[pull] master from phpseclib:master

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php-version: ['8.1', '8.2', '8.3']
+                php-version: ['8.1', '8.2', '8.3', '8.4']
     quality_tools:
         name: Quality Tools
         timeout-minutes: 5
@@ -92,4 +92,4 @@ jobs:
             fail-fast: false
             matrix:
                 os: [ubuntu-latest, windows-latest, macos-latest]
-                php-version: ['8.1', '8.2', '8.3']
+                php-version: ['8.1', '8.2', '8.3', '8.4']

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 3.0.43 - 2024-12-14
+
+- fix PHP 8.4 deprecations
+- BigInteger: workaround for regression in GMP that PHP introduced
+- BigInteger: speed up Barrett reductions
+- X509: make the attributes section of new CSRs be blank (#1522)
+- X509: add getRequestedCertificateExtensions()
+- X509: algorithmidentifier parameters could get incorrectly set (#2051)
+- SSH2: ignore [email protected] in key re-exchanges (#2050)
+- SSH2: make it so phpseclib initiates key re-exchange after 1GB (#2050)
+- SSH2: if string is passed to setPreferredAlgorithms treat as array
+- SSH2: update setPreferredAlgorithms() to accept csv's
+
 ## 3.0.42 - 2024-09-15
 
 - X509: CRL version number wasn't correctly being saved (#2037)
@@ -287,6 +300,19 @@
   - Salsa20 / ChaCha20
 - namespace changed from `phpseclib\` to `\phpseclib3` to facilitate phpseclib 2 shim (phpseclib2_compat)
 
+## 2.0.48 - 2024-12-14
+
+- BigInteger: workaround for regression in GMP that PHP introduced
+- X509: make the attributes section of new CSRs be blank (#1522)
+- X509: CRL version number wasn't correctly being saved (#2037)
+- SSH2: ignore [email protected] in key re-exchanges (#2050)
+- SSH2: make it so phpseclib initiates key re-exchange after 1GB (#2050)
+- SSH2: if string is passed to setPreferredAlgorithms treat as array
+- SSH2: identification strings > 255 bytes didn't get parsed correctly
+- SSH2: fix possible infinite loop on packet timeout
+- SSH2: handle SSH2_MSG_EXT_INFO out of login (#2001, #2002)
+- SSH2/Agent: reset supported_private_key_algorithms for every key (#1995)
+
 ## 2.0.47 - 2024-02-25
 
 - BigInteger: add getLength() and getLengthInBytes() methods

phpseclib/Common/Functions/Strings.php

@@ -119,7 +119,7 @@ public static function unpackSSH2(string $format, string &$data): array
                     // 64-bit floats can be used to get larger numbers then 32-bit signed ints would allow
                     // for. sure, you're not gonna get the full precision of 64-bit numbers but just because
                     // you need > 32-bit precision doesn't mean you need the full 64-bit precision
-                    extract(unpack('Nupper/Nlower', self::shift($data, 8)));
+                    ['upper' => $upper, 'lower' => $lower] = unpack('Nupper/Nlower', self::shift($data, 8));
                     $temp = $upper ? 4294967296 * $upper : 0;
                     $temp += $lower < 0 ? ($lower & 0x7FFFFFFFF) + 0x80000000 : $lower;
                     // $temp = hexdec(bin2hex(self::shift($data, 8)));

phpseclib/Crypt/Blowfish.php

@@ -129,7 +129,7 @@ class Blowfish extends BlockCipher
     /**
      * Block Length of the cipher
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::block_size
+     * @see Common\SymmetricKey::block_size
      * @var int
      */
     protected $block_size = 8;
@@ -309,7 +309,7 @@ class Blowfish extends BlockCipher
      *    derive this from $key_length or vice versa, but that'd mean we'd have to do multiple shift operations, so in lieu
      *    of that, we'll just precompute it once.}
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::setKeyLength()
+     * @see Common\SymmetricKey::setKeyLength()
      * @var int
      */
     protected $key_length = 16;
@@ -349,7 +349,7 @@ public function setKeyLength(int $length): void
      *
      * This is mainly just a wrapper to set things up for \phpseclib3\Crypt\Common\SymmetricKey::isValidEngine()
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::isValidEngine()
+     * @see Common\SymmetricKey::isValidEngine()
      */
     protected function isValidEngineHelper(int $engine): bool
     {
@@ -373,7 +373,7 @@ protected function isValidEngineHelper(int $engine): bool
     /**
      * Setup the key (expansion)
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::_setupKey()
+     * @see Common\SymmetricKey::_setupKey()
      */
     protected function setupKey(): void
     {
@@ -711,7 +711,7 @@ protected function decryptBlock(string $in): string
     /**
      * Setup the performance-optimized function for de/encrypt()
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::_setupInlineCrypt()
+     * @see Common\SymmetricKey::_setupInlineCrypt()
      */
     protected function setupInlineCrypt(): void
     {

phpseclib/Crypt/Common/Formats/Keys/PKCS8.php

@@ -129,10 +129,8 @@ public static function setPRF(string $algo): void
 
     /**
      * Returns a SymmetricKey object based on a PBES1 $algo
-     *
-     * @return SymmetricKey
      */
-    private static function getPBES1EncryptionObject(string $algo)
+    private static function getPBES1EncryptionObject(string $algo): SymmetricKey
     {
         $algo = preg_match('#^pbeWith(?:MD2|MD5|SHA1|SHA)And(.*?)-CBC$#', $algo, $matches) ?
             $matches[1] :
@@ -345,7 +343,10 @@ protected static function load($key, ?string $password = null): array
                     if (!$temp) {
                         throw new RuntimeException('Unable to decode BER');
                     }
-                    extract(ASN1::asn1map($temp[0], Maps\PBEParameter::MAP));
+                    [
+                        'salt' => $salt,
+                        'iterationCount' => $iterationCount
+                    ] = ASN1::asn1map($temp[0], Maps\PBEParameter::MAP);
                     $iterationCount = (int) $iterationCount->toString();
                     $cipher->setPassword($password, $kdf, $hash, $salt, $iterationCount);
                     $key = $cipher->decrypt($decrypted['encryptedData']);
@@ -363,7 +364,10 @@ protected static function load($key, ?string $password = null): array
                         throw new RuntimeException('Unable to decode BER');
                     }
                     $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP);
-                    extract($temp);
+                    [
+                        'keyDerivationFunc' => $keyDerivationFunc,
+                        'encryptionScheme' => $encryptionScheme
+                    ] = $temp;
 
                     $cipher = self::getPBES2EncryptionObject($encryptionScheme['algorithm']);
                     $meta['meta']['cipher'] = $encryptionScheme['algorithm'];
@@ -373,7 +377,10 @@ protected static function load($key, ?string $password = null): array
                         throw new RuntimeException('Unable to decode BER');
                     }
                     $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP);
-                    extract($temp);
+                    [
+                        'keyDerivationFunc' => $keyDerivationFunc,
+                        'encryptionScheme' => $encryptionScheme
+                    ] = $temp;
 
                     if (!$cipher instanceof RC2) {
                         $cipher->setIV($encryptionScheme['parameters']['octetString']);
@@ -382,7 +389,10 @@ protected static function load($key, ?string $password = null): array
                         if (!$temp) {
                             throw new RuntimeException('Unable to decode BER');
                         }
-                        extract(ASN1::asn1map($temp[0], Maps\RC2CBCParameter::MAP));
+                        [
+                            'rc2ParametersVersion' => $rc2ParametersVersion,
+                            'iv' => $iv
+                        ] = ASN1::asn1map($temp[0], Maps\RC2CBCParameter::MAP);
                         $effectiveKeyLength = (int) $rc2ParametersVersion->toString();
                         switch ($effectiveKeyLength) {
                             case 160:
@@ -407,9 +417,15 @@ protected static function load($key, ?string $password = null): array
                             if (!$temp) {
                                 throw new RuntimeException('Unable to decode BER');
                             }
-                            $prf = ['algorithm' => 'id-hmacWithSHA1'];
                             $params = ASN1::asn1map($temp[0], Maps\PBKDF2params::MAP);
-                            extract($params);
+                            if (empty($params['prf'])) {
+                                $params['prf'] = ['algorithm' => 'id-hmacWithSHA1'];
+                            }
+                            [
+                                'salt' => $salt,
+                                'iterationCount' => $iterationCount,
+                                'prf' => $prf
+                            ] = $params;
                             $meta['meta']['prf'] = $prf['algorithm'];
                             $hash = str_replace('-', '/', substr($prf['algorithm'], 11));
                             $params = [
@@ -511,7 +527,7 @@ protected static function load($key, ?string $password = null): array
      *
      * @param bool $enabled
      */
-    public static function setBinaryOutput($enabled)
+    public static function setBinaryOutput($enabled): void
     {
         self::$binary = $enabled;
     }
@@ -616,7 +632,7 @@ protected static function wrapPrivateKey(string $key, $attr, $params, $password,
 
             $key = ASN1::encodeDER($key, Maps\EncryptedPrivateKeyInfo::MAP);
 
-            if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+            if ($options['binary'] ?? self::$binary) {
                 return $key;
             }
 
@@ -625,7 +641,7 @@ protected static function wrapPrivateKey(string $key, $attr, $params, $password,
                    "-----END ENCRYPTED PRIVATE KEY-----";
         }
 
-        if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+        if ($options['binary'] ?? self::$binary) {
             return $key;
         }
 
@@ -654,7 +670,7 @@ protected static function wrapPublicKey(string $key, $params, ?string $oid = nul
 
         $key = ASN1::encodeDER($key, Maps\PublicKeyInfo::MAP);
 
-        if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+        if ($options['binary'] ?? self::$binary) {
             return $key;
         }
 

phpseclib/Crypt/Common/Formats/Keys/PuTTY.php

@@ -186,7 +186,7 @@ public static function load($key, $password)
 
         $source = Strings::packSSH2('ssss', $type, $encryption, $components['comment'], $public);
 
-        extract(unpack('Nlength', Strings::shift($public, 4)));
+        ['length' => $length] = unpack('Nlength', Strings::shift($public, 4));
         $newtype = Strings::shift($public, $length);
         if ($newtype != $type) {
             throw new RuntimeException('The binary type does not match the human readable type field');
@@ -214,7 +214,11 @@ public static function load($key, $password)
                         $parallelism = trim(preg_replace('#Argon2-Parallelism: (\d+)#', '$1', $key[$offset++]));
                         $salt = Strings::hex2bin(trim(preg_replace('#Argon2-Salt: ([0-9a-f]+)#', '$1', $key[$offset++])));
 
-                        extract(self::generateV3Key($password, $flavour, (int)$memory, (int)$passes, $salt));
+                        [
+                            'symkey' => $symkey,
+                            'symiv' => $symiv,
+                            'hashkey' => $hashkey
+                        ] = self::generateV3Key($password, $flavour, (int)$memory, (int)$passes, $salt);
 
                         break;
                     case 2:
@@ -306,7 +310,11 @@ protected static function wrapPrivateKey(string $public, string $private, string
                     $key .= "Argon2-Passes: 13\r\n";
                     $key .= "Argon2-Parallelism: 1\r\n";
                     $key .= "Argon2-Salt: " . Strings::bin2hex($salt) . "\r\n";
-                    extract(self::generateV3Key($password, 'Argon2id', 8192, 13, $salt));
+                    [
+                        'symkey' => $symkey,
+                        'symiv' => $symiv,
+                        'hashkey' => $hashkey
+                    ] = self::generateV3Key($password, 'Argon2id', 8192, 13, $salt);
 
                     $hash = new Hash('sha256');
                     $hash->setKey($hashkey);

phpseclib/Crypt/Common/StreamCipher.php

@@ -28,7 +28,7 @@ abstract class StreamCipher extends SymmetricKey
      *
      * Stream ciphers do not have a block size
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::block_size
+     * @see SymmetricKey::block_size
      * @var int
      */
     protected $block_size = 0;

phpseclib/Crypt/DES.php

@@ -71,23 +71,23 @@ class DES extends BlockCipher
     /**
      * Block Length of the cipher
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::block_size
+     * @see Common\SymmetricKey::block_size
      * @var int
      */
     protected $block_size = 8;
 
     /**
      * Key Length (in bytes)
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::setKeyLength()
+     * @see Common\SymmetricKey::setKeyLength()
      * @var int
      */
     protected $key_length = 8;
 
     /**
      * The OpenSSL names of the cipher / modes
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::openssl_mode_names
+     * @see Common\SymmetricKey::openssl_mode_names
      * @var array
      */
     protected $openssl_mode_names = [
@@ -572,7 +572,7 @@ public function __construct(string $mode)
      *
      * This is mainly just a wrapper to set things up for \phpseclib3\Crypt\Common\SymmetricKey::isValidEngine()
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::isValidEngine()
+     * @see Common\SymmetricKey::isValidEngine()
      */
     protected function isValidEngineHelper(int $engine): bool
     {
@@ -599,7 +599,7 @@ protected function isValidEngineHelper(int $engine): bool
      *
      * DES also requires that every eighth bit be a parity bit, however, we'll ignore that.
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::setKey()
+     * @see Common\SymmetricKey::setKey()
      */
     public function setKey(string $key): void
     {
@@ -615,8 +615,8 @@ public function setKey(string $key): void
      * Encrypts a block
      *
      * @see self::encrypt()
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::encryptBlock()
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::encrypt()
+     * @see Common\SymmetricKey::encryptBlock()
+     * @see Common\SymmetricKey::encrypt()
      */
     protected function encryptBlock(string $in): string
     {
@@ -627,8 +627,8 @@ protected function encryptBlock(string $in): string
      * Decrypts a block
      *
      * @see self::decrypt()
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::decryptBlock()
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::decrypt()
+     * @see Common\SymmetricKey::decryptBlock()
+     * @see Common\SymmetricKey::decrypt()
      */
     protected function decryptBlock(string $in): string
     {
@@ -724,7 +724,7 @@ private function processBlock(string $block, int $mode)
     /**
      * Creates the key schedule
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::setupKey()
+     * @see Common\SymmetricKey::setupKey()
      */
     protected function setupKey(): void
     {
@@ -1258,7 +1258,7 @@ protected function setupKey(): void
     /**
      * Setup the performance-optimized function for de/encrypt()
      *
-     * @see \phpseclib3\Crypt\Common\SymmetricKey::setupInlineCrypt()
+     * @see Common\SymmetricKey::setupInlineCrypt()
      */
     protected function setupInlineCrypt(): void
     {

phpseclib/Crypt/DSA/Formats/Keys/PuTTY.php

@@ -59,7 +59,12 @@ public static function load($key, $password)
         if (!isset($components['private'])) {
             return $components;
         }
-        extract($components);
+        [
+            'type' => $type,
+            'comment' => $comment,
+            'public' => $public,
+            'private' => $private
+        ] = $components;
         unset($components['public'], $components['private']);
 
         [$p, $q, $g, $y] = Strings::unpackSSH2('iiii', $public);

phpseclib/Crypt/DSA/PrivateKey.php

@@ -88,7 +88,7 @@ public function sign($message): string
                     return $signature;
                 }
 
-                extract(ASN1Signature::load($signature));
+                ['r' => $r, 's' => $s] = ASN1Signature::load($signature);
 
                 return $format::save($r, $s);
             }

phpseclib/Crypt/DSA/PublicKey.php

@@ -41,7 +41,7 @@ public function verify($message, $signature): bool
         if ($params === false || count($params) != 2) {
             return false;
         }
-        extract($params);
+        ['r' => $r, 's' => $s] = $params;
 
         if (self::$engines['OpenSSL'] && in_array($this->hash->getHash(), openssl_get_md_methods())) {
             $sig = $format != 'ASN1' ? ASN1Signature::save($r, $s) : $signature;

phpseclib/Crypt/EC/BaseCurves/Montgomery.php

@@ -221,7 +221,7 @@ private function doubleAndAddPoint(array $p, array $q, PrimeInteger $x1): array
     public function multiplyPoint(array $p, BigInteger $d): array
     {
         $p1 = [$this->one, $this->zero];
-        $alreadyInternal = isset($x[1]);
+        $alreadyInternal = isset($p[1]);
         $p2 = $this->convertToInternal($p);
         $x = $p[0];