From a73b575304722a3682fbec3a5fb13b39c5791342 Mon Sep 17 00:00:00 2001
From: Rafael Gonzaga <rafael.nunu@hotmail.com>
Date: Sat, 9 Aug 2025 09:54:53 -0300
Subject: [PATCH 1/4] lib: handle windows reserved device names on UNC

We have found that UNC paths weren't covered
when .join/.normalize windows reserved device
names (COM1, LPT1).

PR-URL: https://github.com/nodejs/node/pull/59286
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 lib/path.js                                   | 37 +++++++++++++++++++
 test/parallel/test-path-join.js               |  8 ++++
 .../test-path-win32-normalize-device-names.js | 15 ++++++++
 3 files changed, 60 insertions(+)

diff --git a/lib/path.js b/lib/path.js
index bee827c06e9973..be6fd8b24ac8bf 100644
--- a/lib/path.js
+++ b/lib/path.js
@@ -400,6 +400,13 @@ const win32 = {
                 // We matched a device root (e.g. \\\\.\\PHYSICALDRIVE0)
                 device = `\\\\${firstPart}`;
                 rootEnd = 4;
+                const colonIndex = StringPrototypeIndexOf(path, ':');
+                // Special case: handle \\?\COM1: or similar reserved device paths
+                const possibleDevice = StringPrototypeSlice(path, 4, colonIndex + 1);
+                if (isWindowsReservedName(possibleDevice, possibleDevice.length - 1)) {
+                  device = `\\\\?\\${possibleDevice}`;
+                  rootEnd = 4 + possibleDevice.length;
+                }
               } else if (j === len) {
                 // We matched a UNC root only
                 // Return the normalized version of the UNC root since there
@@ -558,6 +565,36 @@ const win32 = {
         joined = `\\${StringPrototypeSlice(joined, slashCount)}`;
     }
 
+    // Skip normalization when reserved device names are present
+    const parts = [];
+    let part = '';
+
+    for (let i = 0; i < joined.length; i++) {
+      if (joined[i] === '\\') {
+        if (part) parts.push(part);
+        part = '';
+        // Skip consecutive backslashes
+        while (i + 1 < joined.length && joined[i + 1] === '\\') i++;
+      } else {
+        part += joined[i];
+      }
+    }
+    // Add the final part if any
+    if (part) parts.push(part);
+
+    // Check if any part has a Windows reserved name
+    if (parts.some((p) => {
+      const colonIndex = StringPrototypeIndexOf(p, ':');
+      return colonIndex !== -1 && isWindowsReservedName(p, colonIndex);
+    })) {
+      // Replace forward slashes with backslashes
+      let result = '';
+      for (let i = 0; i < joined.length; i++) {
+        result += joined[i] === '/' ? '\\' : joined[i];
+      }
+      return result;
+    }
+
     return win32.normalize(joined);
   },
 
diff --git a/test/parallel/test-path-join.js b/test/parallel/test-path-join.js
index b8d6375989a75e..ec4f5fea7097a5 100644
--- a/test/parallel/test-path-join.js
+++ b/test/parallel/test-path-join.js
@@ -110,6 +110,14 @@ joinTests.push([
       [['c:.', 'file'], 'c:file'],
       [['c:', '/'], 'c:\\'],
       [['c:', 'file'], 'c:\\file'],
+      // UNC path join tests (Windows)
+      [['\\server\\share', 'file.txt'], '\\server\\share\\file.txt'],
+      [['\\server\\share', 'folder', 'another.txt'], '\\server\\share\\folder\\another.txt'],
+      [['\\server\\share', 'COM1:'], '\\server\\share\\COM1:'],
+      [['\\server\\share', 'path', 'LPT1:'], '\\server\\share\\path\\LPT1:'],
+      [['\\fileserver\\public\\uploads', 'CON:..\\..\\..\\private\\db.conf'],
+       '\\fileserver\\public\\uploads\\CON:..\\..\\..\\private\\db.conf'],
+
       // Path traversal in previous versions of Node.js.
       [['./upload', '/../C:/Windows'], '.\\C:\\Windows'],
       [['upload', '../', 'C:foo'], '.\\C:foo'],
diff --git a/test/parallel/test-path-win32-normalize-device-names.js b/test/parallel/test-path-win32-normalize-device-names.js
index 2c6dcf142a2674..b34c9061e56539 100644
--- a/test/parallel/test-path-win32-normalize-device-names.js
+++ b/test/parallel/test-path-win32-normalize-device-names.js
@@ -9,6 +9,19 @@ if (!common.isWindows) {
 }
 
 const normalizeDeviceNameTests = [
+  // UNC paths: \\server\share\... is a Windows UNC path, where 'server' is the network server name and 'share'
+  // is the shared folder. These are used for network file access and are subject to reserved device name
+  // checks after the share.
+  { input: '\\\\server\\share\\COM1:', expected: '\\\\server\\share\\COM1:' },
+  { input: '\\\\server\\share\\PRN:', expected: '\\\\server\\share\\PRN:' },
+  { input: '\\\\server\\share\\AUX:', expected: '\\\\server\\share\\AUX:' },
+  { input: '\\\\server\\share\\LPT1:', expected: '\\\\server\\share\\LPT1:' },
+  { input: '\\\\server\\share\\COM1:\\foo\\bar', expected: '\\\\server\\share\\COM1:\\foo\\bar' },
+  { input: '\\\\server\\share\\path\\COM1:', expected: '\\\\server\\share\\path\\COM1:' },
+  { input: '\\\\server\\share\\COM1:..\\..\\..\\..\\Windows', expected: '\\\\server\\share\\Windows' },
+  { input: '\\\\server\\share\\path\\to\\LPT9:..\\..\\..\\..\\..\\..\\..\\..\\..\\file.txt',
+    expected: '\\\\server\\share\\file.txt' },
+
   { input: 'CON', expected: 'CON' },
   { input: 'con', expected: 'con' },
   { input: 'CON:', expected: '.\\CON:.' },
@@ -81,6 +94,8 @@ const normalizeDeviceNameTests = [
   // Test cases from original vulnerability reports or similar scenarios
   { input: 'COM1:.\\..\\..\\foo.js', expected: '.\\COM1:..\\..\\foo.js' },
   { input: 'LPT1:.\\..\\..\\another.txt', expected: '.\\LPT1:..\\..\\another.txt' },
+  // UNC paths
+  { input: '\\\\?\\COM1:.\\..\\..\\foo2.js', expected: '\\\\?\\COM1:\\foo2.js' },
 
   // Paths with device names not at the beginning
   { input: 'C:\\CON', expected: 'C:\\CON' },

From 3c741f7ccd47119077eabdb15ee2427a6bd09a1b Mon Sep 17 00:00:00 2001
From: Filip Skokan <panva.ip@gmail.com>
Date: Sat, 9 Aug 2025 17:35:12 +0100
Subject: [PATCH 2/4] doc: fix Pbkdf2Params hash attribute heading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs/node/pull/59395
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
---
 doc/api/webcrypto.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/webcrypto.md b/doc/api/webcrypto.md
index 52b26496a792ae..b2506dee18c3c3 100644
--- a/doc/api/webcrypto.md
+++ b/doc/api/webcrypto.md
@@ -1573,7 +1573,7 @@ added: v15.0.0
 added: v15.0.0
 -->
 
-#### `pbkdb2Params.hash`
+#### `pbkdf2Params.hash`
 
 <!-- YAML
 added: v15.0.0

From 7a450272fb0c0ec2b3b07eb0dcc1b54dbf042851 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Sat, 9 Aug 2025 19:18:51 +0200
Subject: [PATCH 3/4] test,crypto: skip unsupported ciphers

PR-URL: https://github.com/nodejs/node/pull/59388
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
---
 test/parallel/test-crypto-aes-wrap.js         |   5 +
 .../test-crypto-authenticated-stream.js       |   5 +
 test/parallel/test-crypto-authenticated.js    | 275 ++++++++++--------
 .../test-crypto-default-shake-lengths.js      |   5 +
 test/parallel/test-crypto-des3-wrap.js        |   4 +
 test/parallel/test-crypto-ecb.js              |   4 +
 test/parallel/test-crypto-padding-aes256.js   |   3 +
 7 files changed, 183 insertions(+), 118 deletions(-)

diff --git a/test/parallel/test-crypto-aes-wrap.js b/test/parallel/test-crypto-aes-wrap.js
index 21d48d8a3fbae7..951e93d728e32b 100644
--- a/test/parallel/test-crypto-aes-wrap.js
+++ b/test/parallel/test-crypto-aes-wrap.js
@@ -53,6 +53,11 @@ const key3 = Buffer.from('29c9eab5ed5ad44134a1437fe2e673b4d88a5b7c72e68454fea087
     text: '12345678123456781234567812345678123'
   },
 ].forEach(({ algorithm, key, iv, text }) => {
+  if (!crypto.getCiphers().includes(algorithm)) {
+    common.printSkipMessage(`Skipping unsupported ${algorithm} test case`);
+    return;
+  }
+
   const cipher = crypto.createCipheriv(algorithm, key, iv);
   const decipher = crypto.createDecipheriv(algorithm, key, iv);
   const msg = decipher.update(cipher.update(text, 'utf8'), 'buffer', 'utf8');
diff --git a/test/parallel/test-crypto-authenticated-stream.js b/test/parallel/test-crypto-authenticated-stream.js
index fcd53aa4696abc..51b928ec36be1f 100644
--- a/test/parallel/test-crypto-authenticated-stream.js
+++ b/test/parallel/test-crypto-authenticated-stream.js
@@ -115,6 +115,11 @@ function fstream(config) {
 fstream.count = 0;
 
 function test(config) {
+  if (!crypto.getCiphers().includes(config.cipher)) {
+    common.printSkipMessage(`unsupported cipher: ${config.cipher}`);
+    return;
+  }
+
   direct(config);
   mstream(config);
   fstream(config);
diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
index 5f74f7c2611138..e8fedf2d5d5072 100644
--- a/test/parallel/test-crypto-authenticated.js
+++ b/test/parallel/test-crypto-authenticated.js
@@ -248,49 +248,24 @@ for (const test of TEST_CASES) {
 // Test that create(De|C)ipheriv throws if the mode is CCM and an invalid
 // authentication tag length has been specified.
 {
-  for (const authTagLength of [-1, true, false, NaN, 5.5]) {
-    assert.throws(() => {
-      crypto.createCipheriv('aes-256-ccm',
-                            'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                            'qkuZpJWCewa6S',
-                            {
-                              authTagLength
-                            });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.authTagLength' is invalid. " +
-               `Received ${inspect(authTagLength)}`
-    });
-
-    assert.throws(() => {
-      crypto.createDecipheriv('aes-256-ccm',
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    for (const authTagLength of [-1, true, false, NaN, 5.5]) {
+      assert.throws(() => {
+        crypto.createCipheriv('aes-256-ccm',
                               'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
                               'qkuZpJWCewa6S',
                               {
                                 authTagLength
                               });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.authTagLength' is invalid. " +
-        `Received ${inspect(authTagLength)}`
-    });
-  }
-
-  // The following values will not be caught by the JS layer and thus will not
-  // use the default error codes.
-  for (const authTagLength of [0, 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 18]) {
-    assert.throws(() => {
-      crypto.createCipheriv('aes-256-ccm',
-                            'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                            'qkuZpJWCewa6S',
-                            {
-                              authTagLength
-                            });
-    }, errMessages.authTagLength);
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.authTagLength' is invalid. " +
+                `Received ${inspect(authTagLength)}`
+      });
 
-    if (!isFipsEnabled) {
       assert.throws(() => {
         crypto.createDecipheriv('aes-256-ccm',
                                 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -298,7 +273,36 @@ for (const test of TEST_CASES) {
                                 {
                                   authTagLength
                                 });
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.authTagLength' is invalid. " +
+          `Received ${inspect(authTagLength)}`
+      });
+    }
+
+    // The following values will not be caught by the JS layer and thus will not
+    // use the default error codes.
+    for (const authTagLength of [0, 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 18]) {
+      assert.throws(() => {
+        crypto.createCipheriv('aes-256-ccm',
+                              'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                              'qkuZpJWCewa6S',
+                              {
+                                authTagLength
+                              });
       }, errMessages.authTagLength);
+
+      if (!isFipsEnabled) {
+        assert.throws(() => {
+          crypto.createDecipheriv('aes-256-ccm',
+                                  'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                  'qkuZpJWCewa6S',
+                                  {
+                                    authTagLength
+                                  });
+        }, errMessages.authTagLength);
+      }
     }
   }
 }
@@ -307,6 +311,11 @@ for (const test of TEST_CASES) {
 // authentication tag length has been specified.
 {
   for (const mode of ['ccm', 'ocb']) {
+    if (!ciphers.includes(`aes-256-${mode}`)) {
+      common.printSkipMessage(`unsupported aes-256-${mode} test`);
+      continue;
+    }
+
     assert.throws(() => {
       crypto.createCipheriv(`aes-256-${mode}`,
                             'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -330,84 +339,96 @@ for (const test of TEST_CASES) {
 
 // Test that setAAD throws if an invalid plaintext length has been specified.
 {
-  const cipher = crypto.createCipheriv('aes-256-ccm',
-                                       'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                       'qkuZpJWCewa6S',
-                                       {
-                                         authTagLength: 10
-                                       });
-
-  for (const plaintextLength of [-1, true, false, NaN, 5.5]) {
-    assert.throws(() => {
-      cipher.setAAD(Buffer.from('0123456789', 'hex'), { plaintextLength });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.plaintextLength' is invalid. " +
-        `Received ${inspect(plaintextLength)}`
-    });
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    const cipher = crypto.createCipheriv('aes-256-ccm',
+                                         'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                         'qkuZpJWCewa6S',
+                                         {
+                                           authTagLength: 10
+                                         });
+
+    for (const plaintextLength of [-1, true, false, NaN, 5.5]) {
+      assert.throws(() => {
+        cipher.setAAD(Buffer.from('0123456789', 'hex'), { plaintextLength });
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.plaintextLength' is invalid. " +
+          `Received ${inspect(plaintextLength)}`
+      });
+    }
   }
 }
 
 // Test that setAAD and update throw if the plaintext is too long.
 {
-  for (const ivLength of [13, 12]) {
-    const maxMessageSize = (1 << (8 * (15 - ivLength))) - 1;
-    const key = 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8';
-    const cipher = () => crypto.createCipheriv('aes-256-ccm', key,
-                                               '0'.repeat(ivLength),
-                                               {
-                                                 authTagLength: 10
-                                               });
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    for (const ivLength of [13, 12]) {
+      const maxMessageSize = (1 << (8 * (15 - ivLength))) - 1;
+      const key = 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8';
+      const cipher = () => crypto.createCipheriv('aes-256-ccm', key,
+                                                 '0'.repeat(ivLength),
+                                                 {
+                                                   authTagLength: 10
+                                                 });
 
-    assert.throws(() => {
-      cipher().setAAD(Buffer.alloc(0), {
-        plaintextLength: maxMessageSize + 1
-      });
-    }, /Invalid message length$/);
+      assert.throws(() => {
+        cipher().setAAD(Buffer.alloc(0), {
+          plaintextLength: maxMessageSize + 1
+        });
+      }, /Invalid message length$/);
 
-    const msg = Buffer.alloc(maxMessageSize + 1);
-    assert.throws(() => {
-      cipher().update(msg);
-    }, /Invalid message length/);
+      const msg = Buffer.alloc(maxMessageSize + 1);
+      assert.throws(() => {
+        cipher().update(msg);
+      }, /Invalid message length/);
 
-    const c = cipher();
-    c.setAAD(Buffer.alloc(0), {
-      plaintextLength: maxMessageSize
-    });
-    c.update(msg.slice(1));
+      const c = cipher();
+      c.setAAD(Buffer.alloc(0), {
+        plaintextLength: maxMessageSize
+      });
+      c.update(msg.slice(1));
+    }
   }
 }
 
 // Test that setAAD throws if the mode is CCM and the plaintext length has not
 // been specified.
 {
-  assert.throws(() => {
-    const cipher = crypto.createCipheriv('aes-256-ccm',
-                                         'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                         'qkuZpJWCewa6S',
-                                         {
-                                           authTagLength: 10
-                                         });
-    cipher.setAAD(Buffer.from('0123456789', 'hex'));
-  }, /options\.plaintextLength required for CCM mode with AAD/);
-
-  if (!isFipsEnabled) {
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
     assert.throws(() => {
-      const cipher = crypto.createDecipheriv('aes-256-ccm',
-                                             'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                             'qkuZpJWCewa6S',
-                                             {
-                                               authTagLength: 10
-                                             });
+      const cipher = crypto.createCipheriv('aes-256-ccm',
+                                           'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                           'qkuZpJWCewa6S',
+                                           {
+                                             authTagLength: 10
+                                           });
       cipher.setAAD(Buffer.from('0123456789', 'hex'));
     }, /options\.plaintextLength required for CCM mode with AAD/);
+
+    if (!isFipsEnabled) {
+      assert.throws(() => {
+        const cipher = crypto.createDecipheriv('aes-256-ccm',
+                                               'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                               'qkuZpJWCewa6S',
+                                               {
+                                                 authTagLength: 10
+                                               });
+        cipher.setAAD(Buffer.from('0123456789', 'hex'));
+      }, /options\.plaintextLength required for CCM mode with AAD/);
+    }
   }
 }
 
 // Test that final() throws in CCM mode when no authentication tag is provided.
 {
-  if (!isFipsEnabled) {
+  if (!isFipsEnabled && ciphers.includes('aes-128-ccm')) {
     const key = Buffer.from('1ed2233fa2223ef5d7df08546049406c', 'hex');
     const iv = Buffer.from('7305220bca40d4c90e1791e9', 'hex');
     const ct = Buffer.from('8beba09d4d4d861f957d51c0794f4abf8030848e', 'hex');
@@ -439,12 +460,16 @@ for (const test of TEST_CASES) {
 
 // Test that an IV length of 11 does not overflow max_message_size_.
 {
-  const key = 'x'.repeat(16);
-  const iv = Buffer.from('112233445566778899aabb', 'hex');
-  const options = { authTagLength: 8 };
-  const encrypt = crypto.createCipheriv('aes-128-ccm', key, iv, options);
-  encrypt.update('boom');  // Should not throw 'Message exceeds maximum size'.
-  encrypt.final();
+  if (!ciphers.includes('aes-128-ccm')) {
+    common.printSkipMessage(`unsupported aes-128-ccm test`);
+  } else {
+    const key = 'x'.repeat(16);
+    const iv = Buffer.from('112233445566778899aabb', 'hex');
+    const options = { authTagLength: 8 };
+    const encrypt = crypto.createCipheriv('aes-128-ccm', key, iv, options);
+    encrypt.update('boom');  // Should not throw 'Message exceeds maximum size'.
+    encrypt.final();
+  }
 }
 
 // Test that the authentication tag can be set at any point before calling
@@ -499,6 +524,11 @@ for (const test of TEST_CASES) {
   }
 
   for (const alg of ['aes-256-gcm', 'aes-256-ocb', 'chacha20-poly1305']) {
+    if (!ciphers.includes(alg)) {
+      common.printSkipMessage(`unsupported ${alg} test`);
+      continue;
+    }
+
     for (const authTagLength of alg === 'aes-256-gcm' ? [undefined, 8] : [8]) {
       for (const [useAAD, useMessage] of [
         [false, false],  // No AAD, no update.
@@ -520,6 +550,11 @@ for (const test of TEST_CASES) {
   const opts = { authTagLength: 8 };
 
   for (const mode of ['gcm', 'ccm', 'ocb']) {
+    if (!ciphers.includes(`aes-128-${mode}`)) {
+      common.printSkipMessage(`unsupported aes-128-${mode} test`);
+      continue;
+    }
+
     const cipher = crypto.createCipheriv(`aes-128-${mode}`, key, iv, opts);
     const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]);
     const tag = cipher.getAuthTag();
@@ -563,25 +598,29 @@ for (const test of TEST_CASES) {
     tampered: false,
   };
 
-  // Invalid IV lengths should be detected:
-  // - 12 and below are valid.
-  // - 13-16 are not detected as invalid by some OpenSSL versions.
-  check(13);
-  check(14);
-  check(15);
-  check(16);
-  // - 17 and above were always detected as invalid by OpenSSL.
-  check(17);
-
-  function check(ivLength) {
-    const prefix = ivLength - valid.iv.length / 2;
-    assert.throws(() => crypto.createCipheriv(
-      valid.algo,
-      Buffer.from(valid.key, 'hex'),
-      Buffer.from(H(prefix) + valid.iv, 'hex')
-    ), errMessages.length, `iv length ${ivLength} was not rejected`);
-
-    function H(length) { return '00'.repeat(length); }
+  if (!ciphers.includes(valid.algo)) {
+    common.printSkipMessage(`unsupported ${valid.algo} test`);
+  } else {
+    // Invalid IV lengths should be detected:
+    // - 12 and below are valid.
+    // - 13-16 are not detected as invalid by some OpenSSL versions.
+    check(13);
+    check(14);
+    check(15);
+    check(16);
+    // - 17 and above were always detected as invalid by OpenSSL.
+    check(17);
+
+    function check(ivLength) {
+      const prefix = ivLength - valid.iv.length / 2;
+      assert.throws(() => crypto.createCipheriv(
+        valid.algo,
+        Buffer.from(valid.key, 'hex'),
+        Buffer.from(H(prefix) + valid.iv, 'hex')
+      ), errMessages.length, `iv length ${ivLength} was not rejected`);
+
+      function H(length) { return '00'.repeat(length); }
+    }
   }
 }
 
diff --git a/test/parallel/test-crypto-default-shake-lengths.js b/test/parallel/test-crypto-default-shake-lengths.js
index ae463b61db574e..870468cbdc63df 100644
--- a/test/parallel/test-crypto-default-shake-lengths.js
+++ b/test/parallel/test-crypto-default-shake-lengths.js
@@ -4,6 +4,11 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
+const crypto = require('crypto');
+if (!crypto.getHashes().includes('shake128')) {
+  common.skip('unsupported shake128 test');
+}
+
 const { createHash } = require('crypto');
 
 common.expectWarning({
diff --git a/test/parallel/test-crypto-des3-wrap.js b/test/parallel/test-crypto-des3-wrap.js
index 75c8cd574fd662..54d8a4c4014abc 100644
--- a/test/parallel/test-crypto-des3-wrap.js
+++ b/test/parallel/test-crypto-des3-wrap.js
@@ -6,6 +6,10 @@ if (!common.hasCrypto)
 const assert = require('assert');
 const crypto = require('crypto');
 
+const ciphers = crypto.getCiphers();
+if (!ciphers.includes('des3-wrap'))
+  common.skip('des3-wrap cipher is not available');
+
 // Test case for des-ede3 wrap/unwrap. des3-wrap needs extra 2x blocksize
 // then plaintext to store ciphertext.
 const test = {
diff --git a/test/parallel/test-crypto-ecb.js b/test/parallel/test-crypto-ecb.js
index 6439c9354a059e..06c88272438a05 100644
--- a/test/parallel/test-crypto-ecb.js
+++ b/test/parallel/test-crypto-ecb.js
@@ -37,6 +37,10 @@ if (hasOpenSSL3) {
     'OpenSSl 3.x');
 }
 
+if (!crypto.getCiphers().includes('BF-ECB')) {
+  common.skip('BF-ECB cipher is not available');
+}
+
 const assert = require('assert');
 
 // Testing whether EVP_CipherInit_ex is functioning correctly.
diff --git a/test/parallel/test-crypto-padding-aes256.js b/test/parallel/test-crypto-padding-aes256.js
index 14d853bdfd0a5d..164d06413a7d14 100644
--- a/test/parallel/test-crypto-padding-aes256.js
+++ b/test/parallel/test-crypto-padding-aes256.js
@@ -27,6 +27,9 @@ if (!common.hasCrypto)
 const assert = require('assert');
 const crypto = require('crypto');
 
+if (!crypto.getCiphers().includes('aes256'))
+  common.skip('aes256 cipher is not available');
+
 const iv = Buffer.from('00000000000000000000000000000000', 'hex');
 const key = Buffer.from('0123456789abcdef0123456789abcdef' +
                         '0123456789abcdef0123456789abcdef', 'hex');

From a93c1c0aa53c626042243c70e2bc3d73f0584736 Mon Sep 17 00:00:00 2001
From: Filip Skokan <panva.ip@gmail.com>
Date: Sat, 9 Aug 2025 19:43:07 +0100
Subject: [PATCH 4/4] doc: rename x509.extKeyUsage to x509.keyUsage

PR-URL: https://github.com/nodejs/node/pull/59332
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 doc/api/crypto.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index cde3893ab4aab4..53c0c3ba2bdd80 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -2690,16 +2690,6 @@ added: v15.6.0
 Checks whether the public key for this certificate is consistent with
 the given private key.
 
-### `x509.extKeyUsage`
-
-<!-- YAML
-added: v15.6.0
--->
-
-* Type: {string\[]}
-
-An array detailing the key extended usages for this certificate.
-
 ### `x509.fingerprint`
 
 <!-- YAML
@@ -2791,6 +2781,16 @@ added: v15.9.0
 The issuer certificate or `undefined` if the issuer certificate is not
 available.
 
+### `x509.keyUsage`
+
+<!-- YAML
+added: v15.6.0
+-->
+
+* Type: {string\[]}
+
+An array detailing the key extended usages for this certificate.
+
 ### `x509.publicKey`
 
 <!-- YAML