crypto: fix behavior of createCipher in wrap mode

The old implementation silently failed in EVP_CipherInit_ex in
EVP_CIPH_WRAP_MODE, this commit should fix that.

PR-URL: https://github.com/nodejs/node/pull/21287
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>

1 files changed, 5 insertions, 4 deletions

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 3fcd2910bb..8b152e65c3 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -2611,10 +2611,14 @@ void CipherBase::Init(const char* cipher_type,
                                iv);
 
   ctx_.reset(EVP_CIPHER_CTX_new());
+
+  const int mode = EVP_CIPHER_mode(cipher);
+  if (mode == EVP_CIPH_WRAP_MODE)
+    EVP_CIPHER_CTX_set_flags(ctx_.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+
   const bool encrypt = (kind_ == kCipher);
   EVP_CipherInit_ex(ctx_.get(), cipher, nullptr, nullptr, nullptr, encrypt);
 
-  int mode = EVP_CIPHER_CTX_mode(ctx_.get());
   if (encrypt && (mode == EVP_CIPH_CTR_MODE || mode == EVP_CIPH_GCM_MODE ||
       mode == EVP_CIPH_CCM_MODE)) {
     // Ignore the return value (i.e. possible exception) because we are
@@ -2624,9 +2628,6 @@ void CipherBase::Init(const char* cipher_type,
                        cipher_type);
   }
 
-  if (mode == EVP_CIPH_WRAP_MODE)
-    EVP_CIPHER_CTX_set_flags(ctx_.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
-
   if (IsAuthenticatedMode()) {
     if (!InitAuthenticated(cipher_type, EVP_CIPHER_iv_length(cipher),
                            auth_tag_len))