crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/internal/crypto/util.js

@@ -400,7 +400,7 @@ const conditionalAlgorithms = {
   'Argon2d': !!Argon2Job,
   'Argon2i': !!Argon2Job,
   'Argon2id': !!Argon2Job,
-  'ChaCha20-Poly1305': !process.features.openssl_is_boringssl ||
+  'ChaCha20-Poly1305': process.features.openssl_is_boringssl ||
     ArrayPrototypeIncludes(getCiphers(), 'chacha20-poly1305'),
   'cSHAKE128': !process.features.openssl_is_boringssl ||
     ArrayPrototypeIncludes(getHashes(), 'shake128'),

src/crypto/crypto_chacha20_poly1305.cc

@@ -10,6 +10,9 @@
 #include "v8.h"
 
 #include <openssl/evp.h>
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/aead.h>
+#endif
 
 namespace node {
 
@@ -110,10 +113,15 @@ Maybe<void> ChaCha20Poly1305CipherTraits::AdditionalConfig(
   params->mode = mode;
   params->cipher = ncrypto::Cipher::CHACHA20_POLY1305;
 
+#ifndef OPENSSL_IS_BORINGSSL
+  // On BoringSSL, ChaCha20-Poly1305 is not exposed via the EVP_CIPHER registry
+  // so FromNid() returns a null Cipher. We use EVP_AEAD directly in DoCipher
+  // instead.
   if (!params->cipher) {
     THROW_ERR_CRYPTO_UNKNOWN_CIPHER(env);
     return Nothing<void>();
   }
+#endif
 
   // IV parameter (required)
   if (!ValidateIV(env, mode, args[offset], params)) {
@@ -144,6 +152,75 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
     return WebCryptoCipherStatus::INVALID_KEY_TYPE;
   }
 
+#ifdef OPENSSL_IS_BORINGSSL
+  // BoringSSL does not expose ChaCha20-Poly1305 via the EVP_CIPHER registry;
+  // it is only available through the EVP_AEAD API. Matches Chromium's
+  // WebCrypto ChaCha20-Poly1305 implementation.
+  const auto key_bytes =
+      reinterpret_cast<const unsigned char*>(key_data.GetSymmetricKey());
+  const auto ad_bytes = params.additional_data.data<unsigned char>();
+  const auto ad_len = params.additional_data.size();
+  const auto iv_bytes = params.iv.data<unsigned char>();
+  const auto iv_len = params.iv.size();
+
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  if (!EVP_AEAD_CTX_init(ctx.get(),
+                         EVP_aead_chacha20_poly1305(),
+                         key_bytes,
+                         key_data.GetSymmetricKeySize(),
+                         kChaCha20Poly1305TagSize,
+                         nullptr)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+
+  if (cipher_mode == kWebCryptoCipherEncrypt) {
+    size_t out_len = 0;
+    const size_t max_out_len = in.size() + kChaCha20Poly1305TagSize;
+    auto buf = DataPointer::Alloc(max_out_len);
+    if (!EVP_AEAD_CTX_seal(ctx.get(),
+                           static_cast<unsigned char*>(buf.get()),
+                           &out_len,
+                           max_out_len,
+                           iv_bytes,
+                           iv_len,
+                           in.data<unsigned char>(),
+                           in.size(),
+                           ad_bytes,
+                           ad_len)) {
+      return WebCryptoCipherStatus::FAILED;
+    }
+    buf = buf.resize(out_len);
+    *out = ByteSource::Allocated(buf.release());
+    return WebCryptoCipherStatus::OK;
+  }
+
+  // Decrypt
+  if (in.size() < kChaCha20Poly1305TagSize) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  size_t out_len = 0;
+  const size_t max_out_len = in.size();  // at most |in_len| bytes written
+  auto buf = DataPointer::Alloc(max_out_len == 0 ? 1 : max_out_len);
+  if (!EVP_AEAD_CTX_open(ctx.get(),
+                         static_cast<unsigned char*>(buf.get()),
+                         &out_len,
+                         max_out_len,
+                         iv_bytes,
+                         iv_len,
+                         in.data<unsigned char>(),
+                         in.size(),
+                         ad_bytes,
+                         ad_len)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  if (out_len == 0) {
+    *out = ByteSource();
+  } else {
+    buf = buf.resize(out_len);
+    *out = ByteSource::Allocated(buf.release());
+  }
+  return WebCryptoCipherStatus::OK;
+#else
   auto ctx = CipherCtxPointer::New();
   CHECK(ctx);
 
@@ -242,6 +319,7 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
   *out = ByteSource::Allocated(buf.release());
 
   return WebCryptoCipherStatus::OK;
+#endif  // OPENSSL_IS_BORINGSSL
 }
 
 void ChaCha20Poly1305::Initialize(Environment* env, Local<Object> target) {

test/fixtures/webcrypto/supports-modern-algorithms.mjs

@@ -6,7 +6,6 @@ const pqc = hasOpenSSL(3, 5);
 const argon2 = hasOpenSSL(3, 2);
 const shake128 = crypto.getHashes().includes('shake128');
 const shake256 = crypto.getHashes().includes('shake256');
-const chacha = crypto.getCiphers().includes('chacha20-poly1305');
 const ocb = hasOpenSSL(3);
 const kmac = hasOpenSSL(3);
 const boringSSL = process.features.openssl_is_boringssl;
@@ -78,7 +77,7 @@ export const vectors = {
     [pqc, 'ML-KEM-512'],
     [pqc, 'ML-KEM-768'],
     [pqc, 'ML-KEM-1024'],
-    [chacha, 'ChaCha20-Poly1305'],
+    [true, 'ChaCha20-Poly1305'],
     [ocb, { name: 'AES-OCB', length: 128 }],
     [false, 'Argon2d'],
     [false, 'Argon2i'],
@@ -99,7 +98,7 @@ export const vectors = {
     [pqc, 'ML-KEM-512'],
     [pqc, 'ML-KEM-768'],
     [pqc, 'ML-KEM-1024'],
-    [chacha, 'ChaCha20-Poly1305'],
+    [true, 'ChaCha20-Poly1305'],
     [ocb, { name: 'AES-OCB', length: 128 }],
     [argon2, 'Argon2d'],
     [argon2, 'Argon2i'],
@@ -120,7 +119,7 @@ export const vectors = {
     [pqc, 'ML-KEM-512'],
     [pqc, 'ML-KEM-768'],
     [pqc, 'ML-KEM-1024'],
-    [chacha, 'ChaCha20-Poly1305'],
+    [true, 'ChaCha20-Poly1305'],
     [ocb, 'AES-OCB'],
     [false, 'Argon2d'],
     [false, 'Argon2i'],
@@ -186,9 +185,9 @@ export const vectors = {
     [false, { name: 'Argon2d', nonce: Buffer.alloc(8), parallelism: 16777215, memory: 8, passes: 1 }, 32],
   ],
   'encrypt': [
-    [chacha, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12) }],
+    [true, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12) }],
     [false, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(16) }],
-    [chacha, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12), tagLength: 128 }],
+    [true, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12), tagLength: 128 }],
     [false, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12), tagLength: 64 }],
     [false, 'ChaCha20-Poly1305'],
     [ocb, { name: 'AES-OCB', iv: Buffer.alloc(15) }],

test/parallel/test-crypto-key-objects-to-crypto-key.js

@@ -26,15 +26,10 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) {
 {
   for (const length of [128, 192, 256]) {
     const key = createSecretKey(randomBytes(length >> 3));
-    let algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
+    const algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
     if (length === 256)
       algorithms.push('ChaCha20-Poly1305');
 
-    if (process.features.openssl_is_boringssl) {
-      algorithms = algorithms.filter((a) => a !== 'ChaCha20-Poly1305');
-      common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
-    }
-
     for (const algorithm of algorithms) {
       const usages = algorithm === 'AES-KW' ? ['wrapKey', 'unwrapKey'] : ['encrypt', 'decrypt'];
       for (const extractable of [true, false]) {

test/parallel/test-webcrypto-aead-decrypt-detached-buffer.js

@@ -29,14 +29,11 @@ async function test(algorithmName, keyLength, ivLength, format = 'raw') {
 
 const tests = [
   test('AES-GCM', 32, 12),
+  test('ChaCha20-Poly1305', 32, 12, 'raw-secret'),
 ];
 
 if (hasOpenSSL(3)) {
   tests.push(test('AES-OCB', 32, 12, 'raw-secret'));
 }
 
-if (!process.features.openssl_is_boringssl) {
-  tests.push(test('ChaCha20-Poly1305', 32, 12, 'raw-secret'));
-}
-
 Promise.all(tests).then(common.mustCall());

test/parallel/test-webcrypto-deduplicate-usages.js

@@ -45,6 +45,9 @@ function assertSameSet(actual, expected, msg) {
     { algorithm: { name: 'AES-KW', length: 128 },
       usages: ['wrapKey', 'unwrapKey', 'wrapKey', 'unwrapKey'],
       expected: ['wrapKey', 'unwrapKey'] },
+    { algorithm: { name: 'ChaCha20-Poly1305' },
+      usages: ['wrapKey', 'decrypt', 'encrypt', 'unwrapKey', 'wrapKey', 'encrypt'],
+      expected: ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'] },
   ];
 
   if (hasOpenSSL(3)) {
@@ -62,16 +65,6 @@ function assertSameSet(actual, expected, msg) {
     common.printSkipMessage('AES-OCB and KMAC require OpenSSL >= 3');
   }
 
-  if (!process.features.openssl_is_boringssl) {
-    symmetric.push({
-      algorithm: { name: 'ChaCha20-Poly1305' },
-      usages: ['wrapKey', 'decrypt', 'encrypt', 'unwrapKey', 'wrapKey', 'encrypt'],
-      expected: ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'],
-    });
-  } else {
-    common.printSkipMessage('ChaCha20-Poly1305 is not supported in BoringSSL');
-  }
-
   for (const { algorithm, usages, expected } of symmetric) {
     tests.push((async () => {
       const key = await subtle.generateKey(algorithm, true, usages);
@@ -342,20 +335,16 @@ function assertSameSet(actual, expected, msg) {
   })());
 
   // ChaCha20-Poly1305 raw-secret import.
-  if (!process.features.openssl_is_boringssl) {
-    tests.push((async () => {
-      const key = await subtle.importKey(
-        'raw-secret',
-        new Uint8Array(32),
-        { name: 'ChaCha20-Poly1305' },
-        true,
-        ['decrypt', 'encrypt', 'decrypt', 'encrypt']);
-      assertSameSet(key.usages, ['encrypt', 'decrypt']);
-      assert.strictEqual(key.usages.length, 2);
-    })());
-  } else {
-    common.printSkipMessage('ChaCha20-Poly1305 is not supported in BoringSSL');
-  }
+  tests.push((async () => {
+    const key = await subtle.importKey(
+      'raw-secret',
+      new Uint8Array(32),
+      { name: 'ChaCha20-Poly1305' },
+      true,
+      ['decrypt', 'encrypt', 'decrypt', 'encrypt']);
+    assertSameSet(key.usages, ['encrypt', 'decrypt']);
+    assert.strictEqual(key.usages.length, 2);
+  })());
 
   // AES-OCB raw-secret import.
   if (hasOpenSSL(3)) {

test/parallel/test-webcrypto-encrypt-decrypt-chacha20-poly1305.js

@@ -5,9 +5,6 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
-if (process.features.openssl_is_boringssl)
-  common.skip('Skipping unsupported ChaCha20-Poly1305 test case');
-
 const assert = require('assert');
 const { subtle } = globalThis.crypto;
 

test/parallel/test-webcrypto-keygen.js

@@ -142,7 +142,16 @@ const vectors = {
       'wrapKey',
       'unwrapKey',
     ],
-  }
+  },
+  'ChaCha20-Poly1305': {
+    result: 'CryptoKey',
+    usages: [
+      'encrypt',
+      'decrypt',
+      'wrapKey',
+      'unwrapKey',
+    ],
+  },
 };
 
 if (!process.features.openssl_is_boringssl) {
@@ -160,15 +169,6 @@ if (!process.features.openssl_is_boringssl) {
       'deriveBits',
     ],
   };
-  vectors['ChaCha20-Poly1305'] = {
-    result: 'CryptoKey',
-    usages: [
-      'encrypt',
-      'decrypt',
-      'wrapKey',
-      'unwrapKey',
-    ],
-  };
 } else {
   common.printSkipMessage('Skipping unsupported test cases');
 }

test/parallel/test-webcrypto-wrap-unwrap.js

@@ -44,21 +44,15 @@ const kWrappingData = {
     wrap: { },
     pair: false
   },
-};
-
-
-if (!process.features.openssl_is_boringssl) {
-  kWrappingData['ChaCha20-Poly1305'] = {
+  'ChaCha20-Poly1305': {
     wrap: {
       iv: new Uint8Array(12),
       additionalData: new Uint8Array(16),
       tagLength: 128
     },
     pair: false
-  };
-} else {
-  common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
-}
+  }
+};
 
 if (hasOpenSSL(3)) {
   kWrappingData['AES-OCB'] = {
@@ -197,19 +191,14 @@ async function generateKeysToWrap() {
       usages: ['wrapKey', 'unwrapKey'],
       pair: false,
     },
-  ];
-
-  if (!process.features.openssl_is_boringssl) {
-    parameters.push({
+    {
       algorithm: {
         name: 'ChaCha20-Poly1305'
       },
       usages: ['encrypt', 'decrypt'],
       pair: false,
-    });
-  } else {
-    common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
-  }
+    },
+  ];
 
   if (hasOpenSSL(3, 5)) {
     for (const name of ['ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']) {

test/wpt/status/WebCryptoAPI.cjs

@@ -67,23 +67,16 @@ if (process.features.openssl_is_boringssl) {
     'derive_bits_keys/cfrg_curves_keys_curve448.tentative.https.any.js',
     'digest/cshake.tentative.https.any.js',
     'digest/sha3.tentative.https.any.js',
-    'encrypt_decrypt/chacha20_poly1305.tentative.https.any.js',
     'generateKey/failures_Ed448.tentative.https.any.js',
     'generateKey/failures_X448.tentative.https.any.js',
-    'generateKey/failures_chacha20_poly1305.tentative.https.any.js',
     'generateKey/successes_Ed448.tentative.https.any.js',
     'generateKey/successes_X448.tentative.https.any.js',
-    'generateKey/successes_chacha20_poly1305.tentative.https.any.js',
-    'import_export/ChaCha20-Poly1305_importKey.tentative.https.any.js',
     'import_export/okp_importKey_Ed448.tentative.https.any.js',
     'import_export/okp_importKey_failures_Ed448.tentative.https.any.js',
     'import_export/okp_importKey_failures_X448.tentative.https.any.js',
     'import_export/okp_importKey_X448.tentative.https.any.js',
     'sign_verify/eddsa_curve448.tentative.https.any.js');
 
-  skipSubtests(
-    ['supports-modern.tentative.https.any.js', /ChaCha20-Poly1305/],
-    ['supports-modern.tentative.https.any.js', /^supports returns true for algorithm objects with valid parameters$/]);
 }
 
 function assertNoOverlap(fileSkips, subtestSkips) {