From 56973d40db123d981efb5b875ba8e1b3ec7da61f Mon Sep 17 00:00:00 2001
From: terrafrost
Date: Tue, 1 Feb 2022 21:17:10 -0600
Subject: [PATCH] SSH2: stop using more dynamic properties in SymmetricKey
---
 phpseclib/Crypt/Common/SymmetricKey.php | 3 ---
 phpseclib/Net/SSH2.php | 28 +++++++++++++++++++++----
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/phpseclib/Crypt/Common/SymmetricKey.php b/phpseclib/Crypt/Common/SymmetricKey.php
index 0f0ea978..519a284e 100644
--- a/phpseclib/Crypt/Common/SymmetricKey.php
+++ b/phpseclib/Crypt/Common/SymmetricKey.php
@@ -213,9 +213,6 @@ abstract class SymmetricKey
 self::ENGINE_OPENSSL_GCM => 'OpenSSL (GCM)'
 ];
- /** @var string|false */
- public $fixed;
-
 /**
 * The Encryption Mode
 *
diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
index cc02b79b..d18bf1e2 100644
--- a/phpseclib/Net/SSH2.php
+++ b/phpseclib/Net/SSH2.php
@@ -427,6 +427,16 @@ class SSH2
 */
 private $decryptInvocationCounter;
+ /**
+ * Fixed Part of Nonce
+ *
+ * Used by GCM
+ *
+ * @var string|null
+ * @access private
+ */
+ private $decryptFixedPart;
+
 /**
 * Server to Client Length Encryption Object
 *
@@ -463,6 +473,16 @@ class SSH2
 */
 private $encryptInvocationCounter;
+ /**
+ * Fixed Part of Nonce
+ *
+ * Used by GCM
+ *
+ * @var string|null
+ * @access private
+ */
+ private $encryptFixedPart;
+
 /**
 * Client to Server Length Encryption Object
 *
@@ -1926,7 +1946,7 @@ class SSH2
 case 'aes128-gcm@openssh.com':
 case 'aes256-gcm@openssh.com':
 $nonce = $kexHash->hash($keyBytes . $this->exchange_hash . 'A' . $this->session_id);
- $this->encrypt->fixed = substr($nonce, 0, 4);
+ $this->encryptFixedPart = substr($nonce, 0, 4);
 $this->encryptInvocationCounter = substr($nonce, 4, 8);
 case 'chacha20-poly1305@openssh.com':
 break;
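Review bot: The docblock added for `$decryptFixedPart` in the `@@ -427` hunk, and its twin for `$encryptFixedPart` in `@@ -463`, does not say how long the value is, where it comes from, or how it pairs with the invocation counter. These two fields together form the GCM nonce, and a nonce repeated under one key breaks GCM, so the contract is worth pinning next to the declaration. For example: `First 4 bytes of the nonce derived at key exchange; prepended to the 8-byte $decryptInvocationCounter to build the 12-byte GCM nonce (RFC 5647 section 7.1). Stays null unless an AES-GCM cipher is negotiated.` The `@access private` tag only repeats the `private` keyword and could be dropped from both blocks.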
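Review bot: The client-to-server GCM branch in the `@@ -1926` hunk splits the derived value into a 4-byte fixed part and an 8-byte counter without citing the layout it follows. The mirrored server-to-client branch in `@@ -1971` carries `// see https://tools.ietf.org/html/rfc5647#section-7.1`, and the same comment above the `$nonce = $kexHash->hash(...)` line here would keep the two directions consistent. Both branches also run on into the `chacha20-poly1305@openssh.com` case to reach its `break;`, which appears intentional but is unmarked; a `// fall through` comment would say so. The enclosing switch and method begin and end outside the hunk.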
@@ -1971,7 +1991,7 @@ class SSH2
 case 'aes256-gcm@openssh.com':
 // see https://tools.ietf.org/html/rfc5647#section-7.1
 $nonce = $kexHash->hash($keyBytes . $this->exchange_hash . 'B' . $this->session_id);
- $this->decrypt->fixed = substr($nonce, 0, 4);
+ $this->decryptFixedPart = substr($nonce, 0, 4);
 $this->decryptInvocationCounter = substr($nonce, 4, 8);
 case 'chacha20-poly1305@openssh.com':
 break;
@@ -3438,7 +3458,7 @@ class SSH2
 case 'aes128-gcm@openssh.com':
 case 'aes256-gcm@openssh.com':
 $this->decrypt->setNonce(
- $this->decrypt->fixed .
+ $this->decryptFixedPart .
 $this->decryptInvocationCounter
 );
 Strings::increment_str($this->decryptInvocationCounter);
@@ -4201,7 +4221,7 @@ class SSH2
 case 'aes128-gcm@openssh.com':
 case 'aes256-gcm@openssh.com':
 $this->encrypt->setNonce(
- $this->encrypt->fixed .
+ $this->encryptFixedPart .
 $this->encryptInvocationCounter
 );
 Strings::increment_str($this->encryptInvocationCounter);
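Review bot: `$this->decryptFixedPart` is declared `string|null`, yet the `@@ -3438` hunk concatenates it into the nonce unconditionally, as `@@ -4201` does with `$this->encryptFixedPart`. A null would therefore silently yield an 8-byte nonce instead of the intended 12 bytes. Whether `setNonce()` rejects a short nonce is not visible here, and the key-exchange branches are the only writers shown, so the failure would surface far from its cause. A guard before the call makes it explicit, e.g. `if (!is_string($this->decryptFixedPart) || strlen($this->decryptFixedPart) !== 4) { throw new \RuntimeException('GCM nonce fixed part is not initialised'); }`, with the equivalent check on the encrypt side. The surrounding switch and method begin and end outside both hunks.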