react-native-quick-crypto 1.0.8 → 1.0.10

package/QuickCrypto.podspec

@@ -22,10 +22,50 @@ Pod::Spec.new do |s|
   sodium_enabled = ENV['SODIUM_ENABLED'] == '1'
   Pod::UI.puts("[QuickCrypto]  🧂 has libsodium #{sodium_enabled ? "enabled" : "disabled"}!")
 
+  # Ensure libsodium source is present during podspec evaluation when enabled.
+  # This is necessary because prepare_command is skipped for :path pods.
+  if sodium_enabled
+    sodium_version = "1.0.20"
+    sodium_dir = File.join(__dir__, "ios", "libsodium-stable")
+    sodium_header = File.join(sodium_dir, "src", "libsodium", "include", "sodium.h")
+    unless File.exist?(sodium_header)
+      FileUtils.mkdir_p(File.join(__dir__, "ios"))
+      FileUtils.rm_rf(sodium_dir) if File.directory?(sodium_dir)
+
+      Pod::UI.puts "[QuickCrypto] ⬇️  Downloading libsodium source..."
+      Dir.chdir(__dir__) do
+        system("curl -sSfL --connect-timeout 30 --max-time 300 -o ios/libsodium.tar.gz https://download.libsodium.org/libsodium/releases/libsodium-#{sodium_version}-stable.tar.gz") || raise("Failed to download libsodium")
+        system("tar -xzf ios/libsodium.tar.gz -C ios") || raise("Failed to extract libsodium")
+        File.delete("ios/libsodium.tar.gz") if File.exist?("ios/libsodium.tar.gz")
+      end
+      Pod::UI.puts "[QuickCrypto] ✅ libsodium source downloaded successfully"
+    end
+  end
+
   # OpenSSL 3.6+ vendored xcframework (not yet on CocoaPods trunk)
-  openssl_version = "3.6.0000"
+  openssl_version = "3.6.0001"
   openssl_url = "https://github.com/krzyzanowskim/OpenSSL/releases/download/#{openssl_version}/OpenSSL.xcframework.zip"
 
+  # Ensure OpenSSL.xcframework is present during podspec evaluation.
+  # This is necessary because prepare_command is skipped for :path pods,
+  # which is how React Native native modules are installed.
+  # See: https://github.com/margelo/react-native-quick-crypto/issues/882
+  openssl_dir = File.join(__dir__, "OpenSSL.xcframework")
+  openssl_plist = File.join(openssl_dir, "Info.plist")
+  unless File.exist?(openssl_plist)
+    # Clean up any partial download
+    FileUtils.rm_rf(openssl_dir) if File.directory?(openssl_dir)
+    FileUtils.rm_f(File.join(__dir__, "OpenSSL.xcframework.zip"))
+
+    Pod::UI.puts "[QuickCrypto] ⬇️  Downloading OpenSSL.xcframework..."
+    Dir.chdir(__dir__) do
+      system("curl -sSfL --connect-timeout 30 --max-time 300 -o OpenSSL.xcframework.zip #{openssl_url}") || raise("Failed to download OpenSSL")
+      system("unzip -q -o OpenSSL.xcframework.zip") || raise("Failed to unzip OpenSSL")
+      File.delete("OpenSSL.xcframework.zip") if File.exist?("OpenSSL.xcframework.zip")
+    end
+    Pod::UI.puts "[QuickCrypto] ✅ OpenSSL.xcframework downloaded successfully"
+  end
+
   if sodium_enabled
     # Build libsodium from source for XSalsa20 cipher support
     # CocoaPods packages are outdated (1.0.12) and SPM causes module conflicts
@@ -72,7 +112,7 @@ Pod::Spec.new do |s|
     # implementation (C++)
     "cpp/**/*.{hpp,cpp}",
     # dependencies (C++) - ncrypto
-    "deps/ncrypto/include/*.{h}",
+    "deps/ncrypto/include/**/*.{h}",
     "deps/ncrypto/src/*.{cpp}",
     # dependencies (C) - exclude BLAKE3 x86 SIMD files (only use portable + NEON for ARM)
     "deps/blake3/c/*.{h,c}",
@@ -103,6 +143,9 @@ Pod::Spec.new do |s|
     "deps/blake3/c/example.c",
     "deps/blake3/c/example_tbb.c",
     "deps/blake3/c/blake3_tbb.cpp",
+    # Exclude ncrypto version.h to avoid header name collision with libsodium's version.h
+    # (ncrypto.h includes it via relative path "ncrypto/version.h" which still resolves)
+    "deps/ncrypto/include/ncrypto/version.h",
     # Exclude non-C parts of BLAKE3 repo (Rust, benchmarks, tools, etc.)
     "deps/blake3/src/**/*",
     "deps/blake3/b3sum/**/*",
@@ -125,7 +168,11 @@ Pod::Spec.new do |s|
     "CLANG_CXX_LANGUAGE_STANDARD" => "c++20",
     "CLANG_ALLOW_NON_MODULAR_INCLUDES_IN_FRAMEWORK_MODULES" => "YES",
     # Exclude ARM NEON source when building x86_64 simulator (no NEON support).
-    "EXCLUDED_SOURCE_FILE_NAMES[sdk=iphonesimulator*][arch=x86_64]" => "deps/blake3/c/blake3_neon.c"
+    "EXCLUDED_SOURCE_FILE_NAMES[sdk=iphonesimulator*][arch=x86_64]" => "deps/blake3/c/blake3_neon.c",
+    # Disable x86 SIMD intrinsics on iOS simulator — the .c implementation files are already
+    # excluded above, but blake3_dispatch.c still references the symbols unless these macros
+    # are defined. Mirrors the Android CMakeLists.txt approach (line 18-22).
+    "GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*][arch=x86_64]" => "$(inherited) BLAKE3_NO_AVX512 BLAKE3_NO_AVX2 BLAKE3_NO_SSE41 BLAKE3_NO_SSE2"
   }
 
   # Add cpp subdirectories to header search paths
@@ -141,12 +188,15 @@ Pod::Spec.new do |s|
   ]
 
   if sodium_enabled
+    # Use absolute path from __dir__ which resolves symlinks correctly.
+    # This is necessary in monorepo setups where the podspec is accessed via symlink
+    # but the source files are resolved to their real paths during compilation.
+    real_sodium_include = File.join(__dir__, "ios", "libsodium-stable", "src", "libsodium", "include")
     sodium_headers = [
       "\"$(PODS_TARGET_SRCROOT)/ios/libsodium-stable/src/libsodium/include\"",
       "\"$(PODS_TARGET_SRCROOT)/ios/libsodium-stable/src/libsodium/include/sodium\"",
-      "\"$(PODS_TARGET_SRCROOT)/ios/libsodium-stable\"",
-      "\"$(PODS_ROOT)/../../packages/react-native-quick-crypto/ios/libsodium-stable/src/libsodium/include\"",
-      "\"$(PODS_ROOT)/../../packages/react-native-quick-crypto/ios/libsodium-stable/src/libsodium/include/sodium\""
+      "\"#{real_sodium_include}\"",
+      "\"#{real_sodium_include}/sodium\""
     ]
     xcconfig["HEADER_SEARCH_PATHS"] = (cpp_headers + sodium_headers).join(' ')
     xcconfig["GCC_PREPROCESSOR_DEFINITIONS"] = "$(inherited) FOLLY_NO_CONFIG FOLLY_CFG_NO_COROUTINES BLSALLOC_SODIUM=1"

package/README.md

@@ -10,19 +10,15 @@
 
 A fast implementation of Node's `crypto` module.
 
-> Note: This version `1.x` completed a major refactor, porting to OpenSSL 3.6+, New Architecture, Bridgeless, and [`Nitro Modules`](https://github.com/mrousavy/react-native-nitro).  It should be at or above feature-parity compared to the `0.x` version.  Status, as always, will be represented in [implementation-coverage.md](./.docs/implementation-coverage.md).
-
-> Note: Minimum supported version of React Native is `0.75`.  If you need to use earlier versions, please use `0.x` versions of this library.
-
 ## Features
 
 Unlike any other current JS-based polyfills, react-native-quick-crypto is written in C/C++ JSI and provides much greater performance - especially on mobile devices.
-QuickCrypto can be used as a drop-in replacement for your Web3/Crypto apps to speed up common cryptography functions.
+QuickCrypto can be used as a drop-in replacement for your Web3/Crypto apps or CRDT-based local first databases to speed up common cryptography functions.
 
-- 🏎️ Up to 58x faster than all other solutions
-- ⚡️ Lightning fast implementation with pure C++ and JSI, instead of JS
+- 🏎️ Hundreds of times faster than all JS-based solutions
+- ⚡️ Lightning fast implementation with Nitro Modules (pure C++ and JSI) instead of JS
 - 🧪 Well tested in JS and C++ (OpenSSL)
-- 💰 Made for crypto apps and Wallets
+- 💰 Made for crypto apps and wallets
 - 🔢 Secure native compiled cryptography
 - 🔁 Easy drop-in replacement for [crypto-browserify](https://github.com/browserify/crypto-browserify) or [react-native-crypto](https://github.com/tradle/react-native-crypto)
 
@@ -33,6 +29,8 @@ QuickCrypto can be used as a drop-in replacement for your Web3/Crypto apps to sp
 | `1.x`     | new [->](https://github.com/reactwg/react-native-new-architecture/blob/main/docs/enable-apps.md)  | Nitro Modules [->](https://github.com/mrousavy/nitro) |
 | `0.x`     | old, new 🤞  | Bridge & JSI |
 
+> Note: Minimum supported version of React Native is `0.75`.  If you need to use earlier versions, please use `0.x` versions of this library.
+
 ## Migration
 
 Our goal in refactoring to v1.0 was to maintain API compatibility.  If you are upgrading to v1.0 from v0.x, and find any discrepancies, please open an issue in this repo.
@@ -50,12 +48,18 @@ There is a benchmark suite in the Example app in this repo that has benchmarks o
 </h3>
 
 ```sh
-bun add react-native-quick-crypto react-native-nitro-modules
+bun add react-native-quick-crypto react-native-nitro-modules react-native-quick-base64
 cd ios && pod install
 ```
 
 <h3>
-  Expo  <a href="#"><img src="./.docs/img/expo.png" height="12" /></a>
+  Expo  <a href="#">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="./.docs/img/expo/dark.png" />
+      <source media="(prefers-color-scheme: light)" srcset="./.docs/img/expo/light.png" />
+      <img alt="Expo" src="./.docs/img/expo/light.png" height="12" />
+      </picture>
+  </a>
 </h3>
 
 ```sh
@@ -114,7 +118,7 @@ module.exports = {
 +       alias: {
 +         'crypto': 'react-native-quick-crypto',
 +         'stream': 'readable-stream',
-+         'buffer': '@craftzdog/react-native-buffer',
++         'buffer': 'react-native-quick-crypto',
 +       },
 +     },
 +   ],
@@ -123,6 +127,8 @@ module.exports = {
 };
 ```
 
+> **Note:** `react-native-quick-crypto` re-exports `Buffer` from `@craftzdog/react-native-buffer`, so you can use either as the buffer alias. Using `react-native-quick-crypto` ensures a single Buffer instance across your app.
+
 Then restart your bundler using `yarn start --reset-cache`.
 
 ## Usage

package/android/CMakeLists.txt

@@ -32,6 +32,8 @@ add_library(
   ../cpp/cipher/HybridRsaCipher.cpp
   ../cpp/cipher/OCBCipher.cpp
   ../cpp/cipher/XSalsa20Cipher.cpp
+  ../cpp/cipher/XSalsa20Poly1305Cipher.cpp
+  ../cpp/cipher/XChaCha20Poly1305Cipher.cpp
   ../cpp/cipher/ChaCha20Cipher.cpp
   ../cpp/cipher/ChaCha20Poly1305Cipher.cpp
   ../cpp/dh/HybridDiffieHellman.cpp
@@ -53,6 +55,8 @@ add_library(
   ../cpp/utils/HybridUtils.cpp
   ${BLAKE3_SOURCES}
   ../deps/fastpbkdf2/fastpbkdf2.c
+  ../deps/ncrypto/src/aead.cpp
+  ../deps/ncrypto/src/engine.cpp
   ../deps/ncrypto/src/ncrypto.cpp
 )
 

package/android/build.gradle

@@ -79,6 +79,9 @@ android {
   buildFeatures {
     buildConfig true
     prefab true
+    // Explicitly disable RenderScript (deprecated since Android 12, removed in AGP 9.0)
+    // to suppress 'isRenderscriptDebuggable is obsolete' warning. See #802.
+    renderScript = false
   }
 
 packagingOptions {

package/cpp/cipher/HybridCipherFactory.hpp

@@ -11,7 +11,9 @@
 #include "HybridCipherFactorySpec.hpp"
 #include "OCBCipher.hpp"
 #include "QuickCryptoUtils.hpp"
+#include "XChaCha20Poly1305Cipher.hpp"
 #include "XSalsa20Cipher.hpp"
+#include "XSalsa20Poly1305Cipher.hpp"
 
 namespace margelo::nitro::crypto {
 
@@ -88,7 +90,7 @@ class HybridCipherFactory : public HybridCipherFactorySpec {
     }
     EVP_CIPHER_free(cipher);
 
-    // libsodium
+    // libsodium ciphers
     std::string cipherName = toLower(args.cipherType);
     if (cipherName == "xsalsa20") {
       cipherInstance = std::make_shared<XSalsa20Cipher>();
@@ -96,6 +98,18 @@ class HybridCipherFactory : public HybridCipherFactorySpec {
       cipherInstance->init(args.cipherKey, args.iv);
       return cipherInstance;
     }
+    if (cipherName == "xsalsa20-poly1305") {
+      cipherInstance = std::make_shared<XSalsa20Poly1305Cipher>();
+      cipherInstance->setArgs(args);
+      cipherInstance->init(args.cipherKey, args.iv);
+      return cipherInstance;
+    }
+    if (cipherName == "xchacha20-poly1305") {
+      cipherInstance = std::make_shared<XChaCha20Poly1305Cipher>();
+      cipherInstance->setArgs(args);
+      cipherInstance->init(args.cipherKey, args.iv);
+      return cipherInstance;
+    }
 
     // Unsupported cipher type
     throw std::runtime_error("Unsupported or unknown cipher type: " + args.cipherType);

package/cpp/cipher/OCBCipher.cpp

@@ -13,9 +13,9 @@ void OCBCipher::init(const std::shared_ptr<ArrayBuffer>& key, const std::shared_
   HybridCipher::init(key, iv);
   auth_tag_len = tag_len;
 
-  // Set tag length for OCB (must be 12-16 bytes)
-  if (auth_tag_len < 12 || auth_tag_len > 16) {
-    throw std::runtime_error("OCB tag length must be between 12 and 16 bytes");
+  // Set tag length for OCB (must be 8-16 bytes)
+  if (auth_tag_len < 8 || auth_tag_len > 16) {
+    throw std::runtime_error("OCB tag length must be between 8 and 16 bytes");
   }
   if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, auth_tag_len, nullptr) != 1) {
     throw std::runtime_error("Failed to set OCB tag length");
@@ -42,7 +42,7 @@ bool OCBCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
   }
   auto native_tag = ToNativeArrayBuffer(tag);
   size_t tag_len = native_tag->size();
-  if (tag_len < 12 || tag_len > 16) {
+  if (tag_len < 8 || tag_len > 16) {
     throw std::runtime_error("Invalid OCB tag length");
   }
   if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, native_tag->data()) != 1) {

package/cpp/cipher/XChaCha20Poly1305Cipher.cpp

@@ -0,0 +1,161 @@
+#include "XChaCha20Poly1305Cipher.hpp"
+
+#include <cstring>
+#include <stdexcept>
+
+#include "NitroModules/ArrayBuffer.hpp"
+#include "QuickCryptoUtils.hpp"
+
+namespace margelo::nitro::crypto {
+
+XChaCha20Poly1305Cipher::~XChaCha20Poly1305Cipher() {
+#ifdef BLSALLOC_SODIUM
+  sodium_memzero(key_, kKeySize);
+  sodium_memzero(nonce_, kNonceSize);
+  sodium_memzero(auth_tag_, kTagSize);
+  if (!data_buffer_.empty()) {
+    sodium_memzero(data_buffer_.data(), data_buffer_.size());
+  }
+  if (!aad_.empty()) {
+    sodium_memzero(aad_.data(), aad_.size());
+  }
+#else
+  std::memset(key_, 0, kKeySize);
+  std::memset(nonce_, 0, kNonceSize);
+  std::memset(auth_tag_, 0, kTagSize);
+#endif
+  data_buffer_.clear();
+  aad_.clear();
+}
+
+void XChaCha20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+
+  if (native_key->size() != kKeySize) {
+    throw std::runtime_error("XChaCha20-Poly1305 key must be 32 bytes, got " + std::to_string(native_key->size()) + " bytes");
+  }
+
+  if (native_iv->size() != kNonceSize) {
+    throw std::runtime_error("XChaCha20-Poly1305 nonce must be 24 bytes, got " + std::to_string(native_iv->size()) + " bytes");
+  }
+
+  std::memcpy(key_, native_key->data(), kKeySize);
+  std::memcpy(nonce_, native_iv->data(), kNonceSize);
+
+  data_buffer_.clear();
+  aad_.clear();
+  final_called_ = false;
+}
+
+std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t data_len = native_data->size();
+
+  size_t old_size = data_buffer_.size();
+  data_buffer_.resize(old_size + data_len);
+  std::memcpy(data_buffer_.data() + old_size, native_data->data(), data_len);
+
+  return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::final() {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (is_cipher) {
+    uint8_t* ciphertext = new uint8_t[data_buffer_.size()];
+
+    int result =
+        crypto_aead_xchacha20poly1305_ietf_encrypt_detached(ciphertext, auth_tag_, nullptr, data_buffer_.data(), data_buffer_.size(),
+                                                            aad_.empty() ? nullptr : aad_.data(), aad_.size(), nullptr, nonce_, key_);
+
+    if (result != 0) {
+      sodium_memzero(ciphertext, data_buffer_.size());
+      delete[] ciphertext;
+      throw std::runtime_error("XChaCha20Poly1305Cipher: encryption failed");
+    }
+
+    final_called_ = true;
+    size_t ct_len = data_buffer_.size();
+    return std::make_shared<NativeArrayBuffer>(ciphertext, ct_len, [=]() { delete[] ciphertext; });
+  } else {
+    if (data_buffer_.empty()) {
+      final_called_ = true;
+      return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+    }
+
+    uint8_t* plaintext = new uint8_t[data_buffer_.size()];
+
+    int result =
+        crypto_aead_xchacha20poly1305_ietf_decrypt_detached(plaintext, nullptr, data_buffer_.data(), data_buffer_.size(), auth_tag_,
+                                                            aad_.empty() ? nullptr : aad_.data(), aad_.size(), nonce_, key_);
+
+    if (result != 0) {
+      sodium_memzero(plaintext, data_buffer_.size());
+      delete[] plaintext;
+      throw std::runtime_error("XChaCha20Poly1305Cipher: decryption failed - authentication tag mismatch");
+    }
+
+    final_called_ = true;
+    size_t pt_len = data_buffer_.size();
+    return std::make_shared<NativeArrayBuffer>(plaintext, pt_len, [=]() { delete[] plaintext; });
+  }
+#endif
+}
+
+bool XChaCha20Poly1305Cipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  auto native_aad = ToNativeArrayBuffer(data);
+  aad_.resize(native_aad->size());
+  std::memcpy(aad_.data(), native_aad->data(), native_aad->size());
+  return true;
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::getAuthTag() {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (!is_cipher) {
+    throw std::runtime_error("getAuthTag can only be called during encryption");
+  }
+  if (!final_called_) {
+    throw std::runtime_error("getAuthTag must be called after final()");
+  }
+
+  uint8_t* tag_copy = new uint8_t[kTagSize];
+  std::memcpy(tag_copy, auth_tag_, kTagSize);
+  return std::make_shared<NativeArrayBuffer>(tag_copy, kTagSize, [=]() { delete[] tag_copy; });
+#endif
+}
+
+bool XChaCha20Poly1305Cipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (is_cipher) {
+    throw std::runtime_error("setAuthTag can only be called during decryption");
+  }
+
+  auto native_tag = ToNativeArrayBuffer(tag);
+  if (native_tag->size() != kTagSize) {
+    throw std::runtime_error("XChaCha20-Poly1305 tag must be 16 bytes, got " + std::to_string(native_tag->size()) + " bytes");
+  }
+
+  std::memcpy(auth_tag_, native_tag->data(), kTagSize);
+  return true;
+#endif
+}
+
+bool XChaCha20Poly1305Cipher::setAutoPadding(bool autoPad) {
+  throw std::runtime_error("setAutoPadding is not supported for xchacha20-poly1305");
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/XChaCha20Poly1305Cipher.hpp

@@ -0,0 +1,43 @@
+#pragma once
+
+#ifdef BLSALLOC_SODIUM
+#include "sodium.h"
+#else
+#define crypto_aead_xchacha20poly1305_ietf_KEYBYTES 32U
+#define crypto_aead_xchacha20poly1305_ietf_NPUBBYTES 24U
+#define crypto_aead_xchacha20poly1305_ietf_ABYTES 16U
+#endif
+
+#include <vector>
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class XChaCha20Poly1305Cipher : public HybridCipher {
+ public:
+  XChaCha20Poly1305Cipher() : HybridObject(TAG), final_called_(false) {}
+  ~XChaCha20Poly1305Cipher();
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+  std::shared_ptr<ArrayBuffer> getAuthTag() override;
+  bool setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) override;
+  bool setAutoPadding(bool autoPad) override;
+
+ private:
+  static constexpr size_t kKeySize = crypto_aead_xchacha20poly1305_ietf_KEYBYTES;
+  static constexpr size_t kNonceSize = crypto_aead_xchacha20poly1305_ietf_NPUBBYTES;
+  static constexpr size_t kTagSize = crypto_aead_xchacha20poly1305_ietf_ABYTES;
+
+  uint8_t key_[kKeySize];
+  uint8_t nonce_[kNonceSize];
+  std::vector<uint8_t> aad_;
+  std::vector<uint8_t> data_buffer_;
+  uint8_t auth_tag_[kTagSize];
+  bool final_called_;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/XSalsa20Poly1305Cipher.cpp

@@ -0,0 +1,145 @@
+#include "XSalsa20Poly1305Cipher.hpp"
+
+#include <cstring>
+#include <stdexcept>
+
+#include "NitroModules/ArrayBuffer.hpp"
+#include "QuickCryptoUtils.hpp"
+
+namespace margelo::nitro::crypto {
+
+XSalsa20Poly1305Cipher::~XSalsa20Poly1305Cipher() {
+#ifdef BLSALLOC_SODIUM
+  sodium_memzero(key_, kKeySize);
+  sodium_memzero(nonce_, kNonceSize);
+  sodium_memzero(auth_tag_, kTagSize);
+  if (!data_buffer_.empty()) {
+    sodium_memzero(data_buffer_.data(), data_buffer_.size());
+  }
+#else
+  std::memset(key_, 0, kKeySize);
+  std::memset(nonce_, 0, kNonceSize);
+  std::memset(auth_tag_, 0, kTagSize);
+#endif
+  data_buffer_.clear();
+}
+
+void XSalsa20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+
+  if (native_key->size() != kKeySize) {
+    throw std::runtime_error("XSalsa20-Poly1305 key must be 32 bytes, got " + std::to_string(native_key->size()) + " bytes");
+  }
+
+  if (native_iv->size() != kNonceSize) {
+    throw std::runtime_error("XSalsa20-Poly1305 nonce must be 24 bytes, got " + std::to_string(native_iv->size()) + " bytes");
+  }
+
+  std::memcpy(key_, native_key->data(), kKeySize);
+  std::memcpy(nonce_, native_iv->data(), kNonceSize);
+
+  data_buffer_.clear();
+  final_called_ = false;
+}
+
+std::shared_ptr<ArrayBuffer> XSalsa20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XSalsa20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  auto native_data = ToNativeArrayBuffer(data);
+  size_t data_len = native_data->size();
+
+  size_t old_size = data_buffer_.size();
+  data_buffer_.resize(old_size + data_len);
+  std::memcpy(data_buffer_.data() + old_size, native_data->data(), data_len);
+
+  return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> XSalsa20Poly1305Cipher::final() {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XSalsa20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (is_cipher) {
+    uint8_t* ciphertext = new uint8_t[data_buffer_.size()];
+
+    int result = crypto_secretbox_detached(ciphertext, auth_tag_, data_buffer_.data(), data_buffer_.size(), nonce_, key_);
+
+    if (result != 0) {
+      sodium_memzero(ciphertext, data_buffer_.size());
+      delete[] ciphertext;
+      throw std::runtime_error("XSalsa20Poly1305Cipher: encryption failed");
+    }
+
+    final_called_ = true;
+    size_t ct_len = data_buffer_.size();
+    return std::make_shared<NativeArrayBuffer>(ciphertext, ct_len, [=]() { delete[] ciphertext; });
+  } else {
+    if (data_buffer_.empty()) {
+      final_called_ = true;
+      return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+    }
+
+    uint8_t* plaintext = new uint8_t[data_buffer_.size()];
+
+    int result = crypto_secretbox_open_detached(plaintext, data_buffer_.data(), auth_tag_, data_buffer_.size(), nonce_, key_);
+
+    if (result != 0) {
+      sodium_memzero(plaintext, data_buffer_.size());
+      delete[] plaintext;
+      throw std::runtime_error("XSalsa20Poly1305Cipher: decryption failed - authentication tag mismatch");
+    }
+
+    final_called_ = true;
+    size_t pt_len = data_buffer_.size();
+    return std::make_shared<NativeArrayBuffer>(plaintext, pt_len, [=]() { delete[] plaintext; });
+  }
+#endif
+}
+
+bool XSalsa20Poly1305Cipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
+  throw std::runtime_error("AAD is not supported for xsalsa20-poly1305 (use xchacha20-poly1305 instead)");
+}
+
+std::shared_ptr<ArrayBuffer> XSalsa20Poly1305Cipher::getAuthTag() {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XSalsa20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (!is_cipher) {
+    throw std::runtime_error("getAuthTag can only be called during encryption");
+  }
+  if (!final_called_) {
+    throw std::runtime_error("getAuthTag must be called after final()");
+  }
+
+  uint8_t* tag_copy = new uint8_t[kTagSize];
+  std::memcpy(tag_copy, auth_tag_, kTagSize);
+  return std::make_shared<NativeArrayBuffer>(tag_copy, kTagSize, [=]() { delete[] tag_copy; });
+#endif
+}
+
+bool XSalsa20Poly1305Cipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
+#ifndef BLSALLOC_SODIUM
+  throw std::runtime_error("XSalsa20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
+#else
+  if (is_cipher) {
+    throw std::runtime_error("setAuthTag can only be called during decryption");
+  }
+
+  auto native_tag = ToNativeArrayBuffer(tag);
+  if (native_tag->size() != kTagSize) {
+    throw std::runtime_error("XSalsa20-Poly1305 tag must be 16 bytes, got " + std::to_string(native_tag->size()) + " bytes");
+  }
+
+  std::memcpy(auth_tag_, native_tag->data(), kTagSize);
+  return true;
+#endif
+}
+
+bool XSalsa20Poly1305Cipher::setAutoPadding(bool autoPad) {
+  throw std::runtime_error("setAutoPadding is not supported for xsalsa20-poly1305");
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/XSalsa20Poly1305Cipher.hpp

@@ -0,0 +1,42 @@
+#pragma once
+
+#ifdef BLSALLOC_SODIUM
+#include "sodium.h"
+#else
+#define crypto_secretbox_xsalsa20poly1305_KEYBYTES 32U
+#define crypto_secretbox_xsalsa20poly1305_NONCEBYTES 24U
+#define crypto_secretbox_xsalsa20poly1305_MACBYTES 16U
+#endif
+
+#include <vector>
+
+#include "HybridCipher.hpp"
+
+namespace margelo::nitro::crypto {
+
+class XSalsa20Poly1305Cipher : public HybridCipher {
+ public:
+  XSalsa20Poly1305Cipher() : HybridObject(TAG), final_called_(false) {}
+  ~XSalsa20Poly1305Cipher();
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+  bool setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) override;
+  std::shared_ptr<ArrayBuffer> getAuthTag() override;
+  bool setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) override;
+  bool setAutoPadding(bool autoPad) override;
+
+ private:
+  static constexpr size_t kKeySize = crypto_secretbox_xsalsa20poly1305_KEYBYTES;
+  static constexpr size_t kNonceSize = crypto_secretbox_xsalsa20poly1305_NONCEBYTES;
+  static constexpr size_t kTagSize = crypto_secretbox_xsalsa20poly1305_MACBYTES;
+
+  uint8_t key_[kKeySize];
+  uint8_t nonce_[kNonceSize];
+  std::vector<uint8_t> data_buffer_;
+  uint8_t auth_tag_[kTagSize];
+  bool final_called_;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/dh/HybridDiffieHellman.cpp

@@ -433,6 +433,16 @@ const DH* HybridDiffieHellman::getDH() const {
   return dh;
 }
 
+double HybridDiffieHellman::getVerifyError() {
+  ensureInitialized();
+  const DH* dh = getDH();
+  int codes = 0;
+  if (DH_check(const_cast<DH*>(dh), &codes) != 1) {
+    return 0;
+  }
+  return static_cast<double>(codes);
+}
+
 #pragma clang diagnostic pop
 
 } // namespace margelo::nitro::crypto