crypto: use EVP_MAC for HMAC on OpenSSL >=3 #63942

Merged
nodejs-github-bot merged 2 commits into nodejs:main from panva:use-evp_mac
Jun 19, 2026
@panva commented Jun 16, 2026 (Member)

Closes: #59493

Use OpenSSL 3 provider-backed EVP_MAC APIs for HMAC when available, while keeping the existing HMAC_* implementation around for OpenSSL 1.1.1 and BoringSSL compatibility. Provider fetch/setup failures on OpenSSL 3 surface as HMAC initialization failures instead of falling back to deprecated HMAC_* APIs.

Closes: nodejs#59493
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jun 16, 2026
@panva commented Jun 16, 2026 (Member, Author)

https://ci.nodejs.org/view/Node.js%20benchmark/job/benchmark-node-micro-benchmarks/1872/

The EVP_MAC path shows a statistically significant HMAC construction slowdown in this run, around 4.5% across the createHmac() configurations. That's construction, but then HMAC throughput and WebCrypto HMAC are mostly flat.
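
A known-answer check that could be run on a Node.js build containing this change, covering the two surfaces named in the benchmark comment (createHmac() and WebCrypto HMAC). This is an added example, not code from the pull request; the expected tags are HMAC-SHA256 test cases 1, 2 and 6 from RFC 4231, and the function names and the `no-such-digest` string are illustrative.

```javascript
const { createHmac, timingSafeEqual, webcrypto } = require('node:crypto');
// RFC 4231 test cases 1, 2 and 6 (case 6 has a key longer than the block size).
const VECTORS = [
  { key: Buffer.alloc(20, 0x0b), data: Buffer.from('Hi There'),
    mac: 'b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7' },
  { key: Buffer.from('Jefe'), data: Buffer.from('what do ya want for nothing?'),
    mac: '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843' },
  { key: Buffer.alloc(131, 0xaa),
    data: Buffer.from('Test Using Larger Than Block-Size Key - Hash Key First'),
    mac: '60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54' },
];

// createHmac() path: the one whose construction cost the benchmark measured.
function checkCreateHmac() {
  return VECTORS.every(({ key, data, mac }) => {
    // Feed the message in two chunks so update() is exercised as well as digest().
    const h = createHmac('sha256', key);
    h.update(data.subarray(0, 4));
    h.update(data.subarray(4));
    return timingSafeEqual(h.digest(), Buffer.from(mac, 'hex'));
  });
}

// WebCrypto path: import the raw key, then verify the expected tag.
async function checkWebCrypto() {
  for (const { key, data, mac } of VECTORS) {
    const k = await webcrypto.subtle.importKey(
      'raw', key, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
    const ok = await webcrypto.subtle.verify('HMAC', k, Buffer.from(mac, 'hex'), data);
    if (!ok) return false;
  }
  return true;
}

// A digest that cannot be resolved must fail at construction, not yield a MAC.
function constructionFails(digestName) {
  try {
    createHmac(digestName, 'k');
    return false;
  } catch {
    return true;
  }
}

// Returns one summary object; process.versions.openssl shows the linked library.
async function runHmacSelfTest() {
  return { openssl: process.versions.openssl, createHmac: checkCreateHmac(),
    webcrypto: await checkWebCrypto(), badDigestRejected: constructionFails('no-such-digest') };
}
```

Calling `runHmacSelfTest()` before and after an upgrade gives a like-for-like record of HMAC behaviour alongside the OpenSSL version string.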

@panva panva requested review from jasnell and tniessen June 16, 2026 14:12
@panva panva added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Jun 17, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 17, 2026
@panva panva added the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 19, 2026
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 19, 2026
@nodejs-github-bot nodejs-github-bot merged commit 8fa5954 into nodejs:main Jun 19, 2026
73 of 74 checks passed
@nodejs-github-bot (Collaborator)

Landed in 8fa5954

@panva panva deleted the use-evp_mac branch June 19, 2026 08:09
aduh95 pushed a commit that referenced this pull request Jun 20, 2026
Closes: #59493
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
PR-URL: #63942
Fixes: #59493
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Development

Successfully merging this pull request may close these issues.

Please port ncrypto from deprecated HMAC_ apis to EVP_MAC apis