react-native-quick-crypto 1.0.19 → 1.1.1

package/cpp/mldsa/HybridMlDsaKeyPair.cpp

@@ -15,6 +15,9 @@
 
 namespace margelo::nitro::crypto {
 
+using EVP_MD_CTX_ptr = std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>;
+using EVP_PKEY_CTX_ptr = std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)>;
+
 int HybridMlDsaKeyPair::getEvpPkeyType() const {
 #if RNQC_HAS_ML_DSA
   if (variant_ == "ML-DSA-44")
@@ -39,8 +42,9 @@ void HybridMlDsaKeyPair::setVariant(const std::string& variant) {
 
 std::shared_ptr<Promise<void>> HybridMlDsaKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
                                                                    double privateType) {
-  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType]() {
-    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
+  auto self = this->shared_cast<HybridMlDsaKeyPair>();
+  return Promise<void>::async([self, publicFormat, publicType, privateFormat, privateType]() {
+    self->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
   });
 }
 
@@ -61,24 +65,20 @@ void HybridMlDsaKeyPair::generateKeyPairSync(double publicFormat, double publicT
 
   pkey_.reset();
 
-  EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  EVP_PKEY_CTX_ptr pctx(EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr), EVP_PKEY_CTX_free);
   if (pctx == nullptr) {
     throw std::runtime_error("Failed to create key context for " + variant_ + ": " + getOpenSSLError());
   }
 
-  if (EVP_PKEY_keygen_init(pctx) <= 0) {
-    EVP_PKEY_CTX_free(pctx);
+  if (EVP_PKEY_keygen_init(pctx.get()) <= 0) {
     throw std::runtime_error("Failed to initialize keygen: " + getOpenSSLError());
   }
 
   EVP_PKEY* raw = nullptr;
-  if (EVP_PKEY_keygen(pctx, &raw) <= 0) {
-    EVP_PKEY_CTX_free(pctx);
+  if (EVP_PKEY_keygen(pctx.get(), &raw) <= 0) {
     throw std::runtime_error("Failed to generate ML-DSA key pair: " + getOpenSSLError());
   }
   pkey_.reset(raw);
-
-  EVP_PKEY_CTX_free(pctx);
 #endif
 }
 
@@ -108,13 +108,14 @@ std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::getPublicKey() {
   BUF_MEM* bptr;
   BIO_get_mem_ptr(bio, &bptr);
 
-  uint8_t* data = new uint8_t[bptr->length];
-  memcpy(data, bptr->data, bptr->length);
   size_t len = bptr->length;
+  auto buf = std::make_unique<uint8_t[]>(len);
+  memcpy(buf.get(), bptr->data, len);
 
   BIO_free(bio);
 
-  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+  uint8_t* raw_ptr = buf.get();
+  return std::make_shared<NativeArrayBuffer>(buf.release(), len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
@@ -144,19 +145,23 @@ std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::getPrivateKey() {
   BUF_MEM* bptr;
   BIO_get_mem_ptr(bio, &bptr);
 
-  uint8_t* data = new uint8_t[bptr->length];
-  memcpy(data, bptr->data, bptr->length);
   size_t len = bptr->length;
+  auto buf = std::make_unique<uint8_t[]>(len);
+  memcpy(buf.get(), bptr->data, len);
 
+  // Wipe the private key bytes from the BIO before freeing.
+  secureZero(bptr->data, bptr->length);
   BIO_free(bio);
 
-  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+  uint8_t* raw_ptr = buf.get();
+  return std::make_shared<NativeArrayBuffer>(buf.release(), len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
 std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlDsaKeyPair::sign(const std::shared_ptr<ArrayBuffer>& message) {
   auto nativeMessage = ToNativeArrayBuffer(message);
-  return Promise<std::shared_ptr<ArrayBuffer>>::async([this, nativeMessage]() { return this->signSync(nativeMessage); });
+  auto self = this->shared_cast<HybridMlDsaKeyPair>();
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([self, nativeMessage]() { return self->signSync(nativeMessage); });
 }
 
 std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::signSync(const std::shared_ptr<ArrayBuffer>& message) {
@@ -166,40 +171,30 @@ std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::signSync(const std::shared_ptr<
   clearOpenSSLErrors();
   checkKeyPair();
 
-  EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
+  EVP_MD_CTX_ptr md_ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
   if (md_ctx == nullptr) {
     throw std::runtime_error("Failed to create signing context");
   }
 
-  EVP_PKEY_CTX* pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
-  if (pkey_ctx == nullptr) {
-    EVP_MD_CTX_free(md_ctx);
-    throw std::runtime_error("Failed to create signing context for " + variant_);
-  }
-
-  if (EVP_DigestSignInit(md_ctx, &pkey_ctx, nullptr, nullptr, pkey_.get()) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
-    EVP_PKEY_CTX_free(pkey_ctx);
+  // Pass nullptr — EVP_DigestSignInit allocates the matching PKEY_CTX from
+  // pkey_ and the EVP_MD_CTX takes ownership of it.
+  if (EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey_.get()) <= 0) {
     throw std::runtime_error("Failed to initialize signing: " + getOpenSSLError());
   }
 
   size_t sig_len = 0;
-  if (EVP_DigestSign(md_ctx, nullptr, &sig_len, message->data(), message->size()) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
+  if (EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, message->data(), message->size()) <= 0) {
     throw std::runtime_error("Failed to calculate signature size: " + getOpenSSLError());
   }
 
-  uint8_t* sig = new uint8_t[sig_len];
+  auto sig = std::make_unique<uint8_t[]>(sig_len);
 
-  if (EVP_DigestSign(md_ctx, sig, &sig_len, message->data(), message->size()) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
-    delete[] sig;
+  if (EVP_DigestSign(md_ctx.get(), sig.get(), &sig_len, message->data(), message->size()) <= 0) {
     throw std::runtime_error("Failed to sign message: " + getOpenSSLError());
   }
 
-  EVP_MD_CTX_free(md_ctx);
-
-  return std::make_shared<NativeArrayBuffer>(sig, sig_len, [=]() { delete[] sig; });
+  uint8_t* raw_ptr = sig.get();
+  return std::make_shared<NativeArrayBuffer>(sig.release(), sig_len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
@@ -207,7 +202,8 @@ std::shared_ptr<Promise<bool>> HybridMlDsaKeyPair::verify(const std::shared_ptr<
                                                           const std::shared_ptr<ArrayBuffer>& message) {
   auto nativeSignature = ToNativeArrayBuffer(signature);
   auto nativeMessage = ToNativeArrayBuffer(message);
-  return Promise<bool>::async([this, nativeSignature, nativeMessage]() { return this->verifySync(nativeSignature, nativeMessage); });
+  auto self = this->shared_cast<HybridMlDsaKeyPair>();
+  return Promise<bool>::async([self, nativeSignature, nativeMessage]() { return self->verifySync(nativeSignature, nativeMessage); });
 }
 
 bool HybridMlDsaKeyPair::verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message) {
@@ -217,26 +213,18 @@ bool HybridMlDsaKeyPair::verifySync(const std::shared_ptr<ArrayBuffer>& signatur
   clearOpenSSLErrors();
   checkKeyPair();
 
-  EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
+  EVP_MD_CTX_ptr md_ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
   if (md_ctx == nullptr) {
     throw std::runtime_error("Failed to create verify context");
   }
 
-  EVP_PKEY_CTX* pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
-  if (pkey_ctx == nullptr) {
-    EVP_MD_CTX_free(md_ctx);
-    throw std::runtime_error("Failed to create verify context for " + variant_);
-  }
-
-  if (EVP_DigestVerifyInit(md_ctx, &pkey_ctx, nullptr, nullptr, pkey_.get()) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
-    EVP_PKEY_CTX_free(pkey_ctx);
+  // Pass nullptr — EVP_DigestVerifyInit allocates the matching PKEY_CTX from
+  // pkey_ and the EVP_MD_CTX takes ownership of it.
+  if (EVP_DigestVerifyInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey_.get()) <= 0) {
     throw std::runtime_error("Failed to initialize verification: " + getOpenSSLError());
   }
 
-  int result = EVP_DigestVerify(md_ctx, signature->data(), signature->size(), message->data(), message->size());
-
-  EVP_MD_CTX_free(md_ctx);
+  int result = EVP_DigestVerify(md_ctx.get(), signature->data(), signature->size(), message->data(), message->size());
 
   if (result < 0) {
     throw std::runtime_error("Verification error: " + getOpenSSLError());

package/cpp/mlkem/HybridMlKemKeyPair.cpp

@@ -15,6 +15,8 @@
 
 namespace margelo::nitro::crypto {
 
+using EVP_PKEY_CTX_ptr = std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)>;
+
 void HybridMlKemKeyPair::setVariant(const std::string& variant) {
 #if !RNQC_HAS_ML_KEM
   throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
@@ -27,8 +29,9 @@ void HybridMlKemKeyPair::setVariant(const std::string& variant) {
 
 std::shared_ptr<Promise<void>> HybridMlKemKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
                                                                    double privateType) {
-  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType]() {
-    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
+  auto self = this->shared_cast<HybridMlKemKeyPair>();
+  return Promise<void>::async([self, publicFormat, publicType, privateFormat, privateType]() {
+    self->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
   });
 }
 
@@ -49,24 +52,21 @@ void HybridMlKemKeyPair::generateKeyPairSync(double publicFormat, double publicT
 
   pkey_.reset();
 
-  EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  EVP_PKEY_CTX_ptr pctx(EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr), EVP_PKEY_CTX_free);
   if (pctx == nullptr) {
     throw std::runtime_error("Failed to create key context for " + variant_ + ": " + getOpenSSLError());
   }
 
-  if (EVP_PKEY_keygen_init(pctx) <= 0) {
-    EVP_PKEY_CTX_free(pctx);
+  if (EVP_PKEY_keygen_init(pctx.get()) <= 0) {
     throw std::runtime_error("Failed to initialize keygen: " + getOpenSSLError());
   }
 
   EVP_PKEY* raw = nullptr;
-  if (EVP_PKEY_keygen(pctx, &raw) <= 0) {
-    EVP_PKEY_CTX_free(pctx);
+  if (EVP_PKEY_keygen(pctx.get(), &raw) <= 0) {
     throw std::runtime_error("Failed to generate ML-KEM key pair: " + getOpenSSLError());
   }
 
   pkey_.reset(raw);
-  EVP_PKEY_CTX_free(pctx);
 #endif
 }
 
@@ -96,13 +96,14 @@ std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::getPublicKey() {
   BUF_MEM* bptr;
   BIO_get_mem_ptr(bio, &bptr);
 
-  uint8_t* data = new uint8_t[bptr->length];
-  memcpy(data, bptr->data, bptr->length);
   size_t len = bptr->length;
+  auto buf = std::make_unique<uint8_t[]>(len);
+  memcpy(buf.get(), bptr->data, len);
 
   BIO_free(bio);
 
-  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+  uint8_t* raw_ptr = buf.get();
+  return std::make_shared<NativeArrayBuffer>(buf.release(), len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
@@ -132,13 +133,16 @@ std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::getPrivateKey() {
   BUF_MEM* bptr;
   BIO_get_mem_ptr(bio, &bptr);
 
-  uint8_t* data = new uint8_t[bptr->length];
-  memcpy(data, bptr->data, bptr->length);
   size_t len = bptr->length;
+  auto buf = std::make_unique<uint8_t[]>(len);
+  memcpy(buf.get(), bptr->data, len);
 
+  // Wipe the private key bytes from the BIO before freeing.
+  secureZero(bptr->data, bptr->length);
   BIO_free(bio);
 
-  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+  uint8_t* raw_ptr = buf.get();
+  return std::make_shared<NativeArrayBuffer>(buf.release(), len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
@@ -213,7 +217,8 @@ void HybridMlKemKeyPair::setPrivateKey(const std::shared_ptr<ArrayBuffer>& keyDa
 }
 
 std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlKemKeyPair::encapsulate() {
-  return Promise<std::shared_ptr<ArrayBuffer>>::async([this]() { return this->encapsulateSync(); });
+  auto self = this->shared_cast<HybridMlKemKeyPair>();
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([self]() { return self->encapsulateSync(); });
 }
 
 std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::encapsulateSync() {
@@ -223,51 +228,47 @@ std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::encapsulateSync() {
   clearOpenSSLErrors();
   checkKeyPair();
 
-  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey_.get(), nullptr);
+  EVP_PKEY_CTX_ptr ctx(EVP_PKEY_CTX_new(pkey_.get(), nullptr), EVP_PKEY_CTX_free);
   if (ctx == nullptr) {
     throw std::runtime_error("Failed to create encapsulation context: " + getOpenSSLError());
   }
 
-  if (EVP_PKEY_encapsulate_init(ctx, nullptr) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
+  if (EVP_PKEY_encapsulate_init(ctx.get(), nullptr) <= 0) {
     throw std::runtime_error("Failed to initialize encapsulation: " + getOpenSSLError());
   }
 
   size_t ct_len = 0;
   size_t sk_len = 0;
-  if (EVP_PKEY_encapsulate(ctx, nullptr, &ct_len, nullptr, &sk_len) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
+  if (EVP_PKEY_encapsulate(ctx.get(), nullptr, &ct_len, nullptr, &sk_len) <= 0) {
     throw std::runtime_error("Failed to determine encapsulation output sizes: " + getOpenSSLError());
   }
 
   // Pack result as: [uint32 ct_len][uint32 sk_len][ciphertext][shared_key]
   size_t header_size = sizeof(uint32_t) * 2;
   size_t total_size = header_size + ct_len + sk_len;
-  uint8_t* out = new uint8_t[total_size];
+  auto out = std::make_unique<uint8_t[]>(total_size);
 
   uint32_t ct_len_u32 = static_cast<uint32_t>(ct_len);
   uint32_t sk_len_u32 = static_cast<uint32_t>(sk_len);
-  memcpy(out, &ct_len_u32, sizeof(uint32_t));
-  memcpy(out + sizeof(uint32_t), &sk_len_u32, sizeof(uint32_t));
+  memcpy(out.get(), &ct_len_u32, sizeof(uint32_t));
+  memcpy(out.get() + sizeof(uint32_t), &sk_len_u32, sizeof(uint32_t));
 
-  uint8_t* ct_data = out + header_size;
+  uint8_t* ct_data = out.get() + header_size;
   uint8_t* sk_data = ct_data + ct_len;
 
-  if (EVP_PKEY_encapsulate(ctx, ct_data, &ct_len, sk_data, &sk_len) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
-    delete[] out;
+  if (EVP_PKEY_encapsulate(ctx.get(), ct_data, &ct_len, sk_data, &sk_len) <= 0) {
     throw std::runtime_error("Failed to encapsulate: " + getOpenSSLError());
   }
 
-  EVP_PKEY_CTX_free(ctx);
-
-  return std::make_shared<NativeArrayBuffer>(out, total_size, [=]() { delete[] out; });
+  uint8_t* raw_ptr = out.get();
+  return std::make_shared<NativeArrayBuffer>(out.release(), total_size, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 
 std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlKemKeyPair::decapsulate(const std::shared_ptr<ArrayBuffer>& ciphertext) {
   auto nativeCiphertext = ToNativeArrayBuffer(ciphertext);
-  return Promise<std::shared_ptr<ArrayBuffer>>::async([this, nativeCiphertext]() { return this->decapsulateSync(nativeCiphertext); });
+  auto self = this->shared_cast<HybridMlKemKeyPair>();
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([self, nativeCiphertext]() { return self->decapsulateSync(nativeCiphertext); });
 }
 
 std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::decapsulateSync(const std::shared_ptr<ArrayBuffer>& ciphertext) {
@@ -277,13 +278,12 @@ std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::decapsulateSync(const std::shar
   clearOpenSSLErrors();
   checkKeyPair();
 
-  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey_.get(), nullptr);
+  EVP_PKEY_CTX_ptr ctx(EVP_PKEY_CTX_new(pkey_.get(), nullptr), EVP_PKEY_CTX_free);
   if (ctx == nullptr) {
     throw std::runtime_error("Failed to create decapsulation context: " + getOpenSSLError());
   }
 
-  if (EVP_PKEY_decapsulate_init(ctx, nullptr) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
+  if (EVP_PKEY_decapsulate_init(ctx.get(), nullptr) <= 0) {
     throw std::runtime_error("Failed to initialize decapsulation: " + getOpenSSLError());
   }
 
@@ -291,22 +291,18 @@ std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::decapsulateSync(const std::shar
   size_t ct_size = ciphertext->size();
 
   size_t sk_len = 0;
-  if (EVP_PKEY_decapsulate(ctx, nullptr, &sk_len, ct_data, ct_size) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
+  if (EVP_PKEY_decapsulate(ctx.get(), nullptr, &sk_len, ct_data, ct_size) <= 0) {
     throw std::runtime_error("Failed to determine shared key size: " + getOpenSSLError());
   }
 
-  uint8_t* sk_data = new uint8_t[sk_len];
+  auto sk_buf = std::make_unique<uint8_t[]>(sk_len);
 
-  if (EVP_PKEY_decapsulate(ctx, sk_data, &sk_len, ct_data, ct_size) <= 0) {
-    EVP_PKEY_CTX_free(ctx);
-    delete[] sk_data;
+  if (EVP_PKEY_decapsulate(ctx.get(), sk_buf.get(), &sk_len, ct_data, ct_size) <= 0) {
     throw std::runtime_error("Failed to decapsulate: " + getOpenSSLError());
   }
 
-  EVP_PKEY_CTX_free(ctx);
-
-  return std::make_shared<NativeArrayBuffer>(sk_data, sk_len, [=]() { delete[] sk_data; });
+  uint8_t* raw_ptr = sk_buf.get();
+  return std::make_shared<NativeArrayBuffer>(sk_buf.release(), sk_len, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 

package/cpp/pbkdf2/HybridPbkdf2.cpp

@@ -19,19 +19,18 @@ std::shared_ptr<ArrayBuffer> HybridPbkdf2::pbkdf2Sync(const std::shared_ptr<Arra
                                                       const std::shared_ptr<ArrayBuffer>& salt, double iterations, double keylen,
                                                       const std::string& digest) {
   size_t bufferSize = static_cast<size_t>(keylen);
-  uint8_t* data = new uint8_t[bufferSize];
-  auto result = std::make_shared<NativeArrayBuffer>(data, bufferSize, [=]() { delete[] data; });
+  auto out_buf = std::make_unique<uint8_t[]>(bufferSize);
 
   // use fastpbkdf2 when possible
   if (digest == "sha1") {
     fastpbkdf2_hmac_sha1(password.get()->data(), password.get()->size(), salt.get()->data(), salt.get()->size(),
-                         static_cast<uint32_t>(iterations), result.get()->data(), result.get()->size());
+                         static_cast<uint32_t>(iterations), out_buf.get(), bufferSize);
   } else if (digest == "sha256") {
     fastpbkdf2_hmac_sha256(password.get()->data(), password.get()->size(), salt.get()->data(), salt.get()->size(),
-                           static_cast<uint32_t>(iterations), result.get()->data(), result.get()->size());
+                           static_cast<uint32_t>(iterations), out_buf.get(), bufferSize);
   } else if (digest == "sha512") {
     fastpbkdf2_hmac_sha512(password.get()->data(), password.get()->size(), salt.get()->data(), salt.get()->size(),
-                           static_cast<uint32_t>(iterations), result.get()->data(), result.get()->size());
+                           static_cast<uint32_t>(iterations), out_buf.get(), bufferSize);
   } else {
     // fallback to OpenSSL
     auto* digestByName = EVP_get_digestbyname(digest.c_str());
@@ -40,12 +39,12 @@ std::shared_ptr<ArrayBuffer> HybridPbkdf2::pbkdf2Sync(const std::shared_ptr<Arra
     }
     char* passAsCharA = reinterpret_cast<char*>(password.get()->data());
     const unsigned char* saltAsCharA = reinterpret_cast<const unsigned char*>(salt.get()->data());
-    unsigned char* resultAsCharA = reinterpret_cast<unsigned char*>(result.get()->data());
     PKCS5_PBKDF2_HMAC(passAsCharA, password.get()->size(), saltAsCharA, salt.get()->size(), static_cast<uint32_t>(iterations), digestByName,
-                      result.get()->size(), resultAsCharA);
+                      bufferSize, out_buf.get());
   }
 
-  return result;
+  uint8_t* raw_ptr = out_buf.get();
+  return std::make_shared<NativeArrayBuffer>(out_buf.release(), bufferSize, [raw_ptr]() { delete[] raw_ptr; });
 }
 
 } // namespace margelo::nitro::crypto

package/cpp/rsa/HybridRsaKeyPair.cpp

@@ -21,10 +21,7 @@ std::shared_ptr<Promise<void>> HybridRsaKeyPair::generateKeyPair() {
 
 void HybridRsaKeyPair::generateKeyPairSync() {
   // Clean up existing key if any
-  if (this->pkey != nullptr) {
-    EVP_PKEY_free(this->pkey);
-    this->pkey = nullptr;
-  }
+  this->pkey_.reset();
 
   // Create key generation context
   std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr), EVP_PKEY_CTX_free);
@@ -69,7 +66,7 @@ void HybridRsaKeyPair::generateKeyPairSync() {
     throw std::runtime_error("Failed to generate RSA key pair");
   }
 
-  this->pkey = raw_pkey;
+  this->pkey_.reset(raw_pkey);
 }
 
 void HybridRsaKeyPair::setModulusLength(double modulusLength) {
@@ -96,7 +93,7 @@ std::shared_ptr<ArrayBuffer> HybridRsaKeyPair::getPublicKey() {
     throw std::runtime_error("Failed to create BIO for public key export");
   }
 
-  if (i2d_PUBKEY_bio(bio, this->pkey) != 1) {
+  if (i2d_PUBKEY_bio(bio, this->pkey_.get()) != 1) {
     BIO_free(bio);
     throw std::runtime_error("Failed to export public key to DER format");
   }
@@ -120,7 +117,7 @@ std::shared_ptr<ArrayBuffer> HybridRsaKeyPair::getPrivateKey() {
     throw std::runtime_error("Failed to create BIO for private key export");
   }
 
-  if (i2d_PKCS8PrivateKey_bio(bio, this->pkey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+  if (i2d_PKCS8PrivateKey_bio(bio, this->pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
     BIO_free(bio);
     throw std::runtime_error("Failed to export private key to DER PKCS8 format");
   }
@@ -146,7 +143,7 @@ std::shared_ptr<ArrayBuffer> HybridRsaKeyPair::exportKey(const KeyObject& /* key
 }
 
 void HybridRsaKeyPair::checkKeyPair() {
-  if (this->pkey == nullptr) {
+  if (!this->pkey_) {
     throw std::runtime_error("RSA KeyPair not initialized");
   }
 }

package/cpp/rsa/HybridRsaKeyPair.hpp

@@ -13,12 +13,8 @@ namespace margelo::nitro::crypto {
 
 class HybridRsaKeyPair : public HybridRsaKeyPairSpec {
  public:
-  HybridRsaKeyPair() : HybridObject(TAG), pkey(nullptr), modulusLength(2048), hashAlgorithm("SHA-256") {}
-  ~HybridRsaKeyPair() {
-    if (pkey) {
-      EVP_PKEY_free(pkey);
-    }
-  }
+  HybridRsaKeyPair() : HybridObject(TAG), modulusLength(2048), hashAlgorithm("SHA-256") {}
+  ~HybridRsaKeyPair() override = default;
 
   std::shared_ptr<Promise<void>> generateKeyPair() override;
   void generateKeyPairSync() override;
@@ -32,7 +28,8 @@ class HybridRsaKeyPair : public HybridRsaKeyPairSpec {
   std::shared_ptr<ArrayBuffer> exportKey(const KeyObject& key, const std::string& format) override;
 
  private:
-  EVP_PKEY* pkey;
+  using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
+  EVP_PKEY_ptr pkey_{nullptr, EVP_PKEY_free};
   int modulusLength;
   std::vector<unsigned char> publicExponent;
   std::string hashAlgorithm;

package/cpp/scrypt/HybridScrypt.cpp

@@ -46,17 +46,19 @@ std::shared_ptr<ArrayBuffer> HybridScrypt::deriveKeySync(const std::shared_ptr<A
   size_t salt_len = salt ? salt->size() : 0;
 
   // Allocate output buffer
-  uint8_t* outBuf = new uint8_t[outLen];
+  auto out_buf = std::make_unique<uint8_t[]>(outLen);
 
   // Use EVP_PBE_scrypt - the same API Node.js uses
-  int result = EVP_PBE_scrypt(pass_data, pass_len, salt_data, salt_len, n_val, r_val, p_val, maxmem_val, outBuf, outLen);
+  int result = EVP_PBE_scrypt(pass_data, pass_len, salt_data, salt_len, n_val, r_val, p_val, maxmem_val, out_buf.get(), outLen);
 
   if (result != 1) {
-    delete[] outBuf;
+    // Zero any partially-derived secret bits before unique_ptr frees the buffer.
+    secureZero(out_buf.get(), outLen);
     throw std::runtime_error("SCRYPT derivation failed: " + getOpenSSLError());
   }
 
-  return std::make_shared<NativeArrayBuffer>(outBuf, outLen, [=]() { delete[] outBuf; });
+  uint8_t* raw_ptr = out_buf.get();
+  return std::make_shared<NativeArrayBuffer>(out_buf.release(), outLen, [raw_ptr]() { delete[] raw_ptr; });
 }
 
 } // namespace margelo::nitro::crypto