Skip to content

crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms#62183

Open
panva wants to merge 5 commits intonodejs:mainfrom
panva:turbo-kangaroo
Open

crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms#62183
panva wants to merge 5 commits intonodejs:mainfrom
panva:turbo-kangaroo

Conversation

@panva
Copy link
Member

@panva panva commented Mar 10, 2026
edited
Loading

Adds RFC 9861 - KangarooTwelve and TurboSHAKE digest algorithm to Web Cryptography API per WICG/webcrypto-modern-algos#41 using adapted OpenSSL's keccak1600 implementation, to be replaced when OpenSSL supports them natively at which point we'd also make them available in stable node:crypto.

Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve
Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake
Refs: https://www.rfc-editor.org/rfc/rfc9861.html
Refs: https://redirect.github.com/openssl/openssl/issues/30304

The tests for the implementation use both test vectors from the RFC as well as ones generated using PyCryptodome

@panva panva added semver-minor PRs that contain new features and should be released in the next minor version. experimental Issues and PRs related to experimental features. webcrypto labels Mar 10, 2026
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 10, 2026
edited by panva
Loading

Review requested:

  • @nodejs/crypto
  • @nodejs/gyp
  • @nodejs/web-standards

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 10, 2026
@panva panva force-pushed the turbo-kangaroo branch 2 times, most recently from 4afe257 to a9f6b32 Compare March 10, 2026 13:23
@panva panva changed the title crypto: Add TurboSHAKE and KangarooTwelve Web Cryptography algorithms crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms Mar 10, 2026
@panva panva marked this pull request as ready for review March 10, 2026 14:28
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
anonrig
anonrig reviewed Mar 10, 2026
View reviewed changes
src/crypto/crypto_turboshake.cc
namespace {

inline uint64_t ROL64(uint64_t val, int offset) {
if (offset == 0) return val;
Copy link
Member

@anonrig anonrig Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will fix an undefined behavior.

Suggested change
if (offset == 0) return val;
if (offset <= 0) return val;

Copy link
Member

@anonrig anonrig Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or the following:

Copy link
Member Author

@panva panva Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The offset values come from the static rhotates table which only contains values 0–62, so this can never happen in practice.

anonrig
anonrig reviewed Mar 10, 2026
View reviewed changes
src/crypto/crypto_turboshake.cc
Comment on lines +29 to +30
if (offset == 0) return val;
return (val << offset) | (val >> (64 - offset));
Copy link
Member

@anonrig anonrig Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (offset == 0) return val;
return (val << offset) | (val >> (64 - offset));
offset &= 63; // reduce to [0, 63]
if (offset == 0) return val;
return (val << offset) | (val >> (64 - offset));
}

Copy link
Member Author

@panva panva Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same, the offsets are fixed values in the range of 0..62

anonrig
anonrig reviewed Mar 10, 2026
View reviewed changes
src/crypto/crypto_turboshake.cc
// Load/store 64-bit lanes in little-endian byte order.
// The Keccak state uses LE lane encoding (FIPS 202 Section 1, B.1).
// These helpers ensure correctness on both LE and BE platforms.
inline uint64_t LoadLE64(const uint8_t* src) {
Copy link
Member

@anonrig anonrig Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to have an assert somewhere making sure that src has size at least 8.

Copy link
Member Author

@panva panva Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These helpers are only called on the internal 200-byte Keccak state and fixed-size padding buffers. Same pattern as OpenSSL's keccak1600.c they're adapted from.

@panva panva mentioned this pull request Mar 10, 2026
Open
@codecov
Copy link

codecov bot commented Mar 10, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.71429% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.64%. Comparing base (ae228c1) to head (95d3e32).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_turboshake.cc 83.42% 33 Missing and 25 partials ⚠️
src/crypto/crypto_turboshake.h 33.33% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62183      +/-   ##
==========================================
- Coverage   89.65%   89.64%   -0.01%     
==========================================
  Files         676      678       +2     
  Lines      206546   206984     +438     
  Branches    39558    39632      +74     
==========================================
+ Hits       185179   185553     +374     
- Misses      13485    13516      +31     
- Partials     7882     7915      +33
Files with missing lines Coverage Δ
lib/internal/crypto/hash.js 99.00% <100.00%> (+0.06%) ⬆️
lib/internal/crypto/util.js 95.50% <100.00%> (+0.06%) ⬆️
lib/internal/crypto/webidl.js 98.41% <100.00%> (+0.08%) ⬆️
src/node_crypto.cc 81.81% <ø> (ø)
src/crypto/crypto_turboshake.h 33.33% <33.33%> (ø)
src/crypto/crypto_turboshake.cc 83.42% <83.42%> (ø)

... and 32 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva panva added the crypto Issues and PRs related to the crypto subsystem. label Mar 10, 2026
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 10, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/71678/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anonrig anonrig anonrig left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

crypto Issues and PRs related to the crypto subsystem. experimental Issues and PRs related to experimental features. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. semver-minor PRs that contain new features and should be released in the next minor version. webcrypto

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@panva @nodejs-github-bot @anonrig