Custom 3.0.55#1
Open
zare-ashkan wants to merge 47 commits into
Open
Conversation
Feature: SFTP Hardlink
in particular, it didn't work when OpenSSL was auto selected. it worked just fine when OpenSSL was forcefully selected
this is breaking the unit tests for phpseclib2_compat, hence my doing a release now vs waiting until other issues have accumulated
There was a problem hiding this comment.
Pull request overview
Rebases the custom phpseclib fork onto upstream 3.0.55 while retaining / extending DIP-specific RSASSA-PSS certificate behavior (notably omitting PSS parameters in SubjectPublicKeyInfo) and picking up upstream fixes across RSA, X509, ASN.1, and SFTP.
Changes:
- Updates X509/RSA/PSS handling to support OpenSSL-compatible PSS certificate encoding and to validate PSS signatures when public keys omit PSS parameters.
- Adds / updates tests covering PSS export/encoding, OpenSSL engine behavior with password-protected keys, and invalid-key parsing.
- Pulls in upstream features and fixes (ASN1 OID handling performance work, SFTP hardlink support, DES deprecation fixes, docs/changelog updates).
Reviewed changes
Copilot reviewed 24 out of 25 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/Unit/Math/BigInteger/TestCase.php | Adds coverage for empty-string BigInteger length behavior. |
| tests/Unit/File/X509/X509Test.php | Adds regression tests around PSS SPKI parameter omission and queued extensions. |
| tests/Unit/Crypt/RSA/ModeTest.php | Adds OpenSSL-engine regression test for decrypting with passphrase-protected PKCS8 keys; expands engine matrix. |
| tests/Unit/Crypt/RSA/LoadKeyTest.php | Adds tests for PSS omitParameters behavior and invalid-version key rejection. |
| tests/Unit/Crypt/DSA/LoadDSAKeyTest.php | Adds invalid-version DSA key rejection test. |
| tests/Functional/Net/SFTPUserStoryTest.php | Adds functional hardlink user story coverage. |
| README.md | Documents upcoming 4.0 branch details and updates 1.0 download link. |
| phpseclib/Net/SSH2.php | Adds removal annotations in docblocks for upcoming 4.0 API changes. |
| phpseclib/Net/SFTP.php | Adds hardlink() support and 4.0 docblock annotations. |
| phpseclib/Math/BigInteger/Engines/GMP.php | Fixes GMP bit conversion for empty hex input. |
| phpseclib/Math/BigInteger.php | Adds 4.0 docblock annotation for modInverse. |
| phpseclib/File/X509.php | Implements queued extensions, PSS-parameter omission for SPKI, URL fetch callback pinning, and PSS signature-parameter fallback verification. |
| phpseclib/File/ASN1.php | Adds optional 64-bit OID handling and refactors decodeOID for performance. |
| phpseclib/Crypt/RSA/PublicKey.php | Adjusts PSS serialization to support omitting parameters; removes inline PKCS1/OpenSSL commentary now handled centrally. |
| phpseclib/Crypt/RSA/PrivateKey.php | Adjusts PSS serialization to support omitting parameters. |
| phpseclib/Crypt/RSA/Formats/Keys/PSS.php | Supports omitting PSS parameters and updates default parameter emission. |
| phpseclib/Crypt/RSA/Formats/Keys/PKCS1.php | Adds stricter validation for RSA PKCS1 version parsing. |
| phpseclib/Crypt/RSA.php | Improves OpenSSL-engine handling (PKCS1 verification constraints, password-protected key export, warning handling). |
| phpseclib/Crypt/EC.php | Fixes control flow in curve/provider selection. |
| phpseclib/Crypt/DSA/PrivateKey.php | Ensures OpenSSL signing uses an unencrypted PKCS8 export. |
| phpseclib/Crypt/DSA/Formats/Keys/PKCS1.php | Adds stricter validation for DSA PKCS1 version parsing. |
| phpseclib/Crypt/DES.php | Updates inline-crypt callback generation to avoid deprecated callable syntax. |
| phpseclib/Crypt/Common/Formats/Keys/PKCS8.php | Allows omitting algorithm parameters when formats indicate false. |
| CHANGELOG.md | Adds entries for 3.0.53–3.0.55 and aligns CVE annotation text. |
| .gitignore | Ignores .DS_Store. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| * Composer compatible (PSR-0 autoloading) | ||
| * Install using Composer: `composer require phpseclib/phpseclib:~1.0` | ||
| * [Download 1.0.25 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.25.zip/download) | ||
| * [Download 1.0.25 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.30.zip/download) |
|
|
||
| ## 3.0.55 - 2026-06-14 | ||
|
|
||
| - RSA: signature verification with PKCS1 with failed when the parameters field was absent |
Comment on lines
+4230
to
+4234
| /** | ||
| * Returns the OID corresponding to a name | ||
| * | ||
| * @param ?callable $callback | ||
| */ |
| $numBytes++; | ||
| $endByte = ~$temp & 0x80; | ||
| if ($numBytes === PHP_INT_SIZE) { | ||
| $prefix .= substr(pack('J', $subn), 1); // we're basically left shifting by 7 bytes |
| $sbox1 = array_map(["' . self::class . '", "safe_intval"], self::$sbox1); | ||
| $sbox2 = array_map(["' . self::class . '", "safe_intval"], self::$sbox2); | ||
| $sbox3 = array_map(["' . self::class . '", "safe_intval"], self::$sbox3); | ||
| $sbox4 = array_map(["' . self::class .'", "safe_intval"], self::$sbox4); |
Comment on lines
+3800
to
+3804
| throw new \RuntimeException( | ||
| "Extension 'hardlink@openssh.com' is not supported by the server. " . | ||
| "Call getSupportedVersions() to see a list of supported extension" | ||
| ); | ||
| } |
Comment on lines
+795
to
+802
| public function testHardlink($sftp) | ||
| { | ||
| $sftp->put('test3.txt', 'abcdefg'); | ||
|
|
||
| $this->assertTrue( | ||
| $sftp->hardlink('test3.txt', 'hardlink'), | ||
| 'Failed asserting that a hardlink could be created' | ||
| ); |
Author
|
@zembrowski |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rebases the rechtlogisch custom phpseclib fork onto upstream 3.0.55 while keeping the DIP-specific RSASSA-PSS certificate patches required by Mind.
omitParameters,queueExtension)