(PHP 5 >= 5.3.0, PHP 7, PHP 8)
openssl_decrypt — Decrypts data
openssl_decrypt($data, $cipher_algo, $passphrase, $options = 0, $iv = "", $tag = null, $aad = "")
Takes a raw or base64 encoded string and decrypts it using a given method and passphrase.
data
The encrypted message to be decrypted.
cipher_algo
The cipher method. For a list of available cipher methods, use openssl_get_cipher_methods().
passphrase
The passphrase. If the passphrase is shorter than expected, it is silently padded with NUL characters; if the passphrase is longer than expected, it is silently truncated.
There is no key derivation function used for passphrase as its name might suggest. The only operation used is padding with NUL characters or truncation if the length is different than expected.
options
options can be one of OPENSSL_RAW_DATA, OPENSSL_ZERO_PADDING or OPENSSL_DONT_ZERO_PAD_KEY.
iv
A non-null Initialization Vector. If the IV is shorter than expected, it is padded with NUL characters and a warning is emitted; if the IV is longer than expected, it is truncated and a warning is emitted.
tag
The authentication tag in AEAD cipher mode. If it is incorrect, the authentication fails and the function returns false.
The length of the tag is not checked by the function. It is the caller's responsibility to ensure that the length of the tag matches the length of the tag retrieved when openssl_encrypt() has been called. Otherwise the decryption may succeed if the given tag only matches the start of the proper tag.
aad
Additional authenticated data.
The decrypted string on success or false on failure.
Emits an E_WARNING level error if an unknown cipher algorithm is passed via the cipher_algo parameter.
Emits an E_WARNING level error if an empty value is passed in via the iv parameter.
| Version | Description |
|---|---|
| 8.1.0 | tag is now nullable. |
| 7.1.0 | The tag and aad parameters were added. |
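The passphrase and tag caveats described above, applied to aes-256-gcm on PHP 7.1 or later. This is an added example, not code from the PHP manual; the function names, the envelope array, the salt size and the PBKDF2 iteration count are assumptions made for the illustration.

```php
<?php
// Added example, not from the PHP manual. Function names, the envelope array
// and the PBKDF2 parameters are assumptions chosen for this illustration.
const CIPHER   = 'aes-256-gcm';
const KEY_LEN  = 32;      // bytes required by AES-256
const TAG_LEN  = 16;      // tag length requested at encryption time
const KDF_ITER = 600000;  // assumed PBKDF2 work factor

// openssl_decrypt() only NUL-pads or truncates $passphrase, so a human-chosen
// passphrase is stretched to a full-length key before it is passed in.
function deriveKey($passphrase, $salt)
{
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITER, KEY_LEN, true);
}

function sealMessage($plaintext, $passphrase, $aad = '')
{
    $salt = random_bytes(16);
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, CIPHER, deriveKey($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    return ['salt' => $salt, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

function openMessage(array $env, $passphrase, $aad = '')
{
    // openssl_decrypt() does not check the tag length: reject anything that is
    // not exactly TAG_LEN bytes, so a prefix of the real tag is never accepted.
    if (strlen($env['tag']) !== TAG_LEN
        || strlen($env['iv']) !== openssl_cipher_iv_length(CIPHER)) {
        return false;
    }
    return openssl_decrypt($env['ct'], CIPHER, deriveKey($passphrase, $env['salt']),
                           OPENSSL_RAW_DATA, $env['iv'], $env['tag'], $aad);
}

// Constructed sample data.
$env = sealMessage('constructed sample message', 'correct horse battery', 'msg-v1');
$cut = $env;
$cut['tag'] = substr($env['tag'], 0, 4);                         // tag cut to 4 bytes

var_dump(openMessage($env, 'correct horse battery', 'msg-v1'));  // valid envelope
var_dump(openMessage($cut, 'correct horse battery', 'msg-v1'));  // short tag
var_dump(openMessage($env, 'wrong passphrase', 'msg-v1'));       // wrong passphrase
var_dump(openMessage($env, 'correct horse battery', 'msg-v2'));  // altered AAD
```

Only the first call returns the plaintext; the other three return false.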
Parameters may seem obvious to some but not for everyone so:
- $data can be as the description says raw or base64. If no $option is set (this is, if value of 0 is passed in this parameter), data will be assumed to be base64 encoded. If parameter OPENSSL_RAW_DATA is set, it will be understood as raw data.
- $password (key) is a String of [pseudo] bytes as those generated by the function openssl_random_pseudo_bytes().
- $options has (as of 2016) two possible values OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING. Setting both can be done by OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING. If no OPENSSL_ZERO_PADDING is specified, default padding of PKCS#7 will be done as it's been observed by [openssl at mailismagic dot com]'s comment in openssl_encrypt()
- $iv is as in the case of $password, a String of bytes. Its length depends on the algorithm used. Maybe the best way to generate an $iv is by:
<?php
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('your algorithm')); // for example your algorithm = 'AES-256-CTR'
?>
The parameter string $password must be in binary form and is derived from the hexadecimal key value.
Example:
encrypting in command line console with openssl
openssl AES-256-CBC -K 5ae1b8a17bad4da4fdac796f64c16ecd -iv 34857d973953e44afb49ea9d61104d8c -in doc.txt -out doc.enc.txt
decrypting in php
$encstr = file_get_contents('doc.enc.txt'); // raw ciphertext written by the command above
$key = hex2bin('5ae1b8a17bad4da4fdac796f64c16ecd');
$iv = hex2bin('34857d973953e44afb49ea9d61104d8c');
$output = openssl_decrypt($encstr, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
openssl_decrypt(..) works with most but not all method types.
This list can vary, depending on the data (Message) and key (Password) used.
See the following code and edit the $text and $password values.
Code checks if text is the same after encrypting then decrypting it.
Note:
You can still use openssl_encrypt(..) with;
User enters 'Log-in password'
(Encrypted and stored using openssl_encrypt)
Next time.
User logs-in with 'Log-in password'
(Check that encrypted 'Log-in password' = stored data)
<CODE>
// Please edit $password=... and $text=...
$password = "This is a journey into sound";
// Build a string holding every byte value 0..255 (replaced by the short test message below).
$text = "";
for($charNo=0; $charNo<=255; $charNo=$charNo+1){
    // if($charNo==127) {$charNo=$charNo+1;}
    if(!($charNo<127)){
        // $text = $text."&#x".strtoupper(dechex($charNo)).";";
        $text = $text.chr($charNo);
    } else {
        $text = $text.chr($charNo);
    }
}
$text = "This is a test message.";
print "<TABLE BORDER=\"1\">\n";
print "<TR><TD><B>Encryption type:</B></TD><TD><B>String after converting back:</B></TD></TR>\n";
$ciphers = openssl_get_cipher_methods();
// Round-trip the text through every cipher and list the ones that do not return it unchanged.
for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){
    $edit = EncryptDecrypt($text, true, $password, $ciphers[$pointer]);
    $check = EncryptDecrypt($edit, false, $password, $ciphers[$pointer]);
    if($text!=$check){
        $info = $check;
        print "<TR><TD>".$ciphers[$pointer]."</TD><TD>".$info."</TD></TR>\n";
    }
}
print "</TABLE>\n";
function EncryptDecrypt($oldText, $encryptIt=true, $password="PASSWORD", $encryptType=""){
    $ciphers = openssl_get_cipher_methods();
    $foundEncType = false;
    for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){
        if($ciphers[$pointer]==$encryptType){$foundEncType=true;}
    }
    if(!$foundEncType){
        $encryptType = "RC2-64-CBC"; // Default value used if not set or listed.
    }
    // No IV or tag is passed, so ciphers that need one emit warnings or fail here.
    if($encryptIt){
        $newText = openssl_encrypt($oldText,$encryptType,$password);
    } else {
        $newText = openssl_decrypt($oldText,$encryptType,$password);
    }
    return $newText;
}
</CODE>
The following (sometimes) don't work:
DES-EDE3-CFB1 (sometimes)
aes-128-gcm
aes-192-gcm
aes-256-gcm
des-ede3-cfb1 (sometimes)
id-aes128-GCM
id-aes192-GCM
id-aes256-GCM
in case that hosting does not provide openssl_encrypt decrypt functions - it could be mimicked via command prompt executions
these functions will check if openssl is installed and try to use it by default
function sslPrm()
{
    return array("your_password","IV (optional)","aes-128-cbc");
}
function sslEnc($msg)
{
    list ($pass, $iv, $method)=sslPrm();
    if(function_exists('openssl_encrypt'))
        return urlencode(openssl_encrypt(urlencode($msg), $method, $pass, false, $iv));
    else
        // escapeshellarg() keeps the message and the cipher name from being interpreted by the shell
        return urlencode(exec("echo ".escapeshellarg(urlencode($msg))." | openssl enc ".escapeshellarg("-".$method)." -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv)));
}
function sslDec($msg)
{
    list ($pass, $iv, $method)=sslPrm();
    if(function_exists('openssl_decrypt'))
        return trim(urldecode(openssl_decrypt(urldecode($msg), $method, $pass, false, $iv)));
    else
        // the decoded input is caller-supplied, so it is quoted before it reaches the shell
        return trim(urldecode(exec("echo ".escapeshellarg(urldecode($msg))." | openssl enc ".escapeshellarg("-".$method)." -d -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv))));
}
//example of usage:
$r= sslEnc("This is encryption/decryption test!");
echo "<br>\n".$r.":".sslDec($r);