.buffer);
+    mem.set(k, inOff);
+    sx.hmac256Init(k.length);
+    feedMemory(sx.memory, inOff, msg, 64, sx.hmac256Update);
+    sx.hmac256Final();
+    return new Uint8Array(sx.memory.buffer).slice(outOff, outOff + 32);
+}
+/**
+ * Copy `msg` into WASM linear memory at `inputOff` in `chunkSize`-byte
+ * increments, calling `update(n)` after each write.
+ * @param memory     WASM memory object
+ * @param inputOff   Byte offset of the WASM input buffer
+ * @param msg        Data to feed
+ * @param chunkSize  Maximum bytes per write (must match WASM buffer size)
+ * @param update     WASM update function to call after each write
+ * @internal
+ */
+function feedMemory(memory, inputOff, msg, chunkSize, update) {
+    const mem = new Uint8Array(memory.buffer);
+    let pos = 0;
+    while (pos < msg.length) {
+        const n = Math.min(msg.length - pos, chunkSize);
+        mem.set(msg.subarray(pos, pos + n), inputOff);
+        update(n);
+        pos += n;
+    }
+}
+// ── Serpent-CBC (single chunk) ──────────────────────────────────────────────
+/**
+ * Encrypt one plaintext chunk with Serpent-256 CBC + PKCS7 padding.
+ *
+ * The padded chunk must fit within the WASM CHUNK_SIZE. Callers are
+ * responsible for splitting larger payloads before calling.
+ * @param kx     Serpent WASM exports
+ * @param key    16, 24, or 32-byte key
+ * @param iv     16-byte CBC initialisation vector
+ * @param chunk  Plaintext chunk (padded length must be ≤ WASM CHUNK_SIZE)
+ * @returns      Ciphertext with PKCS7 padding applied
+ */
+export function cbcEncryptChunk(kx, key, iv, chunk) {
+    loadKeyAndIv(kx, key, iv);
+    try {
+        const padded = pkcs7Pad(chunk);
+        const ptOff = kx.getChunkPtOffset();
+        const ctOff = kx.getChunkCtOffset();
+        const mem = new Uint8Array(kx.memory.buffer);
+        mem.set(padded, ptOff);
+        const ret = kx.cbcEncryptChunk(padded.length);
+        if (ret < 0)
+            throw new RangeError(`cbcEncryptChunk rejected len=${padded.length}` +
+                ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+        return new Uint8Array(kx.memory.buffer).slice(ctOff, ctOff + padded.length);
+    }
+    catch (err) {
+        // Length-error or any other throw past loadKeyAndIv leaves key+iv staged.
+        // Wipe before re-throwing, the cipher-suite caller may not call dispose.
+        kx.wipeBuffers();
+        throw err;
+    }
+}
+/**
+ * Decrypt one Serpent-256 CBC chunk using the SIMD path and strip PKCS7 padding.
+ *
+ * Output matches `SerpentCbc.decrypt` byte-for-byte. Throws
+ * `RangeError('invalid ciphertext')` on any length or padding failure.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte key
+ * @param iv   16-byte CBC initialisation vector
+ * @param ct   Ciphertext (must be non-empty and a multiple of 16 bytes)
+ * @returns    Plaintext with PKCS7 padding removed
+ */
+export function cbcDecryptChunk(kx, key, iv, ct) {
+    if (ct.length === 0 || ct.length % 16 !== 0)
+        throw new RangeError(PKCS7_INVALID);
+    loadKeyAndIv(kx, key, iv);
+    try {
+        const ctOff = kx.getChunkCtOffset();
+        const ptOff = kx.getChunkPtOffset();
+        const mem = new Uint8Array(kx.memory.buffer);
+        mem.set(ct, ctOff);
+        const ret = kx.cbcDecryptChunk_simd(ct.length);
+        if (ret < 0)
+            throw new RangeError(`cbcDecryptChunk_simd rejected len=${ct.length}` +
+                ` (WASM CHUNK_SIZE=${kx.getChunkSize()})`);
+        const raw = new Uint8Array(kx.memory.buffer).slice(ptOff, ptOff + ct.length);
+        return pkcs7Strip(raw);
+    }
+    catch (err) {
+        // Length-error, padding mismatch, or any other throw past loadKeyAndIv
+        // leaves key+iv staged. Wipe before re-throwing, bad PKCS7 padding is
+        // a Vaudenay-attack signal; per-chunk staged key+iv must not survive it.
+        kx.wipeBuffers();
+        throw err;
+    }
+}
+/**
+ * Validate, then write `key` and `iv` into the WASM buffers and expand the key schedule.
+ * @param kx   Serpent WASM exports
+ * @param key  16, 24, or 32-byte Serpent key
+ * @param iv   16-byte CBC initialisation vector
+ * @internal
+ */
+function loadKeyAndIv(kx, key, iv) {
+    if (key.length !== 16 && key.length !== 24 && key.length !== 32)
+        throw new RangeError(`Serpent key must be 16, 24, or 32 bytes (got ${key.length})`);
+    if (iv.length !== 16)
+        throw new RangeError(`CBC IV must be 16 bytes (got ${iv.length})`);
+    const mem = new Uint8Array(kx.memory.buffer);
+    mem.set(key, kx.getKeyOffset());
+    if (kx.loadKey(key.length) !== 0) {
+        kx.wipeBuffers();
+        throw new Error('Serpent shared-ops: loadKey failed');
+    }
+    mem.set(iv, kx.getCbcIvOffset());
+}

package/dist/serpent/types.d.ts

@@ -1,5 +1 @@
-/** WASM exports for the serpent module */
-export interface SerpentExports {
-    memory: WebAssembly.Memory;
-    getModuleId(): number;
-}
+export {};

package/dist/sha2/hash.d.ts

@@ -0,0 +1,2 @@
+import type { HashFn } from '../types.js';
+export declare const SHA256Hash: HashFn;

package/dist/sha2/hash.js

@@ -0,0 +1,53 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sha2/hash.ts
+//
+// Stateless SHA-256 HashFn for Fortuna's accumulator and reseed slots.
+import { _assertNotOwned, getInstance } from '../init.js';
+export const SHA256Hash = {
+    outputSize: 32,
+    wasmModules: ['sha2'],
+    digest(msg) {
+        _assertNotOwned('sha2');
+        const x = getInstance('sha2').exports;
+        const mem = new Uint8Array(x.memory.buffer);
+        try {
+            x.sha256Init();
+            const inOff = x.getSha256InputOffset();
+            let pos = 0;
+            while (pos < msg.length) {
+                const n = Math.min(msg.length - pos, 64);
+                mem.set(msg.subarray(pos, pos + n), inOff);
+                x.sha256Update(n);
+                pos += n;
+            }
+            x.sha256Final();
+            const outOff = x.getSha256OutOffset();
+            return mem.slice(outOff, outOff + 32);
+        }
+        finally {
+            // Wipe the SHA-256 input/output/state scratch so secret-derived
+            // inputs (e.g. Fortuna pool entropy) do not outlive this call.
+            x.wipeBuffers();
+        }
+    },
+};

package/dist/sha2/hkdf.js

@@ -21,7 +21,7 @@
 //
 // src/ts/sha2/hkdf.ts
 //
-// RFC 5869 — HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+// RFC 5869, HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
 // Pure TS composition over HMAC_SHA256 and HMAC_SHA512.
 import { HMAC_SHA256, HMAC_SHA512 } from './index.js';
 // ── HKDF_SHA256 ─────────────────────────────────────────────────────────────
@@ -30,12 +30,12 @@ export class HKDF_SHA256 {
     constructor() {
         this.hmac = new HMAC_SHA256();
     }
-    // RFC 5869 §2.2 — Extract
+    // RFC 5869 §2.2, Extract
     extract(salt, ikm) {
         const s = (!salt || salt.length === 0) ? new Uint8Array(32) : salt;
         return this.hmac.hash(s, ikm);
     }
-    // RFC 5869 §2.3 — Expand
+    // RFC 5869 §2.3, Expand
     expand(prk, info, length) {
         if (prk.length !== 32)
             throw new RangeError('HKDF expand: PRK must be 32 bytes');
@@ -79,12 +79,12 @@ export class HKDF_SHA512 {
     constructor() {
         this.hmac = new HMAC_SHA512();
     }
-    // RFC 5869 §2.2 — Extract
+    // RFC 5869 §2.2, Extract
     extract(salt, ikm) {
         const s = (!salt || salt.length === 0) ? new Uint8Array(64) : salt;
         return this.hmac.hash(s, ikm);
     }
-    // RFC 5869 §2.3 — Expand
+    // RFC 5869 §2.3, Expand
     expand(prk, info, length) {
         if (prk.length !== 64)
             throw new RangeError('HKDF expand: PRK must be 64 bytes');

package/dist/sha2/index.d.ts

@@ -1,7 +1,9 @@
 import type { WasmSource } from '../wasm-source.js';
+import type { Sha2Exports } from './types.js';
 export declare function sha2Init(source: WasmSource): Promise<void>;
 export type { WasmSource };
-export declare function _sha2Ready(): boolean;
+export type { Sha2Exports };
+export { isInitialized } from '../init.js';
 export declare class SHA256 {
     private readonly x;
     constructor();
@@ -20,6 +22,24 @@ export declare class SHA384 {
     hash(msg: Uint8Array): Uint8Array;
     dispose(): void;
 }
+export declare class SHA224 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+export declare class SHA512_224 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
+export declare class SHA512_256 {
+    private readonly x;
+    constructor();
+    hash(msg: Uint8Array): Uint8Array;
+    dispose(): void;
+}
 export declare class HMAC_SHA256 {
     private readonly x;
     constructor();
@@ -39,3 +59,4 @@ export declare class HMAC_SHA384 {
     dispose(): void;
 }
 export { HKDF_SHA256, HKDF_SHA512 } from './hkdf.js';
+export { SHA256Hash } from './hash.js';