Skip to content

crypto: enable SIV and GCM-SIV modes in Cipher/Decipher APIs#63411

Open
panva wants to merge 2 commits into
nodejs:mainfrom
panva:crypto-add-siv-modes
Open

crypto: enable SIV and GCM-SIV modes in Cipher/Decipher APIs#63411
panva wants to merge 2 commits into
nodejs:mainfrom
panva:crypto-add-siv-modes

Conversation

@panva

@panva panva commented May 18, 2026

Copy link
Copy Markdown
Member

Closes #63393

@nodejs-github-bot

nodejs-github-bot commented May 18, 2026

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels May 18, 2026
@panva panva force-pushed the crypto-add-siv-modes branch from a1ea9b7 to 127a852 Compare May 18, 2026 13:24
@panva panva requested a review from tniessen May 18, 2026 13:24
@panva panva added the crypto Issues and PRs related to the crypto subsystem. label May 18, 2026
@panva panva marked this pull request as ready for review May 18, 2026 13:24
@panva panva added dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. dont-land-on-v25.x labels May 18, 2026
@panva panva force-pushed the crypto-add-siv-modes branch from 687e02b to b5764bc Compare May 18, 2026 13:45
@codecov

codecov Bot commented May 18, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 85.71429% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.18%. Comparing base (550f195) to head (944bf43).
⚠️ Report is 291 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_cipher.cc 85.71% 2 Missing and 5 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #63411      +/-   ##
==========================================
+ Coverage   90.06%   91.18%   +1.11%     
==========================================
  Files         714      733      +19     
  Lines      225648   237482   +11834     
  Branches    42711    51291    +8580     
==========================================
+ Hits       203237   216553   +13316     
+ Misses      14200    12742    -1458     
+ Partials     8211     8187      -24
Files with missing lines Coverage Δ
src/crypto/crypto_cipher.h 66.66% <ø> (ø)
src/crypto/crypto_cipher.cc 78.28% <85.71%> (+0.85%) ⬆️

... and 154 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva added review wanted PRs that need reviews. semver-minor PRs that contain new features and should be released in the next minor version. and removed dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. labels May 25, 2026
@panva panva requested review from ChALkeR and jasnell June 7, 2026 09:57
@panva panva marked this pull request as draft June 11, 2026 09:09
@panva panva marked this pull request as ready for review June 14, 2026 10:13
@panva
crypto: enable SIV and GCM-SIV modes in Cipher/Decipher APIs
7c39722 
Closes nodejs#63393

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@panva panva force-pushed the crypto-add-siv-modes branch from 944bf43 to 7c39722 Compare June 29, 2026 08:14
tniessen
tniessen reviewed Jun 29, 2026
View reviewed changes
Comment thread deps/ncrypto/ncrypto.h Outdated
const EVP_CIPHER* cipher_ = nullptr;
#if OPENSSL_WITH_AES_SIV || OPENSSL_WITH_AES_GCM_SIV
explicit Cipher(EVP_CIPHER* cipher);
std::shared_ptr<EVP_CIPHER> fetched_cipher_;

@tniessen tniessen Jun 29, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be a DeleteFnPtr<EVP_CIPHER, EVP_CIPHER_free>?

Comment thread deps/ncrypto/ncrypto.cc Outdated
Comment on lines +3180 to +3181
Cipher::Cipher(EVP_CIPHER* cipher)
: cipher_(cipher), fetched_cipher_(cipher, EVP_CIPHER_free) {}

@tniessen tniessen Jun 29, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This constructor hides (at the call site) that the cipher object will be freed using EVP_CIPHER_free later. It would be better to require that the caller passes the std::shared_ptr (or a DeleteFnPtr), which would enforce the desired semantics.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tniessen tniessen tniessen left review comments
@ChALkeR ChALkeR Awaiting requested review from ChALkeR
@jasnell jasnell Awaiting requested review from jasnell

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

crypto Issues and PRs related to the crypto subsystem. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. review wanted PRs that need reviews. semver-minor PRs that contain new features and should be released in the next minor version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

crypto: support AES-*-SIV and AES-*-GCM-SIV in createCipheriv()

4 participants

@panva @nodejs-github-bot @tniessen @aduh95