From c99e38b7c9aec42bc6a76a21147cf4e523ed9f66 Mon Sep 17 00:00:00 2001
From: terrafrost
Date: Fri, 16 Dec 2022 22:16:49 -0600
Subject: [PATCH] OpenSSL 3.0.1+ deprecated some algorithms

---
 phpseclib/Crypt/Blowfish.php | 6 ++++++
 phpseclib/Crypt/DES.php | 6 ++++++
 phpseclib/Crypt/RC2.php | 6 ++++++
 phpseclib/Crypt/RC4.php | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/phpseclib/Crypt/Blowfish.php b/phpseclib/Crypt/Blowfish.php
index c32bfa17..b3257d67 100644
--- a/phpseclib/Crypt/Blowfish.php
+++ b/phpseclib/Crypt/Blowfish.php
@@ -515,6 +515,12 @@ class Crypt_Blowfish extends Crypt_Base
 function isValidEngine($engine)
 {
 if ($engine == CRYPT_ENGINE_OPENSSL) {
+ // quoting https://www.openssl.org/news/openssl-3.0-notes.html, OpenSSL 3.0.1
+ // "Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider"
+ // in theory openssl_get_cipher_methods() should catch this but, on GitHub Actions, at least, it does not
+ if (version_compare(preg_replace('#OpenSSL (\d+\.\d+\.\d+) .*#', '$1', OPENSSL_VERSION_TEXT), '3.0.1', '>=')) {
+ return false;
+ }
 if (version_compare(PHP_VERSION, '5.3.7') < 0 && $this->key_length != 16) {
 return false;
 }
diff --git a/phpseclib/Crypt/DES.php b/phpseclib/Crypt/DES.php
index 093657f6..80766f63 100644
--- a/phpseclib/Crypt/DES.php
+++ b/phpseclib/Crypt/DES.php
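Review bot: In Blowfish.php the added version check reads `OPENSSL_VERSION_TEXT` without a `defined()` guard and runs before anything else in the OpenSSL branch, so a PHP build without the openssl extension would hit an undefined constant here (a notice or warning on PHP 5/7, an `Error` on PHP 8) unless the caller has already ruled that out, which this hunk does not show. Guarding the condition keeps the probe safe: `if (defined('OPENSSL_VERSION_TEXT') && version_compare(preg_replace('#OpenSSL (\d+\.\d+\.\d+) .*#', '$1', OPENSSL_VERSION_TEXT), '3.0.1', '>=')) {`. The same unguarded line is added in the DES, RC2 and RC4 hunks. isValidEngine continues past the end of this hunk.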
@@ -665,6 +665,12 @@ class Crypt_DES extends Crypt_Base
 {
 if ($this->key_length_max == 8) {
 if ($engine == CRYPT_ENGINE_OPENSSL) {
+ // quoting https://www.openssl.org/news/openssl-3.0-notes.html, OpenSSL 3.0.1
+ // "Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider"
+ // in theory openssl_get_cipher_methods() should catch this but, on GitHub Actions, at least, it does not
+ if (version_compare(preg_replace('#OpenSSL (\d+\.\d+\.\d+) .*#', '$1', OPENSSL_VERSION_TEXT), '3.0.1', '>=')) {
+ return false;
+ }
 $this->cipher_name_openssl_ecb = 'des-ecb';
 $this->cipher_name_openssl = 'des-' . $this->_openssl_translate_mode();
 }
diff --git a/phpseclib/Crypt/RC2.php b/phpseclib/Crypt/RC2.php
index 8c5b5cd7..2a11e0b7 100644
--- a/phpseclib/Crypt/RC2.php
+++ b/phpseclib/Crypt/RC2.php
@@ -346,6 +346,12 @@ class Crypt_RC2 extends Crypt_Base
 {
 switch ($engine) {
 case CRYPT_ENGINE_OPENSSL:
+ // quoting https://www.openssl.org/news/openssl-3.0-notes.html, OpenSSL 3.0.1
+ // "Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider"
+ // in theory openssl_get_cipher_methods() should catch this but, on GitHub Actions, at least, it does not
+ if (version_compare(preg_replace('#OpenSSL (\d+\.\d+\.\d+) .*#', '$1', OPENSSL_VERSION_TEXT), '3.0.1', '>=')) {
+ return false;
+ }
 if ($this->current_key_length != 128 || strlen($this->orig_key) < 16) {
 return false;
 }
diff --git a/phpseclib/Crypt/RC4.php b/phpseclib/Crypt/RC4.php
index 8a59518f..488ff84c 100644
--- a/phpseclib/Crypt/RC4.php
+++ b/phpseclib/Crypt/RC4.php
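Review bot: In DES.php the new early return sits inside `if ($this->key_length_max == 8)`, so it applies only to that key length, and nothing in the added comment says the narrower scope is deliberate. A one-line comment would stop a later reader from widening or removing it by mistake, for example `// single-DES only: longer key lengths skip this branch and are not covered by the legacy-provider check`. Whether the longer-key variants remain in OpenSSL 3's default provider is not visible here and should be confirmed before relying on that. The enclosing function starts before the hunk and continues after it.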
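Review bot: In RC2.php, when the pattern does not match, `preg_replace` returns the whole banner unchanged, so `version_compare` is handed free text (a letter-suffixed 1.x version, or another library's banner) and the result depends on how it orders non-numeric segments rather than on an explicit decision. Extracting the version and treating "no match" as "not 3.x" makes the intent explicit: `if (preg_match('#^OpenSSL (\d+\.\d+\.\d+)#', OPENSSL_VERSION_TEXT, $m) && version_compare($m[1], '3.0.1', '>=')) {`. The `'3.0.1'` bound is also worth confirming, since the quoted sentence comes from the 3.0 release notes and 3.0.0 may behave the same way. The identical line appears in the Blowfish, DES and RC4 hunks.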
@@ -190,6 +190,12 @@ class Crypt_RC4 extends Crypt_Base
 function isValidEngine($engine)
 {
 if ($engine == CRYPT_ENGINE_OPENSSL) {
+ // quoting https://www.openssl.org/news/openssl-3.0-notes.html, OpenSSL 3.0.1
+ // "Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider"
+ // in theory openssl_get_cipher_methods() should catch this but, on GitHub Actions, at least, it does not
+ if (version_compare(preg_replace('#OpenSSL (\d+\.\d+\.\d+) .*#', '$1', OPENSSL_VERSION_TEXT), '3.0.1', '>=')) {
+ return false;
+ }
 if (version_compare(PHP_VERSION, '5.3.7') >= 0) {
 $this->cipher_name_openssl = 'rc4-40';
 } else {
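Review bot: In RC4.php this is the fourth verbatim copy of the version probe (it is also in the Blowfish, DES and RC2 hunks), so the comment, the pattern and the version bound now have to be kept in step by hand across four classes. All four extend Crypt_Base, so a single new helper there would give one place to correct the check; the call site would shrink to something like `if ($this->_openssl_legacy_provider_only()) { return false; }`, where the method name is only a suggestion and does not exist in the code shown. It is also worth stating in the comment that returning false only rules out the OpenSSL engine, assuming the caller then tries another engine, which this hunk does not show. isValidEngine continues beyond the end of the hunk.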