Skip to content

crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 #58942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 5, 2025
Merged

crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 #58942

merged 3 commits into from
Jul 5, 2025
+91 −22

Conversation

panva
Copy link
Member

@panva panva commented Jul 3, 2025
edited
Loading

Background:

This PR:

After this lands a semver-major PRs that contain breaking changes and should be released in the next major version. will follow with a runtime deprecation.

This will need backporting all the way back to 20.x

Reverts: #56160
Fixes: #56159
Fixes: #58913
Refs: #58121

Note: FWIW #56160 should not have landed. Any OpenSSL version-related test changes should only accomodate changes in codes, not behaviour.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jul 3, 2025
panva
panva commented Jul 3, 2025
View reviewed changes
panva
panva commented Jul 3, 2025
View reviewed changes
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/67797/

@panva panva marked this pull request as ready for review July 3, 2025 10:18
@panva panva added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Jul 3, 2025
@panva panva requested review from jasnell, tniessen and aduh95 July 3, 2025 10:26
aduh95
aduh95 reviewed Jul 3, 2025
View reviewed changes
@codecov Codecov
Copy link

codecov bot commented Jul 3, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 75.55556% with 11 lines in your changes missing coverage. Please review.

Project coverage is 90.08%. Comparing base (ec41686) to head (68fb47c).
Report is 21 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_hash.cc 0.00% 9 Missing and 1 partial ⚠️
lib/internal/crypto/hash.js 96.77% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #58942      +/-   ##
==========================================
+ Coverage   90.07%   90.08%   +0.01%     
==========================================
  Files         640      640              
  Lines      188473   188516      +43     
  Branches    36972    36986      +14     
==========================================
+ Hits       169763   169830      +67     
+ Misses      11427    11392      -35     
- Partials     7283     7294      +11
Files with missing lines Coverage Δ
lib/internal/util.js 96.75% <100.00%> (-0.10%) ⬇️
lib/internal/crypto/hash.js 98.43% <96.77%> (-0.23%) ⬇️
src/crypto/crypto_hash.cc 70.56% <0.00%> (-2.45%) ⬇️

... and 30 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva added lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x labels Jul 3, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/67802/

aduh95
aduh95 reviewed Jul 3, 2025
View reviewed changes
aduh95
aduh95 reviewed Jul 3, 2025
View reviewed changes
@panva
Copy link
Member Author

panva commented Jul 3, 2025

[email protected] https://ci.nodejs.org/job/node-test-commit-linux-containered/nodes=ubuntu2204_sharedlibs_openssl111_x64/51512/
[email protected] https://ci.nodejs.org/job/node-test-commit-linux-containered/nodes=ubuntu2204_sharedlibs_openssl35_x64/51512/

aduh95
aduh95 approved these changes Jul 3, 2025
View reviewed changes
@panva panva added request-ci Add this label to start a Jenkins CI on a PR. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. labels Jul 3, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 3, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/67809/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/67815/

@panva panva mentioned this pull request Jul 3, 2025
Merged
tniessen
tniessen approved these changes Jul 4, 2025
View reviewed changes
Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @panva!

lib/internal/crypto/hash.js
Comment on lines +241 to +242
// TODO: ideally we have to ship https://github.com/nodejs/node/pull/58121 so
// that a proper DEP0198 deprecation can be done here as well.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// TODO: ideally we have to ship https://github.com/nodejs/node/pull/58121 so
// that a proper DEP0198 deprecation can be done here as well.
// TODO(panva): ideally we have to ship https://github.com/nodejs/node/pull/58121
// so that a proper DEP0198 deprecation can be done here as well.

@panva
Copy link
Member Author

panva commented Jul 4, 2025

Thank you for the reviews. I think I'll wait for #58121 to ship and then include its code in the deprecation.

@panva panva added the blocked PRs that are blocked by other issues or PRs. label Jul 4, 2025
@panva
Copy link
Member Author

panva commented Jul 4, 2025
edited
Loading

Actually, this PR is backportable to 20.x as a fix, #58121 is a new feature in a Stability: 1.2 - Release candidate API that we don't have to backport to maintenance LTS.

I'll land this and update #58121 with the deprecation when this lands.

@panva panva added commit-queue Add this label to land a pull request using GitHub Actions. and removed blocked PRs that are blocked by other issues or PRs. labels Jul 4, 2025
@joyeecheung joyeecheung added request-ci Add this label to start a Jenkins CI on a PR. and removed request-ci Add this label to start a Jenkins CI on a PR. labels Jul 4, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 5, 2025
@nodejs-github-bot nodejs-github-bot merged commit f5da8f8 into nodejs:main Jul 5, 2025
72 of 74 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in f5da8f8

@panva panva mentioned this pull request Jul 5, 2025
Open
@panva panva added the backport-open-v22.x Indicate that the PR has an open backport label Jul 5, 2025
panva added a commit to panva/node that referenced this pull request Jul 5, 2025
@panva
crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4
76ca72e 
Reverts: nodejs#56160
Fixes: nodejs#56159
Fixes: nodejs#58913
Refs: nodejs#58121
PR-URL: nodejs#58942
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
@panva panva deleted the xof-openssl34 branch July 5, 2025 11:59
panva added a commit to panva/node that referenced this pull request Jul 5, 2025
@panva
crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4
ca8d3a7 
Reverts: nodejs#56160
Fixes: nodejs#56159
Fixes: nodejs#58913
Refs: nodejs#58121
PR-URL: nodejs#58942
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
@panva panva mentioned this pull request Jul 5, 2025
Open
@panva panva added the backport-open-v20.x Indicate that the PR has an open backport label Jul 5, 2025
RafaelGSS pushed a commit that referenced this pull request Jul 8, 2025
@panva @RafaelGSS
crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4
77712ae 
Reverts: #56160
Fixes: #56159
Fixes: #58913
Refs: #58121
PR-URL: #58942
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
@github-actions github-actions bot mentioned this pull request Jul 8, 2025
Merged
@panva panva mentioned this pull request Jul 9, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell jasnell approved these changes

@tniessen tniessen tniessen approved these changes

@joyeecheung joyeecheung joyeecheung approved these changes

@aduh95 aduh95 aduh95 approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. backport-open-v20.x Indicate that the PR has an open backport backport-open-v22.x Indicate that the PR has an open backport c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
6 participants
@panva @nodejs-github-bot @jasnell @tniessen @joyeecheung @aduh95