Skip to content

lib,src: updates for BoringSSL#63125

Open
panva wants to merge 11 commits intonodejs:mainfrom
panva:make-crypto-boring-again
Open

lib,src: updates for BoringSSL#63125
panva wants to merge 11 commits intonodejs:mainfrom
panva:make-crypto-boring-again

Conversation

@panva
Copy link
Copy Markdown
Member

@panva panva commented May 5, 2026
edited
Loading

wip Issues and PRs that are still a work in progress.

aarch64-linux: with shared boringssl-0.20260413.0

===
=== All tests succeeded
===

All tests passed.

@panva panva added wip Issues and PRs that are still a work in progress. test-shared-boringssl labels May 5, 2026
@panva panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 121a7ab to 97a3c8f Compare May 5, 2026 13:30
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@codecov
Copy link
Copy Markdown

codecov Bot commented May 5, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 80.00000% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.68%. Comparing base (18f938d) to head (078d5ed).

Files with missing lines Patch % Lines
src/crypto/crypto_keys.cc 76.84% 2 Missing and 20 partials ⚠️
lib/internal/crypto/webidl.js 50.00% 5 Missing ⚠️
lib/internal/tls/wrap.js 71.42% 2 Missing ⚠️
src/crypto/crypto_pqc.cc 93.33% 0 Missing and 2 partials ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #63125   +/-   ##
=======================================
  Coverage   89.67%   89.68%           
=======================================
  Files         712      712           
  Lines      221251   221332   +81     
  Branches    42393    42437   +44     
=======================================
+ Hits       198413   198498   +85     
+ Misses      14681    14629   -52     
- Partials     8157     8205   +48
Files with missing lines Coverage Δ
lib/internal/crypto/keys.js 97.05% <100.00%> (+0.01%) ⬆️
lib/internal/crypto/ml_kem.js 94.66% <100.00%> (ø)
lib/internal/crypto/util.js 96.61% <100.00%> (+0.10%) ⬆️
lib/internal/errors.js 97.64% <100.00%> (+<0.01%) ⬆️
src/crypto/crypto_aes.cc 53.81% <ø> (-0.35%) ⬇️
src/crypto/crypto_aes.h 33.33% <ø> (ø)
src/crypto/crypto_argon2.cc 64.13% <ø> (ø)
src/crypto/crypto_argon2.h 50.00% <ø> (ø)
src/crypto/crypto_chacha20_poly1305.cc 58.13% <ø> (ø)
src/crypto/crypto_cipher.cc 77.62% <ø> (+0.19%) ⬆️
... and 12 more

... and 44 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva force-pushed the make-crypto-boring-again branch from 97a3c8f to 6b8d741 Compare May 5, 2026 15:49
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva force-pushed the make-crypto-boring-again branch from 6b8d741 to db65e65 Compare May 5, 2026 17:17
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
panva added 10 commits May 5, 2026 20:29
@panva
crypto: reject invalid raw key imports
03c121c 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ML-DSA and ML-KEM for use when using BoringSSL
b241e0f 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire AES-KW in Web Cryptography when using BoringSSL
88f9da9 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL
cfcd7ec 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
test: adjust Web Cryptography WPT expectations for BoringSSL
b15dda6 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: simplify OpenSSL feature gates
f00976f 
Introduce explicit OPENSSL_WITH_* feature macros for crypto
capabilities that vary by OpenSSL version or BoringSSL support.

Use those macros at call sites instead of repeating version and
backend checks, and centralize PQC key metadata so key handling can
query helper functions instead of duplicating algorithm switch lists.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: add BoringSSL EVP enumeration fallback
f2c45cc 
BoringSSL declares EVP_CIPHER_do_all_sorted and
EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide
those symbols. Add a Node build flag that keeps ncrypto and its
dependents on a local BoringSSL fallback list when libdecrepit is
absent.

Keep embedders that provide the EVP enumeration symbols on the normal
OpenSSL-compatible path, matching Electron's patched BoringSSL build.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
tls: add unsupported renegotiation error
c978a8c 
Map BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is
called. This avoids exposing an implementation-specific OpenSSL error
when the TLS backend does not support caller-initiated renegotiation.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
test: update tls/crypto behaviour expectations when using BoringSSL
7d85a98 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
tools: add boringssl to tools/nix/openssl-matrix.nix
e34bb1c
@panva panva force-pushed the make-crypto-boring-again branch from db65e65 to 3639d3c Compare May 5, 2026 18:39
@panva
crypto: refactor PQC raw seed handling
078d5ed 
Factor ML-DSA and ML-KEM seed sizes and seed import/export
helpers into shared helpers. Keep the provider-specific OpenSSL
and BoringSSL paths contained in those helpers.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva panva force-pushed the make-crypto-boring-again branch from 3639d3c to 078d5ed Compare May 5, 2026 18:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

wip Issues and PRs that are still a work in progress.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@panva @nodejs-github-bot