chore: sync ncrypto from Node.js v26.2.0 (#47)

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

Author: github-actions[bot]

.github/sync-node-ncrypto.json

@@ -1,3 +1,3 @@
 {
-  "node_commit": "e7da6f056ac4afeaaf012042188818ca7736f437"
+  "node_commit": "cfd7920d5a2d84905c4292362d01d07870047e93"
 }

.github/workflows/ubuntu.yml

@@ -45,52 +45,42 @@ jobs:
       - name: Test
         run: ctest --output-on-failure --test-dir build
 
-  # Test with OpenSSL 3.2+ to cover Argon2 code path
+  # Test with OpenSSL release lines
   openssl:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: "1.1.1"
+            cache_key: "1.1.1"
+            version: "1.1.1w"
+            tag: "OpenSSL_1_1_1w"
+            cxx_flags: ""
+          - name: "3.0"
+            cache_key: "3.0"
+            version: "3.0.20"
+            tag: "openssl-3.0.20"
+            cxx_flags: ""
+          - name: "3.5 LTS"
+            cache_key: "3.5-lts"
+            version: "3.5.6"
+            tag: "openssl-3.5.6"
+            cxx_flags: ""
+          - name: "3.5 LTS, no Argon2"
+            cache_key: "3.5-lts-no-argon2"
+            version: "3.5.6"
+            tag: "openssl-3.5.6"
+            cxx_flags: "-DOPENSSL_NO_ARGON2"
+          - name: "4.0"
+            cache_key: "4.0"
+            version: "4.0.0"
+            tag: "openssl-4.0.0"
+            cxx_flags: ""
+    name: OpenSSL ${{ matrix.name }}
     runs-on: ubuntu-latest
     env:
-      OPENSSL_VERSION: "3.4.1"
-      OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Cache OpenSSL
-        id: cache-openssl
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: ${{ env.OPENSSL_DIR }}
-          key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}
-      - name: Build OpenSSL
-        if: steps.cache-openssl.outputs.cache-hit != 'true'
-        run: |
-          curl -LO https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz
-          tar xzf openssl-${OPENSSL_VERSION}.tar.gz
-          cd openssl-${OPENSSL_VERSION}
-          ./Configure --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl
-          make -j$(nproc)
-          make install_sw
-      - name: ccache
-        uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
-        with:
-          key: ${{github.job}}-openssl
-      - name: Setup dependencies
-        run: sudo apt-get update && sudo apt-get install -y ninja-build libgtest-dev
-      - name: Prepare
-        run: |
-          cmake -DNCRYPTO_SHARED_LIBS=ON -G Ninja -B build \
-            -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
-            -DCMAKE_PREFIX_PATH=${OPENSSL_DIR}
-      - name: Build
-        run: cmake --build build -j=4
-      - name: Test
-        run: ctest --output-on-failure --test-dir build
-        env:
-          LD_LIBRARY_PATH: ${{ env.OPENSSL_DIR }}/lib64:${{ env.OPENSSL_DIR }}/lib
-
-  # Test with OPENSSL_NO_ARGON2 defined (Argon2 tests excluded)
-  openssl-no-argon2:
-    runs-on: ubuntu-latest
-    env:
-      OPENSSL_VERSION: "3.4.1"
+      OPENSSL_VERSION: ${{ matrix.version }}
+      OPENSSL_TAG: ${{ matrix.tag }}
       OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -103,21 +93,21 @@ jobs:
       - name: Build OpenSSL
         if: steps.cache-openssl.outputs.cache-hit != 'true'
         run: |
-          curl -LO https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz
+          curl -LO https://github.com/openssl/openssl/releases/download/${OPENSSL_TAG}/openssl-${OPENSSL_VERSION}.tar.gz
           tar xzf openssl-${OPENSSL_VERSION}.tar.gz
           cd openssl-${OPENSSL_VERSION}
-          ./Configure --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl
+          ./config --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl
           make -j$(nproc)
           make install_sw
       - name: ccache
         uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
         with:
-          key: ${{github.job}}-openssl-no-argon2
+          key: ${{github.job}}-openssl-${{ matrix.cache_key }}
       - name: Setup dependencies
         run: sudo apt-get update && sudo apt-get install -y ninja-build libgtest-dev
       - name: Prepare
         run: |
-          cmake -DNCRYPTO_SHARED_LIBS=ON -DCMAKE_CXX_FLAGS="-DOPENSSL_NO_ARGON2" -G Ninja -B build \
+          cmake -DNCRYPTO_SHARED_LIBS=ON -DCMAKE_CXX_FLAGS="${{ matrix.cxx_flags }}" -G Ninja -B build \
             -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
             -DCMAKE_PREFIX_PATH=${OPENSSL_DIR}
       - name: Build

CMakeLists.txt

@@ -18,9 +18,9 @@ else()
 
   CPMAddPackage(
     NAME boringssl
-    VERSION 0.20250818.0
+    VERSION 0.20260508.0
     GITHUB_REPOSITORY google/boringssl
-    GIT_TAG 0.20250818.0
+    GIT_TAG 0.20260508.0
     OPTIONS "BUILD_SHARED_LIBS OFF" "BUILD_TESTING OFF"
   )
 endif()

MODULE.bazel

@@ -1,16 +1,16 @@
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "bazel_skylib", version = "1.9.0")
-bazel_dep(name = "boringssl", version = "0.20251002.0", repo_name = "ssl")
-bazel_dep(name = "rules_cc", version = "0.2.16")
+bazel_dep(name = "boringssl", version = "0.20260508.0", repo_name = "ssl")
+bazel_dep(name = "rules_cc", version = "0.2.17")
 
 archive_override(
     module_name = "boringssl",
     patch_strip = 1,
     patches = [
         "//:patches/0001-Expose-libdecrepit-so-NodeJS-can-use-it-for-ncrypto.patch",
     ],
-    sha256 = "f96733fc3df03d4195db656d1b7b8c174c33f95d052f811f0ecc8f4e4e3db332",
-    strip_prefix = "boringssl-0.20251002.0",
+    sha256 = "de3371d3fe085afd34778a4c988fb7840b9c92cb21504e674f33ebefd98edc00",
+    strip_prefix = "boringssl-0.20260508.0",
     type = "tgz",
-    urls = ["https://github.com/google/boringssl/archive/refs/tags/0.20251002.0.tar.gz"],
+    urls = ["https://github.com/google/boringssl/archive/refs/tags/0.20260508.0.tar.gz"],
 )

MODULE.bazel.lock

@@ -32,22 +32,103 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif  // !OPENSSL_NO_ENGINE
+
+#ifndef OPENSSL_VERSION_PREREQ
+#define OPENSSL_VERSION_PREREQ(maj, min)                                       \
+  (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | ((min) << 20)))
+#endif
+
+// BoringSSL declares the EVP_*_do_all* APIs, but their implementation may
+// live in libdecrepit. This matches standalone ncrypto's build flag.
+#ifndef NCRYPTO_BSSL_LIBDECREPIT_MISSING
+#define NCRYPTO_BSSL_LIBDECREPIT_MISSING 0
+#endif
+
+#if defined(OPENSSL_IS_BORINGSSL) && NCRYPTO_BSSL_LIBDECREPIT_MISSING
+#define NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK 1
+#else
+#define NCRYPTO_USE_BORINGSSL_EVP_DO_ALL_FALLBACK 0
+#endif
+
 // The FIPS-related functions are only available
 // when the OpenSSL itself was compiled with FIPS support.
-#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
+#if defined(OPENSSL_FIPS) && !OPENSSL_VERSION_PREREQ(3, 0)
 #include <openssl/fips.h>
 #endif  // OPENSSL_FIPS
 
-// Define OPENSSL_WITH_PQC for post-quantum cryptography support
-#if OPENSSL_VERSION_NUMBER >= 0x30500000L
-#define OPENSSL_WITH_PQC 1
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#define OPENSSL_WITH_AES_OCB 1
+#else
+#define OPENSSL_WITH_AES_OCB 0
+#endif
+
+#if !defined(OPENSSL_NO_ARGON2) && OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_ARGON2 1
+#else
+#define OPENSSL_WITH_ARGON2 0
+#endif
+
+#if OPENSSL_VERSION_PREREQ(3, 0) || defined(OPENSSL_IS_BORINGSSL)
+#define OPENSSL_WITH_KEM 1
+#else
+#define OPENSSL_WITH_KEM 0
+#endif
+
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#define OPENSSL_WITH_KMAC 1
+#else
+#define OPENSSL_WITH_KMAC 0
+#endif
+
+#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_SIGNATURE_CONTEXT_STRING 1
+#else
+#define OPENSSL_WITH_SIGNATURE_CONTEXT_STRING 0
+#endif
+
+#if !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_OPENSSL_DHKEM 1
+#else
+#define OPENSSL_WITH_OPENSSL_DHKEM 0
+#endif
+
+#if OPENSSL_WITH_KEM && !defined(OPENSSL_IS_BORINGSSL) &&                      \
+    !OPENSSL_VERSION_PREREQ(3, 5)
+#define OPENSSL_WITH_KEM_OPERATION_PARAM 1
+#else
+#define OPENSSL_WITH_KEM_OPERATION_PARAM 0
+#endif
+
+// Post-quantum cryptography support. Keep these explicit so code can
+// distinguish provider API shape from the available algorithm set.
+#if !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_PREREQ(3, 5)
+#define OPENSSL_WITH_OPENSSL_PQC 1
+#else
+#define OPENSSL_WITH_OPENSSL_PQC 0
+#endif
+
+#ifdef OPENSSL_IS_BORINGSSL
+#define OPENSSL_WITH_BORINGSSL_PQC 1
+#else
+#define OPENSSL_WITH_BORINGSSL_PQC 0
+#endif
+
+#define OPENSSL_WITH_PQC                                                       \
+  (OPENSSL_WITH_OPENSSL_PQC || OPENSSL_WITH_BORINGSSL_PQC)
+#define OPENSSL_WITH_PQC_ML_KEM_512 OPENSSL_WITH_OPENSSL_PQC
+#define OPENSSL_WITH_PQC_SLH_DSA OPENSSL_WITH_OPENSSL_PQC
+
+#if OPENSSL_WITH_OPENSSL_PQC
 #define EVP_PKEY_ML_KEM_512 NID_ML_KEM_512
 #define EVP_PKEY_ML_KEM_768 NID_ML_KEM_768
 #define EVP_PKEY_ML_KEM_1024 NID_ML_KEM_1024
 #include <openssl/core_names.h>
+#elif OPENSSL_WITH_BORINGSSL_PQC
+#define EVP_PKEY_ML_KEM_768 NID_ML_KEM_768
+#define EVP_PKEY_ML_KEM_1024 NID_ML_KEM_1024
 #endif
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_VERSION_PREREQ(3, 0)
 #define OSSL3_CONST const
 #else
 #define OSSL3_CONST
@@ -1515,7 +1596,7 @@ class HMACCtxPointer final {
   DeleteFnPtr<HMAC_CTX, HMAC_CTX_free> ctx_;
 };
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KMAC
 class EVPMacPointer final {
  public:
   EVPMacPointer() = default;
@@ -1563,7 +1644,7 @@ class EVPMacCtxPointer final {
  private:
   DeleteFnPtr<EVP_MAC_CTX, EVP_MAC_CTX_free> ctx_;
 };
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KMAC
 
 #ifndef OPENSSL_NO_ENGINE
 class EnginePointer final {
@@ -1703,8 +1784,7 @@ DataPointer pbkdf2(const Digest& md,
                    uint32_t iterations,
                    size_t length);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
-#ifndef OPENSSL_NO_ARGON2
+#if OPENSSL_WITH_ARGON2
 enum class Argon2Type { ARGON2D, ARGON2I, ARGON2ID };
 
 DataPointer argon2(const Buffer<const char>& pass,
@@ -1718,11 +1798,10 @@ DataPointer argon2(const Buffer<const char>& pass,
                    const Buffer<const unsigned char>& ad,
                    Argon2Type type);
 #endif
-#endif
 
 // ============================================================================
 // KEM (Key Encapsulation Mechanism)
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 
 class KEM final {
  public:
@@ -1746,13 +1825,13 @@ class KEM final {
                                  const Buffer<const void>& ciphertext);
 
  private:
-#if !OPENSSL_VERSION_PREREQ(3, 5)
+#if OPENSSL_WITH_KEM_OPERATION_PARAM
   static bool SetOperationParameter(EVP_PKEY_CTX* ctx,
                                     const EVPKeyPointer& key);
 #endif
 };
 
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KEM
 
 #include "ncrypto/version.h"