react-native-quick-crypto 1.0.19 → 1.1.1

package/src/cipher.ts

@@ -65,6 +65,100 @@ export function getCipherInfo(
   return CipherUtils.getCipherInfo(name, options?.keyLength, options?.ivLength);
 }
 
+// libsodium ciphers aren't visible to OpenSSL's EVP_CIPHER_fetch, so
+// getCipherInfo() returns undefined for them. Hard-code the (key, iv)
+// byte-lengths the C++ factory will accept.
+const LIBSODIUM_CIPHER_PARAMS: Readonly<
+  Record<string, { keyLength: number; ivLength: number }>
+> = {
+  xsalsa20: { keyLength: 32, ivLength: 24 },
+  'xsalsa20-poly1305': { keyLength: 32, ivLength: 24 },
+  'xchacha20-poly1305': { keyLength: 32, ivLength: 24 },
+};
+
+function validateCipherParams(
+  cipherType: string,
+  keyByteLength: number,
+  ivByteLength: number,
+): void {
+  if (typeof cipherType !== 'string' || cipherType.length === 0) {
+    throw new TypeError('cipher algorithm must be a non-empty string');
+  }
+  // ArrayBuffer.byteLength is always a non-negative integer, so the only
+  // out-of-range value we need to guard is 0 — empty key buffers must not
+  // reach OpenSSL's EVP_CipherInit_ex.
+  if (keyByteLength === 0) {
+    throw new RangeError(`Invalid key length 0 for cipher ${cipherType}`);
+  }
+
+  const lower = cipherType.toLowerCase();
+  const sodium = LIBSODIUM_CIPHER_PARAMS[lower];
+  if (sodium) {
+    // libsodium parlance: "nonce" rather than "iv". Phrase the expected
+    // size as a natural-language clause so callers asserting on either
+    // `key must be N bytes` or `Invalid key length N` both match.
+    if (keyByteLength !== sodium.keyLength) {
+      throw new RangeError(
+        `Invalid key length ${keyByteLength} for cipher ${cipherType} ` +
+          `(key must be ${sodium.keyLength} bytes)`,
+      );
+    }
+    if (ivByteLength !== sodium.ivLength) {
+      throw new RangeError(
+        `Invalid nonce length ${ivByteLength} for cipher ${cipherType} ` +
+          `(nonce must be ${sodium.ivLength} bytes)`,
+      );
+    }
+    return;
+  }
+
+  // OpenSSL path. Look up the cipher's defaults once. Most callers pass
+  // exactly the cipher's default key/iv lengths (e.g. AES-128-CBC always
+  // wants 16/16) — short-circuit those to a single native round-trip.
+  // Variable-length ciphers (GCM, CCM, OCB, ChaCha20-Poly1305) fall through
+  // to per-parameter validation calls so the error message can name which
+  // of {key, iv} is wrong.
+  const info = CipherUtils.getCipherInfo(cipherType);
+  if (info === undefined) {
+    throw new TypeError(`Unsupported or unknown cipher type: ${cipherType}`);
+  }
+
+  const expectedIv = info.ivLength ?? 0;
+  if (expectedIv === 0 && ivByteLength > 0) {
+    throw new RangeError(
+      `Cipher ${cipherType} does not use an iv (got ${ivByteLength} bytes)`,
+    );
+  }
+  if (expectedIv > 0 && ivByteLength === 0) {
+    throw new RangeError(
+      `Cipher ${cipherType} requires an iv but none was provided`,
+    );
+  }
+
+  // Fast path: lengths match the cipher's defaults exactly.
+  if (info.keyLength === keyByteLength && expectedIv === ivByteLength) {
+    return;
+  }
+
+  // Variable-length: verify against native one parameter at a time.
+  if (
+    CipherUtils.getCipherInfo(cipherType, keyByteLength, undefined) ===
+    undefined
+  ) {
+    throw new RangeError(
+      `Invalid key length ${keyByteLength} for cipher ${cipherType}`,
+    );
+  }
+  if (
+    expectedIv > 0 &&
+    CipherUtils.getCipherInfo(cipherType, undefined, ivByteLength) === undefined
+  ) {
+    throw new RangeError(
+      `Invalid iv length ${ivByteLength} for cipher ${cipherType}`,
+    );
+  }
+}
+
 interface CipherArgs {
   isCipher: boolean;
   cipherType: string;
@@ -107,18 +201,24 @@ class CipherCommon extends Stream.Transform {
     }
     super(streamOptions); // Pass filtered options
 
-    const authTagLen: number =
-      getUIntOption(options ?? {}, 'authTagLength') !== -1
-        ? getUIntOption(options ?? {}, 'authTagLength')
-        : 16; // defaults to 16 bytes
+    // defaults to 16 bytes for AEAD modes; non-AEAD callers ignore it.
+    const authTagLen =
+      getUIntOption(
+        options as Readonly<Record<string, unknown>> | undefined,
+        'authTagLength',
+      ) ?? 16;
+
+    const cipherKeyAB = binaryLikeToArrayBuffer(cipherKey);
+    const ivAB = binaryLikeToArrayBuffer(iv);
+    validateCipherParams(cipherType, cipherKeyAB.byteLength, ivAB.byteLength);
 
     const factory =
       NitroModules.createHybridObject<CipherFactory>('CipherFactory');
     this.native = factory.createCipher({
       isCipher,
       cipherType,
-      cipherKey: binaryLikeToArrayBuffer(cipherKey),
-      iv: binaryLikeToArrayBuffer(iv),
+      cipherKey: cipherKeyAB,
+      iv: ivAB,
       authTagLen,
     });
   }
@@ -179,18 +279,31 @@ class CipherCommon extends Stream.Transform {
     return Buffer.from(ret);
   }
 
+  // Stream interface — surface synchronous errors (bad encoding,
+  // OpenSSL EVP failures, AEAD tag mismatch in `final()`, etc.) via
+  // the callback so they emit as stream 'error' events instead of
+  // throwing out of the Transform plumbing and crashing the host
+  // pipeline.
   _transform(
     chunk: BinaryLike,
     encoding: BufferEncoding,
-    callback: () => void,
+    callback: (err?: Error | null) => void,
   ) {
-    this.push(this.update(chunk, normalizeEncoding(encoding)));
-    callback();
+    try {
+      this.push(this.update(chunk, normalizeEncoding(encoding)));
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
 
-  _flush(callback: () => void) {
-    this.push(this.final());
-    callback();
+  _flush(callback: (err?: Error | null) => void) {
+    try {
+      this.push(this.final());
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
 
   public setAutoPadding(autoPadding?: boolean): this {
@@ -211,7 +324,14 @@ class CipherCommon extends Stream.Transform {
     if (!this.native || typeof this.native.setAAD !== 'function') {
       throw new Error('Cipher native object or setAAD method not initialized.');
     }
-    const res = this.native.setAAD(buffer.buffer, options?.plaintextLength);
+    // Use binaryLikeToArrayBuffer (not `buffer.buffer`) so that sliced /
+    // offset views send only the AAD bytes the caller intended. Passing the
+    // raw backing ArrayBuffer authenticates the wrong data and silently
+    // breaks the AEAD integrity guarantee.
+    const res = this.native.setAAD(
+      binaryLikeToArrayBuffer(buffer),
+      options?.plaintextLength,
+    );
     if (!res) {
       throw new Error('setAAD failed (native call returned false)');
     }
@@ -360,13 +480,17 @@ export function xsalsa20(
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
   counter?: number,
 ): Uint8Array {
+  const cipherKeyAB = binaryLikeToArrayBuffer(key);
+  const ivAB = binaryLikeToArrayBuffer(nonce);
+  validateCipherParams('xsalsa20', cipherKeyAB.byteLength, ivAB.byteLength);
+
   const factory =
     NitroModules.createHybridObject<CipherFactory>('CipherFactory');
   const native = factory.createCipher({
     isCipher: true,
     cipherType: 'xsalsa20',
-    cipherKey: binaryLikeToArrayBuffer(key),
-    iv: binaryLikeToArrayBuffer(nonce),
+    cipherKey: cipherKeyAB,
+    iv: ivAB,
   });
   const result = native.update(binaryLikeToArrayBuffer(data));
   return new Uint8Array(result);

package/src/dsa.ts

@@ -25,6 +25,12 @@ export class Dsa {
   }
 }
 
+// FIPS 186-4 §4.2: only L = 1024, 2048, 3072 are sanctioned. NIST has
+// deprecated DSA-1024 for new applications, but we retain it for
+// interop with legacy systems and match Node's permissive default. We
+// reject anything below 1024 outright.
+const DSA_MIN_MODULUS_LENGTH = 1024;
+
 function dsa_prepareKeyGenParams(
   options: GenerateKeyPairOptions | undefined,
 ): Dsa {
@@ -34,8 +40,11 @@ function dsa_prepareKeyGenParams(
 
   const { modulusLength, divisorLength } = options;
 
-  if (!modulusLength || modulusLength <= 0) {
-    throw new Error('Invalid or missing modulusLength for DSA key generation');
+  if (!modulusLength || modulusLength < DSA_MIN_MODULUS_LENGTH) {
+    throw new RangeError(
+      `DSA modulusLength must be at least ${DSA_MIN_MODULUS_LENGTH} bits ` +
+        `(got ${modulusLength ?? 0})`,
+    );
   }
 
   return new Dsa(modulusLength, divisorLength);

package/src/hash.ts

@@ -183,18 +183,28 @@ class Hash extends Stream.Transform {
     return this.native.getOpenSSLVersion();
   }
 
-  // stream interface
+  // Stream interface — surface synchronous errors via the callback so
+  // they emit as stream 'error' events instead of throwing out of the
+  // Transform plumbing (which would crash the host pipeline).
   _transform(
     chunk: BinaryLike,
     encoding: BufferEncoding,
-    callback: () => void,
+    callback: (err?: Error | null) => void,
   ) {
-    this.update(chunk, encoding as Encoding);
-    callback();
+    try {
+      this.update(chunk, encoding as Encoding);
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
-  _flush(callback: () => void) {
-    this.push(this.digest());
-    callback();
+  _flush(callback: (err?: Error | null) => void) {
+    try {
+      this.push(this.digest());
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
 }
 

package/src/hkdf.ts

@@ -45,6 +45,46 @@ function sanitizeInput(input: BinaryLike, name: string): ArrayBuffer {
   }
 }
 
+// Output byte-length of each fixed-length digest. HKDF requires a fixed-
+// output hash (it builds on HMAC), so XOFs like SHAKE128/256 are not
+// included even though `normalizeHashName` will accept them — passing
+// SHAKE here is a caller bug we surface as `Unsupported HKDF digest`
+// instead of letting the native side return an opaque error.
+const HKDF_HASH_BYTES: Readonly<Record<string, number>> = {
+  sha1: 20,
+  sha224: 28,
+  sha256: 32,
+  sha384: 48,
+  sha512: 64,
+  'sha3-256': 32,
+  'sha3-384': 48,
+  'sha3-512': 64,
+  ripemd160: 20,
+};
+
+function validateHkdfKeylen(digest: string, keylen: number): void {
+  if (
+    typeof keylen !== 'number' ||
+    !Number.isFinite(keylen) ||
+    !Number.isInteger(keylen) ||
+    keylen < 0 ||
+    keylen > 0x7fff_ffff
+  ) {
+    throw new TypeError('Bad key length');
+  }
+  const hashLen = HKDF_HASH_BYTES[digest.toLowerCase()];
+  if (hashLen === undefined) {
+    throw new TypeError(`Unsupported HKDF digest: ${digest}`);
+  }
+  // RFC 5869 §2.3: L ≤ 255 * HashLen.
+  if (keylen > 255 * hashLen) {
+    throw new RangeError(
+      `HKDF keylen ${keylen} exceeds RFC 5869 ceiling ` +
+        `255 * HashLen (${255 * hashLen}) for ${digest}`,
+    );
+  }
+}
+
 export function hkdf(
   digest: string,
   key: KeyMaterial,
@@ -61,9 +101,7 @@ export function hkdf(
     const sanitizedSalt = sanitizeInput(salt, 'Salt');
     const sanitizedInfo = sanitizeInput(info, 'Info');
 
-    if (keylen < 0) {
-      throw new TypeError('Bad key length');
-    }
+    validateHkdfKeylen(normalizedDigest, keylen);
 
     const nativeMod = getNative();
     nativeMod
@@ -99,9 +137,7 @@ export function hkdfSync(
   const sanitizedSalt = sanitizeInput(salt, 'Salt');
   const sanitizedInfo = sanitizeInput(info, 'Info');
 
-  if (keylen < 0) {
-    throw new TypeError('Bad key length');
-  }
+  validateHkdfKeylen(normalizedDigest, keylen);
 
   const nativeMod = getNative();
   const result = nativeMod.deriveKeySync(
@@ -134,6 +170,8 @@ export function hkdfDeriveBits(
   const hashName = typeof hash === 'string' ? hash : hash.name;
   const normalizedDigest = normalizeHashName(hashName);
 
+  validateHkdfKeylen(normalizedDigest, keylen);
+
   const nativeMod = getNative();
   const result = nativeMod.deriveKeySync(
     normalizedDigest,

package/src/hmac.ts

@@ -85,18 +85,28 @@ class Hmac extends Stream.Transform {
     return Buffer.from(nativeDigest);
   }
 
-  // stream interface
+  // Stream interface — surface synchronous errors via the callback so
+  // they emit as stream 'error' events instead of throwing out of the
+  // Transform plumbing.
   _transform(
     chunk: BinaryLike,
     encoding: BufferEncoding,
-    callback: () => void,
+    callback: (err?: Error | null) => void,
   ) {
-    this.update(chunk, encoding as Encoding);
-    callback();
+    try {
+      this.update(chunk, encoding as Encoding);
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
-  _flush(callback: () => void) {
-    this.push(this.digest());
-    callback();
+  _flush(callback: (err?: Error | null) => void) {
+    try {
+      this.push(this.digest());
+      callback();
+    } catch (err) {
+      callback(err as Error);
+    }
   }
 }
 

package/src/keys/publicCipher.ts

@@ -144,8 +144,13 @@ export function publicDecrypt(
       paddingMode,
     );
     return Buffer.from(decrypted);
-  } catch (error) {
-    throw new Error(`publicDecrypt failed: ${(error as Error).message}`);
+  } catch {
+    // Bleichenbacher mitigation: surface a single, content-independent error
+    // for every decrypt failure so an attacker cannot use error-message
+    // differences as a padding oracle. The native side already collapses its
+    // OpenSSL error codes to the same opaque message; we drop it here too
+    // rather than re-leaking it via string interpolation.
+    throw new Error('publicDecrypt failed');
   }
 }
 
@@ -244,7 +249,8 @@ export function privateDecrypt(
       oaepLabel,
     );
     return Buffer.from(decrypted);
-  } catch (error) {
-    throw new Error(`privateDecrypt failed: ${(error as Error).message}`);
+  } catch {
+    // Bleichenbacher mitigation — see publicDecrypt above.
+    throw new Error('privateDecrypt failed');
   }
 }

package/src/random.ts

@@ -59,8 +59,17 @@ export function randomFill(buffer: ABV, ...rest: unknown[]): void {
   }
 
   getNative();
-  random.randomFill(abvToArrayBuffer(buffer), viewOffset + offset, size).then(
+  const ab = abvToArrayBuffer(buffer);
+  const start = viewOffset + offset;
+  random.randomFill(ab, start, size).then(
     (res: ArrayBuffer) => {
+      // The native async path operates on a copy of the underlying buffer to
+      // avoid races with JS-owned memory on the worker thread, so the
+      // randomized bytes live in `res`, not in the caller's buffer. Copy them
+      // back to preserve Node's in-place randomFill semantics.
+      if (res !== ab) {
+        new Uint8Array(ab, start, size).set(new Uint8Array(res, start, size));
+      }
       callback(null, res);
     },
     (e: Error) => {
@@ -224,7 +233,7 @@ export function randomInt(
     if (x < randLimit) {
       const n = (x % range) + min;
       if (isSync) return n;
-      process.nextTick(callback as RandomIntCallback, undefined, n);
+      process.nextTick(callback as RandomIntCallback, null, n);
       return;
     }
   }

package/src/rsa.ts

@@ -60,6 +60,13 @@ export class Rsa {
   }
 }
 
+// Modern best practice (NIST SP 800-131A Rev. 2, IETF RFC 8017): RSA keys
+// shorter than 2048 bits are deprecated for both signing and encryption.
+// 1024-bit moduli have been factored in academic settings; 768-bit keys
+// have been factored on commodity hardware. Reject anything below 2048
+// at the JS boundary so callers can't accidentally generate weak keys.
+const RSA_MIN_MODULUS_LENGTH = 2048;
+
 // Node API
 export async function rsa_generateKeyPair(
   algorithm: SubtleAlgorithm,
@@ -70,8 +77,12 @@ export async function rsa_generateKeyPair(
     algorithm as RsaHashedKeyGenParams;
 
   // Validate parameters first
-  if (!modulusLength || modulusLength < 256) {
-    throw lazyDOMException('Invalid key length', 'OperationError');
+  if (!modulusLength || modulusLength < RSA_MIN_MODULUS_LENGTH) {
+    throw lazyDOMException(
+      `RSA modulusLength must be at least ${RSA_MIN_MODULUS_LENGTH} bits ` +
+        `(got ${modulusLength ?? 0})`,
+      'OperationError',
+    );
   }
 
   if (!publicExponent || publicExponent.length === 0) {
@@ -198,8 +209,11 @@ function rsa_prepareKeyGenParams(
     hash?: string;
   };
 
-  if (!modulusLength || modulusLength < 256) {
-    throw new Error('Invalid modulus length');
+  if (!modulusLength || modulusLength < RSA_MIN_MODULUS_LENGTH) {
+    throw new RangeError(
+      `RSA modulusLength must be at least ${RSA_MIN_MODULUS_LENGTH} bits ` +
+        `(got ${modulusLength ?? 0})`,
+    );
   }
 
   const pubExp = publicExponent || 65537;

package/src/scrypt.ts

@@ -35,12 +35,83 @@ const defaults = {
   maxmem: 32 * 1024 * 1024,
 };
 
+// RFC 7914 § 2: scrypt parameters
+//   N — CPU/memory cost; must be a power of 2 > 1.
+//   r — block size; positive integer.
+//   p — parallelization factor; positive integer.
+//   r * p must be < 2^30 (otherwise the spec output is undefined).
+//   The work buffer is 128 * r * N bytes, which must fit in maxmem.
+const SCRYPT_MAX_RP = 1 << 30; // 2^30 per RFC 7914
+
+function isPositiveInteger(value: unknown): value is number {
+  return (
+    typeof value === 'number' &&
+    Number.isFinite(value) &&
+    Number.isInteger(value) &&
+    value > 0
+  );
+}
+
+function validateScryptParams(
+  N: number,
+  r: number,
+  p: number,
+  maxmem: number,
+): void {
+  if (!isPositiveInteger(N)) {
+    throw new RangeError(`Invalid scrypt cost (N): ${N}`);
+  }
+  // Power-of-two & > 1 check (RFC 7914 §6 step 1).
+  if (N <= 1 || (N & (N - 1)) !== 0) {
+    throw new RangeError(
+      `Invalid scrypt cost (N): ${N} — must be a power of 2 greater than 1`,
+    );
+  }
+  if (!isPositiveInteger(r)) {
+    throw new RangeError(`Invalid scrypt blockSize (r): ${r}`);
+  }
+  if (!isPositiveInteger(p)) {
+    throw new RangeError(`Invalid scrypt parallelization (p): ${p}`);
+  }
+  if (r * p >= SCRYPT_MAX_RP) {
+    throw new RangeError(
+      `Invalid scrypt parameters: r * p (${r * p}) must be < 2^30`,
+    );
+  }
+  if (!isPositiveInteger(maxmem)) {
+    throw new RangeError(`Invalid scrypt maxmem: ${maxmem}`);
+  }
+  // 128 * r * N is the minimum working memory. Reject early so we don't
+  // hand a doomed parameter set to native and OOM the device.
+  const required = 128 * r * N;
+  if (required > maxmem) {
+    throw new RangeError(
+      `Invalid scrypt parameters: working memory ${required} bytes ` +
+        `exceeds maxmem ${maxmem}`,
+    );
+  }
+}
+
+function validateScryptKeylen(keylen: number): void {
+  if (
+    typeof keylen !== 'number' ||
+    !Number.isFinite(keylen) ||
+    !Number.isInteger(keylen) ||
+    keylen < 0 ||
+    keylen > 0x7fff_ffff
+  ) {
+    throw new TypeError('Bad key length');
+  }
+}
+
 function getScryptParams(options?: ScryptOptions) {
   const N = options?.N ?? options?.cost ?? defaults.N;
   const r = options?.r ?? options?.blockSize ?? defaults.r;
   const p = options?.p ?? options?.parallelization ?? defaults.p;
   const maxmem = options?.maxmem ?? defaults.maxmem;
 
+  validateScryptParams(N, r, p, maxmem);
+
   return { N, r, p, maxmem };
 }
 
@@ -85,9 +156,7 @@ export function scrypt(
     const sanitizedPassword = sanitizeInput(password, 'Password');
     const sanitizedSalt = sanitizeInput(salt, 'Salt');
 
-    if (keylen < 0) {
-      throw new TypeError('Bad key length');
-    }
+    validateScryptKeylen(keylen);
 
     const nativeMod = getNative();
     nativeMod
@@ -115,9 +184,7 @@ export function scryptSync(
   const sanitizedPassword = sanitizeInput(password, 'Password');
   const sanitizedSalt = sanitizeInput(salt, 'Salt');
 
-  if (keylen < 0) {
-    throw new TypeError('Bad key length');
-  }
+  validateScryptKeylen(keylen);
 
   const nativeMod = getNative();
   const result = nativeMod.deriveKeySync(

package/src/specs/utils.nitro.ts

@@ -2,6 +2,4 @@ import { type HybridObject } from 'react-native-nitro-modules';
 
 export interface Utils extends HybridObject<{ ios: 'c++'; android: 'c++' }> {
   timingSafeEqual(a: ArrayBuffer, b: ArrayBuffer): boolean;
-  bufferToString(buffer: ArrayBuffer, encoding: string): string;
-  stringToBuffer(str: string, encoding: string): ArrayBuffer;
 }