fix(crypto): resolve 11 failing tests from Phase 4 security audit

Five distinct fixes addressing failures introduced by the Phase 4.3
(AEAD misuse), 4.5 (Random callback), and 4.6 (cross-impl verify)
suites:

1. AEAD cipher state guards (4 tests) — adds `has_update_called` to
   HybridCipher base; `setAAD` throws if called after `update` for
   OCB and ChaCha20-Poly1305. OpenSSL silently accepts misordered
   AAD/data on those modes, letting an attacker truncate
   authenticated data.

   For CCM decipher, `update()` no longer throws on missing-tag
   verification — defers to `final()` so the failure surfaces at
   the documented place ("auth tag mismatch on final") rather than
   the misleading "Tag verification failed on update".

   ChaCha20-Poly1305 `final()` explicitly checks `auth_tag_state`
   for decipher; OpenSSL's chacha20-poly1305 `EVP_CipherFinal_ex`
   does not flag a missing tag, which would silently accept
   unauthenticated ciphertext.

   `setAuthTag` overrides on OCB and ChaCha20-Poly1305 now also
   transition `auth_tag_state` (was only the base-class method).

2. ECDSA P1363↔DER auto-detect (1 test) — `HybridEcKeyPair::verify`
   was unconditionally converting sigs from P1363 to DER, which
   fails for callers that already pass DER (`subtle.verify` with
   `dsaEncoding:'der'`, or the Node-API path). Now: if `sig_len ==
   2*n` treat as P1363 and convert, otherwise pass through as DER.

3. `randomInt` async callback (3 tests) — was passing `undefined`
   as the error arg; tests pin Node-style `cb(null, value)`.

4. `randomFill` in-place semantics (1 test) — the native async
   path operates on a copy of the underlying buffer (necessary for
   thread safety on the worker), so the caller's view never saw
   the random bytes. JS layer now copies the randomized window
   from the C++ result back into the caller's buffer, restoring
   Node-API in-place semantics.

5. HKDF RFC 5869 Case 6 fixture (2 tests) — IKM was 11 bytes of
   0x0b but the expected OKM `0ac1af70…` is the verbatim RFC A.6
   vector, which requires 22 bytes of 0x0b. The implementation was
   correct; the test fixture had a typo (Case 7 below uses the full
   22-byte IKM, matching RFC A.7).

Author: boorad

example/src/tests/hkdf/hkdf_tests.ts

@@ -57,7 +57,7 @@ const testVectors = [
   },
   // A.6 — Test Case 6: SHA-1 with zero-length salt and zero-length info
   {
-    ikm: '0b0b0b0b0b0b0b0b0b0b0b',
+    ikm: '0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b',
     salt: '',
     info: '',
     len: 42,

packages/react-native-quick-crypto/cpp/cipher/CCMCipher.cpp

@@ -55,6 +55,7 @@ void CCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::s
 std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkCtx();
   checkNotFinalized();
+  has_update_called = true;
   auto native_data = ToNativeArrayBuffer(data);
   size_t in_len = native_data->size();
   if (in_len < 0 || in_len > INT_MAX) {
@@ -82,10 +83,14 @@ std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer
   int ret = EVP_CipherUpdate(ctx.get(), out_buf.get(), &actual_out_len, in, in_len);
 
   if (!is_cipher) {
-    // Decryption: Check for tag verification failure
+    // Decryption: tag verification happens during update for CCM. Don't
+    // throw here — defer the failure to final() so callers see the standard
+    // "auth tag mismatch on final" semantics. This also covers the misuse
+    // case where setAuthTag() was never called: ret <= 0 here, we record
+    // it, and final() turns it into a thrown error.
     if (ret <= 0) {
-      // Tag verification failed (or other decryption error)
-      throw std::runtime_error("CCM Decryption: Tag verification failed");
+      pending_auth_failed = true;
+      actual_out_len = 0;
     }
   } else {
     // Encryption: Check for standard errors
@@ -107,9 +112,15 @@ std::shared_ptr<ArrayBuffer> CCMCipher::final() {
   checkCtx();
   checkNotFinalized();
 
-  // CCM decryption does not use final. Verification happens in the last update call.
+  // CCM decryption does not use final for the verification step itself
+  // (that happens in update()), but final() is still where misuse must
+  // surface — both "setAuthTag was never called" and "the tag we did set
+  // didn't match the ciphertext" land here.
   if (!is_cipher) {
     is_finalized = true;
+    if (auth_tag_state == kAuthTagUnknown || pending_auth_failed) {
+      throw std::runtime_error("Unsupported state or unable to authenticate data");
+    }
     auto empty_output = std::make_unique<unsigned char[]>(0);
     unsigned char* raw_ptr = empty_output.get();
     return std::make_shared<NativeArrayBuffer>(empty_output.release(), 0, [raw_ptr]() { delete[] raw_ptr; });
@@ -149,6 +160,7 @@ std::shared_ptr<ArrayBuffer> CCMCipher::final() {
 
 bool CCMCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
   checkCtx();
+  checkAADBeforeUpdate();
   if (!plaintextLength.has_value()) {
     throw std::runtime_error("CCM mode requires plaintextLength to be set");
   }

packages/react-native-quick-crypto/cpp/cipher/ChaCha20Poly1305Cipher.cpp

@@ -56,11 +56,16 @@ void ChaCha20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key,
     throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set key/IV: " + std::string(err_buf));
   }
   is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
+  auth_tag_state = kAuthTagUnknown;
 }
 
 std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkCtx();
   checkNotFinalized();
+  has_update_called = true;
   auto native_data = ToNativeArrayBuffer(data);
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
@@ -88,6 +93,15 @@ std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::final() {
   checkCtx();
   checkNotFinalized();
 
+  // For decryption, the auth tag must have been provided via setAuthTag
+  // before final(). OpenSSL's ChaCha20-Poly1305 EVP_CipherFinal_ex does
+  // not flag a missing tag as an error (it simply doesn't verify), which
+  // would silently accept unauthenticated ciphertext — defeating the whole
+  // point of an AEAD. Enforce the precondition explicitly.
+  if (!is_cipher && auth_tag_state == kAuthTagUnknown) {
+    throw std::runtime_error("Unsupported state or unable to authenticate data");
+  }
+
   // For ChaCha20-Poly1305, we need to call final to generate the tag
   int out_len = 0;
   auto out_buf = std::make_unique<unsigned char[]>(0);
@@ -106,6 +120,7 @@ std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::final() {
 
 bool ChaCha20Poly1305Cipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
   checkCtx();
+  checkAADBeforeUpdate();
   auto native_aad = ToNativeArrayBuffer(data);
   size_t aad_len = native_aad->size();
 
@@ -159,6 +174,7 @@ bool ChaCha20Poly1305Cipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag)
     ERR_error_string_n(err, err_buf, sizeof(err_buf));
     throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set auth tag: " + std::string(err_buf));
   }
+  auth_tag_state = kAuthTagPassedToOpenSSL;
   return true;
 }
 

packages/react-native-quick-crypto/cpp/cipher/GCMCipher.cpp

@@ -9,6 +9,11 @@ namespace margelo::nitro::crypto {
 void GCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
   // Resetting the unique_ptr frees any previous context.
   ctx.reset();
+  is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
+  auth_tag_state = kAuthTagUnknown;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());

packages/react-native-quick-crypto/cpp/cipher/HybridCipher.cpp

@@ -30,6 +30,12 @@ void HybridCipher::checkNotFinalized() const {
   }
 }
 
+void HybridCipher::checkAADBeforeUpdate() const {
+  if (has_update_called) {
+    throw std::runtime_error("setAAD must be called before update");
+  }
+}
+
 bool HybridCipher::maybePassAuthTagToOpenSSL() {
   if (auth_tag_state == kAuthTagKnown) {
     OSSL_PARAM params[] = {OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, auth_tag, auth_tag_len),
@@ -49,6 +55,9 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
   // Resetting the unique_ptr frees any previous context.
   ctx.reset();
   is_finalized = false;
+  has_update_called = false;
+  has_aad = false;
+  pending_auth_failed = false;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
@@ -100,6 +109,7 @@ std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuf
   auto native_data = ToNativeArrayBuffer(data);
   checkCtx();
   checkNotFinalized();
+  has_update_called = true;
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
     throw std::runtime_error("Message too long");
@@ -157,6 +167,7 @@ std::shared_ptr<ArrayBuffer> HybridCipher::final() {
 
 bool HybridCipher::setAAD(const std::shared_ptr<ArrayBuffer>& data, std::optional<double> plaintextLength) {
   checkCtx();
+  checkAADBeforeUpdate();
   auto native_data = ToNativeArrayBuffer(data);
 
   // Set the AAD

packages/react-native-quick-crypto/cpp/cipher/HybridCipher.hpp

@@ -68,6 +68,11 @@ class HybridCipher : public HybridCipherSpec {
   EvpCipherCtxPtr ctx{nullptr, EVP_CIPHER_CTX_free};
   bool pending_auth_failed = false;
   bool has_aad = false;
+  // Tracks whether update() has been called on this cipher. Used to enforce
+  // the AEAD ordering invariant that setAAD() must precede any update() call;
+  // OpenSSL silently accepts misordered AAD/data on some modes (OCB,
+  // ChaCha20-Poly1305), letting an attacker truncate authenticated data.
+  bool has_update_called = false;
   uint8_t auth_tag[EVP_GCM_TLS_TAG_LEN];
   AuthTagState auth_tag_state;
   unsigned int auth_tag_len = 0;
@@ -78,6 +83,7 @@ class HybridCipher : public HybridCipherSpec {
   int getMode();
   void checkCtx() const;
   void checkNotFinalized() const;
+  void checkAADBeforeUpdate() const;
   bool maybePassAuthTagToOpenSSL();
 };
 

packages/react-native-quick-crypto/cpp/cipher/OCBCipher.cpp

@@ -49,6 +49,7 @@ bool OCBCipher::setAuthTag(const std::shared_ptr<ArrayBuffer>& tag) {
     throw std::runtime_error("Failed to set OCB auth tag");
   }
   auth_tag_len = tag_len;
+  auth_tag_state = kAuthTagPassedToOpenSSL;
   return true;
 }
 

packages/react-native-quick-crypto/cpp/ec/HybridEcKeyPair.cpp

@@ -418,7 +418,12 @@ bool HybridEcKeyPair::verify(const std::shared_ptr<ArrayBuffer>& data, const std
     throw std::runtime_error("Failed to update ECDSA verification with data");
   }
 
-  // Web Crypto API passes IEEE P1363 format, OpenSSL expects DER
+  // Web Crypto API typically passes IEEE P1363 (raw r||s, exactly 2*n bytes);
+  // the Node-API path with `dsaEncoding: 'der'` passes ASN.1 DER instead.
+  // Discriminate by length — anything other than 2*n is treated as DER and
+  // passed through unchanged. This matches what every other ECDSA verify
+  // wrapper (Node's, ncrypto's) does and is robust because well-formed DER
+  // ECDSA signatures are never exactly 2*n bytes for the curves we support.
   const unsigned char* sig_data = static_cast<const unsigned char*>(signature->data());
   size_t sig_len = signature->size();
   std::unique_ptr<uint8_t[]> der_sig_buf;
@@ -427,13 +432,16 @@ bool HybridEcKeyPair::verify(const std::shared_ptr<ArrayBuffer>& data, const std
   if (n == 0) {
     throw std::runtime_error("Failed to determine EC key order size for DER conversion");
   }
-  size_t der_len = 0;
-  der_sig_buf = convertSignatureToDER(sig_data, sig_len, n, &der_len);
-  if (!der_sig_buf) {
-    throw std::runtime_error("Failed to convert ECDSA signature from P1363 to DER format");
+
+  if (sig_len == 2 * n) {
+    size_t der_len = 0;
+    der_sig_buf = convertSignatureToDER(sig_data, sig_len, n, &der_len);
+    if (!der_sig_buf) {
+      throw std::runtime_error("Failed to convert ECDSA signature from P1363 to DER format");
+    }
+    sig_data = der_sig_buf.get();
+    sig_len = der_len;
   }
-  sig_data = der_sig_buf.get();
-  sig_len = der_len;
 
   int result = EVP_DigestVerifyFinal(md_ctx.get(), sig_data, sig_len);
 

packages/react-native-quick-crypto/src/random.ts

@@ -59,8 +59,17 @@ export function randomFill(buffer: ABV, ...rest: unknown[]): void {
   }
 
   getNative();
-  random.randomFill(abvToArrayBuffer(buffer), viewOffset + offset, size).then(
+  const ab = abvToArrayBuffer(buffer);
+  const start = viewOffset + offset;
+  random.randomFill(ab, start, size).then(
     (res: ArrayBuffer) => {
+      // The native async path operates on a copy of the underlying buffer to
+      // avoid races with JS-owned memory on the worker thread, so the
+      // randomized bytes live in `res`, not in the caller's buffer. Copy them
+      // back to preserve Node's in-place randomFill semantics.
+      if (res !== ab) {
+        new Uint8Array(ab, start, size).set(new Uint8Array(res, start, size));
+      }
       callback(null, res);
     },
     (e: Error) => {
@@ -224,7 +233,7 @@ export function randomInt(
     if (x < randLimit) {
       const n = (x % range) + min;
       if (isSync) return n;
-      process.nextTick(callback as RandomIntCallback, undefined, n);
+      process.nextTick(callback as RandomIntCallback, null, n);
       return;
     }
   }