lib,src: updates for BoringSSL #63125

Open
panva wants to merge 8 commits into nodejs:main from panva:make-crypto-boring-again

panva commented May 5, 2026

aarch64-linux: with shared boringssl-0.20260413.0

===
=== All tests succeeded
===

All tests passed.

panva added the wip and test-shared-boringssl labels May 5, 2026
panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 121a7ab to 97a3c8f May 5, 2026 13:30
codecov Bot commented May 5, 2026

Codecov Report

❌ Patch coverage is 90.10989% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.98%. Comparing base (9adddc5) to head (b2b116e).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| lib/internal/crypto/webidl.js | 50.00% | 5 Missing ⚠️ |
| lib/internal/tls/wrap.js | 71.42% | 2 Missing ⚠️ |
| src/crypto/crypto_pqc.cc | 92.00% | 0 Missing and 2 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #63125      +/-   ##
==========================================
- Coverage   90.04%   89.98%   -0.06%     
==========================================
  Files         713      711       -2     
  Lines      224926   223867    -1059     
  Branches    42525    42393     -132     
==========================================
- Hits       202526   201452    -1074     
- Misses      14180    14280     +100     
+ Partials     8220     8135      -85     

| Files with missing lines | Coverage Δ |
|---|---|
| lib/internal/crypto/util.js | 97.08% <100.00%> (+0.10%) ⬆️ |
| lib/internal/errors.js | 97.60% <100.00%> (-0.05%) ⬇️ |
| src/crypto/crypto_aes.cc | 53.81% <ø> (ø) |
| src/crypto/crypto_aes.h | 33.33% <ø> (ø) |
| src/crypto/crypto_argon2.cc | 64.13% <ø> (ø) |
| src/crypto/crypto_argon2.h | 50.00% <ø> (ø) |
| src/crypto/crypto_chacha20_poly1305.cc | 58.13% <ø> (ø) |
| src/crypto/crypto_cipher.cc | 77.62% <ø> (+0.19%) ⬆️ |
| src/crypto/crypto_hash.cc | 76.94% <ø> (-0.30%) ⬇️ |
| src/crypto/crypto_kem.cc | 80.74% <ø> (ø) |

... and 10 more

... and 125 files with indirect coverage changes

panva force-pushed the make-crypto-boring-again branch from 97a3c8f to 6b8d741 May 5, 2026 15:49
panva force-pushed the make-crypto-boring-again branch from 6b8d741 to db65e65 May 5, 2026 17:17
panva force-pushed the make-crypto-boring-again branch 3 times, most recently from 078d5ed to b88eca8 May 6, 2026 19:13
jasnell left a comment

LGTM but would be good to have @codebytere also take a look if they're available to do so.

panva commented May 7, 2026

This is WIP / CI harness @jasnell. I am slowly taking things off the stack here and opening them individually. E.g. #63161

panva force-pushed the make-crypto-boring-again branch from b88eca8 to dd9e2f4 May 8, 2026 00:03
panva added 3 commits May 8, 2026 09:10
Map BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is
called. This avoids exposing an implementation-specific OpenSSL error
when the TLS backend does not support caller-initiated renegotiation.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

BoringSSL declares EVP_CIPHER_do_all_sorted and
EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide
those symbols. Add a Node build flag that keeps ncrypto and its
dependents on a local BoringSSL fallback list when libdecrepit is
absent.

Keep embedders that provide the EVP enumeration symbols on the normal
OpenSSL-compatible path, matching Electron's patched BoringSSL build.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 8868f43 to b2b116e May 8, 2026 08:53
Comment thread tools/dep_updaters/update-nixpkgs-pin.sh Outdated
panva added 5 commits May 8, 2026 12:24
Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Add OPENSSL_WITH_* feature macros for crypto capabilities that vary by
OpenSSL version and use those instead of repeating version checks.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
panva force-pushed the make-crypto-boring-again branch from b2b116e to 5bfc8bf May 8, 2026 10:24