feat: add xsalsa20 cipher from libsodium

Author: boorad

.rules

@@ -27,6 +27,7 @@ Every time you choose to apply a rule(s), explicitly state the rule(s) in the ou
 - Use modern C++ features.
 - Attempt to reduce the amount of code rather than add more.
 - Prefer iteration and modularization over code duplication.
+- Do not add comments unless explicitly told to do so.
 
 ## TypeScript Best Practices
 

bun.lock

@@ -1942,7 +1942,7 @@ SPEC CHECKSUMS:
   hermes-engine: 46f1ffbf0297f4298862068dd4c274d4ac17a1fd
   NitroModules: 3a9c88afc1ca3dba01759ed410e8c2902a5d3dbb
   OpenSSL-Universal: b60a3702c9fea8b3145549d421fdb018e53ab7b4
-  QuickCrypto: e457fb08347cd9807514cefad95337a7664aeabe
+  QuickCrypto: 39358cf38783f7f26bd750cf3a2609feb845fa3d
   RCT-Folly: 84578c8756030547307e4572ab1947de1685c599
   RCTDeprecation: fde92935b3caa6cb65cbff9fbb7d3a9867ffb259
   RCTRequired: 75c6cee42d21c1530a6f204ba32ff57335d19007

example/ios/Podfile.lock

@@ -4,6 +4,7 @@ import {
   createCipheriv,
   createDecipheriv,
   randomFillSync,
+  xsalsa20,
   type Cipher,
   type Decipher,
 } from 'react-native-quick-crypto';
@@ -198,3 +199,11 @@ allCiphers.forEach(cipherName => {
     }
   });
 });
+
+// libsodium cipher tests
+test(SUITE, 'xsalsa20', () => {
+  const nonce = Buffer.from('0123456789abcdef', 'hex');
+  const ciphertext = xsalsa20(key, nonce, plaintextBuffer);
+  const decrypted = xsalsa20(key, nonce, ciphertext);
+  expect(decrypted).eql(plaintextBuffer);
+});

example/src/tests/cipher/cipher_tests.ts

@@ -4,7 +4,7 @@ import { expect } from 'chai';
 import { test } from '../util';
 import { fixtures, type Fixture } from './fixtures';
 
-import crypto, { ab2str } from 'react-native-quick-crypto';
+import crypto from 'react-native-quick-crypto';
 import type { BinaryLike, HashAlgorithm } from 'react-native-quick-crypto';
 
 type TestFixture = [string, string, number, number, string];
@@ -36,7 +36,7 @@ const SUITE = 'pbkdf2';
       function (err, result) {
         expect(err).to.be.null;
         expect(result).not.to.be.null;
-        expect(ab2str(result as ArrayBuffer)).to.equal(expected);
+        expect(result?.toString('hex')).to.equal(expected);
       },
     );
   };
@@ -76,7 +76,7 @@ const SUITE = 'pbkdf2';
 
 test(SUITE, 'handles buffers', () => {
   const resultSync = crypto.pbkdf2Sync('password', 'salt', 1, 32);
-  expect(ab2str(resultSync)).to.equal(
+  expect(resultSync.toString('hex')).to.equal(
     '0c60c80f961f0e71f3a9b524af6012062fe037a6e0f0eb94fe8fc46bdc637164',
   );
 
@@ -186,7 +186,7 @@ algos.forEach(function (algorithm) {
         function (err, result) {
           expect(err).to.be.null;
           expect(result).not.to.be.null;
-          expect(ab2str(result as ArrayBuffer)).to.equal(expected);
+          expect(result?.toString('hex')).to.equal(expected);
         },
       );
     });
@@ -199,7 +199,7 @@ algos.forEach(function (algorithm) {
         f.dkLen as number,
         algorithm as HashAlgorithm,
       );
-      expect(ab2str(result)).to.equal(expected);
+      expect(result?.toString('hex')).to.equal(expected);
     });
   });
 

example/src/tests/pbkdf2/pbkdf2_tests.ts

@@ -6,9 +6,10 @@
   "include": [
     "index.ts",
     "app.json",
-    "src",
-    "**.*.ts",
-    "**.*.tsx",
+    "src", 
+    "./**/*.ts", 
+    "./**/*.tsx", 
+    "../packages/react-native-quick-crypto/src/**/*.ts" 
   ],
   "compilerOptions": {
     "jsx": "react",

example/tsconfig.json

@@ -17,7 +17,11 @@ Pod::Spec.new do |s|
   s.macos.deployment_target = 10.13
   s.tvos.deployment_target = 13.4
 
-  s.source       = { :git => "https://github.com/margelo/react-native-quick-crypto.git", :tag => "#{s.version}" }
+  s.source = { :git => "https://github.com/margelo/react-native-quick-crypto.git", :tag => "#{s.version}" }
+
+  # TODO: handle libsodium
+  s.source = { :http => "file:///Users/brad/dev/rnqc/lib/libsodium-1.0.20/libsodium-apple/Clibsodium.xcframework.tar.gz" }
+  s.vendored_frameworks = "Clibsodium.xcframework"
 
   s.source_files = [
     # implementation (Swift)
@@ -44,5 +48,6 @@ Pod::Spec.new do |s|
   s.dependency 'React-jsi'
   s.dependency 'React-callinvoker'
   s.dependency "OpenSSL-Universal"
+  # s.dependency "libsodium"
   install_modules_dependencies(s)
 end

packages/react-native-quick-crypto/QuickCrypto.podspec

@@ -7,6 +7,8 @@
 #include "CCMCipher.hpp"
 #include "HybridCipherFactorySpec.hpp"
 #include "OCBCipher.hpp"
+#include "Utils.hpp"
+#include "XSalsa20Cipher.hpp"
 
 namespace margelo::nitro::crypto {
 
@@ -20,40 +22,54 @@ class HybridCipherFactory : public HybridCipherFactorySpec {
  public:
   // Factory method exposed to JS
   inline std::shared_ptr<HybridCipherSpec> createCipher(const CipherArgs& args) {
-    // Create a temporary cipher context to determine the mode
-    EVP_CIPHER* cipher = EVP_CIPHER_fetch(nullptr, args.cipherType.c_str(), nullptr);
-    if (!cipher) {
-      throw std::runtime_error("Invalid cipher type: " + args.cipherType);
-    }
-
-    int mode = EVP_CIPHER_get_mode(cipher);
-    EVP_CIPHER_free(cipher);
 
     // Create the appropriate cipher instance based on mode
     std::shared_ptr<HybridCipher> cipherInstance;
-    switch (mode) {
-      case EVP_CIPH_OCB_MODE: {
-        cipherInstance = std::make_shared<OCBCipher>();
-        cipherInstance->setArgs(args);
-        // Pass tag length (default 16 if not present)
-        size_t tag_len = args.authTagLen.has_value() ? static_cast<size_t>(args.authTagLen.value()) : 16;
-        std::static_pointer_cast<OCBCipher>(cipherInstance)->init(args.cipherKey, args.iv, tag_len);
-        return cipherInstance;
-      }
-      case EVP_CIPH_CCM_MODE: {
-        cipherInstance = std::make_shared<CCMCipher>();
-        cipherInstance->setArgs(args);
-        cipherInstance->init(args.cipherKey, args.iv);
-        return cipherInstance;
-      }
-      default: {
-        cipherInstance = std::make_shared<HybridCipher>();
-        cipherInstance->setArgs(args);
-        cipherInstance->init(args.cipherKey, args.iv);
-        return cipherInstance;
+
+    // OpenSSL
+    // temporary cipher context to determine the mode
+    EVP_CIPHER* cipher = EVP_CIPHER_fetch(nullptr, args.cipherType.c_str(), nullptr);
+    if (cipher) {
+      int mode = EVP_CIPHER_get_mode(cipher);
+
+      switch (mode) {
+        case EVP_CIPH_OCB_MODE: {
+          cipherInstance = std::make_shared<OCBCipher>();
+          cipherInstance->setArgs(args);
+          // Pass tag length (default 16 if not present)
+          size_t tag_len = args.authTagLen.has_value() ? static_cast<size_t>(args.authTagLen.value()) : 16;
+          std::static_pointer_cast<OCBCipher>(cipherInstance)->init(args.cipherKey, args.iv, tag_len);
+          return cipherInstance;
+        }
+        case EVP_CIPH_CCM_MODE: {
+          cipherInstance = std::make_shared<CCMCipher>();
+          cipherInstance->setArgs(args);
+          cipherInstance->init(args.cipherKey, args.iv);
+          return cipherInstance;
+        }
+        default: {
+          cipherInstance = std::make_shared<HybridCipher>();
+          cipherInstance->setArgs(args);
+          cipherInstance->init(args.cipherKey, args.iv);
+          return cipherInstance;
+        }
       }
     }
-  }
+    EVP_CIPHER_free(cipher);
+
+    // libsodium
+    std::string cipherName = toLower(args.cipherType);
+    if (cipherName == "xsalsa20") {
+      cipherInstance = std::make_shared<XSalsa20Cipher>();
+      cipherInstance->setArgs(args);
+      cipherInstance->init(args.cipherKey, args.iv);
+      return cipherInstance;
+    }
+
+    // Unsupported cipher type
+    throw std::runtime_error("Unsupported or unknown cipher type: " + args.cipherType);
+  };
+
 };
 
 } // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/cpp/cipher/HybridCipherFactory.hpp

@@ -0,0 +1,52 @@
+#include "XSalsa20Cipher.hpp"
+#include <cstring>   // For std::memcpy
+#include <stdexcept> // For std::runtime_error
+#include <string>    // For std::to_string
+
+namespace margelo::nitro::crypto {
+
+/**
+ * Initialize the cipher with a key and a nonce (using iv argument as nonce)
+*/
+void XSalsa20Cipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) {
+  auto native_key = ToNativeArrayBuffer(cipher_key);
+  auto native_iv = ToNativeArrayBuffer(iv);
+
+  // Validate key size
+  if (native_key->size() < crypto_stream_KEYBYTES) {
+    throw std::runtime_error("XSalsa20 key too short: expected " +
+                             std::to_string(crypto_stream_KEYBYTES) + " bytes, got " +
+                             std::to_string(native_key->size()) + " bytes.");
+  }
+  // Validate nonce size
+  if (native_iv->size() < crypto_stream_NONCEBYTES) {
+    throw std::runtime_error("XSalsa20 nonce too short: expected " +
+                             std::to_string(crypto_stream_NONCEBYTES) + " bytes, got " +
+                             std::to_string(native_iv->size()) + " bytes.");
+  }
+
+  // Copy key and nonce data
+  std::memcpy(key, native_key->data(), crypto_stream_KEYBYTES);
+  std::memcpy(nonce, native_iv->data(), crypto_stream_NONCEBYTES);
+}
+
+/**
+ * xsalsa20 call to sodium implementation
+ */
+std::shared_ptr<ArrayBuffer> XSalsa20Cipher::update(const std::shared_ptr<ArrayBuffer>& data) {
+  auto native_data = ToNativeArrayBuffer(data);
+  int result = crypto_stream(native_data->data(), native_data->size(), nonce, key);
+  if (result != 0) {
+    throw std::runtime_error("XSalsa20Cipher: Failed to update");
+  }
+  return std::make_shared<NativeArrayBuffer>(native_data->data(), native_data->size(), nullptr);
+}
+
+/**
+ * xsalsa20 does not have a final step, returns empty buffer
+ */
+std::shared_ptr<ArrayBuffer> XSalsa20Cipher::final() {
+  return std::make_shared<NativeArrayBuffer>(nullptr, 0, nullptr);
+}
+
+} // namespace margelo::nitro::crypto

packages/react-native-quick-crypto/cpp/cipher/XSalsa20Cipher.cpp

@@ -0,0 +1,27 @@
+#pragma once
+
+#include "sodium.h"
+
+#include "HybridCipher.hpp"
+#include "Utils.hpp"
+
+namespace margelo::nitro::crypto {
+
+class XSalsa20Cipher : public HybridCipher {
+ public:
+  XSalsa20Cipher() : HybridObject(TAG) {}
+  ~XSalsa20Cipher() {
+    // Let parent destructor free the context
+    ctx = nullptr;
+  }
+
+  void init(const std::shared_ptr<ArrayBuffer> cipher_key, const std::shared_ptr<ArrayBuffer> iv) override;
+  std::shared_ptr<ArrayBuffer> update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> final() override;
+
+ private:
+  uint8_t key[crypto_stream_KEYBYTES];
+  uint8_t nonce[crypto_stream_NONCEBYTES];
+};
+
+} // namespace margelo::nitro::crypto