SSOEncryption.i

<?php

/**
 * This script includes the Encryption related functions that HomeCU Banking
 * uses to send secured and encrypted requests to the third party vendors/SSOs
 * endpoints.
 *
 * Majority of encryption functions are called from hcuConnect.prg.
 * Interfaces include:
 * - CHCKFREE
 * - EasyCard
 * - DIGITAL
 * - Certegy
 * - IPAY/Billpay
 * - VSHO/VSOFT
 *
 * Other interface: (hcuImages.i)
 * - MVI
 *
 * Major goal is to migrate from MCRYPT based encryption API to
 * OPENSSL based encryption API in PHP. MCRYPT will be deprecated in PHP7.2+.
 *
 * For each interface, there is implementation for both encryption and
 * decryption using both MCRYPT and OPENSSL API. MCRYPT based API
 * checks for the related function existence and they can be removed
 * after confirming the openssl based functions' correctness.
 * The accuracy of generation of same ciphertext using
 * both the libraries, third party specification conformity
 * and inter-library compatibility have been tested with various
 * unit tests in test/unit/lib/bankingHcuConnect.php script.
 *
 * It's encouraged add and delete encryption related functions relevant to
 * third party interfaces in this script and add unit tests to thoroughly
 * test the edge cases.
 *
 */

// OPENSSL based encryption mode constants
define("TICKET_CIPHERMODE", 'des-ede3-cbc'); // equivalent to MCRYPT_TRIPLEDES + MCRYPT_MODE_CBC
define("EZCARD_CIPHERMODE", 'des-ede3-cbc'); // equivalent to MCRYPT_TRIPLEDES + MCRYPT_MODE_CBC
define("CERTEGY_CIPHERMODE", 'des-ede3'); // equivalent to MCRYPT_TRIPLEDES + MCRYPT_MODE_ECB
define("DIGITAL_CIPHERMODE", 'des-ede3'); // equivalent to MCRYPT_TRIPLEDES + MCRYPT_MODE_ECB
define("BILLPAY_CIPHERMODE", 'cast5-ecb'); // equivalent to MCRYPT_CAST_128 + MCRYPT_MODE_ECB
define("VSOFT_CIPHERMODE", 'aes-256-ecb'); // equivalent to MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_ECB

define("MVI_CIPHERMODE", 'aes-256-cbc'); // equivalent to MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_CBC
define("SAVVYMO_CIPHERMODE", 'aes-256-cbc'); // equivalent to MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_CBC

// hash algorithm to be used (if added anywhere) for authentication
define("THIRDPARTY_DEFAULT_AUTH_ALGO", "sha256");


/**
 * check if mcrypt library exists
 */
function check_mcrypt_exists() {
    if (!function_exists("mdecrypt_generic") && !function_exists("mcrypt_generic"))
        throw new exception("MCRYPT library does not exist.");
}

//****************************
//****** CHKFREE
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_ticket_mcrypt($ticket, $key, $iv) {
    check_mcrypt_exists();
    # pad so length of ticket is even multiple of 8
    $ticket .= str_repeat(' ', 8 - (strlen($ticket) % 8));
    $td = mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');
    mcrypt_generic_init($td, $key, $iv);
    $tktvalue = mcrypt_generic($td, $ticket);
    $tktvalue = bin2hex($tktvalue);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return array($tktvalue, $ticket);
}

/**
 * Encrypt CHKFREE using openssl
 */
function encrypt_ticket_openssl($ticket, $key, $iv) {
    try {
        # pad so length of ticket is even multiple of 8
        $ticket .= str_repeat(' ', 8 - (strlen($ticket) % 8));
        $openssl_enc = hcuOpenSSLEncrypt($ticket,
                                 $key,
                                 TICKET_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_chkfree");
        return array(bin2hex($openssl_enc["message"]), $ticket);
    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_ticket_mcrypt($ticket, $key, $iv) {
    check_mcrypt_exists();
    try {
        if(function_exists("mdecrypt_generic")) {
            $ticket = hex2bin($ticket);
            $td = mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');
            mcrypt_generic_init($td, $key, $iv);
            $tktvalue = mdecrypt_generic($td, $ticket);
            mcrypt_generic_deinit($td);
            mcrypt_module_close($td);

            return $tktvalue;
        }
    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing openssl based CHKFREE encryption
 */
function decrypt_ticket_openssl($ticket, $key, $iv) {
    try {
        $ticket = hex2bin($ticket);
        $dec_ticket = hcuOpenSSLDecrypt($ticket,
                                 "",
                                 $key,
                                 TICKET_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_chkfree");
        return $dec_ticket;


    } catch (exception $ex) {
        throw $ex;
    }
}

//****************************
//****** EasyCard
//***************************

/**
 * Encrypt EZCARD using openssl
 */
function encrypt_ezcard_openssl($ssoPkt, $key, $iv) {
    try {
        // maintaining string padding
        //space pad data to make an even 8-byte boundary
        $blocksize = 8;
        $pad = $blocksize - (strlen($ssoPkt) % $blocksize);
        $ssoPkt = ($ssoPkt . str_repeat(chr($pad), $pad));
        // uses no padding in encryption for ezcard context
        $openssl_enc = hcuOpenSSLEncrypt($ssoPkt,
                                 $key,
                                 EZCARD_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_ezcard");
        $packet = base64_encode($openssl_enc["message"]);
        $packet = str_replace(array("+", "/", "="), array("-", "_", "."), $packet);
        return array($packet, $ssoPkt);

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_ezcard_mcrypt($td_cbc, $ssoPkt, $key, $iv) {
    check_mcrypt_exists();

    // space/null byte padding - even to 8 bytes
    $blocksize = mcrypt_enc_get_block_size($td_cbc);
    $pad = $blocksize - (strlen($ssoPkt) % $blocksize);
    $ssoPkt = ($ssoPkt . str_repeat(chr($pad), $pad));

    mcrypt_generic_init($td_cbc, $key, $iv);
    $packet = mcrypt_generic($td_cbc, $ssoPkt);
    mcrypt_generic_deinit($td_cbc);

    $packet = base64_encode($packet);
    $packet = str_replace(array("+", "/", "="), array("-", "_", "."), $packet);
    // also returns padded string
    return array($packet, $ssoPkt);
}

/**
 * Used only for testing EZCARD encryption using openssl
 */
function decrypt_ezcard_openssl($ssoPktEnc, $key, $iv) {
    try {
        $ssoPktEnc = str_replace(array("-", "_", "."), array("+", "/", "="), $ssoPktEnc);
        $ssoPktEnc = base64_decode($ssoPktEnc);
        $ssoPktDec = hcuOpenSSLDecrypt($ssoPktEnc,
                                 "",
                                 $key,
                                 EZCARD_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_ezcard");
        return $ssoPktDec;

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_ezcard_mcrypt($ssoPktEnc, $key, $priviv) {
    check_mcrypt_exists();
    // get ready for encryption
    $td_cbc = mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');
    $iv = substr($priviv, 0, mcrypt_enc_get_iv_size($td_cbc));

    $ssoPktEnc = str_replace(array("-", "_", "."), array("+", "/", "="), $ssoPktEnc);
    $ssoPktEnc = base64_decode($ssoPktEnc);

    mcrypt_generic_init($td_cbc, $key, $iv);
    $ssoPktDec = mdecrypt_generic($td_cbc, $ssoPktEnc);
    mcrypt_generic_deinit($td_cbc);

    // close mcrypt module
    mcrypt_module_close($td_cbc);

    return $ssoPktDec;
}

/**
 * Used to encrypt inner and outer easycard packet using OPENSSL
 */
// openssl ezcard main
function encrypt_ezcard_sso($ssoRequest,
                            $clientId,
                            $privkey,
                            $pubkey,
                            $iv,
                            $salt) {
    // build the inner packet, pad, encrypt, base64 encode
    list($innerpkt, $paddedSsoRequest) = encrypt_ezcard_openssl($ssoRequest, $privkey, $iv);
    // use inner packet to build outer packet, pad, encrypt, base64 encode

    $ssoWrap = "$salt<SSOWrapper ClientId=\"{$clientId}\" SSORequest=\"$innerpkt\" Ver=\"3.0\"/>";
    list($outpkt, $paddedSsoWrap) = encrypt_ezcard_openssl($ssoWrap, $pubkey, $iv);

    $outpkt = str_replace(array("+", "/", "="), array("-", "_", "."), $outpkt);
    return array($paddedSsoRequest, $innerpkt, $paddedSsoWrap, $outpkt);
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
// mcrypt ezcard main
function encrypt_ezcard_sso_mcrypt($ssoRequest,
                                   $clientId,
                                   $privkey,
                                   $pubkey,
                                   $priviv,
                                   $salt) {
    check_mcrypt_exists();
    // get ready for encryption
    $td = mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');
    $iv = substr($priviv, 0, mcrypt_enc_get_iv_size($td));

    // build the inner packet, pad, encrypt, base64 encode
    list($innerpkt, $paddedSsoRequest) = encrypt_ezcard_mcrypt($td, $ssoRequest, $privkey, $iv);

    // use inner packet to build outer packet, pad, encrypt, base64 encode
    $ssoWrap = "$salt<SSOWrapper ClientId=\"{$clientId}\" SSORequest=\"$innerpkt\" Ver=\"3.0\"/>";
    list($outpkt, $paddedSsoWrap) = encrypt_ezcard_mcrypt($td, $ssoWrap, $pubkey, $iv);
    // modify
    $outpkt = str_replace(array("+", "/", "="), array("-", "_", "."), $outpkt);

    // close mcrypt module
    mcrypt_module_close($td);
    // also return padded strings
    return array($paddedSsoRequest, $innerpkt, $paddedSsoWrap, $outpkt);
}

//****************************
//****** Certegy
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_certegy_account_mcrypt($ACCOUNT, $key) {
    #
    # set values for testing
    #
    #   $showurl=1;
    #   $FIID="8000"; #CU Institution ID for testing
    #   $ACCOUNT="214027153"; # not enrolled
    #   $ACCOUNT="210328770"; # enrolled";
    # Implement PKCS5 / PKCS7 Padding (PKCS7 apparently extends PKCS5, but they
    # are the same for 8-byte blocks)
    # cipher algorithm needs 8-byte blocks, pad data with binary bytes
    # - 01 if you need 1 byte, 02 02 if you need 2 bytes, ...
    # 07 07 07 07 07 07 07 if you need 7 bytes, and if you have a multiple of 8,
    # pad with 8 bytes 08.

    check_mcrypt_exists();
    $blocksize = mcrypt_get_block_size('tripledes', 'ecb');
    $pad = $blocksize - (strlen($ACCOUNT) % $blocksize);
    $ACCOUNT = ($ACCOUNT . str_repeat(chr($pad), $pad));

    $td = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $dm_token = mcrypt_generic($td, $ACCOUNT);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    // also return padded string
    return array($dm_token, $ACCOUNT);
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_certegy_account_mcrypt($ACCOUNT_CIPHER, $key) {
    check_mcrypt_exists();
    $td = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $ACCOUNT_DECRYPTED = mdecrypt_generic($td, $ACCOUNT_CIPHER);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return $ACCOUNT_DECRYPTED;
}

/**
 * Encrypt CERTEGY using OPENSSL
 */
function encrypt_certegy_openssl($account, $key) {
    try {
        //pad data to make an even 8-byte boundary
        $blocksize = 8;
        $pad = $blocksize - (strlen($account) % $blocksize);
        $account = ($account . str_repeat(chr($pad), $pad));

        // uses no padding in encryption for ezcard context
        $openssl_enc = hcuOpenSSLEncrypt($account,
                                 $key,
                                 CERTEGY_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_certegy");
        $account_enc = $openssl_enc["message"];
        // also return padded string
        return array($account_enc, $account);

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing certegy encryption using openssl
 */
function decrypt_certegy_openssl($account_cipher, $key) {
    try {
        $account_dec = hcuOpenSSLDecrypt($account_cipher,
                                 "",
                                 $key,
                                 CERTEGY_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_certegy");
        return $account_dec;

    } catch (exception $ex) {
        throw $ex;
    }
}


//****************************
//****** Digital
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_digital_mcrypt($srcstring, $servicekey) {
    # Implement PKCS5 / PKCS7 Padding (PKCS7 apparently extends PKCS5, but they
    # are the same for 8-byte blocks)
    # cipher algorithm needs 8-byte blocks, pad data with binary bytes
    # - 01 if you need 1 byte, 02 02 if you need 2 bytes, ...
    # 07 07 07 07 07 07 07 if you need 7 bytes, and if you have a multiple of 8,
    # pad with 8 bytes 08.

    # values for testing
    //  $CustID="103"; #static string assigned by DigitalMailer
    //  $ACCOUNT="88888888";
    //  $servicepass="thisisatest";
    //  $servicekey="52g2jajrt56syh5j2yf82ngf";
    //  $showurl=1; # look before we leap
    //  $srcstring = "ACCOUNT=88888888&TIMESTAMP=201208011000&CID=103&PASS=thisisatest&GMT=1";

    check_mcrypt_exists();
    $blocksize = mcrypt_get_block_size('tripledes', 'ecb');
    $pad = $blocksize - (strlen($srcstring) % $blocksize);
    $srcstring = ($srcstring . str_repeat(chr($pad), $pad));

    $td = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $servicekey, $iv);
    $dm_token = mcrypt_generic($td, $srcstring);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    // also return padded string
    return array($dm_token, $srcstring);
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_digital_mcrypt($srcstring_cipher, $servicekey) {

    check_mcrypt_exists();
    $td = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $servicekey, $iv);
    $dec_srcstring = mdecrypt_generic($td, $srcstring_cipher);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return $dec_srcstring;
}

/**
 * Encrypt DIGITAL using OPENSSL
 */
function encrypt_digital_openssl($srcstring, $key) {
    try {
        //pad data to make an even 8-byte boundary
        $blocksize = 8;
        $pad = $blocksize - (strlen($srcstring) % $blocksize);
        $srcstring = ($srcstring . str_repeat(chr($pad), $pad));

        // uses no padding in encryption for ezcard context
        $openssl_enc = hcuOpenSSLEncrypt($srcstring,
                                 $key,
                                 DIGITAL_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_digital");
        $srcstring_enc = $openssl_enc["message"];
        // also return padded string
        return array($srcstring_enc, $srcstring);

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing digital sourcestring using openssl
 */
function decrypt_digital_openssl($srcstring_cipher, $key) {
    try {
        $srcstring_dec = hcuOpenSSLDecrypt($srcstring_cipher,
                                 "",
                                 $key,
                                 DIGITAL_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_digital");
        return $srcstring_dec;

    } catch (exception $ex) {
        throw $ex;
    }
}

//****************************
//****** Bill Pay
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_billpay_mcrypt($billpayid, $key) {
    check_mcrypt_exists();
    # if billpayid is less than 2 chars, left pad w/zero
    if (strlen($billpayid) < 2) {
        $billpayid = substr("00$billpayid", -2, 2);
    }
    // null byte padding
    $billpayid .= str_repeat("\0", 8 - (strlen($billpayid) % 8));

    $td = mcrypt_module_open(MCRYPT_CAST_128, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $ipay_token = urlencode(base64_encode(mcrypt_generic($td, $billpayid)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return array($ipay_token, $billpayid);
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_billpay_mcrypt($billpayid_cipher, $key) {
    check_mcrypt_exists();
    $td = mcrypt_module_open(MCRYPT_CAST_128, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $billpayid_cipher = base64_decode(urldecode($billpayid_cipher));
    $ipay_token_dec = mdecrypt_generic($td, $billpayid_cipher);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return $ipay_token_dec;
}

/**
 * Encrypt IPAY: Billpay using OPENSSL
 */
function encrypt_billpay_openssl($billpayid, $key) {
    try {
        # if billpayid is less than 2 chars, left pad w/zero
        if (strlen($billpayid) < 2) {
            $billpayid = substr("00$billpayid", -2, 2);
        }
        // null byte padding
        $billpayid .= str_repeat("\0", 8 - (strlen($billpayid) % 8));

        $openssl_enc = hcuOpenSSLEncrypt($billpayid,
                                 $key,
                                 BILLPAY_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_ipay");
        $billpayid_enc = urlencode(base64_encode($openssl_enc["message"]));
        // also return padded string
        return array($billpayid_enc, $billpayid);

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing billpayid encryption using openssl
 */
function decrypt_billpay_openssl($billpayid_cipher, $key) {
    try {
        $billpayid_cipher = base64_decode(urldecode($billpayid_cipher));
        $billpayid_dec = hcuOpenSSLDecrypt($billpayid_cipher,
                                 "",
                                 $key,
                                 BILLPAY_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_ipay");
        return $billpayid_dec;

    } catch (exception $ex) {
        throw $ex;
    }
}

//****************************
//****** VSOFT/VSHO
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_vsoftquery_mcrypt($vsoftqry, $vsoftkey) {
    check_mcrypt_exists();
    # blocksize is 16 bytes
    $blocksize = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, 'ecb');
    $pad = $blocksize - (strlen($vsoftqry) % $blocksize);
    $vsoftqry = ($vsoftqry . str_repeat(chr($pad), $pad));

    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $vsoftkey, $iv);
    $vsoftenc = mcrypt_generic($td, $vsoftqry);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    $vsoftenc = base64_encode($vsoftenc);
    return array($vsoftenc, $vsoftqry);
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_vsoftquery_mcrypt($vsoftqry_cipher, $vsoftkey) {
    check_mcrypt_exists();
    $vsoftqry_cipher = base64_decode($vsoftqry_cipher);

    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $vsoftkey, $iv);
    $vsoftdec = mdecrypt_generic($td, $vsoftqry_cipher);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    return $vsoftdec;
}

/**
 * Encrypt VSOFT using openssl
 */
function encrypt_vsoftquery_openssl($vsoftqry, $key) {
    try {
        // padding -- blocksize of MCRYPT_RIJNDAEL_128 is/was 16
        $blocksize = 16;
        $pad = $blocksize - (strlen($vsoftqry) % $blocksize);
        $vsoftqry = ($vsoftqry . str_repeat(chr($pad), $pad));

        $openssl_enc = hcuOpenSSLEncrypt($vsoftqry,
                                 $key,
                                 VSOFT_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_vsoft");
        $vsoftqry_enc = base64_encode($openssl_enc["message"]);
        // also return padded string
        return array($vsoftqry_enc, $vsoftqry);

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing vsoft/vsho encryption for openssl
 */
function decrypt_vsoftquery_openssl($vsoftqry_cipher, $key) {
    try {
        $vsoftqry_cipher = base64_decode($vsoftqry_cipher);
        $vsoftqry_dec = hcuOpenSSLDecrypt($vsoftqry_cipher,
                                 "",
                                 $key,
                                 VSOFT_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv="",
                                 $context="connect_vsoft");
        return $vsoftqry_dec;

    } catch (exception $ex) {
        throw $ex;
    }
}

//****************************
//****** MVI
//***************************
/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function encrypt_mvi_mcrypt($mvi_query, $ckhexkey, $iv="") {
    # MCRYPT_RIJNDAEL_256 is not AES. The 256 in that constant refers to the blocksize, not the keysize.
    # Use MCRYPT_RIJNDAEL_128 to get the same algorithm as AES. The keysize is set by the number of bytes
    # in the key argument you supply. So supply 32 bytes and you get AES with a 256-bit key.
    check_mcrypt_exists();
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'cbc', '');
    if ($iv == "") {
        # uncomment the following line to get a random iv for each call
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    }


    mcrypt_generic_init($td, $ckhexkey, $iv);
    $mvi_data = bin2hex(mcrypt_generic($td, $mvi_query));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    // alternative hexify
    // $hexiv = bin2hex($iv);

    $hexiv = '';
    for ($i = 0; $i < strlen($iv); $i++) {
        $h = dechex(ord($iv[$i]));
        $hexiv_this = substr('0' . $h, -2);
        $hexiv .= $hexiv_this;
    }

    $mvi_data .= $hexiv;
    return $mvi_data;
}

/**
 * USED ONLY FOR TESTING
 * TO BE DEPRECATED
 */
function decrypt_mvi_mcrypt($mvi_cipher_iv, $ckhexkey) {
    check_mcrypt_exists();
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'cbc', '');
    $iv_size = mcrypt_enc_get_iv_size($td); // 16

    $iv_hex = substr($mvi_cipher_iv, $iv_size * -2);
    $mvi_cipher_hex = substr($mvi_cipher_iv, 0, $iv_size * -2);
    $iv = hex2bin($iv_hex);

    mcrypt_generic_init($td, $ckhexkey, $iv);
    $mvi_dec = mdecrypt_generic($td, hex2bin($mvi_cipher_hex));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    return rtrim($mvi_dec, "\0");
}

/**
 * Encrypt MVI query using openssl
 */
function encrypt_mvi_openssl($mvi_query, $ckhexkey, $iv="") {
    try {
        // padding -- blocksize of MCRYPT_RIJNDAEL_128 + MCRYPT_CBC is/was 16
        $blocksize = openssl_cipher_iv_length(MVI_CIPHERMODE);
        // add zero padding as per the specification
        $mvi_query .= str_repeat("\0", $blocksize - (strlen($mvi_query) % $blocksize));
        $openssl_enc = hcuOpenSSLEncrypt($mvi_query,
                                 $ckhexkey,
                                 MVI_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_mvi");
        $mvi_enc = bin2hex($openssl_enc["message"]);
        $mvi_iv = bin2hex($openssl_enc["iv"]);

        return $mvi_enc.$mvi_iv;

    } catch (exception $ex) {
        throw $ex;
    }
}

/**
 * Used only for testing mvi query using openssl
 */
function decrypt_mvi_openssl($mvi_cipher_iv, $ckhexkey) {
    try {
        // MCRYPT_RIJNDAEL_128 + MCRYPT_CBC = 16
        $blocksize = openssl_cipher_iv_length(MVI_CIPHERMODE);
        $iv_hex = substr($mvi_cipher_iv, $blocksize * -2);
        $mvi_cipher_hex = substr($mvi_cipher_iv, 0, $blocksize * -2);

        $mvi_dec = hcuOpenSSLDecrypt(hex2bin($mvi_cipher_hex),
                                 "",
                                 $ckhexkey,
                                 MVI_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=hex2bin($iv_hex),
                                 $context="connect_mvi");

        return rtrim($mvi_dec, "\0");
    } catch (exception $ex) {
        throw $ex;
    }
}
/**
 * Encrypt SavvyMoney attribute using openssl
 */
function encrypt_smo_openssl($smo_query, $smo_key) {
    try {
        $blocksize = openssl_cipher_iv_length(SAVVYMO_CIPHERMODE);
        $pad = $blocksize - (strlen($smo_query) % $blocksize);
        $smo_query = ($smo_query . str_repeat(chr($pad), $pad));
        $smo_key = base64_decode($smo_key);
        $iv='';
        for ($i = 0; $i < $blocksize; $i++) {
            $iv .= chr(0);
        }

        $openssl_enc = hcuOpenSSLEncrypt($smo_query,
                                 $smo_key,
                                 SAVVYMO_CIPHERMODE,
                                 THIRDPARTY_DEFAULT_AUTH_ALGO,
                                 true,
                                 $iv=$iv,
                                 $context="connect_smo");
        $smo_enc = base64_encode($openssl_enc["message"]);

        return $smo_enc;

    } catch (exception $ex) {
        throw $ex;
    }
}

?>