Abort on missing IV if the enc_mode requires it

Previously the code fell back on using a NUL IV if no IV was
passed and the encryption mode required it. This is dangerous and
makes no sense from a practical point of view (as you could just
as well use ECB then).

Author: nikic

ext/mcrypt/mcrypt.c

@@ -1230,9 +1230,9 @@ static void php_mcrypt_do_crypt(char* cipher, const char *key, int key_len, cons
 				memcpy(iv_s, iv, iv_size);
 			}
 		} else if (argc == 4) {
-			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to use an empty IV, which is NOT recommend");
-			iv_s = emalloc(iv_size + 1);
-			memset(iv_s, 0, iv_size + 1);
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Encryption mode requires an initialization vector");
+			efree(key_s);
+			RETURN_FALSE;
 		}
 	}
 

ext/mcrypt/tests/mcrypt_cbc.phpt

@@ -15,7 +15,7 @@ $enc_data = mcrypt_cbc($cipher, $key, $secret, MCRYPT_ENCRYPT, $iv);
 echo trim(mcrypt_cbc($cipher, $key, $enc_data, MCRYPT_DECRYPT, $iv)) . "\n";
 
 // a warning must be issued if we don't use a IV on a AES cipher, that usually requires an IV
-mcrypt_cbc($cipher, $key, $enc_data, MCRYPT_DECRYPT);
+var_dump(mcrypt_cbc($cipher, $key, $enc_data, MCRYPT_DECRYPT));
 
 --EXPECTF--
 
@@ -26,4 +26,5 @@ PHP Testfest 2008
 
 Deprecated: Function mcrypt_cbc() is deprecated in %s on line %d
 
-Warning: mcrypt_cbc(): Attempt to use an empty IV, which is NOT recommend in %s on line %d
+Warning: mcrypt_cbc(): Encryption mode requires an initialization vector in %s on line %d
+bool(false)

ext/mcrypt/tests/mcrypt_cfb.phpt

@@ -15,7 +15,7 @@ $enc_data = mcrypt_cfb($cipher, $key, $secret, MCRYPT_ENCRYPT, $iv);
 echo trim(mcrypt_cfb($cipher, $key, $enc_data, MCRYPT_DECRYPT, $iv)) . "\n";
 
 // a warning must be issued if we don't use a IV on a AES cipher, that usually requires an IV
-mcrypt_cfb($cipher, $key, $enc_data, MCRYPT_DECRYPT);
+var_dump(mcrypt_cfb($cipher, $key, $enc_data, MCRYPT_DECRYPT));
 
 --EXPECTF--
 
@@ -26,4 +26,5 @@ PHP Testfest 2008
 
 Deprecated: Function mcrypt_cfb() is deprecated in %s on line %d
 
-Warning: mcrypt_cfb(): Attempt to use an empty IV, which is NOT recommend in %s on line %d
+Warning: mcrypt_cfb(): Encryption mode requires an initialization vector in %s on line %d
+bool(false)

ext/mcrypt/tests/mcrypt_decrypt.phpt

@@ -16,13 +16,14 @@ $enc_data = mcrypt_encrypt($cipher, $key, $secret, $mode, $iv);
 echo trim(mcrypt_decrypt($cipher, $key, $enc_data, $mode, $iv)) . "\n";
 
 // a warning must be issued if we don't use a IV on a AES cipher, that usually requires an IV
-mcrypt_decrypt($cipher, $key, $enc_data, MCRYPT_MODE_CBC);
+var_dump(mcrypt_decrypt($cipher, $key, $enc_data, MCRYPT_MODE_CBC));
 
-var_dump(strpos(mcrypt_decrypt(MCRYPT_BLOWFISH, "FooBar", $enc_data, MCRYPT_MODE_CBC, $iv), "Testfest") !== false);
+var_dump(mcrypt_decrypt(MCRYPT_BLOWFISH, "FooBar", $enc_data, MCRYPT_MODE_CBC, $iv));
 --EXPECTF--
 PHP Testfest 2008
 
-Warning: mcrypt_decrypt(): Attempt to use an empty IV, which is NOT recommend in %s on line %d
+Warning: mcrypt_decrypt(): Encryption mode requires an initialization vector in %s on line %d
+bool(false)
 
 Warning: mcrypt_decrypt(): The IV parameter must be as long as the blocksize in %s on line %d
-bool(false)
+bool(false)