crypto: Fix createCipheriv with null IVs and FIPS mode.

nodejs · iangcarroll · Jun 27, 2017 · Jun 27, 2017 · Jul 4, 2017 · Jul 4, 2017
commit 39a2112a40eb259f904566ac952a73c72d01bea8
diff --git a/lib/crypto.js b/lib/crypto.js
@@ -243,7 +243,7 @@ function Cipheriv(cipher, key, iv, options) {
   if (!(this instanceof Cipheriv))
     return new Cipheriv(cipher, key, iv, options);
   this._handle = new binding.CipherBase(true);
-  this._handle.initiv(cipher, toBuf(key), iv ? toBuf(iv) : null);
+  this._handle.initiv(cipher, toBuf(key), iv ? toBuf(iv) : Buffer([]));
   this._decoder = null;
 
   LazyTransform.call(this, options);
@@ -291,7 +291,7 @@ function Decipheriv(cipher, key, iv, options) {
     return new Decipheriv(cipher, key, iv, options);
 
   this._handle = new binding.CipherBase(false);
-  this._handle.initiv(cipher, toBuf(key), toBuf(iv));
+  this._handle.initiv(cipher, toBuf(key), iv ? toBuf(iv) : Buffer([]));
   this._decoder = null;
 
   LazyTransform.call(this, options);

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -3537,10 +3537,7 @@ void CipherBase::InitIv(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_IF_NOT_STRING(args[0], "Cipher type");
   THROW_AND_RETURN_IF_NOT_BUFFER(args[1], "Key");
-
-  if (!Buffer::HasInstance(args[2]) && !args[2]->IsNull()) {
-    return env->ThrowTypeError("IV must be a buffer or null");
-  }
+  THROW_AND_RETURN_IF_NOT_BUFFER(args[2], "IV");
 
   const node::Utf8Value cipher_type(env->isolate(), args[0]);
   ssize_t key_len = Buffer::Length(args[1]);

diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
@@ -393,7 +393,7 @@ for (const i in TEST_CASES) {
   if (test.password) {
     if (!test.algo.endsWith('ecb')) {
       assert.throws(() => { crypto.createCipher(test.algo, test.password); },
-                    errMessages.IV);
+                    common.hasFipsCrypto ? errMessages.FIPS : errMessages.IV);
     } else {
       const encrypt = crypto.createCipher(test.algo, test.password);
       if (test.aad)

diff --git a/test/parallel/test-crypto-deprecated.js b/test/parallel/test-crypto-deprecated.js
@@ -29,8 +29,11 @@ crypto.Cipher;
 
 assert.throws(() => {
   crypto.createCipher('aes-128-cbc', 'this-should-throw');
-}, /no longer supported with ciphers that require initialization vectors/);
+}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /no longer supported with ciphers that require initialization vectors/);
 
-assert.doesNotThrow(() => {
-  crypto.createCipher('aes-128-ecb', 'this-should-warn');
-});
+
+if (!common.hasFipsCrypto) {
+  assert.doesNotThrow(() => {
+    crypto.createCipher('aes-128-ecb', 'this-should-warn');
+  });
+}
diff --git a/test/parallel/test-crypto-ecb.js b/test/parallel/test-crypto-ecb.js
@@ -39,16 +39,14 @@ crypto.DEFAULT_ENCODING = 'buffer';
 // Reference: bug#1997
 
 {
-  const encrypt =
-    crypto.createCipheriv('BF-ECB', 'SomeRandomBlahz0c5GZVnR', '');
+  const encrypt = crypto.createCipheriv('BF-ECB', 'SomeRandomBlahz0c5GZVnR');
   let hex = encrypt.update('Hello World!', 'ascii', 'hex');
   hex += encrypt.final('hex');
   assert.strictEqual(hex.toUpperCase(), '6D385F424AAB0CFBF0BB86E07FFB7D71');
 }
 
-{
-  const decrypt =
-    crypto.createDecipheriv('BF-ECB', 'SomeRandomBlahz0c5GZVnR', '');
+{  
+  const decrypt = crypto.createDecipheriv('BF-ECB', 'SomeRandomBlahz0c5GZVnR');
   let msg = decrypt.update('6D385F424AAB0CFBF0BB86E07FFB7D71', 'hex', 'ascii');
   msg += decrypt.final('ascii');
   assert.strictEqual(msg, 'Hello World!');

diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
@@ -135,9 +135,13 @@ testImmutability(crypto.getCurves);
 
 // Regression tests for #5725: hex input that's not a power of two should
 // throw, not assert in C++ land.
+if (common.hasFipsCrypto) {
+
+}
+
 assert.throws(function() {
   crypto.createCipher('aes192', 'test').update('0', 'hex');
-}, /no longer supported with ciphers that require initialization vectors/);
+}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /no longer supported with ciphers that require initialization vectors/);
 
 assert.throws(function() {
   crypto.createDecipher('aes192', 'test').update('0', 'hex');