mirror/php-zip
1
0
Fork 0
mirror of https://github.com/Ne-Lexa/php-zip.git synced 2025-04-13 19:21:56 +02:00
Code Issues Releases Wiki Activity

Fixed bug from issues 1

Browse Source 
- Fixed encryption and decryption Traditional PKWARE Encryption - add casting to 32-bit integer.
- The restriction on the length of the password to 99 characters for the WinZIP AES Encryption method.
This commit is contained in:
wapplay-home-linux 2016-12-14 12:34:59 +03:00
parent f2ffdae0c2
commit 11a7c16f1b
4 changed files with 73 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/PhpZip/Crypto/TraditionalPkwareEncryptionEngine.php
View File

@ -105,9 +105,26 @@ class TraditionalPkwareEncryptionEngine
private function updateKeys($charAt)
{
$this->keys[0] = self::crc32($this->keys[0], $charAt);
$this->keys[1] = ($this->keys[1] + ($this->keys[0] & 0xff)) & 4294967295;
$this->keys[1] = ($this->keys[1] * 134775813 + 1) & 4294967295;
$this->keys[2] = self::crc32($this->keys[2], ($this->keys[1] >> 24) & 0xff);
$this->keys[1] = $this->keys[1] + ($this->keys[0] & 0xff);
$this->keys[1] = self::toInt($this->keys[1] * 134775813 + 1);
$this->keys[2] = self::toInt(self::crc32($this->keys[2], ($this->keys[1] >> 24) & 0xff));
}
/**
* Cast to int
*
* @param $i
* @return int
*/
private static function toInt($i)
{
$i = (int)($i & 0xffffffff);
if ($i > 2147483647) {
return -(-$i & 0xffffffff);
} elseif ($i < -2147483648) {
return $i & -2147483648;
}
return $i;
}
/**

16
src/PhpZip/Crypto/WinZipAesEngine.php
View File

@ -88,16 +88,20 @@ class WinZipAesEngine
throw new ZipCryptoException("Expected end of file after WinZip AES authentication code!");
}
do {
assert($this->entry->getPassword() !== null);
assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits);
$password = $this->entry->getPassword();
assert($password !== null);
assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits);
// WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
do {
// Here comes the strange part about WinZip AES encryption:
// Its unorthodox use of the Password-Based Key Derivation
// Function 2 (PBKDF2) of PKCS #5 V2.0 alias RFC 2898.
// Yes, the password verifier is only a 16 bit value.
// So we must use the MAC for password verification, too.
$keyParam = hash_pbkdf2("sha1", $this->entry->getPassword(), $salt, self::ITERATION_COUNT, (2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8, true);
$keyParam = hash_pbkdf2("sha1", $password, $salt, self::ITERATION_COUNT, (2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8, true);
$ctrIvSize = self::AES_BLOCK_SIZE_BITS / 8;
$iv = str_repeat(chr(0), $ctrIvSize);
@ -202,6 +206,10 @@ class WinZipAesEngine
$password = $this->entry->getPassword();
assert($password !== null);
// WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
$keyStrengthBytes = 32;
$keyStrengthBits = $keyStrengthBytes * 8;

6
tests/PhpZip/ZipTest.php
View File

@ -752,7 +752,7 @@ class ZipTest extends ZipTestCase
*/
public function testSetPassword()
{
$password = CryptoUtil::randomBytes(100);
$password = base64_encode(CryptoUtil::randomBytes(100));
$badPassword = "sdgt43r23wefe";
$outputZip = ZipOutputFile::create();
@ -761,6 +761,8 @@ class ZipTest extends ZipTestCase
$outputZip->saveAsFile($this->outputFilename);
$outputZip->close();
self::assertCorrectZipArchive($this->outputFilename, $password);
$zipFile = ZipFile::openFromFile($this->outputFilename);
// set bad password Traditional Encryption
@ -791,6 +793,8 @@ class ZipTest extends ZipTestCase
$outputZip->close();
$zipFile->close();
self::assertCorrectZipArchive($this->outputFilename, $password);
// check from WinZip AES encryption
$zipFile = ZipFile::openFromFile($this->outputFilename);

44
tests/PhpZip/ZipTestCase.php
View File

@ -9,18 +9,47 @@ class ZipTestCase extends \PHPUnit_Framework_TestCase
/**
* Assert correct zip archive.
*
* @param $filename
* @param string $filename
* @param string|null $password
*/
public static function assertCorrectZipArchive($filename)
public static function assertCorrectZipArchive($filename, $password = null)
{
if (DIRECTORY_SEPARATOR !== '\\' && `which zip`) {
exec("zip -T " . escapeshellarg($filename), $output, $returnCode);
if (DIRECTORY_SEPARATOR !== '\\' && `which unzip`) {
$command = "unzip";
if ($password !== null) {
$command .= " -P " . escapeshellarg($password);
}
$command .= " -t " . escapeshellarg($filename);
exec($command, $output, $returnCode);
$output = implode(PHP_EOL, $output);
self::assertEquals($returnCode, 0);
self::assertNotContains('zip error', $output);
self::assertContains(' OK', $output);
if ($password !== null && $returnCode === 81) {
if(`which 7z`){
// WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
$command = "7z t -p" . escapeshellarg($password). " " . escapeshellarg($filename);
exec($command, $output, $returnCode);
$output = implode(PHP_EOL, $output);
self::assertEquals($returnCode, 0);
self::assertNotContains(' Errors', $output);
self::assertContains(' Ok', $output);
}
else{
fwrite(STDERR, 'Program unzip cannot support this function.'.PHP_EOL);
fwrite(STDERR, 'Please install 7z. For Ubuntu-like: sudo apt-get install p7zip-full'.PHP_EOL);
}
}
else {
self::assertEquals($returnCode, 0);
self::assertNotContains('incorrect password', $output);
self::assertContains(' OK', $output);
self::assertContains('No errors', $output);
}
}
}
@ -52,7 +81,6 @@ class ZipTestCase extends \PHPUnit_Framework_TestCase
exec("zipalign -c -v 4 " . escapeshellarg($filename), $output, $returnCode);
return $returnCode === 0;
} else {
echo 'Can not find program "zipalign" for test' . PHP_EOL;
fwrite(STDERR, 'Can not find program "zipalign" for test');
return null;
}