feat(NODE-5875): provide native crypto hooks for OpenSSL 3

[addaleax]

Description

$ ~/.nvm/versions/node/v20.14.0/bin/node test/benchmarks/bench.mjs && ~/.nvm/versions/node/v16.20.2/bin/node test/benchmarks/bench.mjs 

- cpu: AMD Ryzen 7 3700X 8-Core Processor
- node: v20.14.0
- cores: 16
- arch: x64
- os: linux (6.5.0-41-generic)
- ram: 31.254920959472656GB

BenchmarkRunner is using libmongocryptVersion=1.10.0, cryptoHooks=native_openssl, warmupSecs=2, testInSecs=57
samples taken:  2
samples taken:  57
Decrypting 1500 fields median ops/sec : 183
{
  info: { test_name: 'javascript_decrypt_1500' },
  created_at: 2024-06-19T14:36:01.591Z,
  completed_at: 2024-06-19T14:37:00.773Z,
  artifacts: [],
  metrics: [ { name: 'medianOpsPerSec', type: 'THROUGHPUT', value: 183 } ],
  sub_tests: []
}

- cpu: AMD Ryzen 7 3700X 8-Core Processor
- node: v16.20.2
- cores: 16
- arch: x64
- os: linux (6.5.0-41-generic)
- ram: 31.254920959472656GB

BenchmarkRunner is using libmongocryptVersion=1.10.0, cryptoHooks=js, warmupSecs=2, testInSecs=57
samples taken:  2
samples taken:  57
Decrypting 1500 fields median ops/sec : 35
{
  info: { test_name: 'javascript_decrypt_1500' },
  created_at: 2024-06-19T14:37:01.096Z,
  completed_at: 2024-06-19T14:38:00.979Z,
  artifacts: [],
  metrics: [ { name: 'medianOpsPerSec', type: 'THROUGHPUT', value: 35 } ],
  sub_tests: []
}

What is changing?

Is there new documentation needed for these changes?

What is the motivation for this change?

Need for speed.

Release Highlight

Create native cryptoCallbacks 🔐

Node.js bundles OpenSSL, which means we can access the crypto APIs from C++ directly avoiding the need to define them in javascript and call back into the JS engine to perform encryption. Now, when running the bindings in a version of Node.js that bundles OpenSSL 3 (should correspond to Node.js 18+), the cryptoCallbacks option will be ignored and C++ defined callbacks will be used instead. This improves the performance of encryption dramatically, as much as 5x faster. 🚀

Double check the following

• Ran npm run check:lint script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[addaleax]

fyi, I've pushed 3886c37 because we just learned (the hard way 🙂) that Electron doesn't expose its native SSL bindings, absolutely makes sense for them not to do that but it's not something we had thought about before (plus a GYP variable so there's an easy way to skip this optimization if we need that at some point)

[nbbeeken]

Changes LGTM, why does it make sense that they wouldn't expose those? would it further add to the version matrix of ssls?

[addaleax]

@nbbeeken I think the biggest reason is that they're using BoringSSL because of Chromium instead of OpenSSL, and BoringSSL's README helpfully states:

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

[durran]

Fire