fix: prevent cipher reuse after final() and reset is_finalized in all init() overrides (#948)

Author: boorad

example/src/tests/cipher/cipher_tests.ts

@@ -165,6 +165,130 @@ test(SUITE, 'GCM wrong key throws error (issue #798)', () => {
   expect(() => decipher.final()).to.throw();
 });
 
+// --- String encoding tests (issue #945) ---
+
+test(SUITE, 'Buffer concat vs string concat produce same result', () => {
+  const testKey = Buffer.from(
+    'KTnGEDonslhj/qGvf6rj4HSnO32T7dvjAs5PntTDB0s=',
+    'base64',
+  );
+  const testIv = Buffer.from('2pXx2krk1wU8RI6AQjuPUg==', 'base64');
+  const text = 'this is a test.';
+
+  // Buffer concat approach
+  const cipher1 = createCipheriv('aes-256-cbc', testKey, testIv);
+  const bufResult = Buffer.concat([
+    cipher1.update(Buffer.from(text, 'utf8')),
+    cipher1.final(),
+  ]).toString('base64');
+
+  // String concat approach (fresh cipher)
+  const cipher2 = createCipheriv('aes-256-cbc', testKey, testIv);
+  const strResult =
+    cipher2.update(text, 'utf8', 'base64') + cipher2.final('base64');
+
+  expect(bufResult).to.equal(strResult);
+});
+
+test(SUITE, 'update with hex input and output encoding', () => {
+  const cipher1 = createCipheriv('aes-128-cbc', key16, iv);
+  const bufResult = Buffer.concat([
+    cipher1.update(plaintextBuffer),
+    cipher1.final(),
+  ]).toString('hex');
+
+  const cipher2 = createCipheriv('aes-128-cbc', key16, iv);
+  const hexResult =
+    cipher2.update(plaintext, 'utf8', 'hex') + cipher2.final('hex');
+
+  expect(bufResult).to.equal(hexResult);
+});
+
+test(SUITE, 'update with hex input decryption', () => {
+  // Encrypt
+  const cipher = createCipheriv('aes-128-cbc', key16, iv);
+  const encrypted =
+    cipher.update(plaintext, 'utf8', 'hex') + cipher.final('hex');
+
+  // Decrypt using hex input encoding
+  const decipher = createDecipheriv('aes-128-cbc', key16, iv);
+  const decrypted =
+    decipher.update(encrypted, 'hex', 'utf8') + decipher.final('utf8');
+
+  expect(decrypted).to.equal(plaintext);
+});
+
+test(SUITE, 'update with hex encoding roundtrip (aes-256-cbc)', () => {
+  // Encrypt
+  const cipher = createCipheriv('aes-256-cbc', key32, iv);
+  const encrypted =
+    cipher.update(plaintext, 'utf8', 'hex') + cipher.final('hex');
+
+  // Decrypt
+  const decipher = createDecipheriv('aes-256-cbc', key32, iv);
+  const decrypted =
+    decipher.update(encrypted, 'hex', 'utf8') + decipher.final('utf8');
+
+  expect(decrypted).to.equal(plaintext);
+});
+
+// --- Cipher state violation tests ---
+
+test(SUITE, 'update after final throws', () => {
+  const cipher = createCipheriv('aes-128-cbc', key16, iv);
+  cipher.update(plaintextBuffer);
+  cipher.final();
+
+  expect(() => cipher.update(plaintextBuffer)).to.throw();
+});
+
+test(SUITE, 'final called twice throws', () => {
+  const cipher = createCipheriv('aes-128-cbc', key16, iv);
+  cipher.update(plaintextBuffer);
+  cipher.final();
+
+  expect(() => cipher.final()).to.throw();
+});
+
+test(SUITE, 'decipher update after final throws', () => {
+  // First encrypt something
+  const cipher = createCipheriv('aes-128-cbc', key16, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintextBuffer),
+    cipher.final(),
+  ]);
+
+  // Decrypt and then try to reuse
+  const decipher = createDecipheriv('aes-128-cbc', key16, iv);
+  decipher.update(encrypted);
+  decipher.final();
+
+  expect(() => decipher.update(encrypted)).to.throw();
+});
+
+test(SUITE, 'cipher works after re-init (createCipheriv)', () => {
+  // First use
+  const cipher1 = createCipheriv('aes-128-cbc', key16, iv);
+  const enc1 = Buffer.concat([
+    cipher1.update(plaintextBuffer),
+    cipher1.final(),
+  ]);
+
+  // Second use with same params should produce identical result
+  const cipher2 = createCipheriv('aes-128-cbc', key16, iv);
+  const enc2 = Buffer.concat([
+    cipher2.update(plaintextBuffer),
+    cipher2.final(),
+  ]);
+
+  expect(enc1.toString('hex')).to.equal(enc2.toString('hex'));
+
+  // Verify decryption still works
+  const decipher = createDecipheriv('aes-128-cbc', key16, iv);
+  const decrypted = Buffer.concat([decipher.update(enc2), decipher.final()]);
+  expect(decrypted.toString('utf8')).to.equal(plaintext);
+});
+
 test(SUITE, 'GCM tampered ciphertext throws error', () => {
   const testKey = Buffer.from(randomFillSync(new Uint8Array(32)));
   const testIv = randomFillSync(new Uint8Array(12));

packages/react-native-quick-crypto/cpp/cipher/CCMCipher.cpp

@@ -54,6 +54,7 @@ void CCMCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::s
 
 std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkCtx();
+  checkNotFinalized();
   auto native_data = ToNativeArrayBuffer(data);
   size_t in_len = native_data->size();
   if (in_len < 0 || in_len > INT_MAX) {
@@ -104,10 +105,11 @@ std::shared_ptr<ArrayBuffer> CCMCipher::update(const std::shared_ptr<ArrayBuffer
 
 std::shared_ptr<ArrayBuffer> CCMCipher::final() {
   checkCtx();
+  checkNotFinalized();
 
   // CCM decryption does not use final. Verification happens in the last update call.
   if (!is_cipher) {
-    // Return an empty buffer, matching Node.js behavior
+    is_finalized = true;
     unsigned char* empty_output = new unsigned char[0];
     return std::make_shared<NativeArrayBuffer>(empty_output, 0, [=]() { delete[] empty_output; });
   }
@@ -138,6 +140,7 @@ std::shared_ptr<ArrayBuffer> CCMCipher::final() {
     throw std::runtime_error("Failed to get auth tag after finalization: " + std::string(err_buf));
   }
   auth_tag_state = kAuthTagKnown;
+  is_finalized = true;
 
   unsigned char* final_output = out_buf.release();
   return std::make_shared<NativeArrayBuffer>(final_output, out_len, [=]() { delete[] final_output; });

packages/react-native-quick-crypto/cpp/cipher/ChaCha20Cipher.cpp

@@ -64,6 +64,7 @@ void ChaCha20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const s
 
 std::shared_ptr<ArrayBuffer> ChaCha20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkCtx();
+  checkNotFinalized();
   auto native_data = ToNativeArrayBuffer(data);
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
@@ -89,7 +90,8 @@ std::shared_ptr<ArrayBuffer> ChaCha20Cipher::update(const std::shared_ptr<ArrayB
 
 std::shared_ptr<ArrayBuffer> ChaCha20Cipher::final() {
   checkCtx();
-  // For ChaCha20, final() should return an empty buffer since it's a stream cipher
+  checkNotFinalized();
+  is_finalized = true;
   unsigned char* empty_output = new unsigned char[0];
   return std::make_shared<NativeArrayBuffer>(empty_output, 0, [=]() { delete[] empty_output; });
 }

packages/react-native-quick-crypto/cpp/cipher/ChaCha20Poly1305Cipher.cpp

@@ -60,13 +60,12 @@ void ChaCha20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key,
     ctx = nullptr;
     throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to set key/IV: " + std::string(err_buf));
   }
-
-  // Reset final_called flag
-  final_called = false;
+  is_finalized = false;
 }
 
 std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   checkCtx();
+  checkNotFinalized();
   auto native_data = ToNativeArrayBuffer(data);
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
@@ -92,6 +91,7 @@ std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::update(const std::shared_pt
 
 std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::final() {
   checkCtx();
+  checkNotFinalized();
 
   // For ChaCha20-Poly1305, we need to call final to generate the tag
   int out_len = 0;
@@ -105,7 +105,7 @@ std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::final() {
     throw std::runtime_error("ChaCha20Poly1305Cipher: Failed to finalize: " + std::string(err_buf));
   }
 
-  final_called = true;
+  is_finalized = true;
   return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });
 }
 
@@ -130,7 +130,7 @@ std::shared_ptr<ArrayBuffer> ChaCha20Poly1305Cipher::getAuthTag() {
   if (!is_cipher) {
     throw std::runtime_error("getAuthTag can only be called during encryption");
   }
-  if (!final_called) {
+  if (!is_finalized) {
     throw std::runtime_error("getAuthTag must be called after final()");
   }
 

packages/react-native-quick-crypto/cpp/cipher/ChaCha20Poly1305Cipher.hpp

@@ -6,7 +6,7 @@ namespace margelo::nitro::crypto {
 
 class ChaCha20Poly1305Cipher : public HybridCipher {
  public:
-  ChaCha20Poly1305Cipher() : HybridObject(TAG), final_called(false) {}
+  ChaCha20Poly1305Cipher() : HybridObject(TAG) {}
   ~ChaCha20Poly1305Cipher() {
     // Let parent destructor free the context
     ctx = nullptr;
@@ -24,7 +24,6 @@ class ChaCha20Poly1305Cipher : public HybridCipher {
   static constexpr int kKeySize = 32;
   static constexpr int kNonceSize = 12;
   static constexpr int kTagSize = 16; // Poly1305 tag is always 16 bytes
-  bool final_called;
 };
 
 } // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/cpp/cipher/HybridCipher.cpp

@@ -27,6 +27,12 @@ void HybridCipher::checkCtx() const {
   }
 }
 
+void HybridCipher::checkNotFinalized() const {
+  if (is_finalized) {
+    throw std::runtime_error("Unsupported state or unable to authenticate data");
+  }
+}
+
 bool HybridCipher::maybePassAuthTagToOpenSSL() {
   if (auth_tag_state == kAuthTagKnown) {
     OSSL_PARAM params[] = {OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, auth_tag, auth_tag_len),
@@ -48,6 +54,7 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
     EVP_CIPHER_CTX_free(ctx);
     ctx = nullptr;
   }
+  is_finalized = false;
 
   // 1. Get cipher implementation by name
   const EVP_CIPHER* cipher = EVP_get_cipherbyname(cipher_type.c_str());
@@ -100,6 +107,7 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
 std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
   auto native_data = ToNativeArrayBuffer(data);
   checkCtx();
+  checkNotFinalized();
   size_t in_len = native_data->size();
   if (in_len > INT_MAX) {
     throw std::runtime_error("Message too long");
@@ -125,6 +133,7 @@ std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuf
 
 std::shared_ptr<ArrayBuffer> HybridCipher::final() {
   checkCtx();
+  checkNotFinalized();
   // Block size is max output size for final, unless EVP_CIPH_NO_PADDING is set
   int block_size = EVP_CIPHER_CTX_block_size(ctx);
   if (block_size <= 0)
@@ -149,8 +158,8 @@ std::shared_ptr<ArrayBuffer> HybridCipher::final() {
 
   // Context should NOT be freed here. It might be needed for getAuthTag() for GCM/OCB.
   // The context will be freed by the destructor (~HybridCipher) when the object goes out of scope.
+  is_finalized = true;
 
-  // Return the shared_ptr<NativeArrayBuffer> (implicit upcast to shared_ptr<ArrayBuffer>)
   return native_final_chunk;
 }
 

packages/react-native-quick-crypto/cpp/cipher/HybridCipher.hpp

@@ -53,6 +53,7 @@ class HybridCipher : public HybridCipherSpec {
  protected:
   // Properties
   bool is_cipher = true;
+  bool is_finalized = false;
   std::string cipher_type;
   EVP_CIPHER_CTX* ctx = nullptr;
   bool pending_auth_failed = false;
@@ -66,6 +67,7 @@ class HybridCipher : public HybridCipherSpec {
   // Methods
   int getMode();
   void checkCtx() const;
+  void checkNotFinalized() const;
   bool maybePassAuthTagToOpenSSL();
 };
 

packages/react-native-quick-crypto/cpp/cipher/XChaCha20Poly1305Cipher.cpp

@@ -45,10 +45,11 @@ void XChaCha20Poly1305Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key
 
   data_buffer_.clear();
   aad_.clear();
-  final_called_ = false;
+  is_finalized = false;
 }
 
 std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkNotFinalized();
 #ifndef BLSALLOC_SODIUM
   throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
 #else
@@ -64,6 +65,7 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::update(const std::shared_p
 }
 
 std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::final() {
+  checkNotFinalized();
 #ifndef BLSALLOC_SODIUM
   throw std::runtime_error("XChaCha20Poly1305Cipher: libsodium must be enabled (BLSALLOC_SODIUM)");
 #else
@@ -80,12 +82,12 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::final() {
       throw std::runtime_error("XChaCha20Poly1305Cipher: encryption failed");
     }
 
-    final_called_ = true;
+    is_finalized = true;
     size_t ct_len = data_buffer_.size();
     return std::make_shared<NativeArrayBuffer>(ciphertext, ct_len, [=]() { delete[] ciphertext; });
   } else {
     if (data_buffer_.empty()) {
-      final_called_ = true;
+      is_finalized = true;
       return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
     }
 
@@ -101,7 +103,7 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::final() {
       throw std::runtime_error("XChaCha20Poly1305Cipher: decryption failed - authentication tag mismatch");
     }
 
-    final_called_ = true;
+    is_finalized = true;
     size_t pt_len = data_buffer_.size();
     return std::make_shared<NativeArrayBuffer>(plaintext, pt_len, [=]() { delete[] plaintext; });
   }
@@ -126,7 +128,7 @@ std::shared_ptr<ArrayBuffer> XChaCha20Poly1305Cipher::getAuthTag() {
   if (!is_cipher) {
     throw std::runtime_error("getAuthTag can only be called during encryption");
   }
-  if (!final_called_) {
+  if (!is_finalized) {
     throw std::runtime_error("getAuthTag must be called after final()");
   }
 

packages/react-native-quick-crypto/cpp/cipher/XChaCha20Poly1305Cipher.hpp

@@ -16,7 +16,7 @@ namespace margelo::nitro::crypto {
 
 class XChaCha20Poly1305Cipher : public HybridCipher {
  public:
-  XChaCha20Poly1305Cipher() : HybridObject(TAG), final_called_(false) {}
+  XChaCha20Poly1305Cipher() : HybridObject(TAG) {}
   ~XChaCha20Poly1305Cipher();
 
   void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
@@ -37,7 +37,6 @@ class XChaCha20Poly1305Cipher : public HybridCipher {
   std::vector<uint8_t> aad_;
   std::vector<uint8_t> data_buffer_;
   uint8_t auth_tag_[kTagSize];
-  bool final_called_;
 };
 
 } // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/cpp/cipher/XSalsa20Cipher.cpp

@@ -28,12 +28,14 @@ void XSalsa20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const s
   // Copy key and nonce data
   std::memcpy(key, native_key->data(), crypto_stream_KEYBYTES);
   std::memcpy(nonce, native_iv->data(), crypto_stream_NONCEBYTES);
+  is_finalized = false;
 }
 
 /**
  * xsalsa20 call to sodium implementation
  */
 std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  checkNotFinalized();
 #ifndef BLSALLOC_SODIUM
   throw std::runtime_error("XSalsa20Cipher: libsodium must be enabled to use this cipher (BLSALLOC_SODIUM is not defined).");
 #else
@@ -51,9 +53,11 @@ std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayB
  * xsalsa20 does not have a final step, returns empty buffer
  */
 std::shared_ptr<ArrayBuffer> XSalsa20Cipher::final() {
+  checkNotFinalized();
 #ifndef BLSALLOC_SODIUM
   throw std::runtime_error("XSalsa20Cipher: libsodium must be enabled to use this cipher (BLSALLOC_SODIUM is not defined).");
 #else
+  is_finalized = true;
   return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
 #endif
 }