Skip to content

crypto: add guards and adjust tests for BoringSSL#62883

Open
panva wants to merge 6 commits intonodejs:mainfrom
panva:more-boring
Open

crypto: add guards and adjust tests for BoringSSL#62883
panva wants to merge 6 commits intonodejs:mainfrom
panva:more-boring

Conversation

@panva
Copy link
Copy Markdown
Member

@panva panva commented Apr 22, 2026
edited
Loading

This reduces the number of patches needed to make Node.js compile and test crypto/webcrypto when running linked against BoringSSL (date below)

Version / tag: 0.20260327.0 (dated 2026-03-27)
Source:        https://boringssl.googlesource.com/boringssl
Rev:           refs/tags/0.20260327.0
Nixpkgs pin:   ab72be9733b41190ea34f1422a3e4e243ede7533

Some of the patches have been adapted from these sources:

ncrypto changes are already in / from https://github.com/nodejs/ncrypto/blob/88555cc07e8ffcfdbbab779e86cc6225317ee6ae/include/ncrypto.h#L332-L343 / https://github.com/nodejs/ncrypto/blob/88555cc07e8ffcfdbbab779e86cc6225317ee6ae/src/ncrypto.cpp#L3240-L3248

@panva
crypto: add guards and adjust tests for BoringSSL
277f68f 
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 22, 2026

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Apr 22, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 22, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 89.63%. Comparing base (c29a34c) to head (f613538).
⚠️ Report is 20 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_dh.cc 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #62883   +/-   ##
=======================================
  Coverage   89.62%   89.63%           
=======================================
  Files         706      706           
  Lines      219165   219197   +32     
  Branches    41989    41989           
=======================================
+ Hits       196435   196474   +39     
+ Misses      14621    14620    -1     
+ Partials     8109     8103    -6
Files with missing lines Coverage Δ
src/crypto/crypto_cipher.cc 77.43% <ø> (ø)
src/crypto/crypto_context.cc 72.17% <ø> (+0.16%) ⬆️
src/crypto/crypto_rsa.cc 65.65% <ø> (ø)
src/crypto/crypto_util.cc 73.60% <ø> (+0.41%) ⬆️
src/crypto/crypto_dh.cc 67.59% <0.00%> (-0.21%) ⬇️

... and 35 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva added crypto Issues and PRs related to the crypto subsystem. webcrypto labels Apr 22, 2026
panva
panva commented Apr 23, 2026
View reviewed changes
Comment thread src/crypto/crypto_util.cc
uint32_t len = args[0].As<Uint32>()->Value();

auto data = DataPointer::SecureAlloc(len);
CHECK(data.isSecure());
Copy link
Copy Markdown
Member Author

@panva panva Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CHECK was incorrect.

DataPointer::SecureAlloc wraps OPENSSL_secure_zalloc, which by design transparently falls back to a regular CRYPTO_zalloc when the secure heap is not available:

  • --secure-heap=0 (the default), secure heap is never initialized, so every SecureAlloc returns a non-secure pointer.
  • Windows, secure-heap initialization is gated behind #ifndef _WIN32 in InitCryptoOnce, so it's never initialized there either.
  • BoringSSL does not implement OPENSSL_secure_zalloc at all; ncrypto falls back to OPENSSL_malloc + memset and sets secure_=false.
  • OpenSSL with secure heap enabled but exhausted, OPENSSL_secure_zalloc silently falls back to the regular heap.

The comment directly above SecureBuffer already documents this: "Without --secure-heap, OpenSSL's secure heap is disabled, in which case this has the same semantics as using OPENSSL_malloc." A non-secure fallback is an expected, documented outcome, so asserting isSecure() is not a valid invariant.

Why it didn't fire before

The CHECK only "passed" due to a bug in ncrypto::DataPointer::SecureAlloc, which unconditionally set secure_=true regardless of whether the returned pointer actually came from the secure heap. That bug is fixed in ncrypto (using CRYPTO_secure_allocated(ptr) to track actual use of secure heap), which in turn exposed the CHECK as unsound on default cli options, on Windows, and made the process crash on BoringSSL builds where secure_ was already correctly false.

Impact

Paired with the ncrypto fix randomUUID() (the only caller of secureBuffer) continues to work exactly as before; it just no longer aborts on BoringSSL / when the ncrypto provenance fix is in place.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell Awaiting requested review from jasnell

@anonrig anonrig Awaiting requested review from anonrig

@codebytere codebytere Awaiting requested review from codebytere

@tniessen tniessen Awaiting requested review from tniessen

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

crypto Issues and PRs related to the crypto subsystem. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. webcrypto

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@panva @nodejs-github-bot