test: openssl 3.4 compatibility #56294
Open
+15
−9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
OpenSSL 3.4 has intentionally broken EVP_DigestFinal for SHAKE128 and
SHAKE256 when OSSL_DIGEST_PARAM_XOFLEN is not set because a) the default
length used weakened them from their maximum strength and b) a static
length does not fully make sense for XOFs (which SHAKE* are).
Unfortunately, while crypto.createHash accepts an option argument that can
be something like `{ outputLength: 128 }`, crypto.hash doesn't offer a
similar API. Therefore there is little choice but to skip the test
completely for shake128 and shake256 on openssl >= 3.4.
Fixes: nodejs#56159
Refs: openssl/openssl@b911fef
Refs: openssl/openssl@ad3f28c
…ilure According to RFC 8446 (TLS 1.3), a PSK binder validation failure should result in decrypt_error rather than illegal_parameter which openssl had been using. Update the tests to match openssl's fix. Refs: openssl/openssl@02b8b7b Refs: https://www.rfc-editor.org/rfc/rfc8446
nodejs-github-bot
added
needs-ci
aduh95
reviewed
Dec 17, 2024
| const digestFromString = crypto.hash(method, input.toString(), outputEncoding); | ||
| assert.deepStrictEqual(digestFromString, oldDigest, | ||
| `different result from ${method} with encoding ${outputEncoding}`); | ||
| if (method !== 'shake128' && method !== 'shake256' || !common.hasOpenSSL(3, 4)) { |
There was a problem hiding this comment.
nit: I think it would be more readable to filter them above, with a comment explaining why.
// As of OpenSSL 3.4.0, shake128 and shake256 methods are not supported because…
const methods = crypto.getHashes().filter(
common.hasOpenSSL(3, 4) ?
method => method !== 'shake128' && method !== 'shake256' :
() => true,
);In any case, we should move the check to outside the inner loop.
lpinca
approved these changes
Dec 18, 2024
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #56294 +/- ##
=======================================
Coverage 88.53% 88.54%
=======================================
Files 657 657
Lines 190285 190285
Branches 36535 36536 +1
=======================================
+ Hits 168470 168485 +15
+ Misses 14991 14976 -15
Partials 6824 6824 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes two issues in the testsuite caused by changes in openssl 3.4:
In addition to #56160 , this should fix
the build of nodejs with openssl 3.4 for Ubuntu 25.04 (Plucky).