How can I solve this OpenSSL "EVP_DecryptFinal_ex:bad decrypt" error in PHP?

Question

Setup:

session_start();

function set_encryption_method() {

if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity']) > 3600) {
    unset($_SESSION['cipher']);
    unset($_SESSION['iv']);
    unset($_SESSION['last_activity']);
}

$cipher = 'aes-256-cbc';
$iv = random_bytes(16);    
    
    if (in_array($cipher, openssl_get_cipher_methods())) {
        if (!isset($_SESSION['cipher'])) {
            $_SESSION['cipher'] = $cipher;
        }
        if (!isset($_SESSION['iv'])) {
            $_SESSION['iv'] = $iv;
        }
        $_SESSION['last_activity'] = time();
    } else {
        die('Encryption method not supported!');
    }
}

set_encryption_method();

Encrypt:

function encrypt_string($key, $string) {
    // $key is a constant stored in a database
    return rawurlencode(base64_encode(openssl_encrypt($string, $_SESSION['cipher'], $key, 0, $_SESSION['iv'])));
}

Decrypt:

function decrypt_string($key, $encrypted) {
    // $key is a constant stored in a database
    return openssl_decrypt(rawurldecode(base64_decode($encrypted)), $_SESSION['cipher'], $key, 0, $_SESSION['iv']);
}

When decrypt_string() is called with the appropriate parameters, it throws this error: digital envelope routines evp_decrypt_final_ex: bad decrypt. If I hardcode the iv, then it works correctly.

What am I doing wrong?

Answer 1

The error message is (indirectly) caused by the fact that your are using different IVs for encryption and decryption. From your description it is not clear how that can happen, but let me propose some suggestions that will avoid your issue altogether.

First, with EAS-CBC it is not a good idea to use the same IV + key combination multiple times. You can find some discussion on that in the answers to Is AES in CBC mode secure if a known and/or fixed IV is used?. You did not mention how you are using the different functions, but during 3600 seconds, you are using the same IV + key combinations.

To work around this, you could generate a random IV for every encryption that you do. You could then store the IV together with the encrypted data; the IV is not required or supposed to be secret. The following two functions are modifications of yours that do exactly that, by concatenating the two after encryption and splitting the two before decryption:

function encrypt_string($key, $string) {
    // $key is a constant stored in a database
    $iv = random_bytes(16);
    $ciphtxt = openssl_encrypt($string, $_SESSION['cipher'], $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv.$ciphtxt);
}

function decrypt_string($key, $encrypted) {
    // $key is a constant stored in a database
    $combo = base64_decode($encrypted);
    $iv = substr($combo, 0, 16);
    $ciphtxt= substr($combo, 16);
    return openssl_decrypt($ciphtxt, $_SESSION['cipher'], $key, OPENSSL_RAW_DATA, $iv);
}

Note the use of the flag OPENSSL_RAW_DATA. As the documentation for openssl_encrypt mentions (not too clearly), the result will be base64-ed if you do not give that flag. You were doing the base64-ing yourself so I added the flag. This also makes it a little easier to handle the (de-)concatenation of the IV and the ciphertext.

---

A few words about the occurrence of that bad decrypt error: that is emitted when the padding bytes are different than expected. Since you were using an incorrect IV for decryption, the AES decryption did not result in the original data, with a high probability that the padding bytes therefore did not have the right value.