codeigniter4 · gr8man · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php
@@ -15,6 +15,7 @@
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
 use SensitiveParameter;
+use SodiumException;
 
 /**
  * SodiumHandler uses libsodium in encryption.
@@ -43,34 +44,31 @@ class SodiumHandler extends BaseHandler
      */
     public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
     {
-        // Allow key override
-        $key = $params !== null
-            ? (is_array($params) && isset($params['key']) ? $params['key'] : $params)
-            : $this->key;
-
-        // Allow blockSize override
-        $blockSize = (is_array($params) && isset($params['blockSize']))
-            ? $params['blockSize']
-            : $this->blockSize;
+        $key       = $this->key;
+        $blockSize = $this->blockSize;
+
+        if ($params !== null) {
+            if (is_array($params)) {
+                $key       = $params['key'] ?? $key;
+                $blockSize = $params['blockSize'] ?? $blockSize;
+            } else {
+                $key = $params;
+            }
+        }
 
-        if (empty($key)) {
+        if (empty($key) || strlen((string) $key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
             throw EncryptionException::forNeedsStarterKey();
         }
 
-        // create a nonce for this operation
-        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // 24 bytes
-
-        // add padding before we encrypt the data
         if ($blockSize <= 0) {
             throw EncryptionException::forEncryptionFailed();
         }
 
-        $data = sodium_pad($data, $blockSize);
+        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $data  = sodium_pad($data, $blockSize);
 
-        // encrypt message and combine with nonce
         $ciphertext = $nonce . sodium_crypto_secretbox($data, $nonce, $key);
 
-        // cleanup buffers
         sodium_memzero($data);
         sodium_memzero($key);
 
@@ -82,45 +80,41 @@ public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $para
      */
     public function decrypt($data, #[SensitiveParameter] $params = null)
     {
-        // Allow key override
-        $key = $params !== null
-            ? (is_array($params) && isset($params['key']) ? $params['key'] : $params)
-            : $this->key;
-
-        // Allow blockSize override
-        $blockSize = (is_array($params) && isset($params['blockSize']))
-            ? $params['blockSize']
-            : $this->blockSize;
+        $key       = $this->key;
+        $blockSize = $this->blockSize;
+
+        if ($params !== null) {
+            if (is_array($params)) {
+                $key       = $params['key'] ?? $key;
+                $blockSize = $params['blockSize'] ?? $blockSize;
+            } else {
+                $key = $params;
+            }
+        }
 
-        if (empty($key)) {
+        if (empty($key) || strlen((string) $key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
             throw EncryptionException::forNeedsStarterKey();
         }
 
         if (mb_strlen($data, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
-            // message was truncated
             throw EncryptionException::forAuthenticationFailed();
         }
 
-        // Extract info from encrypted data
         $nonce      = self::substr($data, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
         $ciphertext = self::substr($data, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
 
-        // decrypt data
         $data = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
 
-        if ($data === false) {
-            // message was tampered in transit
-            throw EncryptionException::forAuthenticationFailed(); // @codeCoverageIgnore
+        if ($data === false || $blockSize <= 0) {
+            throw EncryptionException::forAuthenticationFailed();
         }
 
-        // remove extra padding during encryption
-        if ($blockSize <= 0) {
+        try {
+            $data = sodium_unpad($data, $blockSize);
+        } catch (SodiumException) {
             throw EncryptionException::forAuthenticationFailed();
         }
 
-        $data = sodium_unpad($data, $blockSize);
-
-        // cleanup buffers
         sodium_memzero($ciphertext);
         sodium_memzero($key);
 

diff --git a/tests/system/Encryption/Handlers/SodiumHandlerTest.php b/tests/system/Encryption/Handlers/SodiumHandlerTest.php
@@ -151,4 +151,57 @@ public function testInternalKeyNotModifiedByParams(): void
 
         $this->assertSame($message, $encrypter->decrypt($encoded, ['key' => $differentKey]));
     }
+
+    public function testNullKeyOverrideFallsBackToInstanceKey(): void
+    {
+        /** @var SodiumHandler $encrypter */
+        $encrypter = $this->encryption->initialize($this->config);
+
+        $ciphertext = $encrypter->encrypt('message', ['key' => null]);
+
+        $this->assertSame('message', $encrypter->decrypt($ciphertext, ['key' => null]));
+    }
+
+    public function testInvalidKeyLengthThrowsEncryptionException(): void
+    {
+        $this->expectException(EncryptionException::class);
+        /** @var SodiumHandler $encrypter */
+        $encrypter = $this->encryption->initialize($this->config);
+
+        $encrypter->encrypt('message', str_repeat('a', 31));
+    }
+
+    public function testMismatchedBlockSizeThrowsEncryptionException(): void
+    {
+        $this->expectException(EncryptionException::class);
+        /** @var SodiumHandler $encrypter */
+        $encrypter = $this->encryption->initialize($this->config);
+
+        $ciphertext = $encrypter->encrypt('message', ['blockSize' => 16]);
+
+        $encrypter->decrypt($ciphertext, ['blockSize' => 32]);
+    }
+
+    public function testDecryptTamperedMessageThrowsException(): void
+    {
+        $this->expectException(EncryptionException::class);
+        $encrypter = $this->encryption->initialize($this->config);
+
+        $ciphertext = $encrypter->encrypt('message');
+
+        $ciphertext[0] = $ciphertext[0] === 'a' ? 'b' : 'a';
+
+        $encrypter->decrypt($ciphertext);
+    }
+
+    public function testOverrideKeyAsStringWorks(): void
+    {
+        $encrypter = $this->encryption->initialize($this->config);
+        $newKey    = sodium_crypto_secretbox_keygen();
+
+        $ciphertext = $encrypter->encrypt('message', $newKey);
+        $decrypted  = $encrypter->decrypt($ciphertext, $newKey);
+
+        $this->assertSame('message', $decrypted);
+    }
 }
diff --git a/user_guide_src/source/changelogs/v4.7.4.rst b/user_guide_src/source/changelogs/v4.7.4.rst
@@ -37,6 +37,7 @@ Bugs Fixed
 - **Commands:** Fixed a bug where ``spark lang:find`` treated translation keys already provided by the framework or another namespace (such as ``Errors.*`` in ``system/Language``) as new, listing them under ``--show-new`` and writing untranslated placeholders into ``app/Language`` that overrode the existing translations.
 - **Config:** Fixed a bug where ``BaseService::injectMock`` did not apply ``strtolower`` consistently, causing inconsistent Service and Mock registration and resolution.
 - **Database:** Fixed a bug where ``updateBatch()`` could be called after Query Builder ``where()`` conditions, even though it's not supported. In this situation, now the ``DatabaseException`` is thrown.
+- **Encryption:** Fixed bugs in ``SodiumHandler`` where incorrect key handling and mismatched block sizes caused encryption and decryption failures.
 - **Filters:** Fixed a bug in ``InvalidChars`` filter where invalid UTF-8 or control characters in array keys were not checked.
 - **HTTP:** Fixed a bug where the User Agent library reported Safari's WebKit version instead of the browser version from the ``Version`` token.
 - **Model:** Fixed a bug in ``Model::objectToRawArray()`` where the ``$recursive`` parameter was ignored.