react-native-quick-crypto 1.0.0-beta.13 → 1.0.0-beta.15

package/README.md

@@ -26,7 +26,7 @@ QuickCrypto can be used as a drop-in replacement for your Web3/Crypto apps to sp
 
 | Version | RN Architecture | Modules |
 | ------- | ------ | ------- |
-| `1.x`     | new [->](https://github.com/reactwg/react-native-new-architecture/blob/main/docs/enable-apps.md)  | Nitro Modules [->](https://github.com/margelo/react-native-nitro) |
+| `1.x`     | new [->](https://github.com/reactwg/react-native-new-architecture/blob/main/docs/enable-apps.md)  | Nitro Modules [->](https://github.com/mrousavy/nitro) |
 | `0.x`     | old  | Bridge & JSI |
 
 ## Benchmarks

package/android/CMakeLists.txt

@@ -9,9 +9,12 @@ set(CMAKE_CXX_STANDARD 20)
 add_library(
   ${PACKAGE_NAME} SHARED
   src/main/cpp/cpp-adapter.cpp
-  ../cpp/hmac/HybridHmac.cpp
-  ../cpp/hash/HybridHash.cpp
+  ../cpp/cipher/CCMCipher.cpp
+  ../cpp/cipher/HybridCipher.cpp
+  ../cpp/cipher/OCBCipher.cpp
   ../cpp/ed25519/HybridEdKeyPair.cpp
+  ../cpp/hash/HybridHash.cpp
+  ../cpp/hmac/HybridHmac.cpp
   ../cpp/pbkdf2/HybridPbkdf2.cpp
   ../cpp/random/HybridRandom.cpp
   ../deps/fastpbkdf2/fastpbkdf2.c
@@ -23,9 +26,10 @@ include(${CMAKE_SOURCE_DIR}/../nitrogen/generated/android/QuickCrypto+autolinkin
 # local includes
 include_directories(
   "src/main/cpp"
-  "../cpp/hmac"
-  "../cpp/hash"
+  "../cpp/cipher"
   "../cpp/ed25519"
+  "../cpp/hash"
+  "../cpp/hmac"
   "../cpp/pbkdf2"
   "../cpp/random"
   "../cpp/utils"

package/android/src/main/java/com/margelo/nitro/quickcrypto/QuickCryptoPackage.java

@@ -8,8 +8,6 @@ import com.facebook.react.bridge.NativeModule;
 import com.facebook.react.bridge.ReactApplicationContext;
 import com.facebook.react.module.model.ReactModuleInfoProvider;
 import com.facebook.react.TurboReactPackage;
-import com.margelo.nitro.core.HybridObject;
-import com.margelo.nitro.core.HybridObjectRegistry;
 
 import java.util.HashMap;
 import java.util.function.Supplier;

package/cpp/cipher/CCMCipher.cpp

@@ -0,0 +1,199 @@
+#include "CCMCipher.hpp"
+#include "Utils.hpp"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+void CCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // 1. Call the base class initializer first
+  try {
+    HybridCipher::init(cipher_key, iv);
+  } catch (const std::exception& e) {
+    throw; // Re-throw after logging
+  }
+
+  // Ensure context is valid after base init
+  checkCtx();
+
+  // 2. Perform CCM-specific initialization
+  auto native_iv = ToNativeArrayBuffer(iv);
+  size_t iv_len = native_iv->size();
+
+  // Set the IV length using CCM-specific control
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_len, nullptr) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set IV length: " + std::string(err_buf));
+  }
+
+  // Set the expected/output tag length using CCM-specific control.
+  // auth_tag_len should have been defaulted or set via setArgs in the base init.
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, auth_tag_len, nullptr) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set tag length: " + std::string(err_buf));
+  }
+
+  // Finally, initialize the key and IV using the parameters passed to this function.
+  auto native_key = ToNativeArrayBuffer(cipher_key); // Use 'cipher_key' parameter
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  // The last argument (is_cipher) should be consistent with the initial setup call.
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkCtx();
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t in_len = native_data->size();
+  if (in_len < 0 || in_len > INT_MAX) {
+    throw std::runtime_error("Invalid message length");
+  }
+  int out_len = 0;
+
+  if (!is_cipher) {
+    maybePassAuthTagToOpenSSL();
+  }
+
+  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  if (block_size <= 0) {
+    throw std::runtime_error("Invalid block size in update");
+  }
+  out_len = in_len + block_size - 1;
+  if (out_len < 0 || out_len < in_len) {
+    throw std::runtime_error("Calculated output buffer size invalid in update");
+  }
+
+  auto out_buf = std::make_unique<unsigned char[]>(out_len);
+  const uint8_t* in = reinterpret_cast<const uint8_t*>(native_data->data());
+
+  int actual_out_len = 0;
+  int ret = EVP_CipherUpdate(ctx, out_buf.get(), &actual_out_len, in, in_len);
+
+  if (!is_cipher) {
+    // Decryption: Check for tag verification failure
+    if (ret <= 0) {
+      // Tag verification failed (or other decryption error)
+      throw std::runtime_error("CCM Decryption: Tag verification failed");
+    }
+  } else {
+    // Encryption: Check for standard errors
+    if (ret != 1) {
+      pending_auth_failed = true; // Should this be set for encryption failure?
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Error in update() performing encryption operation: " + std::string(err_buf));
+    }
+  }
+  // If we reached here, the operation (encryption or decryption) succeeded
+
+  unsigned char* final_output = out_buf.release();
+  return std::make_shared<NativeArrayBuffer>(final_output, actual_out_len, [=]() { delete[] final_output; });
+}
+
+std::shared_ptr<ArrayBuffer> CCMCipher::final() {
+  checkCtx();
+
+  // CCM decryption does not use final. Verification happens in the last update call.
+  if (!is_cipher) {
+    // Return an empty buffer, matching Node.js behavior
+    unsigned char* empty_output = new unsigned char[0];
+    return std::make_shared<NativeArrayBuffer>(empty_output, 0, [=]() { delete[] empty_output; });
+  }
+
+  // Proceed only for encryption
+  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  if (block_size <= 0) {
+    throw std::runtime_error("Invalid block size");
+  }
+  auto out_buf = std::make_unique<unsigned char[]>(block_size);
+  int out_len = 0;
+
+  if (!EVP_CipherFinal_ex(ctx, out_buf.get(), &out_len)) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("Encryption finalization failed: " + std::string(err_buf));
+  }
+
+  if (auth_tag_len == 0) {
+    auth_tag_len = sizeof(auth_tag);
+  }
+
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, auth_tag_len, auth_tag) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("Failed to get auth tag after finalization: " + std::string(err_buf));
+  }
+  auth_tag_state = kAuthTagKnown;
+
+  unsigned char* final_output = out_buf.release();
+  return std::make_shared<NativeArrayBuffer>(final_output, out_len, [=]() { delete[] final_output; });
+}
+
+bool CCMCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+  checkCtx();
+  if (!plaintextLength.has_value()) {
+    throw std::runtime_error("CCM mode requires plaintextLength to be set");
+  }
+
+  // IMPORTANT: For CCM decryption (!is_cipher), OpenSSL requires this initial update
+  // call to specify the TOTAL LENGTH OF THE CIPHERTEXT, not the plaintext.
+  // The caller (JS) must ensure `plaintextLength` holds the ciphertext length when decrypting.
+  int data_len = static_cast<int>(plaintextLength.value());
+  if (data_len > kMaxMessageSize) {
+    throw std::runtime_error("Provided data length exceeds maximum allowed size");
+  }
+
+  if (!is_cipher) {
+    if (!maybePassAuthTagToOpenSSL()) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("setAAD: Failed to set auth tag parameters: " + std::string(err_buf));
+    }
+  }
+
+  int out_len = 0;
+
+  // Get AAD data and length *before* deciding whether to set total length
+  auto native_aad = ToNativeArrayBuffer(data);
+  size_t aad_len = native_aad->size();
+
+  // 1. Set the total *ciphertext* length. This seems necessary based on examples,
+  //    BUT the wiki says "(only needed if AAD is passed)". Let's skip if decrypting and AAD length is 0.
+  bool should_set_total_length = is_cipher || aad_len > 0;
+  if (should_set_total_length) {
+    if (EVP_CipherUpdate(ctx, nullptr, &out_len, nullptr, data_len) != 1) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("CCMCipher: Failed to set expected length: " + std::string(err_buf));
+    }
+  }
+
+  // 2. Process AAD Data
+  // Per OpenSSL CCM decryption examples, this MUST be called even if aad_len is 0.
+  // Pass nullptr as the output buffer, the AAD data pointer, and its length.
+  if (EVP_CipherUpdate(ctx, nullptr, &out_len, native_aad->data(), aad_len) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to update AAD: " + std::string(err_buf));
+  }
+  return true;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/CCMCipher.hpp

@@ -0,0 +1,26 @@
+#pragma once
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class CCMCipher : public HybridCipher {
+ public:
+  CCMCipher() : HybridObject(TAG) {}
+  ~CCMCipher() {
+    // Let parent destructor free the context
+    ctx = nullptr;
+  }
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+
+ private:
+  // CCM mode supports messages up to 2^(8L) - 1 bytes where L is the length of nonce
+  // With a 12-byte nonce (L=3), max size is 2^24 - 1 bytes
+  static constexpr int kMaxMessageSize = (1 << 24) - 1;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/HybridCipher.cpp

@@ -0,0 +1,324 @@
+#include <algorithm> // For std::sort
+#include <cstring>   // For std::memcpy
+#include <memory>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+#include "HybridCipher.hpp"
+#include "Utils.hpp"
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+namespace margelo::nitro::crypto {
+
+HybridCipher::~HybridCipher() {
+  if (ctx) {
+    EVP_CIPHER_CTX_free(ctx);
+    // No need to set ctx = nullptr here, object is being destroyed
+  }
+}
+
+void HybridCipher::checkCtx() const {
+  if (!ctx) {
+    throw std::runtime_error("Cipher context is not initialized or has been disposed.");
+  }
+}
+
+bool HybridCipher::maybePassAuthTagToOpenSSL() {
+  if (auth_tag_state == kAuthTagKnown) {
+    OSSL_PARAM params[] = {OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, auth_tag, auth_tag_len),
+                           OSSL_PARAM_construct_end()};
+    if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      return false;
+    }
+    auth_tag_state = kAuthTagPassedToOpenSSL;
+  }
+  return true;
+}
+
+void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // Clean up any existing context
+  if (ctx) {
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+  }
+
+  // 1. Get cipher implementation by name
+  const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
+  if (!cipher) {
+    throw std::runtime_error("Unknown cipher " + cipher_type);
+  }
+
+  // 2. Create a new context
+  ctx = EVP_CIPHER_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create cipher context");
+  }
+
+  // Initialise the encryption/decryption operation with the cipher type.
+  // Key and IV will be set later by the derived class if needed.
+  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("HybridCipher: Failed initial CipherInit setup: " + std::string(err_buf));
+  }
+
+  // For base hybrid cipher, set key and IV immediately.
+  // Derived classes like CCM might override init and handle this differently.
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("HybridCipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  auto native_data = ToNativeArrayBuffer(data);
+  checkCtx();
+  size_t in_len = native_data->size();
+  if (in_len > INT_MAX) {
+    throw std::runtime_error("Message too long");
+  }
+
+  int out_len = in_len + EVP_CIPHER_CTX_block_size(ctx);
+  uint8_t* out = new uint8_t[out_len];
+  // Perform the cipher update operation. The real size of the output is
+  // returned in out_len
+  EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len);
+
+  // Create and return a new buffer of exact size needed
+  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+}
+
+std::shared_ptr<ArrayBuffer> HybridCipher::final() {
+  checkCtx();
+  // Block size is max output size for final, unless EVP_CIPH_NO_PADDING is set
+  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  if (block_size <= 0)
+    block_size = 16; // Default if block size is weird (e.g., 0)
+  auto out_buf = std::make_unique<uint8_t[]>(block_size);
+  int out_len = 0;
+
+  int mode = EVP_CIPHER_CTX_mode(ctx);
+  int ret = EVP_CipherFinal_ex(ctx, out_buf.get(), &out_len);
+  if (!ret) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    // Don't free context on error here either, rely on destructor
+    throw std::runtime_error("Cipher final failed: " + std::string(err_buf));
+  }
+
+  // Get raw pointer before releasing unique_ptr
+  uint8_t* raw_ptr = out_buf.get();
+  // Create the specific NativeArrayBuffer first, using full namespace
+  auto native_final_chunk = std::make_shared<margelo::nitro::NativeArrayBuffer>(out_buf.release(), static_cast<size_t>(out_len),
+                                                                                [raw_ptr]() { delete[] raw_ptr; });
+
+  // Context should NOT be freed here. It might be needed for getAuthTag() for GCM/OCB.
+  // The context will be freed by the destructor (~HybridCipher) when the object goes out of scope.
+
+  // Return the shared_ptr<NativeArrayBuffer> (implicit upcast to shared_ptr<ArrayBuffer>)
+  return native_final_chunk;
+}
+
+bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+  checkCtx();
+  auto native_data = ToNativeArrayBuffer(data);
+
+  // Set the AAD
+  int out_len;
+  if (!EVP_CipherUpdate(ctx, nullptr, &out_len, native_data->data(), native_data->size())) {
+    return false;
+  }
+
+  has_aad = true;
+  return true;
+}
+
+bool HybridCipher::setAutoPadding(bool autoPad) {
+  checkCtx();
+  return EVP_CIPHER_CTX_set_padding(ctx, autoPad) == 1;
+}
+
+bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
+  checkCtx();
+
+  if (is_cipher) {
+    throw std::runtime_error("setAuthTag can only be called during decryption.");
+  }
+
+  auto native_tag = ToNativeArrayBuffer(tag);
+  size_t tag_len = native_tag->size();
+  uint8_t* tag_ptr = native_tag->data();
+
+  int mode = EVP_CIPHER_CTX_mode(ctx);
+
+  if (mode == EVP_CIPH_GCM_MODE || mode == EVP_CIPH_OCB_MODE) {
+    // Use EVP_CTRL_AEAD_SET_TAG for GCM/OCB decryption
+    if (tag_len < 1 || tag_len > 16) { // Check tag length bounds for GCM/OCB
+      throw std::runtime_error("Invalid auth tag length for GCM/OCB. Must be between 1 and 16 bytes.");
+    }
+    // Add check for valid cipher in context before setting tag
+    // Use the correct OpenSSL 3 function: EVP_CIPHER_CTX_cipher
+    if (!EVP_CIPHER_CTX_cipher(ctx)) {
+      throw std::runtime_error("Context has no cipher set before setting GCM/OCB tag");
+    }
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag_ptr) <= 0) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      // Include the error code in the message
+      throw std::runtime_error("Failed to set GCM/OCB auth tag: " + std::string(err_buf) + " (code: " + std::to_string(err) + ")");
+    }
+    auth_tag_state = kAuthTagPassedToOpenSSL; // Mark state
+    return true;
+
+  } else if (mode == EVP_CIPH_CCM_MODE) {
+    // Store tag internally for CCM decryption (used in CCMCipher::final)
+    if (tag_len < 4 || tag_len > 16) { // Check tag length bounds for CCM
+      throw std::runtime_error("Invalid auth tag length for CCM. Must be between 4 and 16 bytes.");
+    }
+    auth_tag_state = kAuthTagKnown; // Correct state enum value
+    auth_tag_len = tag_len;
+    // Copy directly into the member buffer (assuming uint8_t auth_tag[16])
+    std::memcpy(auth_tag, tag_ptr, tag_len);
+    return true;
+
+  } else {
+    // Not an AEAD mode that supports setAuthTag for decryption
+    throw std::runtime_error("setAuthTag is not supported for the current cipher mode.");
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridCipher::getAuthTag() {
+  checkCtx();
+
+  int mode = EVP_CIPHER_CTX_mode(ctx);
+
+  if (!is_cipher) {
+    throw std::runtime_error("getAuthTag can only be called during encryption.");
+  }
+
+  if (mode == EVP_CIPH_GCM_MODE || mode == EVP_CIPH_OCB_MODE) {
+    // Retrieve the tag using EVP_CIPHER_CTX_ctrl for GCM/OCB
+    constexpr int max_tag_len = 16; // GCM/OCB tags are typically up to 16 bytes
+    auto tag_buf = std::make_unique<uint8_t[]>(max_tag_len);
+
+    int ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, max_tag_len, tag_buf.get());
+
+    if (ret <= 0) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Failed to get GCM/OCB auth tag: " + std::string(err_buf));
+    }
+
+    size_t actual_tag_len = static_cast<size_t>(ret);
+    uint8_t* raw_ptr = tag_buf.get();
+    auto final_tag_buffer =
+        std::make_shared<margelo::nitro::NativeArrayBuffer>(tag_buf.release(), actual_tag_len, [raw_ptr]() { delete[] raw_ptr; });
+    return final_tag_buffer;
+
+  } else if (mode == EVP_CIPH_CCM_MODE) {
+    // CCM: allow getAuthTag after encryption/finalization
+    if (auth_tag_len > 0 && auth_tag_state == kAuthTagKnown) {
+      // Return the stored tag buffer
+      auto tag_buf = std::make_unique<uint8_t[]>(auth_tag_len);
+      std::memcpy(tag_buf.get(), auth_tag, auth_tag_len);
+      uint8_t* raw_ptr = tag_buf.get();
+      auto final_tag_buffer =
+          std::make_shared<margelo::nitro::NativeArrayBuffer>(tag_buf.release(), auth_tag_len, [raw_ptr]() { delete[] raw_ptr; });
+      return final_tag_buffer;
+    } else {
+      throw std::runtime_error("CCM: Auth tag not available. Ensure encryption is finalized before calling getAuthTag.");
+    }
+  } else {
+    // Not an AEAD mode that supports getAuthTag post-encryption
+    throw std::runtime_error("getAuthTag is not supported for the current cipher mode.");
+  }
+}
+
+int HybridCipher::getMode() {
+  if (!ctx) {
+    throw std::runtime_error("Cipher not initialized. Did you call setArgs()?");
+  }
+  return EVP_CIPHER_CTX_get_mode(ctx);
+}
+
+void HybridCipher::setArgs(const CipherArgs& args) {
+  this->is_cipher = args.isCipher;
+  this->cipher_type = args.cipherType;
+
+  // Reset auth tag state
+  auth_tag_state = kAuthTagUnknown;
+  std::memset(auth_tag, 0, EVP_GCM_TLS_TAG_LEN);
+
+  // Set auth tag length from args or use default
+  if (args.authTagLen.has_value()) {
+    if (!CheckIsUint32(args.authTagLen.value())) {
+      throw std::runtime_error("authTagLen must be uint32");
+    }
+    uint32_t requested_len = static_cast<uint32_t>(args.authTagLen.value());
+    if (requested_len > EVP_GCM_TLS_TAG_LEN) {
+      throw std::runtime_error("Authentication tag length too large");
+    }
+    this->auth_tag_len = requested_len;
+  } else {
+    // Default to 16 bytes for all authenticated modes
+    this->auth_tag_len = kDefaultAuthTagLength;
+  }
+}
+
+// Corrected callback signature for EVP_CIPHER_do_all_provided
+void collect_ciphers(EVP_CIPHER* cipher, void* arg) {
+  auto* names = static_cast<std::vector<std::string>*>(arg);
+  if (cipher == nullptr)
+    return;
+  // Note: EVP_CIPHER_get0_name expects const EVP_CIPHER*, but the callback provides EVP_CIPHER*.
+  // This implicit const cast should be safe here.
+  const char* name = EVP_CIPHER_get0_name(cipher);
+  if (name != nullptr) {
+    std::string name_str(name);
+    if (name_str == "NULL" || name_str.find("CTS") != std::string::npos ||
+        name_str.find("SIV") != std::string::npos ||  // Covers -SIV and -GCM-SIV
+        name_str.find("WRAP") != std::string::npos || // Covers -WRAP-INV and -WRAP-PAD-INV
+        name_str.find("SM4-") != std::string::npos) {
+      return; // Skip adding this cipher
+    }
+
+    // If not filtered out, add it to the list
+    names->push_back(name_str); // Use name_str here
+  }
+}
+
+std::vector<std::string> HybridCipher::getSupportedCiphers() {
+  std::vector<std::string> cipher_names;
+
+  // Use the simpler approach with the separate callback
+  EVP_CIPHER_do_all_provided(nullptr, // Default library context
+                             collect_ciphers, &cipher_names);
+
+  // OpenSSL 3 doesn't guarantee sorted output with _do_all_provided, sort manually
+  std::sort(cipher_names.begin(), cipher_names.end());
+
+  return cipher_names;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/HybridCipher.hpp

@@ -0,0 +1,69 @@
+#pragma once
+
+#include <memory>
+#include <openssl/core_names.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/param_build.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridCipherSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+// Default tag length for OCB, SIV, CCM, ChaCha20-Poly1305
+constexpr unsigned kDefaultAuthTagLength = 16;
+
+class HybridCipher : public HybridCipherSpec {
+ public:
+  HybridCipher() : HybridObject(TAG) {}
+  ~HybridCipher() override;
+
+ public:
+  // Methods
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+
+  std::shared_ptr<ArrayBuffer> final() override;
+
+  virtual void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv);
+
+  void setArgs(const CipherArgs& args) override;
+
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+
+  bool setAutoPadding(bool autoPad) override;
+
+  bool setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) override;
+
+  std::shared_ptr<ArrayBuffer> getAuthTag() override;
+
+  std::vector<std::string> getSupportedCiphers() override;
+
+ protected:
+  // Protected enums for state management
+  enum CipherKind { kCipher, kDecipher };
+  enum UpdateResult { kSuccess, kErrorMessageSize, kErrorState };
+  enum AuthTagState { kAuthTagUnknown, kAuthTagKnown, kAuthTagPassedToOpenSSL };
+
+ protected:
+  // Properties
+  bool is_cipher = true;
+  std::string cipher_type;
+  EVP_CIPHER_CTX* ctx = nullptr;
+  bool pending_auth_failed = false;
+  bool has_aad = false;
+  uint8_t auth_tag[EVP_GCM_TLS_TAG_LEN];
+  AuthTagState auth_tag_state;
+  unsigned int auth_tag_len = 0;
+  int max_message_size;
+
+ protected:
+  // Methods
+  int getMode();
+  void checkCtx() const;
+  bool maybePassAuthTagToOpenSSL();
+};
+
+} // namespace margelo::nitro::crypto