AES-GCM-SIV encrypts message incorrectly

[olegbaturin]

Description

The following code:

<?php
$algo = 'AES-256-GCM-SIV';
$data = 'plain text';
$pass = random_bytes(32);
$iv = str_repeat("\0", 12);
$enc = openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv, $tag);
$dec = openssl_decrypt($enc, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv, $tag);
$result = $data === $dec;
var_dump($result, $enc, $dec, $tag, openssl_error_string());

Resulted in this output:

bool(false)
string(10) "cipertext"
bool(false)
NULL
bool(false)

But I expected this output instead:
$result must be true

According to the AES-GCM-SIV spec, the ciphertext $enc must be exactly $data length + 16 bytes for the authentication tag. Alternatively, the tag can be passed separately via the $tag parameter.

PHP Version

PHP 8.5.6 (cli) (built: May  6 2026 09:31:05) (ZTS Visual C++ 2022 x64)
Copyright (c) The PHP Group
Built by The PHP Group
Zend Engine v4.5.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.6, Copyright (c), by Zend Technologies

OpenSSL 3.5.6 7 Apr 2026

---

PHP 8.5.6 (cli) (built: May 19 2026 23:08:03) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.5.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.6, Copyright (c), by Zend Technologies

OpenSSL 3.5.6 7 Apr 2026

Operating System

No response

[devnexen]

I have an idea how to process it, therefore I think it s a feature request. However, I ll let bukka decides on it because it s borderline.

[olegbaturin]

It looks like the authentication tag is lost. The tag is neither appended to the ciphertext nor returned via the $tag parameter.