2 changes: 1 addition & 1 deletion common.gypi
@@ -38,7 +38,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.16',
'v8_embedder_string': '-node.17',

##### V8 defaults for Node.js #####

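--- a/deps/v8/src/objects/string-inl.h
+++ b/deps/v8/src/objects/string-inl.h
@@ -1221,6 +1221,12 @@ size_t String::Utf8Length(Isolate* isolate, DirectHandle<String> string) {
 reinterpret_cast<const char*>(vec.begin()), vec.size());
 }
 
+base::Vector<const base::uc16> vec = content.ToUC16Vector();
+const char16_t* data = reinterpret_cast<const char16_t*>(vec.begin());
+if (simdutf::validate_utf16(data, vec.size())) {
+return simdutf::utf8_length_from_utf16(data, vec.size());
+}
+
 // TODO(419496232): Use simdutf once upstream bug is resolved.
 size_t utf8_length = 0;
 uint16_t last_character = unibrow::Utf16::kNoPreviousCharacter;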
6 changes: 5 additions & 1 deletion doc/api/quic.md
@@ -1197,9 +1197,13 @@

<!-- YAML
added: v23.8.0
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/62335

Check warning on line 1202 in doc/api/quic.md

GitHub Actions / lint-pr-url

pr-url doesn't match the URL of the current PR.
description: CryptoKey is no longer accepted.
-->

* Type: {KeyObject|CryptoKey|KeyObject\[]|CryptoKey\[]}
* Type: {KeyObject|KeyObject\[]}

The TLS crypto keys to use for sessions.

12 changes: 2 additions & 10 deletions lib/internal/quic/quic.js
@@ -98,7 +98,6 @@ const {

const {
isKeyObject,
isCryptoKey,
} = require('internal/crypto/keys');

const {
@@ -143,7 +142,6 @@ const {
kVersionNegotiation,
kInspect,
kKeyObjectHandle,
kKeyObjectInner,
kWantsHeaders,
kWantsTrailers,
} = require('internal/quic/symbols');
@@ -187,7 +185,6 @@ const onSessionHandshakeChannel = dc.channel('quic.session.handshake');
/**
* @typedef {import('../socketaddress.js').SocketAddress} SocketAddress
* @typedef {import('../crypto/keys.js').KeyObject} KeyObject
* @typedef {import('../crypto/keys.js').CryptoKey} CryptoKey
*/

/**
@@ -260,7 +257,7 @@ const onSessionHandshakeChannel = dc.channel('quic.session.handshake');
* @property {boolean} [verifyClient] Verify the client
* @property {boolean} [tlsTrace] Enable TLS tracing
* @property {boolean} [verifyPrivateKey] Verify the private key
* @property {KeyObject|CryptoKey|Array<KeyObject|CryptoKey>} [keys] The keys
* @property {KeyObject|KeyObject[]} [keys] The keys
* @property {ArrayBuffer|ArrayBufferView|Array<ArrayBuffer|ArrayBufferView>} [certs] The certificates
* @property {ArrayBuffer|ArrayBufferView|Array<ArrayBuffer|ArrayBufferView>} [ca] The certificate authority
* @property {ArrayBuffer|ArrayBufferView|Array<ArrayBuffer|ArrayBufferView>} [crl] The certificate revocation list
@@ -2171,13 +2168,8 @@ function processTlsOptions(tls, forServer) {
throw new ERR_INVALID_ARG_VALUE('options.keys', key, 'must be a private key');
}
ArrayPrototypePush(keyHandles, key[kKeyObjectHandle]);
} else if (isCryptoKey(key)) {
if (key.type !== 'private') {
throw new ERR_INVALID_ARG_VALUE('options.keys', key, 'must be a private key');
}
ArrayPrototypePush(keyHandles, key[kKeyObjectInner][kKeyObjectHandle]);
} else {
throw new ERR_INVALID_ARG_TYPE('options.keys', ['KeyObject', 'CryptoKey'], key);
throw new ERR_INVALID_ARG_TYPE('options.keys', 'KeyObject', key);
}
}
}
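Review bot: The `keys` entry in the `@property` hunk still says only `The keys`, although the `processTlsOptions` hunk shows that a key is rejected with `must be a private key` and that anything other than a `KeyObject` now throws `ERR_INVALID_ARG_TYPE`. I would put both constraints into the typedef, e.g. `@property {KeyObject|KeyObject[]} [keys] Private key(s) as KeyObject; a CryptoKey is rejected with ERR_INVALID_ARG_TYPE`. Callers that hold a CryptoKey then learn from the type documentation that they must convert it before passing it in. `processTlsOptions` starts and ends outside the hunk, so the condition guarding the private-key check is not visible here.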
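--- a/lib/internal/quic/symbols.js
+++ b/lib/internal/quic/symbols.js
@@ -18,7 +18,6 @@ const {
 
 const {
 kHandle: kKeyObjectHandle,
-kKeyObject: kKeyObjectInner,
 } = require('internal/crypto/util');
 
 // Symbols used to hide various private properties and methods from the
@@ -61,7 +60,6 @@ module.exports = {
 kHeaders,
 kInspect,
 kKeyObjectHandle,
-kKeyObjectInner,
 kListen,
 kNewSession,
 kNewStream,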
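--- a/src/crypto/crypto_argon2.cc
+++ b/src/crypto/crypto_argon2.cc
@@ -124,7 +124,8 @@ Maybe<void> Argon2Traits::AdditionalConfig(
 bool Argon2Traits::DeriveBits(Environment* env,
 const Argon2Config& config,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 // If the config.length is zero-length, just return an empty buffer.
 // It's useless, yes, but allowed via the API.
 if (config.keylen == 0) {
@@ -144,7 +145,10 @@ bool Argon2Traits::DeriveBits(Environment* env,
 config.ad,
 config.type);
 
-if (!dp) return false;
+if (!dp) {
+errors->Insert(NodeCryptoError::ARGON2_FAILED);
+return false;
+}
 DCHECK(!dp.isSecure());
 *out = ByteSource::Allocated(dp.release());
 return true;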
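Review bot: `errors` is dereferenced without a check in the new `if (!dp)` branch, and only there, so a caller that passes a null store would crash on the failure path alone, which ordinary tests rarely reach. The same pattern appears in the new failure branches of crypto_ec.cc, crypto_hkdf.cc, crypto_kem.cc and crypto_kmac.cc. Either state the non-null contract once where `DeriveBits` is declared, or assert it at the top of each implementation with `DCHECK_NOT_NULL(errors);`. `Argon2Traits::DeriveBits` continues between the two hunks, so its other return paths are not visible here.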
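--- a/src/crypto/crypto_argon2.h
+++ b/src/crypto/crypto_argon2.h
@@ -59,7 +59,8 @@ struct Argon2Traits final {
 static bool DeriveBits(Environment* env,
 const Argon2Config& config,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const Argon2Config& config,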
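--- a/src/crypto/crypto_dh.cc
+++ b/src/crypto/crypto_dh.cc
@@ -504,16 +504,11 @@ MaybeLocal<Value> DHBitsTraits::EncodeOutput(Environment* env,
 bool DHBitsTraits::DeriveBits(Environment* env,
 const DHBitsConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 auto dp = DHPointer::stateless(params.private_key.GetAsymmetricKey(),
 params.public_key.GetAsymmetricKey());
 if (!dp) {
-bool can_throw = mode == CryptoJobMode::kCryptoJobSync;
-
-if (can_throw) {
-unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
-if (err) ThrowCryptoError(env, err, "diffieHellman failed");
-}
 return false;
 }
 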
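Review bot: The `if (!dp)` branch now returns false without recording anything in `errors`, unlike the Argon2, ECDH, HKDF, KEM and KMAC failure branches changed in the same commit, and the removed lines were the only place here that read the OpenSSL queue and attached the `diffieHellman failed` text. If the job is expected to capture the OpenSSL error queue itself when `DeriveBits` returns false (not visible on this page), say so in the branch, e.g. `// No Insert here: the caller captures the OpenSSL error queue on failure.`. Otherwise add an `errors->Insert(NodeCryptoError::<DH_SPECIFIC_CODE>);` (placeholder name) so a failed stateless derivation does not surface as an empty or generic error. The visible hunks in crypto_hash.cc and crypto_hmac.cc likewise add the parameter without using it; their failure paths lie outside those hunks, and this function's body also continues past the hunk.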
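--- a/src/crypto/crypto_dh.h
+++ b/src/crypto/crypto_dh.h
@@ -83,7 +83,8 @@ struct DHBitsTraits final {
 static bool DeriveBits(Environment* env,
 const DHBitsConfig& params,
 ByteSource* out_,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const DHBitsConfig& params,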
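--- a/src/crypto/crypto_ec.cc
+++ b/src/crypto/crypto_ec.cc
@@ -433,7 +433,8 @@ Maybe<void> ECDHBitsTraits::AdditionalConfig(
 bool ECDHBitsTraits::DeriveBits(Environment* env,
 const ECDHBitsConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 size_t len = 0;
 const auto& m_privkey = params.private_.GetAsymmetricKey();
 const auto& m_pubkey = params.public_.GetAsymmetricKey();
@@ -464,8 +465,10 @@ bool ECDHBitsTraits::DeriveBits(Environment* env,
 const EC_KEY* public_key = m_pubkey;
 
 const auto group = ECKeyPointer::GetGroup(private_key);
-if (group == nullptr)
+if (group == nullptr) {
+errors->Insert(NodeCryptoError::ECDH_FAILED);
 return false;
+}
 
 CHECK(ECKeyPointer::Check(private_key));
 CHECK(ECKeyPointer::Check(public_key));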
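Review bot: Directly after the new `errors->Insert(NodeCryptoError::ECDH_FAILED)` branch, the two `CHECK(ECKeyPointer::Check(...))` lines still abort the process when a key fails validation, although the function can now report failure through `errors`. If either key can reach this point without having been validated at import (not visible from this hunk), a malformed peer public key would terminate the process instead of rejecting the operation; consider `if (!ECKeyPointer::Check(private_key) || !ECKeyPointer::Check(public_key)) { errors->Insert(NodeCryptoError::ECDH_FAILED); return false; }`. If validation at import is guaranteed, a one-line comment above the CHECKs saying so would mark the abort as intentional. The body of `ECDHBitsTraits::DeriveBits` runs on past the end of the hunk.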
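--- a/src/crypto/crypto_ec.h
+++ b/src/crypto/crypto_ec.h
@@ -80,7 +80,8 @@ struct ECDHBitsTraits final {
 static bool DeriveBits(Environment* env,
 const ECDHBitsConfig& params,
 ByteSource* out_,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const ECDHBitsConfig& params,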
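--- a/src/crypto/crypto_hash.cc
+++ b/src/crypto/crypto_hash.cc
@@ -540,7 +540,8 @@ Maybe<void> HashTraits::AdditionalConfig(
 bool HashTraits::DeriveBits(Environment* env,
 const HashConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 auto ctx = EVPMDCtxPointer::New();
 
 if (!ctx.digestInit(params.digest) || !ctx.digestUpdate(params.in))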
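--- a/src/crypto/crypto_hash.h
+++ b/src/crypto/crypto_hash.h
@@ -73,7 +73,8 @@ struct HashTraits final {
 static bool DeriveBits(Environment* env,
 const HashConfig& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const HashConfig& params,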
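--- a/src/crypto/crypto_hkdf.cc
+++ b/src/crypto/crypto_hkdf.cc
@@ -100,7 +100,8 @@ Maybe<void> HKDFTraits::AdditionalConfig(
 bool HKDFTraits::DeriveBits(Environment* env,
 const HKDFConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 auto dp = ncrypto::hkdf(params.digest,
 ncrypto::Buffer<const unsigned char>{
 .data = reinterpret_cast<const unsigned char*>(
@@ -116,7 +117,10 @@ bool HKDFTraits::DeriveBits(Environment* env,
 .len = params.salt.size(),
 },
 params.length);
-if (!dp) return false;
+if (!dp) {
+errors->Insert(NodeCryptoError::HKDF_FAILED);
+return false;
+}
 
 DCHECK(!dp.isSecure());
 *out = ByteSource::Allocated(dp.release());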
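--- a/src/crypto/crypto_hkdf.h
+++ b/src/crypto/crypto_hkdf.h
@@ -45,7 +45,8 @@ struct HKDFTraits final {
 static bool DeriveBits(Environment* env,
 const HKDFConfig& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const HKDFConfig& params,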
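--- a/src/crypto/crypto_hmac.cc
+++ b/src/crypto/crypto_hmac.cc
@@ -231,7 +231,8 @@ Maybe<void> HmacTraits::AdditionalConfig(
 bool HmacTraits::DeriveBits(Environment* env,
 const HmacConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 auto ctx = HMACCtxPointer::New();
 
 ncrypto::Buffer<const void> key_buf{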
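--- a/src/crypto/crypto_hmac.h
+++ b/src/crypto/crypto_hmac.h
@@ -76,7 +76,8 @@ struct HmacTraits final {
 static bool DeriveBits(Environment* env,
 const HmacConfig& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const HmacConfig& params,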
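--- a/src/crypto/crypto_kem.cc
+++ b/src/crypto/crypto_kem.cc
@@ -51,12 +51,12 @@ namespace {
 bool DoKEMEncapsulate(Environment* env,
 const EVPKeyPointer& public_key,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 auto result = ncrypto::KEM::Encapsulate(public_key);
 if (!result) {
-if (mode == kCryptoJobSync) {
-THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to perform encapsulation");
-}
+errors->Insert(NodeCryptoError::ENCAPSULATION_FAILED);
+errors->SetNodeErrorCode("ERR_CRYPTO_OPERATION_FAILED");
 return false;
 }
 
@@ -68,10 +68,8 @@ bool DoKEMEncapsulate(Environment* env,
 
 auto data = ncrypto::DataPointer::Alloc(total_len);
 if (!data) {
-if (mode == kCryptoJobSync) {
-THROW_ERR_CRYPTO_OPERATION_FAILED(env,
-"Failed to allocate output buffer");
-}
+errors->Insert(NodeCryptoError::ALLOCATION_FAILED);
+errors->SetNodeErrorCode("ERR_CRYPTO_OPERATION_FAILED");
 return false;
 }
 
@@ -97,14 +95,14 @@ bool DoKEMDecapsulate(Environment* env,
 const EVPKeyPointer& private_key,
 const ByteSource& ciphertext,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 ncrypto::Buffer<const void> ciphertext_buf{ciphertext.data(),
 ciphertext.size()};
 auto shared_key = ncrypto::KEM::Decapsulate(private_key, ciphertext_buf);
 if (!shared_key) {
-if (mode == kCryptoJobSync) {
-THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to perform decapsulation");
-}
+errors->Insert(NodeCryptoError::DECAPSULATION_FAILED);
+errors->SetNodeErrorCode("ERR_CRYPTO_OPERATION_FAILED");
 return false;
 }
 
@@ -137,11 +135,12 @@ Maybe<void> KEMEncapsulateTraits::AdditionalConfig(
 bool KEMEncapsulateTraits::DeriveBits(Environment* env,
 const KEMConfiguration& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 Mutex::ScopedLock lock(params.key.mutex());
 const auto& public_key = params.key.GetAsymmetricKey();
 
-return DoKEMEncapsulate(env, public_key, out, mode);
+return DoKEMEncapsulate(env, public_key, out, mode, errors);
 }
 
 MaybeLocal<Value> KEMEncapsulateTraits::EncodeOutput(
@@ -218,11 +217,13 @@ Maybe<void> KEMDecapsulateTraits::AdditionalConfig(
 bool KEMDecapsulateTraits::DeriveBits(Environment* env,
 const KEMConfiguration& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 Mutex::ScopedLock lock(params.key.mutex());
 const auto& private_key = params.key.GetAsymmetricKey();
 
-return DoKEMDecapsulate(env, private_key, params.ciphertext, out, mode);
+return DoKEMDecapsulate(
+env, private_key, params.ciphertext, out, mode, errors);
 }
 
 MaybeLocal<Value> KEMDecapsulateTraits::EncodeOutput(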
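Review bot: In `DoKEMEncapsulate` and `DoKEMDecapsulate` the `mode` parameter is no longer read in any visible line, because its only visible uses were the removed `if (mode == kCryptoJobSync)` guards. If the parts of the two helpers outside the hunks do not read it either, drop it from both helper signatures and call sites (`return DoKEMEncapsulate(env, public_key, out, errors);`) or mark it `[[maybe_unused]]`, so the signature does not suggest that sync and async failures are still handled differently. The specific texts `Failed to perform encapsulation`, `Failed to allocate output buffer` and `Failed to perform decapsulation` are also gone; a short comment at the first `errors->Insert` noting that the message now comes from the `NodeCryptoError` entry would help whoever searches for them.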
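--- a/src/crypto/crypto_kem.h
+++ b/src/crypto/crypto_kem.h
@@ -48,7 +48,8 @@ struct KEMEncapsulateTraits final {
 static bool DeriveBits(Environment* env,
 const KEMConfiguration& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const KEMConfiguration& params,
@@ -71,7 +72,8 @@ struct KEMDecapsulateTraits final {
 static bool DeriveBits(Environment* env,
 const KEMConfiguration& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const KEMConfiguration& params,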
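--- a/src/crypto/crypto_kmac.cc
+++ b/src/crypto/crypto_kmac.cc
@@ -122,7 +122,8 @@ Maybe<void> KmacTraits::AdditionalConfig(
 bool KmacTraits::DeriveBits(Environment* env,
 const KmacConfig& params,
 ByteSource* out,
-CryptoJobMode mode) {
+CryptoJobMode mode,
+CryptoErrorStore* errors) {
 if (params.length == 0) {
 *out = ByteSource();
 return true;
@@ -133,6 +134,7 @@ bool KmacTraits::DeriveBits(Environment* env,
 size_t key_size = params.key.GetSymmetricKeySize();
 
 if (key_size == 0) {
+errors->Insert(NodeCryptoError::KMAC_FAILED);
 return false;
 }
 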
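--- a/src/crypto/crypto_kmac.h
+++ b/src/crypto/crypto_kmac.h
@@ -51,7 +51,8 @@ struct KmacTraits final {
 static bool DeriveBits(Environment* env,
 const KmacConfig& params,
 ByteSource* out,
-CryptoJobMode mode);
+CryptoJobMode mode,
+CryptoErrorStore* errors);
 
 static v8::MaybeLocal<v8::Value> EncodeOutput(Environment* env,
 const KmacConfig& params,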