解密由openssl_encrypt在PHP中加密的AES-256-CBC密文时出现错误的块大小错误

I have a PHP module that encrypts emails with aes-256-cbc using openssl_encrypt.

The ciphertexts generated by this module can be decrypted by this module as well.

But if I try to decrypt them with an implementation of aes-256-cbc in Go with the same IV and Key, I get a bad blocksize error. The block size is supposed to be in multiples of 16 but the ciphertext generated by PHP is not in multiples of 16.

Here is the code

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/sha256"
    "encoding/base64"
    "encoding/hex"
    "fmt"
)

var (
    IV  = []byte("fg3Dk54f4340fKF2JTC9")
    KEY = []byte("13GsJd6076v69^f4(fdB")
)

func main() {

    h := sha256.New()
    h.Write(KEY)
    KEY = []byte(hex.EncodeToString(h.Sum(nil))[:32])

    h.Reset()
    h.Write(IV)
    IV = []byte(hex.EncodeToString(h.Sum(nil))[:16])

   fmt.Println("Key", string(KEY))
   fmt.Println("IV", string(IV))

   // This ciphertext was generated by the PHP module
   de := "ZHRodkpCK3R5QXlCMnh3MFdudDh3Zz09"

   q, err := decrypt(KEY, IV, []byte(de))

   fmt.Println(string(q), err)
}

// Returns slice of the original data without padding.
func pkcs7Unpad(data []byte, blocklen int) ([]byte, error) {
    if blocklen <= 0 {
        return nil, fmt.Errorf("invalid blocklen %d", blocklen)
    }
    if len(data)%blocklen != 0 || len(data) == 0 {
        return nil, fmt.Errorf("invalid data len %d", len(data))
    }
    padlen := int(data[len(data)-1])
    if padlen > blocklen || padlen == 0 {
        return nil, fmt.Errorf("invalid padding")
    }
   // check padding
   pad := data[len(data)-padlen:]
   for i := 0; i < padlen; i++ {
        if pad[i] != byte(padlen) {
            return nil, fmt.Errorf("invalid padding")
        }
   }

   return data[:len(data)-padlen], nil
}

func decrypt(key, iv, data []byte) ([]byte, error) {
    var err error
    data, err = base64.StdEncoding.DecodeString(string(data))
    if err != nil {
        return nil, err
    }

    if len(data) == 0 || len(data)%aes.BlockSize != 0 {
        return nil, fmt.Errorf("bad blocksize(%v), aes.BlockSize = %v
", len(data), aes.BlockSize)
    }
    c, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }
    cbc := cipher.NewCBCDecrypter(c, iv)
    cbc.CryptBlocks(data[aes.BlockSize:], data[aes.BlockSize:])
    out, err := pkcs7Unpad(data[aes.BlockSize:], aes.BlockSize)
    if err != nil {
        return out, err
    }
    return out, nil
}

I have tried different things like using OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING in PHP module but absolutely nothing has worked.

The ciphertext used in above program was generated with options field in openssl_encrypt set to 0.

My speculation is, PHP doesn't pads input before encrypting them which generates ciphertexts that are not multiples of 16.

PHP implementation

<?php
class MBM_Encrypt_Decrypt {
    const ENCRYPT_METHOD = 'AES-256-CBC'; // type of encryption
    const SECRET_KEY = '13GsJd6076v69^f4(fdB'; // secret key
    const SECRET_IV = 'fg3Dk54f4340fKF2JTC9'; // secret iv

    public function encrypt($string) {
        return $this->encrypt_decrypt('encrypt', $string);
    }

    public function decrypt($string) {
        return $this->encrypt_decrypt('decrypt', $string);
    }
    private function encrypt_decrypt($action, $string)
    {
        $key = hash('sha256', self::SECRET_KEY);
        $iv = substr(hash('sha256', self::SECRET_IV), 0, 16);
        if ($action == 'encrypt') {
            $output = openssl_encrypt($string, self::ENCRYPT_METHOD, $key, 0, $iv);
        } else if ($action == 'decrypt') {
            $output = openssl_decrypt(base64_decode($string), self::ENCRYPT_METHOD, $key, 0, $iv);
        }
        $output = (!empty($output)) ? $output : false;
        return $output;
    }
}



$class_encrypt = new MBM_Encrypt_Decrypt();

$plain_txt = "xyz@abc.com";
echo 'Plain Text: ' . $plain_txt . PHP_EOL;

$decrypted_txt = $class_encrypt->decrypt("ZHRodkpCK3R5QXlCMnh3MFdudDh3Zz09");
echo 'Decrypted Text: ' . $decrypted_txt . PHP_EOL;

if ($plain_txt === $decrypted_txt) echo 'SUCCESS' . PHP_EOL;
else echo 'FAILED' . PHP_EOL;

echo PHP_EOL . 'Length of Plain Text: ' . strlen($plain_txt);
echo PHP_EOL . 'Length of Encrypted Text: ' . strlen($encrypted_txt). PHP_EOL;

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

douzi0609 2018-11-26 10:35

关注

I see a few issues with your code:

The PHP hash() function returns hex-encoded strings by default. You need to pass TRUE as the third argument to enable "raw" mode.
Similarly no need to hex.EncodeToString in the Go version.
The PHP openssl_encrypt() and openssl_decrypt() functions work with Base64-encoded strings by default. So no need to base64_decode.

Here are the fixed versions:

PHP:

<?php
class MBM_Encrypt_Decrypt {
    const ENCRYPT_METHOD = 'AES-256-CBC'; // type of encryption
    const SECRET_KEY = '13GsJd6076v69^f4(fdB'; // secret key
    const SECRET_IV = 'fg3Dk54f4340fKF2JTC9'; // secret iv

    public function encrypt($string) {
        return $this->encrypt_decrypt('encrypt', $string);
    }

    public function decrypt($string) {
        return $this->encrypt_decrypt('decrypt', $string);
    }
    private function encrypt_decrypt($action, $string)
    {
        $key = hash('sha256', self::SECRET_KEY, true);
        $iv = substr(hash('sha256', self::SECRET_IV, true), 0, 16);
        if ($action == 'encrypt') {
            $output = openssl_encrypt($string, self::ENCRYPT_METHOD, $key, 0, $iv);
        } else if ($action == 'decrypt') {
            $output = openssl_decrypt($string, self::ENCRYPT_METHOD, $key, 0, $iv);
        }
        $output = (!empty($output)) ? $output : false;
        return $output;
    }
}


$class_encrypt = new MBM_Encrypt_Decrypt();

$plain_txt = "xyz@abc.com";
echo 'Plain Text: ' . $plain_txt . PHP_EOL;

$encrypted_txt = $class_encrypt->encrypt($plain_txt);
echo 'Ciphertext: ' . $encrypted_txt . PHP_EOL;

$decrypted_txt = $class_encrypt->decrypt($encrypted_txt);
echo 'Decrypted Text: ' . $decrypted_txt . PHP_EOL;

if ($plain_txt === $decrypted_txt) echo 'SUCCESS' . PHP_EOL;
else echo 'FAILED' . PHP_EOL;

echo PHP_EOL . 'Length of Plain Text: ' . strlen($plain_txt);
echo PHP_EOL . 'Length of Encrypted Text: ' . strlen($encrypted_txt). PHP_EOL;

Go:

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/sha256"
    "encoding/base64"
    "encoding/hex"
    "fmt"
)

var (
    IV  = []byte("fg3Dk54f4340fKF2JTC9")
    KEY = []byte("13GsJd6076v69^f4(fdB")
)

func main() {

    h := sha256.New()
    h.Write(KEY)
    KEY = h.Sum(nil)

    h.Reset()
    h.Write(IV)
    IV = h.Sum(nil)[:16]

   fmt.Println("Key", hex.EncodeToString(KEY))
   fmt.Println("IV", hex.EncodeToString(IV))

   // This ciphertext was generated by the PHP module
   de := "rDAnykzTorR5/SgpdD7slA=="
   q, err := decrypt(KEY, IV, de)

   fmt.Println(string(q), err)
}

// Returns slice of the original data without padding.
func pkcs7Unpad(data []byte, blocklen int) ([]byte, error) {
    if blocklen <= 0 {
        return nil, fmt.Errorf("invalid blocklen %d", blocklen)
    }
    if len(data)%blocklen != 0 || len(data) == 0 {
        return nil, fmt.Errorf("invalid data len %d", len(data))
    }
    padlen := int(data[len(data)-1])
    if padlen > blocklen || padlen == 0 {
        return nil, fmt.Errorf("invalid padding")
    }
   // check padding
   pad := data[len(data)-padlen:]
   for i := 0; i < padlen; i++ {
        if pad[i] != byte(padlen) {
            return nil, fmt.Errorf("invalid padding")
        }
   }

   return data[:len(data)-padlen], nil
}

func decrypt(key []byte, iv []byte, encrypted string) ([]byte, error) {
    data, err := base64.StdEncoding.DecodeString(encrypted)
    if err != nil {
        return nil, err
    }

    if len(data) == 0 || len(data)%aes.BlockSize != 0 {
        return nil, fmt.Errorf("bad blocksize(%v), aes.BlockSize = %v
", len(data), aes.BlockSize)
    }
    c, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }
    cbc := cipher.NewCBCDecrypter(c, iv)
    cbc.CryptBlocks(data, data)
    out, err := pkcs7Unpad(data, aes.BlockSize)
    if err != nil {
        return out, err
    }
    return out, nil
}

Output:

$ php test.php
Plain Text: xyz@abc.com
Ciphertext: rDAnykzTorR5/SgpdD7slA==
Decrypted Text: xyz@abc.com
SUCCESS

Length of Plain Text: 11
Length of Encrypted Text: 24

$ go test
Key 45ede7f4300fcc407d734020f12c8176463e7d493aa0395cdfa32e31ff914b0a
IV 9f79430dfdd761b3ed128bc38bfeadc5
xyz@abc.com <nil>

报告相同问题？

关注问题

尝试使用PHP OpenSSL_encrypt / OpenSSL_decrypt加密/解密数据 php
2017-12-10 17:45

回答 1 已采纳 Constants do not require the $ suffix that a variable name does. So simply remove the $ from your
使用golang解密使用php openssl_encrypt加密的文件 php
2018-04-13 06:29

回答 1 已采纳 Let's take a step back and simplify: // encrypt.php <?php $iv = base64_decode("AJf3QItKM7+Lkh
在Python和PHP上解密AES256 php python
2019-03-08 12:04

回答 1 已采纳 You are defining a 64-character key; that those 64 characters are hex digits is neither here nor t
php7使用openssl_encrypt函数进行AES加密
2022-11-23 16:05

骷大人的博客手上有个api对接需求，要用到AES加密，要用到openssl_encrypt函数，记录一下，鉴权要求大概如下。将明文先base64加密，后取前16位判断字符串的字节型数据长度是否为16倍整，如不是则进行补充（PKCS#7标准对字符串...
PHP AES加密JAVA到PHP - openssl_encrypt php
2018-11-20 11:39

回答 1 已采纳 I have solved your code by using below code Hope this may help you public function encrypt($d
AES-128-CTR加密在PHP（openssl_encrypt）和Node.js（加密）上给出不同的结果 node.js php
2018-09-18 12:37

回答 1 已采纳 While browsing the related section (after my post) I came across this one: C# and PHP have differe
openssl aes_256_cbc加解密的问题。
2015-03-15 05:56

回答 2 已采纳参考：http://blog.csdn.net/yasi_xi/article/details/13997337 http://blog.csdn.net/chary8088/article/det
实战篇-OpenSSL之AES加密算法-CBC模式
2021-01-06 16:56

百里杨的博客实战篇-OpenSSL之AES加密算法-CBC模式一、AES简介二、CBC模式1、命令行操作2、函数说明3、编程实现（1）特别注意（2）实现CBC模式加解密（3）测试代码一、AES简介密码学中的高级加密标准（Advanced Encryption ...
从PHP到Golang的aes-256-gcm解密 php
2018-10-01 22:45

回答 1 已采纳 Normally an encrypted message looks like IV+ciphertext+tag, not ciphertext+IV+tag. When one deviat
在PHP中将PHP openssl_encrypt与空白IV匹配 javascript php
2017-08-18 12:23

回答 1 已采纳 There are some issues with your code: If you want to use an existing key, then you need to provi
php openssl使用aes256加密数据并使用sha256散列传递帮助！ php
2010-07-29 17:22

回答 1 已采纳 I'd guess you should pass the raw data, not an hexadecimal representation of it. I say this becaus
c程序下openssl aes-cbc 加密解密
2019-10-10 15:34

weixin_43071994的博客在CBC模式中，每个明文块先与前一个密文块进行异或后，再进行加密。在这种方法中，每个密文块都依赖于它前面的所有明文块。同时，为了保证每条消息的唯一性，在第一个块中需要使用初始化向量。 CBC模式原理图讲解的...
在PHP中复制Java的AES / CBC / PKCS5Padding加密 java php
2018-10-12 09:06

回答 1 已采纳 Finally figured out the solution as per following link : https://gist.github.com/odan/c1dc2798ef9
aes-gcm-256 php加密 java解密成功 java php有区别！！
2022-10-08 14:12

死狗等夜狼的博客 aes-gcm-256 php加密 java解密案例
PHP openssl_decrypt 加密用户名、密码，密文传输数据,js的CryptoJS数据加密解密踩坑集合
2021-11-22 17:41

宇飞林海的博客其实在 2015 就已经开始建议大家使用 openssl_encrypt/openssl_decrypt 来代替 mcrypt_encrypt/mcrypt_decrypt，缓冲了 N 久，这一天终于在 7.2.0 版本上到来了。 openssl_decrypt 的 OPENSSL_ZERO_PADDING默认会...
没有解决我的问题, 去提问

悬赏问题

¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像，如何解决？
¥15 求daily translation（DT）偏差订正方法的代码
¥15 js调用html页面需要隐藏某个按钮
¥15 ads仿真结果在圆图上是怎么读数的
¥20 Cotex M3的调试和程序执行方式是什么样的？
¥20 java项目连接sqlserver时报ssl相关错误
¥15 一道python难题3
¥15 牛顿斯科特系数表表示
¥15 arduino 步进电机
¥20 程序进入HardFault_Handler

码龄粉丝数原力等级 --

解密由openssl_encrypt在PHP中加密的AES-256-CBC密文时出现错误的块大小错误

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

解密由openssl_encrypt在PHP中加密的AES-256-CBC密文时出现错误的块大小错误

1条回答 默认 最新

悬赏问题

1条回答默认最新