Skip to content

lib,src: updates for BoringSSL#63125

Open
panva wants to merge 11 commits intonodejs:mainfrom
panva:make-crypto-boring-again
Open

lib,src: updates for BoringSSL#63125
panva wants to merge 11 commits intonodejs:mainfrom
panva:make-crypto-boring-again

Conversation

@panva
Copy link
Copy Markdown
Member

@panva panva commented May 5, 2026
edited
Loading

wip Issues and PRs that are still a work in progress.

aarch64-linux: with shared boringssl-0.20260413.0

===
=== All tests succeeded
===

All tests passed.

@panva panva added wip Issues and PRs that are still a work in progress. test-shared-boringssl labels May 5, 2026
@panva panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 121a7ab to 97a3c8f Compare May 5, 2026 13:30
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@codecov
Copy link
Copy Markdown

codecov Bot commented May 5, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 80.00000% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.03%. Comparing base (0bd46c1) to head (b88eca8).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_keys.cc 76.84% 2 Missing and 20 partials ⚠️
lib/internal/crypto/webidl.js 50.00% 5 Missing ⚠️
lib/internal/tls/wrap.js 71.42% 2 Missing ⚠️
src/crypto/crypto_pqc.cc 93.33% 0 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #63125      +/-   ##
==========================================
+ Coverage   89.65%   90.03%   +0.38%     
==========================================
  Files         713      713              
  Lines      224134   224565     +431     
  Branches    42320    42479     +159     
==========================================
+ Hits       200939   202188    +1249     
+ Misses      14996    14174     -822     
- Partials     8199     8203       +4
Files with missing lines Coverage Δ
lib/internal/crypto/keys.js 97.05% <100.00%> (+0.01%) ⬆️
lib/internal/crypto/ml_kem.js 94.66% <100.00%> (ø)
lib/internal/crypto/util.js 97.08% <100.00%> (+0.10%) ⬆️
lib/internal/errors.js 97.65% <100.00%> (+<0.01%) ⬆️
src/crypto/crypto_aes.cc 53.81% <ø> (ø)
src/crypto/crypto_aes.h 33.33% <ø> (ø)
src/crypto/crypto_argon2.cc 64.13% <ø> (ø)
src/crypto/crypto_argon2.h 50.00% <ø> (ø)
src/crypto/crypto_chacha20_poly1305.cc 58.13% <ø> (ø)
src/crypto/crypto_cipher.cc 77.62% <ø> (+0.19%) ⬆️
... and 12 more

... and 51 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva force-pushed the make-crypto-boring-again branch from 97a3c8f to 6b8d741 Compare May 5, 2026 15:49
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva force-pushed the make-crypto-boring-again branch from 6b8d741 to db65e65 Compare May 5, 2026 17:17
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 3639d3c to 078d5ed Compare May 5, 2026 18:40
panva added 11 commits May 6, 2026 15:50
@panva
crypto: reject invalid raw key imports
14a4fec 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
tls: add unsupported renegotiation error
db8081b 
Map BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is
called. This avoids exposing an implementation-specific OpenSSL error
when the TLS backend does not support caller-initiated renegotiation.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
test: update tls/crypto behaviour expectations when using BoringSSL
47acf3a 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ML-DSA and ML-KEM for use when using BoringSSL
4974fa3 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire AES-KW in Web Cryptography when using BoringSSL
e64f558 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL
15c64f9 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
test: adjust Web Cryptography WPT expectations for BoringSSL
37b9c10 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: simplify OpenSSL feature gates
6ba359e 
Introduce explicit OPENSSL_WITH_* feature macros for crypto
capabilities that vary by OpenSSL version or BoringSSL support.

Use those macros at call sites instead of repeating version and
backend checks, and centralize PQC key metadata so key handling can
query helper functions instead of duplicating algorithm switch lists.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: add BoringSSL EVP enumeration fallback
8faac8f 
BoringSSL declares EVP_CIPHER_do_all_sorted and
EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide
those symbols. Add a Node build flag that keeps ncrypto and its
dependents on a local BoringSSL fallback list when libdecrepit is
absent.

Keep embedders that provide the EVP enumeration symbols on the normal
OpenSSL-compatible path, matching Electron's patched BoringSSL build.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
tools: add boringssl to tools/nix/openssl-matrix.nix
328bf1a
@panva
crypto: refactor PQC raw seed handling
b88eca8 
Refactor ML-DSA and ML-KEM seed sizes and seed import/export
helpers into shared helpers. Keep the provider-specific OpenSSL
and BoringSSL paths contained in those helpers.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva panva force-pushed the make-crypto-boring-again branch from 078d5ed to b88eca8 Compare May 6, 2026 19:13
@panva panva mentioned this pull request May 6, 2026
Open
jasnell
jasnell approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but would be good to have @codebytere also take a look if they're available to do so.

@panva
Copy link
Copy Markdown
Member Author

panva commented May 7, 2026
edited
Loading

This is WIP / CI harness @jasnell . I am slowly taking things off the stack here and opening them individually. E.g. #63161

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell approved these changes

Assignees

No one assigned

Labels

wip Issues and PRs that are still a work in progress.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@panva @nodejs-github-bot @jasnell