react-native-quick-crypto 1.1.0 → 1.1.1

package/cpp/cipher/HybridCipher.cpp

@@ -14,12 +14,9 @@
 
 namespace margelo::nitro::crypto {
 
-HybridCipher::~HybridCipher() {
-  if (ctx) {
-    EVP_CIPHER_CTX_free(ctx);
-    // No need to set ctx = nullptr here, object is being destroyed
-  }
-}
+// The unique_ptr in the base class destroys ctx automatically — nothing for
+// us to do here. Subclasses MUST NOT touch ctx in their own destructors.
+HybridCipher::~HybridCipher() = default;
 
 void HybridCipher::checkCtx() const {
   if (!ctx) {
@@ -33,11 +30,17 @@ void HybridCipher::checkNotFinalized() const {
   }
 }
 
+void HybridCipher::checkAADBeforeUpdate() const {
+  if (has_update_called) {
+    throw std::runtime_error("setAAD must be called before update");
+  }
+}
+
 bool HybridCipher::maybePassAuthTagToOpenSSL() {
   if (auth_tag_state == kAuthTagKnown) {
     OSSL_PARAM params[] = {OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, auth_tag, auth_tag_len),
                            OSSL_PARAM_construct_end()};
-    if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
+    if (!EVP_CIPHER_CTX_set_params(ctx.get(), params)) {
       unsigned long err = ERR_get_error();
       char err_buf[256];
       ERR_error_string_n(err, err_buf, sizeof(err_buf));
@@ -49,12 +52,12 @@ bool HybridCipher::maybePassAuthTagToOpenSSL() {
 }
 
 void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
-  // Clean up any existing context
-  if (ctx) {
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
-  }
+  // Resetting the unique_ptr frees any previous context.
+  ctx.reset();
   is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
@@ -63,19 +66,18 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   }
 
   // 2. Create a new context
-  ctx = EVP_CIPHER_CTX_new();
+  ctx.reset(EVP_CIPHER_CTX_new());
   if (!ctx) {
     throw std::runtime_error("Failed to create cipher context");
   }
 
   // Initialise the encryption/decryption operation with the cipher type.
   // Key and IV will be set later by the derived class if needed.
-  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("HybridCipher: Failed initial CipherInit setup: " + std::string(err_buf));
   }
 
@@ -86,12 +88,11 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
   const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
 
-  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("HybridCipher: Failed to set key/IV: " + std::string(err_buf));
   }
 
@@ -99,8 +100,8 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   std::string cipher_name(cipher_type);
   if (cipher_name.find("-wrap") != std::string::npos) {
     // This flag is required for AES-KW in OpenSSL 3.x
-    EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
-    EVP_CIPHER_CTX_set_padding(ctx, 0);
+    EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+    EVP_CIPHER_CTX_set_padding(ctx.get(), 0);
   }
 }
 
@@ -108,40 +109,41 @@ std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuf
   auto native_data = ToNativeArrayBuffer(data);
   checkCtx();
   checkNotFinalized();
+  has_update_called = true;
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
     throw std::runtime_error("Message too long");
   }
 
-  int out_len = in_len + EVP_CIPHER_CTX_block_size(ctx);
-  uint8_t* out = new uint8_t[out_len];
+  int out_len = in_len + EVP_CIPHER_CTX_block_size(ctx.get());
+  auto out_buf = std::make_unique<uint8_t[]>(out_len);
   // Perform the cipher update operation. The real size of the output is
   // returned in out_len
-  int ret = EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len);
+  int ret = EVP_CipherUpdate(ctx.get(), out_buf.get(), &out_len, native_data->data(), in_len);
 
   if (!ret) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    delete[] out;
     throw std::runtime_error("Cipher update failed: " + std::string(err_buf));
   }
 
   // Create and return a new buffer of exact size needed
-  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+  uint8_t* raw_ptr = out_buf.get();
+  return std::make_shared<NativeArrayBuffer>(out_buf.release(), out_len, [raw_ptr]() { delete[] raw_ptr; });
 }
 
 std::shared_ptr<ArrayBuffer> HybridCipher::final() {
   checkCtx();
   checkNotFinalized();
   // Block size is max output size for final, unless EVP_CIPH_NO_PADDING is set
-  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  int block_size = EVP_CIPHER_CTX_block_size(ctx.get());
   if (block_size <= 0)
     block_size = 16; // Default if block size is weird (e.g., 0)
   auto out_buf = std::make_unique<uint8_t[]>(block_size);
   int out_len = 0;
 
-  int ret = EVP_CipherFinal_ex(ctx, out_buf.get(), &out_len);
+  int ret = EVP_CipherFinal_ex(ctx.get(), out_buf.get(), &out_len);
   if (!ret) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
@@ -165,11 +167,12 @@ std::shared_ptr<ArrayBuffer> HybridCipher::final() {
 
 bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
   checkCtx();
+  checkAADBeforeUpdate();
   auto native_data = ToNativeArrayBuffer(data);
 
   // Set the AAD
   int out_len;
-  if (!EVP_CipherUpdate(ctx, nullptr, &out_len, native_data->data(), native_data->size())) {
+  if (!EVP_CipherUpdate(ctx.get(), nullptr, &out_len, native_data->data(), native_data->size())) {
     return false;
   }
 
@@ -179,7 +182,7 @@ bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optiona
 
 bool HybridCipher::setAutoPadding(bool autoPad) {
   checkCtx();
-  return EVP_CIPHER_CTX_set_padding(ctx, autoPad) == 1;
+  return EVP_CIPHER_CTX_set_padding(ctx.get(), autoPad) == 1;
 }
 
 bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
@@ -193,7 +196,7 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
   size_t tag_len = native_tag->size();
   uint8_t* tag_ptr = native_tag->data();
 
-  int mode = EVP_CIPHER_CTX_mode(ctx);
+  int mode = EVP_CIPHER_CTX_mode(ctx.get());
 
   if (mode == EVP_CIPH_GCM_MODE || mode == EVP_CIPH_OCB_MODE) {
     // Use EVP_CTRL_AEAD_SET_TAG for GCM/OCB decryption
@@ -202,10 +205,10 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
     }
     // Add check for valid cipher in context before setting tag
     // Use the correct OpenSSL 3 function: EVP_CIPHER_CTX_cipher
-    if (!EVP_CIPHER_CTX_cipher(ctx)) {
+    if (!EVP_CIPHER_CTX_cipher(ctx.get())) {
       throw std::runtime_error("Context has no cipher set before setting GCM/OCB tag");
     }
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag_ptr) <= 0) {
+    if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, tag_len, tag_ptr) <= 0) {
       unsigned long err = ERR_get_error();
       char err_buf[256];
       ERR_error_string_n(err, err_buf, sizeof(err_buf));
@@ -235,7 +238,7 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
 std::shared_ptr<ArrayBuffer> HybridCipher::getAuthTag() {
   checkCtx();
 
-  int mode = EVP_CIPHER_CTX_mode(ctx);
+  int mode = EVP_CIPHER_CTX_mode(ctx.get());
 
   if (!is_cipher) {
     throw std::runtime_error("getAuthTag can only be called during encryption.");
@@ -246,7 +249,7 @@ std::shared_ptr<ArrayBuffer> HybridCipher::getAuthTag() {
     constexpr int max_tag_len = 16; // GCM/OCB tags are typically up to 16 bytes
     auto tag_buf = std::make_unique<uint8_t[]>(max_tag_len);
 
-    int ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, max_tag_len, tag_buf.get());
+    int ret = EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, max_tag_len, tag_buf.get());
 
     if (ret <= 0) {
       unsigned long err = ERR_get_error();
@@ -283,7 +286,7 @@ int HybridCipher::getMode() {
   if (!ctx) {
     throw std::runtime_error("Cipher not initialized. Did you call setArgs()?");
   }
-  return EVP_CIPHER_CTX_get_mode(ctx);
+  return EVP_CIPHER_CTX_get_mode(ctx.get());
 }
 
 void HybridCipher::setArgs(const CipherArgs& args) {

package/cpp/cipher/HybridCipher.hpp

@@ -1,5 +1,6 @@
 #pragma once
 
+#include <memory>
 #include <openssl/core_names.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -13,6 +14,15 @@
 
 namespace margelo::nitro::crypto {
 
+// Owning smart pointer for EVP_CIPHER_CTX. Living in the base class means
+// subclasses never have to remember to free it — the destruction order
+// (subclass → base) automatically calls the deleter when the cipher object
+// goes away. The previous design required each subclass to handle ctx in
+// its destructor, and three subclasses (CCM, ChaCha20, ChaCha20-Poly1305)
+// got it wrong by setting `ctx = nullptr` without calling the free first,
+// leaking the OpenSSL cipher context. See audit Phase 1.3.
+using EvpCipherCtxPtr = std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>;
+
 // Default tag length for OCB, SIV, CCM, ChaCha20-Poly1305
 constexpr unsigned kDefaultAuthTagLength = 16;
 
@@ -55,9 +65,14 @@ class HybridCipher : public HybridCipherSpec {
   bool is_cipher = true;
   bool is_finalized = false;
   std::string cipher_type;
-  EVP_CIPHER_CTX* ctx = nullptr;
+  EvpCipherCtxPtr ctx{nullptr, EVP_CIPHER_CTX_free};
   bool pending_auth_failed = false;
   bool has_aad = false;
+  // Tracks whether update() has been called on this cipher. Used to enforce
+  // the AEAD ordering invariant that setAAD() must precede any update() call;
+  // OpenSSL silently accepts misordered AAD/data on some modes (OCB,
+  // ChaCha20-Poly1305), letting an attacker truncate authenticated data.
+  bool has_update_called = false;
   uint8_t auth_tag[EVP_GCM_TLS_TAG_LEN];
   AuthTagState auth_tag_state;
   unsigned int auth_tag_len = 0;
@@ -68,6 +83,7 @@ class HybridCipher : public HybridCipherSpec {
   int getMode();
   void checkCtx() const;
   void checkNotFinalized() const;
+  void checkAADBeforeUpdate() const;
   bool maybePassAuthTagToOpenSSL();
 };
 

package/cpp/cipher/HybridRsaCipher.cpp

@@ -25,6 +25,38 @@ int toOpenSSLPadding(int padding) {
   }
 }
 
+// Bleichenbacher mitigation. For RSA PKCS#1 v1.5 decryption, ask OpenSSL to
+// substitute random-looking plaintext on padding-check failure rather than
+// surfacing a distinguishable error. This closes the "padding-valid /
+// padding-invalid" oracle that the Million Message Attack depends on. The
+// `EVP_PKEY_CTX_ctrl_str` knob was added in OpenSSL 3.2; if the underlying
+// build does not support it (BoringSSL, older OpenSSL) we refuse to perform
+// PKCS#1 v1.5 decryption rather than silently fall back to a configuration
+// that leaves the timing-side oracle open. Node.js (`crypto_cipher.cc`)
+// applies the same hard-fail policy. Returns true if implicit rejection is
+// engaged or not applicable (OAEP); false if PKCS#1 v1.5 was requested but
+// the knob failed. Always clears the OpenSSL error stack on failure so a
+// rejected knob does not leak through to a later operation.
+[[nodiscard]] static bool enableImplicitRejectionIfPkcs1(EVP_PKEY_CTX* ctx, int opensslPadding) {
+  if (opensslPadding != RSA_PKCS1_PADDING) {
+    return true;
+  }
+  bool ok = EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "1") > 0;
+  if (!ok) {
+    ERR_clear_error();
+  }
+  return ok;
+}
+
+// Throw the SAME message regardless of the underlying OpenSSL error so that
+// callers (and remote attackers in oracle-style scenarios) cannot distinguish
+// "padding invalid" from "data too large", "bad version", "wrong key", etc.
+// The OpenSSL error stack is cleared so it is not observable later.
+[[noreturn]] static void throwOpaqueDecryptFailure() {
+  ERR_clear_error();
+  throw std::runtime_error("RSA decryption failed");
+}
+
 std::shared_ptr<ArrayBuffer> HybridRsaCipher::encrypt(const std::shared_ptr<HybridKeyObjectHandleSpec>& keyHandle,
                                                       const std::shared_ptr<ArrayBuffer>& data, double padding,
                                                       const std::string& hashAlgorithm,
@@ -147,6 +179,11 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::decrypt(const std::shared_ptr<Hybr
     throw std::runtime_error("Failed to set RSA padding");
   }
 
+  if (!enableImplicitRejectionIfPkcs1(ctx, opensslPadding)) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("RSA PKCS#1 v1.5 decryption requires OpenSSL implicit-rejection support (>= 3.2)");
+  }
+
   if (paddingInt == kRsaOaepPadding) {
     const EVP_MD* md = getDigestByName(hashAlgorithm);
     if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0) {
@@ -180,23 +217,20 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::decrypt(const std::shared_ptr<Hybr
   const unsigned char* in = native_data->data();
   size_t inlen = native_data->size();
 
+  // Both decrypt calls below operate on attacker-controlled ciphertext, so
+  // any failure must be surfaced with an opaque, content-independent message.
+  // See enableImplicitRejectionIfPkcs1 / throwOpaqueDecryptFailure above.
   size_t outlen;
   if (EVP_PKEY_decrypt(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_decrypt(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);
@@ -239,37 +273,46 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::publicDecrypt(const std::shared_pt
   const unsigned char* in = native_data->data();
   size_t inlen = native_data->size();
 
+  // verify_recover acts on attacker-controlled ciphertext too — surface only
+  // an opaque error so a remote caller cannot distinguish failure modes.
   size_t outlen;
   if (EVP_PKEY_verify_recover(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   if (outlen == 0) {
     EVP_PKEY_CTX_free(ctx);
-    uint8_t* empty_buf = new uint8_t[1];
-    return std::make_shared<NativeArrayBuffer>(empty_buf, 0, [empty_buf]() { delete[] empty_buf; });
+    auto empty_buf = std::make_unique<uint8_t[]>(1);
+    uint8_t* raw_ptr = empty_buf.get();
+    return std::make_shared<NativeArrayBuffer>(empty_buf.release(), 0, [raw_ptr]() { delete[] raw_ptr; });
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_verify_recover(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
+    // Empty-plaintext recovery: when the original message was zero bytes,
+    // OpenSSL's verify_recover surfaces a specific reason code rather than
+    // returning success+outlen=0. Match the narrow code from the original
+    // implementation and return an empty buffer so `publicDecrypt(privateEncrypt(""))`
+    // round-trips. publicDecrypt is signature verification with the PUBLIC
+    // key — anyone can perform it — so the special case does not enable a
+    // Bleichenbacher-style oracle. The fall-through still uses the opaque
+    // throw helper.
+    //
+    // Use ERR_get_error (oldest in the FIFO queue) to match the inner
+    // padding-check error rather than ERR_peek_last_error which returns
+    // the outer wrapper code that doesn't satisfy the narrow match.
     unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-
     if ((err & 0xFFFFFFF) == 0x1C880004 || (err & 0xFF) == 0x04) {
       ERR_clear_error();
       EVP_PKEY_CTX_free(ctx);
-      uint8_t* empty_buf = new uint8_t[1];
-      return std::make_shared<NativeArrayBuffer>(empty_buf, 0, [empty_buf]() { delete[] empty_buf; });
+      auto empty_buf = std::make_unique<uint8_t[]>(1);
+      uint8_t* raw_ptr = empty_buf.get();
+      return std::make_shared<NativeArrayBuffer>(empty_buf.release(), 0, [raw_ptr]() { delete[] raw_ptr; });
     }
-
     EVP_PKEY_CTX_free(ctx);
-    throw std::runtime_error("Public decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);
@@ -369,6 +412,11 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateDecrypt(const std::shared_p
     throw std::runtime_error("Failed to set RSA padding");
   }
 
+  if (!enableImplicitRejectionIfPkcs1(ctx, opensslPadding)) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("RSA PKCS#1 v1.5 decryption requires OpenSSL implicit-rejection support (>= 3.2)");
+  }
+
   if (paddingInt == kRsaOaepPadding) {
     const EVP_MD* md = getDigestByName(hashAlgorithm);
     if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0) {
@@ -402,23 +450,20 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateDecrypt(const std::shared_p
   const unsigned char* in = native_data->data();
   size_t inlen = native_data->size();
 
+  // Both decrypt calls below operate on attacker-controlled ciphertext, so
+  // any failure must be surfaced with an opaque, content-independent message.
+  // See enableImplicitRejectionIfPkcs1 / throwOpaqueDecryptFailure above.
   size_t outlen;
   if (EVP_PKEY_decrypt(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_decrypt(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Private decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);

package/cpp/cipher/OCBCipher.cpp

@@ -17,7 +17,7 @@ void OCBCipher::init(const std::shared_ptr<ArrayBuffer>& key, const std::shared_
   if (auth_tag_len < 8 || auth_tag_len > 16) {
     throw std::runtime_error("OCB tag length must be between 8 and 16 bytes");
   }
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, auth_tag_len, nullptr) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len, nullptr) != 1) {
     throw std::runtime_error("Failed to set OCB tag length");
   }
 }
@@ -28,7 +28,7 @@ std::shared_ptr<ArrayBuffer> OCBCipher::getAuthTag() {
     throw std::runtime_error("getAuthTag can only be called during encryption.");
   }
   auto tag_buf = std::make_unique<uint8_t[]>(auth_tag_len);
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, auth_tag_len, tag_buf.get()) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, auth_tag_len, tag_buf.get()) != 1) {
     throw std::runtime_error("Failed to get OCB auth tag");
   }
   uint8_t* raw_ptr = tag_buf.get();
@@ -45,10 +45,11 @@ bool OCBCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
   if (tag_len < 8 || tag_len > 16) {
     throw std::runtime_error("Invalid OCB tag length");
   }
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, native_tag->data()) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, tag_len, native_tag->data()) != 1) {
     throw std::runtime_error("Failed to set OCB auth tag");
   }
   auth_tag_len = tag_len;
+  auth_tag_state = kAuthTagPassedToOpenSSL;
   return true;
 }
 

package/cpp/cipher/XChaCha20Poly1305Cipher.cpp

@@ -70,42 +70,42 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::final() {
   throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
 #else
   if (is_cipher) {
-    uint8_t* ciphertext = new uint8_t[data_buffer_.size()];
+    auto ciphertext = std::make_unique<uint8_t[]>(data_buffer_.size());
 
     int result =
-        crypto_aead_xchacha20poly1305_ietf_encrypt_detached(ciphertext, auth_tag_, nullptr, data_buffer_.data(), data_buffer_.size(),
+        crypto_aead_xchacha20poly1305_ietf_encrypt_detached(ciphertext.get(), auth_tag_, nullptr, data_buffer_.data(), data_buffer_.size(),
                                                             aad_.empty() ? nullptr : aad_.data(), aad_.size(), nullptr, nonce_, key_);
 
     if (result != 0) {
-      sodium_memzero(ciphertext, data_buffer_.size());
-      delete[] ciphertext;
+      sodium_memzero(ciphertext.get(), data_buffer_.size());
       throw std::runtime_error("XChaCha20Poly1305Cipher: encryption failed");
     }
 
     is_finalized = true;
     size_t ct_len = data_buffer_.size();
-    return std::make_shared<NativeArrayBuffer>(ciphertext, ct_len, [=]() { delete[] ciphertext; });
+    uint8_t* raw_ptr = ciphertext.get();
+    return std::make_shared<NativeArrayBuffer>(ciphertext.release(), ct_len, [raw_ptr]() { delete[] raw_ptr; });
   } else {
     if (data_buffer_.empty()) {
       is_finalized = true;
       return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
     }
 
-    uint8_t* plaintext = new uint8_t[data_buffer_.size()];
+    auto plaintext = std::make_unique<uint8_t[]>(data_buffer_.size());
 
     int result =
-        crypto_aead_xchacha20poly1305_ietf_decrypt_detached(plaintext, nullptr, data_buffer_.data(), data_buffer_.size(), auth_tag_,
+        crypto_aead_xchacha20poly1305_ietf_decrypt_detached(plaintext.get(), nullptr, data_buffer_.data(), data_buffer_.size(), auth_tag_,
                                                             aad_.empty() ? nullptr : aad_.data(), aad_.size(), nonce_, key_);
 
     if (result != 0) {
-      sodium_memzero(plaintext, data_buffer_.size());
-      delete[] plaintext;
+      sodium_memzero(plaintext.get(), data_buffer_.size());
       throw std::runtime_error("XChaCha20Poly1305Cipher: decryption failed - authentication tag mismatch");
     }
 
     is_finalized = true;
     size_t pt_len = data_buffer_.size();
-    return std::make_shared<NativeArrayBuffer>(plaintext, pt_len, [=]() { delete[] plaintext; });
+    uint8_t* raw_ptr = plaintext.get();
+    return std::make_shared<NativeArrayBuffer>(plaintext.release(), pt_len, [raw_ptr]() { delete[] raw_ptr; });
   }
 #endif
 }
@@ -132,9 +132,10 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::getAuthTag() {
     throw std::runtime_error("getAuthTag must be called after final()");
   }
 
-  uint8_t* tag_copy = new uint8_t[kTagSize];
-  std::memcpy(tag_copy, auth_tag_, kTagSize);
-  return std::make_shared<NativeArrayBuffer>(tag_copy, kTagSize, [=]() { delete[] tag_copy; });
+  auto tag_copy = std::make_unique<uint8_t[]>(kTagSize);
+  std::memcpy(tag_copy.get(), auth_tag_, kTagSize);
+  uint8_t* raw_ptr = tag_copy.get();
+  return std::make_shared<NativeArrayBuffer>(tag_copy.release(), kTagSize, [raw_ptr]() { delete[] raw_ptr; });
 #endif
 }
 

package/cpp/cipher/XSalsa20Cipher.cpp

@@ -1,4 +1,6 @@
+#include <algorithm>
 #include <cstring>   // For std::memcpy
+#include <memory>    // For std::unique_ptr
 #include <stdexcept> // For std::runtime_error
 
 #include "NitroModules/ArrayBuffer.hpp"
@@ -28,11 +30,27 @@ void XSalsa20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const s
   // Copy key and nonce data
   std::memcpy(key, native_key->data(), crypto_stream_KEYBYTES);
   std::memcpy(nonce, native_iv->data(), crypto_stream_NONCEBYTES);
+
+  // Reset streaming state so a re-init'd cipher does not accidentally reuse
+  // keystream bytes from a previous session.
+  block_counter = 0;
+  leftover_offset = kSalsa20BlockBytes;
+
   is_finalized = false;
 }
 
 /**
- * xsalsa20 call to sodium implementation
+ * xsalsa20 update — encrypts/decrypts `data` while keeping the keystream
+ * advancing across successive update() calls.
+ *
+ * Implementation notes:
+ *   1. First, drain any unused keystream bytes left over from the previous
+ *      chunk's trailing partial block.
+ *   2. Then process as many aligned whole 64-byte blocks as possible by
+ *      jumping the keystream to `block_counter` via crypto_stream_xsalsa20_xor_ic.
+ *   3. For the remaining tail (< 64 bytes), generate one full keystream
+ *      block, XOR the requested prefix, and stash the unused suffix for the
+ *      next update() call.
  */
 std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkNotFinalized();
@@ -40,12 +58,60 @@ std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayB
   throw std::runtime_error("XSalsa20Cipher: libsodium must be enabled to use this cipher (BLSALLOC_SODIUM is not defined).");
 #else
   auto native_data = ToNativeArrayBuffer(data);
-  auto output = new uint8_t[native_data->size()];
-  int result = crypto_stream_xor(output, native_data->data(), native_data->size(), nonce, key);
-  if (result != 0) {
-    throw std::runtime_error("XSalsa20Cipher: Failed to update");
+  const std::size_t data_size = native_data->size();
+
+  if (data_size == 0) {
+    return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+  }
+
+  // Owning buffer: prevents leaking `output` if we throw on the way out.
+  auto output = std::make_unique<uint8_t[]>(data_size);
+  const uint8_t* input = native_data->data();
+  std::size_t pos = 0;
+
+  // (1) Drain any unused keystream from the previous update()'s tail block.
+  if (leftover_offset < kSalsa20BlockBytes) {
+    const std::size_t avail = kSalsa20BlockBytes - leftover_offset;
+    const std::size_t take = std::min(avail, data_size);
+    for (std::size_t i = 0; i < take; ++i) {
+      output[i] = input[i] ^ leftover_keystream[leftover_offset + i];
+    }
+    leftover_offset += take;
+    pos = take;
   }
-  return std::make_shared<NativeArrayBuffer>(output, native_data->size(), [=]() { delete[] output; });
+
+  // (2) Encrypt the aligned whole blocks at the current block counter.
+  const std::size_t remaining = data_size - pos;
+  const std::size_t whole_blocks = remaining / kSalsa20BlockBytes;
+  const std::size_t whole_bytes = whole_blocks * kSalsa20BlockBytes;
+  if (whole_bytes > 0) {
+    int rc = crypto_stream_xsalsa20_xor_ic(output.get() + pos, input + pos, whole_bytes, nonce, block_counter, key);
+    if (rc != 0) {
+      throw std::runtime_error("XSalsa20Cipher: crypto_stream_xsalsa20_xor_ic failed");
+    }
+    block_counter += whole_blocks;
+    pos += whole_bytes;
+  }
+
+  // (3) For any trailing partial block, generate one full keystream block,
+  //     XOR the requested prefix, and stash the unused keystream bytes for
+  //     the next update() call.
+  const std::size_t tail = data_size - pos;
+  if (tail > 0) {
+    uint8_t zeros[kSalsa20BlockBytes] = {};
+    int rc = crypto_stream_xsalsa20_xor_ic(leftover_keystream, zeros, kSalsa20BlockBytes, nonce, block_counter, key);
+    if (rc != 0) {
+      throw std::runtime_error("XSalsa20Cipher: crypto_stream_xsalsa20_xor_ic failed");
+    }
+    for (std::size_t i = 0; i < tail; ++i) {
+      output[pos + i] = input[pos + i] ^ leftover_keystream[i];
+    }
+    leftover_offset = tail;
+    block_counter += 1;
+  }
+
+  uint8_t* raw = output.release();
+  return std::make_shared<NativeArrayBuffer>(raw, data_size, [=]() { delete[] raw; });
 #endif
 }