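/**
 * Decrypts a value after verifying its HMAC (Encrypt-then-MAC).
 *
 * Expected input layout: "<hex ciphertext>|<iv>|<hex hmac>". The HMAC is
 * checked over the hex ciphertext concatenated with the IV, exactly as both
 * appear in the input, and nothing is decrypted unless that check passes.
 *
 * @param string $authenticatedCiphertext
 * @param string $password Password to decrypt with; if not specified the secret from config.php is used
 * @return string plaintext
 * @throws \Exception If the input is malformed or the HMAC does not match
 */
public function decrypt($authenticatedCiphertext, $password = '') {
    if ($password === '') {
        // NOTE(review): assumes the configured 'secret' is always set and
        // non-empty; confirm that an empty secret is rejected elsewhere.
        $password = $this->config->getSystemValue('secret');
    }
    $this->cipher->setPassword($password);

    $parts = explode('|', $authenticatedCiphertext);
    if (count($parts) !== 3) {
        throw new \Exception('Authenticated ciphertext could not be decoded.');
    }

    // hex2bin() returns false (and raises a warning) on odd-length or
    // non-hex input. Reject such fields up front so that attacker-supplied
    // garbage fails with the documented \Exception instead of passing a
    // non-string on to hash_equals() and the cipher.
    foreach ([$parts[0], $parts[2]] as $hexField) {
        if (preg_match('/\A(?:[0-9a-fA-F]{2})*\z/', $hexField) !== 1) {
            throw new \Exception('Authenticated ciphertext could not be decoded.');
        }
    }

    $ciphertext = hex2bin($parts[0]);
    $iv = $parts[1];
    $hmac = hex2bin($parts[2]);

    $this->cipher->setIV($iv);

    // Constant-time comparison; the computed MAC is the first (known)
    // argument and the caller-supplied MAC the second.
    if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $password), $hmac)) {
        throw new \Exception('HMAC does not match.');
    }

    // Only reached for authenticated input.
    return $this->cipher->decrypt($ciphertext);
}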