Symmetric encryption/decryption for PHP and NodeJS communication
'use strict';
const crypto = require('crypto');
// Cipher shared with the PHP side. CBC mode provides confidentiality only:
// the "<iv>:<ciphertext>" output carries no integrity or authenticity tag.
const AES_METHOD = 'aes-256-cbc';
const IV_LENGTH = 16; // For AES, this is always 16, checked with php
// Must be 256 bits (32 bytes, i.e. 32 ASCII characters here).
// NOTE(review): this is a sample key committed in source; a deployed key
// belongs in configuration or a secret store, not in the repository.
const password = 'lbwyBzfgzUIvXZFShJuikaWvLJhIVq36';
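/**
 * Encrypts `text` with AES-256-CBC under a freshly generated random IV.
 *
 * The result is `<iv hex>:<ciphertext hex>`, the format the PHP side parses.
 *
 * NOTE(review): CBC gives confidentiality only. Nothing in the output lets the
 * receiver detect tampering, so a modified ciphertext decrypts to modified
 * plaintext or to a padding error. If the channel is not otherwise
 * authenticated, add an HMAC over IV and ciphertext (encrypt-then-MAC) or move
 * both sides to an AEAD mode such as AES-256-GCM.
 *
 * @param {string|Buffer} text - Plaintext to encrypt.
 * @param {string|Buffer} password - Raw key material; must be exactly 32 bytes.
 * @returns {string} Hex IV and hex ciphertext joined by a colon.
 * @throws {Error} If the OpenSSL version check fails, or if the key has the
 *   wrong type or length.
 */
function encrypt(text, password) {
  // Kept from the original: refuse to run on OpenSSL 1.0.1f or older.
  // NOTE(review): this is a lexicographic string comparison, not a real version
  // comparison, and Heartbleed is a flaw in the TLS heartbeat extension, not in
  // this cipher path. Treat the check as a coarse "runtime too old" guard.
  if (process.versions.openssl <= '1.0.1f') {
    throw new Error('OpenSSL Version too old, vulnerability to Heartbleed');
  }

  // Buffer.from() instead of the deprecated `new Buffer()`: the old constructor
  // turns a numeric argument into a zero-filled buffer of that size, which
  // would silently encrypt under an all-zero key. Buffer.from() throws instead.
  const key = Buffer.from(password);

  // A new random IV per message; it is not secret and travels with the output.
  const iv = crypto.randomBytes(IV_LENGTH);
  const cipher = crypto.createCipheriv(AES_METHOD, key, iv);
  const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);

  return `${iv.toString('hex')}:${encrypted.toString('hex')}`;
}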
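/**
 * Decrypts a `<iv hex>:<ciphertext hex>` payload produced by `encrypt`
 * (or by the PHP counterpart) and returns the plaintext as a UTF-8 string.
 *
 * The original body referenced `$password`, a PHP-style name that is not
 * defined in this file, so every call raised a ReferenceError. The key now
 * comes from the optional second argument and defaults to the module-level
 * `password`.
 *
 * NOTE(review): the payload is not authenticated. A caller that reports
 * "bad padding" differently from other failures gives an attacker a
 * padding-oracle signal. Return one uniform error to remote peers. Better,
 * verify a MAC over IV and ciphertext (constant-time compare) before calling
 * this function, or use an AEAD mode on both sides.
 *
 * @param {string} text - Payload in the form `<iv hex>:<ciphertext hex>`.
 * @param {string|Buffer} [key=password] - Raw 32-byte key.
 * @returns {string} Decrypted plaintext.
 * @throws {Error} If the payload is malformed, the key is invalid, or
 *   decryption fails.
 */
function decrypt(text, key = password) {
  const separatorAt = text.indexOf(':');
  if (separatorAt === -1) {
    throw new Error('Malformed payload: expected "<iv hex>:<ciphertext hex>"');
  }

  const iv = Buffer.from(text.slice(0, separatorAt), 'hex');
  // Buffer.from(..., 'hex') stops at the first non-hex character, so a
  // damaged IV shows up as a short buffer. Reject it before touching the cipher.
  if (iv.length !== IV_LENGTH) {
    throw new Error('Malformed payload: IV has the wrong length');
  }
  const encryptedText = Buffer.from(text.slice(separatorAt + 1), 'hex');

  const decipher = crypto.createDecipheriv(AES_METHOD, Buffer.from(key), iv);
  const decrypted = Buffer.concat([decipher.update(encryptedText), decipher.final()]);
  return decrypted.toString();
}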
<?php
// Cipher shared with the Node.js side. CBC mode provides confidentiality only:
// the "<iv>:<ciphertext>" output carries no integrity or authenticity tag.
define('AES_METHOD', 'aes-256-cbc');
// 32-byte key for AES-256.
// NOTE(review): this is a sample key committed in source; a deployed key
// belongs in configuration or a secret store, not in the repository.
$password = 'lbwyBzfgzUIvXZFShJuikaWvLJhIVq36';
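/**
 * Encrypts $message with AES_METHOD under a freshly generated random IV.
 *
 * The result is "<iv hex>:<ciphertext hex>", the format the Node.js side parses.
 *
 * NOTE(review): CBC gives confidentiality only. The output has no integrity
 * tag, so tampering is not detected on decryption. Add an HMAC over IV and
 * ciphertext (encrypt-then-MAC) or move both sides to an AEAD mode if the
 * channel is not otherwise authenticated.
 *
 * @param string $message  Plaintext to encrypt.
 * @param string $password Raw key; must be exactly 32 bytes for AES-256.
 * @return string Hex IV and hex ciphertext joined by a colon.
 * @throws RuntimeException If OpenSSL is too old, the key length is wrong,
 *                          no strong IV could be generated, or encryption fails.
 */
function encrypt($message, $password)
{
    // Kept from the original.
    // NOTE(review): 268443727 equals 0x1000204F. Under OpenSSL's 0xMNNFFPPS
    // version encoding that reads as 1.0.2d, while the Node.js side compares
    // against '1.0.1f'. Confirm which threshold is intended.
    if (OPENSSL_VERSION_NUMBER <= 268443727) {
        throw new RuntimeException('OpenSSL Version too old, vulnerability to Heartbleed');
    }

    // openssl_encrypt() silently NUL-pads a short key and truncates a long one.
    // Node's createCipheriv() rejects both. Fail here so a weak or mismatched
    // key cannot go unnoticed.
    if (!is_string($password) || strlen($password) !== 32) {
        throw new RuntimeException('Encryption key must be exactly 32 bytes');
    }

    $iv_size = openssl_cipher_iv_length(AES_METHOD);

    // Check the strength flag: the function can fall back to a weaker source
    // on some platforms, and an IV must come from a cryptographically strong one.
    $crypto_strong = false;
    $iv = openssl_random_pseudo_bytes($iv_size, $crypto_strong);
    if ($iv === false || !$crypto_strong) {
        throw new RuntimeException('Could not generate a cryptographically strong IV');
    }

    $ciphertext = openssl_encrypt($message, AES_METHOD, $password, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        // Previously a failure produced "<iv>:" with an empty ciphertext.
        throw new RuntimeException('Encryption failed');
    }

    return bin2hex($iv) . ':' . bin2hex($ciphertext);
}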
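/**
 * Decrypts a "<iv hex>:<ciphertext hex>" payload produced by encrypt()
 * (or by the Node.js counterpart).
 *
 * Malformed input (missing separator, non-hex characters, wrong IV length,
 * empty ciphertext) yields false, the same value openssl_decrypt() returns on
 * failure. The original emitted notices or warnings for such input instead.
 *
 * NOTE(review): the payload is not authenticated. Callers should report every
 * failure to remote peers identically, so padding errors cannot be told apart
 * from other errors. Ideally verify a MAC over IV and ciphertext with
 * hash_equals() before decrypting.
 *
 * @param string $ciphered Payload in the form "<iv hex>:<ciphertext hex>".
 * @param string $password Raw 32-byte key.
 * @return string|false Plaintext, or false if the payload is malformed or
 *                      decryption fails.
 */
function decrypt($ciphered, $password) {
    $iv_size = openssl_cipher_iv_length(AES_METHOD);

    $data = explode(':', (string) $ciphered, 2);
    if (count($data) !== 2) {
        return false;
    }
    list($iv_hex, $ciphertext_hex) = $data;

    // hex2bin() warns and returns false on odd-length or non-hex input, so
    // validate both fields before decoding.
    $iv_ok = strlen($iv_hex) === 2 * $iv_size && ctype_xdigit($iv_hex);
    $ciphertext_ok = $ciphertext_hex !== ''
        && strlen($ciphertext_hex) % 2 === 0
        && ctype_xdigit($ciphertext_hex);
    if (!$iv_ok || !$ciphertext_ok) {
        return false;
    }

    return openssl_decrypt(hex2bin($ciphertext_hex), AES_METHOD, $password, OPENSSL_RAW_DATA, hex2bin($iv_hex));
}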

vforv commented Jul 6, 2018

Not working decryption on php side...
What should be $ciphered?


hjanuschka commented Jul 17, 2018

@vforv

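    /**
     * Decrypts a "<iv hex>:<ciphertext hex>" payload.
     *
     * Malformed input (missing separator, non-hex characters, wrong IV length,
     * empty ciphertext) yields false, the same value openssl_decrypt() returns
     * on failure.
     *
     * NOTE(review): the payload is not authenticated. Report every failure to
     * remote peers identically, and ideally verify a MAC over IV and
     * ciphertext with hash_equals() before decrypting.
     *
     * @param string $ciphered Payload in the form "<iv hex>:<ciphertext hex>".
     * @param string $password Raw 32-byte key.
     * @return string|false Plaintext, or false if the payload is malformed or
     *                      decryption fails.
     */
    public function decrypt($ciphered, $password)
    {
        $iv_size = openssl_cipher_iv_length(AES_METHOD);

        $data = explode(':', (string) $ciphered, 2);
        if (count($data) !== 2) {
            return false;
        }
        list($iv_hex, $ciphertext_hex) = $data;

        // hex2bin() warns and returns false on odd-length or non-hex input,
        // so validate both fields before decoding.
        $iv_ok = strlen($iv_hex) === 2 * $iv_size && ctype_xdigit($iv_hex);
        $ciphertext_ok = $ciphertext_hex !== ''
            && strlen($ciphertext_hex) % 2 === 0
            && ctype_xdigit($ciphertext_hex);
        if (!$iv_ok || !$ciphertext_ok) {
            return false;
        }

        return openssl_decrypt(hex2bin($ciphertext_hex), AES_METHOD, $password, OPENSSL_RAW_DATA, hex2bin($iv_hex));
    }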

fixes decryption on php side


lomelisan commented Aug 6, 2018

Thank you so much guys. Works perfect.

Just had to change line 28 of encryption.js from
let decipher = crypto.createDecipheriv('aes-256-cbc', new Buffer(ENCRYPTION_KEY), iv);

to
let decipher = crypto.createDecipheriv('aes-256-cbc', new Buffer($password), iv);


yjradeh commented Oct 24, 2019

What is the purpose of this line?
if (process.versions.openssl <= '1.0.1f') {

shouldn't it be the opposite? like if (process.versions.openssl >= '1.0.1f') {


Moses-Bassey commented May 8, 2020

What is the purpose of this line?
if (process.versions.openssl <= '1.0.1f') {

shouldn't it be the opposite? like if (process.versions.openssl >= '1.0.1f') {

I think the code snippets work with version 1.0.1f down

Owner Author

Tiriel commented May 8, 2020

Actually, it's "throw an error if the version is inferior or equal to 1.0.1f":
if (process.versions.openssl <= '1.0.1f') { // Throw error...//}

Versions of OpenSSL prior to 1.0.1g are subject to the Heartbleed vulnerability. Hence throwing an error if the version is inferior or equal to 1.0.1f.

Owner Author

Tiriel commented May 14, 2020

Hadn't seen the old comments at the time, updated the gist accordingly in case it interests someone.

Thanks everyone!
