react-native-quick-crypto 1.1.0 → 1.1.2

package/cpp/cipher/GCMCipher.cpp

@@ -7,11 +7,13 @@
 namespace margelo::nitro::crypto {
 
 void GCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
-  // Clean up any existing context
-  if (ctx) {
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
-  }
+  // Resetting the unique_ptr frees any previous context.
+  ctx.reset();
+  is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
+  auth_tag_state = kAuthTagUnknown;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
@@ -20,47 +22,42 @@ void GCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::s
   }
 
   // 2. Create a new context
-  ctx = EVP_CIPHER_CTX_new();
+  ctx.reset(EVP_CIPHER_CTX_new());
   if (!ctx) {
     throw std::runtime_error("Failed to create cipher context");
   }
 
   // 3. Initialize with cipher type only (no key/IV yet)
-  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("GCMCipher: Failed initial CipherInit setup: " + std::string(err_buf));
   }
 
   // 4. Set IV length for non-standard IV sizes (GCM default is 96 bits/12 bytes)
-  auto native_iv = ToNativeArrayBuffer(iv);
-  size_t iv_len = native_iv->size();
+  size_t iv_len = iv->size();
 
   if (iv_len != 12) { // Only set if not the default length
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, static_cast<int>(iv_len), nullptr) != 1) {
+    if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, static_cast<int>(iv_len), nullptr) != 1) {
       unsigned long err = ERR_get_error();
       char err_buf[256];
       ERR_error_string_n(err, err_buf, sizeof(err_buf));
-      EVP_CIPHER_CTX_free(ctx);
-      ctx = nullptr;
+      ctx.reset();
       throw std::runtime_error("GCMCipher: Failed to set IV length: " + std::string(err_buf));
     }
   }
 
   // 5. Now set the key and IV
-  auto native_key = ToNativeArrayBuffer(cipher_key);
-  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
-  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(cipher_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(iv->data());
 
-  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("GCMCipher: Failed to set key/IV: " + std::string(err_buf));
   }
 }

package/cpp/cipher/HybridCipher.cpp

@@ -14,12 +14,9 @@
 
 namespace margelo::nitro::crypto {
 
-HybridCipher::~HybridCipher() {
-  if (ctx) {
-    EVP_CIPHER_CTX_free(ctx);
-    // No need to set ctx = nullptr here, object is being destroyed
-  }
-}
+// The unique_ptr in the base class destroys ctx automatically — nothing for
+// us to do here. Subclasses MUST NOT touch ctx in their own destructors.
+HybridCipher::~HybridCipher() = default;
 
 void HybridCipher::checkCtx() const {
   if (!ctx) {
@@ -33,11 +30,17 @@ void HybridCipher::checkNotFinalized() const {
   }
 }
 
+void HybridCipher::checkAADBeforeUpdate() const {
+  if (has_update_called) {
+    throw std::runtime_error("setAAD must be called before update");
+  }
+}
+
 bool HybridCipher::maybePassAuthTagToOpenSSL() {
   if (auth_tag_state == kAuthTagKnown) {
     OSSL_PARAM params[] = {OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, auth_tag, auth_tag_len),
                            OSSL_PARAM_construct_end()};
-    if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
+    if (!EVP_CIPHER_CTX_set_params(ctx.get(), params)) {
       unsigned long err = ERR_get_error();
       char err_buf[256];
       ERR_error_string_n(err, err_buf, sizeof(err_buf));
@@ -49,12 +52,12 @@ bool HybridCipher::maybePassAuthTagToOpenSSL() {
 }
 
 void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
-  // Clean up any existing context
-  if (ctx) {
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
-  }
+  // Resetting the unique_ptr frees any previous context.
+  ctx.reset();
   is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
@@ -63,35 +66,31 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   }
 
   // 2. Create a new context
-  ctx = EVP_CIPHER_CTX_new();
+  ctx.reset(EVP_CIPHER_CTX_new());
   if (!ctx) {
     throw std::runtime_error("Failed to create cipher context");
   }
 
   // Initialise the encryption/decryption operation with the cipher type.
   // Key and IV will be set later by the derived class if needed.
-  if (EVP_CipherInit_ex(ctx, cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("HybridCipher: Failed initial CipherInit setup: " + std::string(err_buf));
   }
 
   // For base hybrid cipher, set key and IV immediately.
   // Derived classes like CCM might override init and handle this differently.
-  auto native_key = ToNativeArrayBuffer(cipher_key);
-  auto native_iv = ToNativeArrayBuffer(iv);
-  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(native_key->data());
-  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(native_iv->data());
+  const unsigned char* key_ptr = reinterpret_cast<const unsigned char*>(cipher_key->data());
+  const unsigned char* iv_ptr = reinterpret_cast<const unsigned char*>(iv->data());
 
-  if (EVP_CipherInit_ex(ctx, nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
+  if (EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key_ptr, iv_ptr, is_cipher) != 1) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = nullptr;
+    ctx.reset();
     throw std::runtime_error("HybridCipher: Failed to set key/IV: " + std::string(err_buf));
   }
 
@@ -99,49 +98,49 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   std::string cipher_name(cipher_type);
   if (cipher_name.find("-wrap") != std::string::npos) {
     // This flag is required for AES-KW in OpenSSL 3.x
-    EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
-    EVP_CIPHER_CTX_set_padding(ctx, 0);
+    EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+    EVP_CIPHER_CTX_set_padding(ctx.get(), 0);
   }
 }
 
 std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
-  auto native_data = ToNativeArrayBuffer(data);
   checkCtx();
   checkNotFinalized();
-  size_t in_len = native_data->size();
+  has_update_called = true;
+  size_t in_len = data->size();
   if (in_len > INT_MAX) {
     throw std::runtime_error("Message too long");
   }
 
-  int out_len = in_len + EVP_CIPHER_CTX_block_size(ctx);
-  uint8_t* out = new uint8_t[out_len];
+  int out_len = in_len + EVP_CIPHER_CTX_block_size(ctx.get());
+  auto out_buf = std::make_unique<uint8_t[]>(out_len);
   // Perform the cipher update operation. The real size of the output is
   // returned in out_len
-  int ret = EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len);
+  int ret = EVP_CipherUpdate(ctx.get(), out_buf.get(), &out_len, data->data(), in_len);
 
   if (!ret) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    delete[] out;
     throw std::runtime_error("Cipher update failed: " + std::string(err_buf));
   }
 
   // Create and return a new buffer of exact size needed
-  return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
+  uint8_t* raw_ptr = out_buf.get();
+  return std::make_shared<NativeArrayBuffer>(out_buf.release(), out_len, [raw_ptr]() { delete[] raw_ptr; });
 }
 
 std::shared_ptr<ArrayBuffer> HybridCipher::final() {
   checkCtx();
   checkNotFinalized();
   // Block size is max output size for final, unless EVP_CIPH_NO_PADDING is set
-  int block_size = EVP_CIPHER_CTX_block_size(ctx);
+  int block_size = EVP_CIPHER_CTX_block_size(ctx.get());
   if (block_size <= 0)
     block_size = 16; // Default if block size is weird (e.g., 0)
   auto out_buf = std::make_unique<uint8_t[]>(block_size);
   int out_len = 0;
 
-  int ret = EVP_CipherFinal_ex(ctx, out_buf.get(), &out_len);
+  int ret = EVP_CipherFinal_ex(ctx.get(), out_buf.get(), &out_len);
   if (!ret) {
     unsigned long err = ERR_get_error();
     char err_buf[256];
@@ -165,11 +164,10 @@ std::shared_ptr<ArrayBuffer> HybridCipher::final() {
 
 bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
   checkCtx();
-  auto native_data = ToNativeArrayBuffer(data);
-
+  checkAADBeforeUpdate();
   // Set the AAD
   int out_len;
-  if (!EVP_CipherUpdate(ctx, nullptr, &out_len, native_data->data(), native_data->size())) {
+  if (!EVP_CipherUpdate(ctx.get(), nullptr, &out_len, data->data(), data->size())) {
     return false;
   }
 
@@ -179,7 +177,7 @@ bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optiona
 
 bool HybridCipher::setAutoPadding(bool autoPad) {
   checkCtx();
-  return EVP_CIPHER_CTX_set_padding(ctx, autoPad) == 1;
+  return EVP_CIPHER_CTX_set_padding(ctx.get(), autoPad) == 1;
 }
 
 bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
@@ -189,11 +187,10 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
     throw std::runtime_error("setAuthTag can only be called during decryption.");
   }
 
-  auto native_tag = ToNativeArrayBuffer(tag);
-  size_t tag_len = native_tag->size();
-  uint8_t* tag_ptr = native_tag->data();
+  size_t tag_len = tag->size();
+  uint8_t* tag_ptr = tag->data();
 
-  int mode = EVP_CIPHER_CTX_mode(ctx);
+  int mode = EVP_CIPHER_CTX_mode(ctx.get());
 
   if (mode == EVP_CIPH_GCM_MODE || mode == EVP_CIPH_OCB_MODE) {
     // Use EVP_CTRL_AEAD_SET_TAG for GCM/OCB decryption
@@ -202,10 +199,10 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
     }
     // Add check for valid cipher in context before setting tag
     // Use the correct OpenSSL 3 function: EVP_CIPHER_CTX_cipher
-    if (!EVP_CIPHER_CTX_cipher(ctx)) {
+    if (!EVP_CIPHER_CTX_cipher(ctx.get())) {
       throw std::runtime_error("Context has no cipher set before setting GCM/OCB tag");
     }
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag_ptr) <= 0) {
+    if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, tag_len, tag_ptr) <= 0) {
       unsigned long err = ERR_get_error();
       char err_buf[256];
       ERR_error_string_n(err, err_buf, sizeof(err_buf));
@@ -235,7 +232,7 @@ bool HybridCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
 std::shared_ptr<ArrayBuffer> HybridCipher::getAuthTag() {
   checkCtx();
 
-  int mode = EVP_CIPHER_CTX_mode(ctx);
+  int mode = EVP_CIPHER_CTX_mode(ctx.get());
 
   if (!is_cipher) {
     throw std::runtime_error("getAuthTag can only be called during encryption.");
@@ -246,7 +243,7 @@ std::shared_ptr<ArrayBuffer> HybridCipher::getAuthTag() {
     constexpr int max_tag_len = 16; // GCM/OCB tags are typically up to 16 bytes
     auto tag_buf = std::make_unique<uint8_t[]>(max_tag_len);
 
-    int ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, max_tag_len, tag_buf.get());
+    int ret = EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, max_tag_len, tag_buf.get());
 
     if (ret <= 0) {
       unsigned long err = ERR_get_error();
@@ -283,7 +280,7 @@ int HybridCipher::getMode() {
   if (!ctx) {
     throw std::runtime_error("Cipher not initialized. Did you call setArgs()?");
   }
-  return EVP_CIPHER_CTX_get_mode(ctx);
+  return EVP_CIPHER_CTX_get_mode(ctx.get());
 }
 
 void HybridCipher::setArgs(const CipherArgs& args) {

package/cpp/cipher/HybridCipher.hpp

@@ -1,5 +1,6 @@
 #pragma once
 
+#include <memory>
 #include <openssl/core_names.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -13,6 +14,15 @@
 
 namespace margelo::nitro::crypto {
 
+// Owning smart pointer for EVP_CIPHER_CTX. Living in the base class means
+// subclasses never have to remember to free it — the destruction order
+// (subclass → base) automatically calls the deleter when the cipher object
+// goes away. The previous design required each subclass to handle ctx in
+// its destructor, and three subclasses (CCM, ChaCha20, ChaCha20-Poly1305)
+// got it wrong by setting `ctx = nullptr` without calling the free first,
+// leaking the OpenSSL cipher context. See audit Phase 1.3.
+using EvpCipherCtxPtr = std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>;
+
 // Default tag length for OCB, SIV, CCM, ChaCha20-Poly1305
 constexpr unsigned kDefaultAuthTagLength = 16;
 
@@ -55,9 +65,14 @@ class HybridCipher : public HybridCipherSpec {
   bool is_cipher = true;
   bool is_finalized = false;
   std::string cipher_type;
-  EVP_CIPHER_CTX* ctx = nullptr;
+  EvpCipherCtxPtr ctx{nullptr, EVP_CIPHER_CTX_free};
   bool pending_auth_failed = false;
   bool has_aad = false;
+  // Tracks whether update() has been called on this cipher. Used to enforce
+  // the AEAD ordering invariant that setAAD() must precede any update() call;
+  // OpenSSL silently accepts misordered AAD/data on some modes (OCB,
+  // ChaCha20-Poly1305), letting an attacker truncate authenticated data.
+  bool has_update_called = false;
   uint8_t auth_tag[EVP_GCM_TLS_TAG_LEN];
   AuthTagState auth_tag_state;
   unsigned int auth_tag_len = 0;
@@ -68,6 +83,7 @@ class HybridCipher : public HybridCipherSpec {
   int getMode();
   void checkCtx() const;
   void checkNotFinalized() const;
+  void checkAADBeforeUpdate() const;
   bool maybePassAuthTagToOpenSSL();
 };
 

package/cpp/cipher/HybridRsaCipher.cpp

@@ -25,6 +25,38 @@ int toOpenSSLPadding(int padding) {
   }
 }
 
+// Bleichenbacher mitigation. For RSA PKCS#1 v1.5 decryption, ask OpenSSL to
+// substitute random-looking plaintext on padding-check failure rather than
+// surfacing a distinguishable error. This closes the "padding-valid /
+// padding-invalid" oracle that the Million Message Attack depends on. The
+// `EVP_PKEY_CTX_ctrl_str` knob was added in OpenSSL 3.2; if the underlying
+// build does not support it (BoringSSL, older OpenSSL) we refuse to perform
+// PKCS#1 v1.5 decryption rather than silently fall back to a configuration
+// that leaves the timing-side oracle open. Node.js (`crypto_cipher.cc`)
+// applies the same hard-fail policy. Returns true if implicit rejection is
+// engaged or not applicable (OAEP); false if PKCS#1 v1.5 was requested but
+// the knob failed. Always clears the OpenSSL error stack on failure so a
+// rejected knob does not leak through to a later operation.
+[[nodiscard]] static bool enableImplicitRejectionIfPkcs1(EVP_PKEY_CTX* ctx, int opensslPadding) {
+  if (opensslPadding != RSA_PKCS1_PADDING) {
+    return true;
+  }
+  bool ok = EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "1") > 0;
+  if (!ok) {
+    ERR_clear_error();
+  }
+  return ok;
+}
+
+// Throw the SAME message regardless of the underlying OpenSSL error so that
+// callers (and remote attackers in oracle-style scenarios) cannot distinguish
+// "padding invalid" from "data too large", "bad version", "wrong key", etc.
+// The OpenSSL error stack is cleared so it is not observable later.
+[[noreturn]] static void throwOpaqueDecryptFailure() {
+  ERR_clear_error();
+  throw std::runtime_error("RSA decryption failed");
+}
+
 std::shared_ptr<ArrayBuffer> HybridRsaCipher::encrypt(const std::shared_ptr<HybridKeyObjectHandleSpec>& keyHandle,
                                                       const std::shared_ptr<ArrayBuffer>& data, double padding,
                                                       const std::string& hashAlgorithm,
@@ -70,15 +102,14 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::encrypt(const std::shared_ptr<Hybr
     }
 
     if (label.has_value() && label.value()->size() > 0) {
-      auto native_label = ToNativeArrayBuffer(label.value());
-      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(native_label->size());
+      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(label.value()->size());
       if (!label_copy) {
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to allocate memory for label");
       }
-      std::memcpy(label_copy, native_label->data(), native_label->size());
+      std::memcpy(label_copy, label.value()->data(), label.value()->size());
 
-      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, native_label->size()) <= 0) {
+      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, label.value()->size()) <= 0) {
         OPENSSL_free(label_copy);
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to set OAEP label");
@@ -86,9 +117,8 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::encrypt(const std::shared_ptr<Hybr
     }
   }
 
-  auto native_data = ToNativeArrayBuffer(data);
-  const unsigned char* in = native_data->data();
-  size_t inlen = native_data->size();
+  const unsigned char* in = data->data();
+  size_t inlen = data->size();
 
   size_t outlen;
   if (EVP_PKEY_encrypt(ctx, nullptr, &outlen, in, inlen) <= 0) {
@@ -147,6 +177,11 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::decrypt(const std::shared_ptr<Hybr
     throw std::runtime_error("Failed to set RSA padding");
   }
 
+  if (!enableImplicitRejectionIfPkcs1(ctx, opensslPadding)) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("RSA PKCS#1 v1.5 decryption requires OpenSSL implicit-rejection support (>= 3.2)");
+  }
+
   if (paddingInt == kRsaOaepPadding) {
     const EVP_MD* md = getDigestByName(hashAlgorithm);
     if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0) {
@@ -160,15 +195,14 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::decrypt(const std::shared_ptr<Hybr
     }
 
     if (label.has_value() && label.value()->size() > 0) {
-      auto native_label = ToNativeArrayBuffer(label.value());
-      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(native_label->size());
+      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(label.value()->size());
       if (!label_copy) {
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to allocate memory for label");
       }
-      std::memcpy(label_copy, native_label->data(), native_label->size());
+      std::memcpy(label_copy, label.value()->data(), label.value()->size());
 
-      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, native_label->size()) <= 0) {
+      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, label.value()->size()) <= 0) {
         OPENSSL_free(label_copy);
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to set OAEP label");
@@ -176,27 +210,23 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::decrypt(const std::shared_ptr<Hybr
     }
   }
 
-  auto native_data = ToNativeArrayBuffer(data);
-  const unsigned char* in = native_data->data();
-  size_t inlen = native_data->size();
+  const unsigned char* in = data->data();
+  size_t inlen = data->size();
 
+  // Both decrypt calls below operate on attacker-controlled ciphertext, so
+  // any failure must be surfaced with an opaque, content-independent message.
+  // See enableImplicitRejectionIfPkcs1 / throwOpaqueDecryptFailure above.
   size_t outlen;
   if (EVP_PKEY_decrypt(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_decrypt(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);
@@ -235,41 +265,49 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::publicDecrypt(const std::shared_pt
     throw std::runtime_error("Failed to set RSA padding");
   }
 
-  auto native_data = ToNativeArrayBuffer(data);
-  const unsigned char* in = native_data->data();
-  size_t inlen = native_data->size();
+  const unsigned char* in = data->data();
+  size_t inlen = data->size();
 
+  // verify_recover acts on attacker-controlled ciphertext too — surface only
+  // an opaque error so a remote caller cannot distinguish failure modes.
   size_t outlen;
   if (EVP_PKEY_verify_recover(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   if (outlen == 0) {
     EVP_PKEY_CTX_free(ctx);
-    uint8_t* empty_buf = new uint8_t[1];
-    return std::make_shared<NativeArrayBuffer>(empty_buf, 0, [empty_buf]() { delete[] empty_buf; });
+    auto empty_buf = std::make_unique<uint8_t[]>(1);
+    uint8_t* raw_ptr = empty_buf.get();
+    return std::make_shared<NativeArrayBuffer>(empty_buf.release(), 0, [raw_ptr]() { delete[] raw_ptr; });
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_verify_recover(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
+    // Empty-plaintext recovery: when the original message was zero bytes,
+    // OpenSSL's verify_recover surfaces a specific reason code rather than
+    // returning success+outlen=0. Match the narrow code from the original
+    // implementation and return an empty buffer so `publicDecrypt(privateEncrypt(""))`
+    // round-trips. publicDecrypt is signature verification with the PUBLIC
+    // key — anyone can perform it — so the special case does not enable a
+    // Bleichenbacher-style oracle. The fall-through still uses the opaque
+    // throw helper.
+    //
+    // Use ERR_get_error (oldest in the FIFO queue) to match the inner
+    // padding-check error rather than ERR_peek_last_error which returns
+    // the outer wrapper code that doesn't satisfy the narrow match.
     unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-
     if ((err & 0xFFFFFFF) == 0x1C880004 || (err & 0xFF) == 0x04) {
       ERR_clear_error();
       EVP_PKEY_CTX_free(ctx);
-      uint8_t* empty_buf = new uint8_t[1];
-      return std::make_shared<NativeArrayBuffer>(empty_buf, 0, [empty_buf]() { delete[] empty_buf; });
+      auto empty_buf = std::make_unique<uint8_t[]>(1);
+      uint8_t* raw_ptr = empty_buf.get();
+      return std::make_shared<NativeArrayBuffer>(empty_buf.release(), 0, [raw_ptr]() { delete[] raw_ptr; });
     }
-
     EVP_PKEY_CTX_free(ctx);
-    throw std::runtime_error("Public decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);
@@ -308,9 +346,8 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateEncrypt(const std::shared_p
     throw std::runtime_error("Failed to set RSA padding");
   }
 
-  auto native_data = ToNativeArrayBuffer(data);
-  const unsigned char* in = native_data->data();
-  size_t inlen = native_data->size();
+  const unsigned char* in = data->data();
+  size_t inlen = data->size();
 
   size_t outlen;
   if (EVP_PKEY_sign(ctx, nullptr, &outlen, in, inlen) <= 0) {
@@ -369,6 +406,11 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateDecrypt(const std::shared_p
     throw std::runtime_error("Failed to set RSA padding");
   }
 
+  if (!enableImplicitRejectionIfPkcs1(ctx, opensslPadding)) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("RSA PKCS#1 v1.5 decryption requires OpenSSL implicit-rejection support (>= 3.2)");
+  }
+
   if (paddingInt == kRsaOaepPadding) {
     const EVP_MD* md = getDigestByName(hashAlgorithm);
     if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0) {
@@ -382,15 +424,14 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateDecrypt(const std::shared_p
     }
 
     if (label.has_value() && label.value()->size() > 0) {
-      auto native_label = ToNativeArrayBuffer(label.value());
-      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(native_label->size());
+      unsigned char* label_copy = (unsigned char*)OPENSSL_malloc(label.value()->size());
       if (!label_copy) {
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to allocate memory for label");
       }
-      std::memcpy(label_copy, native_label->data(), native_label->size());
+      std::memcpy(label_copy, label.value()->data(), label.value()->size());
 
-      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, native_label->size()) <= 0) {
+      if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, label.value()->size()) <= 0) {
         OPENSSL_free(label_copy);
         EVP_PKEY_CTX_free(ctx);
         throw std::runtime_error("Failed to set OAEP label");
@@ -398,27 +439,23 @@ std::shared_ptr<ArrayBuffer> HybridRsaCipher::privateDecrypt(const std::shared_p
     }
   }
 
-  auto native_data = ToNativeArrayBuffer(data);
-  const unsigned char* in = native_data->data();
-  size_t inlen = native_data->size();
+  const unsigned char* in = data->data();
+  size_t inlen = data->size();
 
+  // Both decrypt calls below operate on attacker-controlled ciphertext, so
+  // any failure must be surfaced with an opaque, content-independent message.
+  // See enableImplicitRejectionIfPkcs1 / throwOpaqueDecryptFailure above.
   size_t outlen;
   if (EVP_PKEY_decrypt(ctx, nullptr, &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to determine output length: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   auto out_buf = std::make_unique<uint8_t[]>(outlen);
 
   if (EVP_PKEY_decrypt(ctx, out_buf.get(), &outlen, in, inlen) <= 0) {
     EVP_PKEY_CTX_free(ctx);
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Private decryption failed: " + std::string(err_buf));
+    throwOpaqueDecryptFailure();
   }
 
   EVP_PKEY_CTX_free(ctx);

package/cpp/cipher/OCBCipher.cpp

@@ -17,7 +17,7 @@ void OCBCipher::init(const std::shared_ptr<ArrayBuffer>& key, const std::shared_
   if (auth_tag_len < 8 || auth_tag_len > 16) {
     throw std::runtime_error("OCB tag length must be between 8 and 16 bytes");
   }
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, auth_tag_len, nullptr) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len, nullptr) != 1) {
     throw std::runtime_error("Failed to set OCB tag length");
   }
 }
@@ -28,7 +28,7 @@ std::shared_ptr<ArrayBuffer> OCBCipher::getAuthTag() {
     throw std::runtime_error("getAuthTag can only be called during encryption.");
   }
   auto tag_buf = std::make_unique<uint8_t[]>(auth_tag_len);
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, auth_tag_len, tag_buf.get()) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, auth_tag_len, tag_buf.get()) != 1) {
     throw std::runtime_error("Failed to get OCB auth tag");
   }
   uint8_t* raw_ptr = tag_buf.get();
@@ -40,15 +40,15 @@ bool OCBCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
   if (is_cipher) {
     throw std::runtime_error("setAuthTag can only be called during decryption.");
   }
-  auto native_tag = ToNativeArrayBuffer(tag);
-  size_t tag_len = native_tag->size();
+  size_t tag_len = tag->size();
   if (tag_len < 8 || tag_len > 16) {
     throw std::runtime_error("Invalid OCB tag length");
   }
-  if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, native_tag->data()) != 1) {
+  if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, tag_len, tag->data()) != 1) {
     throw std::runtime_error("Failed to set OCB auth tag");
   }
   auth_tag_len = tag_len;
+  auth_tag_state = kAuthTagPassedToOpenSSL;
   return true;
 }