react-native-quick-crypto 1.0.19 → 1.1.1

package/cpp/cipher/XSalsa20Cipher.cpp

@@ -1,4 +1,6 @@
+#include <algorithm>
 #include <cstring>   // For std::memcpy
+#include <memory>    // For std::unique_ptr
 #include <stdexcept> // For std::runtime_error
 
 #include "NitroModules/ArrayBuffer.hpp"
@@ -28,11 +30,27 @@ void XSalsa20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const s
   // Copy key and nonce data
   std::memcpy(key, native_key->data(), crypto_stream_KEYBYTES);
   std::memcpy(nonce, native_iv->data(), crypto_stream_NONCEBYTES);
+
+  // Reset streaming state so a re-init'd cipher does not accidentally reuse
+  // keystream bytes from a previous session.
+  block_counter = 0;
+  leftover_offset = kSalsa20BlockBytes;
+
   is_finalized = false;
 }
 
 /**
- * xsalsa20 call to sodium implementation
+ * xsalsa20 update — encrypts/decrypts `data` while keeping the keystream
+ * advancing across successive update() calls.
+ *
+ * Implementation notes:
+ *   1. First, drain any unused keystream bytes left over from the previous
+ *      chunk's trailing partial block.
+ *   2. Then process as many aligned whole 64-byte blocks as possible by
+ *      jumping the keystream to `block_counter` via crypto_stream_xsalsa20_xor_ic.
+ *   3. For the remaining tail (< 64 bytes), generate one full keystream
+ *      block, XOR the requested prefix, and stash the unused suffix for the
+ *      next update() call.
  */
 std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkNotFinalized();
@@ -40,12 +58,60 @@ std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayB
   throw std::runtime_error("XSalsa20Cipher: libsodium must be enabled to use this cipher (BLSALLOC_SODIUM is not defined).");
 #else
   auto native_data = ToNativeArrayBuffer(data);
-  auto output = new uint8_t[native_data->size()];
-  int result = crypto_stream_xor(output, native_data->data(), native_data->size(), nonce, key);
-  if (result != 0) {
-    throw std::runtime_error("XSalsa20Cipher: Failed to update");
+  const std::size_t data_size = native_data->size();
+
+  if (data_size == 0) {
+    return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+  }
+
+  // Owning buffer: prevents leaking `output` if we throw on the way out.
+  auto output = std::make_unique<uint8_t[]>(data_size);
+  const uint8_t* input = native_data->data();
+  std::size_t pos = 0;
+
+  // (1) Drain any unused keystream from the previous update()'s tail block.
+  if (leftover_offset < kSalsa20BlockBytes) {
+    const std::size_t avail = kSalsa20BlockBytes - leftover_offset;
+    const std::size_t take = std::min(avail, data_size);
+    for (std::size_t i = 0; i < take; ++i) {
+      output[i] = input[i] ^ leftover_keystream[leftover_offset + i];
+    }
+    leftover_offset += take;
+    pos = take;
   }
-  return std::make_shared<NativeArrayBuffer>(output, native_data->size(), [=]() { delete[] output; });
+
+  // (2) Encrypt the aligned whole blocks at the current block counter.
+  const std::size_t remaining = data_size - pos;
+  const std::size_t whole_blocks = remaining / kSalsa20BlockBytes;
+  const std::size_t whole_bytes = whole_blocks * kSalsa20BlockBytes;
+  if (whole_bytes > 0) {
+    int rc = crypto_stream_xsalsa20_xor_ic(output.get() + pos, input + pos, whole_bytes, nonce, block_counter, key);
+    if (rc != 0) {
+      throw std::runtime_error("XSalsa20Cipher: crypto_stream_xsalsa20_xor_ic failed");
+    }
+    block_counter += whole_blocks;
+    pos += whole_bytes;
+  }
+
+  // (3) For any trailing partial block, generate one full keystream block,
+  //     XOR the requested prefix, and stash the unused keystream bytes for
+  //     the next update() call.
+  const std::size_t tail = data_size - pos;
+  if (tail > 0) {
+    uint8_t zeros[kSalsa20BlockBytes] = {};
+    int rc = crypto_stream_xsalsa20_xor_ic(leftover_keystream, zeros, kSalsa20BlockBytes, nonce, block_counter, key);
+    if (rc != 0) {
+      throw std::runtime_error("XSalsa20Cipher: crypto_stream_xsalsa20_xor_ic failed");
+    }
+    for (std::size_t i = 0; i < tail; ++i) {
+      output[pos + i] = input[pos + i] ^ leftover_keystream[i];
+    }
+    leftover_offset = tail;
+    block_counter += 1;
+  }
+
+  uint8_t* raw = output.release();
+  return std::make_shared<NativeArrayBuffer>(raw, data_size, [=]() { delete[] raw; });
 #endif
 }
 

package/cpp/cipher/XSalsa20Cipher.hpp

@@ -8,17 +8,26 @@
 #define crypto_stream_NONCEBYTES 24 // XSalsa20 nonce size (24 bytes)
 #endif
 
+#include <cstddef>
+#include <cstdint>
+
 #include "HybridCipher.hpp"
 #include "NitroModules/ArrayBuffer.hpp"
+#include "QuickCryptoUtils.hpp"
 
 namespace margelo::nitro::crypto {
 
 class XSalsa20Cipher : public HybridCipher {
  public:
   XSalsa20Cipher() : HybridObject(TAG) {}
-  ~XSalsa20Cipher() {
-    // Let parent destructor free the context
-    ctx = nullptr;
+  ~XSalsa20Cipher() override {
+    // Wipe key material and any cached keystream bytes before the heap is
+    // returned. Without this the secret-bearing bytes persist on the heap
+    // until overwritten — see audit HIGH finding (XSalsa20Cipher.hpp:19-22).
+    // The base-class unique_ptr ctx frees itself; we don't touch it here.
+    secureZero(key);
+    secureZero(nonce);
+    secureZero(leftover_keystream);
   }
 
   void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
@@ -26,8 +35,21 @@ class XSalsa20Cipher : public HybridCipher {
   std::shared_ptr<ArrayBuffer> final() override;
 
  private:
+  // Salsa20 (and therefore XSalsa20) processes the keystream in 64-byte blocks.
+  static constexpr std::size_t kSalsa20BlockBytes = 64;
+
   uint8_t key[crypto_stream_KEYBYTES];
   uint8_t nonce[crypto_stream_NONCEBYTES];
+
+  // Streaming state — keeps the keystream advancing across multiple update()
+  // calls. Without this, every update() would restart at block 0, producing
+  // identical keystream for each chunk (a two-time-pad break).
+  uint8_t leftover_keystream[kSalsa20BlockBytes] = {};
+  // 0..kSalsa20BlockBytes; the sentinel value kSalsa20BlockBytes means "no
+  // leftover keystream available — start the next chunk on a block boundary".
+  std::size_t leftover_offset = kSalsa20BlockBytes;
+  // Index of the next 64-byte keystream block to consume.
+  uint64_t block_counter = 0;
 };
 
 } // namespace margelo::nitro::crypto

package/cpp/cipher/XSalsa20Poly1305Cipher.cpp

@@ -9,18 +9,13 @@
 namespace margelo::nitro::crypto {
 
 XSalsa20Poly1305Cipher::~XSalsa20Poly1305Cipher() {
-#ifdef BLSALLOC_SODIUM
-  sodium_memzero(key_, kKeySize);
-  sodium_memzero(nonce_, kNonceSize);
-  sodium_memzero(auth_tag_, kTagSize);
-  if (!data_buffer_.empty()) {
-    sodium_memzero(data_buffer_.data(), data_buffer_.size());
-  }
-#else
-  std::memset(key_, 0, kKeySize);
-  std::memset(nonce_, 0, kNonceSize);
-  std::memset(auth_tag_, 0, kTagSize);
-#endif
+  // Always wipe via OPENSSL_cleanse (even when libsodium is enabled) so the
+  // non-sodium `std::memset` fallback can't be optimized away by the
+  // compiler. Audit MEDIUM finding (XSalsa20Poly1305Cipher.cpp:20-22).
+  secureZero(key_);
+  secureZero(nonce_);
+  secureZero(auth_tag_);
+  secureZero(data_buffer_);
   data_buffer_.clear();
 }
 
@@ -65,38 +60,38 @@ std::shared_ptr<ArrayBuffer> XSalsa20Poly1305Cipher::final() {
   throw std::runtime_error("XSalsa20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
 #else
   if (is_cipher) {
-    uint8_t* ciphertext = new uint8_t[data_buffer_.size()];
+    auto ciphertext = std::make_unique<uint8_t[]>(data_buffer_.size());
 
-    int result = crypto_secretbox_detached(ciphertext, auth_tag_, data_buffer_.data(), data_buffer_.size(), nonce_, key_);
+    int result = crypto_secretbox_detached(ciphertext.get(), auth_tag_, data_buffer_.data(), data_buffer_.size(), nonce_, key_);
 
     if (result != 0) {
-      sodium_memzero(ciphertext, data_buffer_.size());
-      delete[] ciphertext;
+      sodium_memzero(ciphertext.get(), data_buffer_.size());
       throw std::runtime_error("XSalsa20Poly1305Cipher: encryption failed");
     }
 
     is_finalized = true;
     size_t ct_len = data_buffer_.size();
-    return std::make_shared<NativeArrayBuffer>(ciphertext, ct_len, [=]() { delete[] ciphertext; });
+    uint8_t* raw_ptr = ciphertext.get();
+    return std::make_shared<NativeArrayBuffer>(ciphertext.release(), ct_len, [raw_ptr]() { delete[] raw_ptr; });
   } else {
     if (data_buffer_.empty()) {
       is_finalized = true;
       return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
     }
 
-    uint8_t* plaintext = new uint8_t[data_buffer_.size()];
+    auto plaintext = std::make_unique<uint8_t[]>(data_buffer_.size());
 
-    int result = crypto_secretbox_open_detached(plaintext, data_buffer_.data(), auth_tag_, data_buffer_.size(), nonce_, key_);
+    int result = crypto_secretbox_open_detached(plaintext.get(), data_buffer_.data(), auth_tag_, data_buffer_.size(), nonce_, key_);
 
     if (result != 0) {
-      sodium_memzero(plaintext, data_buffer_.size());
-      delete[] plaintext;
+      sodium_memzero(plaintext.get(), data_buffer_.size());
       throw std::runtime_error("XSalsa20Poly1305Cipher: decryption failed - authentication tag mismatch");
     }
 
     is_finalized = true;
     size_t pt_len = data_buffer_.size();
-    return std::make_shared<NativeArrayBuffer>(plaintext, pt_len, [=]() { delete[] plaintext; });
+    uint8_t* raw_ptr = plaintext.get();
+    return std::make_shared<NativeArrayBuffer>(plaintext.release(), pt_len, [raw_ptr]() { delete[] raw_ptr; });
   }
 #endif
 }
@@ -116,9 +111,10 @@ std::shared_ptr<ArrayBuffer> XSalsa20Poly1305Cipher::getAuthTag() {
     throw std::runtime_error("getAuthTag must be called after final()");
   }
 
-  uint8_t* tag_copy = new uint8_t[kTagSize];
-  std::memcpy(tag_copy, auth_tag_, kTagSize);
-  return std::make_shared<NativeArrayBuffer>(tag_copy, kTagSize, [=]() { delete[] tag_copy; });
+  auto tag_copy = std::make_unique<uint8_t[]>(kTagSize);
+  std::memcpy(tag_copy.get(), auth_tag_, kTagSize);
+  uint8_t* raw_ptr = tag_copy.get();
+  return std::make_shared<NativeArrayBuffer>(tag_copy.release(), kTagSize, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 

package/cpp/dh/HybridDiffieHellman.cpp

@@ -133,6 +133,35 @@ std::shared_ptr<ArrayBuffer> HybridDiffieHellman::computeSecret(const std::share
   const BIGNUM *p, *q, *g;
   DH_get0_pqg(ourDh, &p, &q, &g);
 
+  // Validate the peer's public key against our DH parameters BEFORE doing
+  // anything else. EVP_PKEY_derive_set_peer() does NOT call DH_check_pub_key,
+  // so without this check a peer key of 0, 1, or p-1 silently produces a
+  // degenerate "shared secret" (0, 1, or ±1) — the small-subgroup attack.
+  // Match the ncrypto pattern (DHPointer::checkPublicKey) and Node.js error
+  // surface so callers see why the key was rejected.
+  {
+    BN_ptr peerPubCheck(BN_bin2bn(otherPublicKey->data(), static_cast<int>(otherPublicKey->size()), nullptr), BN_free);
+    if (!peerPubCheck) {
+      throw std::runtime_error("DiffieHellman: failed to parse peer public key");
+    }
+    int codes = 0;
+    if (DH_check_pub_key(ourDh, peerPubCheck.get(), &codes) != 1) {
+      throw std::runtime_error("DiffieHellman: failed to check peer public key");
+    }
+    if (codes & DH_CHECK_PUBKEY_TOO_SMALL) {
+      throw std::runtime_error("DiffieHellman: peer public key is too small (<= 1)");
+    }
+    if (codes & DH_CHECK_PUBKEY_TOO_LARGE) {
+      throw std::runtime_error("DiffieHellman: peer public key is too large (>= p-1)");
+    }
+    if (codes & DH_CHECK_PUBKEY_INVALID) {
+      throw std::runtime_error("DiffieHellman: peer public key is invalid (not in subgroup)");
+    }
+    if (codes != 0) {
+      throw std::runtime_error("DiffieHellman: peer public key is invalid");
+    }
+  }
+
   // Create peer DH with same parameters but peer's public key
   DH_ptr peerDh(DH_new(), DH_free);
   if (!peerDh) {

package/cpp/ec/HybridEcKeyPair.cpp

@@ -40,10 +40,7 @@ void HybridEcKeyPair::generateKeyPairSync() {
   }
 
   // Clean up existing key if any
-  if (this->pkey != nullptr) {
-    EVP_PKEY_free(this->pkey);
-    this->pkey = nullptr;
-  }
+  this->pkey_.reset();
 
   // Get curve NID from curve name
   int curve_nid = GetCurveFromName(this->curve.c_str());
@@ -105,17 +102,14 @@ void HybridEcKeyPair::generateKeyPairSync() {
     throw std::runtime_error("Failed to generate EC key pair");
   }
 
-  this->pkey = raw_pkey;
+  this->pkey_.reset(raw_pkey);
 }
 
 KeyObject HybridEcKeyPair::importKey(const std::string& format, const std::shared_ptr<ArrayBuffer>& keyData,
                                      const std::string& /* algorithm */, bool /* extractable */,
                                      const std::vector<std::string>& /* keyUsages */) {
   // Clean up any existing key
-  if (this->pkey != nullptr) {
-    EVP_PKEY_free(this->pkey);
-    this->pkey = nullptr;
-  }
+  this->pkey_.reset();
   // Reset curve state to avoid interference between different uses
   this->curve.clear();
 
@@ -143,7 +137,7 @@ KeyObject HybridEcKeyPair::importKey(const std::string& format, const std::share
         PKCS8_PRIV_KEY_INFO_free(p8inf);
         BIO_free(pkcs8_bio);
         if (pkcs8_pkey != nullptr) {
-          this->pkey = pkcs8_pkey;
+          this->pkey_.reset(pkcs8_pkey);
           KeyObject keyObj;
           return keyObj;
         }
@@ -157,7 +151,7 @@ KeyObject HybridEcKeyPair::importKey(const std::string& format, const std::share
       EVP_PKEY* spki_pkey = d2i_PUBKEY_bio(spki_bio, nullptr);
       BIO_free(spki_bio);
       if (spki_pkey != nullptr) {
-        this->pkey = spki_pkey;
+        this->pkey_.reset(spki_pkey);
         KeyObject keyObj;
         return keyObj;
       }
@@ -166,7 +160,7 @@ KeyObject HybridEcKeyPair::importKey(const std::string& format, const std::share
     throw std::runtime_error("Failed to import EC key from DER data");
   }
 
-  this->pkey = pkey;
+  this->pkey_.reset(pkey);
 
   // Return a placeholder KeyObject - this would need proper implementation
   // For now, we just need the key imported into this->pkey for sign/verify
@@ -178,20 +172,20 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::exportKey(const KeyObject& key, co
   // Suppress unused parameter warning
   (void)key;
 
-  if (!this->pkey) {
+  if (!this->pkey_) {
     throw std::runtime_error("No key pair generated");
   }
 
   if (format == "der-spki") {
     // Export public key in DER SPKI format
-    int len = i2d_PUBKEY(this->pkey, nullptr);
+    int len = i2d_PUBKEY(this->pkey_.get(), nullptr);
     if (len <= 0) {
       throw std::runtime_error("Failed to get public key DER length");
     }
 
     std::vector<unsigned char> derData(len);
     unsigned char* ptr = derData.data();
-    i2d_PUBKEY(this->pkey, &ptr);
+    i2d_PUBKEY(this->pkey_.get(), &ptr);
     return ToNativeArrayBuffer(std::string(derData.begin(), derData.end()));
   } else if (format == "der-pkcs8") {
     // Export private key in DER PKCS8 format
@@ -200,7 +194,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::exportKey(const KeyObject& key, co
       throw std::runtime_error("Failed to create BIO for private key export");
     }
 
-    if (i2d_PKCS8PrivateKey_bio(bio, this->pkey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+    if (i2d_PKCS8PrivateKey_bio(bio, this->pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
       BIO_free(bio);
       throw std::runtime_error("Failed to export private key to DER PKCS8 format");
     }
@@ -218,7 +212,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::exportKey(const KeyObject& key, co
       throw std::runtime_error("Failed to create BIO for public key export");
     }
 
-    if (PEM_write_bio_PUBKEY(bio, this->pkey) != 1) {
+    if (PEM_write_bio_PUBKEY(bio, this->pkey_.get()) != 1) {
       BIO_free(bio);
       throw std::runtime_error("Failed to export public key to PEM SPKI format");
     }
@@ -236,7 +230,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::exportKey(const KeyObject& key, co
       throw std::runtime_error("Failed to create BIO for private key export");
     }
 
-    if (PEM_write_bio_PKCS8PrivateKey(bio, this->pkey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+    if (PEM_write_bio_PKCS8PrivateKey(bio, this->pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
       BIO_free(bio);
       throw std::runtime_error("Failed to export private key to PEM PKCS8 format");
     }
@@ -261,7 +255,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::getPublicKey() {
     throw std::runtime_error("Failed to create BIO for public key export");
   }
 
-  if (i2d_PUBKEY_bio(bio, this->pkey) != 1) {
+  if (i2d_PUBKEY_bio(bio, this->pkey_.get()) != 1) {
     BIO_free(bio);
     throw std::runtime_error("Failed to export public key to DER format");
   }
@@ -277,13 +271,13 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::getPublicKey() {
 }
 
 std::shared_ptr<ArrayBuffer> HybridEcKeyPair::getPrivateKey() {
-  if (this->pkey == nullptr) {
+  if (!this->pkey_) {
     throw std::runtime_error("No private key available");
   }
 
   // Export private key in PKCS8 DER format
   BIO* bio = BIO_new(BIO_s_mem());
-  if (i2d_PKCS8PrivateKey_bio(bio, this->pkey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+  if (i2d_PKCS8PrivateKey_bio(bio, this->pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
     BIO_free(bio);
     throw std::runtime_error("Failed to export private key");
   }
@@ -350,7 +344,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::sign(const std::shared_ptr<ArrayBu
   }
 
   // Initialize signing
-  if (EVP_DigestSignInit(md_ctx.get(), nullptr, md, nullptr, this->pkey) <= 0) {
+  if (EVP_DigestSignInit(md_ctx.get(), nullptr, md, nullptr, this->pkey_.get()) <= 0) {
     throw std::runtime_error("Failed to initialize ECDSA signing");
   }
 
@@ -377,7 +371,7 @@ std::shared_ptr<ArrayBuffer> HybridEcKeyPair::sign(const std::shared_ptr<ArrayBu
   signature.resize(sig_len);
 
   // Web Crypto API requires IEEE P1363 format for ECDSA signatures
-  unsigned int n = getBytesOfRS(this->pkey);
+  unsigned int n = getBytesOfRS(this->pkey_.get());
   if (n == 0) {
     throw std::runtime_error("Failed to determine EC key order size for P1363 conversion");
   }
@@ -415,7 +409,7 @@ bool HybridEcKeyPair::verify(const std::shared_ptr<ArrayBuffer>& data, const std
   }
 
   // Initialize verification
-  if (EVP_DigestVerifyInit(md_ctx.get(), nullptr, md, nullptr, this->pkey) <= 0) {
+  if (EVP_DigestVerifyInit(md_ctx.get(), nullptr, md, nullptr, this->pkey_.get()) <= 0) {
     throw std::runtime_error("Failed to initialize ECDSA verification");
   }
 
@@ -424,22 +418,30 @@ bool HybridEcKeyPair::verify(const std::shared_ptr<ArrayBuffer>& data, const std
     throw std::runtime_error("Failed to update ECDSA verification with data");
   }
 
-  // Web Crypto API passes IEEE P1363 format, OpenSSL expects DER
+  // Web Crypto API typically passes IEEE P1363 (raw r||s, exactly 2*n bytes);
+  // the Node-API path with `dsaEncoding: 'der'` passes ASN.1 DER instead.
+  // Discriminate by length — anything other than 2*n is treated as DER and
+  // passed through unchanged. This matches what every other ECDSA verify
+  // wrapper (Node's, ncrypto's) does and is robust because well-formed DER
+  // ECDSA signatures are never exactly 2*n bytes for the curves we support.
   const unsigned char* sig_data = static_cast<const unsigned char*>(signature->data());
   size_t sig_len = signature->size();
   std::unique_ptr<uint8_t[]> der_sig_buf;
 
-  unsigned int n = getBytesOfRS(this->pkey);
+  unsigned int n = getBytesOfRS(this->pkey_.get());
   if (n == 0) {
     throw std::runtime_error("Failed to determine EC key order size for DER conversion");
   }
-  size_t der_len = 0;
-  der_sig_buf = convertSignatureToDER(sig_data, sig_len, n, &der_len);
-  if (!der_sig_buf) {
-    throw std::runtime_error("Failed to convert ECDSA signature from P1363 to DER format");
+
+  if (sig_len == 2 * n) {
+    size_t der_len = 0;
+    der_sig_buf = convertSignatureToDER(sig_data, sig_len, n, &der_len);
+    if (!der_sig_buf) {
+      throw std::runtime_error("Failed to convert ECDSA signature from P1363 to DER format");
+    }
+    sig_data = der_sig_buf.get();
+    sig_len = der_len;
   }
-  sig_data = der_sig_buf.get();
-  sig_len = der_len;
 
   int result = EVP_DigestVerifyFinal(md_ctx.get(), sig_data, sig_len);
 
@@ -451,7 +453,7 @@ bool HybridEcKeyPair::verify(const std::shared_ptr<ArrayBuffer>& data, const std
 }
 
 void HybridEcKeyPair::checkKeyPair() {
-  if (this->pkey == nullptr) {
+  if (!this->pkey_) {
     throw std::runtime_error("EC KeyPair not initialized");
   }
 }

package/cpp/ec/HybridEcKeyPair.hpp

@@ -13,12 +13,7 @@ namespace margelo::nitro::crypto {
 class HybridEcKeyPair : public HybridEcKeyPairSpec {
  public:
   HybridEcKeyPair() : HybridObject(TAG) {}
-  ~HybridEcKeyPair() {
-    if (pkey != nullptr) {
-      EVP_PKEY_free(pkey);
-      pkey = nullptr;
-    }
-  }
+  ~HybridEcKeyPair() override = default;
 
  public:
   // Methods
@@ -41,7 +36,8 @@ class HybridEcKeyPair : public HybridEcKeyPairSpec {
 
  private:
   std::string curve;
-  EVP_PKEY* pkey = nullptr;
+  using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
+  EVP_PKEY_ptr pkey_{nullptr, EVP_PKEY_free};
 
   static int GetCurveFromName(const char* name);
 };

package/cpp/ecdh/HybridECDH.cpp

@@ -65,6 +65,29 @@ std::shared_ptr<ArrayBuffer> HybridECDH::computeSecret(const std::shared_ptr<Arr
     throw std::runtime_error("ECDH: private key not set");
   }
 
+  // Validate the peer's public key BEFORE building an EVP_PKEY from it.
+  // EVP_PKEY_fromdata() does NOT verify that the supplied public-key octets
+  // decode to a point on the configured curve, so an attacker can mount an
+  // invalid-curve attack: send a point on a related, weaker curve (or a
+  // small-order point) and recover bits of our private key from the
+  // resulting "shared secret". Reject malformed encodings, the identity
+  // point, and any point that is not on _group up front.
+  {
+    EC_POINT_ptr peerPoint(EC_POINT_new(_group.get()), EC_POINT_free);
+    if (!peerPoint) {
+      throw std::runtime_error("ECDH: failed to allocate EC_POINT for peer key validation");
+    }
+    if (EC_POINT_oct2point(_group.get(), peerPoint.get(), otherPublicKey->data(), otherPublicKey->size(), nullptr) != 1) {
+      throw std::runtime_error("ECDH: peer public key is malformed");
+    }
+    if (EC_POINT_is_at_infinity(_group.get(), peerPoint.get())) {
+      throw std::runtime_error("ECDH: peer public key is the identity point");
+    }
+    if (EC_POINT_is_on_curve(_group.get(), peerPoint.get(), nullptr) != 1) {
+      throw std::runtime_error("ECDH: peer public key is not on the configured curve");
+    }
+  }
+
   // Build peer EVP_PKEY from raw public key octets
   EVP_PKEY_ptr peerPkey(createEcEvpPkey(_curveName.c_str(), otherPublicKey->data(), otherPublicKey->size()), EVP_PKEY_free);