Stopped working #1778

Open
jestep opened this issue Apr 6, 2022 · 6 comments
jestep commented Apr 6, 2022

Have been using phpseclib for years now and it fails to decrypt starting a few days ago. Nothing to my knowledge has changed on this server in months except broad server updates. Running a really generic centos, apache using MPM-ITK, and php for this and I cannot find anything in any log. I've reinstalled phpseclib entirely, it literally won't decrypt known strings at all. It throws no usable errors, running php 7.4.28.

If I do:

$aes = new AES();
$aes->setKey('abcdefg');
$enc_data = $aes->encrypt('Hi Friend);

//output  �,�-Gp����7���

$dec_data = $aes->decrypt($enc_data);
Fatal error: Uncaught Error: Call to a member function decrypt() on string in ...  thrown in ... on line 15

Did a php update break this, I can't get any other error on this on any server log whatsoever. We do automatic php and apache updates, but I'm scratching my head on this one. We use phpseclib on dozens of sites so wanting to see if someone else is experiencing this.

jestep commented Apr 6, 2022

I rolled back to php 7.3 and it's still failing, we update phpseclib via composer routinely, can anyone think of an update to this that would specifically break the decryption function?

jestep commented Apr 6, 2022

Well updated to 3.x branch, we were using the 2.0 branch, and 3.x works, I out of curiosity went back, and 2 doesn't work still. I don't know if this is a server configuration issue, I'll test on my other servers to see, but really has me stumped on this one.

@terrafrost
Member

Well you do have a syntax error in your code:

$aes = new AES();
$aes->setKey('abcdefg');
$enc_data = $aes->encrypt('Hi Friend);

There should be a single quote (') after "Hi Friend".

Ultimately, the variable is being set outside of phpseclib. $aes = new AES() can't return a string. Since you're not setting $aes to anything in the code that you posted (e.g. $aes = $aes->withWhatever()) there's no way for $aes to have been turned into a string. Like $aes->setKey() can't, all of a sudden, turn the $aes variable into a string.

I mean, even with the code you posted, it's not really possible, even with the syntax error.

I feel like you took what you felt is the relevant part of the code without really testing it and posted it here assuming the problem you have with your main codebase would still be present.

jestep commented Apr 7, 2022

Sorry, that's a typo when I was copying and pasting, the single quote is present in our usage. And I wasn't posting the outputting method just assumed it would be assumed there was something outputting: echo, vardump, print_r, etc...

But, basically:

$aes = new AES();
$aes->setKey('abcdefg');
$enc_data = $aes->encrypt('Hi Friend');
echo $enc_data; 

Output: �,�-Gp����7���
Which is expected.

$dec_data = $aes->decrypt($enc_data);
echo $dec_data;

Output: Fatal error: Uncaught Error: Call to a member function decrypt() on string in ... thrown in ... on line 15

This specific site/app has been using phpseclib for 10 years by my estimate, the decryption just does nothing at this point. I'm trying to test on my other servers to see if I can reproduce it. We got phpseclib3 working, but having issues decrypting without an initialization vector which was unfortunately not used on this project.

I have literally deleted and reloaded and even created a blank site run from a vanilla php setup, no frameworks or anything, and the encryption function works, the decryption function will not work, and there's no errors beyond the generic fatal error uncaught error one.

jestep commented Apr 7, 2022

And again, this is likely not a phpseclib issue, I'm more trying to see if anyone has found apache or php or other updates breaking phpseclib in some way, I can't figure out why this just stopped working, I've in 20+ years never seen anything like this.

@terrafrost
Member

So the line number isn't in a phpseclib file but in PHP code you wrote?

If that's the case I guess what I'd try to do is to first figure out where this is happening. Maybe put var_dump($aes) after every line and see which one is causing $aes to change from an object to a string.

Also, sorry for the delayed response - I'm vacationing atm!
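
Added example (not part of the thread and not phpseclib's own code): one way to apply the var_dump suggestion above, logging the runtime type of $aes with the calling file and line after each statement, then failing fast before decrypt(). It assumes phpseclib 2.0 installed through Composer; trace() is a hypothetical helper, and the overwrite near the end is a constructed fault used only to show what the trace looks like when the object is replaced.

```php
<?php
// Added example. Assumes phpseclib 2.0 is available via Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use phpseclib\Crypt\AES;

/**
 * Hypothetical helper: log and return the runtime type of $value,
 * tagged with the file and line of the statement that called it.
 */
function trace($value): string
{
    $frame = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0];
    $type  = is_object($value) ? get_class($value) : gettype($value);
    error_log(sprintf('%s:%d cipher variable is %s',
        basename($frame['file']), $frame['line'], $type));
    return $type;
}

$aes = new AES();
trace($aes);

$aes->setKey('abcdefg');
trace($aes);

$enc_data = $aes->encrypt('Hi Friend');
trace($aes);

// Constructed fault, for illustration only: the return value of encrypt()
// is assigned back to $aes, so the object is replaced by a binary string.
$aes = $aes->encrypt('Hi Friend');
trace($aes);

// Fail fast with a specific message instead of reaching
// "Call to a member function decrypt() on string".
if (!$aes instanceof AES) {
    throw new RuntimeException(
        'cipher variable was overwritten; it now holds a ' . gettype($aes)
    );
}

$dec_data = $aes->decrypt($enc_data);
```

The first log line whose type is no longer phpseclib\Crypt\AES points at the statement just before it; in a larger codebase the same calls can be placed around includes and function calls that receive the variable by reference.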

@bantu bantu added the support label Apr 22, 2024