Skip to content

lib,src: updates for BoringSSL#63125

Open
panva wants to merge 8 commits intonodejs:mainfrom
panva:make-crypto-boring-again
Open

lib,src: updates for BoringSSL#63125
panva wants to merge 8 commits intonodejs:mainfrom
panva:make-crypto-boring-again

Conversation

@panva
Copy link
Copy Markdown
Member

@panva panva commented May 5, 2026
edited
Loading

wip Issues and PRs that are still a work in progress.

aarch64-linux: with shared boringssl-0.20260413.0

===
=== All tests succeeded
===

All tests passed.

@panva panva added wip Issues and PRs that are still a work in progress. test-shared-boringssl labels May 5, 2026
@panva panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 121a7ab to 97a3c8f Compare May 5, 2026 13:30
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@codecov
Copy link
Copy Markdown

codecov Bot commented May 5, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 89.01099% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.04%. Comparing base (1fd4949) to head (dd9e2f4).

Files with missing lines Patch % Lines
lib/internal/crypto/webidl.js 50.00% 5 Missing ⚠️
lib/internal/tls/wrap.js 71.42% 2 Missing ⚠️
src/crypto/crypto_pqc.cc 92.00% 0 Missing and 2 partials ⚠️
src/crypto/crypto_keys.cc 97.61% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #63125   +/-   ##
=======================================
  Coverage   90.03%   90.04%           
=======================================
  Files         713      713           
  Lines      224699   224726   +27     
  Branches    42473    42508   +35     
=======================================
+ Hits       202310   202355   +45     
  Misses      14179    14179           
+ Partials     8210     8192   -18
Files with missing lines Coverage Δ
lib/internal/crypto/util.js 97.08% <100.00%> (+0.10%) ⬆️
lib/internal/errors.js 97.65% <100.00%> (+<0.01%) ⬆️
src/crypto/crypto_aes.cc 53.81% <ø> (ø)
src/crypto/crypto_aes.h 33.33% <ø> (ø)
src/crypto/crypto_argon2.cc 64.13% <ø> (ø)
src/crypto/crypto_argon2.h 50.00% <ø> (ø)
src/crypto/crypto_chacha20_poly1305.cc 58.13% <ø> (ø)
src/crypto/crypto_cipher.cc 77.62% <ø> (+0.19%) ⬆️
src/crypto/crypto_hash.cc 77.24% <ø> (+0.29%) ⬆️
src/crypto/crypto_kem.cc 80.74% <ø> (ø)
... and 10 more

... and 28 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva force-pushed the make-crypto-boring-again branch from 97a3c8f to 6b8d741 Compare May 5, 2026 15:49
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva force-pushed the make-crypto-boring-again branch from 6b8d741 to db65e65 Compare May 5, 2026 17:17
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva force-pushed the make-crypto-boring-again branch 3 times, most recently from 078d5ed to b88eca8 Compare May 6, 2026 19:13
@panva panva mentioned this pull request May 6, 2026
Open
jasnell
jasnell approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but would be good to have @codebytere also take a look if they're available to do so.

@panva
Copy link
Copy Markdown
Member Author

panva commented May 7, 2026
edited
Loading

This is WIP / CI harness @jasnell . I am slowly taking things off the stack here and opening them individually. E.g. #63161

@panva panva force-pushed the make-crypto-boring-again branch from b88eca8 to dd9e2f4 Compare May 8, 2026 00:03
panva added 8 commits May 8, 2026 09:10
@panva
tls: add unsupported renegotiation error
6bb199b 
Map BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is
called. This avoids exposing an implementation-specific OpenSSL error
when the TLS backend does not support caller-initiated renegotiation.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
test: update tls/crypto behaviour expectations when using BoringSSL
868dcd5 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: add BoringSSL EVP enumeration fallback
3a30c56 
BoringSSL declares EVP_CIPHER_do_all_sorted and
EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide
those symbols. Add a Node build flag that keeps ncrypto and its
dependents on a local BoringSSL fallback list when libdecrepit is
absent.

Keep embedders that provide the EVP enumeration symbols on the normal
OpenSSL-compatible path, matching Electron's patched BoringSSL build.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
tools: add boringssl to tools/nix/openssl-matrix.nix
455f489 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
src: simplify OpenSSL feature gates
168818e 
Introduce explicit OPENSSL_WITH_* feature macros for crypto
capabilities that vary by OpenSSL version or BoringSSL support.

Use those macros at call sites instead of repeating version and
backend checks, and centralize PQC key metadata so key handling can
query helper functions instead of duplicating algorithm switch lists.

Refactor ML-DSA and ML-KEM seed sizes and seed import/export
helpers into shared helpers.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ML-DSA and ML-KEM for use when using BoringSSL
6fc9cf2 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire AES-KW in Web Cryptography when using BoringSSL
bdd7eea 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva
crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL
8868f43 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva panva force-pushed the make-crypto-boring-again branch from dd9e2f4 to 8868f43 Compare May 8, 2026 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

wip Issues and PRs that are still a work in progress.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@panva @nodejs-github-bot @jasnell