openssl_decrypt

    (PHP 5 >= 5.3.0, PHP 7, PHP 8)

    openssl_decryptDecrypts data

    Description

    openssl_decrypt(
        string $data,
        string $cipher_algo,
        #[\SensitiveParameter] string $passphrase,
        int $options = 0,
        string $iv = "",
        ?string $tag = null,
        string $aad = ""
    ): string|false

    Takes a raw or base64 encoded string and decrypts it using a given method and passphrase.

    Parameters

    data

    The encrypted message to be decrypted.

    cipher_algo

    The cipher method. For a list of available cipher methods, use openssl_get_cipher_methods().

    passphrase

    The passphrase. If the passphrase is shorter than expected, it is silently padded with NUL characters; if the passphrase is longer than expected, it is silently truncated.

    Caution

    There is no key derivation function used for passphrase as its name might suggest. The only operation used is padding with NUL characters or truncation if the length is different than expected.

    options

    options can be one of OPENSSL_RAW_DATA, OPENSSL_ZERO_PADDING or OPENSSL_DONT_ZERO_PAD_KEY.

    iv

    A non-null Initialization Vector. If the IV is shorter than expected, it is padded with NUL characters and warning is emitted; if the passphrase is longer than expected, it is truncated and warning is emitted.

    tag

    The authentication tag in AEAD cipher mode. If it is incorrect, the authentication fails and the function returns false.

    Caution

    The length of the tag is not checked by the function. It is the caller's responsibility to ensure that the length of the tag matches the length of the tag retrieved when openssl_encrypt() has been called. Otherwise the decryption may succeed if the given tag only matches the start of the proper tag.

    aad

    Additional authenticated data.

    Return Values

    The decrypted string on success or false on failure.

    Errors/Exceptions

    Emits an E_WARNING level error if an unknown cipher algorithm is passed via the cipher_algo parameter.

    Emits an E_WARNING level error if an empty value is passed in via the iv parameter.

    Changelog

    Version Description
    8.1.0 tag is now nullable.
    7.1.0 The tag and aad parameters were added.

    See Also

    Improve This Page

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 4 notes

    up
    15
    Hernanibus
    8 years ago
    Parameters may seem obvius to some but not for everyone so:

    - $data can be as the description says raw or base64. If no $option is set (this is, if value of 0 is passed in this parameter), data will be assumed to be base64 encoded. If parameter OPENSSL_RAW_DATA is set, it will be understood as row data.

    - $password (key) is a String of [pseudo] bytes as those generated by the function openssl_random_pseudo_bytes().

    - $options as (as for 2016) two possible values OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING. Setting both can be done by OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING. If no OPENSSL_ZERO_PADDING is specify, default pading of PKCS#7 will be done as it's been observe by [openssl at mailismagic dot com]'s coment in openssl_encrypt()

    - $iv is as in the case of $password, a String of bytes. Its length depends on the algorithm used. May be the best way to generate an $iv is by:

    <?php
    $iv     = openssl_random_pseudo_bytes(openssl_cipher_iv_length('your algorithm'));// for example you algorithm = 'AES-256-CTR'
    ?>
    up
    1
    ittasks at gmail dot com
    11 years ago
    in case that hosting do not provide openssl_encrypt decrypt functions - it could be mimiced via commad prompt executions
    this functions will check is if openssl is installed and try to use it by default

    function sslPrm()
    {
    return array("your_password","IV (optional)","aes-128-cbc");
    }
    function sslEnc($msg)
    {
    list ($pass, $iv, $method)=sslPrm();
    if(function_exists('openssl_encrypt'))
    return urlencode(openssl_encrypt(urlencode($msg), $method, $pass, false, $iv));
    else
    return urlencode(exec("echo \"".urlencode($msg)."\" | openssl enc -".urlencode($method)." -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv)));
    }
    function sslDec($msg)
    {
    list ($pass, $iv, $method)=sslPrm();
    if(function_exists('openssl_decrypt'))
    return trim(urldecode(openssl_decrypt(urldecode($msg), $method, $pass, false, $iv)));
    else
    return trim(urldecode(exec("echo \"".urldecode($msg)."\" | openssl enc -".$method." -d -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv))));
    }

    //example of usage:
    $r= sslEnc("This is encryption/decryption test!");
    echo "<br>\n".$r.":".sslDec($r);
    up
    0
    markagius dot co dot uk
    7 years ago
    openssl_decrypt(..) works with most but not all method types.
    This list can vary, depending on the data (Message) and key (Password) used.

    See the following code and edit the $text and $password values.
    Code checks if text is the same after encrypting then decrypting it.

    Note:
    You can still use openssl_encrypt(..) with;
    User enters 'Log-in password'
    (Encrypted and stored using openssl_encrypt)
    Next time.
    User logs-in with 'Log-in password'
    (Check that encrypted 'Log-in password' = stored data)

    <CODE>
    // Please edit $password=... and $text=...

    $password = "This is a journey into sound";

    $text = "";
    for($charNo=0; $charNo<=255; $charNo=$charNo+1){
    // if($charNo==127) {$charNo=$charNo+1;}
    if(!$charNo<127){
    // $text = $text."&#x".strtoupper(dechex($charNo)).";";
    $text = $text.chr($charNo);
    } else {
    $text = $text.chr($charNo);
    }
    }

    $text = "This is a test message.";

    print "<TABLE BORDER=\"1\">\n";
    print "<TR><TD><B>Encryption type:</B></TD><TD><B>String after converting back:</B></TD></TR>\n";
    $ciphers = openssl_get_cipher_methods();
    for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){
    $edit = EncryptDecrypt($text, true, $password, $ciphers[$pointer]);
    $check = EncryptDecrypt($edit, false, $password, $ciphers[$pointer]);
    if($text!=$check){
    $info = $check;
    print "<TR><TD>".$ciphers[$pointer]."</TD><TD>".$info."</TD></TR>\n";
    }
    }
    print "</TABLE>\n";

    function EncryptDecrypt($oldText, $encryptIt=true, $password="PASSWORD", $encryptType=""){
    $ciphers = openssl_get_cipher_methods();
    $foundEncType = false;
    for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){
    if($ciphers[$pointer]==$encryptType){$foundEncType=true;}
    }
    if(!$foundEncType){
    $encryptType = "RC2-64-CBC"; // Default value used if not set or listed.
    }
    if($encryptIt){
    $newText = openssl_encrypt($oldText,$encryptType,$password);
    } else {
    $newText = openssl_decrypt($oldText,$encryptType,$password);
    }
    return $newText;
    }
    </CODE>
    The following (sometimes) don't work:
    DES-EDE3-CFB1 (sometimes)
    aes-128-gcm
    aes-192-gcm
    aes-256-gcm
    des-ede3-cfb1 (sometimes)
    id-aes128-GCM
    id-aes192-GCM
    id-aes256-GCM
    up
    0
    lucianonapoli at yahoo dot it
    7 years ago
    The parameter string $password must be in binary form and is derived from the exadecimal key value.

    Example:

    encrypting in command line console with openssl
    openssl AES-256-CBC -K 5ae1b8a17bad4da4fdac796f64c16ecd -iv 34857d973953e44afb49ea9d61104d8c -in doc.txt -out doc.enc.txt

    decripting in php
    $key = hex2bin('5ae1b8a17bad4da4fdac796f64c16ecd');
    $iv = hex2bin('34857d973953e44afb49ea9d61104d8c');

    $output = openssl_decrypt($encstr, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
    add a note
    To Top