PR #538: Use RNGCryptoServiceProvider for crypto headers

piksel · web-flow · commit 7520a3ff6633 · 2020-11-21T12:33:16.000+01:00
- Use RNGCryptoServiceProvider for crypto headers
- Dispose RNG service after use in ZipCrypto
diff --git a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
@@ -444,8 +444,10 @@ public override byte[] Key
 		public override void GenerateKey()
 		{
 			key_ = new byte[12];
-			var rnd = new Random();
-			rnd.NextBytes(key_);
+			using (var rng = new RNGCryptoServiceProvider())
+			{
+				rng.GetBytes(key_);
+			}
 		}
 
 		/// <summary>
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
@@ -3727,8 +3727,10 @@ private static void CheckClassicPassword(CryptoStream classicCryptoStream, ZipEn
 		private static void WriteEncryptionHeader(Stream stream, long crcValue)
 		{
 			byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
-			var rnd = new Random();
-			rnd.NextBytes(cryptBuffer);
+			using (var rng = new RNGCryptoServiceProvider())
+			{
+				rng.GetBytes(cryptBuffer);
+			}
 			cryptBuffer[11] = (byte)(crcValue >> 24);
 			stream.Write(cryptBuffer, 0, cryptBuffer.Length);
 		}
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
@@ -5,6 +5,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 
 namespace ICSharpCode.SharpZipLib.Zip
 {
@@ -633,8 +634,11 @@ private void WriteEncryptionHeader(long crcValue)
 			InitializePassword(Password);
 
 			byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
-			var rnd = new Random();
-			rnd.NextBytes(cryptBuffer);
+			using (var rng = new RNGCryptoServiceProvider())
+			{
+				rng.GetBytes(cryptBuffer);
+			}
+
 			cryptBuffer[11] = (byte)(crcValue >> 24);
 
 			EncryptBlock(cryptBuffer, 0, cryptBuffer.Length);

Original file line number	Diff line number	Diff line change
`@@ -444,8 +444,10 @@ public override byte[] Key`
`444`	`444`	`public override void GenerateKey()`
`445`	`445`	`{`
`446`	`446`	`key_ = new byte[12];`
`447`		`- var rnd = new Random();`
`448`		`- rnd.NextBytes(key_);`
	`447`	`+ using (var rng = new RNGCryptoServiceProvider())`
	`448`	`+ {`
	`449`	`+ rng.GetBytes(key_);`
	`450`	`+ }`
`449`	`451`	`}`
`450`	`452`
`451`	`453`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -3727,8 +3727,10 @@ private static void CheckClassicPassword(CryptoStream classicCryptoStream, ZipEn`
`3727`	`3727`	`private static void WriteEncryptionHeader(Stream stream, long crcValue)`
`3728`	`3728`	`{`
`3729`	`3729`	`byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];`
`3730`		`- var rnd = new Random();`
`3731`		`- rnd.NextBytes(cryptBuffer);`
	`3730`	`+ using (var rng = new RNGCryptoServiceProvider())`
	`3731`	`+ {`
	`3732`	`+ rng.GetBytes(cryptBuffer);`
	`3733`	`+ }`
`3732`	`3734`	`cryptBuffer[11] = (byte)(crcValue >> 24);`
`3733`	`3735`	`stream.Write(cryptBuffer, 0, cryptBuffer.Length);`
`3734`	`3736`	`}`