$pkg['version'], 'meta' => $meta, 'source' => $source]; } private static function unpackage(string $packed): array { /* HMAC prüfen (letzte 32 Bytes) */ $hmac = substr($packed, -self::HMAC_LEN); $body = substr($packed, 0, -self::HMAC_LEN); $expected = hash_hmac('sha256', $body, self::getMasterKey(), true); if (!hash_equals($expected, $hmac)) { throw new \RuntimeException('HDEncoder: Integritätsprüfung fehlgeschlagen (HMAC)'); } /* Binary-Format parsen */ $magic = substr($body, 0, 8); if ($magic !== self::MAGIC) { throw new \RuntimeException('HDEncoder: Ungültiges Dateiformat'); } $pos = 8; $version = ord($body[$pos++]); $saltLen = ord($body[$pos++]); $salt = substr($body, $pos, $saltLen); $pos += $saltLen; $metaIv = substr($body, $pos, self::IV_LEN); $pos += self::IV_LEN; $metaLen = unpack('N', substr($body, $pos, 4))[1]; $pos += 4; $metaEnc = substr($body, $pos, $metaLen); $pos += $metaLen; $payIv = substr($body, $pos, self::IV_LEN); $pos += self::IV_LEN; $payLen = unpack('N', substr($body, $pos, 4))[1]; $pos += 4; $payEnc = substr($body, $pos, $payLen); return [ 'version' => $version, 'salt' => $salt, 'meta_iv' => $metaIv, 'meta_encrypted' => $metaEnc, 'payload_iv' => $payIv, 'payload_encrypted' => $payEnc, ]; } private static function deriveKey(string $salt): string { return sodium_crypto_pwhash( self::KEY_LEN, self::getMasterKey(), $salt, SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13 ); } private static function aesDecrypt(string $data, string $iv, string $key): string { $tag = substr($data, 0, self::TAG_LEN); $encrypted = substr($data, self::TAG_LEN); $decrypted = openssl_decrypt($encrypted, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag); if ($decrypted === false) { throw new \RuntimeException('HDEncoder: Entschlüsselung fehlgeschlagen — ' . openssl_error_string()); } return $decrypted; } /* ================================================================ * Lizenz-Check via API * ================================================================ */ private static function verifyLicense(string $domain): void { /* Leere Domain = kein Domain-Lock → überspringen */ if (empty($domain) || $domain === 'localhost') { return; } $cacheDir = self::getCacheDir(); $cacheFile = $cacheDir . '/lic_' . md5($domain); /* Cache prüfen (1 Stunde gültig) */ if (file_exists($cacheFile) && (time() - filemtime($cacheFile)) < self::LICENSE_TTL) { $cached = file_get_contents($cacheFile); if ($cached === '1') return; throw new \RuntimeException('HDEncoder: Lizenz ungültig für Domain ' . $domain); } /* API-Check */ $payload = json_encode(['domain' => $domain]); $signature = hash_hmac('sha256', $payload, self::getMasterKey()); $ch = curl_init(self::LICENSE_URL); curl_setopt_array($ch, [ CURLOPT_POST => true, CURLOPT_POSTFIELDS => $payload, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_HTTPHEADER => [ 'Content-Type: application/json', 'X-Signature: ' . $signature, ], ]); $response = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); $error = curl_error($ch); curl_close($ch); /* Bei Netzwerk-Fehler: Fail-open (kleine Radios sollen nicht offline gehen) */ if ($response === false || $httpCode !== 200) { /* Alten Cache nutzen wenn vorhanden */ if (file_exists($cacheFile)) { return; } error_log('HDEncoder: Lizenz-Check fehlgeschlagen (' . ($error ?: "HTTP $httpCode") . ') — Fail-open'); return; } $data = json_decode($response, true); $valid = ($data['valid'] ?? false) === true; /* Ergebnis cachen */ @file_put_contents($cacheFile, $valid ? '1' : '0', LOCK_EX); if (!$valid) { throw new \RuntimeException('HDEncoder: Lizenz ungültig für Domain ' . $domain); } } /* ================================================================ * File-Cache — vermeidet Argon2id pro Request * ================================================================ */ private static function getCacheDir(): string { if (self::$cacheDirPath !== null) { return self::$cacheDirPath; } $dir = getenv('HDENCODER_CACHE_DIR'); if (!$dir) { $dir = sys_get_temp_dir() . '/' . self::CACHE_DIR; } if (!is_dir($dir)) { @mkdir($dir, 0700, true); /* .htaccess schützt vor direktem Web-Zugriff */ @file_put_contents($dir . '/.htaccess', "Deny from all\n", LOCK_EX); } self::$cacheDirPath = $dir; return $dir; } private static function getCachedFile(string $cacheKey): ?string { $path = self::getCacheDir() . '/' . $cacheKey . '.php'; if (file_exists($path)) { return $path; } return null; } private static function putCachedFile(string $cacheKey, string $source, string $filePath): string { $path = self::getCacheDir() . '/' . $cacheKey . '.php'; /* PHP Opening-Tag entfernen (für sauberes include) */ $code = $source; $code = preg_replace('/^\s*<\?(php)?\s*/i', ' 0 && $bytes < 128 * 1024 * 1024) { error_log('HDEncoder: memory_limit ist ' . $memLimit . ' — empfohlen: mindestens 128M (Argon2id benötigt 64MB)'); } } } private static function parseMemoryLimit(string $val): int { $val = trim($val); $num = (int)$val; $unit = strtolower(substr($val, -1)); return match ($unit) { 'g' => $num * 1024 * 1024 * 1024, 'm' => $num * 1024 * 1024, 'k' => $num * 1024, default => $num, }; } /** * Cache leeren — kann manuell aufgerufen werden. */ public static function clearCache(): void { $dir = self::getCacheDir(); if (is_dir($dir)) { $files = glob($dir . '/*.php'); if ($files) { foreach ($files as $f) @unlink($f); } $lics = glob($dir . '/lic_*'); if ($lics) { foreach ($lics as $f) @unlink($f); } } } }