nextcloud · susnux · Apr 9, 2024 · Nov 5, 2024
diff --git a/3rdparty b/3rdparty
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
@@ -16,7 +16,7 @@
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IUserSession;
-use phpseclib\Crypt\RC4;
+use phpseclib3\Crypt\RC4;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -724,7 +724,6 @@ public function useLegacyBase64Encoding(): bool {
 	 */
 	private function rc4Decrypt(string $data, string $secret): string {
 		$rc4 = new RC4();
-		/** @psalm-suppress InternalMethod */
 		$rc4->setKey($secret);
 
 		return $rc4->decrypt($data);
@@ -735,7 +734,6 @@ private function rc4Decrypt(string $data, string $secret): string {
 	 */
 	private function rc4Encrypt(string $data, string $secret): string {
 		$rc4 = new RC4();
-		/** @psalm-suppress InternalMethod */
 		$rc4->setKey($secret);
 
 		return $rc4->encrypt($data);

diff --git a/apps/files_external/lib/Controller/AjaxController.php b/apps/files_external/lib/Controller/AjaxController.php
@@ -42,10 +42,15 @@ public function __construct(
 	 */
 	private function generateSshKeys($keyLength) {
 		$key = $this->rsaMechanism->createKey($keyLength);
-		// Replace the placeholder label with a more meaningful one
-		$key['publickey'] = str_replace('phpseclib-generated-key', gethostname(), $key['publickey']);
-
-		return $key;
+		return [
+			'private_key' => $key->toString('PKCS1'),
+			// Replace the placeholder label with a more meaningful one
+			'public_key' => str_replace(
+				'phpseclib-generated-key',
+				gethostname(),
+				$key->getPublicKey()->toString('OpenSSH'),
+			),
+		];
 	}
 
 	/**
@@ -57,10 +62,7 @@ private function generateSshKeys($keyLength) {
 	public function getSshKeys($keyLength = 1024) {
 		$key = $this->generateSshKeys($keyLength);
 		return new JSONResponse(
-			['data' => [
-				'private_key' => $key['privatekey'],
-				'public_key' => $key['publickey']
-			],
+			['data' => $key,
 				'status' => 'success'
 			]);
 	}

diff --git a/apps/files_external/lib/Lib/Auth/PublicKey/RSA.php b/apps/files_external/lib/Lib/Auth/PublicKey/RSA.php
@@ -12,7 +12,7 @@
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IUser;
-use phpseclib\Crypt\RSA as RSACrypt;
+use phpseclib3\Crypt\RSA as RSACrypt;
 
 /**
  * RSA public key authentication
@@ -41,33 +41,33 @@
 	 * @return void
 	 */
 	public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null) {
-		$auth = new RSACrypt();
-		$auth->setPassword($this->config->getSystemValue('secret', ''));
-		if (!$auth->loadKey($storage->getBackendOption('private_key'))) {
+		try {
+			$auth = RSACrypt::loadPrivateKey(
+				$storage->getBackendOption('private_key'),
+				$this->config->getSystemValue('secret', '')
+			);
+		} catch (\Throwable) {
 			// Add fallback routine for a time where secret was not enforced to be exists
-			$auth->setPassword('');
-			if (!$auth->loadKey($storage->getBackendOption('private_key'))) {
-				throw new \RuntimeException('unable to load private key');
-			}
+			$auth = RSACrypt::loadPrivateKey($storage->getBackendOption('private_key'));
 		}
+
 		$storage->setBackendOption('public_key_auth', $auth);
 	}
 
 	/**
 	 * Generate a keypair
 	 *
 	 * @param int $keyLenth
-	 * @return array ['privatekey' => $privateKey, 'publickey' => $publicKey]
 	 */
-	public function createKey($keyLength) {
+	public function createKey($keyLength): RSACrypt\PrivateKey {
 		$rsa = new RSACrypt();
-		$rsa->setPublicKeyFormat(RSACrypt::PUBLIC_FORMAT_OPENSSH);
-		$rsa->setPassword($this->config->getSystemValue('secret', ''));
-
+
 		if ($keyLength !== 1024 && $keyLength !== 2048 && $keyLength !== 4096) {
 			$keyLength = 1024;
 		}
 
-		return $rsa->createKey($keyLength);
+		$secret = $this->config->getSystemValue('secret', '');
+		return $rsa->createKey($keyLength)
+			->withPassword($secret);
 	}
 }
diff --git a/apps/files_external/lib/Lib/Auth/PublicKey/RSAPrivateKey.php b/apps/files_external/lib/Lib/Auth/PublicKey/RSAPrivateKey.php
@@ -11,7 +11,7 @@
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IUser;
-use phpseclib\Crypt\RSA as RSACrypt;
+use phpseclib3\Crypt\RSA;
 
 /**
  * RSA public key authentication
@@ -39,12 +39,12 @@
 	 * @return void
 	 */
 	public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null) {
-		$auth = new RSACrypt();
-		$auth->setPassword($this->config->getSystemValue('secret', ''));
-		if (!$auth->loadKey($storage->getBackendOption('private_key'))) {
+		$auth = new RSA\PrivateKey();
+		$auth->withPassword($this->config->getSystemValue('secret', ''));
+		if (!$auth->loadPrivateKey($storage->getBackendOption('private_key'))) {
 			// Add fallback routine for a time where secret was not enforced to be exists
-			$auth->setPassword('');
-			if (!$auth->loadKey($storage->getBackendOption('private_key'))) {
+			$auth->withPassword('');
+			if (!$auth->loadPrivateKey($storage->getBackendOption('private_key'))) {
 				throw new \RuntimeException('unable to load private key');
 			}
 		}

diff --git a/apps/files_external/lib/Lib/Storage/SFTP.php b/apps/files_external/lib/Lib/Storage/SFTP.php
@@ -14,7 +14,7 @@
 use OCP\Constants;
 use OCP\Files\FileInfo;
 use OCP\Files\IMimeTypeDetector;
-use phpseclib\Net\SFTP\Stream;
+use phpseclib3\Net\SFTP\Stream;
 
 /**
  * Uses phpseclib's Net\SFTP class and the Net\SFTP\Stream stream wrapper to
@@ -29,7 +29,7 @@
 	private $auth = [];
 
 	/**
-	 * @var \phpseclib\Net\SFTP
+	 * @var \phpseclib3\Net\SFTP
 	 */
 	protected $client;
 	private IMimeTypeDetector $mimeTypeDetector;
@@ -93,16 +93,16 @@
 	/**
 	 * Returns the connection.
 	 *
-	 * @return \phpseclib\Net\SFTP connected client instance
+	 * @return \phpseclib3\Net\SFTP connected client instance
 	 * @throws \Exception when the connection failed
 	 */
-	public function getConnection(): \phpseclib\Net\SFTP {
+	public function getConnection(): \phpseclib3\Net\SFTP {
 		if (!is_null($this->client)) {
 			return $this->client;
 		}
 
 		$hostKeys = $this->readHostKeys();
-		$this->client = new \phpseclib\Net\SFTP($this->host, $this->port);
+		$this->client = new \phpseclib3\Net\SFTP($this->host, $this->port);
 
 		// The SSH Host Key MUST be verified before login().
 		$currentHostKey = $this->client->getServerPublicHostKey();
@@ -315,7 +315,7 @@
 				case 'wb':
 					SFTPWriteStream::register();
 					// the SFTPWriteStream doesn't go through the "normal" methods so it doesn't clear the stat cache.
 					$connection->_remove_from_stat_cache($absPath);
 					$context = stream_context_create(['sftp' => ['session' => $connection]]);
 					return fopen('sftpwrite://' . trim($absPath, '/'), 'w', false, $context);
 				case 'a':
@@ -442,7 +442,7 @@
 			$absTarget = $this->absPath($target);

 			$connection = $this->getConnection();
 			$size = $connection->size($absSource);
 			if ($size === false) {
 				return false;
 			}
@@ -453,7 +453,7 @@
 					return false;
 				}
 				/** @psalm-suppress InternalMethod */
-				if (!$connection->put($absTarget, $chunk, \phpseclib\Net\SFTP::SOURCE_STRING, $i)) {
+				if (!$connection->put($absTarget, $chunk, \phpseclib3\Net\SFTP::SOURCE_STRING, $i)) {
 					return false;
 				}
 			}

diff --git a/apps/files_external/lib/Lib/Storage/SFTPReadStream.php b/apps/files_external/lib/Lib/Storage/SFTPReadStream.php
@@ -9,13 +9,13 @@
 namespace OCA\Files_External\Lib\Storage;
 
 use Icewind\Streams\File;
-use phpseclib\Net\SSH2;
+use phpseclib3\Net\SSH2;
 
 class SFTPReadStream implements File {
 	/** @var resource */
 	public $context;
 
-	/** @var \phpseclib\Net\SFTP */
+	/** @var \phpseclib3\Net\SFTP */
 	private $sftp;
 
 	/** @var string */
@@ -53,7 +53,7 @@
 		} else {
 			throw new \BadMethodCallException('Invalid context, "' . $name . '" options not set');
 		}
-		if (isset($context['session']) and $context['session'] instanceof \phpseclib\Net\SFTP) {
+		if (isset($context['session']) and $context['session'] instanceof \phpseclib3\Net\SFTP) {
 			$this->sftp = $context['session'];
 		} else {
 			throw new \BadMethodCallException('Invalid context, session not set');
@@ -71,27 +71,27 @@

 		$this->loadContext('sftp');

 		if (!($this->sftp->bitmap & SSH2::MASK_LOGIN)) {
 			return false;
 		}

 		$remote_file = $this->sftp->_realpath($path);
 		if ($remote_file === false) {
 			return false;
 		}

 		$packet = pack('Na*N2', strlen($remote_file), $remote_file, NET_SFTP_OPEN_READ, 0);
 		if (!$this->sftp->_send_sftp_packet(NET_SFTP_OPEN, $packet)) {
 			return false;
 		}

 		$response = $this->sftp->_get_sftp_packet();
 		switch ($this->sftp->packet_type) {
 			case NET_SFTP_HANDLE:
 				$this->handle = substr($response, 4);
 				break;
 			case NET_SFTP_STATUS: // presumably SSH_FX_NO_SUCH_FILE or SSH_FX_PERMISSION_DENIED
 				$this->sftp->_logError($response);
 				return false;
 			default:
 				user_error('Expected SSH_FXP_HANDLE or SSH_FXP_STATUS');

diff --git a/apps/files_external/lib/Lib/Storage/SFTPWriteStream.php b/apps/files_external/lib/Lib/Storage/SFTPWriteStream.php
@@ -9,13 +9,13 @@
 namespace OCA\Files_External\Lib\Storage;
 
 use Icewind\Streams\File;
-use phpseclib\Net\SSH2;
+use phpseclib3\Net\SSH2;
 
 class SFTPWriteStream implements File {
 	/** @var resource */
 	public $context;
 
-	/** @var \phpseclib\Net\SFTP */
+	/** @var \phpseclib3\Net\SFTP */
 	private $sftp;
 
 	/** @var string */
@@ -51,7 +51,7 @@ protected function loadContext(string $name) {
 		} else {
 			throw new \BadMethodCallException('Invalid context, "' . $name . '" options not set');
 		}
-		if (isset($context['session']) and $context['session'] instanceof \phpseclib\Net\SFTP) {
+		if (isset($context['session']) and $context['session'] instanceof \phpseclib3\Net\SFTP) {
 			$this->sftp = $context['session'];
 		} else {
 			throw new \BadMethodCallException('Invalid context, session not set');

diff --git a/apps/files_external/lib/MountConfig.php b/apps/files_external/lib/MountConfig.php
@@ -18,7 +18,7 @@
 use OCP\Files\StorageNotAvailableException;
 use OCP\IL10N;
 use OCP\Util;
-use phpseclib\Crypt\AES;
+use phpseclib3\Crypt\AES;
 use Psr\Log\LoggerInterface;
 
 /**

diff --git a/apps/files_external/tests/Controller/AjaxControllerTest.php b/apps/files_external/tests/Controller/AjaxControllerTest.php
@@ -13,28 +13,27 @@
 use OCP\IRequest;
 use OCP\IUser;
 use OCP\IUserSession;
+use phpseclib3\Crypt\RSA as CryptRSA;
+use phpseclib3\Crypt\RSA\PrivateKey;
+use phpseclib3\Crypt\RSA\PublicKey;
+use PHPUnit\Framework\MockObject\MockObject;
 use Test\TestCase;
 
 class AjaxControllerTest extends TestCase {
-	/** @var IRequest */
-	private $request;
-	/** @var RSA */
-	private $rsa;
-	/** @var GlobalAuth */
-	private $globalAuth;
-	/** @var IUserSession */
-	private $userSession;
-	/** @var IGroupManager */
-	private $groupManager;
-	/** @var AjaxController */
-	private $ajaxController;
+	private IRequest&MockObject $request;
+	private RSA&MockObject $rsa;
+	private GlobalAuth&MockObject $globalAuth;
+	private IUserSession&MockObject $userSession;
+	private IGroupManager&MockObject $groupManager;
+
+	private AjaxController $ajaxController;
 
 	protected function setUp(): void {
 		$this->request = $this->createMock(IRequest::class);
-		$this->rsa = $this->getMockBuilder('\\OCA\\Files_External\\Lib\\Auth\\PublicKey\\RSA')
+		$this->rsa = $this->getMockBuilder(RSA::class)
 			->disableOriginalConstructor()
 			->getMock();
-		$this->globalAuth = $this->getMockBuilder('\\OCA\\Files_External\\Lib\\Auth\\Password\GlobalAuth')
+		$this->globalAuth = $this->getMockBuilder(GlobalAuth::class)
 			->disableOriginalConstructor()
 			->getMock();
 		$this->userSession = $this->createMock(IUserSession::class);
@@ -53,12 +52,29 @@ protected function setUp(): void {
 	}
 
 	public function testGetSshKeys(): void {
+		$keyImpl = $this->createMock(CryptRSA::class);
+		$keyImpl->expects(self::once())
+			->method('toString')
+			->with('OpenSSH')
+			->willReturn('MyPublicKey');
+
+		$publicKey = $this->createMock(PublicKey::class);
+		$publicKey->expects(self::once())
+			->method('getPublicKey')
+			->willReturn($keyImpl);
+
+		$privateKey = $this->createMock(PrivateKey::class);
+		$privateKey->expects(self::once())
+			->method('toString')
+			->with('PKCS1')
+			->willReturn('MyPrivatekey');
+
 		$this->rsa
 			->expects($this->once())
 			->method('createKey')
 			->willReturn([
-				'privatekey' => 'MyPrivateKey',
-				'publickey' => 'MyPublicKey',
+				'privatekey' => $privateKey,
+				'publickey' => $publicKey,
 			]);
 
 		$expected = new JSONResponse(

diff --git a/core/Command/Integrity/SignApp.php b/core/Command/Integrity/SignApp.php
@@ -10,8 +10,8 @@
 use OC\IntegrityCheck\Checker;
 use OC\IntegrityCheck\Helpers\FileAccessHelper;
 use OCP\IURLGenerator;
-use phpseclib\Crypt\RSA;
-use phpseclib\File\X509;
+use phpseclib3\Crypt\RSA;
+use phpseclib3\File\X509;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
@@ -68,8 +68,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 			return 1;
 		}
 
-		$rsa = new RSA();
-		$rsa->loadKey($privateKey);
+		$rsa = RSA::loadPrivateKey($privateKey);
 		$x509 = new X509();
 		$x509->loadX509($keyBundle);
 		$x509->setPrivateKey($rsa);

diff --git a/core/Command/Integrity/SignCore.php b/core/Command/Integrity/SignCore.php
@@ -9,8 +9,8 @@
 
 use OC\IntegrityCheck\Checker;
 use OC\IntegrityCheck\Helpers\FileAccessHelper;
-use phpseclib\Crypt\RSA;
-use phpseclib\File\X509;
+use phpseclib3\Crypt\RSA;
+use phpseclib3\File\X509;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
@@ -63,8 +63,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 			return 1;
 		}
 
-		$rsa = new RSA();
-		$rsa->loadKey($privateKey);
+		$rsa = RSA::loadPrivateKey($privateKey);
 		$x509 = new X509();
 		$x509->loadX509($keyBundle);
 		$x509->setPrivateKey($rsa);

diff --git a/lib/private/Installer.php b/lib/private/Installer.php
@@ -24,7 +24,7 @@
 use OCP\IConfig;
 use OCP\ITempManager;
 use OCP\Migration\IOutput;
-use phpseclib\File\X509;
+use phpseclib3\File\X509;
 use Psr\Log\LoggerInterface;
 
 /**