crypto: fix faulty logic in iv size check

Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM
ciphers to have a longer IV length") from April 2016 where a misplaced
parenthesis in a 'is ECB cipher?' check made it possible to use empty
IVs with non-ECB ciphers.

Also fix some exit bugs in test/parallel/test-crypto-authenticated.js
that were introduced in commit 4a40832 ("test: cleanup IIFE tests")
where removing the IFFEs made the test exit prematurely instead of just
skipping subtests.

PR-URL: https://github.com/nodejs/node/pull/9032
Refs: https://github.com/nodejs/node/pull/6376
Refs: https://github.com/nodejs/node/issues/9024
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

1 files changed, 17 insertions, 25 deletions

diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
index 0e1c1298bf..8eab91e549 100644
--- a/test/parallel/test-crypto-authenticated.js
+++ b/test/parallel/test-crypto-authenticated.js
@@ -307,10 +307,10 @@ const TEST_CASES = [
     tag: 'a44a8266ee1c8eb0c8b5d4cf5ae9f19a', tampered: false },
 ];
 
-var ciphers = crypto.getCiphers();
+const ciphers = crypto.getCiphers();
 
-for (var i in TEST_CASES) {
-  var test = TEST_CASES[i];
+for (const i in TEST_CASES) {
+  const test = TEST_CASES[i];
 
   if (ciphers.indexOf(test.algo) === -1) {
     common.skip('unsupported ' + test.algo + ' test');
@@ -359,8 +359,7 @@ for (var i in TEST_CASES) {
     }
   }
 
-  {
-    if (!test.password) return;
+  if (test.password) {
     if (common.hasFipsCrypto) {
       assert.throws(() => { crypto.createCipher(test.algo, test.password); },
                     /not supported in FIPS mode/);
@@ -379,8 +378,7 @@ for (var i in TEST_CASES) {
     }
   }
 
-  {
-    if (!test.password) return;
+  if (test.password) {
     if (common.hasFipsCrypto) {
       assert.throws(() => { crypto.createDecipher(test.algo, test.password); },
                     /not supported in FIPS mode/);
@@ -400,24 +398,6 @@ for (var i in TEST_CASES) {
     }
   }
 
-  // after normal operation, test some incorrect ways of calling the API:
-  // it's most certainly enough to run these tests with one algorithm only.
-
-  if (i > 0) {
-    continue;
-  }
-
-  {
-    // non-authenticating mode:
-    const encrypt = crypto.createCipheriv('aes-128-cbc',
-      'ipxp9a6i1Mb4USb4', '6fKjEjR3Vl30EUYC');
-    encrypt.update('blah', 'ascii');
-    encrypt.final();
-    assert.throws(() => { encrypt.getAuthTag(); }, / state/);
-    assert.throws(() => { encrypt.setAAD(Buffer.from('123', 'ascii')); },
-                  / state/);
-  }
-
   {
     // trying to get tag before inputting all data:
     const encrypt = crypto.createCipheriv(test.algo,
@@ -452,3 +432,15 @@ for (var i in TEST_CASES) {
     }, /Invalid IV length/);
   }
 }
+
+// Non-authenticating mode:
+{
+  const encrypt =
+      crypto.createCipheriv('aes-128-cbc',
+                            'ipxp9a6i1Mb4USb4',
+                            '6fKjEjR3Vl30EUYC');
+  encrypt.update('blah', 'ascii');
+  encrypt.final();
+  assert.throws(() => encrypt.getAuthTag(), / state/);
+  assert.throws(() => encrypt.setAAD(Buffer.from('123', 'ascii')), / state/);
+}