[pull] master from phpseclib:master

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php-version: ['8.1', '8.2', '8.3']
+                php-version: ['8.1', '8.2', '8.3', '8.4']
     quality_tools:
         name: Quality Tools
         timeout-minutes: 5
@@ -92,4 +92,4 @@ jobs:
             fail-fast: false
             matrix:
                 os: [ubuntu-latest, windows-latest, macos-latest]
-                php-version: ['8.1', '8.2', '8.3']
+                php-version: ['8.1', '8.2', '8.3', '8.4']

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 3.0.43 - 2024-12-14
+
+- fix PHP 8.4 deprecations
+- BigInteger: introduce regression in GMP that PHP introduced
+- BigInteger: speed up Barrett reductions
+- X509: make the attributes section of new CSRs be blank (#1522)
+- X509: add getRequestedCertificateExtensions()
+- X509: algorithmidentifier parameters could get incorrectly set (#2051)
+- SSH2: ignore [email protected] in key re-exchanges (#2005)
+- SSH2: make it so phpseclib initiates key re-exchange after 1GB (#2050)
+- SSH2: if string is passed to setPreferredAlgorithms treat as array
+- SSH2: update setPreferredAlgorithms() to accept csv's
+
 ## 3.0.42 - 2024-09-15
 
 - X509: CRL version number wasn't correctly being saved (#2037)
@@ -287,6 +300,19 @@
   - Salsa20 / ChaCha20
 - namespace changed from `phpseclib\` to `\phpseclib3` to facilitate phpseclib 2 shim (phpseclib2_compat)
 
+## 2.0.48 - 2024-12-14
+
+- BigInteger: introduce regression in GMP that PHP introduced
+- X509: make the attributes section of new CSRs be blank (#1522)
+- X509: CRL version number wasn't correctly being saved (#2037)
+- SSH2: ignore [email protected] in key re-exchanges (#2005)
+- SSH2: make it so phpseclib initiates key re-exchange after 1GB (#2050)
+- SSH2: if string is passed to setPreferredAlgorithms treat as array
+- SSH2: identification strings > 255 bytes didn't get parsed correctly
+- SSH2: fix possible infinite loop on packet timeout
+- SSH2: handle SSH2_MSG_EXT_INFO out of login (#2001, #2002)
+- SSH2/Agent: reset supported_private_key_algorithms for every key (#1995)
+
 ## 2.0.47 - 2024-02-25
 
 - BigInteger: add getLength() and getLengthInBytes() methods

phpseclib/Crypt/Common/Formats/Keys/PKCS8.php

@@ -129,10 +129,8 @@ public static function setPRF(string $algo): void
 
     /**
      * Returns a SymmetricKey object based on a PBES1 $algo
-     *
-     * @return SymmetricKey
      */
-    private static function getPBES1EncryptionObject(string $algo)
+    private static function getPBES1EncryptionObject(string $algo): SymmetricKey
     {
         $algo = preg_match('#^pbeWith(?:MD2|MD5|SHA1|SHA)And(.*?)-CBC$#', $algo, $matches) ?
             $matches[1] :
@@ -511,7 +509,7 @@ protected static function load($key, ?string $password = null): array
      *
      * @param bool $enabled
      */
-    public static function setBinaryOutput($enabled)
+    public static function setBinaryOutput($enabled): void
     {
         self::$binary = $enabled;
     }
@@ -616,7 +614,7 @@ protected static function wrapPrivateKey(string $key, $attr, $params, $password,
 
             $key = ASN1::encodeDER($key, Maps\EncryptedPrivateKeyInfo::MAP);
 
-            if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+            if ($options['binary'] ?? self::$binary) {
                 return $key;
             }
 
@@ -625,7 +623,7 @@ protected static function wrapPrivateKey(string $key, $attr, $params, $password,
                    "-----END ENCRYPTED PRIVATE KEY-----";
         }
 
-        if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+        if ($options['binary'] ?? self::$binary) {
             return $key;
         }
 
@@ -654,7 +652,7 @@ protected static function wrapPublicKey(string $key, $params, ?string $oid = nul
 
         $key = ASN1::encodeDER($key, Maps\PublicKeyInfo::MAP);
 
-        if (isset($options['binary']) ? $options['binary'] : self::$binary) {
+        if ($options['binary'] ?? self::$binary) {
             return $key;
         }
 

phpseclib/Crypt/EC/BaseCurves/Montgomery.php

@@ -221,7 +221,7 @@ private function doubleAndAddPoint(array $p, array $q, PrimeInteger $x1): array
     public function multiplyPoint(array $p, BigInteger $d): array
     {
         $p1 = [$this->one, $this->zero];
-        $alreadyInternal = isset($x[1]);
+        $alreadyInternal = isset($p[1]);
         $p2 = $this->convertToInternal($p);
         $x = $p[0];
 

phpseclib/Crypt/Salsa20.php

@@ -316,7 +316,7 @@ private function crypt(string $text, int $mode): string
             foreach ($blocks as &$block) {
                 $block ^= static::salsa20($this->p1 . pack('V', $i++) . $this->p2);
             }
-
+            unset($block);
             return implode('', $blocks);
         }
 
@@ -356,6 +356,7 @@ private function crypt(string $text, int $mode): string
                     foreach ($blocks as &$block) {
                         $block ^= static::salsa20($this->p1 . pack('V', $buffer['counter']++) . $this->p2);
                     }
+                    unset($block);
                 }
                 $encrypted = implode('', $blocks);
                 $temp = static::salsa20($this->p1 . pack('V', $buffer['counter']++) . $this->p2);
@@ -378,6 +379,7 @@ private function crypt(string $text, int $mode): string
                 foreach ($blocks as &$block) {
                     $block ^= static::salsa20($this->p1 . pack('V', $buffer['counter']++) . $this->p2);
                 }
+                unset($block);
                 $ciphertext .= implode('', $blocks);
             }
         }

phpseclib/File/ASN1/Maps/TBSCertList.php

@@ -31,7 +31,7 @@ abstract class TBSCertList
                 'type' => ASN1::TYPE_INTEGER,
                 'mapping' => ['v1', 'v2'],
                 'optional' => true,
-                'default' => 'v1'
+                'default' => 'v1',
             ],
             'signature' => AlgorithmIdentifier::MAP,
             'issuer' => Name::MAP,

phpseclib/File/X509.php

@@ -512,11 +512,6 @@ public function saveX509(array $cert, int $format = self::FORMAT_PEM)
                 );
         }
 
-        if ($algorithm == 'rsaEncryption') {
-            $cert['signatureAlgorithm']['parameters'] = null;
-            $cert['tbsCertificate']['signature']['parameters'] = null;
-        }
-
         $filters = [];
         $type_utf8_string = ['type' => ASN1::TYPE_UTF8_STRING];
         $filters['tbsCertificate']['signature']['parameters'] = $type_utf8_string;
@@ -2879,7 +2874,10 @@ private static function identifySignatureAlgorithm(PrivateKey $key): array
                 case 'sha256':
                 case 'sha384':
                 case 'sha512':
-                    return ['algorithm' => $key->getHash()->__toString() . 'WithRSAEncryption'];
+                    return [
+                        'algorithm' => $key->getHash()->__toString() . 'WithRSAEncryption',
+                        'parameters' => null
+                    ];
             }
             throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
         }
@@ -3361,9 +3359,8 @@ public function getAttribute(string $id, int $disposition = self::ATTR_ALL, ?arr
      * Returns the list of extensions if there are any and false if not
      *
      * @param array $csr optional
-     * @return mixed
      */
-    public function getRequestedCertificateExtensions(array $csr = null)
+    public function getRequestedCertificateExtensions(?array $csr = null)
     {
         if (empty($csr)) {
             $csr = $this->currentCert;

phpseclib/Net/SFTP.php

@@ -2721,6 +2721,8 @@ private function parseTime(string $key, int $flags, string &$response): array
      */
     protected function parseAttributes(string &$response): array
     {
+        $attr = [];
+
         if ($this->version >= 4) {
             [$flags, $attr['type']] = Strings::unpackSSH2('NC', $response);
         } else {
@@ -3273,7 +3275,7 @@ public function posix_rename(string $oldname, string $newname): bool
         }
 
         // if $status isn't SSH_FX_OK it's probably SSH_FX_NO_SUCH_FILE or SSH_FX_PERMISSION_DENIED
-        list($status) = Strings::unpackSSH2('N', $response);
+        [$status] = Strings::unpackSSH2('N', $response);
         if ($status != StatusCode::OK) {
             $this->logError($response, $status);
             return false;