src: add BoringSSL EVP enumeration fallback

panva · sxa · commit c863c75c398c · 2026-06-23T01:06:40.000+01:00
BoringSSL declares EVP_CIPHER_do_all_sorted and EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide those symbols. Add a Node build flag that keeps ncrypto and its dependents on a local BoringSSL fallback list when libdecrepit is absent. Keep embedders that provide the EVP enumeration symbols on the normal OpenSSL-compatible path, matching Electron's patched BoringSSL build. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63206 Backport-PR-URL: #63563 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
@@ -7,6 +7,11 @@
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+#include <openssl/bytestring.h>
+#include <openssl/cipher.h>
+#include <openssl/pem.h>
+#endif
 #include <algorithm>
 #include <array>
 #include <cstring>
@@ -67,6 +72,28 @@ using NetscapeSPKIPointer = DeleteFnPtr<NETSCAPE_SPKI, NETSCAPE_SPKI_free>;
 
 static constexpr int kX509NameFlagsRFC2253WithinUtf8JSON =
     XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB & ~ASN1_STRFLGS_ESC_CTRL;
+
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+struct BoringSSLCipher {
+  const EVP_CIPHER* (*get)();
+  const char* name;
+};
+
+constexpr BoringSSLCipher kBoringSSLCiphers[] = {
+    {EVP_aes_128_cbc, "aes-128-cbc"},   {EVP_aes_128_ctr, "aes-128-ctr"},
+    {EVP_aes_128_ecb, "aes-128-ecb"},   {EVP_aes_128_gcm, "aes-128-gcm"},
+    {EVP_aes_128_ofb, "aes-128-ofb"},   {EVP_aes_192_cbc, "aes-192-cbc"},
+    {EVP_aes_192_ctr, "aes-192-ctr"},   {EVP_aes_192_ecb, "aes-192-ecb"},
+    {EVP_aes_192_gcm, "aes-192-gcm"},   {EVP_aes_192_ofb, "aes-192-ofb"},
+    {EVP_aes_256_cbc, "aes-256-cbc"},   {EVP_aes_256_ctr, "aes-256-ctr"},
+    {EVP_aes_256_ecb, "aes-256-ecb"},   {EVP_aes_256_gcm, "aes-256-gcm"},
+    {EVP_aes_256_ofb, "aes-256-ofb"},   {EVP_des_cbc, "des-cbc"},
+    {EVP_des_ecb, "des-ecb"},           {EVP_des_ede, "des-ede"},
+    {EVP_des_ede3_cbc, "des-ede3-cbc"}, {EVP_des_ede_cbc, "des-ede-cbc"},
+    {EVP_rc2_cbc, "rc2-cbc"},           {EVP_rc4, "rc4"},
+};
+
+#endif
 }  // namespace
 
 // ============================================================================
@@ -4209,6 +4236,12 @@ void Cipher::ForEach(Cipher::CipherNameCallback callback) {
   CipherCallbackContext context;
   context.cb = std::move(callback);
 
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+  for (const auto& cipher : kBoringSSLCiphers) {
+    static_cast<void>(cipher.get);
+    context.cb(cipher.name);
+  }
+#else
   EVP_CIPHER_do_all_sorted(
 #if OPENSSL_VERSION_MAJOR >= 3
       array_push_back<EVP_CIPHER,
@@ -4220,6 +4253,7 @@ void Cipher::ForEach(Cipher::CipherNameCallback callback) {
       array_push_back<EVP_CIPHER>,
 #endif
       &context);
+#endif
 }
 
 // ============================================================================
diff --git a/deps/ncrypto/ncrypto.gyp b/deps/ncrypto/ncrypto.gyp
@@ -1,5 +1,6 @@
 {
   'variables': {
+    'ncrypto_bssl_libdecrepit_missing%': 1,
     'ncrypto_sources': [
       'engine.cc',
       'ncrypto.cc',
@@ -11,8 +12,14 @@
       'target_name': 'ncrypto',
       'type': 'static_library',
       'include_dirs': ['.'],
+      'defines': [
+        'NCRYPTO_BSSL_LIBDECREPIT_MISSING=<(ncrypto_bssl_libdecrepit_missing)',
+      ],
       'direct_dependent_settings': {
         'include_dirs': ['.'],
+        'defines': [
+          'NCRYPTO_BSSL_LIBDECREPIT_MISSING=<(ncrypto_bssl_libdecrepit_missing)',
+        ],
       },
       'sources': [ '<@(ncrypto_sources)' ],
       'conditions': [
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -22,6 +22,24 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif  // !OPENSSL_NO_ENGINE
+
+#ifndef OPENSSL_VERSION_PREREQ
+#define OPENSSL_VERSION_PREREQ(maj, min)                                       \
+  (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | ((min) << 20)))
+#endif
+
+// BoringSSL declares the EVP_*_do_all* APIs, but their implementation may
+// live in libdecrepit. This matches standalone ncrypto's build flag.
+#ifndef NCRYPTO_BSSL_LIBDECREPIT_MISSING
+#define NCRYPTO_BSSL_LIBDECREPIT_MISSING 0
+#endif
+
+#if defined(OPENSSL_IS_BORINGSSL) && NCRYPTO_BSSL_LIBDECREPIT_MISSING
+#define NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK 1
+#else
+#define NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK 0
+#endif
+
 // The FIPS-related functions are only available
 // when the OpenSSL itself was compiled with FIPS support.
 #if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
@@ -682,6 +682,10 @@ function prepareAsymmetricKey(key, ctx, name = 'key') {
       return { data, format: kKeyFormatJWK };
     } else if (format === 'raw-public' || format === 'raw-private' ||
                format === 'raw-seed') {
+      if ((ctx === kConsumePrivate || ctx === kCreatePrivate) &&
+          format === 'raw-public') {
+        throw new ERR_INVALID_ARG_VALUE(`${name}.format`, format);
+      }
       if (!isArrayBufferView(data) && !isAnyArrayBuffer(data)) {
         throw new ERR_INVALID_ARG_TYPE(
           `${name}.key`,
diff --git a/src/crypto/crypto_hash.cc b/src/crypto/crypto_hash.cc
@@ -7,6 +7,10 @@
 #include "threadpoolwork-inl.h"
 #include "v8.h"
 
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+#include <openssl/digest.h>
+#endif
+
 #include <cstdio>
 
 namespace node {
@@ -41,6 +45,24 @@ void Hash::MemoryInfo(MemoryTracker* tracker) const {
   tracker->TrackFieldWithSize("md", digest_ ? md_len_ : 0);
 }
 
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+struct BoringSSLDigest {
+  const EVP_MD* (*get)();
+  const char* name;
+};
+
+constexpr BoringSSLDigest kBoringSSLDigests[] = {
+    {EVP_md4, "md4"},
+    {EVP_md5, "md5"},
+    {EVP_sha1, "sha1"},
+    {EVP_sha224, "sha224"},
+    {EVP_sha256, "sha256"},
+    {EVP_sha384, "sha384"},
+    {EVP_sha512, "sha512"},
+    {EVP_sha512_256, "sha512-256"},
+};
+#endif
+
 #if OPENSSL_VERSION_MAJOR >= 3
 void PushAliases(const char* name, void* data) {
   static_cast<std::vector<std::string>*>(data)->push_back(name);
@@ -122,7 +144,12 @@ void SaveSupportedHashAlgorithms(const EVP_MD* md,
 const std::vector<std::string>& GetSupportedHashAlgorithms(Environment* env) {
   if (env->supported_hash_algorithms.empty()) {
     MarkPopErrorOnReturn mark_pop_error_on_return;
-#if OPENSSL_VERSION_MAJOR >= 3
+#if NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK
+    for (const auto& digest : kBoringSSLDigests) {
+      static_cast<void>(digest.get);
+      env->supported_hash_algorithms.emplace_back(digest.name);
+    }
+#elif OPENSSL_VERSION_MAJOR >= 3
     // Since we'll fetch the EVP_MD*, cache them along the way to speed up
     // later lookups instead of throwing them away immediately.
     EVP_MD_do_all_sorted(SaveSupportedHashAlgorithmsAndCacheMD, env);
diff --git a/test/parallel/test-crypto-boringssl-evp-list.js b/test/parallel/test-crypto-boringssl-evp-list.js
@@ -0,0 +1,31 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+if (!process.features.openssl_is_boringssl)
+  common.skip('BoringSSL-only test');
+
+const assert = require('assert');
+const { getCiphers, getHashes } = require('crypto');
+
+const ciphers = getCiphers();
+[
+  'aes-128-cbc',
+  'aes-256-gcm',
+  'des-ede',
+  'des-ede-cbc',
+  'des-ede3-cbc',
+  'rc2-cbc',
+  'rc4',
+].forEach((cipher) => assert(ciphers.includes(cipher), cipher));
+
+const hashes = getHashes();
+[
+  'md4',
+  'md5',
+  'sha1',
+  'sha256',
+  'sha512-256',
+].forEach((hash) => assert(hashes.includes(hash), hash));
diff --git a/test/parallel/test-crypto-key-objects-raw.js b/test/parallel/test-crypto-key-objects-raw.js
@@ -59,6 +59,47 @@ const { hasOpenSSL } = require('../common/crypto');
   }
 }
 
+// Raw public keys cannot be imported as private keys.
+{
+  const rawPublicKeys = [
+    ['ec', 'ec_p256_public.pem', { namedCurve: 'P-256' }],
+    ['ed25519', 'ed25519_public.pem'],
+    ['x25519', 'x25519_public.pem'],
+  ];
+
+  if (!process.features.openssl_is_boringssl) {
+    rawPublicKeys.push(
+      ['ed448', 'ed448_public.pem'],
+      ['x448', 'x448_public.pem'],
+    );
+  } else {
+    common.printSkipMessage('Skipping unsupported ed448/x448 test cases');
+  }
+
+  if (hasOpenSSL(3, 5)) {
+    rawPublicKeys.push(
+      ['ml-dsa-44', 'ml_dsa_44_public.pem'],
+      ['ml-kem-768', 'ml_kem_768_public.pem'],
+    );
+  }
+
+  if (hasOpenSSL(3, 5)) {
+    rawPublicKeys.push(
+      ['slh-dsa-sha2-128f', 'slh_dsa_sha2_128f_public.pem'],
+    );
+  }
+
+  for (const [asymmetricKeyType, fixture, options = {}] of rawPublicKeys) {
+    const publicKey = crypto.createPublicKey(fixtures.readKey(fixture, 'ascii'));
+    assert.throws(() => crypto.createPrivateKey({
+      key: publicKey.export({ format: 'raw-public' }),
+      format: 'raw-public',
+      asymmetricKeyType,
+      ...options,
+    }), { code: 'ERR_INVALID_ARG_VALUE' });
+  }
+}
+
 // Raw seed imports do not support strings.
 if (hasOpenSSL(3, 5)) {
   const privKeyObj = crypto.createPrivateKey(
@@ -116,7 +157,11 @@ if (hasOpenSSL(3, 5)) {
     for (const format of ['raw-public', 'raw-private', 'raw-seed']) {
       assert.throws(() => crypto.createPrivateKey({
         key: Buffer.alloc(32), format, asymmetricKeyType: 'dh',
-      }), { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' });
+      }), {
+        code: format === 'raw-public' ?
+          'ERR_INVALID_ARG_VALUE' :
+          'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS',
+      });
     }
   } else {
     common.printSkipMessage('Skipping unsupported dh test case');
diff --git a/test/parallel/test-crypto-pqc-key-objects-ml-kem.js b/test/parallel/test-crypto-pqc-key-objects-ml-kem.js
@@ -4,6 +4,10 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
+if (process.features.openssl_is_boringssl) {
+  common.skip('Skipping unsupported ML-KEM key tests');
+}
+
 const { hasOpenSSL } = require('../common/crypto');
 
 const assert = require('assert');
diff --git a/test/wpt/status/WebCryptoAPI.cjs b/test/wpt/status/WebCryptoAPI.cjs
@@ -6,16 +6,27 @@ const { hasOpenSSL } = require('../../common/crypto.js');
 
 const s390x = os.arch() === 's390x';
 
-const conditionalSkips = {};
+const conditionalFileSkips = {};
+const conditionalSubtestSkips = {};
 
 function skip(...files) {
   for (const file of files) {
-    conditionalSkips[file] = {
-      'skip': `Unsupported in OpenSSL ${process.versions.openssl}`,
+    conditionalFileSkips[file] = {
+      'skip': 'Unsupported in ' + (process.features.openssl_is_boringssl ? 'BoringSSL' : `OpenSSL ${process.versions.openssl}`),
     };
   }
 }
 
+function skipSubtests(...entries) {
+  for (const [file, regexp] of entries) {
+    conditionalSubtestSkips[file] ||= {
+      'skipTests': [],
+    };
+
+    conditionalSubtestSkips[file].skipTests.push(regexp);
+  }
+}
+
 if (!hasOpenSSL(3, 0)) {
   skip(
     'encrypt_decrypt/aes_ocb.tentative.https.any.js',
@@ -45,8 +56,54 @@ if (!hasOpenSSL(3, 5)) {
     'import_export/ML-DSA_importKey.tentative.https.any.js',
     'import_export/ML-KEM_importKey.tentative.https.any.js',
     'sign_verify/mldsa.tentative.https.any.js');
+
+  skipSubtests(
+    ['supports-modern.tentative.https.any.js', /ml-(?:kem|dsa)/i]);
 }
 
+if (process.features.openssl_is_boringssl) {
+  skip(
+    'derive_bits_keys/cfrg_curves_bits_curve448.tentative.https.any.js',
+    'derive_bits_keys/cfrg_curves_keys_curve448.tentative.https.any.js',
+    'digest/cshake.tentative.https.any.js',
+    'digest/sha3.tentative.https.any.js',
+    'encrypt_decrypt/chacha20_poly1305.tentative.https.any.js',
+    'generateKey/failures_AES-KW.https.any.js',
+    'generateKey/failures_Ed448.tentative.https.any.js',
+    'generateKey/failures_X448.tentative.https.any.js',
+    'generateKey/failures_chacha20_poly1305.tentative.https.any.js',
+    'generateKey/successes_AES-KW.https.any.js',
+    'generateKey/successes_Ed448.tentative.https.any.js',
+    'generateKey/successes_X448.tentative.https.any.js',
+    'generateKey/successes_chacha20_poly1305.tentative.https.any.js',
+    'import_export/ChaCha20-Poly1305_importKey.tentative.https.any.js',
+    'import_export/okp_importKey_Ed448.tentative.https.any.js',
+    'import_export/okp_importKey_failures_Ed448.tentative.https.any.js',
+    'import_export/okp_importKey_failures_X448.tentative.https.any.js',
+    'import_export/okp_importKey_X448.tentative.https.any.js',
+    'sign_verify/eddsa_curve448.tentative.https.any.js');
+
+  skipSubtests(
+    ['derive_bits_keys/hkdf.https.any.js', /AES-KW/],
+    ['derive_bits_keys/pbkdf2.https.any.js', /AES-KW/],
+    ['import_export/raw_format_aliases.tentative.https.any.js', /AES-KW/],
+    ['import_export/symmetric_importKey.https.any.js', /AES-KW/],
+    ['supports.tentative.https.any.js', /AES-KW/],
+    ['supports-modern.tentative.https.any.js', /ChaCha20-Poly1305/],
+    ['supports-modern.tentative.https.any.js', /^supports returns true for algorithm objects with valid parameters$/]);
+}
+
+function assertNoOverlap(fileSkips, subtestSkips) {
+  const subtestSkipFiles = new Set(Object.keys(subtestSkips));
+  const overlap = Object.keys(fileSkips).filter((file) => subtestSkipFiles.has(file));
+
+  if (overlap.length !== 0) {
+    throw new Error(`conditionalFileSkips and conditionalSubtestSkips overlap: ${overlap.join(', ')}`);
+  }
+}
+
+assertNoOverlap(conditionalFileSkips, conditionalSubtestSkips);
+
 const cshakeExpectedFailures = ['cSHAKE128', 'cSHAKE256'].flatMap((algorithm) => {
   return [0, 256, 384, 512].flatMap((length) => {
     return ['empty', 'short', 'medium'].flatMap((size) => {
@@ -95,7 +152,8 @@ const kmacExpectedFailures = kmacVectorNames.flatMap((name) => {
 });
 
 module.exports = {
-  ...conditionalSkips,
+  ...conditionalFileSkips,
+  ...conditionalSubtestSkips,
   'algorithm-discards-context.https.window.js': {
     'skip': 'Not relevant in Node.js context',
   },
@@ -133,13 +191,13 @@ module.exports = {
       ],
     },
   },
-  'digest/cshake.tentative.https.any.js': {
+  'digest/cshake.tentative.https.any.js': conditionalFileSkips['digest/cshake.tentative.https.any.js'] ?? {
     'fail': {
       'note': 'WPT still uses CShakeParams.length; implementation moved to CShakeParams.outputLength',
       'expected': cshakeExpectedFailures,
     },
   },
-  'sign_verify/kmac.tentative.https.any.js': conditionalSkips['sign_verify/kmac.tentative.https.any.js'] ?? {
+  'sign_verify/kmac.tentative.https.any.js': conditionalFileSkips['sign_verify/kmac.tentative.https.any.js'] ?? {
     'fail': {
       'note': 'WPT still uses KmacParams.length; implementation moved to KmacParams.outputLength',
       'expected': kmacExpectedFailures,
