fixup! crypto: coerce -0 to +0 before native calls

panva · panva · commit bb206e1bcac8 · 2026-05-27T08:56:52.000+02:00
diff --git a/test/parallel/test-crypto-negative-zero.js b/test/parallel/test-crypto-negative-zero.js
@@ -6,6 +6,7 @@ if (!common.hasCrypto)
 
 const assert = require('assert');
 const crypto = require('crypto');
+const { hasOpenSSL } = require('../common/crypto');
 
 function getOutcome(fn) {
   try {
@@ -68,30 +69,38 @@ function assertSameErrorOrSuccess(actual, expected) {
   });
 }
 
+const isOpenSSL111Fips = !hasOpenSSL(3) && crypto.getFips();
 {
-  for (const [type, getOptions] of [
-    ['rsa', (zero) => ({ modulusLength: zero })],
-    ['rsa', (zero) => ({ modulusLength: 512, publicExponent: zero })],
-    ['rsa-pss', (zero) => ({
-      modulusLength: 512,
-      publicExponent: 65537,
-      saltLength: zero,
-    })],
-    ['dsa', (zero) => ({ modulusLength: zero })],
-    ['dsa', (zero) => ({ modulusLength: 512, divisorLength: zero })],
-    ['dh', (zero) => ({ primeLength: zero })],
-    ['dh', (zero) => ({ primeLength: 2, generator: zero })],
-  ]) {
-    assertSameErrorOrSuccess(
-      getOutcome(() => crypto.generateKeyPairSync(type, getOptions(-0))),
-      getOutcome(() => crypto.generateKeyPairSync(type, getOptions(0))),
-    );
-  }
+  if (isOpenSSL111Fips) {
+    // OpenSSL 1.1.1 FIPS can hang on invalid key generation parameters.
+    // These cases only verify that -0 reaches the same path as +0.
+    common.printSkipMessage(
+      'Skipping invalid key generation parity checks with OpenSSL 1.1.1 FIPS');
+  } else {
+    for (const [type, getOptions] of [
+      ['rsa', (zero) => ({ modulusLength: zero })],
+      ['rsa', (zero) => ({ modulusLength: 512, publicExponent: zero })],
+      ['rsa-pss', (zero) => ({
+        modulusLength: 512,
+        publicExponent: 65537,
+        saltLength: zero,
+      })],
+      ['dsa', (zero) => ({ modulusLength: zero })],
+      ['dsa', (zero) => ({ modulusLength: 512, divisorLength: zero })],
+      ['dh', (zero) => ({ primeLength: zero })],
+      ['dh', (zero) => ({ primeLength: 2, generator: zero })],
+    ]) {
+      assertSameErrorOrSuccess(
+        getOutcome(() => crypto.generateKeyPairSync(type, getOptions(-0))),
+        getOutcome(() => crypto.generateKeyPairSync(type, getOptions(0))),
+      );
+    }
 
-  crypto.generateKeyPair('rsa', { modulusLength: -0 },
-                         common.mustCall((err) => {
-                           assert(err instanceof Error);
-                         }));
+    crypto.generateKeyPair('rsa', { modulusLength: -0 },
+                           common.mustCall((err) => {
+                             assert(err instanceof Error);
+                           }));
+  }
 }
 
 if (!process.features.openssl_is_boringssl) {
