test,crypto: handle a few more BoringSSL tests

https://github.com/nodejs/node/pull/59030
Shelley Vohr
2026-01-14 18:39:12 +01:00
parent d07e0236ba
commit a07595f314
3 changed files with 13 additions and 229 deletions


@@ -39,7 +39,6 @@ fix_avoid_external_memory_leak_on_invalid_tls_protocol_versions.patch
lib_check_sharedarraybuffer_existence_in_fast-utf8-stream.patch
api_delete_deprecated_fields_on_v8_isolate.patch
api_promote_deprecation_of_v8_context_and_v8_object_api_methods.patch
src_use_cp_utf8_for_wide_file_names_on_win32.patch
fix_ensure_traverseparent_bails_on_resource_path_exit.patch
reland_temporal_unflag_temporal.patch
src_handle_der_decoding_errors_from_system_certificates.patch


@@ -22,98 +22,17 @@ index 423f2c4d77bfc98bfbdab93c09aff8012c678cbd..fa0bcceb5697486930a9530732f9a9ab
const pkcs8 = Buffer.from(
'308204bf020100300d06092a864886f70d0101010500048204a9308204a5020100028' +
'2010100d3576092e62957364544e7e4233b7bdb293db2085122c479328546f9f0f712' +
diff --git a/test/fixtures/webcrypto/supports-modern-algorithms.mjs b/test/fixtures/webcrypto/supports-modern-algorithms.mjs
index 337ed577b143062d41e378cc1f820945e76cea08..76d5e805cbc0e756aef0013373baec31bd320f44 100644
--- a/test/fixtures/webcrypto/supports-modern-algorithms.mjs
+++ b/test/fixtures/webcrypto/supports-modern-algorithms.mjs
@@ -9,6 +9,7 @@ const shake256 = crypto.getHashes().includes('shake256');
const chacha = crypto.getCiphers().includes('chacha20-poly1305');
const ocb = hasOpenSSL(3);
const kmac = hasOpenSSL(3);
+const boringSSL = process.features.openssl_is_boringssl;
const { subtle } = globalThis.crypto;
const X25519 = await subtle.generateKey('X25519', false, ['deriveBits', 'deriveKey']);
@@ -108,9 +109,9 @@ export const vectors = {
[true, 'RSA-PSS'],
[true, 'RSASSA-PKCS1-v1_5'],
[true, 'X25519'],
- [true, 'X448'],
+ [!boringSSL, 'X448'],
[true, 'Ed25519'],
- [true, 'Ed448'],
+ [!boringSSL, 'Ed448'],
[true, 'ECDH'],
[true, 'ECDSA'],
[pqc, 'ML-DSA-44'],
diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js
index d385926e9943052bbe1793d4b1e39846e1a69562..dbf7b04afa77f132aaa466c9ee02c5ffad0296bc 100644
index 9876c4bb6ecd2e5b8879f153811cd0a0a22997aa..688ed342570741fdcc7876f375c56d3fc61c2ea1 100644
--- a/test/parallel/test-crypto-async-sign-verify.js
+++ b/test/parallel/test-crypto-async-sign-verify.js
@@ -89,6 +89,7 @@ test('rsa_public.pem', 'rsa_private.pem', 'sha256', false,
// ED25519
test('ed25519_public.pem', 'ed25519_private.pem', undefined, true);
// ED448
+if (!process.features.openssl_is_boringssl) {
test('ed448_public.pem', 'ed448_private.pem', undefined, true);
// ECDSA w/ der signature encoding
@@ -110,6 +111,7 @@ test('dsa_public.pem', 'dsa_private.pem', 'sha256',
@@ -113,6 +113,7 @@ test('dsa_public.pem', 'dsa_private.pem', 'sha256',
// DSA w/ ieee-p1363 signature encoding
test('dsa_public.pem', 'dsa_private.pem', 'sha256', false,
{ dsaEncoding: 'ieee-p1363' });
+}
// Test Parallel Execution w/ KeyObject is threadsafe in openssl3
{
@@ -150,7 +152,10 @@ MCowBQYDK2VuAyEA6pwGRbadNQAI/tYN8+/p/0/hbsdHfOEGr1ADiLVk/Gc=
const data = crypto.randomBytes(32);
const signature = crypto.randomBytes(16);
- const expected = hasOpenSSL3 ? /operation not supported for this keytype/ : /no default digest/;
+ let expected = hasOpenSSL3 ? /operation not supported for this keytype/ : /no default digest/;
+ if (hasOpenSSL3 || process.features.openssl_is_boringssl) {
+ expected = /operation[\s_]not[\s_]supported[\s_]for[\s_]this[\s_]keytype/i;
+ }
crypto.verify(undefined, data, untrustedKey, signature, common.mustCall((err) => {
assert.ok(err);
@@ -164,6 +169,6 @@ MCowBQYDK2VuAyEA6pwGRbadNQAI/tYN8+/p/0/hbsdHfOEGr1ADiLVk/Gc=
});
crypto.sign('sha512', 'message', privateKey, common.mustCall((err) => {
assert.ok(err);
- assert.match(err.message, /digest too big for rsa key/);
+ assert.match(err.message, /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i);
}));
}
diff --git a/test/parallel/test-crypto-certificate.js b/test/parallel/test-crypto-certificate.js
index 4a5f1f149fe6c739f7f1d2ee17df6e61a942d621..b3287f428ce6b3fde11d449c601a57ff5e3843f9 100644
--- a/test/parallel/test-crypto-certificate.js
+++ b/test/parallel/test-crypto-certificate.js
@@ -40,8 +40,10 @@ function copyArrayBuffer(buf) {
}
function checkMethods(certificate) {
-
+ /* spkacValid has a md5 based signature which is not allowed in boringssl
+ https://boringssl.googlesource.com/boringssl/+/33d7e32ce40c04e8f1b99c05964956fda187819f
assert.strictEqual(certificate.verifySpkac(spkacValid), true);
+ */
assert.strictEqual(certificate.verifySpkac(spkacFail), false);
assert.strictEqual(
@@ -56,10 +58,12 @@ function checkMethods(certificate) {
);
assert.strictEqual(certificate.exportChallenge(spkacFail), '');
+ /* spkacValid has a md5 based signature which is not allowed in boringssl
const ab = copyArrayBuffer(spkacValid);
assert.strictEqual(certificate.verifySpkac(ab), true);
assert.strictEqual(certificate.verifySpkac(new Uint8Array(ab)), true);
assert.strictEqual(certificate.verifySpkac(new DataView(ab)), true);
+ */
}
{
diff --git a/test/parallel/test-crypto-cipheriv-decipheriv.js b/test/parallel/test-crypto-cipheriv-decipheriv.js
index 6742722f9e90914b4dc8c079426d10040d476f72..8801ddfe7023fd0f7d5657b86a9164d75765322e 100644
@@ -144,7 +63,7 @@ index 81a469c226c261564dee1e0b06b6571b18a41f1f..58b66045dba4201b7ebedd78b129420f
const availableCurves = new Set(crypto.getCurves());
diff --git a/test/parallel/test-crypto-dh-errors.js b/test/parallel/test-crypto-dh-errors.js
index 0af4db0310750cea9350ecff7fc44404c6df6c83..b14b4bbf88b902b6de916b92e3d48335c01df911 100644
index d7527d82617efccd931f0fc2f700ab876872c1e6..b14b4bbf88b902b6de916b92e3d48335c01df911 100644
--- a/test/parallel/test-crypto-dh-errors.js
+++ b/test/parallel/test-crypto-dh-errors.js
@@ -27,7 +27,7 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), {
@@ -156,47 +75,11 @@ index 0af4db0310750cea9350ecff7fc44404c6df6c83..b14b4bbf88b902b6de916b92e3d48335
name: 'Error',
message: /modulus too small/,
});
@@ -35,7 +35,7 @@ for (const bits of [-1, 0, 1]) {
assert.throws(() => crypto.createDiffieHellman(bits), {
code: 'ERR_OSSL_BN_BITS_TOO_SMALL',
name: 'Error',
- message: /bits too small/,
+ message: /bits[\s_]too[\s_]small/i,
});
}
}
diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js
index d7ffbe5eca92734aa2380f482c7f9bfe7e2a36c7..b4e7002d862907d2af3b4f8e985700bd03300809 100644
index 3c00a5fc73bb9f86f944df74f29d6b5225bc2f0e..b4e7002d862907d2af3b4f8e985700bd03300809 100644
--- a/test/parallel/test-crypto-dh.js
+++ b/test/parallel/test-crypto-dh.js
@@ -60,18 +60,17 @@ const {
let wrongBlockLength;
if (hasOpenSSL3) {
wrongBlockLength = {
- message: 'error:1C80006B:Provider routines::wrong final block length',
- code: 'ERR_OSSL_WRONG_FINAL_BLOCK_LENGTH',
- library: 'Provider routines',
- reason: 'wrong final block length'
+ message: /wrong[\s_]final[\s_]block[\s_]length/i,
+ code: /ERR_OSSL_(EVP_)?WRONG_FINAL_BLOCK_LENGTH/,
+ library: /Provider routines|Cipher functions/,
+ reason: /wrong[\s_]final[\s_]block[\s_]length/i,
};
} else {
wrongBlockLength = {
- message: 'error:0606506D:digital envelope' +
- ' routines:EVP_DecryptFinal_ex:wrong final block length',
- code: 'ERR_OSSL_EVP_WRONG_FINAL_BLOCK_LENGTH',
- library: 'digital envelope routines',
- reason: 'wrong final block length'
+ message: /wrong[\s_]final[\s_]block[\s_]length/i,
+ code: /ERR_OSSL_(EVP_)?WRONG_FINAL_BLOCK_LENGTH/,
+ library: /digital envelope routines|Cipher functions/,
+ reason: /wrong[\s_]final[\s_]block[\s_]length/i,
};
}
@@ -98,17 +97,23 @@ const {
@@ -97,17 +97,23 @@ const {
dh3.computeSecret('');
}, { message: hasOpenSSL3 && !hasOpenSSL3WithNewErrorMessage ?
'Unspecified validation error' :
@@ -244,19 +127,6 @@ index d22281abbd5c3cab3aaa3ac494301fa6b4a8a968..5f0c6a4aed2e868a1a1049212edf2187
s.pipe(h).on('data', common.mustCall(function(c) {
assert.strictEqual(c, expect);
diff --git a/test/parallel/test-crypto-hash.js b/test/parallel/test-crypto-hash.js
index 929dd36c669239804f2cfc5168bd3bf6e15855e6..8ebe599bbd21ad30e5041e0eab1e5898caf33e49 100644
--- a/test/parallel/test-crypto-hash.js
+++ b/test/parallel/test-crypto-hash.js
@@ -182,7 +182,7 @@ assert.throws(
}
// Test XOF hash functions and the outputLength option.
-{
+if (!process.features.openssl_is_boringssl) {
// Default outputLengths.
assert.strictEqual(crypto.createHash('shake128').digest('hex'),
'7f9c2ba4e88f827d616045507605853e');
diff --git a/test/parallel/test-crypto-oneshot-hash-xof.js b/test/parallel/test-crypto-oneshot-hash-xof.js
index 75cb4800ff1bd51fedd7bc4e2d7e6af6f4f48346..b4363c31592763235116d970a5f45d4cf63de373 100644
--- a/test/parallel/test-crypto-oneshot-hash-xof.js
@@ -272,51 +142,6 @@ index 75cb4800ff1bd51fedd7bc4e2d7e6af6f4f48346..b4363c31592763235116d970a5f45d4c
// Test XOF hash functions and the outputLength option.
{
// Default outputLengths.
diff --git a/test/parallel/test-crypto-padding.js b/test/parallel/test-crypto-padding.js
index 48cd1ed4df61aaddeee8785cb90f83bdd9628187..d09e01712c617597833bb1320a32a967bcf1d318 100644
--- a/test/parallel/test-crypto-padding.js
+++ b/test/parallel/test-crypto-padding.js
@@ -84,14 +84,13 @@ assert.throws(function() {
// Input must have block length %.
enc(ODD_LENGTH_PLAIN, false);
}, hasOpenSSL3 ? {
- message: 'error:1C80006B:Provider routines::wrong final block length',
- code: 'ERR_OSSL_WRONG_FINAL_BLOCK_LENGTH',
- reason: 'wrong final block length',
+ message: /wrong[\s_]final[\s_]block[\s_]length/i,
+ code: /ERR_OSSL(_EVP)?_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH/,
+ message: /wrong[\s_]final[\s_]block[\s_]length/i,
} : {
- message: 'error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:' +
- 'data not multiple of block length',
- code: 'ERR_OSSL_EVP_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH',
- reason: 'data not multiple of block length',
+ message: /data[\s_]not[\s_]multiple[\s_]of[\s_]block[\s_]length/i,
+ code: /ERR_OSSL(_EVP)?_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH/,
+ reason: /data[\s_]not[\s_]multiple[\s_]of[\s_]block[\s_]length/i,
}
);
@@ -110,15 +109,10 @@ assert.strictEqual(dec(EVEN_LENGTH_ENCRYPTED, false).length, 48);
assert.throws(function() {
// Must have at least 1 byte of padding (PKCS):
assert.strictEqual(dec(EVEN_LENGTH_ENCRYPTED_NOPAD, true), EVEN_LENGTH_PLAIN);
-}, hasOpenSSL3 ? {
- message: 'error:1C800064:Provider routines::bad decrypt',
- reason: 'bad decrypt',
- code: 'ERR_OSSL_BAD_DECRYPT',
-} : {
- message: 'error:06065064:digital envelope routines:EVP_DecryptFinal_ex:' +
- 'bad decrypt',
- reason: 'bad decrypt',
- code: 'ERR_OSSL_EVP_BAD_DECRYPT',
+}, {
+ message: /bad[\s_]decrypt/i,
+ reason: /bad[\s_]decrypt/i,
+ code: /ERR_OSSL(_EVP)?_BAD_DECRYPT/,
});
// No-pad encrypted string should return the same:
diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js
index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..8d13b105fa426015a873c411ad1d7f64b3d9580e 100644
--- a/test/parallel/test-crypto-rsa-dsa.js
@@ -428,23 +253,6 @@ index a66f0a94efd7c952c1d2320fbc7a39fe3a88a8a1..dc5846db0e3dcf8f7cb5f7efcdbc81c1
for (const [file, length] of keys) {
const privKey = fixtures.readKey(file);
diff --git a/test/parallel/test-crypto-stream.js b/test/parallel/test-crypto-stream.js
index 747af780469c22eb8e4c6c35424043e868f75c3d..ed0916b036a9af23d805007ebd609973ee954473 100644
--- a/test/parallel/test-crypto-stream.js
+++ b/test/parallel/test-crypto-stream.js
@@ -73,9 +73,9 @@ const cipher = crypto.createCipheriv('aes-128-cbc', key, iv);
const decipher = crypto.createDecipheriv('aes-128-cbc', badkey, iv);
cipher.pipe(decipher)
- .on('error', common.expectsError(hasOpenSSL3 ? {
- message: /bad[\s_]decrypt/,
- library: 'Provider routines',
+ .on('error', common.expectsError((hasOpenSSL3 || process.features.openssl_is_boringssl) ? {
+ message: /bad[\s_]decrypt/i,
+ library: /Provider routines|Cipher functions/,
reason: /bad[\s_]decrypt/i,
} : {
message: /bad[\s_]decrypt/i,
diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
index 84111740cd9ef6425b747e24e984e66e46b0b2ef..b1621d310536fae3fdec91a6a9d275ec8fc99a98 100644
--- a/test/parallel/test-crypto.js
@@ -502,29 +310,6 @@ index 84111740cd9ef6425b747e24e984e66e46b0b2ef..b1621d310536fae3fdec91a6a9d275ec
// Make sure memory isn't released before being returned
console.log(crypto.randomBytes(16));
diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
index 7bd42bbe721c4c9442410d524c5ca740078fc72c..de49dbdc2b75517f497af353a6b24b1beb11ed69 100644
--- a/test/parallel/test-tls-alert-handling.js
+++ b/test/parallel/test-tls-alert-handling.js
@@ -43,7 +43,8 @@ const errorHandler = common.mustCall((err) => {
assert.strictEqual(err.code, expectedErrorCode);
assert.strictEqual(err.library, 'SSL routines');
- if (!hasOpenSSL3) assert.strictEqual(err.function, 'ssl3_get_record');
+ if (!hasOpenSSL3 && !process.features.openssl_is_boringssl)
+ assert.strictEqual(err.function, 'ssl3_get_record');
assert.match(err.reason, expectedErrorReason);
errorReceived = true;
if (canCloseServer())
@@ -105,7 +106,7 @@ function sendBADTLSRecord() {
}
assert.strictEqual(err.code, expectedErrorCode);
assert.strictEqual(err.library, 'SSL routines');
- if (!hasOpenSSL3)
+ if (!hasOpenSSL3 && !process.features.openssl_is_boringssl)
assert.strictEqual(err.function, 'ssl3_read_bytes');
assert.match(err.reason, expectedErrorReason);
}));
diff --git a/test/parallel/test-webcrypto-wrap-unwrap.js b/test/parallel/test-webcrypto-wrap-unwrap.js
index bd788ec4ed88289d35798b8af8c9490a68e081a2..1a5477ba928bce93320f8056db02e1a7b8ddcdf3 100644
--- a/test/parallel/test-webcrypto-wrap-unwrap.js
@@ -584,7 +369,7 @@ index bd788ec4ed88289d35798b8af8c9490a68e081a2..1a5477ba928bce93320f8056db02e1a7
function generateWrappingKeys() {
return Promise.all(Object.keys(kWrappingData).map(async (name) => {
diff --git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js
index b507af88e1f7f3424b7b5d6d683a295b9d208e5e..825ba4c8dce775f401080a0522565bb7a087bcc3 100644
index c8fc4abbb108a6d6849e8452d97d29187da2ebe6..e897dbbf8a69e454498f2793228e6f53ee7d54f5 100644
--- a/test/parallel/test-x509-escaping.js
+++ b/test/parallel/test-x509-escaping.js
@@ -448,7 +448,7 @@ const { hasOpenSSL3 } = require('../common/crypto');
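Review bot: In the test-crypto-certificate.js part of this patch, the `verifySpkac(spkacValid)` assertions in `checkMethods` are disabled with block comments, which drops the positive-path checks of SPKAC signature verification visible here on every build, not only BoringSSL ones. With just the `spkacFail` assertion left, a `verifySpkac` that always returned false would still pass. The rendered page has lost the +/- column, so it is not certain these lines survive on the new side of the patch; if they do, gate them the way the neighbouring tests are gated, `if (!process.features.openssl_is_boringssl) assert.strictEqual(certificate.verifySpkac(spkacValid), true);`, with the same guard around the `copyArrayBuffer` block. The middle of `checkMethods` lies between the two inner hunks and is not shown.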


@@ -17,7 +17,7 @@ Upstreams:
- https://github.com/nodejs/node/pull/39136
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index e1c2da6969a1ce937d397735e844930f3234bba7..0bed152014949c22b6c610198df39a2522890279 100644
index 461819ce0fa732048e4365c40a86ef55d984c35f..fa55c980a9c4f373723a867fd41276d67b0b9413 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -11,6 +11,7 @@
@@ -151,7 +151,7 @@ index d005bf0ffb93445fa6611a1beb1b465764271ede..01770687bd191c61af02e76d7de24bba
X509View ca(sk_X509_value(peer_certs.get(), i));
if (!cert->view().isIssuedBy(ca)) continue;
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index 6482bd58bb6a95cfa4074ea9535e1443aea66bb5..20d3c1d9d17fde18fc09b6ee219137831eb08a45 100644
index 03c0c6f42d84efaeba0cc3b997cd29f77648b00d..f3631d538a38dc3a93a47707ea8dab0462fa2140 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -143,7 +143,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -163,7 +163,7 @@ index 6482bd58bb6a95cfa4074ea9535e1443aea66bb5..20d3c1d9d17fde18fc09b6ee21913783
X509* ca = sk_X509_value(extra_certs, i);
// NOTE: Increments reference count on `ca`
@@ -1831,11 +1831,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
@@ -1832,11 +1832,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
// If the user specified "auto" for dhparams, the JavaScript layer will pass
// true to this function instead of the original string. Any other string
// value will be interpreted as custom DH parameters below.
@@ -177,7 +177,7 @@ index 6482bd58bb6a95cfa4074ea9535e1443aea66bb5..20d3c1d9d17fde18fc09b6ee21913783
DHPointer dh;
{
BIOPointer bio(LoadBIO(env, args[0]));
@@ -2061,7 +2062,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
@@ -2062,7 +2063,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
}
// Add CA certs too
@@ -276,7 +276,7 @@ index 205e248e0f20f019e189a6c69d3c011a616b3939..12b0d804c6f1d4998b85160b0aac8eb7
#define V(name) case ERR_LIB_##name: lib = #name "_"; break;
diff --git a/src/env.h b/src/env.h
index f3a2d221f4bb52987e1bdacdadf19aacfcf65ec3..d34aec43630b3cf53004d8180446d7136b59ceac 100644
index ed2253f1fc3cf8d59e73e4f2478dfb0d4227aacd..84a650885a79bc5c49efdc26f62ec8db48de775c 100644
--- a/src/env.h
+++ b/src/env.h
@@ -52,7 +52,7 @@
@@ -288,7 +288,7 @@ index f3a2d221f4bb52987e1bdacdadf19aacfcf65ec3..d34aec43630b3cf53004d8180446d713
#include <openssl/evp.h>
#endif
@@ -1058,7 +1058,7 @@ class Environment final : public MemoryRetainer {
@@ -1059,7 +1059,7 @@ class Environment final : public MemoryRetainer {
kExitInfoFieldCount
};
@@ -311,7 +311,7 @@ index d9c533f100d25aeab1fe8589932a8ddead431258..2acab8786a8a752b17961445edeb872c
#if NODE_OPENSSL_HAS_QUIC
#include <openssl/quic.h>
diff --git a/src/node_options.h b/src/node_options.h
index 3a1503a035e12b5dce75c77c327607c857a8a367..941ae4f15c42fb8016d03c786973fd4709ac1a0d 100644
index 1f15c6cc6a9ae192b1b394c437393e744b5b1153..638e49ccf48d9b9c60189af9255ce7cef9184723 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -11,7 +11,7 @@