
So I was writing a web application and for some uses I need to encrypt a string and decrypt it later. Everything in my code works perfectly on localhost on a MacBook on El Capitan 10.11.4 and XAMPP 5.6.15-1, but when I upload the code to the server it just won't work. I found one problem (I also tried on multiple servers).

So this is my code:

<?php
session_start();
header("Content-Type: text/html;charset=UTF-8");
if (isset($_POST["file"])) {
    $filename = $_POST["file"];
    //$filename = $_GET["file"];
    $filename = substr($filename, 12);

    $username = $_SESSION["username"];
    $key = $_SESSION["key"];   // hex-encoded key stored in the session

    $filename = "../users/$username/text/" . $filename;

    $fileNumber = $_POST["number"];

    ///Cloude/users/antonio/text/teext/file2.txt
    // Cloude/script

    // Stored file format: base64(ciphertext)|base64(iv)
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    echo $contents;   // debug output
    $decrypt = str_replace(" ", "+", $contents);

    echo " ------ 1 ------ ";

    $decrypt = explode('|', $decrypt.'|');
    $decoded = base64_decode($decrypt[0]);
    $iv = base64_decode($decrypt[1]);

    echo " ------ 2 ------";

    // A top-level return ends the script here if the IV has the wrong length
    if(strlen($iv)!==mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC)){ return false; }

    echo " ------ 3 ------";

    $key = pack('H*', $key);
    $decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_CBC, $iv));
    // Encrypt-then-MAC: the last 64 hex characters of the plaintext are an HMAC-SHA256
    $mac = substr($decrypted, -64);
    $decrypted = substr($decrypted, 0, -64);
    $calcmac = hash_hmac('sha256', $decrypted, substr(bin2hex($key), -32));
    if($calcmac!==$mac){ return false; }
    $decrypted = unserialize($decrypted);

    echo json_encode($decrypted . "qJB0rGtIn5UB1xG03efyCp55");
}

These echoes are just for testing which line doesn't work. When I run it, it just prints "------ 1 ------" and "------ 2 ------"; the code after

mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC)

just won't work on the server. Does anyone know why?

EDIT: I found the bug; it was a hosting problem, they do some weird things. Thanks anyway!

  • error checking said *what?* – Funk Forty Niner May 15 '16 at 19:40
  • Thanks, but I think I found the error. The problem was that I was using free hosting at 000webhost.com; when they recognize a .html file they add a script that tracks analytics. I just needed to remove that script code when reading the file and everything was fine. Thanks anyway – Antonio Stipić May 15 '16 at 19:47
  • glad to know it was resolved. – Funk Forty Niner May 15 '16 at 19:49
  • btw, I hope you don't plan on paying for that service; it's simply awful. There are much better free hosting services out there. I used that one some years back and they're still awful, if not worse. *sigh* take it from experience ;-) I know a bad hosting service when I see one. – Funk Forty Niner May 15 '16 at 19:51
  • Do you have any cheap but quality hosting in mind? – Antonio Stipić May 15 '16 at 20:06
  • Ideally, paying for a good host makes all the difference in the world, and HostGator is a good one. For a free host, I've used AwardSpace with good results. Sidenote: I am not affiliated with them in any way (as a disclaimer). – Funk Forty Niner May 15 '16 at 20:08
  • It is best not to use mcrypt: it is abandonware, has not been updated in years, and does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. Instead consider using [defuse](https://github.com/defuse/php-encryption); it is being maintained and is correct. – zaph May 15 '16 at 20:55

1 Answer

You should not use the MCrypt functions anymore. Why? Because MCrypt is considered abandonware. The library is no longer actively maintained, and a long list of known bugs has not been fixed for a long time.

So, what would be the solution to your problem? The quick, easy and safest option is to use a drop-in library.

Example of doing strong crypto the easy way:

<?php
// Assuming a PSR-4 compatible autoloader (Composer's is the usual one)
require __DIR__ . '/vendor/autoload.php';

use Driftwood\SymmetricEncryption;

$password = 'correct horse battery staple';

$crypto = new SymmetricEncryption(20);

$encrypted = $crypto->encrypt('Never roll your own crypto.', $password);
$decrypted = $crypto->decrypt($encrypted, $password);

echo $decrypted; // Never roll your own crypto.



If you really want to create your own crypto library (you shouldn't), then the recommended solution is to use PHP's OpenSSL extension. But: crypto is hard, exceptionally hard. A good crypto wrapper requires multiple cryptographers and PHP specialists working together, checking each other and double-checking each change in the code, scrutinizing every decision.

Jacco
    The problem I see with *Pixelfck/SymmetricEncryption* is the lack of documentation. What cryptographic primitives does it support (only encryption?), does it provide encryption authentication (seems to), what is the data format (read the code), all of this is necessary for interoperability. As an example of what is needed RNCryptor provides a [data format specification](https://github.com/RNCryptor/RNCryptor-Spec/blob/master/RNCryptor-Spec-v3.md) – zaph May 15 '16 at 21:03
  • @zaph, yeah, I think you should open an issue to ask for increased documentation. They are pretty clear it is authenticated encryption (Encrypt-then-mac) though [third bullet point]; I would never recommend it otherwise. I've analysed the code with an (app-sec) colleague (we're not cryptographers though) and we found the code well documented and of high quality. But code comments are not a substitution for proper documentation of course. – Jacco May 16 '16 at 19:54
  • Alternatively: [defuse/php-encryption](https://github.com/defuse/php-encryption/blob/master/docs/CryptoDetails.md) is well documented, and version 2 just came out yesterday. – Scott Arciszewski May 17 '16 at 21:02
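The OpenSSL route the answer mentions, worked through as an added example: this is not code from the question, the answer, or either of the libraries named in the thread. It does AES-256-CBC with OpenSSL's default PKCS#7 padding, then HMAC-SHA256 over IV and ciphertext, and verifies the MAC with hash_equals before anything is decrypted. The HKDF split into separate encryption and MAC keys, the IV||ciphertext||tag blob layout, and the example.invalid script URL are this example's own assumptions (PHP >= 7.1.2 for hash_hkdf). The demo at the end reproduces the question's failure mode, a tracking script appended to the stored file, and shows the blob being rejected instead of limping on into mcrypt_decrypt with a bad IV.

```php
<?php
declare(strict_types=1);

// Added example: encrypt-then-MAC on top of PHP's OpenSSL extension, as a
// replacement for the mcrypt code in the question. Blob layout (an
// assumption of this example, not a standard format):
//   base64( IV || ciphertext || HMAC-SHA256(IV || ciphertext) )

const EXAMPLE_CIPHER  = 'aes-256-cbc';   // PKCS#7 padding is OpenSSL's default
const EXAMPLE_TAG_LEN = 32;              // HMAC-SHA256 output size in bytes

/**
 * Derive independent encryption and MAC keys from one master key with
 * HKDF-SHA256. The question reuses a single key for both AES and HMAC;
 * keeping them separate avoids that.
 */
function derive_keys(string $masterKey): array
{
    return [
        hash_hkdf('sha256', $masterKey, 32, 'example aes-256-cbc key'),
        hash_hkdf('sha256', $masterKey, 32, 'example hmac-sha256 key'),
    ];
}

function encrypt_blob(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = derive_keys($masterKey);
    $iv = random_bytes(openssl_cipher_iv_length(EXAMPLE_CIPHER));   // fresh IV per message
    $ct = openssl_encrypt($plaintext, EXAMPLE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);
}

/**
 * Returns the plaintext, or null if the blob is malformed, truncated, has
 * anything appended to it, or was produced under a different key. The MAC
 * is checked before the ciphertext is handed to openssl_decrypt.
 */
function decrypt_blob(string $blob, string $masterKey): ?string
{
    [$encKey, $macKey] = derive_keys($masterKey);
    $raw   = base64_decode($blob, true);   // strict mode: any non-base64 byte fails
    $ivLen = openssl_cipher_iv_length(EXAMPLE_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 16 + EXAMPLE_TAG_LEN) {
        return null;   // shorter than IV + one block + tag: nothing to verify
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, -EXAMPLE_TAG_LEN);
    $ct  = substr($raw, $ivLen, -EXAMPLE_TAG_LEN);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison, not !==
        return null;
    }
    $pt = openssl_decrypt($ct, EXAMPLE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

/**
 * Demo on constructed data: the blob as stored on disk, the same blob with a
 * tracking script appended (the failure mode from the question), a blob with
 * one ciphertext byte flipped, the appended script stripped again before
 * decoding, and the intact blob under the wrong key.
 */
function demo(): array
{
    $masterKey = random_bytes(32);   // constructed key; real code loads it from config, not $_SESSION
    $blob = encrypt_blob('hello from the server', $masterKey);

    // What the host in the question did to the stored .html file.
    $tampered = $blob . "\n<script src=\"//example.invalid/track.js\"></script>";

    // Base64-valid corruption: flip the first ciphertext byte after the IV.
    $ivLen   = openssl_cipher_iv_length(EXAMPLE_CIPHER);
    $flipped = base64_decode($blob);
    $flipped[$ivLen] = chr(ord($flipped[$ivLen]) ^ 0x01);

    // The workaround the asker ended up with: drop the injected script before decoding.
    $stripped = preg_replace('/\s*<script\b.*$/is', '', $tampered);

    return [
        'intact'    => decrypt_blob($blob, $masterKey),
        'appended'  => decrypt_blob($tampered, $masterKey),               // strict base64 rejects the script
        'flipped'   => decrypt_blob(base64_encode($flipped), $masterKey), // HMAC mismatch
        'stripped'  => decrypt_blob($stripped, $masterKey),
        'wrong_key' => decrypt_blob($blob, random_bytes(32)),             // derived MAC key differs
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
}
```

Run it with `php example.php`: only the `intact` and `stripped` entries come back as strings; the other three are null because the MAC (or, for the appended script, strict base64 decoding) fails before openssl_decrypt is ever called. On PHP 7.1 and later, `aes-256-gcm` with `openssl_encrypt`'s `$tag` argument gives the same authenticated result without the separate HMAC and second key; CBC plus HMAC is shown here because it is the direct counterpart of the question's mcrypt construction.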