v02enc

#!/usr/bin/env php
<?php

/*
  Copyright (c) 2023-2024, Yahe
  Copyright (c) 2016-2023, SysEleven GmbH
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:
      * Redistributions of source code must retain the above copyright
        notice, this list of conditions and the following disclaimer.
      * Redistributions in binary form must reproduce the above copyright
        notice, this list of conditions and the following disclaimer in the
        documentation and/or other materials provided with the distribution.
      * Neither the name of the SysEleven GmbH nor the
        names of its contributors may be used to endorse or promote products
        derived from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  DISCLAIMED. IN NO EVENT SHALL SYSELEVEN GMBH BE LIABLE FOR ANY
  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

##### DEFINITIONS #####

# define armor fields
define("ARMOR_FOOTER", "-----END V02ENC MESSAGE-----");
define("ARMOR_HEADER", "-----BEGIN V02ENC MESSAGE-----");

# define KDF iterations
define("KDF_ITERATIONS", 512000);

# define lengths
define("AES256_BLOCK_SIZE",  16);
define("AES256_KEY_SIZE",    32);
define("ARMOR_RAW_LENGTH",   48);
define("SHA256_OUTPUT_SIZE", 32);
define("STREAM_RAW_LENGTH",  ARMOR_RAW_LENGTH*200); // = ~8k blocks

# define encryption fields
define("CHECKMAC",      "checkmac");
define("ENCKEY",        "enckey");
define("HEADER",        "header");
define("HEADERMAC",     "headermac");
define("HEADERMACKEY",  "headermackey");
define("HEADERNONCE",   "headernonce");
define("HEADERSALT",    "headersalt");
define("KEY",           "key");
define("MESSAGE",       "message");
define("MESSAGEMAC",    "messagemac");
define("MESSAGEMACKEY", "messagemackey");
define("MESSAGENONCE",  "messagenonce");
define("SUBKEY",        "subkey");
define("SUBKEYCOUNT",   "subkeycount");
define("SUBKEYHEADER",  "subkeyheader");
define("SUBKEYLIST",    "subkeylist");
define("VERSION",       "version");

# define stream fields
define("ARMOR",  "armor");
define("BUFFER", "buffer");
define("EOF",    "eof");
define("NAME",   "name");
define("STREAM", "stream");

# define version number
define("VERSION_BYTE", "\x02");

##### GLOBAL VARIABLES #####

$__INPUTS  = [];
$__OUTPUTS = [];

##### INPUT/OUTPUT FUNCTIONS #####

function input_dearmor($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      # read the first byte to check if it contains the version byte
      $byte = fread($__INPUTS[$name][STREAM], strlen(VERSION_BYTE));
      if (false !== $byte) {
        # is the read value the version byte
        if (VERSION_BYTE === $byte) {
          # put the read byte in the input buffer
          $__INPUTS[$name][BUFFER] = $byte;

          # this was successful
          $result = true;
        } else {
          $line = "";

          # consume empty lines
          while (!input_eof($name) && (false !== $line) && (0 === strlen($line))) {
            $line = input_readln($name);

            # handle the byte that was initially read
            if (false !== $line) {
              $line = trim($byte.$line, "\n\r");
              $byte = "";
            }
          }

          # check if we found the armor header
          if (ARMOR_HEADER === $line) {
            $__INPUTS[$name][ARMOR] = true;

            # this was successful
            $result = true;
          }
        }
      }
    }
  }

  return $result;
}

function input_eof($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      # only read the value directly from the file if it isn't set internally
      if (!$__INPUTS[$name][EOF]) {
        $__INPUTS[$name][EOF] = feof($__INPUTS[$name][STREAM]);
      }

      $result = $__INPUTS[$name][EOF];
    }
  }

  return $result;
}

function input_finit($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      # clean-up leftovers
      $__INPUTS[$name][BUFFER] = "";

      unset($__INPUTS[$name]);

      $result = true;
    }
  }

  return $result;
}

function input_init($name, $stream) {
  global $__INPUTS;

  $result = false;

  if (is_string($name) && is_resource($stream)) {
    if (!array_key_exists($name, $__INPUTS)) {
      $__INPUTS[$name] = [ARMOR  => false,
                          BUFFER => "",
                          EOF    => false,
                          NAME   => $name,
                          STREAM => $stream];

      $result = true;
    }
  }

  return $result;
}

function input_isarmor($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      $result = $__INPUTS[$name][ARMOR];
    }
  }

  return $result;
}

function input_read($name, $length) {
  global $__INPUTS;

  $result = false;

  if (is_string($name) && is_int($length)) {
    if (array_key_exists($name, $__INPUTS)) {
      $result = "";

      # clean-up the input buffer first
      if (0 < strlen($__INPUTS[$name][BUFFER])) {
        $result = substr($__INPUTS[$name][BUFFER], 0, $length);

        # remove bytes from the input buffer
        $__INPUTS[$name][BUFFER] = substr($__INPUTS[$name][BUFFER], $length);
      }

      if (strlen($result) < $length) {
        $tmp = false;

        while (!input_eof($name) && (strlen($result) < $length) && (false !== $result)) {
          if (input_isarmor($name)) {
            # read next line
            $tmp = input_readln($name);
            if (false !== $tmp) {
              # ignore empty line
              if (0 < strlen($tmp)) {
                # check if we found the armor footer
                if (0 === strcmp($tmp, ARMOR_FOOTER)) {
                  # set the input to end-of-file
                  $__INPUTS[$name][EOF] = true;
                } else {
                  # decode the line
                  $tmp = base64_decode($tmp, true);
                  if (false !== $tmp) {
                    # the new block is enough to reach the $length
                    if (strlen($result)+strlen($tmp) >= $length) {
                      # how many bytes to take from the new block
                      $count = $length-strlen($result);

                      # write bytes to result
                      $result .= substr($tmp, 0, $count);

                      # update the input buffer
                      $__INPUTS[$name][BUFFER] = substr($tmp, $count);
                    } else {
                      $result .= $tmp;
                    }
                  } else {
                    # decode errors have priority
                    $result = false;
                  }
                }
              }
            } else {
              # read errors have priority
              $result = false;
            }
          } else {
            # just read the data
            $tmp = fread($__INPUTS[$name][STREAM], $length-strlen($result));

            if (false !== $tmp) {
              $result .= $tmp;
            } else {
              # read errors have priority
              $result = false;
            }
          }
        }
      }
    }
  }

  return $result;
}

function input_readln($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      $result = fgets($__INPUTS[$name][STREAM]);
      if (false !== $result) {
        # remove line breaks from the end of the line
        $result = trim($result, "\n\r");
      }
    }
  }

  return $result;
}

function input_read_collect($name, $length, &$collection) {
  $result = input_read($name, $length);

  # if we have returned data, append to $collection
  if (is_string($result)) {
    $collection .= $result;
  }

  return $result;
}

function input_trailing($name) {
  global $__INPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__INPUTS)) {
      # check if we reached eof
      $result = !feof($__INPUTS[$name][STREAM]);

      # only continue if we have an armored file
      if ($result && input_isarmor($name)) {
        $line = "";

        # consume empty lines
        while (!feof($__INPUTS[$name][STREAM]) && (false !== $line) && (0 === strlen($line))) {
          $line = input_readln($name);
        }

        # check if we reached eof or encountered additional content
        $result = (!feof($__INPUTS[$name][STREAM]) || (0 < strlen($line)));
      }
    }
  }

  return $result;
}

function output_armor($name) {
  global $__OUTPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__OUTPUTS)) {
      $__OUTPUTS[$name][ARMOR] = true;

      # write armor header
      $result = (strlen(ARMOR_HEADER)+1 === fwrite($__OUTPUTS[$name][STREAM], ARMOR_HEADER."\n"));
    }
  }

  return $result;
}

function output_finit($name) {
  global $__OUTPUTS;

  $result = false;

  if (is_string($name)) {
    if (array_key_exists($name, $__OUTPUTS)) {
      $result = true;

      if ($__OUTPUTS[$name][ARMOR]) {
        # write rest of the output buffer
        $tmp     = base64_encode($__OUTPUTS[$name][BUFFER]);
        $result &= (strlen($tmp) === fwrite($__OUTPUTS[$name][STREAM], $tmp));

        # write armor footer
        $result &= (strlen(ARMOR_FOOTER)+1 === fwrite($__OUTPUTS[$name][STREAM], "\n".ARMOR_FOOTER));

        # clean-up leftovers
        $__OUTPUTS[$name][BUFFER] = "";
      }

      if ($result) {
        unset($__OUTPUTS[$name]);
      }
    }
  }

  return $result;
}

function output_init($name, $stream) {
  global $__OUTPUTS;

  $result = false;

  if (is_string($name) && is_resource($stream)) {
    if (!array_key_exists($name, $__OUTPUTS)) {
      $__OUTPUTS[$name] = [ARMOR  => false,
                           BUFFER => "",
                           NAME   => $name,
                           STREAM => $stream];

      $result = true;
    }
  }

  return $result;
}

function output_write($name, $data) {
  global $__OUTPUTS;

  $result = false;

  if (is_string($name) && is_string($data)) {
    if (array_key_exists($name, $__OUTPUTS)) {
      if ($__OUTPUTS[$name][ARMOR]) {
        # prepare result
        $result = true;

        # prepend the current output buffer to the data
        $data = $__OUTPUTS[$name][BUFFER].$data;

        # prepare Base64 encoding
        $position = 0;

        # split data into chunks to Base64-encode and write them
        while (strlen($data)-$position >= ARMOR_RAW_LENGTH) {
          $tmp     = base64_encode(substr($data, $position, ARMOR_RAW_LENGTH));
          $result &= (strlen($tmp)+1 === fwrite($__OUTPUTS[$name][STREAM], "{$tmp}\n"));

          # increase the position
          if ($result) {
            $position = $position+ARMOR_RAW_LENGTH;
          } else {
            # exit the loop
            break;
          }
        }

        # proceed if nothing went wrong
        if ($result) {
          # put rest of the data in write buffer
          $__OUTPUTS[$name][BUFFER] = substr($data, $position);
        } else  {
          # clean-up leftovers
          $__OUTPUTS[$name][BUFFER] = "";
        }
      } else {
        # just write the data
        $result = (strlen($data) === fwrite($__OUTPUTS[$name][STREAM], $data));
      }
    }
  }

  return $result;
}

##### CRYPTOGRAPHIC FUNCTIONS #####

# TODO: chr() and ord() are not time-constant
function increment($counter, $increment = 0x01) {
  $result = $counter;

  if (is_string($result) && is_int($increment) && (0x00 <= $increment)) {
    # add increment to the result
    for ($index = strlen($result)-0x01; $index >= 0x00; $index--) {
      $tmp            = ((ord($result[$index]) + $increment) >> 0x08);
      $result[$index] = chr((ord($result[$index]) + $increment) & 0xFF);
      $increment      = $tmp;
    }
  }

  return $result;
}

# reusable header decryption
function decrypt_header($input, $recipients, &$data, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_array($recipients) && is_array($data)) {
    if (0 < count($recipients)) {
      # prepare MAC comparison
      $data[HEADER] = "";

      $data[VERSION]      = input_read_collect($input, 1,                 $data[HEADER]);
      $data[HEADERSALT]   = input_read_collect($input, AES256_KEY_SIZE,   $data[HEADER]);
      $data[HEADERNONCE]  = input_read_collect($input, AES256_BLOCK_SIZE, $data[HEADER]);
      $data[MESSAGENONCE] = input_read_collect($input, AES256_BLOCK_SIZE, $data[HEADER]);

      $data[SUBKEYCOUNT] = hexdec(bin2hex(input_read_collect($input, 2, $data[HEADER])));
      $data[SUBKEYLIST]  = [];

      # iterate through the subkeys
      for ($i = 0; $i < $data[SUBKEYCOUNT]; $i++) {
        $data[SUBKEYLIST][$i]               = [];
        $data[SUBKEYLIST][$i][CHECKMAC]     = [];
        $data[SUBKEYLIST][$i][ENCKEY]       = [];
        $data[SUBKEYLIST][$i][KEY]          = [];
        $data[SUBKEYLIST][$i][HEADERMACKEY] = [];
        $data[SUBKEYLIST][$i][SUBKEY]       = [];
        $data[SUBKEYLIST][$i][SUBKEYHEADER] = input_read_collect($input, AES256_KEY_SIZE, $data[HEADER]);
      }

      # do not add the header mac to the overall header
      $data[HEADERMAC] = input_read($input, SHA256_OUTPUT_SIZE);

      if (VERSION_BYTE === $data[VERSION]) {
        # prevent excessive key search if we reached eof,
        # this is definitely a malformed input
        if (!input_eof($input)) {
          # set default key value
          $data[KEY] = false;

          # iterate through the recipients and see whether we find a fitting key
          $keys    = array_keys($recipients);
          $subkeys = array_keys($data[SUBKEYLIST]);
          foreach ($subkeys as $subkey) {
            foreach ($keys as $key) {
              # derive secure key from recipient key and salt
              $data[SUBKEYLIST][$subkey][SUBKEY][$key] = hash_pbkdf2("sha256", $recipients[$key], $data[HEADERSALT], KDF_ITERATIONS, 0, true);

              if (false !== $data[SUBKEYLIST][$subkey][SUBKEY][$key]) {
                # decrypt subkey with derived secure key
                $data[SUBKEYLIST][$subkey][KEY][$key] = openssl_decrypt($data[SUBKEYLIST][$subkey][SUBKEYHEADER], "aes-256-ctr", $data[SUBKEYLIST][$subkey][SUBKEY][$key], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $data[HEADERNONCE]);

                if (false !== $data[SUBKEYLIST][$subkey][KEY][$key]) {
                  # generate mac keys
                  $data[SUBKEYLIST][$subkey][HEADERMACKEY][$key] = hash_hmac("sha256", "mac-header", $data[SUBKEYLIST][$subkey][KEY][$key], true);

                  if (false !== $data[SUBKEYLIST][$subkey][HEADERMACKEY][$key]) {
                    # calculate header mac with header mac key
                    $data[SUBKEYLIST][$subkey][CHECKMAC][$key] = hash_hmac("sha256", $data[HEADER], $data[SUBKEYLIST][$subkey][HEADERMACKEY][$key], true);

                    if (false !== $data[SUBKEYLIST][$subkey][CHECKMAC][$key]) {
                      if (hash_equals($data[SUBKEYLIST][$subkey][CHECKMAC][$key], $data[HEADERMAC])) {
                        # generate encryption key
                        $data[KEY] = $data[SUBKEYLIST][$subkey][KEY][$key];
                      }
                    }
                  }
                }
              }
            }
          }

          if (false !== $data[KEY]) {
            $data[ENCKEY]        = hash_hmac("sha256", "enc",         $data[KEY], true); // generate enc key
            $data[HEADERMACKEY]  = hash_hmac("sha256", "mac-header" , $data[KEY], true); // generate mac key
            $data[MESSAGEMACKEY] = hash_hmac("sha256", "mac-message", $data[KEY], true); // generate mac key

            if ((false !== $data[ENCKEY]) && (false !== $data[MESSAGEMACKEY]) && (false !== $data[MESSAGEMACKEY])) {
              $result = true;
            } else {
              $error = "Key expansion failed.";
            }
          } else {
            $error = "No matching recipient provided.";
          }
        } else {
          $error = "Message has malformed header.";
        }
      } else  {
        $error = "Message has wrong version.";
      }
    } else {
      $error = "No recipients provided.";
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

# reusable message decryption
function decrypt_message($input, $output, &$data, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_string($output) && is_array($data)) {
    # prepare message hmac
    if ($checkmac = hash_init("sha256", HASH_HMAC, $data[MESSAGEMACKEY])) {
      hash_update($checkmac, $data[HEADER]);
      hash_update($checkmac, $data[HEADERMAC]);

      # prepare streamed message encryption
      $buffer  = "";
      $counter = $data[MESSAGENONCE];
      while (!input_eof($input) && (false === $error)) {
        # we read a specific number of ARMOR_RAW_LENGTH blocks to
        # optimize the input and output buffering behaviour by
        # ensuring that the block size aligns with the AES block
        # size, armor raw length and armor Base64 length
        $tmp = input_read($input, STREAM_RAW_LENGTH);
        if (false !== $tmp) {
          # add read string to buffer
          $buffer .= $tmp;

          # get number of AES blocks,
          # keep 32 bytes at the end for a potential message mac
          $blocks = 0;
          if (SHA256_OUTPUT_SIZE < strlen($buffer)) {
            $blocks = intdiv(strlen($buffer)-SHA256_OUTPUT_SIZE, AES256_BLOCK_SIZE);
          }

          if (0 < $blocks) {
            # decrypt full block lengths
            $tmp = openssl_decrypt(substr($buffer, 0, $blocks*AES256_BLOCK_SIZE), "aes-256-ctr", $data[ENCKEY], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $counter);
            if (false !== $tmp) {
              hash_update($checkmac, substr($buffer, 0, $blocks*AES256_BLOCK_SIZE));

              # increment the counter for the next round
              $counter = increment($counter, $blocks);

              if (output_write($output, $tmp)) {
                $buffer = substr($buffer, $blocks*AES256_BLOCK_SIZE);
              } else {
                $error = "Message could not be written to output.";
              }
            } else {
              $error = "Message decryption failed.";
            }
          }
        } else {
          $error = "Message could not be read from input.";
        }
      }

      # handle the rest of the buffer
      if (false === $error) {
        # get the message mac
        $data[MESSAGEMAC] = substr($buffer, -SHA256_OUTPUT_SIZE);

        # prepare the buffer for the last round
        $buffer = substr($buffer, 0, -SHA256_OUTPUT_SIZE);

        # decrypt what's left
        $tmp = openssl_decrypt($buffer, "aes-256-ctr", $data[ENCKEY], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $counter);
        if (false !== $tmp) {
          hash_update($checkmac, $buffer);

          if (!output_write($output, $tmp)) {
            $error = "Message could not be written to output.";
          }
        } else {
          $error = "Message decryption failed.";
        }
      }

      if (false === $error) {
        # calculate message mac with message mac key
        $data[CHECKMAC] = hash_final($checkmac, true);

        $result = hash_equals($data[CHECKMAC], $data[MESSAGEMAC]);
        if (!$result) {
          $error = "Message MAC does not belong to message.";
        }
      } else {
        # keep the error message of the loop
      }
    } else {
      $error = "Message HMAC could not be initialized.";
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

# reusable message encryption
function encrypt_message($input, $output, &$data, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_string($output) && is_array($data)) {
    # concatenate the header
    $data[HEADER]  = $data[VERSION];
    $data[HEADER] .= $data[HEADERSALT];
    $data[HEADER] .= $data[HEADERNONCE];
    $data[HEADER] .= $data[MESSAGENONCE];
    $data[HEADER] .= hex2bin(sprintf("%04x", $data[SUBKEYCOUNT]));

    $keys = array_keys($data[SUBKEYHEADER]);
    foreach ($keys as $key) {
      $data[HEADER] .= $data[SUBKEYHEADER][$key];
    }

    # calculate the header mac with the header mac key
    $data[HEADERMAC] = hash_hmac("sha256", $data[HEADER], $data[HEADERMACKEY], true);

    if (false !== $data[HEADERMAC]) {
      # write header to output
      if (output_write($output, $data[HEADER].$data[HEADERMAC])) {
        # prepare message hmac
        if ($messagemac = hash_init("sha256", HASH_HMAC, $data[MESSAGEMACKEY])) {
          hash_update($messagemac, $data[HEADER]);
          hash_update($messagemac, $data[HEADERMAC]);

          # prepare streamed message encryption
          $buffer  = "";
          $counter = $data[MESSAGENONCE];
          while (!input_eof($input) && (false === $error)) {
            # we read a specific number of ARMOR_RAW_LENGTH blocks to
            # optimize the input and output buffering behaviour by
            # ensuring that the block size aligns with the AES block
            # size, armor raw length and armor Base64 length
            $tmp = input_read($input, STREAM_RAW_LENGTH);
            if (false !== $tmp) {
              # add read string to buffer
              $buffer .= $tmp;

              # get number of AES blocks
              $blocks = intdiv(strlen($buffer), AES256_BLOCK_SIZE);

              if (0 < $blocks) {
                # encrypt full block lengths
                $tmp = openssl_encrypt(substr($buffer, 0, $blocks*AES256_BLOCK_SIZE), "aes-256-ctr", $data[ENCKEY], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $counter);
                if (false !== $tmp) {
                  hash_update($messagemac, $tmp);

                  # increment the counter for the next round
                  $counter = increment($counter, $blocks);

                  if (output_write($output, $tmp)) {
                    $buffer = substr($buffer, $blocks*AES256_BLOCK_SIZE);
                  } else {
                    $error = "Message could not be written to output.";
                  }
                } else {
                  $error = "Message encryption failed.";
                }
              }
            } else {
              $error = "Message could not be read from input.";
            }
          }

          # handle the rest of the buffer
          if (false === $error) {
            # encrypt what's left
            $tmp = openssl_encrypt($buffer, "aes-256-ctr", $data[ENCKEY], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $counter);
            if (false !== $tmp) {
              hash_update($messagemac, $tmp);

              if (output_write($output, $tmp)) {
                # calculate message mac with message mac key
                $data[MESSAGEMAC] = hash_final($messagemac, true);

                $result = output_write($output, $data[MESSAGEMAC]);
                if (!$result) {
                  $error = "Message could not be written to output.";
                }
              } else {
                $error = "Message could not be written to output.";
              }
            } else {
              $error = "Message encryption failed.";
            }
          }
        } else {
          $error = "Message HMAC could not be initialized.";
        }
      } else {
        $error = "Header could not be written to output.";
      }
    } else {
      $error = "Header MAC calculation failed.";
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

function decrypt_v02($input, $output, $recipients, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_string($output)) {
    $data = [];

    try {
      if (decrypt_header($input, $recipients, $data, $error)) {
        $result = decrypt_message($input, $output, $data, $error);
        if (!$result) {
          # keep the error text from decrypt_message()
        }
      } else {
        # keep the error text from decrypt_header()
      }
    } finally {
      zeroize_array($data);
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

function encrypt_v02($input, $output, $recipients, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_string($output) && is_array($recipients)) {
    if (0xFFFF >= count($recipients)) {
      if (0 < count($recipients)) {
        $data = [];

        try {
          # set and generate values
          $data[VERSION]    = "\x02";
          $data[HEADERSALT] = openssl_random_pseudo_bytes(AES256_KEY_SIZE, $strong_crypto_headersalt); // generate random salt
          $data[KEY]        = openssl_random_pseudo_bytes(AES256_KEY_SIZE, $strong_crypto_key);        // generate random key

          if ((false !== $data[HEADERSALT]) && (false !== $data[KEY]) && $strong_crypto_headersalt && $strong_crypto_key) {
            $data[ENCKEY]        = hash_hmac("sha256", "enc",         $data[KEY], true); // generate enc key
            $data[HEADERMACKEY]  = hash_hmac("sha256", "mac-header",  $data[KEY], true); // generate mac key
            $data[MESSAGEMACKEY] = hash_hmac("sha256", "mac-message", $data[KEY], true); // generate mac key

            if ((false !== $data[ENCKEY]) && (false !== $data[HEADERMACKEY]) && (false !== $data[MESSAGEMACKEY])) {
              # use the same time for both nonces
              $time = time();

              $data[HEADERNONCE]  = hex2bin(sprintf("%016xFFFFFFFF00000000", $time)); // generate nonce
              $data[MESSAGENONCE] = hex2bin(sprintf("%016x0000000000000000", $time)); // generate nonce

              if ((false !== $data[HEADERNONCE]) && (false !== $data[MESSAGENONCE])) {
                # iterate through recipients and generate rsa keys
                $data[SUBKEY]       = [];
                $data[SUBKEYCOUNT]  = 0;
                $data[SUBKEYHEADER] = [];

                $keys = array_keys($recipients);
                foreach ($keys as $key) {
                  $data[SUBKEY][$key] = hash_pbkdf2("sha256", $recipients[$key], $data[HEADERSALT], KDF_ITERATIONS, 0, true);

                  if (false !== $data[SUBKEY][$key]) {
                    $data[SUBKEYHEADER][$key] = openssl_encrypt($data[KEY], "aes-256-ctr", $data[SUBKEY][$key], OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $data[HEADERNONCE]);

                    if (false !== $data[SUBKEYHEADER][$key]) {
                      $data[SUBKEYCOUNT] = $data[SUBKEYCOUNT]+1;
                    }
                  }
                }

                # check if we were able to encrypt for all recipients
                if (count($recipients) === $data[SUBKEYCOUNT]) {
                  $result = encrypt_message($input, $output, $data, $error);
                  if (!$result) {
                    # keep the error text from encrypt_message()
                  }
                } else {
                  $error = "Key encryption failed.";
                }
              } else {
                $error = "Nonce generation failed.";
              }
            } else {
              $error = "Key expansion failed.";
            }
          } else {
            $error = "Randomness generation failed.";
          }
        } finally {
          zeroize_array($data);
        }
      } else {
        $error = "No recipients provided.";
      }
    } else {
      $error = "Too many recipients provided.";
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

function update_v02($input, $update, $output, $recipients, &$error) {
  $result = false;
  $error  = false;

  if (is_string($input) && is_string($update) && is_string($output)) {
    $data = [];

    try {
      if (decrypt_header($input, $recipients, $data, $error)) {
        $newdata = [];

        try {
          # copy values from $data to $newdata to separate decryption from re-encryption
          $newdata[ENCKEY]        = $data[ENCKEY];
          $newdata[HEADERMACKEY]  = $data[HEADERMACKEY];
          $newdata[HEADERNONCE]   = $data[HEADERNONCE];
          $newdata[HEADERSALT]    = $data[HEADERSALT];
          $newdata[KEY]           = $data[KEY];
          $newdata[MESSAGEMACKEY] = $data[MESSAGEMACKEY];
          $newdata[SUBKEYCOUNT]   = $data[SUBKEYCOUNT];
          $newdata[SUBKEYHEADER]  = [];
          $newdata[VERSION]       = $data[VERSION];

          # copy the subkey headers from $data to $newdata to separate decryption from re-encryption
          $keys = array_keys($data[SUBKEYLIST]);
          foreach ($keys as $key) {
            $newdata[SUBKEYHEADER][$key] = $data[SUBKEYLIST][$key][SUBKEYHEADER];
          }

          # !!! create a NEW message nonce to prevent nonce reuse
          $newdata[MESSAGENONCE] = hex2bin(sprintf("%016x0000000000000000", time())); // generate nonce

          if (false !== $newdata[MESSAGENONCE]) {
            $result = encrypt_message($update, $output, $newdata, $error);
            if (!$result) {
              # keep the error text from encrypt_message()
            }
          } else {
            $error = "Nonce generation failed.";
          }
        } finally {
          zeroize_array($newdata);
        }
      } else {
        # keep the error text from decrypt_header()
      }
    } finally {
      zeroize_array($data);
    }
  } else {
    $error = "Insufficient arguments provided.";
  }

  return $result;
}

function zeroize_array(&$array) {
  $result = false;

  if (is_array($array)) {
    $result = true;

    $keys = array_keys($array);
    foreach ($keys as $key) {
      if (is_array($array[$key])) {
        $result = $result && zeroize_array($array[$key]);
      } elseif (is_string($array[$key])) {
        for ($i = 0; $i < strlen($array[$key]); $i++) {
          $array[$key][$i] = "\0";
        }
      }
    }
  }

  return $result;
}

##### HELPER FUNCTIONS #####

function check_armor($options, $rest, &$error) {
  return (0 < count(get_opt_values($options, "a", "armor")));
}

function check_decrypt($options, $rest, &$error) {
  return (0 < count(get_opt_values($options, "d", "decrypt")));
}

function check_encrypt($options, $rest, &$error) {
  return (0 < count(get_opt_values($options, "e", "encrypt")));
}

function check_file($options, $rest, &$error) {
  $result = false;

  if (1 === count($rest)) {
    if ("-" === $rest[0]) {
      $result = "php://stdin";
    } elseif (is_file($rest[0])) {
      $result = $rest[0];
    } else {
      if (!is_array($error)) {
        $error = [];
      }
      $error[] = "File does not exist: {$rest[0]}";
    }
  } elseif (1 < count($rest)) {
    if (!is_array($error)) {
      $error = [];
    }
    $error[] = "Too many files provided.";
  }

  return $result;
}

function check_help($options, $rest, &$error) {
  return (0 < count(get_opt_values($options, "h", "help")));
}

function check_key($options, $rest, &$error) {
  $result = false;

  $key = get_opt_values($options, "k", "key");
  if (0 < count($key)) {
    $result = [];

    foreach ($key as $keyvalue) {
      if ("-" === $keyvalue) {
        $result[] = "php://stdin";
      } elseif (is_file($keyvalue)) {
        $result[] = $keyvalue;
      } else {
        if (!is_array($error)) {
          $error = [];
        }
        $error[] = "Key does not exist: {$keyvalue}";
      }
    }
  }

  return $result;
}

function check_keychain($options, $rest, &$error) {
  $result = false;

  $keychain = get_opt_values($options, "c", "keychain");
  if (0 < count($keychain)) {
    # check if we are running on macOS
    if (0 === strcasecmp(php_uname("s"), "darwin")) {
      # get the real uid and try to retrieve the corresponding username
      $user = posix_getpwuid(posix_getuid());

      if ((false !== $user) && array_key_exists("name", $user)) {
        $result = [];

        foreach ($keychain as $keychainvalue) {
          # prepare output
          $output = null;

          # execute the external command
          $line = exec("/usr/bin/env security find-generic-password -a '".escapeshellarg($user["name"])."' -s '".escapeshellarg($keychainvalue)."' -w 2>/dev/null", $output, $exitcode);

          if ((false !== $line) && (0 < count($output)) && (0 === $exitcode)) {
            # decode keychain entry
            $tmp = hex2bin(implode("", $output));

            if ((false !== $tmp) && (0 < strlen($tmp))) {
              $result[] = $tmp;
            } else {
              if (!is_array($error)) {
                $error = [];
              }
              $error[] = "Keychain entry is malformed: {$keychainvalue}";
            }
          } else {
            if (!is_array($error)) {
              $error = [];
            }
            $error[] = "Keychain entry does not exist: {$keychainvalue}";
          }
        }
      } else {
        if (!is_array($error)) {
          $error = [];
        }
        $error[] = "Could not retrieve the process username.";
      }
    } else {
      if (!is_array($error)) {
        $error = [];
      }
      $error[] = "Keychain entries are only supported on macOS.";
    }
  }

  return $result;
}

function check_input($options, $rest, &$error) {
  $result = false;

  $input = get_opt_values($options, "i", "input");
  if (1 === count($input)) {
    if ("-" === $input[0]) {
      $result = "php://stdin";
    } elseif (is_file($input[0])) {
      $result = $input[0];
    } else {
      if (!is_array($error)) {
        $error = [];
      }
      $error[] = "Input does not exist: {$input[0]}";
    }
  } elseif (1 < count($input)) {
    if (!is_array($error)) {
      $error = [];
    }
    $error[] = "Too many inputs provided.";
  }

  return $result;
}

function check_message($options, $rest, &$error) {
  $result = false;

  $message = get_opt_values($options, "m", "message");
  if (1 === count($message)) {
    $result = $message[0];
  } elseif (1 < count($message)) {
    if (!is_array($error)) {
      $error = [];
    }
    $error[] = "Too many messages provided.";
  }

  return $result;
}

function check_output($options, $rest, &$error) {
  $result = false;

  $output = get_opt_values($options, "o", "output");
  if (1 === count($output)) {
    if ("-" === $output[0]) {
      $result = "php://stdout";
    } elseif ("+" === $output[0]) {
      $result = "php://stderr";
    } else {
      $result = $output[0];
    }
  } elseif (1 < count($output)) {
    if (!is_array($error)) {
      $error = [];
    }
    $error[] = "Too many outputs provided.";
  }

  return $result;
}

function check_password($options, $rest, &$error) {
  $result = false;

  $password = get_opt_values($options, "p", "password");
  if (0 < count($password)) {
    $result = $password;
  }

  return $result;
}

function check_update($options, $rest, &$error) {
  $result = false;

  $update = get_opt_values($options, "u", "update");
  if (1 === count($update)) {
    if ("-" === $update[0]) {
      $result = "php://stdin";
    } elseif (is_file($update[0])) {
      $result = $update[0];
    } else {
      if (!is_array($error)) {
        $error = [];
      }
      $error[] = "Update does not exist: {$update[0]}";
    }
  } elseif (1 < count($update)) {
    if (!is_array($error)) {
      $error = [];
    }
    $error[] = "Too many updates provided.";
  }

  return $result;
}

function get_opt_values($options, $short_opt, $long_opt) {
  $result = [];

  foreach ([$short_opt, $long_opt] as $optname) {
    if (array_key_exists($optname, $options)) {
      if (is_array($options[$optname])) {
        foreach ($options[$optname] as $optvalue) {
          $result[] = $optvalue;
        }
      } else {
        $result[] = $options[$optname];
      }
    }
  }

  return $result;
}

function get_long_opts() {
  return ["armor",     // armor without a value
          "decrypt",   // decrypt without a value
          "encrypt",   // encrypt without a value
          "help",      // help without a value
          "input:",    // input with a required value
          "key:",      // key with a required value
          "keychain:", // keychain with a required value
          "message:",  // message with a required value
          "output:",   // output with a required value
          "password:", // password with a required value
          "update:"];  // update with a required value
}

function get_short_opts() {
  return  "a"   // armor without a value
         ."c:"  // keychain with a required value
         ."d"   // decrypt without a value
         ."e"   // encrypt without a value
         ."h"   // help without a value
         ."i:"  // input with a required value
         ."k:"  // key with a required value
         ."m:"  // message with a required value
         ."o:"  // output with a required value
         ."p:"  // password with a required value
         ."u:"; // update with a required value
}

function print_error($string) {
  fwrite(STDERR, "\nERROR: {$string}\n");
}

function print_info($string) {
  fwrite(STDERR, "\nINFO: {$string}\n");
}

function print_help() {
  print("v02enc v0.2b7\n");
  print("\n");
  print("Usage:\n");
  print("======\n");
  print("\n");
  print("./".basename(__FILE__)."\n");
  print("  [-d|--decrypt|-e|--encrypt|-u <file>|--update <file>]\n");
  print("  [-a|--armor]\n");
  print("  [-c <string>|--keychain <string>]\n");
  print("  [-h|-help]\n");
  print("  [-i <file>|--input <file>]\n");
  print("  [-k <file>|--key <file>]*\n");
  print("  [-m|--message <string>]\n");
  print("  [-o <file>|--output <file>]\n");
  print("  [-p <string>|--password <string>]*\n");
  print("  [<file>]\n");
  print("\n");
  print("Options:\n");
  print("========\n");
  print("\n");
  print("  -d          | --decrypt           Decrypt a message.\n");
  print("  -e          | --encrypt           Encrypt a message.\n");
  print("  -u <file>   | --update <file>     Update an encrypted message with the contents in <file>.\n");
  print("                                    <file> can be \"-\" to read from STDIN.\n");
  print("  -a          | --armor             ASCII-armor the encrypted message.\n");
  print("  -c <string> | --keychain <string> Use the hex-decoded generic password in the macOS\n");
  print("                                    keychain with the name <string> as an encryption key.\n");
  print("                                    This option can be provided multiple times.\n");
  print("  -h          | --help              Print this help.\n");
  print("  -i <file>   | --input <file>      Use <file> as the input.\n");
  print("                                    <file> can be \"-\" to read from STDIN.\n");
  print("                                    The default is STDIN.\n");
  print("  -k <file>   | --key <file>        Use the contents in <file> as an encryption key.\n");
  print("                                    This option can be provided multiple times.\n");
  print("                                    <file> can be \"-\" to read from STDIN.\n");
  print("  -m <string> | --message <string>  Use <string> as the input.\n");
  print("  -o <file>   | --output <file>     Use <file> as the output.\n");
  print("                                    <file> can be \"-\" to write to STDOUT.\n");
  print("                                    <file> can be \"+\" to write to STDERR.\n");
  print("                                    The default is STDOUT.\n");
  print("  -p <string> | --password <string> Use <string> as an encryption key.\n");
  print("                                    This option can be provided multiple times.\n");
  print("  <file>                            Use <file> as the input.\n");
  print("                                    <file> can be \"-\" to read from STDIN.\n");
  print("                                    The default is STDIN.\n");
  print("\n");
  print("Notes:\n");
  print("======\n");
  print("\n");
  print("* You can only use one mode at a time, so either decrypt, encrypt or update.\n");
  print("* You can only use one input at a time.\n");
  print("* You can only use one output at a time.\n");
  print("\n");
  print("macOS Keychain:\n");
  print("===============\n");
  print("\n");
  print("You can add a password to the macOS keychain like this:\n");
  print("> security \\\n");
  print("    add-generic-password \\\n");
  print("    -a \"$(whoami)\" \\\n");
  print("    -s \"<string>\" \\\n");
  print("    -T \"\" \\\n");
  print("    -U \\\n");
  print("    -w \"$(echo -n \"Password: \" >&2 && \\\n");
  print("          read -s password && \\\n");
  print("          echo \$password | \\\n");
  print("          xxd -p | \\\n");
  print("          tr -d \"\\n\")\"\n");
  print("\n");
  print("You can view a password in the macOS keychain like this:\n");
  print("> security \\\n");
  print("    find-generic-password \\\n");
  print("    -a \"$(whoami)\" \\\n");
  print("    -s \"<string>\" \\\n");
  print("    -w | \\\n");
  print("    xxd -p -r\n");
  
}

##### MAIN FUNCTION #####

function main($arguments) {
  $result = 0;

  # parse the parameters
  $options = getopt(get_short_opts(), get_long_opts(), $rest_index);
  $rest    = array_slice($arguments, $rest_index);

  # set configuration
  $armor    = check_armor(   $options, $rest, $error);
  $decrypt  = check_decrypt( $options, $rest, $error);
  $encrypt  = check_encrypt( $options, $rest, $error);
  $file     = check_file(    $options, $rest, $error);
  $help     = check_help(    $options, $rest, $error);
  $key      = check_key(     $options, $rest, $error);
  $keychain = check_keychain($options, $rest, $error);
  $input    = check_input(   $options, $rest, $error);
  $message  = check_message( $options, $rest, $error);
  $output   = check_output(  $options, $rest, $error);
  $password = check_password($options, $rest, $error);
  $update   = check_update(  $options, $rest, $error);

  # only proceed if we have not encountered a configuration error
  if ((!is_array($error)) || (0 === count($error))) {
    # handle help first
    if ($help || (1 === count($arguments))) {
      print_help();
    } else {
      # ensure that only one mode is selected
      if (($decrypt ^ $encrypt ^ (false !== $update)) && !($decrypt && $encrypt && (false !== $update))) {
        # ensure that at most one input type is provided
        if (((false === $file) && (false === $input) && (false === $message)) ||
            (((false !== $file) ^ (false !== $input) ^ (false !== $message)) && !((false !== $file) && (false !== $input) && (false !== $message)))) {
          $inputfile = "php://stdin";
          if (false !== $file) {
            $inputfile = $file;
          } elseif (false !== $input) {
            $inputfile = $input;
          } elseif (false !== $message) {
            $inputfile = null;
          }

          $outputfile = "php://stdout";
          if (false !== $output) {
            $outputfile = $output;
          }

          $recipients = [];
          if (false !== $key) {
            foreach ($key as $keyvalue) {
              $tmp = file_get_contents($keyvalue);
              if (false !== $tmp) {
                $recipients[] = $tmp;
              }
            }
          }
          if (false !== $keychain) {
            foreach ($keychain as $keychainvalue) {
              $recipients[] = $keychainvalue;
            }
          }
          if (false !== $password) {
            foreach ($password as $passwordvalue) {
              $recipients[] = $passwordvalue;
            }
          }
          $recipients = array_unique($recipients);

          # ensure that there is at least one recipient
          if (0 < count($recipients)) {
            $inputstream = false;

            if (null === $inputfile) {
              # write $message into memory stream
              $inputstream = fopen("php://memory", "rwb");
              if (false !== $inputstream) {
                if ((strlen($message) !== fwrite($inputstream, $message)) || !rewind($inputstream)) {
                  # some error occured
                  fclose($inputstream);
                  $inputstream = false;
                }
              }
            } else {
              $inputstream = fopen($inputfile, "rb");
            }

            if (false !== $inputstream) {
              try {
                if (input_init("input", $inputstream)) {
                  try {
                    $outputstream = fopen($outputfile, "wb");
                    if (false !== $outputstream) {
                      try {
                        if (output_init("output", $outputstream)) {
                          try {
                            # prepare execution
                            $success = false;
                            $error   = "";

                            if ($decrypt) {
                              # prepare input dearmoring
                              if (input_dearmor("input")) {
                                # try to decrypt
                                $success = decrypt_v02("input", "output", $recipients, $error);
                              } else {
                                $error = "Input could not be dearmored.";
                              }
                            } elseif ($encrypt) {
                              # prepare output armoring
                              if (!$armor || output_armor("output")) {
                                # try to encrypt
                                $success = encrypt_v02("input", "output", $recipients, $error);
                              } else {
                                $error = "Output could not be armored.";
                              }
                            } elseif (false !== $update) {
                              # prepare input dearmoring
                              if (input_dearmor("input")) {
                                # prepare output armoring
                                if (!$armor || output_armor("output")) {
                                  $updatestream = fopen($update, "rb");
                                  if (false !== $updatestream) {
                                    try {
                                      if (input_init("update", $updatestream)) {
                                        try {
                                          $success = update_v02("input", "update", "output", $recipients, $error);
                                        } finally {
                                          if (!input_finit("update")) {
                                            $error = "Update could not be finalized.";
                                          }
                                        }
                                      } else {
                                        $error = "Update could not be initialized.";
                                      }
                                    } finally {
                                      if (!fclose($updatestream)) {
                                        $error = "Update could not be closed.";
                                      }
                                    }
                                  } else {
                                    $error = "Update could not be opened";
                                  }
                                } else {
                                  $error = "Output could not be armored.";
                                }
                              } else {
                                $error = "Input could not be dearmored.";
                              }
                            }

                            # ensure that the execution succeeded
                            if ($success) {
                              # warn user if file handling ended before eof, this can happen
                              # with armored files that have additional content after the
                              # armor footer, this is not an error but expected behaviour,
                              # skip this test on update as we will only read the header
                              # when updating an existing file
                              if ($decrypt || $encrypt) {
                                if (input_trailing("input")) {
                                  print_info("The input contains unprocessed trailing content.");
                                }
                              }
                            } else {
                              # print method errors
                              print_error($error);
                            $result = 13;
                            }
                          } finally {
                            if (!output_finit("output")) {
                              print_error("Output could not be finalized.");

                              # only overwrite exit code if it is not set
                              if (0 === $result) {
                                $result = 12;
                              }
                            }
                          }
                        } else {
                          print_error("Output could not be initialized.");
                          $result = 11;
                        }
                      } finally {
                        if (!fclose($outputstream)) {
                          print_error("Output could not be closed.");

                          # only overwrite exit code if it is not set
                          if (0 === $result) {
                            $result = 10;
                          }
                        }
                      }
                    } else {
                      print_error("Output could not be opened");
                      $result = 9;
                    }
                  } finally {
                    if (!input_finit("input")) {
                      print_error("Input could not be finalized.");

                      # only overwrite exit code if it is not set
                      if (0 === $result) {
                        $result = 8;
                      }
                    }
                  }
                } else {
                  print_error("Input could not be initialized.");
                  $result = 7;
                }
              } finally {
                if (!fclose($inputstream)) {
                  print_error("Input could not be closed.");

                  # only overwrite exit code if it is not set
                  if (0 === $result) {
                    $result = 6;
                  }
                }
              }
            } else {
              print_error("Input could not be opened");
              $result = 5;
            }
          } else {
            print_error("You have to provide at least one key or password.");
            $result = 4;
          }
        } else {
          print_error("You can only provide one file or input or message.");
          $result = 3;
        }
      } else {
        print_error("You can only select decrypt or encrypt or update.");
        $result = 2;
      }
    }
  } else {
    foreach ($error as $line) {
      print_error($line);
    }
    $result = 1;
  }

  return $result;
}

exit(main($argv));