chore: sync ncrypto from Node.js v26.1.0 (#46)

github-actions[bot] · panva · web-flow · commit 2ee0b8866071 · 2026-05-08T15:46:52.000+02:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: Filip Skokan &lt;panva.ip@gmail.com&gt;
diff --git a/.github/sync-node-ncrypto.json b/.github/sync-node-ncrypto.json
@@ -1,3 +1,3 @@
 {
-  "node_commit": "8385efc01343a835e3a0efe05611f44272cbb413"
+  "node_commit": "e7da6f056ac4afeaaf012042188818ca7736f437"
 }
diff --git a/src/ncrypto.cpp b/src/ncrypto.cpp
@@ -156,7 +156,12 @@ DataPointer DataPointer::SecureAlloc(size_t len) {
 #ifndef OPENSSL_IS_BORINGSSL
   auto ptr = OPENSSL_secure_zalloc(len);
   if (ptr == nullptr) return {};
-  return DataPointer(ptr, len, true);
+  // OPENSSL_secure_zalloc transparently falls back to a regular allocation
+  // when the secure heap is not initialized or is exhausted. Reflect the
+  // actual provenance of the pointer so that reset() routes to the correct
+  // free function (OPENSSL_secure_clear_free vs. OPENSSL_clear_free) and
+  // callers of isSecure() get a truthful answer.
+  return DataPointer(ptr, len, CRYPTO_secure_allocated(ptr) == 1);
 #else
   // BoringSSL does not implement the OPENSSL_secure_zalloc API.
   auto ptr = OPENSSL_malloc(len);

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- "node_commit": "8385efc01343a835e3a0efe05611f44272cbb413"`
	`2`	`+ "node_commit": "e7da6f056ac4afeaaf012042188818ca7736f437"`
`3`	`3`	`}`