
Why Bad state: IV is required, after upgrade from 4.0.2 to 5.0.0.

Open SevenCho opened this issue 4 years ago • 8 comments

After upgrading from 4.0.4 to 5.0.0, the original encryption algorithm is wrong.

Mode: ECB Padding: PKCS7 IV: No

    final key = Key(Uint8List.fromList(keyBytes));
    final encrypter = Encrypter(AES(key, mode: AESMode.ecb, padding: 'PKCS7'));
    final encrypted = encrypter.encryptBytes(input);

  • Now there is an IV error. I checked the stack and found that it is because the IV is null, but I don't need the IV parameter at all.
  • The source code that caused the error:

    @override
    Encrypted encrypt(Uint8List bytes, {IV? iv}) {
      if (iv == null) {
        throw StateError('IV is required.');
      }

      if (_streamCipher != null) {
        _streamCipher!
          ..reset()
          ..init(true, _buildParams(iv));

        return Encrypted(_streamCipher!.process(bytes));
      }

SevenCho avatar Apr 29 '21 03:04 SevenCho

@are the ECB mode doesn't require an IV. Do you have fresh in mind why this check is there? Can I just remove it?

leocavalcante avatar Apr 29 '21 12:04 leocavalcante

That was because the _buildParams method uses the ParametersWithIV class that requires iv to be not null, so the check was added to make sure it's supplied.

are avatar Apr 29 '21 12:04 are

Right, thanks.

@SevenCho can you work around this for now by giving a meaningless IV, please?

    final encrypted = encrypter.encryptBytes(input, iv: IV.fromLength(16));

I will be thinking about a proper strategy to handle this.

leocavalcante avatar Apr 29 '21 12:04 leocavalcante

> Right, thanks.
>
> @SevenCho can you work around this for now by giving a meaningless IV, please?
>
>     final encrypted = encrypter.encryptBytes(input, iv: IV.fromLength(16));
>
> I will be thinking about a proper strategy to handle this.

Giving a meaningless IV works. I tried different meaningless IVs, but I don't know if this will cause potential problems.

    final iv = IV.fromBase16("");
    final iv = IV.fromLength(16);

SevenCho avatar Apr 30 '21 01:04 SevenCho

Don't worry, for ECB it will just be ignored.

leocavalcante avatar Apr 30 '21 11:04 leocavalcante
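
A way to check the behaviour described above on your own install, as an added example that is not part of the original thread or the package's own code. It assumes the `encrypt` package with the placeholder-IV workaround from this thread; the key and plaintext are constructed sample values and `sameBytes` is a helper written for this example.

```dart
import 'dart:typed_data';
import 'package:encrypt/encrypt.dart';

// Constructed 32-byte sample key (bytes 0..31); not a value from the thread.
final key = Key(Uint8List.fromList(List<int>.generate(32, (i) => i)));
final encrypter = Encrypter(AES(key, mode: AESMode.ecb, padding: 'PKCS7'));

// Helper for this example: byte-wise comparison of two buffers.
bool sameBytes(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  for (var i = 0; i < a.length; i++) {
    if (a[i] != b[i]) return false;
  }
  return true;
}

void main() {
  // Constructed plaintext: two identical 16-byte blocks plus a short tail
  // so that PKCS7 padding is exercised as well.
  final input = Uint8List.fromList([...List.filled(32, 0x41), 0x42, 0x43]);

  // Encrypt the same input under an all-zero IV and a random IV.
  final withZeroIv = encrypter.encryptBytes(input, iv: IV.fromLength(16));
  final withRandomIv =
      encrypter.encryptBytes(input, iv: IV.fromSecureRandom(16));

  // If ECB ignores the IV, both ciphertexts are byte-for-byte identical.
  print('IV ignored on encrypt: '
      '${sameBytes(withZeroIv.bytes, withRandomIv.bytes)}');

  // Decrypting with an unrelated IV should still recover the input, so data
  // written before the upgrade stays readable with any placeholder IV.
  final plain =
      encrypter.decryptBytes(withZeroIv, iv: IV.fromSecureRandom(16));
  print('round trip with unrelated IV: ${sameBytes(plain, input)}');

  // With no IV in play, ECB is deterministic per block: the two equal
  // plaintext blocks encrypt to equal ciphertext blocks.
  final block0 = withZeroIv.bytes.sublist(0, 16);
  final block1 = withZeroIv.bytes.sublist(16, 32);
  print('equal plaintext blocks give equal ciphertext blocks: '
      '${sameBytes(block0, block1)}');
}
```

The third check is the property to keep in mind when deciding whether ECB is acceptable for the data at all: the placeholder IV changes nothing, and repeated plaintext blocks stay visible in the ciphertext.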

Please fix this, ECB does not require an IV. So supplying an IV should not be required. Also worse is that the function still fails if you provide null, even though signature specifically allows it:

https://pub.dev/documentation/encrypt/latest/encrypt/Encrypter/encrypt.html

89z avatar May 12 '21 23:05 89z

> Please fix this, ECB does not require an IV. So supplying an IV should not be required. Also worse is that the function still fails if you provide null, even though signature specifically allows it:
>
> https://pub.dev/documentation/encrypt/latest/encrypt/Encrypter/encrypt.html

But in my case it is still giving an error.

hiashutoshsingh avatar Jun 21 '21 11:06 hiashutoshsingh

> Right, thanks.
>
> @SevenCho can you work around this for now by giving a meaningless IV, please?
>
>     final encrypted = encrypter.encryptBytes(input, iv: IV.fromLength(16));
>
> I will be thinking about a proper strategy to handle this.

I think moving the iv == null check into the _buildParams method right before the return would solve this?

wbusey0 avatar Jun 22 '21 15:06 wbusey0