lib,src: updates for BoringSSL by panva · Pull Request #63125 · nodejs/node

panva · 2026-05-05T12:34:46Z

wip Issues and PRs that are still a work in progress.

aarch64-linux: with shared boringssl-0.20260413.0
===
=== All tests succeeded
===

All tests passed.

codecov · 2026-05-05T15:02:54Z

Codecov Report

❌ Patch coverage is 89.01099% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.03%. Comparing base (9adddc5) to head (cd86c6a).
⚠️ Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/internal/crypto/webidl.js	50.00%	5 Missing ⚠️
lib/internal/tls/wrap.js	71.42%	2 Missing ⚠️
src/crypto/crypto_pqc.cc	92.00%	0 Missing and 2 partials ⚠️
src/crypto/crypto_keys.cc	97.61%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #63125      +/-   ##
==========================================
- Coverage   90.04%   90.03%   -0.01%     
==========================================
  Files         713      713              
  Lines      224926   224969      +43     
  Branches    42525    42548      +23     
==========================================
+ Hits       202526   202558      +32     
- Misses      14180    14186       +6     
- Partials     8220     8225       +5

Files with missing lines	Coverage Δ
lib/internal/crypto/util.js	`97.08% <100.00%> (+0.10%)`	⬆️
lib/internal/errors.js	`97.65% <100.00%> (+<0.01%)`	⬆️
src/crypto/crypto_aes.cc	`53.81% <ø> (ø)`
src/crypto/crypto_aes.h	`33.33% <ø> (ø)`
src/crypto/crypto_argon2.cc	`64.13% <ø> (ø)`
src/crypto/crypto_argon2.h	`50.00% <ø> (ø)`
src/crypto/crypto_chacha20_poly1305.cc	`58.13% <ø> (ø)`
src/crypto/crypto_cipher.cc	`77.62% <ø> (+0.19%)`	⬆️
src/crypto/crypto_hash.cc	`77.24% <ø> (ø)`
src/crypto/crypto_kem.cc	`80.74% <ø> (ø)`
... and 10 more

... and 35 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

jasnell

LGTM but would be good to have @codebytere also take a look if they're available to do so.

panva · 2026-05-07T04:58:40Z

This is WIP / CI harness @jasnell . I am slowly taking things off the stack here and opening them individually. E.g. #63161

Map BoringSSL's native renegotiation failure to ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is called. This avoids exposing an implementation-specific OpenSSL error when the TLS backend does not support caller-initiated renegotiation. Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

BoringSSL declares EVP_CIPHER_do_all_sorted and EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide those symbols. Add a Node build flag that keeps ncrypto and its dependents on a local BoringSSL fallback list when libdecrepit is absent. Keep embedders that provide the EVP enumeration symbols on the normal OpenSSL-compatible path, matching Electron's patched BoringSSL build. Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Add OPENSSL_WITH_* feature macros for crypto capabilities that vary by OpenSSL version and use those instead of repeating version checks. Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

panva added wip Issues and PRs that are still a work in progress. test-shared-boringssl labels May 5, 2026

panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 121a7ab to 97a3c8f Compare May 5, 2026 13:30

panva removed the test-shared-boringssl label May 5, 2026

This comment was marked as outdated.

Sign in to view

panva force-pushed the make-crypto-boring-again branch from 97a3c8f to 6b8d741 Compare May 5, 2026 15:49

This comment was marked as outdated.

Sign in to view

panva force-pushed the make-crypto-boring-again branch from 6b8d741 to db65e65 Compare May 5, 2026 17:17

This comment was marked as outdated.

Sign in to view

panva force-pushed the make-crypto-boring-again branch 3 times, most recently from 078d5ed to b88eca8 Compare May 6, 2026 19:13

panva mentioned this pull request May 6, 2026

tls: add unsupported renegotiation error #63161

Closed

jasnell approved these changes May 7, 2026

View reviewed changes

panva force-pushed the make-crypto-boring-again branch from b88eca8 to dd9e2f4 Compare May 8, 2026 00:03

panva added 2 commits May 8, 2026 09:10

test: update tls/crypto behaviour expectations when using BoringSSL

868dcd5

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 8868f43 to b2b116e Compare May 8, 2026 08:53

aduh95 reviewed May 8, 2026

View reviewed changes

Comment thread tools/dep_updaters/update-nixpkgs-pin.sh Outdated

panva force-pushed the make-crypto-boring-again branch 2 times, most recently from 5bfc8bf to 2a7cae8 Compare May 8, 2026 18:05

panva added 5 commits May 8, 2026 20:11

tools: add boringssl to tools/nix/openssl-matrix.nix

c3a1b13

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

src: simplify OpenSSL feature gates

b51a0ce

Add OPENSSL_WITH_* feature macros for crypto capabilities that vary by OpenSSL version and use those instead of repeating version checks. Signed-off-by: Filip Skokan <panva.ip@gmail.com>

crypto: wire AES-KW in Web Cryptography when using BoringSSL

3e17845

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL

cc7f5ea

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

crypto: wire ML-DSA and ML-KEM for use when using BoringSSL

cd86c6a

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

panva force-pushed the make-crypto-boring-again branch from 2a7cae8 to cd86c6a Compare May 8, 2026 18:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

lib,src: updates for BoringSSL#63125

lib,src: updates for BoringSSL#63125
panva wants to merge 8 commits intonodejs:mainfrom
panva:make-crypto-boring-again

panva commented May 5, 2026 •

edited

Loading

Uh oh!

This comment was marked as outdated.

codecov Bot commented May 5, 2026 •

edited

Loading

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

jasnell left a comment

Uh oh!

panva commented May 7, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

panva commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as outdated.

codecov Bot commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

jasnell left a comment

Choose a reason for hiding this comment

Uh oh!

panva commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

panva commented May 5, 2026 •

edited

Loading

codecov Bot commented May 5, 2026 •

edited

Loading

panva commented May 7, 2026 •

edited

Loading