src: update OpenSSL pqc checks

panva · targos · commit 823dce32ecca · 2025-08-21T19:00:58.000+02:00
PR-URL: #59436 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
@@ -1897,7 +1897,7 @@ EVPKeyPointer EVPKeyPointer::NewRawPrivate(
       EVP_PKEY_new_raw_private_key(id, nullptr, data.data, data.len));
 }
 
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
 EVPKeyPointer EVPKeyPointer::NewRawSeed(
     int id, const Buffer<const unsigned char>& data) {
   if (id == 0) return {};
@@ -1968,7 +1968,7 @@ EVP_PKEY* EVPKeyPointer::release() {
 int EVPKeyPointer::id(const EVP_PKEY* key) {
   if (key == nullptr) return 0;
   int type = EVP_PKEY_id(key);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   // https://github.com/openssl/openssl/issues/27738#issuecomment-3013215870
   if (type == -1) {
     if (EVP_PKEY_is_a(key, "ML-DSA-44")) return EVP_PKEY_ML_DSA_44;
@@ -2032,7 +2032,7 @@ DataPointer EVPKeyPointer::rawPublicKey() const {
   return {};
 }
 
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
 DataPointer EVPKeyPointer::rawSeed() const {
   if (!pkey_) return {};
   switch (id()) {
@@ -2515,7 +2515,7 @@ bool EVPKeyPointer::isOneShotVariant() const {
   switch (type) {
     case EVP_PKEY_ED25519:
     case EVP_PKEY_ED448:
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
     case EVP_PKEY_ML_DSA_44:
     case EVP_PKEY_ML_DSA_65:
     case EVP_PKEY_ML_DSA_87:
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -28,11 +28,14 @@
 #include <openssl/fips.h>
 #endif  // OPENSSL_FIPS
 
-#if OPENSSL_VERSION_MAJOR >= 3
-#define OSSL3_CONST const
-#if OPENSSL_VERSION_MINOR >= 5
+// Define OPENSSL_WITH_PQC for post-quantum cryptography support
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#define OPENSSL_WITH_PQC 1
 #include <openssl/core_names.h>
 #endif
+
+#if OPENSSL_VERSION_MAJOR >= 3
+#define OSSL3_CONST const
 #else
 #define OSSL3_CONST
 #endif
@@ -820,7 +823,7 @@ class EVPKeyPointer final {
                                     const Buffer<const unsigned char>& data);
   static EVPKeyPointer NewRawPrivate(int id,
                                      const Buffer<const unsigned char>& data);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   static EVPKeyPointer NewRawSeed(int id,
                                   const Buffer<const unsigned char>& data);
 #endif
@@ -917,7 +920,7 @@ class EVPKeyPointer final {
   DataPointer rawPrivateKey() const;
   BIOPointer derPublicKey() const;
 
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   DataPointer rawSeed() const;
 #endif
 
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
@@ -177,7 +177,7 @@ bool ExportJWKAsymmetricKey(Environment* env,
       // Fall through
     case EVP_PKEY_X448:
       return ExportJWKEdKey(env, key, target);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
     case EVP_PKEY_ML_DSA_44:
       // Fall through
     case EVP_PKEY_ML_DSA_65:
@@ -280,7 +280,7 @@ int GetNidFromName(const char* name) {
     nid = EVP_PKEY_X25519;
   } else if (strcmp(name, "X448") == 0) {
     nid = EVP_PKEY_X448;
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   } else if (strcmp(name, "ML-DSA-44") == 0) {
     nid = EVP_PKEY_ML_DSA_44;
   } else if (strcmp(name, "ML-DSA-65") == 0) {
@@ -620,7 +620,7 @@ Local<Function> KeyObjectHandle::Initialize(Environment* env) {
     SetProtoMethod(isolate, templ, "exportJwk", ExportJWK);
     SetProtoMethod(isolate, templ, "initECRaw", InitECRaw);
     SetProtoMethod(isolate, templ, "initEDRaw", InitEDRaw);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
     SetProtoMethod(isolate, templ, "initMlDsaRaw", InitMlDsaRaw);
 #endif
     SetProtoMethod(isolate, templ, "initJwk", InitJWK);
@@ -643,7 +643,7 @@ void KeyObjectHandle::RegisterExternalReferences(
   registry->Register(ExportJWK);
   registry->Register(InitECRaw);
   registry->Register(InitEDRaw);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   registry->Register(InitMlDsaRaw);
 #endif
   registry->Register(InitJWK);
@@ -838,7 +838,7 @@ void KeyObjectHandle::InitEDRaw(const FunctionCallbackInfo<Value>& args) {
   args.GetReturnValue().Set(true);
 }
 
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
 void KeyObjectHandle::InitMlDsaRaw(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
   KeyObjectHandle* key;
@@ -971,7 +971,7 @@ Local<Value> KeyObjectHandle::GetAsymmetricKeyType() const {
       return env()->crypto_x25519_string();
     case EVP_PKEY_X448:
       return env()->crypto_x448_string();
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
     case EVP_PKEY_ML_DSA_44:
       return env()->crypto_ml_dsa_44_string();
     case EVP_PKEY_ML_DSA_65:
@@ -1254,7 +1254,7 @@ void Initialize(Environment* env, Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, kWebCryptoKeyFormatJWK);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED25519);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED448);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_44);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_65);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_87);
diff --git a/src/crypto/crypto_keys.h b/src/crypto/crypto_keys.h
@@ -152,7 +152,7 @@ class KeyObjectHandle : public BaseObject {
   static void Init(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitECRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitEDRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
   static void InitMlDsaRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
 #endif
   static void InitJWK(const v8::FunctionCallbackInfo<v8::Value>& args);
diff --git a/src/crypto/crypto_ml_dsa.cc b/src/crypto/crypto_ml_dsa.cc
@@ -14,7 +14,7 @@ using v8::Value;
 
 namespace crypto {
 
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
 constexpr const char* GetMlDsaAlgorithmName(int id) {
   switch (id) {
     case EVP_PKEY_ML_DSA_44:
diff --git a/src/crypto/crypto_ml_dsa.h b/src/crypto/crypto_ml_dsa.h
@@ -9,7 +9,7 @@
 
 namespace node {
 namespace crypto {
-#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+#if OPENSSL_WITH_PQC
 bool ExportJwkMlDsaKey(Environment* env,
                        const KeyObjectData& key,
                        v8::Local<v8::Object> target);
