react-native-quick-crypto 1.0.0-beta.8 → 1.0.0

package/cpp/cipher/CCMCipher.cpp

@@ -0,0 +1,199 @@
+#include "CCMCipher.hpp"
+#include "Utils.hpp"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+void CCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // 1. Call the base class initializer first
+  try {
+    HybridCipher::init(cipher_key, iv);
+  } catch (const std::exception& e) {
+    throw; // Re-throw after logging
+  }
+
+  // Ensure context is valid after base init
+  checkCtx();
+
+  // 2. Perform CCM-specific initialization
+  auto native_iv = ToNativeArrayBuffer(iv);
+  size_t iv_len = native_iv->size();
+
+  // Set the IV length using CCM-specific control
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_len, nullptr) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set IV length: " + std::string(err_buf));
+  }
+
+  // Set the expected/output tag length using CCM-specific control.
+  // auth_tag_len should have been defaulted or set via setArgs in the base init.
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, auth_tag_len, nullptr) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set tag length: " + std::string(err_buf));
+  }
+
+  // Finally, initialize the key and IV using the parameters passed to this function.
+  auto native_key = ToNativeArrayBuffer(cipher_key); // Use 'cipher_key' parameter
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  // The last argument (is_cipher) should be consistent with the initial setup call.
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkCtx();
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t in_len = native_data->size();
+  if (in_len < 0 || in_len > INT_MAX) {
+    throw std::runtime_error("Invalid message length");
+  }
+  int out_len = 0;
+
+  if (!is_cipher) {
+    maybePassAuthTagToOpenSSL();
+  }
+
+  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  if (block_size <= 0) {
+    throw std::runtime_error("Invalid block size in update");
+  }
+  out_len = in_len + block_size - 1;
+  if (out_len < 0 || out_len < in_len) {
+    throw std::runtime_error("Calculated output buffer size invalid in update");
+  }
+
+  auto out_buf = std::make_unique<unsigned char[]>(out_len);
+  const uint8_t* in = reinterpret_cast<const uint8_t*>(native_data->data());
+
+  int actual_out_len = 0;
+  int ret = EVP_CipherUpdate(ctx, out_buf.get(), &actual_out_len, in, in_len);
+
+  if (!is_cipher) {
+    // Decryption: Check for tag verification failure
+    if (ret <= 0) {
+      // Tag verification failed (or other decryption error)
+      throw std::runtime_error("CCM Decryption: Tag verification failed");
+    }
+  } else {
+    // Encryption: Check for standard errors
+    if (ret != 1) {
+      pending_auth_failed = true; // Should this be set for encryption failure?
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Error in update() performing encryption operation: " + std::string(err_buf));
+    }
+  }
+  // If we reached here, the operation (encryption or decryption) succeeded
+
+  unsigned char* final_output = out_buf.release();
+  return std::make_shared<NativeArrayBuffer>(final_output, actual_out_len, [=]() { delete[] final_output; });
+}
+
+std::shared_ptr<ArrayBuffer> CCMCipher::final() {
+  checkCtx();
+
+  // CCM decryption does not use final. Verification happens in the last update call.
+  if (!is_cipher) {
+    // Return an empty buffer, matching Node.js behavior
+    unsigned char* empty_output = new unsigned char[0];
+    return std::make_shared<NativeArrayBuffer>(empty_output, 0, [=]() { delete[] empty_output; });
+  }
+
+  // Proceed only for encryption
+  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  if (block_size <= 0) {
+    throw std::runtime_error("Invalid block size");
+  }
+  auto out_buf = std::make_unique<unsigned char[]>(block_size);
+  int out_len = 0;
+
+  if (!EVP_CipherFinal_ex(ctx, out_buf.get(), &out_len)) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("Encryption finalization failed: " + std::string(err_buf));
+  }
+
+  if (auth_tag_len == 0) {
+    auth_tag_len = sizeof(auth_tag);
+  }
+
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, auth_tag_len, auth_tag) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("Failed to get auth tag after finalization: " + std::string(err_buf));
+  }
+  auth_tag_state = kAuthTagKnown;
+
+  unsigned char* final_output = out_buf.release();
+  return std::make_shared<NativeArrayBuffer>(final_output, out_len, [=]() { delete[] final_output; });
+}
+
+bool CCMCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+  checkCtx();
+  if (!plaintextLength.has_value()) {
+    throw std::runtime_error("CCM mode requires plaintextLength to be set");
+  }
+
+  // IMPORTANT: For CCM decryption (!is_cipher), OpenSSL requires this initial update
+  // call to specify the TOTAL LENGTH OF THE CIPHERTEXT, not the plaintext.
+  // The caller (JS) must ensure `plaintextLength` holds the ciphertext length when decrypting.
+  int data_len = static_cast<int>(plaintextLength.value());
+  if (data_len > kMaxMessageSize) {
+    throw std::runtime_error("Provided data length exceeds maximum allowed size");
+  }
+
+  if (!is_cipher) {
+    if (!maybePassAuthTagToOpenSSL()) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("setAAD: Failed to set auth tag parameters: " + std::string(err_buf));
+    }
+  }
+
+  int out_len = 0;
+
+  // Get AAD data and length *before* deciding whether to set total length
+  auto native_aad = ToNativeArrayBuffer(data);
+  size_t aad_len = native_aad->size();
+
+  // 1. Set the total *ciphertext* length. This seems necessary based on examples,
+  //    BUT the wiki says "(only needed if AAD is passed)". Let's skip if decrypting and AAD length is 0.
+  bool should_set_total_length = is_cipher || aad_len > 0;
+  if (should_set_total_length) {
+    if (EVP_CipherUpdate(ctx, nullptr, &out_len, nullptr, data_len) != 1) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("CCMCipher: Failed to set expected length: " + std::string(err_buf));
+    }
+  }
+
+  // 2. Process AAD Data
+  // Per OpenSSL CCM decryption examples, this MUST be called even if aad_len is 0.
+  // Pass nullptr as the output buffer, the AAD data pointer, and its length.
+  if (EVP_CipherUpdate(ctx, nullptr, &out_len, native_aad->data(), aad_len) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("CCMCipher: Failed to update AAD: " + std::string(err_buf));
+  }
+  return true;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/CCMCipher.hpp

@@ -0,0 +1,26 @@
+#pragma once
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class CCMCipher : public HybridCipher {
+ public:
+  CCMCipher() : HybridObject(TAG) {}
+  ~CCMCipher() {
+    // Let parent destructor free the context
+    ctx = nullptr;
+  }
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+
+ private:
+  // CCM mode supports messages up to 2^(8L) - 1 bytes where L is the length of nonce
+  // With a 12-byte nonce (L=3), max size is 2^24 - 1 bytes
+  static constexpr int kMaxMessageSize = (1 << 24) - 1;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/ChaCha20Cipher.cpp

@@ -0,0 +1,97 @@
+#include "ChaCha20Cipher.hpp"
+#include "Utils.hpp"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+void ChaCha20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // Clean up any existing context
+  if (ctx) {
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+  }
+
+  // Get ChaCha20 cipher implementation
+  const EVP_CIPHER* cipher = EVP_chacha20();
+  if (!cipher) {
+    throw std::runtime_error("Failed to get ChaCha20 cipher implementation");
+  }
+
+  // Create a new context
+  ctx = EVP_CIPHER_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create cipher context");
+  }
+
+  // Initialize the encryption/decryption operation
+  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("ChaCha20Cipher: Failed initial CipherInit setup: " + std::string(err_buf));
+  }
+
+  // Set key and IV
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+
+  // Validate key size
+  if (native_key->size() != kKeySize) {
+    throw std::runtime_error("ChaCha20 key must be 32 bytes");
+  }
+
+  // Validate IV size
+  if (native_iv->size() != kIVSize) {
+    throw std::runtime_error("ChaCha20 IV must be 16 bytes");
+  }
+
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("ChaCha20Cipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> ChaCha20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkCtx();
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t in_len = native_data->size();
+  if (in_len > INT_MAX) {
+    throw std::runtime_error("Message too long");
+  }
+
+  // For ChaCha20, output size equals input size since it's a stream cipher
+  int out_len = in_len;
+  uint8_t* out = new uint8_t[out_len];
+
+  // Perform the cipher update operation
+  if (EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len) != 1) {
+    delete[] out;
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Cipher: Failed to update: " + std::string(err_buf));
+  }
+
+  // Create and return a new buffer of exact size needed
+  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+}
+
+std::shared_ptr<ArrayBuffer> ChaCha20Cipher::final() {
+  checkCtx();
+  // For ChaCha20, final() should return an empty buffer since it's a stream cipher
+  unsigned char* empty_output = new unsigned char[0];
+  return std::make_shared<NativeArrayBuffer>(empty_output, 0, [=]() { delete[] empty_output; });
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/ChaCha20Cipher.hpp

@@ -0,0 +1,25 @@
+#pragma once
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class ChaCha20Cipher : public HybridCipher {
+ public:
+  ChaCha20Cipher() : HybridObject(TAG) {}
+  ~ChaCha20Cipher() {
+    // Let parent destructor free the context
+    ctx = nullptr;
+  }
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+
+ private:
+  // ChaCha20 uses a 256-bit key (32 bytes) and a 128-bit IV (16 bytes)
+  static constexpr int kKeySize = 32;
+  static constexpr int kIVSize = 16;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/ChaCha20Poly1305Cipher.cpp

@@ -0,0 +1,170 @@
+#include "ChaCha20Poly1305Cipher.hpp"
+#include "Utils.hpp"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+void ChaCha20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // Clean up any existing context
+  if (ctx) {
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+  }
+
+  // Get ChaCha20-Poly1305 cipher implementation
+  const EVP_CIPHER* cipher = EVP_chacha20_poly1305();
+  if (!cipher) {
+    throw std::runtime_error("Failed to get ChaCha20-Poly1305 cipher implementation");
+  }
+
+  // Create a new context
+  ctx = EVP_CIPHER_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create cipher context");
+  }
+
+  // Initialize the encryption/decryption operation
+  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed initial CipherInit setup: " + std::string(err_buf));
+  }
+
+  // Set key and IV
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+
+  // Validate key size
+  if (native_key->size() != kKeySize) {
+    throw std::runtime_error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+
+  // Validate nonce size
+  if (native_iv->size() != kNonceSize) {
+    throw std::runtime_error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+
+  // Reset final_called flag
+  final_called = false;
+}
+
+std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkCtx();
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t in_len = native_data->size();
+  if (in_len > INT_MAX) {
+    throw std::runtime_error("Message too long");
+  }
+
+  // For ChaCha20-Poly1305, output size equals input size since it's a stream cipher
+  int out_len = in_len;
+  uint8_t* out = new uint8_t[out_len];
+
+  // Perform the cipher update operation
+  if (EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len) != 1) {
+    delete[] out;
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to update: " + std::string(err_buf));
+  }
+
+  // Create and return a new buffer of exact size needed
+  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+}
+
+std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::final() {
+  checkCtx();
+
+  // For ChaCha20-Poly1305, we need to call final to generate the tag
+  int out_len = 0;
+  unsigned char* out = new unsigned char[0];
+
+  if (EVP_CipherFinal_ex(ctx, out, &out_len) != 1) {
+    delete[] out;
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to finalize: " + std::string(err_buf));
+  }
+
+  final_called = true;
+  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+}
+
+bool ChaCha20Poly1305Cipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+  checkCtx();
+  auto native_aad = ToNativeArrayBuffer(data);
+  size_t aad_len = native_aad->size();
+
+  // Set AAD data
+  int out_len = 0;
+  if (EVP_CipherUpdate(ctx, nullptr, &out_len, native_aad->data(), aad_len) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set AAD: " + std::string(err_buf));
+  }
+  return true;
+}
+
+std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::getAuthTag() {
+  checkCtx();
+  if (!is_cipher) {
+    throw std::runtime_error("getAuthTag can only be called during encryption");
+  }
+  if (!final_called) {
+    throw std::runtime_error("getAuthTag must be called after final()");
+  }
+
+  // Get the authentication tag
+  auto tag_buf = std::make_unique<uint8_t[]>(kTagSize);
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, kTagSize, tag_buf.get()) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to get auth tag: " + std::string(err_buf));
+  }
+
+  uint8_t* raw_ptr = tag_buf.get();
+  return std::make_shared<NativeArrayBuffer>(tag_buf.release(), kTagSize, [raw_ptr]() { delete[] raw_ptr; });
+}
+
+bool ChaCha20Poly1305Cipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
+  checkCtx();
+  if (is_cipher) {
+    throw std::runtime_error("setAuthTag can only be called during decryption");
+  }
+
+  auto native_tag = ToNativeArrayBuffer(tag);
+  if (native_tag->size() != kTagSize) {
+    throw std::runtime_error("ChaCha20-Poly1305 tag must be 16 bytes");
+  }
+
+  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, kTagSize, native_tag->data()) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set auth tag: " + std::string(err_buf));
+  }
+  return true;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/ChaCha20Poly1305Cipher.hpp

@@ -0,0 +1,30 @@
+#pragma once
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class ChaCha20Poly1305Cipher : public HybridCipher {
+ public:
+  ChaCha20Poly1305Cipher() : HybridObject(TAG), final_called(false) {}
+  ~ChaCha20Poly1305Cipher() {
+    // Let parent destructor free the context
+    ctx = nullptr;
+  }
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+  std::shared_ptr<ArrayBuffer> getAuthTag() override;
+  bool setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) override;
+
+ private:
+  // ChaCha20-Poly1305 uses a 256-bit key (32 bytes) and a 96-bit nonce (12 bytes)
+  static constexpr int kKeySize = 32;
+  static constexpr int kNonceSize = 12;
+  static constexpr int kTagSize = 16; // Poly1305 tag is always 16 bytes
+  bool final_called;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/GCMCipher.cpp

@@ -0,0 +1,68 @@
+#include "GCMCipher.hpp"
+#include "Utils.hpp"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+void GCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  // Clean up any existing context
+  if (ctx) {
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+  }
+
+  // 1. Get cipher implementation by name
+  const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
+  if (!cipher) {
+    throw std::runtime_error("Unknown cipher " + cipher_type);
+  }
+
+  // 2. Create a new context
+  ctx = EVP_CIPHER_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create cipher context");
+  }
+
+  // 3. Initialize with cipher type only (no key/IV yet)
+  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("GCMCipher: Failed initial CipherInit setup: " + std::string(err_buf));
+  }
+
+  // 4. Set IV length for non-standard IV sizes (GCM default is 96 bits/12 bytes)
+  auto native_iv = ToNativeArrayBuffer(iv);
+  size_t iv_len = native_iv->size();
+
+  if (iv_len != 12) { // Only set if not the default length
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, static_cast<int>(iv_len), nullptr) != 1) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      EVP_CIPHER_CTX_free(ctx);
+      ctx = nullptr;
+      throw std::runtime_error("GCMCipher: Failed to set IV length: " + std::string(err_buf));
+    }
+  }
+
+  // 5. Now set the key and IV
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+
+  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("GCMCipher: Failed to set key/IV: " + std::string(err_buf));
+  }
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/GCMCipher.hpp

@@ -0,0 +1,14 @@
+#pragma once
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class GCMCipher : public HybridCipher {
+ public:
+  GCMCipher() : HybridObject(TAG) {}
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+};
+
+} // namespace margelo::nitro::crypto