crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms by panva · Pull Request #62183 · nodejs/node

panva · 2026-03-10T13:20:09Z

Adds RFC 9861 - KangarooTwelve and TurboSHAKE digest algorithm to Web Cryptography API per WICG/webcrypto-modern-algos#41 using adapted OpenSSL's keccak1600 implementation, to be replaced when OpenSSL supports them natively at which point we'd also make them available in stable node:crypto.

Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve
Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake
Refs: https://www.rfc-editor.org/rfc/rfc9861.html
Refs: https://redirect.github.com/openssl/openssl/issues/30304

The tests for the implementation use both test vectors from the RFC as well as ones generated using PyCryptodome

nodejs-github-bot · 2026-03-10T13:20:15Z

Review requested:

@nodejs/crypto
@nodejs/gyp
@nodejs/web-standards

codecov · 2026-03-10T16:20:11Z

Codecov Report

❌ Patch coverage is 85.71429% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.69%. Comparing base (1baafcc) to head (c8e9f1d).
⚠️ Report is 102 commits behind head on main.

Files with missing lines	Patch %	Lines
src/crypto/crypto_turboshake.cc	83.42%	33 Missing and 25 partials ⚠️
src/crypto/crypto_turboshake.h	33.33%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62183      +/-   ##
==========================================
- Coverage   89.71%   89.69%   -0.02%     
==========================================
  Files         676      678       +2     
  Lines      206751   207185     +434     
  Branches    39640    39731      +91     
==========================================
+ Hits       185484   185842     +358     
- Misses      13403    13441      +38     
- Partials     7864     7902      +38

Files with missing lines	Coverage Δ
lib/internal/crypto/hash.js	`99.00% <100.00%> (+0.06%)`	⬆️
lib/internal/crypto/util.js	`95.51% <100.00%> (+0.06%)`	⬆️
lib/internal/crypto/webidl.js	`98.41% <100.00%> (+0.08%)`	⬆️
src/node_crypto.cc	`81.81% <ø> (ø)`
src/crypto/crypto_turboshake.h	`33.33% <33.33%> (ø)`
src/crypto/crypto_turboshake.cc	`83.42% <83.42%> (ø)`

... and 36 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

panva · 2026-03-18T08:35:38Z

cc @nodejs/cpp-reviewers

addaleax

Can't really review the cryptography here but the code otherwise LGTM

addaleax · 2026-03-20T12:21:49Z

+  // Absorb complete blocks from input
+  while (offset + rate <= input_len) {
+    for (size_t i = 0; i < lane_count; i++) {
+      A[i / 5][i % 5] ^= LoadLE64(input + offset + i * 8);


Is using LE part of the algorithm specification? Because Node.js does support BE platforms

It does need to produce the same digests regardless of the platforms's endianness. And it does, i had earlier failures in jenkins on those platforms and handled that.

PR-URL: nodejs#62183 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

PR-URL: nodejs#62183 Backport-PR-URL: nodejs#62539 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs#62183 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

PR-URL: #62183 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

Notable changes: * crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) nodejs#63527 * (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) nodejs#63597 * (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) nodejs#62499 * (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) nodejs#62183 * (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) nodejs#63155 * (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) nodejs#63079 * (SEMVER-MINOR) lib: cleanup stateless diffiehellman key handling (Filip Skokan) nodejs#62645 PR-URL: nodejs#64062 Signed-off-by: Stewart X Addison <sxa@ibm.com>

Notable changes: * crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527 * (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597 * (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527 * (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527 * (SEMVER-MINOR) crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499 * (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 * (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155 * (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079 * (SEMVER-MINOR) lib: cleanup stateless diffiehellman key handling (Filip Skokan) #62645 PR-URL: #64062 Signed-off-by: Stewart X Addison <sxa@ibm.com>

Notable changes: * crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527 * (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597 * (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527 * (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527 * (SEMVER-MINOR) crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499 * (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 * (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155 * (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079 * (SEMVER-MINOR) lib: cleanup stateless diffiehellman key handling (Filip Skokan) #62645 PR-URL: #64062

Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) nodejs#63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) nodejs#63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) nodejs#62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) nodejs#64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) nodejs#63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) nodejs#63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) nodejs#63834 PR-URL: nodejs#64062

Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) #62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) #63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) #63834 PR-URL: #64062

PR-URL: nodejs#62183 Backport-PR-URL: nodejs#63563 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) nodejs#63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) nodejs#63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) nodejs#62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) nodejs#64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) nodejs#63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) nodejs#63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) nodejs#63834 PR-URL: nodejs#64062

PR-URL: nodejs#62183 Backport-PR-URL: nodejs#63563 Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake Refs: https://www.rfc-editor.org/rfc/rfc9861.html Refs: https://redirect.github.com/openssl/openssl/issues/30304 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) nodejs#63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) nodejs#63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) nodejs#62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) nodejs#62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) nodejs#64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) nodejs#63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) nodejs#63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) nodejs#63834 PR-URL: nodejs#64062

Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) #62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) #63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) #63834 PR-URL: #64062

panva added semver-minor PRs that contain new features and should be released in the next minor version. experimental Issues and PRs related to experimental features. webcrypto labels Mar 10, 2026

nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 10, 2026

panva force-pushed the turbo-kangaroo branch 2 times, most recently from 4afe257 to a9f6b32 Compare March 10, 2026 13:23

panva changed the title ~~crypto: Add TurboSHAKE and KangarooTwelve Web Cryptography algorithms~~ crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms Mar 10, 2026

panva force-pushed the turbo-kangaroo branch from a9f6b32 to f80cc1b Compare March 10, 2026 13:36

panva marked this pull request as ready for review March 10, 2026 14:28

This comment was marked as outdated.

Sign in to view

anonrig reviewed Mar 10, 2026

View reviewed changes

Comment thread src/crypto/crypto_turboshake.cc

anonrig reviewed Mar 10, 2026

View reviewed changes

Comment thread src/crypto/crypto_turboshake.cc

anonrig reviewed Mar 10, 2026

View reviewed changes

Comment thread src/crypto/crypto_turboshake.cc

panva mentioned this pull request Mar 10, 2026

feat: add Web Cryptography-based TurboSHAKE KDF exports panva/hpke#29

Merged

This comment was marked as outdated.

Sign in to view

panva added the crypto Issues and PRs related to the crypto subsystem. label Mar 10, 2026

This comment was marked as outdated.

Sign in to view

panva force-pushed the turbo-kangaroo branch from 95d3e32 to cded65c Compare March 16, 2026 21:12

panva requested a review from anonrig March 17, 2026 15:55

panva added the review wanted PRs that need reviews. label Mar 18, 2026

addaleax approved these changes Mar 20, 2026

View reviewed changes

panva added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Mar 20, 2026

This was referenced Apr 4, 2026

[javascript] Update Node.js to v25.9.0 hayat01sh1da/coding-tests#41

Merged

[javascript] Update Node.js to v25.9.0 hayat01sh1da/tutorials#206

Merged

aduh95 added dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. and removed backport-open-v24.x Indicate that the PR has an open backport lts-watch-v24.x PRs that may need to be released in v24.x labels Apr 7, 2026

panva mentioned this pull request May 25, 2026

[v24.x backport] crypto, WebCrypto, and WebIDL updates #63563

Closed

sxa mentioned this pull request Jun 22, 2026

2026-06-23, Version 24.18.0 'Krypton' (LTS) #64062

Merged

panva added backported-to-v24.x PRs backported to the v24.x-staging branch. and removed backport-open-v24.x Indicate that the PR has an open backport labels Jun 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms#62183

crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms#62183
panva wants to merge 1 commit into
nodejs:mainfrom
panva:turbo-kangaroo

panva commented Mar 10, 2026 •

edited

Loading

Uh oh!

nodejs-github-bot commented Mar 10, 2026 •

edited by panva

Loading

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

codecov Bot commented Mar 10, 2026 •

edited

Loading

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

panva commented Mar 18, 2026

Uh oh!

addaleax left a comment

Uh oh!

Uh oh!

addaleax Mar 20, 2026

Uh oh!

panva Mar 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Uh oh!

Conversation

panva commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 10, 2026 • edited by panva Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

codecov Bot commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

panva commented Mar 18, 2026

Uh oh!

addaleax left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

addaleax Mar 20, 2026

Choose a reason for hiding this comment

Uh oh!

panva Mar 20, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

panva commented Mar 10, 2026 •

edited

Loading

nodejs-github-bot commented Mar 10, 2026 •

edited by panva

Loading

codecov Bot commented Mar 10, 2026 •

edited

Loading