Merge branch 'master' into diffie-hellman

2024-06-02 08:30:52 +00:00 · 2019-08-07 08:09:36 -05:00 · 2019-08-07 08:09:36 -05:00 · f04d69a3eb
commit f04d69a3eb
parent 1e7453b585 dfde088d4c
12 changed files with 176 additions and 12 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: #terrafrost
+patreon: phpseclib
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: "packagist/phpseclib/phpseclib"
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.travis.yml
+++ b/.travis.yml
@ -20,6 +20,7 @@ before_install: true
 matrix:
  allow_failures:
    - php: nightly
+    - php: 7.4snapshot

 install:
  - wget http://ftp.gnu.org/gnu/parallel/parallel-20170822.tar.bz2
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # Changelog

+## 2.0.21 - 2019-07-14
+
+- SSH2: only auto close the channel for exec() timeouts (#1384)
+
 ## 2.0.20 - 2019-06-23

 - BigInteger: lower PHP req back down to PHP 5.3.3 (#1382)
--- a/5
+++ b/5
@ -1,5 +1,4 @@
-Copyright 2007-2016 TerraFrost and other contributors
-http://phpseclib.sourceforge.net/
+Copyright (c) 2011-2019 TerraFrost and other contributors

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
@ -18,4 +17,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/README.md
+++ b/README.md
@ -2,6 +2,14 @@

 [![Build Status](https://travis-ci.org/phpseclib/phpseclib.svg?branch=master)](https://travis-ci.org/phpseclib/phpseclib)

+## Supporting phpseclib
+
+- [Become a backer or sponsor on Patreon](https://www.patreon.com/phpseclib)
+- [One-time donation via PayPal or crypto-currencies](http://sourceforge.net/donate/index.php?group_id=198487)
+- [Subscribe to Tidelift](https://tidelift.com/subscription/pkg/packagist-phpseclib-phpseclib?utm_source=packagist-phpseclib-phpseclib&utm_medium=referral&utm_campaign=readme)
+
+## Introduction
+
 MIT-licensed pure-PHP implementations of an arbitrary-precision integer
 arithmetic library, fully PKCS#1 (v2.1) compliant RSA, DES, 3DES, RC4, Rijndael,
 AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509
@ -39,6 +47,10 @@ AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509
 * Install using PEAR: See [phpseclib PEAR Channel Documentation](http://phpseclib.sourceforge.net/pear.htm)
 * [Download 1.0.16 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.16.zip/download)

+## Security contact information
+
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.
+
 ## Support

 Need Support?
--- a/phpseclib/Crypt/Common/SymmetricKey.php
+++ b/phpseclib/Crypt/Common/SymmetricKey.php
@ -243,7 +243,7 @@ abstract class SymmetricKey
     * @var array
     * @access private
     */
-    private $enbuffer;
+    protected $enbuffer;

    /**
     * Decryption buffer for CTR, OFB and CFB modes
@ -253,7 +253,7 @@ abstract class SymmetricKey
     * @var array
     * @access private
     */
-    private $debuffer;
+    protected $debuffer;

    /**
     * mcrypt resource for encryption
--- a/phpseclib/File/ASN1.php
+++ b/phpseclib/File/ASN1.php
@ -739,7 +739,14 @@ abstract class ASN1
                return isset(self::$oids[$decoded['content']]) ? self::$oids[$decoded['content']] : $decoded['content'];
            case self::TYPE_UTC_TIME:
            case self::TYPE_GENERALIZED_TIME:
-                if (isset($mapping['implicit'])) {
+                // for explicitly tagged optional stuff
+                if (is_array($decoded['content'])) {
+                    $decoded['content'] = $decoded['content'][0]['content'];
+                }
+                // for implicitly tagged optional stuff
+                // in theory, doing isset($mapping['implicit']) would work but malformed certs do exist
+                // in the wild that OpenSSL decodes without issue so we'll support them as well
+                if (!is_object($decoded['content'])) {
                    $decoded['content'] = self::decodeTime($decoded['content'], $decoded['type']);
                }
                return $decoded['content'] ? $decoded['content']->format(self::$format) : false;
@ -902,7 +909,7 @@ abstract class ASN1
                    if ($mapping['type'] == self::TYPE_SET) {
                        sort($value);
                    }
-                    $value = implode($value, '');
+                    $value = implode('', $value);
                    break;
                }

--- a/phpseclib/File/ASN1/Maps/SubjectInfoAccessSyntax.php
+++ b/phpseclib/File/ASN1/Maps/SubjectInfoAccessSyntax.php
@ -0,0 +1,35 @@
+<?php
+
+/**
+ * SubjectInfoAccessSyntax
+ *
+ * PHP version 5
+ *
+ * @category  File
+ * @package   ASN1
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+namespace phpseclib\File\ASN1\Maps;
+
+use phpseclib\File\ASN1;
+
+/**
+ * SubjectInfoAccessSyntax
+ *
+ * @package ASN1
+ * @author  Jim Wigginton <terrafrost@php.net>
+ * @access  public
+ */
+abstract class SubjectInfoAccessSyntax
+{
+    const MAP = [
+        'type'     => ASN1::TYPE_SEQUENCE,
+        'min'      => 1,
+        'max'      => -1,
+        'children' => AccessDescription::MAP
+    ];
+}
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@ -575,7 +575,10 @@ class X509
                   corresponding to the extension type identified by extnID */
                $map = $this->getMapping($id);
                if (!is_bool($map)) {
-                    $mapped = ASN1::asn1map($decoded[0], $map, ['iPAddress' => [$this, 'decodeIP']]);
+                    $decoder = $id == 'id-ce-nameConstraints' ?
+                        [$this, 'decodeNameConstraintIP'] :
+                        [$this, 'decodeIP'];
+                    $mapped = ASN1::asn1map($decoded[0], $map, ['iPAddress' => $decoder]);
                    $value = $mapped === false ? $decoded[0] : $mapped;

                    if ($id == 'id-ce-certificatePolicies') {
@ -1466,18 +1469,37 @@ class X509
        return inet_ntop($ip);
    }

+    /**
+     * Decodes an IP address in a name constraints extension
+     *
+     * Takes in a base64 encoded "blob" and returns a human readable IP address / mask
+     *
+     * @param string $ip
+     * @access private
+     * @return array
+     */
+    public function decodeNameConstraintIP($ip)
+    {
+        $size = strlen($ip) >> 1;
+        $mask = substr($ip, $size);
+        $ip = substr($ip, 0, $size);
+        return [inet_ntop($ip), inet_ntop($mask)];
+    }
+
    /**
     * Encodes an IP address
     *
     * Takes a human readable IP address into a base64-encoded "blob"
     *
-     * @param string $ip
+     * @param string|array $ip
     * @access private
     * @return string
     */
    public function encodeIP($ip)
    {
-        return inet_pton($ip);
+        return is_string($ip) ?
+            inet_pton($ip) :
+            inet_pton($ip[0]) . inet_pton($ip[1]);
    }

    /**
--- a/phpseclib/Net/SSH2.php
+++ b/phpseclib/Net/SSH2.php
@ -3564,7 +3564,9 @@ class SSH2
                    // on windows this returns a "Warning: Invalid CRT parameters detected" error
                    if (!@stream_select($read, $write, $except, $sec, $usec) && !count($read)) {
                        $this->is_timeout = true;
-                        $this->close_channel($client_channel);
+                        if ($client_channel == self::CHANNEL_EXEC && !$this->request_pty) {
+                            $this->close_channel($client_channel);
+                        }
                        return true;
                    }
                    $elapsed = microtime(true) - $start;
@ -3597,7 +3599,7 @@ class SSH2
                switch ($type) {
                    case NET_SSH2_MSG_CHANNEL_EXTENDED_DATA:
                        /*
-                        if ($client_channel == NET_SSH2_CHANNEL_EXEC) {
+                        if ($client_channel == self::CHANNEL_EXEC) {
                            $this->send_channel_packet($client_channel, chr(0));
                        }
                        */
--- a/tests/Unit/File/ASN1Test.php
+++ b/tests/Unit/File/ASN1Test.php
@ -364,4 +364,32 @@ class Unit_File_ASN1Test extends PhpseclibTestCase
        $this->assertSame(pack('H*', '6983f09da7ebcfdee0c7a1a7b2c0948cc8f9d776'), $new);
        $this->assertSame($orig, ASN1::decodeOID($new));
    }
+
+    /**
+     * @group github1388
+     */
+    public function testExplicitImplicitDate()
+    {
+        $map = [
+            'type'     => ASN1::TYPE_SEQUENCE,
+            'children' => [
+                'notBefore' => [
+                                             'constant' => 0,
+                                             'optional' => true,
+                                             'implicit' => true,
+                                             'type' => ASN1::TYPE_GENERALIZED_TIME],
+                'notAfter'  => [
+                                             'constant' => 1,
+                                             'optional' => true,
+                                             'implicit' => true,
+                                             'type' => ASN1::TYPE_GENERALIZED_TIME]
+            ]
+        ];
+
+        $a = pack('H*', '3026a011180f32303137303432313039303535305aa111180f32303138303432313230353935395a');
+        $a = ASN1::decodeBER($a);
+        $a = ASN1::asn1map($a[0], $map);
+
+        $this->assertInternalType('array', $a);
+    }
 }
--- a/tests/Unit/File/X509/X509Test.php
+++ b/tests/Unit/File/X509/X509Test.php
@ -961,4 +961,46 @@ A9bhRA0cVk7bAEU2c44CYg==

        $this->assertFalse($r);
    }
+
+    /**
+     * @group github1387
+     */
+    public function testNameConstraintIP()
+    {
+        $x509 = new X509();
+        $r = $x509->loadX509('-----BEGIN CERTIFICATE-----
+MIIGcDCCBVigAwIBAgIQRUgJC4ec7yFWcqzT3mwbWzANBgkqhkiG9w0BAQwFADB1MQswCQYDVQQG
+EwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2Vy
+dGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCAXDTE1
+MTIxNzEyMzg0M1oYDzIwMzAxMjE3MjM1OTU5WjBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMg
+U2VydGlmaXRzZWVyaW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMM
+DkVTVEVJRC1TSyAyMDE1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oH61NDxbdW9
+k8nLA1qGaL4B7vydod2Ewp/STBZB3wEtIJCLdkpEsS8pXfFiRqwDVsgGGbu+Q99trlb5LI7yi7rI
+kRov5NftBdSNPSU5rAhYPQhvZZQgOwRaHa5Ey+BaLJHmLqYQS9hQvQsCYyws+xVvNFUpK0pGD64i
+ycqdMuBl/nWq3fLuZppwBh0VFltm4nhr/1S0R9TRJpqFUGbGr4OK/DwebQ5PjhdS40gCUNwmC7fP
+Q4vIH+x+TCk2aG+u3MoAz0IrpVWqiwzG/vxreuPPAkgXeFCeYf6fXLsGz4WivsZFbph2pMjELu6s
+ltlBXfAG3fGv43t91VXicyzR/eT5dsB+zFsW1sHV+1ONPr+qzgDxCH2cmuqoZNfIIq+buob3eA8e
+e+XpJKJQr+1qGrmhggjvAhc7m6cU4x/QfxwRYhIVNhJf+sKVThkQhbJ9XxuKk3c18wymwL1mpDD0
+PIGJqlssMeiuJ4IzagFbgESGNDUd4icm0hQT8CmQeUm1GbWeBYseqPhMQX97QFBLXJLVy2SCyoAz
+7Bq1qA43++EcibN+yBc1nQs2Zoq8ck9MK0bCxDMeUkQUz6VeQGp69ImOQrsw46qTz0mtdQrMSbnk
+XCuLan5dPm284J9HmaqiYi6j6KLcZ2NkUnDQFesBVlMEm+fHa2iR6lnAFYZ06UECAwEAAaOCAgow
+ggIGMB8GA1UdIwQYMBaAFBLyWj7qVhy/zQas8fElyalL1BSZMB0GA1UdDgQWBBSzq4i8mdVipIUq
+CM20HXI7g3JHUTAOBgNVHQ8BAf8EBAMCAQYwdwYDVR0gBHAwbjAIBgYEAI96AQIwCQYHBACL7EAB
+AjAwBgkrBgEEAc4fAQEwIzAhBggrBgEFBQcCARYVaHR0cHM6Ly93d3cuc2suZWUvQ1BTMAsGCSsG
+AQQBzh8BAjALBgkrBgEEAc4fAQMwCwYJKwYBBAHOHwEEMBIGA1UdEwEB/wQIMAYBAf8CAQAwQQYD
+VR0eBDowOKE2MASCAiIiMAqHCAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAMCcGA1UdJQQgMB4GCCsGAQUFBwMJBggrBgEFBQcDAgYIKwYBBQUHAwQwfAYIKwYBBQUH
+AQEEcDBuMCAGCCsGAQUFBzABhhRodHRwOi8vb2NzcC5zay5lZS9DQTBKBggrBgEFBQcwAoY+aHR0
+cDovL3d3dy5zay5lZS9jZXJ0cy9FRV9DZXJ0aWZpY2F0aW9uX0NlbnRyZV9Sb290X0NBLmRlci5j
+cnQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL3d3dy5zay5lZS9yZXBvc2l0b3J5L2NybHMvZWVj
+Y3JjYS5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHRWDGI3P00r2sOnlvLHKk9eE7X93eT+4e5TeaQs
+OpE5zQRUTtshxN8Bnx2ToQ9rgi18q+MwXm2f0mrGakYYG0bix7ZgDQvCMD/kuRYmwLGdfsTXwh8K
+uL6uSHF+U/ZTss6qG7mxCHG9YvebkN5Yj/rYRvZ9/uJ9rieByxw4wo7b19p22PXkAkXP5y3+qK/O
+et98lqwI97kJhiS2zxFYRk+dXbazmoVHnozYKmsZaSUvoYNNH19tpS7BLdsgi9KpbvQLb5ywIMq9
+ut3+b2Xvzq8yzmHMFtLIJ6Afu1jJpqD82BUAFcvi5vhnP8M7b974R18WCOpgNQvXDI+2/8ZINeU=
+-----END CERTIFICATE-----');
+        $r = $x509->saveX509($r);
+        $r = $x509->loadX509($r);
+        $this->assertSame($r['tbsCertificate']['extensions'][5]['extnValue']['excludedSubtrees'][1]['base']['iPAddress'], ['0.0.0.0', '0.0.0.0']);
+    }
 }