使用PHP编码的字符串与使用OpenSSL编写的shell 代码之间的差异

While the key and IV in PHP/OpenSSL must be passed as raw values (i.e. binary strings) to openssl_encrypt(), they must be specified hex encoded in the OpenSSL statement (s. openssl-enc, -K. -iv options).
Both are not done correctly in the code (possibly because, as already suspected in the comment, binary and hex encoded data are confused):

• 在PHP代码中，对于键和IV，使用的不是原始散列值，而是十六进制编码的散列值.direct使用十六进制编码的哈希值是一个漏洞，因 for each 字节的取值范围从256个字节减少到16个字节.因此，这个问题应该得到解决.为此，必须将hash()函数的第三个参数设置为true:

  $key = hash('sha256', $secret_key, true);
  $iv = substr(hash('sha256', $secret_iv, true), 0, 16); 
  

• 在bash脚本中，十六进制编码的散列值被截断.要解决此问题，请使用正确的长度(64个十六进制数字或32个字节用于密钥，32个十六进制数字或16个字节用于IV):

  keyhash=$(echo -n $key | sha256sum)                      
  ivhash=$(echo -n $secret_iv | sha256sum | cut -c 1-32)   
  

如果PHP代码不能/不应该改变，尽管有上述缺点，十六进制编码的值将直接用作键和IV，则需要在批处理脚本中添加额外的十六进制编码:

keyhashstr=$(echo -n $key | sha256sum | cut -c 1-32)               
keyhash=$(printf '%s' $keyhashstr | hexdump -ve '/1 "%02X"')
ivhashstr=$(echo -n $secret_iv | sha256sum | cut -c 1-16)               
ivhash=$(printf '%s' $ivhashstr | hexdump -ve '/1 "%02X"')

(或者使用xxd而不是hexdump).

Security: Regarding the term secret_iv: The IV is not a secret and therefore does not need to be kept secret. However, it is a vulnerability if a static IV is used, as this results in a reuse of key/IV pairs if the same key is used. To prevent this, a common approach is to generate a random IV for each encryption. The IV is passed together with the ciphertext to the decrypting side, usually concatenated.
When using a passphrase, another vulnerability is to use a fast digest for key derivation. More secure is a key derivation function such as PBKDF2 in conjunction with a random (also not secret) salt.